Distributed ledgers, and blockchains, as they are sometimes called, provide peer-to-peer open transaction systems used for alternative currencies, such as Bitcoin [Nak08], or general distributed execution of code, often called ‘smart contracts’ [Woo14]. The main innovation of Nakamoto consensus [Nak08], underpinning both systems, is the open nature of the system that allows infrastructure nodes to come-and-go, and participate on the basis of solving proof-of-work cryptographic puzzles. However, this is computationally expensive and resource intensive.
Alternatives based on proof-of-stake [Dai98] do not consume resources, but require nodes to lock some ‘stake’ in a native crypto-currency, to participate and slash this stake upon detecting misbehaviour. However, there are valid concerns around such systems: locked stake represents a loss of opportunity. The consensus favors ‘richer’ nodes, that as a result get richer, which may in turn threaten decentralization and may lead to attacks by minority players with wealth. Finally, the values it embeds relate to ‘boardroom democracy’ (as Bryan Ford suggests), and may not be aligned with principles of openness and equity.
In this work we introduce a new consensus mechanism, SybilQuorum, that allows peers to establish a distributed ledger without the need for either proof-of-work, or other physical resources, or proof-of-stake to eliminate Sybil attacks. The system is open to new members, and permissionless, making it competitive with Nakamoto consensus. It is based on an established line of work related to Sybil defences leveraging Social Networks, starting with protecting Distributed Hash Tables [DLKA05], and pursued by SybilGuard [YKGF08], SybilLimit [YGKX10], and SybilInfer [DM09]. We also present a hybrid system, SybilQuorum-hybrid, that combines stake and social networks to further strengthen Sybil resistance.
Our contributions include:
A proposal for achieving open consensus backed by social links, embodied in the SybilQuorum-core design.
Extensions to integrate aspects of proof-of-stake to enhance Sybil defences, and prevent wealthy nodes from controlling the consensus, namely SybilQuorum-hybrid.
An extension to the theory of Federated Byzantine Agreement Systems (FBAS), and efficient algorithms based on this theory to test for their safety and liveness.
A concrete design, including integration with specific consensus mechanisms compatible with SybilQuorum at a systems level.
An evaluation of the strength of SybilQuorum based on real-world social graphs, and the conditions under which it enhances security against Sybil attacks.
2 Background and Related work
The Sybil attack was introduced by Douceur [Dou02], in relation to engineering peer-to-peer systems, and identified types of defences: admission control through central authentication, and resource constraints. Permissioned ledgers, such as Hyperledger [ABB18] or Quora, take the first approach, and only allow known and designated nodes to participate in consensus. Open distributed ledgers, including Bitcoin and Ethereum follow the second paradigm. Proof of Work was first proposed by Back, as Hashcash [B02], to prevent Denial of Service. In the context of spam its economic efficiency was questioned by Clayton and Laurie [LC04].
Proof-of-stake systems were proposed first in the 90s by Wei Dai, in B-money [Dai98]. Modern proof-of-stake systems, such as Ouroboros [KRDO17] allow users to lock and delegate stake, and sample those users proportionately to their stake to determine an order in which blocks are produced in a blockchain system. Consensus therefore remains open, in that anyone who can buy some currency and lock it as stake can participate. However, there are serious concerns with this approach: the most fundamental one being that very wealthy parties may afford to acquire a lot of stake, and abuse it to extract value out of the system. Since stake often allows nodes to mine blocks, and reap rewards, the economics of proof-of-stake may lead to oligarchies through a “rich get richer” dynamic.
A number of blockchain systems consider some trust judgments between nodes and leverage them to achieve consensus. Stellar [Maz15] considers that each node links to other nodes, and uses these direct trust judgments to form quorums in which byzantine consensus may be run — this is the closest related system to SybilQuorum. We use the definition and security concepts introduced in Stellar, such as a Federated Byzantine Agreement System (FBAS) and a disposable set (DSet), as a basis for our security arguments and evaluation. However, Stellar only considers direct judgments to form an FBAS, rather than the topology of the full social network. Ripple [AKM15] allows participants to connect to each other, but does not solve the Sybil defence problem directly, and does not achieve inter-node consensus in a strong manner. Instead, each node may run its own currency and economy, and rely on others’ willingness to act as an exchange to transfer value between nodes that are not directly connected.
