Making Contribution-Aware P2P Systems Robust to Collusion Attacks Using Bandwidth Puzzles Vyas Sekar, Carnegie Mellon University Joint work with Michael Reiter, Chad Spensky, UNC Chapel-Hill Zhenghao Zhang, Florida State 1

Peer-Assisted Content Distribution Peers upload data to other peers Reduces cost of server deployment Increases scalability Incentives for users to contribute upload capacity ? 2

Contribution Awareness for P2P Alice earns “credits” from Bob for uploading Alice earns “credits” from Bob for uploading Premium content Server-assist Downloads Priority service Freq. flyer discounts Alice exchanges “credits” for rewards Alice exchanges “credits” for rewards Do you see an obvious problem here ? 3

Collusion Attack ✕ Premium content Server-assist Downloads Priority service Freq. flyer discounts Defeats the purpose of contribution-awareness Not just hypothetical  Observed in real deployments! e.g., Lian et al, ICDCS 07 How can we mitigate such collusion attacks? Bandwidth Puzzles 4

Outline Collusion in Contribution-Aware P2P High-Level Idea Design and Analysis Implementation and Evaluation 5

Key Idea 1: Proof of Content Transfer 1. Bob wants to credit Alice 2.Prove that you really have the file! 3. Approve transaction 3. Credit Alice Logically centralized verifier with access to content e.g., Content Owner, CDN node in P2P-CDN Streaming Server Logically centralized verifier with access to content e.g., Content Owner, CDN node in P2P-CDN Streaming Server Puzzle tied to content. Easy, if you have it Difficult, if you dont Puzzle tied to content. Easy, if you have it Difficult, if you dont 6

One obvious problem with this idea.. 1. Bob wants to credit Alice 2.Prove that you really have the file! 3. Approve transaction 3. Credit Alice Bob doesn’t have the file Forwards puzzle to Alice; Alice solves puzzle for Bob! 7

Key idea 2: Simultaneous Puzzles Prove that you really have the file! Prove that you really have the file! Bob doesn’t have the file Forwards puzzle to Alice; Alice solves puzzle for Bob! ✕ Alice has limited compute resources 8

Outline Collusion in Contribution-Aware P2P High-Level Idea Design and Analysis Implementation and Evaluation 9

Puzzle Requirements Prove that you really have the file! Prove that you really have the file! 10 Doesn’t have file Has the file Low generation cost Low verification cost Tunable puzzle difficulty Low communication cost Difficult for Bob Relatively easy for Alice “Personalized”: Puzzles don’t Help each other

11 Basic Puzzle Construction …. content, filesize = n bits Security parameters: L, k Generate L index sets, |L|=k IndexSet  {i | i  rand(n)} Pick l*  rand(L) h*  Hash( content[IndexSet l* ]) Send h*, IndexSets to Bob Bob needs to return Within time T Generate IndexSets = O(kL) Overhead to send = O( kL log n) Overhead to send = O( kL log n)

12 Efficient Puzzle Construction …. content, filesize = n bits Security parameters: L, k, κ Generate L index sets, |L|=k IndexSet  {i | i  rand(n)} Pick l*  rand(L) h*  Hash( content[IndexSet l* ]) Send h*, IndexSets to Bob Bob needs to return Within time T PRFs: f 1 :{1..L}  {0,1} κ f 2 :{1..k}  {1..n} K1  Rand( {0,1} κ ) Pick l*  rand(L) K2  f 1 K1 (l*) str*  content[f 2 K2 (1)]|| … ||content[f 2 K2 (k)] Compute h*  Hash(str* ) Send K1, h* to Bob Generation time independent of L Communication costs independent of L,k

Security Analysis 13 Content Oracle Content Oracle Hash Oracle Hash Oracle Verifier sends P puzzles to a set of A adversaries Need to answer puzzles within T seconds Can make “A q hash “ queries Each makes “q post “ more queries Make “A q pre “ queries Models how many bits need to be transferred Captures compute constraints Bound the expected number of puzzles that these “A” adversaries can solve, given: n (filesize), P (#puzzles), q hash (#hash queries), q pre (#file bits before), q post (#file bits after) Equivalently, what is the minimum q post required to solve P puzzles. Key Implication: Can set parameters to ensure that q post = Ω(n)

An Example of the Theorem 14

Outline Collusion in Contribution-Aware P2P High-Level Idea Design and Analysis Implementation and Evaluation 15

Implementing Bandwidth Puzzles Media streaming using RTP – Jave, jlibrtip implementation AES for PRF, SHA-256 for Hash What we evaluate … – Client heterogeneity – Impact on application performance – Verifier Scaling – Effect of packet loss 16

Simple Verifier handles > clients 17 Take Away: 75 %ile CPU is largely invariant as #clients increases

Impact on application performance 18 Take Away: App performance is unaffected by puzzles

Simulating a P2P streaming system Streaming model similar to Splitstream – Stream divided into stripes – More stripes  greater quality Contribution-awareness (Maze, [ICDCS 07]) – Peer requests prioritized by “points” earned – 1.5 points for 1MB upload, -1 point for download Attack Model: Sybil-like – Fake identities generate fake transactions – Boosts score  improves attacker performance 19

Benefits of puzzles via simulation 20 Take Aways: Honest clients unaffected; Attackers don’t gain!

Some caveats.. Assumes files are incompressible – Not that big a deal; e.g., MPEG, DivX already pretty compressed Cannot exactly pinpoint who has file/doesn’t “Invisible” colluders – Get file, “leave” system – Not a problem in streaming system.. Setting puzzle threshold.. – 7x worst case allowed; can try memory bound? 21

Summary P2P  Incentives  Contribution-Awareness  Collusion – Strategic attackers can game system and deny service to honest users Mitigate collusion via Bandwidth Puzzles – Puzzle solution tied to content – Simultaneity to prevent shared solving – Forces bandwidth misbehaving nodes Easy and practical – Unoptimized implementation handles > clients – Doesn’t affect application Immediate performance benefits – Insulates honest clients from strategic attackers – Deters attackers by limiting scope for gaming the system 22