Much of the active sabotage attacks, such as forg- into the network. We allow arbitrary adversaries with
ing the correctness and authenticity of data as well bounded resources, i.e. an adversary may have an un-
as misrouting, can be addressed using cryptographic limited number of IDs for its peers but it can only own
techniques such as selfcertifying path names [8], end- at most an -fraction of the peers in the system at any
to-end acknowledgements, etc. These techniques al- time. Such adversaries are called -bounded. A priori,
low the system to detect and ignore nonauthentic data, adversarial peers cannot be distinguished from honest
avoid peers who incorrectly route, etc. Blocking of peers.
routing packets appears to be the most difficult to mon- We assume that every honest peer that wants to join
itor. Examples of routing attacks are discussed in Cas- the system knows some honest peer already in the sys-
tro et al. [3], and examples of data-related attacks are tem and thus can initiate the Join operation by one of
described by Sit and Morris [11], who give a series these peers. This is a reasonable assumption, because
of examples of particular weaknesses in existing hash- if a new honest peer does not know any honest peer in
based networks and discuss potential defenses against the system, there is certainly no (reliable) way that it
some of these problems. [3] describe attacks that can can join the system.
be mounted against such overlay networks and the ap- We consider asynchronous systems in which every
plications they support, and present the design of se- honest peer has roughly the same clock speed but there
cure techniques that may help thwart some of these at- is no global time. Since honest peers are considered
tacks in certain practical scenarios (such as using cer- reliable, we assume that at any point in time, any mes-
tified IDs). sage sent by an honest peer p to another honest peer q
Below we describe some of the more theoretical ap- will arrive at q within a unit of time. (Other message
proaches. transmissions may need any amount of time.) Further-
Classical distributed computing methods [6, 2, 7, 9] more, honest peers have unbounded bandwidth, i.e. an
use Byzantine agreement and two-phase commit ap- honest peer can receive and send out an unbounded
proaches with inherently Ω(n) redundancy and over- number of messages in a unit of time. The latter as-
head to maintain a safe state. sumption allows us to ignore denial-of-service attacks,
Random or unpredictable placement of data in a log- but it does not simplify the task of securing an overlay
arithmic size subset of locations (as in Freenet) ensures network against legal attacks (i.e. attacks exploiting
that data is difficult to attack, but also makes it diffi- security holes in its protocols). As long as adversarial
cult to retrieve. Specifically, data retrieval of randomly peers do not transmit unnecessary packets, the num-
placed data requires a linear number of queries, which ber of messages an honest peer will have to deal with
is definitely unscalable. in a time unit will normally be low so that our pro-
Provable randomness is the method pursued in [1]. tocols are practical despite this assumption. Designing
This results in fairly complex protocols, using various provably secure overlay networks for honest peers with
cryptographic assumptions. bounded bandwidth is very challenging and needs fur-
ther research.
We assume that a certification authority is available
2 The Trust-but-Verify approach to issue certified names to peers that want to enter the
system. This prevents peers from taking over the iden-
We start with a collection of basic assumptions explain- tities of other peers, but it does not prevent adversarial
ing the model of our approach. peers from registering under adaptively chosen names
that are different from names of the honest peers. An
2.1 Basic assumptions honest peer only establishes connections to peers with
correctly certified names. The identification number of
We consider a peer to be adversarial if it belongs to an a peer p, ID(p), in our overlay network is determined
adversary or it is simply unreliable. Otherwise, a peer by a pseudo-random one-way hash function mapping
is called honest. We assume that honest peers cannot names to real values in [0, 1). The pseudo-randomness
be taken over by the adversary. However, the adver- makes sure that IDs of honest peers are random, and
sary has a collection of own peers that it can integrate the one-way property makes sure that if the name of a
peer cannot be taken over, it is also hard to take over In the following, a region always means an interval of
its ID. Finally, we need some assumptions about how size 1/2i for some integer i ≥ 0 starting at an integer
messages are passed. We assume that the source of a multiple of 1/2i . I.e. every region has a unique tree
message cannot be forged so that adversarial peers can- node.
not forge messages from honest peers. Also, a message Given a peer p and a region R, let CR denote p’s
sent between honest peers cannot be deleted or altered view of R, i.e. the set of peers p is connected to in
by the adversary. However, the adversary may know R. p’s view of R is called reliable if the number of
p p
about every message sent in the system. adversarial peers in CR is at most |CR |/4. Given that
all honest peers have random IDs, the following result
2.2 Outline of Trust-but-Verify approach holds, where n is the current number of honest peers in
the system.