Besides blockchains, systems leveraging social networks — and explicit trust judgments of users about each other — have been proposed to combat Sybil attacks. Early work considers leveraging the ‘introduction graph’, by which nodes get to access a Distributed Hash Table through other nodes, to ensure routing security [DLKA05]. Raph Levien productized those ideas to extract reputation of developers in ‘Advogato’ [Lev09]; and Sam Lessin [Les18] proposed using trust graphs backed by financial commitments to infer the financial trustworthiness of users in a graph in the context of blockchains.
Academic works within this family of systems consider general social network information distributed in a peer to peer network to allow each node to determine which other nodes are genuine or Sybils. In this line of work SybilGuard [YKGF08] and SybilLimit [YGKX10] perform a distributed computation, using random walks in a network, to determine the honest regions within it. SybilInfer [DM09] takes a centralized approach, and analyzes a stored social graph to identify potential Sybil regions.
These defences make some security assumptions related to the topology of ‘honest’ social graphs: those need to be fast mixing, have small diameter, and contain relatively few links to nodes being part of a Sybil attack. Those systems allow each node to extract a degree of belief about whether any other node in the system is a genuine participant or a Sybil. However, this belief depends on the position of the node in the social graph, and may not be exactly the same even for two honest nodes — thus they do not directly lead to any form of consensus, not even about who is a Sybil node. Ultimately, each node uses those degrees of belief to define their own set of nodes considered honest.
Subsequent work questions a number of assumptions based on the analysis of real-world social graphs [MTHK12]. This work is influential in that it highlights that the social graphs on which these defences rest, but truly capture trust judgments, and provide incentives for users to not accept any links, including to malicious nodes. In this work we also highlight a further limit of SybilInfer as originally proposed: it is an effective mechanism to detect Sybil regions in the presence of an attack, however it is also presenting a large number of “false positives” when the network is free of such attacks — by misclasifying a large number of honest nodes as Sybils. We provide a solution to this problem.
Besides ‘blockchain’ based consensus, based on a chain of blocks and a fork choice rule, modern distributed ledgers consider and reimagine more traditional forms of byzantine consensus. An exemplary system is Tendermint [Kwo14], that combines a quorum based byzantine consensus protocol, with a proof-of-stake mechanism. In Tenderming, and in general, decisions are made as part of the consensus protocol when over two-thirds of ‘stake’ supports a decision — abstracting from the actual identities of nodes and only considering their weight in stake. The advantages of this approach is low latency, quick finality, and higher throughput than Nakamoto consensus. This family of systems also includes Blockmania [DH18], which separates messages materialized and exchanged in a network forming a directed acyclic graph of blocks, from the process of nodes independently interpreting it to reach consensus and order transactions. This separation is key for the practical and efficient implementation of SybilQuorum.
3 The SybilQuorum-core system
The SybilQuorum-core system is the purest instantiation of the ideas behind SybilQuorum. It maintains a distributed ledger, including a social network of user trust judgments about each other. In turn it leverages this information to maintain the network consistent across honest users, and also to order arbitrary transactions. Its key security property is that two nodes will accept the same sequence of transactions if they are sufficiently related in the social graph, and sufficiently separated from Sybil nodes. Those may then be used to implement any distributed computation following the well established state-machine replication paradigm [Sch90].
Security State of the Ledger. Each user maintain a local copy of the ledger, which consists of two types of information: security related information, and a sequence of application transactions. The security information relates to SybilQuorum operations, while the transactions can be arbitrary and are never interpreted by SybilQuorum. Specifically, the security information consists of a set of directed links between users. A user Alice, represented by a public key, may sign a statement that she trusts a user Bob, by public key, to not be a Sybil: this becomes an arc between Alice’s public key and Bob’s, denoted as . Alice may also sign a statement removing such an arc – a sequence number prevents replay attacks in either adding or removing such arcs. Signed statements adding or removing links are processed through the consensus protocol, and accepted (or not) by nodes in the network — in a manner we will shortly examine. When accepted the security information is updated to reflect the new social graph.
