Who are you?
Secure identities in ad hoc networks
Seth Gilbert (National University of Singapore)
Calvin Newport (Georgetown University)
Chaodong Zheng (National University of Singapore)
Identity establishment in wireless networks
The Sybil Attack
• [Definition] Sybil attack: the behavior where malicious users dishonestly generate a large number of fake identities (also called sybil identities, or sybils) to obtain an unfair advantage or conduct other hostile activity.
What we offer
• Algorithms that solve identity establishment
• With good sybil bound
• Asymptotically optimal
• With correctness guarantee
• Every correct node accepts all other correct nodes
The basic idea for sybil-resistance…
Radio resource testing!
[Figure: msg sent on channel one and channel two; Ack for msg]
Honest users: always pass the test!
Malicious users: lose (fake) identity with 50% chance!
[1] N. James, E. Shi, D. Song, and A. Perrig. The sybil attack in sensor networks: Analysis & defenses.
[2] D. Mónica, J. Leitão, L. Rodrigues, and C. Ribeiro. On the use of radio resource tests in wireless ad-hoc networks.
Challenges
• Decentralized (i.e., ad hoc) environment
• No central base station
• Efficiency of radio resource tests
• Test on per-pair basis is too slow
• Colluding when multiple malicious clients exist
• Insufficient to divide nodes into just two channels
Overview of this (short) talk
• Background and Motivation
• Approach and Results
• Model and Problem
• The SimpleSybilSieve Algorithm
• The SybilSieve2 Algorithm
Model: multi-channel wireless network
• Network: consists of c channels
• Single-hop, synchronous
• Users: n nodes in total
• Nodes don’t know n, don’t have pre-assigned identities
• Can use crypto tools
• Communication: each node has one transceiver
• Each transceiver can access all channels
• Each transceiver can send/receive on one channel at any time
Model: adversary
• t (of the n nodes) are Byzantine
• 𝑡 ≤ 𝑛/α, and 𝑡 ≤ 𝑐/α, for some constant 𝛼 ≥ 1
• Faulty nodes can: create sybils, jam, etc.
• Faulty nodes can also collude
• Model them as one adversary called Eve
Problem: sybil-resistant identity establishment
• Nodes are activated simultaneously
• Each node randomly generates an asymmetric key pair
• Use public key as the identity
• Sign messages to prevent spoofing
• Goal: provide each node with a set of identities
• Contains all honest nodes
• Contains a limited number of sybil identities
SimpleSybilSieve: Intuition
Assume we know the value of n
Assume we have n/2 channels (i.e., c=n/2)
Imagine: each node randomly chooses a channel, then broadcasts
or listens each with probability ½
After 𝑛lg(𝑛) time slots, each node will:
Hear approximately 1/e fraction of silent rounds
Hear each other honest node Θ(lg(𝑛)) times (criteria for accepting identities)
Accept at most 𝑂(𝑡) sybil identities (when using the above criteria)
SimpleSybilSieve: Handle unknown n
Estimate n via doubling: n=1? n=2? n=4? n=8? n=16? …
When the estimate equals 𝑛, use 𝑛/2 channels
Use the fraction of silent rounds heard to verify correctness
Estimate is small: Eve can do nothing due to contention
Estimate is large: Eve can do nothing due to the large number of channels
SimpleSybilSieve: Handle small c
When the number of channels needed is larger than c, simulate them!
However, this allows Eve to create more sybils!
[Figure: one round = time slot 1 + time slot 2; channels 1–8 simulated on channels 1–4]
The SimpleSybilSieve Protocol
• Proceeds in epochs, each of which contains multiple rounds
• In epoch i, nodes assume n = 2^i, use 2^(i−1) channels
• In each round, each node randomly chooses a channel
• Then, broadcast or listen each with probability ½
• Use fraction of silent rounds heard to check if estimation is correct
Epoch 1: 𝑛 = 2? (1 channel)
Epoch 2: 𝑛 = 4? (2 channels)
……
Epoch lg(𝑛) − 1: 𝑛 = 2^(lg(𝑛)−1)? (2^(lg(𝑛)−2) channels)
Epoch lg(𝑛): 𝑛 = 2^lg(𝑛)? (2^(lg(𝑛)−1) channels)
……
Epoch lg(𝑛) + 2: 𝑛 = 2^(lg(𝑛)+2)? (2^(lg(𝑛)+1) channels)
The SimpleSybilSieve Protocol (Continued…)
• Once the fraction of silent rounds reaches some constant 𝛾1
• Nodes start accepting identities
• Once the fraction of silent rounds reaches some constant 𝛾2 > 𝛾1
• Nodes terminate
• Criteria for accepting an identity
• Heard that identity “sufficiently” often in current epoch
[Figure: timeline of epochs 1, 2, …, lg(𝑛) − 1, lg(𝑛), …, lg(𝑛) + 2]
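Added example (not from the talk or the authors' code): a Python simulation of one honest node's view of the epoch-doubling protocol described on the two slides above, with honest nodes only and no Eve. The constants GAMMA1, GAMMA2 and K, the acceptance threshold of lg(estimate) hearings, accepting in the terminating epoch, and all function names are assumptions made for illustration.

```python
import random

# Assumed constants; the talk only says gamma1 < gamma2 and "sufficiently often".
GAMMA1, GAMMA2, K = 0.25, 0.5, 16

def run_epoch(n, i, rng):
    """Node 0's view of epoch i: estimate 2**i, 2**(i-1) channels, honest nodes only."""
    n_hat, channels = 2 ** i, 2 ** (i - 1)
    listened = silent = 0
    heard = {}                                   # identity -> rounds heard cleanly
    for _ in range(K * n_hat * i):               # about n_hat * lg(n_hat) rounds
        # Every node picks a channel, then broadcasts with probability 1/2.
        picks = [(rng.randrange(channels), rng.random() < 0.5) for _ in range(n)]
        my_channel, i_broadcast = picks[0]
        if i_broadcast:
            continue                             # one transceiver: cannot listen too
        listened += 1
        senders = [v for v in range(1, n) if picks[v] == (my_channel, True)]
        if not senders:
            silent += 1
        elif len(senders) == 1:                  # two or more senders collide
            heard[senders[0]] = heard.get(senders[0], 0) + 1
    frac = silent / listened if listened else 0.0
    # Assumed acceptance rule: heard at least lg(n_hat) = i times in this epoch.
    return frac, {v for v, count in heard.items() if count >= i}

def simple_sybil_sieve(n, seed=1):
    """Returns (first accepting epoch, terminating epoch, accepted ids, trace)."""
    rng = random.Random(seed)
    accepted, first_accept, trace = set(), None, []
    for i in range(1, 2 * n.bit_length() + 2):
        frac, candidates = run_epoch(n, i, rng)
        trace.append((2 ** i, round(frac, 3)))
        if frac >= GAMMA1:                       # estimate plausible: start accepting
            accepted |= candidates
            first_accept = first_accept or i
        if frac >= GAMMA2:                       # estimate large enough: terminate
            return first_accept, i, accepted, trace
    return first_accept, None, accepted, trace

if __name__ == "__main__":
    first, last, ids, trace = simple_sybil_sieve(32)
    for n_hat, frac in trace:
        print(f"estimate {n_hat:3d}: silent fraction {frac}")
    print(f"accepting from epoch {first}, terminated in epoch {last}, accepted {len(ids)}")
```

With 32 nodes the silent fraction stays near zero while the estimate is too small (contention), reaches roughly 1/e when the estimate equals n, and keeps rising afterwards, which is what lets the two thresholds bracket the correct epoch.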
SimpleSybilSieve’s guarantees
• [Theorem] For any 𝑡 ≤ min{𝑛, 𝑐}/α where 𝛼 ≥ 6, SimpleSybilSieve finishes within 𝑂(𝑛 lg² 𝑛 ∙ max{1, 𝑛/𝑐}) slots, and guarantees the following, with high probability: (a) there are at most 𝑂(𝑡 · max{1, 𝑛/𝑐}) sybil identities accepted by the honest nodes, collectively; and (b) every honest node accepts all other honest nodes.
• When 𝑐 ≥ 𝑛, running time is 𝑂(𝑛 lg² 𝑛) and sybil bound is 𝑂(𝑡)
• Asymptotically optimal sybil bound
• When 𝑐 < 𝑛, running time is 𝑂(𝑛² lg² 𝑛) and sybil bound is 𝑂(𝑛)
• Hum… Not so good…
Can we do better?
• SybilCast: a protocol for centralized wireless networks
• SybilCast: guarantees 𝑂(𝑡) sybil bound even if 𝑐 < 𝑛
• Imagine such a protocol:
• First run SimpleSybilSieve
• Then run SybilCast many times, each time one identity is base station
• An identity is accepted only if it is not sybil in most of these SybilCast instances
[Figure: timeline: SimpleSybilSieve, then SybilCast instances with Alice, Bob, Charlie, …, Zula as BS]
[1] Seth Gilbert and Chaodong Zheng. SybilCast: Broadcast on the open airwaves.
But, wait…
• For SimpleSybilSieve:
• Nodes may terminate at different times…
• Nodes may accept different sets of identities…
• Need synchronization and consensus mechanisms!
• We build a sybil-resistant consensus primitive: SybilSensus
• Based on an existing Byzantine consensus protocol
[Figure: timeline: SimpleSybilSieve???, then SybilCast instances with Alice, Bob, Charlie, …, Zula as BS]
[1] T. Srikanth and S. Toueg. Simulating authenticated broadcasts to derive simple fault-tolerant algorithms.
SybilSieve and SybilSieve2
• SimpleSybilSieve to SybilSieve: add SybilSensus to end of each epoch
• Nodes terminate simultaneously
• Nodes have same estimation on network size
• Use SybilSensus again to agree on set of accepted identities
• Run repeated instances of (variant of) SybilCast
• Accept an identity if it is not sybil in most repetitions
[Figure: SybilSieve timeline: Epoch 1, SybilSensus, Epoch 2, SybilSensus, …, Epoch i, SybilSensus. SybilSieve2 timeline: SybilSieve, SybilSensus, then SybilCast instances with Alice, Bob, Charlie, …, Zula as BS]
SybilSieve2 guarantees
• [Theorem] For any 𝑡 ≤ min{𝑛, 𝑐}/α where 𝛼 ≥ 256, SybilSieve2 finishes within 𝑂(𝑛² lg² 𝑛 ∙ max{1, 𝑛/𝑐}) slots, and guarantees the following, with high probability:
• (a) there are at most 𝑂(𝑡) sybil identities accepted by the honest nodes, collectively;
• (b) every honest node accepts all other honest nodes;
• (c) all honest nodes terminate simultaneously and have same estimation on network size which is either 2^lg(𝑛) or 2^(lg(𝑛)+1).
Comparison of variants
Variant | Running Time | Correctness | Sybil Bound | Synchronous Termination
SimpleSybilSieve | 𝑂(𝑛 lg² 𝑛 ∙ max{1, 𝑛/𝑐}) | YES | 𝑂(𝑡 · max{1, 𝑛/𝑐}) | NO
SybilSieve | 𝑂(𝑛² lg² 𝑛 ∙ max{1, 𝑛/𝑐}) | YES | 𝑂(𝑡 · max{1, 𝑛/𝑐}) | YES
SybilSieve2 | 𝑂(𝑛² lg² 𝑛 ∙ max{1, 𝑛/𝑐}) | YES | 𝑂(𝑡) | YES
To sum up…
• New algorithms for sybil-resistant identity establishment
• SimpleSybilSieve, SybilSieve, and SybilSieve2
• They provide trade-offs between runtime and sybil bound
• Pick the one that is most appropriate
• Useful subroutines that can be used elsewhere
• Sybil-resistant Byzantine consensus, network size estimation