The basis of the trust-but-verify approach is the as-
sumption that the hash value of every honest peer is Theorem 2.1 Let 0 < ≤ 1/8 and c > 0 be con-
like an independent, random value in [0, 1), but hash stants. If for some peer p and region R, |R| ≥
p p
values of adversarial peers may be any values differ- (c log n)/n and |CR | ≤ (1 + )|R| · n, CR contains
ent from the values of honest peers. The honest peers all honest peers in R, and c is sufficiently large com-
will organize in regions R ⊆ [0, 1) they consider to pared to , then p’s view of R is reliable, with high
be safe (i.e. the honest peers are in the majority) and probability.
will form a hypercubic pointer structure between these
regions. If an honest peer feels that one of its regions The theorem directly follows from the well-known
is no longer safe, it will change it to a larger region. Chernoff bounds because if |R| ≥ (c log n)/n for a
On the other hand, if an honest peer feels that a subre- sufficiently large c, then the number of honest nodes in
gion within one of its regions is now safe, it will move R is at least (1 − )|R| · n, with high probability. In this
to the subregion. Each honest peer will continuously case, the fraction of adversarial nodes in C R can be at
probe peers it knows in its regions. If some peer does most 2 ≤ 1/4 if ≤ 1/8.
not respond, the honest peer will drop its connection Hence, honest nodes p should, as a prerequisite, try
to it. Since we assume honest peers to be reliable, this to maintain connections to regions R so that |R| ≥
will not happen to honest peers. Messages are routed (c log n)/n and |CR | ≤ (1+)|R|·n. If this is true, we
along safe regions to make sure that adversarial peers say that p views its region to be reliable, or the region is
cannot alter, delay, or delete them. Next we give a more safe. There are several issues that have to be addressed
detailed description of how to select regions, how to in- in order to maintain these safeness requirements. For
terconnect the peers, and how to join, leave, and search example, honest peers need a good approximation of n,
in the overlay network. and they need to be able to send region queries in order
to expand their region view if necessary. Also, as we
2.3 Region decomposition will see, just maintaining safe regions is not sufficient
for reliable communication as required for estimating
Consider an infinite complete binary tree T with root n.
r. We use T to decompose [0, 1) into a hierarchy of
intervals. For this, let each edge to a left child have 2.4 Overlay network
label 0 and each edge to a right child have label 1. For
each node v in T , we define its label `(v) to be the The level of a region R is defined as the level of its tree
bit string resulting from the edge labels when going node and denoted by `R , where the root of the decom-
along the unique path from r to v. (I.e. the leftmost position tree has level 0.
node in level 4 of T has label 0000, and its sibling has The aim of every honest peer p is to maintain the
label 0001.) For any node label ` = (x 1 x2 x3 . . .), we smallest region Sp containing ID(p) that is safe from
define b(`) = i≥1 xi 2−i . Using this terminology, we p’s point of view. Sp is also called p’s home region.
can associate a unique region in [0, 1) with each tree Also, a set of active regions Ap = {Api | i ∈ ZZ} is
node v at level i in T : Rv = [b(`(v)), b(`(v)) + 1/2i ). maintained so that for every i ≥ 0,
1. Api (resp. Ap−i ) is the smallest region containing p still keeps a backup of Sp for a limited time to
ID(p) + 1/2i (resp. ID(p) − 1/2i ) that is safe from avoid problems for regions A ∈ Aq containing p.)
p’s point of view and
2. N Sp is still unsafe. Then p moves one level up-
p p
2. at least |CA p |/3 (resp. |C p |/3) of the peers q in
wards with N Sp . (We explain below how to real-
i −i
Api (resp. Ap−i ) reported to p that `Sq ≥ `Ap (resp. ize that.)