Ultimately at any moment each node has a representation of the security state of the ledger, namely a directed graph of links between public keys.
Sybil Defences & the Security State.
Upon every update of the security state of the ledger a node performs an analysis of the latest social graph to determine the probability with which each node may be controlled by a Sybil attacker. Applying techniques from SybilInfer[DM09] the outcome of the analysis for node is a map between public keys of nodes and a weight representing the probability the node is honest, represented as .
We note this is local judgment: the node may ascribe a different weight to , than node , namely in general we expect . This is the case even if all nodes involved, namely , , and are all honest. Thus the map, even between two honest nodes cannot be assumed to be the same — and Sybil defences by themselves cannot in general achieve consensus; not even on who is a Sybil.
Despite local judgments being different in their exact details, we do not expect them to be uncorrelated. Since at their core Sybil defence mechanisms applied by honest nodes will tend to ascribe higher probability to nodes that are honest, from those nodes that are actually part of a large Sybil attack. Therefore we assume that the lists of nodes that two honest nodes will extract from the Sybil defence mechanism are going to be largely composed of honest nodes, and also likely to be overlapping.
From SybilInfer weights to presumed honest sets. Our experiments with SybilInfer uncover a shortcomming of the system as originally proposed. In the presence of a Sybil attack, it is effective at detecting it — namely setting the weights as larger than for honest nodes, and lower for Sybil nodes. Therefore each node in SybilQuorum may select a set of other nodes to consider as honest according to the criterium .
However, its probabilistic model is calibrated assuming there is an attack, and in the absence of a large Sybil region it misclassifies a significant number of honest nodes as Sybils. Therefore we need to set a dynamic threshold that is sensitive to whether a cut in the graph is the result of a Sybil attack, or ‘natural’ given a social network.
Our mechanism for calibrating the cut-off is based on the fundamental insights behind social network based Sybil defences: we consider a region of the graph as being composed of Sybils, if the volume of links to this region are comparatively low, compared with the size of the honest graph, and in particular the number of links within this honest sub-graph. We define the node set containing all nodes with , and with all the nodes such that . We also define a function , over a set of nodes , that represent the number of unidirectional links between the node sets and . We select the largest cut-off value such that . We then use the selected value of to define for each nodes the set of honest nodes .
Intuitively this selects a cut-off that ensures that the number of links to the Sybil region is indeed small, and in particular smaller than the number of links within the honest region — a sign of an actual Sybil attack. Large cuts in honest networks, will have a very large number of links between the two honest regions. Since in a largely honest graph the difference in weights is due to the nodes proximity to some nodes, more than others, the actual number of links between the regions will be large, and we would not select such a cut as a Sybil attack. We validate this approach through experiments on real graphs.
From social network Sybil defences to consensus. We have already highlighted that the Sybil defences alone do not lead to any sort of consensus between honest nodes. However, we can leverage them, and the assumptions we make about them to achieve consensus. To achieve consensus we use the definitions, safety and liveness conditions determined by the Stellar [Maz15] protocol for Federated Byzantine Agreement Systems (FBAS).
Definition 1 (Fbas).
A Federated Byzantine Agreement System, or FBAS, is a pair consisting of a set of nodes and a quorum function specifying one of more quorum slices for each node, where a node belongs to all of its own quorum slices—i.e. . (Note denotes the powerset of .) (From [Maz15].)
Definition 2 (Quorum).
A set of nodes in FBAS is a quorum iff and contains a slice for each member—i.e. such that . (From [Maz15].)
We leverage SybilQuorum to create an FBAS in the folowing manner. The set of all nodes includes all nodes in the system, honest and Sybils. Each honest node uses the social network Sybil defence mechanism, to define a list of nodes that it considers honest. It does so by including in all nodes such that , where is the selected cutoff value in (see above for how to select ). The quorum slices for each node are all the subset of of cardinality greater than .
We discuss in our evaluation what it means for such an FBAS system to be secure, and also provide a theory for how to efficiently test an FBAS is secure.
