A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT 28 April 2010 NSDI http://pdos.csail.mit.edu/whanau/slides.pptx
Distributed Hash Table • Interface: PUT( key , value ), GET( key ) → value • Route to peer responsible for key GET( sip://alice@foo ) PUT( sip://alice@foo, 18.26.4.9 )
The Sybil attack on open DHTs • Create many pseudonyms (Sybils), join DHT • Sybils join the DHT as usual, disrupt routing [Figure labels: Brute-force attack; Clustering attack]
Sybil state of the art. Timeline 2001-2010: P2P mania!; Chord, Pastry, Tapestry, CAN; The Sybil Attack [Douceur]; Security Considerations [Sit, Morris]; Restricted tables [Castro et al]; BFT [Rodrigues, Liskov]; SPROUT, Turtle, Bootstrap graphs; Puzzles [Borisov]; CAPTCHA [Rowaihy et al]; SybilLimit [Yu et al]; SybilInfer, SumUp, DSybil; (This work)
Contribution • Whānau: an efficient Sybil-proof DHT protocol – GET cost: O(1) messages, one RTT latency – Cost to build routing tables: O(√N log N) storage/bandwidth per node (for N keys) – Oblivious to number of Sybils! • Proof of correctness • PlanetLab implementation • Large-scale simulations vs. powerful attack
Division of labor • Application provides integrity • Whānau provides availability • E.g., application signs values using private key • Proc GET(key): Until valid value found: Try value = LOOKUP(key); Repeat
Approach • Use a social network to limit Sybils – Addresses brute-force attack • New technique: layered identifiers – Addresses clustering attacks
Two main phases • SETUP: periodically build tables using social links • LOOKUP: use tables to route efficiently [Diagram components: PUT(key, value), PUT Queue, Social Network, SETUP, Routing Tables, LOOKUP, key, value]
Social links created
Social links maintained over Internet
Social network [Figure: honest region and Sybil region, joined by attack edges]
Random walks c.f. SybilLimit [Yu et al 2008]
Building tables using random walks c.f. SybilLimit [Yu et al 2008] What have we accomplished? • Small fraction (e.g. < 50%) of bad nodes in routing tables • Bad fraction is independent of number of Sybil nodes
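The claim on this slide can be checked with a small simulation, added here as an illustration and not taken from the talk or the Whānau code. It assumes a constructed graph (a random honest region and a random Sybil region joined only by attack edges) with made-up sizes, and measures how often a short random walk started at an honest node ends on a Sybil.

```python
import random

def build_graph(n_honest, n_sybil, degree, attack_edges, rng):
    """Constructed graph: nodes 0..n_honest-1 are honest, the rest are Sybils."""
    n = n_honest + n_sybil
    adj = [[] for _ in range(n)]

    def link(a, b):
        adj[a].append(b)
        adj[b].append(a)

    # Each region is wired internally as a sparse random graph.
    for lo, hi in ((0, n_honest), (n_honest, n)):
        for u in range(lo, hi):
            for _ in range(degree // 2):
                v = rng.randrange(lo, hi)
                if v != u:
                    link(u, v)
    # Attack edges are the only honest-to-Sybil links.
    for _ in range(attack_edges):
        link(rng.randrange(n_honest), rng.randrange(n_honest, n))
    return adj

def sybil_sample_fraction(n_honest, n_sybil, attack_edges,
                          walk_len=10, degree=10, walks=4000, seed=1):
    """Fraction of random walks started at honest nodes that end on a Sybil."""
    rng = random.Random(seed)
    adj = build_graph(n_honest, n_sybil, degree, attack_edges, rng)
    bad = 0
    for _ in range(walks):
        node = rng.randrange(n_honest)
        for _ in range(walk_len):
            if adj[node]:                 # isolated nodes stay put
                node = rng.choice(adj[node])
        bad += node >= n_honest
    return bad / walks

if __name__ == "__main__":
    # Same 20 attack edges, 10x more Sybils: the bad fraction barely moves.
    print(sybil_sample_fraction(2000, 2000, 20))
    print(sybil_sample_fraction(2000, 20000, 20))
    # Raising the number of attack edges is what raises the bad fraction.
    print(sybil_sample_fraction(2000, 2000, 20000))
```

The walk length and degree are arbitrary choices for the toy graph; the evaluation slides use real social-network data.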
[Diagram components: PUT(key, value), PUT Queue, Social Network, SETUP, Routing Tables, LOOKUP, key, value]
Routing table structure • O(√n) fingers and O(√n) keys stored per node • Fingers have random IDs, cover all keys WHP • Lookup: query closest finger to target key [Figure: finger tables hold (ID, address), key tables hold (key, value); labels: Aardvark, Kelvin, Keynes, Zyzzyva]
From social network to routing tables • Finger table: randomly sample O(√n) nodes • Most samples are honest [Figure: finger table with columns ID, IP address]
Honest nodes pick IDs uniformly [Figure: ID ring A–Z; plenty of fingers near key]
Sybil ID clustering attack [Figure: ID ring A–Z; many bad fingers near key] [Hypothetical scenario: 50% Sybil IDs, 50% honest IDs]
Honest layered IDs mimic Sybil IDs [Figure: ID rings A–Z for Layer 0 and Layer 1]
Every range is balanced in some layer [Figure: ID rings A–Z for Layer 0 and Layer 1]
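A toy model of the clustering attack and the layered-ID response, added here as an illustration and not taken from the talk or the Whānau code. It assumes the 50% Sybil / 50% honest scenario above, an ID space of [0, 1), an adversary that clusters in the same range at every layer, and the recursive rule that an honest node's layer-i ID is copied from a random layer-(i-1) finger; all sizes are made up.

```python
import random

def honest_share_by_layer(n_honest=5000, n_sybil=5000, layers=3,
                          target=0.5, width=0.01, seed=7):
    """Honest share of the IDs in [target - width, target), for each layer."""
    rng = random.Random(seed)

    def in_range(x):
        return target - width <= x < target

    def clustered():
        # Adversary's choice (assumed): every Sybil ID sits just before the key.
        return [target - width * (1 - rng.random()) for _ in range(n_sybil)]

    # Layer 0: honest IDs are uniform on the ID space [0, 1).
    honest = [rng.random() for _ in range(n_honest)]
    sybil = clustered()
    shares = []
    for _ in range(layers):
        h = sum(in_range(x) for x in honest)
        s = sum(in_range(x) for x in sybil)
        shares.append(h / (h + s))
        # Next layer: each honest node copies the ID of a random finger from
        # this layer; fingers are sampled from honest and Sybil nodes alike.
        population = honest + sybil
        honest = [rng.choice(population) for _ in range(n_honest)]
        sybil = clustered()
    return shares

if __name__ == "__main__":
    for layer, share in enumerate(honest_share_by_layer()):
        print(f"layer {layer}: honest share near key = {share:.3f}")
```

In layer 0 the honest share of the attacked range is about 1%; in later layers honest IDs pile into the same range, so a finger picked there is honest with constant probability.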
Two layers is not quite enough [Figure: ID rings A–Z for Layer 0 and Layer 1; Ratio = 1 honest : 10 Sybils; Ratio = 10 honest : 100 Sybils]
Log n parallel layers is enough [Figure: ID rings A–Z for Layer 0, Layer 1, Layer 2, …, Layer L] • log n layered IDs for each node • Lookup steps: 1. Pick a random layer 2. Pick a finger to query 3. GOTO 1 until success or timeout
Main theorem: secure DHT routing If we run Whānau's SETUP using: 1. A social network with walk length = O(log n) and number of attack edges = O(n/log n) 2. Routing tables of size Ω(√N log N) per node Then, for any input key and all but εn nodes: • Each lookup attempt (i.e., coin flip) succeeds with probability Ω(1) • Thus GET(key) uses O(1) messages (expected)
Evaluation: Hypotheses 1. Random walk technique yields good samples 2. Lookups succeed under clustering attacks 3. Layered identifiers are necessary for security 4. Performance scales the same as a one-hop DHT 5. Whānau handles network failures and churn
Method • Efficient message-based simulator – Social network data spidered from Flickr, Youtube, DBLP, and LiveJournal (n = 5.2M) – Clustering attack, varying number of attack edges • PlanetLab implementation
Escape probability [Plot: escape probability (0 to 1) vs. random walk length (0 to 80); curves for 2M, 200K and 20K attack edges] [Flickr social network: n ≈ 1.6M, average degree ≈ 9.5]
Walk length tradeoff [Plot: curves for 2M, 200K and 20K attack edges and for clumpiness (0 to 1) vs. random walk length (0 to 80)] [Flickr social network: n ≈ 1.6M, average degree ≈ 9.5]
Whānau delivers high availability [Plot: median lookup messages (0 to 40) vs. table size (100 to 1000000); curves for 2M attack edges (>n), 200K attack edges, 20K attack edges and no attacker; 3√n marked] [Flickr social network: n ≈ 1.6M, 3√n ≈ 4000]
Everything rests on the model…
Contributions • Whānau: an efficient Sybil-proof DHT – Use a social network to filter good nodes – Resist up to O(n/log n) attack edges – Table size per node: O(√N log N) – Messages to route: O(1) • Introduced layers to combat clustering attacks