`Sq ≥ `Ap ). 3. A region N Api ∈ N Ap is now safe. Then p sends
Using the 1/3 rule in condition 2 has two benefits: (p, i, `N Sp ) to all peers q it knows of that contain
First, it guarantees that if an active region A is reli- p in one of their untrusted regions and updates A pi
able, then there is at least one honest peer having its to N Api .
safe region inside A, which is useful for routing. Sec- 4. A set N Api ∈ N Ap is still unsafe or violates the
ond, if the 1/3 rule is violated at some point, then the 1/3 rule. Then p moves one level upwards with
majority of peers having a safe region larger than A is N Api .
honest, allowing p to use a majority rule for view fil-
tering to expand A to a region of higher level. If the arrival rate of honest and adversarial peers is lim-
Notice that there can be different values i 1 and i2 ited to / log 2 n, then the size of currently trusted re-
with Api1 ⊆ Api2 , so regions may sometimes be con- gions is accurate enough to estimate n. Also, if the de-
tained in other regions, but for any two active regions parture rate of honest peers is limited to / log 2 n, then
R1 and R2 of a peer p it must hold that either R1 ⊆ R2 the honest peers will be able to find new safe regions
(resp. R2 ⊆ R1 ) or R1 ∩ R2 = ∅. Those regions R1 for Sp and some Api quickly enough before the old ver-
with R1 ⊆ R2 only have to be maintained implicitly, sions of these sets become unreliable. More precisely,
so that p only has to explicitly store O(log n) regions the following result can be shown.
at any point in time.
Besides Sp and Ap , each honest peer p also main- Theorem 2.2 If the adversary is -bounded for some
tains a region N Sp representing the new but not yet sufficiently small constant > 0 and the arrival and
safe version of Sp and a set of regions N Ap represent- departure rate of honest and adversarial peers is at
ing the new but not yet safe version of A p . All new most 0 / log 2 n for some sufficiently small constant
peers are only added to N Sp and N Ap . If N Sp is safe 0 > 0, then our protocols ensure that for any honest
at some point, Sp is replaced by N Sp . The same is peer p, Sp and any A ∈ Ap are reliable at any time,
done for regions in N Ap . Hence, Sp and Ap are safe with high probability.
snapshots of the system. p views the regions S p and
In order to prove this result, we have to describe how
Ap as trusted and the other regions N Sp and N Ap as
to grow the size of a region. This is handled by region
requests. Before explaining them, we start with lookup
p maintains connections to all peers in S p (and some
limited number of older versions of S p ), Ap , N Sp , and
N Ap and all peers q (it knows of) with p in S q , Aq ,
N Sq , or N Aq , but p only forwards requests with a ma- 2.6 Lookup requests
jority consensus in one of its trusted regions. The peer p initiating a request M sends M to all nodes
of its active region Ap0 . Every peer q that receives M
2.5 Maintaining safe and active regions will forward M to all peers q 0 it knows within Ap0 . Ev-
An honest peer p performs the following actions to ery peer q that receives M from at least half of the
nodes in Sq sends it on to all nodes of its active re-
maintain its safe and active regions:
gion representing the next hop of M to its destination.
1. N Sp is now safe. Then p sends (p, `N Sp ) to all There, the same spreading and checking is done as in
peers q it knows of that contain p in one of their p’s active region until M reaches the destination.
untrusted regions and updates Sp to N Sp . (N Sp Condition 2 of an active region and Theorem 2.2
may be smaller or larger than Sp . If `N Sp < `Sp , make sure that if p is honest, there is always at least
one honest peer at each hop that receives the message size, i.e. (c log n)/n. If this does not provide a safe
from a majority of nodes in its safe region so that the region for some Api or Sp , p moves upwards with that
message is delivered in O(log n) steps. region until it obtains a region satisfying the require-
ments of a safe or active region. For each such region
2.7 Region requests that p obtains, p integrates itself into the system. After
O(log 2 n) steps, p is fully integrated.
Region requests also use active regions to obtain a le- Leaving is simple: a peer may leave with or without
gal view of some requested region. A peer is called a notice. It is only important that the departure rate of
legal member of the system if at least one honest peer honest peers does not exceed / log 2 n.
is connected to it, and a view of a region R is called
legal if it only contains legal members. We intend to prove the following conjecture as the
A region request that is still outside the requested end result of all the conditions and protocols.
region is handled like a lookup request. Once a region Conjecture 2.3 The Trust-but-Verify method results in
request for R is in R, the request is split into two re- a survivable overlay network.
quests, one for each subregion of R, and this division