4 The SybilQuorum-hybrid extensions
Previous work [MTHK12] argues that ‘natural’ social graphs do not provide the fast mixing properties necessary for reliably detecting Sybil attacks. Furthermore, research suggests that, at least some, users are easily defrauded into connecting on social network platforms to other users without much due diligence as to the identity or trustworthiness of the profile.
We extend the SybilQuorum system, and describe SybilQuorum-hybrid, that combines it with aspects of proof-of-stake for two purposes: (1) as traditional proof-of-stake it caps the ability of dishonest nodes to create an infinity of identities at will; and (2) it provides incentives for honest nodes to be careful when connecting to other nodes, and potential penalties for making poor judgments. The first property keeps the number of potential Sybil nodes low, while the second one supports the key property necessary in social network Sybil defences namely that the capacitance of the graph from the honest region to the dishonest region remains small.
Token system. All proof-of-stake systems require a token system, with a fixed supply, to be integrated within the security state of a ledger. Nodes may then ‘lock’ tokens as ‘stake’. SybilQuorum-hybrid also requires such a token system, and it may be abstracted as a map from accounts (as public keys) to token values, namely , maintained by all nodes. We consider those tokens are not forgeable and are fungible, as per other crypto-currencies.
Links with stake. SybilQuorum-hybrid allows nodes to create arcs to other nodes representing judgments about their trustworthiness, as part of the security state of the system. However, unlike SybilQuorum-core, those arcs are associated with a value in tokens. Such an arc from Alice to Bob, with value is denoted as . The transaction creating those arcs is signed by the originator Alice, using , and the value is deducted from her account. Thus the security state of SybilQuorum-hybrid consists of a directed weighted graph between nodes.
SybilQuorum-hybrid enables not only the originators or arcs to remove them, and recuperate the value assigned to them, but also the destination of arcs. Therefore if an arc exists in the system, Bob may issue a transaction signed by to remove the arc and increase his balance by . We allow both sides to reclaim the value of a link in order to ensure it is a reliable signal to others of the trust between nodes. Alice, by creating a link with value to Bob, trusts him to not immediately or eventually ‘steal’ this value. Self-imposed vulnerability implies trust, and signals it in a way that can be relied upon by other nodes.
This vulnerability also penalizes honest nodes that may be more likely to make poor trust decisions that degrade the overall social network Sybil defence mechanism — assuming there is a different propensity amongst honest nodes to make poor decisions. Such nodes will pick dishonest nodes to make arcs to more often. Many of those dishonest nodes will not be part of a Sybil attack, but merely fraudsters that will simply reclaim the value. As a result bulk dishonesty, protects the system from strategic dishonesty — honest nodes with poor judgment are likely to be disincentivized from creating links, and impoverished if they continue doing so recklessly.
Weighted social network defences. As soon as a SybilQuorum-hybrid node updates the security state, and in particular the weighted directed graph representing the social network, it re-runs a Sybil Detection algorithm. However, traditional social network Sybil detection algorithms, such as SybilInfer do not operate on weighted graphs — and require some modifications to operate.
We first prune the social graph from all arcs that are not reciprocated namely all arcs connecting two nodes for which there is no arc . We define the total value committed in remaining links by a node as , where is the value assigned by to arcs to each node (by convention we consider that if an arc does not exist its value is zero).
Our goal is to then define a Markov-chain over the nodeswith a stationary distribution , namely one proportional to the amount of ‘stake’ each node has committed to reciprocal links. (SybilInfer targets instead a uniform stationary distribution).
Any distribution that maintains ‘detailed balance’ would ensure this property, namely . However we wish to limit the transition matrix of the chain to only have support on reciprocal arcs. We therefore define a proposal distribution for node as . This proposal is accepted (following the Metropolis-Hasting MCMC method) with probability:
Thus the transition matrix becomes:
with the remaining probability mass being assigned to the self-transition . Interestingly inter-node transitions are only influenced by the lower value of and ,
An walk on this Markov chain results at a node drawn from the stationary distribution , as its length tends towards infinity. However we want to leverage the properties of short random walk on such graphs: a path of length should converse towards , but would be disrupted by the capacitance between the honest and Sybil region in the graph. As a result short random walks starting at an honest node will tend to remain within the honest sub-graph. We denote the distribution of nodes reached after such a short walk starting at an honest node by . Mathematically this means that for honest nodes and conversely for Sybil nodes .
