Download A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT

A Sybil-Proof
Distributed Hash Table
Chris Lesniewski-Laas M. Frans Kaashoek
MIT
28 April 2010
NSDI
http://pdos.csail.mit.edu/whanau/slides.pptx
Distributed Hash Table •  Interface: PUT(key, value), GET(key)→value •  Route to peer responsible for key GET( sip://alice@foo ) PUT( sip://alice@foo, 18.26.4.9 ) The Sybil aBack on open DHTs •  Create many pseudonyms (Sybils), join DHT •  Sybils join the DHT as usual, disrupt rouFng Brute‐force aBack Clustering aBack P2P mania! Sybil state of the art Chord, Pastry, Tapestry, CAN The Sybil ABack [Douceur], Security ConsideraFons [Sit, Morris] Restricted tables [Castro et al] 2010 2009 2008 2007 2006 2005 2004 2003 2002 2001 BFT [Rodrigues, Liskov] SPROUT, Turtle, Bootstrap graphs Puzzles [Borisov] CAPTCHA [Rowaihy et al] SybilLimit [Yu et al] SybilInfer, SumUp, DSybil (This work) P2P mania! ContribuFon •  Whānau: an efficient Sybil‐proof DHT protocol –  GET cost: O(1) messages, one RTT latency –  Cost to build rouFng tables: O(√N log N) storage/
bandwidth per node (for N keys) –  Oblivious to number of Sybils! •  Proof of correctness •  PlanetLab implementaFon •  Large‐scale simulaFons vs. powerful aBack Division of labor •  ApplicaFon provides integrity •  Whānau provides availability •  E.g., applicaFon signs values using private key •  Proc GET(key): UnFl valid value found: Try value = LOOKUP(key) Repeat Approach •  Use a social network to limit Sybils –  Addresses brute‐force aBack •  New technique: layered iden4fiers –  Addresses clustering aBacks Two main phases •  SETUP: periodically build tables using social links •  LOOKUP: use tables to route efficiently key value PUT(key, value) Social Network PUT Queue key SETUP
LOOKUP
RouFng Tables value Social links created Social links maintained over Internet Honest region Social network ABack edges Sybil region …
Random walks c.f. SybilLimit [Yu et al 2008] Building tables using random walks c.f. SybilLimit [Yu et al 2008] What have we accomplished? •  Small fracFon (e.g. < 50%) of bad nodes in rouFng tables •  Bad fracFon is independent of number of Sybil nodes key value PUT(key, value) Social Network PUT Queue key SETUP
LOOKUP
RouFng Tables value RouFng table structure •  O(√n) fingers and O(√n) keys stored per node •  Fingers have random IDs, cover all keys WHP •  Lookup: query closest finger to target key Zyzzyva Finger tables: (ID, address) Aardvark Kelvin Keynes Key tables: (key,value) From social network to rouFng tables •  Finger table: randomly sample O(√n) nodes •  Most samples are honest ID IP address Honest nodes pick IDs uniformly Z A B C Y D X E W F V U G T H I S J R K Q L P O N M Plenty of fingers near key Sybil ID clustering aBack Z A B C Y D X E W F V U G T H I S J R K Q Many bad fingers near key L P O N M [HypotheFcal scenario: 50% Sybil IDs, 50% honest IDs] Honest layered IDs mimic Sybil IDs Layer 0 Z A Layer 1 B Z C Y B C Y D X A E W D X F V E W F V U G U G T H T H I S J R K Q L P O N M I S J R K Q L P O N M Every range is balanced in some layer Layer 0 Z A Layer 1 B Z C Y B C Y D X A E W D X F V E W F V U G U G T H T H I S J R K Q L P O N M I S J R K Q L P O N M Two layers is not quite enough Layer 0 Z A Layer 1 B Z C Y RaFo = 1 honest : 10 Sybils S I J R K Q L P O N M D E W F V T C X E W U B Y D X A F V G U H T G RaFo = 10 honest : 100 Sybils S H I J R K Q L P O N M Log n parallel layers is enough Layer 0 X W V U T S R Q Y Z P O A B C L N M Layer 1 D E F G H I J K X W V U T S R Q Y Z P O A B C L N M Layer 2 D E F G H I J K X W V U T S R Q Y Z P O A B C L N M Layer L D E F G H I J K •  log n layered IDs for each node •  Lookup steps: 1.  Pick a random layer 2.  Pick a finger to query 3.  GOTO 1 unFl success or Fmeout X … W V U T S R Q Y Z P O A B C L N M D E F G H I J K Main theorem: secure DHT rouFng If we run Whānau’s SETUP using: 1.  A social network with walk length = O(log n) and number of aBack edges = O(n/log n)
2.  RouFng tables of size Ω(√N log N) per node Then, for any input key and all but εn nodes: •  Each lookup aBempt (i.e., coin flip) succeeds with probability Ω(1) •  Thus GET(key) uses O(1) messages (expected) EvaluaFon: Hypotheses 1.  Random walk technique yields good samples 2.  Lookups succeed under clustering aBacks 3.  Layered idenFfiers are necessary for security 4.  Performance scales the same as a one‐hop DHT 5.  Whānau handles network failures and churn Method •  Efficient message‐based simulator –  Social network data spidered from Flickr, Youtube, DBLP, and LiveJournal (n=5.2M) –  Clustering aBack, varying number of aBack edges •  PlanetLab implementaFon Escape probability 1 0.8 0.6 2M aBack edges 0.4 200K aBack edges 20K aBack edges 0.2 0 0 10 20 30 40 50 60 70 80 Random walk length [Flickr social network: n ≈ 1.6M, average degree ≈ 9.5] Walk length tradeoff 1 0.8 0.6 2M aBack edges 200K aBack edges 0.4 20K aBack edges Clumpiness 0.2 0 0 10 20 30 40 50 60 70 80 Random walk length [Flickr social network: n ≈ 1.6M, average degree ≈ 9.5] Whānau delivers high availability 3√n Median lookup messages 40 2M aBack edges (>n) 200K aBack edges 30 20K aBack edges No aBacker 20 10 0 100 1000 10000 100000 Table size [Flickr social network: n ≈ 1.6M, 3√n ≈ 4000] 1000000 Everything rests on the model… …
ContribuFons •  Whānau: an efficient Sybil‐proof DHT –  Use a social network to filter good nodes –  Resist up to O(n/log n) aBack edges –  Table size per node: O(√N log N)
–  Messages to route: O(1)
•  Introduced layers to combat clustering aBacks