Making Contribution-Aware P2P Systems Robust to Collusion Attacks Using Bandwidth Puzzles Vyas Sekar, Carnegie Mellon University Joint work with Michael Reiter, Chad Spensky, UNC Chapel-Hill Zhenghao Zhang, Florida State 1 Peer-Assisted Content Distribution Peers upload data to other peers Reduces cost of server deployment Increases scalability Incentives for users to contribute upload capacity ? 2 Contribution Awareness for P2P Server-assist Downloads Freq. flyer discounts Priority service Premium content Do you see an obvious problem here ? Alice exchanges “credits” for rewards Alice earns “credits” from Bob for uploading 3 Collusion Attack Server-assist Downloads Freq. flyer discounts Priority service Premium content Defeats the purpose of contribution-awareness Not just hypothetical Observed in real deployments! e.g., Lian et al, ICDCS 07 ✕ How can we mitigate such collusion attacks? Bandwidth Puzzles 4 Outline • Collusion in Contribution-Aware P2P • High-Level Idea • Design and Analysis • Implementation and Evaluation 5 Key Idea 1: Proof of Content Transfer 3. Approve transaction Logically centralized verifier with access to content e.g., Content Owner, CDN node in P2P-CDN Streaming Server Puzzle tied to content. Easy, if you have it Difficult, if you dont 6 One obvious problem with this idea.. 3. Approve transaction Bob doesn’t have the file Forwards puzzle to Alice; Alice solves puzzle for Bob! 7 Key idea 2: Simultaneous Puzzles Alice has limited compute resources Bob doesn’t have the file ✕ Forwards puzzle to Alice; Alice solves puzzle for Bob! 8 Outline • Collusion in Contribution-Aware P2P • High-Level Idea • Design and Analysis • Implementation and Evaluation 9 Puzzle Requirements Low generation cost Low verification cost Tunable puzzle difficulty Low communication cost Relatively easy for Alice Difficult for Bob Has the file Doesn’t have file “Personalized”: Puzzles don’t Help each other 10 Basic Puzzle Construction Generate IndexSets = O(kL) content, filesize = n bits Security parameters: L, k …. Generate L index sets, |L|=k IndexSet {i | i rand(n)} Pick l* rand(L) h* Hash( content[IndexSet l* ]) Overhead to send = O( kL log n) Send h*, IndexSets to Bob Bob needs to return< l*, IndexSet l*> Within time T 11 Efficient Puzzle Construction PRFs: f1 :{1..L} {0,1}κ f2 :{1..k} {1..n} content, filesize = n bits Security parameters: L, k, κ …. Generate L index sets, |L|=k K1 Rand( {0,1}κ ) IndexSet {i | i rand(n)} Generation time independent of L Pick l* rand(L) Pick l* rand(L) K2 f1 K1 (l*) 2 2 (k)] h* content[IndexSet str*Hash( content[f l* ]) K2 (1)]|| … ||content[f K2 Compute h* Hash(str* ) Send h*, IndexSets to Bob Send K1, h* to Bob Communication costs independent of L ,k Bob needs to return< l*, IndexSet l*> Within time T 12 Security Analysis Models how many Captures compute bits need to be constraints transferred Bound the expected number of puzzles that these “A” adversaries can solve, given: n (filesize), P (#puzzles), qhash (#hash queries), qpre (#file bits before), qpost (#file bits after) Content Hash Oracle Oracle Verifier sends P puzzles to a set of A adversaries Make “A qpre“ queries Each makes “qpost “ more queries Can make “A qhash “ queries Need to answer puzzles within T seconds Equivalently, what is the minimum qpost required to solve P puzzles. Key Implication: Can set parameters to ensure that qpost = Ω(n) 13 An Example of the Theorem 14 Outline • Collusion in Contribution-Aware P2P • High-Level Idea • Design and Analysis • Implementation and Evaluation 15 Implementing Bandwidth Puzzles • Media streaming using RTP – Jave, jlibrtip implementation • AES for PRF, SHA-256 for Hash • What we evaluate … – – – – Client heterogeneity Impact on application performance Verifier Scaling Effect of packet loss 16 Simple Verifier handles > 10000 clients Take Away: 75 %ile CPU is largely invariant as #clients increases 17 Impact on application performance Take Away: App performance is unaffected by puzzles 18 Simulating a P2P streaming system • Streaming model similar to Splitstream – Stream divided into stripes – More stripes greater quality • Contribution-awareness (Maze, [ICDCS 07]) – Peer requests prioritized by “points” earned – 1.5 points for 1MB upload, -1 point for download • Attack Model: Sybil-like – Fake identities generate fake transactions – Boosts score improves attacker performance 19 Benefits of puzzles via simulation Take Aways: Honest clients unaffected; Attackers don’t gain! 20 Some caveats .. • Assumes files are incompressible – Not that big a deal; e.g., MPEG, DivX already pretty compressed • Cannot exactly pinpoint who has file/doesn’t • “Invisible” colluders – Get file, “leave” system – Not a problem in streaming system .. • Setting puzzle threshold .. – 7x worst case allowed; can try memory bound? 21 Summary • P2P Incentives Contribution-Awareness Collusion – Strategic attackers can game system and deny service to honest users • Mitigate collusion via Bandwidth Puzzles – Puzzle solution tied to content – Simultaneity to prevent shared solving – Forces bandwidth spending @ misbehaving nodes • Easy and practical – Unoptimized implementation handles > 10000 clients – Doesn’t affect application • Immediate performance benefits – Insulates honest clients from strategic attackers – Deters attackers by limiting scope for gaming the system 22