We leverage this ‘gap’ and amplify it to penalize nodes that are more likely to be Sybils, using the Logistic function:
Each honest node assigns a probability to other nodes being honest, computed as:
The logistic term takes values in , with values closer to zero if undershoots the target , and closer to 1 if it overshoots it. The term then scales the stake of the node , allowing it to take closer to its maximal value for honest nodes; and becoming closer to zero for dishonest nodes. The parameter is a measure of how sharply deviations lead to minimum of maximum values, and can be chosen by the nodes depending on their topology and connectivity into the social graph.
Defining an FBAS. As for SybilQuorum-core, we define an FBAS , by having each node using the resulting weights and considering a set of nodes honest if those weights are at least a cutoff value . That cut-off value is selected as in SybilQuorum-core to prevent large numbers of false positives. The quorum function for each node , contains all subsets of of size greater than .
5 The Security of an FBAS
Both proposed variants of SybilQuorum define a Federated Byzantine Agreement System, as defined in [Maz15]. We therefore use some further definitions to achieve two security properties: (1) safety means that two honest nodes will agree to the same outcome of the consensus; and (2) liveness ensures that progress towards reaching consensus may be made despite some byzantine nodes.
Definition 3 (Quorum Intersection).
An FBAS enjoys quorum intersection iff any two of its quorums share a node—i.e., for all quorums and , . (From [Maz15])
Definition 4 (Delete).
If is an FBAS and is a set of nodes, then to delete B from , written , means to compute the modified FBAS where . (From [Maz15])
Definition 5 (DSet).
Let be an FBAS and be a set of nodes. We say is a dispensible set, or DSet, iff:
(quorum intersection despite ) enjoys quorum intersection.
(quorum availability despite ) Either is a quorum in or .
The concept of ‘dispensible set’ (DSet) in an FBAS is key to understanding its security. The DSet contains a set of nodes that can act adversarially, without jeopardizing the safely and liveness properties of the FBAS for the remaining (honest) nodes. The ‘quorum intersection despite ’ property ensures safety, since it requires any two quorums within a system without nodes to intersect, and thus agree on the same result. The ‘liveness despite property’ ensures the set of honest nodes in the FBAS can form a consensus to agree on a result, even if the nodes in do not participate.
In our experiments, to establish the security of SybilQuorum as an FBAS system, we will need to determine the necessary DSet, containing byzantine nodes, as well as potentially some honest nodes for whom Sybil defences failed. However, establishing the ‘quorum intersection despite B’ property of a DSet not easy: naively it would require computing all quorums and testing their pairwise intersection—which is computationally unfeasible for larger number of nodes. Therefore we devise two algorithms to determine the DSet is a quorum (property 2) and also to check quorum intersection despite the DSet (property 1), efficiently. The correctness of those algorithms depends on original theorems related to an FBAS, which may also be of independent interest.
We first prove a lemma, on which we rely for the correctness of our algorithm.
Consider a node in an FBAS , and a quorum , such that , and a quorum slice for contained in , namely . If another node is in the same slice, namely , and the minimum cardinally of any quorum that contains is —i.e. for all quorum , such that , . Then the minimum cardinally of is also —i.e. .
The theorem seems complex, but really is the result of a simple symmetry: since the quorum slice is contained in , both and are within the quorum, . Since is the minimal cardinality of a quorum containing , and the quorum also contains , it trivially follows that . ∎
Definition 6 (Quorum Slice Cardinality Map).
The function is the quorum slice cardinality Map for an an FBAS . For each node in , it returns the cardinality of the smallest quorum slice in —i.e. .
Security Theorem 1 (Trivial Intersection).
For an FBAS, if all values of the quorum slice cardinality map are larger than half the number of nodes, it enjoys quorum intersection—i.e. .
Consider two nodes and quorums in the FBAS, and . By the definition of quorums there must exist two slices of respectively such that and . Since and , it must be that they intersect at least in one element. And . ∎
This first theorem provides a trivial way to check a FBAS for quorum intersection: if all quorum slices, for all nodes contain more than half the nodes, then all quorums will intersect. However, this condition is much stronger than necessary for quorum intersection, and in practice not always achievable. However, it is the property on which the security of traditional BFT systems can be proven in when those are encoded as FBAS. However, we will seek a weaker property that still implies quorum intersection.
Lemma 2 (Minimum Quorum Cardinality in FBAS).
Consider the FBAS . We define a function providing a lower bound on the cardinality of any quorum containing , namely such that it holds that . We initialize as , where is the quorum slice cardinality map. We also define the sets for each , containing all nodes in ’s quorum slices—i.e. .
Define as the sequence of values in ascending order, and is its element. If we assign , the value is also a lower bound on the cardinally of any quorum containing .
By the definition of the quorum slice cardinality map it is trivial to argue that is a lower bound on the cardinality of all quorums including , since they each need to fully contain at least one quorum slice from . We need to show that the value and therefor is a lower bound on the cardinality of any quorum containing . Since the minimum quorum slice size of is it must contain at least that number of nodes, out of the set . By lemma 1 we know that including a node from into a quorum , would yield a quorum of cardinality at least . Since such nodes from must be included the minimum cardinality of is , since is defines as the ordered sequence of minimum cardinality sizes for quorums each node in . ∎
We use this lemma in building an algorithm that computes lower bounds on the cardinalities quorums of all nodes in the FBAS iterativelly. It starts with an estimation equal to the cardinality of the smallest quorum slice for each node (the function L(v)), and then increases the estimate as, where .
Based on the above we can efficiently estimate minimum bounds on the cardinality of all quorums in the SybilQuorum FBAS. Then we can test them to show quorum intersection:
Security Theorem 2 (Quorum Intersection due to Minimum Size).
If within a FBAS, all quorums have cardinality , it enjoys quorum intersection.
Trivially, if we have two sets and with a number of elements greater than half the number of elements in , they must intersect in at least one element. ∎
We note that Quorum Intersection due to Minimum Size is a sufficient condition to guarantee a FBAS enjoys quorum intersection, but it is too strong to be necessary. For example an FBAS with a dictator node present in all quorums, will satisfy trivially quorum intersection, without the need for all quorums to be of a certain size.
Computing DSets and FBAS safety. We leverage the theorems above to test the concrete FBAS extracted from SybilQuorum for safety and liveness. We define a set of nodes , each with a list of nodes they consider honest, and a set of malicious nodes . The quorum function contains all subsets of of size over .
First we execute a procedure DetermineDSet using the initial bad nodes to determine a set of nodes that cannot reach agreement, due to having accepted too many bad nodes as honest. Following the terminology from Stellar we call the set of nodes befouled nodes. A node is befouled if it has accepted in its set more than a third of bad or befouled nodes. By definition the nodes still constitute a quorum. (Thus proving liveness despite ).
Once we have identified the set of bad and befouled nodes , we define the FBAS and try to establish whether it enjoys quorum intersection. We use algorithm DetermineSafety to test for quorum intersection: we iteratively determine an increasingly better lower bound on the quorum cardinality of each node. Once the bound converges, we check that each , which according to our theorems ensures quorum intersection (Thus proving quorum intersection despite ). If this condition is true we label our FBAS as safe, since the set is a DSet.
6 Experimental Evaluation
Datasets & Pre-processing. An evaluation of SybilQuorum necessitates the use of real-world datasets of social connections, since the mechanism relies on the dynamics of connections within ‘real’ social networks. There are methodological challenges to doing this. First, there does not exist a network embodying the proposed mechanism of establishing links backed by mutual token on links as necessary by SybilQuorum-hybrid. Second, existing datasets are based on networks for casual socializing, in which incentives are not aligned for careful selection of links, but rather provide advantages and incentives for users to be prosmicuous in their connections. Those issues present threats to validity.
For our evaluation we chose to use the pokec network dataset, that is open and available on the Stanford large network dataset collection111https://snap.stanford.edu/data/soc-Pokec.html. This is a snapshop of the largest social network provider in Slovakia, collected in 2012. It contains 1632803 nodes and 30622564 edges.
We pre-process this network in two ways, to produce evaluation datasets: (1) We sub-sample 200000 nodes from the network, and create a subgraph with all their edges (including those to nodes not in the set of nodes); (2) We then recursively prune the network to a core of nodes with degree at least 3. Pruning is performed by removing nodes with degree less than 3, until all nodes have a higher degree.
These operations result in sub-graphs of size about 10000 nodes, which is comparable to the number of miners in systems such as Bitcoin and Ethereum. We extract the degree three core of the network as a proxy for nodes that have strong connections to each other, excluding nodes with weaker trust connections between them. (Note such pre-processing can also done as part of a production SybilQuorum pipeline.)
Sybil Attack Simulation. To evaluate SybilQuorum we simulate Sybil attacks on the graph datasets, in a what that is most generic. We parametrize the attack through a number of parameters: (1) the number of Sybil nodes (); (2) the number of links or amount of stake on links purely in the Sybil region (); (3) the amount of stake on links between the honest region and Sybil region (); (4) the fraction of honest nodes that are naive, and connect to Sybil nodes ().
Given those parameters, we instanciate a set of Sybil nodes of size , and establish mutual links between them at random. We sample at random a set of honest nodes to be ‘naive’, as a fraction of the honest nodes. We then create mutual connections between random Sybil nodes in that set, and honest nodes from the naive set, according to the budget of links or stake available ().
SybilInfer [DM09] provides an argument that the exact composition of the Sybil region does not impact security, but what matters is rather the relative size of the Sybil region and the links between honest and Sybil regions. However, we there might be optimizations in connecting Sybils in specific ways to the naive nodes, which we have not explored. This is a further threat to the validity of our results. However, our methodology is in line with previous works.
Purely Benign or Byzantine Conditions. We first evaluate the SybilQuorum mechanism in a network composed of overwhelmingly benign nodes. We instanciate such a network by only attaching a single Sybil (), no stake in the Sybil region (), and minimal stake between the honest and dishonest nodes (). On the other hand we allow this single Sybil nodes to connect to any honest node (). We primarily use this condition to ensure that SybilQuorum does not suffer from false positives in detecting Sybils, that compromise agreement, as the raw SybilInfer mechanism does.
We also evaluate SybilQuorum under conditions of byzantine attacks that can be accommodated within the traditional Byzantine fault tolerance paradigm, with just a standard proof-of-stake system: where the number of Sybils is of the size of the honest nodes, and the stake of all links connected to the Sybil nodes is at most of the total stake in the honest region. We also allow Sybil nodes to connect to any honest node (). This condition simulates an attack that can be tolerated even if all Sybil nodes are accepted as honest by all – but we need to assess whether this is the case in SybilQuorum and whether the resulting FBAS is secure.
In both conditions SybilQuorum honest nodes reach safe agreement. In the benign condition the cut-off is determined as , and all nodes are accepted by all other honest nodes as honest. This includes the single Sybil node. All quorums are larger than half the number of honest nodes, and global agreement is reached. In the byzantine condition agreement is also reached. The cut-off value is set automatically as . And since all honest nodes have fewer than 1/3 links to Sybil nodes (none is confused) they reach agreement. (Those are the results of 10 repeats of the experiments, for different configurations of the Sybil attack).
Those results confirm that SybilQuorum performs no worse than not using SybilQuorum— which is not a given: (1) when there is no Sybil attack it does not impede agreement through false positives; and (2) when there are fewer than dishonest nodes, the FBAS is secure and preserves agreement and liveness without any negative interference from SybilQuorum.
Future Evaluation. The analysis above, concerning benign and byzantine settings will be extended in the full paper to establish the security of SybilQuorum for:
Variable Number of Adversarial Nodes
Variable Size of Adversarial Stake
Variable Numbers of Confused Honest Nodes
Variable Size of Honest-Sybil Links
In this work we show that we can leverage social networks to protect traditional Proof-of-Stake systems against a wider range of attacks, from nodes with a lot of stake, than previously expected. To do so it is necessary to abstract their consensus mechanisms within the more general FBAS framework, and also devise efficient tests for whether such an FBAS is secure to support experimental evaluations. The degree to which this mechanism is effective is subject to extended evaluation, which will be ready for the Stanford Blockchain Conference.
- [ABB18] Elli Androulaki, Artem Barger, Vita Bortnikov, Christian Cachin, Konstantinos Christidis, Angelo De Caro, David Enyeart, Christopher Ferris, Gennady Laventman, Yacov Manevich, Srinivasan Muralidharan, Chet Murthy, Binh Nguyen, Manish Sethi, Gari Singh, Keith Smith, Alessandro Sorniotti, Chrysoula Stathakopoulou, Marko Vukolic, Sharon Weed Cocco, and Jason Yellick. Hyperledger fabric: a distributed operating system for permissioned blockchains. In Proceedings of the Thirteenth EuroSys Conference, EuroSys 2018, Porto, Portugal, April 23-26, 2018, pages 30:1–30:15, 2018.
- [AKM15] Frederik Armknecht, Ghassan O Karame, Avikarsha Mandal, Franck Youssef, and Erik Zenner. Ripple: Overview and outlook. In International Conference on Trust and Trustworthy Computing, pages 163–180. Springer, 2015.
- [B02] Adam Back et al. Hashcash-a denial of service counter-measure, 2002.
- [Dai98] Wei Dai. b-money, 1998. URL: http://www. weidai. com/bmoney. txt, 1998.
- [DH18] George Danezis and David Hrycyszyn. Blockmania: from block dags to consensus. arXiv preprint arXiv:1809.01620, 2018.
- [DLKA05] George Danezis, Chris Lesniewski-Laas, M. Frans Kaashoek, and Ross J. Anderson. Sybil-resistant DHT routing. In Computer Security - ESORICS 2005, 10th European Symposium on Research in Computer Security, Milan, Italy, September 12-14, 2005, Proceedings, pages 305–318, 2005.
- [DM09] George Danezis and Prateek Mittal. Sybilinfer: Detecting sybil nodes using social networks. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2009, San Diego, California, USA, 8th February - 11th February 2009, 2009.
- [Dou02] John R. Douceur. The sybil attack. In Peer-to-Peer Systems, First International Workshop, IPTPS 2002, Cambridge, MA, USA, March 7-8, 2002, Revised Papers, pages 251–260, 2002.
- [KRDO17] Aggelos Kiayias, Alexander Russell, Bernardo David, and Roman Oliynykov. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Annual International Cryptology Conference, pages 357–388. Springer, 2017.
- [Kwo14] Jae Kwon. Tendermint: Consensus without mining. Draft v. 0.6, fall, 2014.
- [LC04] Ben Laurie and Richard Clayton. Proof-of-work proves not to work; version 0.2. In Workshop on Economics and Information, Security, 2004.
- [Les18] Sam Lessin. Venmo trust and the blockchain. https://www.theinformation.com/articles/venmo-trust-and-the-blockchain, 2018.
- [Lev09] Raph Levien. Attack-resistant trust metrics. In Computing with Social Trust, pages 121–132. Springer, 2009.
- [Maz15] David Mazieres. The stellar consensus protocol: A federated model for internet-level consensus. Stellar Development Foundation, 2015.
- [MTHK12] Abedelaziz Mohaisen, Huy Tran, Nicholas Hopper, and Yongdae Kim. On the mixing time of directed social graphs and security implications. In 7th ACM Symposium on Information, Compuer and Communications Security, ASIACCS ’12, Seoul, Korea, May 2-4, 2012, pages 36–37, 2012.
- [Nak08] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008.
- [Sch90] Fred B Schneider. Implementing fault-tolerant services using the state machine approach: A tutorial. ACM Computing Surveys (CSUR), 22(4):299–319, 1990.
- [Woo14] Gavin Wood. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper, 151:1–32, 2014.
- [YGKX10] Haifeng Yu, Phillip B. Gibbons, Michael Kaminsky, and Feng Xiao. Sybillimit: A near-optimal social network defense against sybil attacks. IEEE/ACM Trans. Netw., 18(3):885–898, 2010.
- [YKGF08] Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, and Abraham D. Flaxman. Sybilguard: defending against sybil attacks via social networks. IEEE/ACM Trans. Netw., 16(3):576–589, 2008.