Attack-resistant Spanning Tree Construction in Route-Restricted Overlay Networks
aa r X i v : . [ c s . CR ] A ug Attack-resistant Spanning Tree Construction inRoute-Restricted Overlay Networks
Martin Byrenheid
TU Dresden [email protected]
Stefanie Roos
Delft University of Technology [email protected]
Thorsten Strufe
TU Dresden [email protected]
Abstract —Nodes in route-restricted overlays have an im-mutable set of neighbors, explicitly specified by their users. Pop-ular examples include payment networks such as the Lightningnetwork as well as social overlays such as the Dark Freenet.Routing algorithms are central to such overlays as they enablecommunication between nodes that are not directly connected.Recent results show that algorithms based on spanning treesare the most promising provably efficient choice. However, allsuggested solutions fail to address how distributed spanning treealgorithms can deal with active denial of service attacks bymalicious nodes.In this work, we design a novel self-stabilizing spanning treeconstruction algorithm that utilizes cryptographic signatures andprove that it reduces the set of nodes affected by active attacks.Our simulations substantiate this theoretical result with concretevalues based on real-world data sets. In particular, our resultsindicate that our algorithm reduces the number of affectednodes by up to 74% compared to state-of-the-art attack-resistantspanning tree constructions.
I. I
NTRODUCTION
Payment or state channel networks like Lightning [13] arethe most promising approach to scaling blockchains, i.e.,enabling blockchain-based payment systems to process tensof thousands of transactions per second with nearly instantconfirmation. Participants in such payment networks establishchannels for trading assets such as digital coins. As estab-lishing channels requires use of the blockchain, which is bothtime- and cost-intensive, only nodes that frequently trade witheach other establish payment channels [6]. All other paymentspass from a sender to the receiver via multi-hop paths ofchannels. It is essential to find these paths in an effective,efficient, and privacy-preserving manner [16].Similarly, social overlays require finding paths from apeer to another in a network consisting only of connectionsbetween trusted pairs of nodes to realize scalable and privacy-preserving distributed services [3], [15].Both payment channel networks and social overlays henceshare the need for a routing algorithm. A number of promisingalgorithms for both networks rely on Breadth-First-Search(BFS) spanning trees [11], [15], [16], as these permit findingshortest paths and achieve the most efficient communication.The underlying spanning tree construction algorithm deter-mines the effectiveness, efficiency, and attack resilience ofthe routing. Resistance to attacks by malicious parties whoaim to prevent the tree construction from converging towardsa correct spanning tree is particularly important. Preventing the construction of a correct spanning tree results in routingfailures and hence constitutes a denial-of-service attack thatundermines communication. Such attacks are realistic for bothpayment channel networks and social overlays. For paymentchannel networks, adversarial parties may undermine therouting of payments to sabotage competing operators. Socialoverlays such as Freenet aim to protect communication fromcensorship [3]. They clearly require attack resistance againstparticipants aiming to execute censorship in the form of adenial-of-service attack.In the context of route-restricted overlays with potentiallymalicious participants, spanning tree algorithms have to fulfillthree requirements: (1) enable efficient communication byproviding short paths between honest nodes in the spanningtree, (2) efficiently adapt to changes of the network structure,and (3) maintain high availability in the presence of maliciousnodes that deliberately deviate from the construction protocolin order keep the network from converging. Yet, the existingwork on spanning tree-based routing only evaluates the firsttwo aspects jointly, leaving protection against malicious be-havior out of scope despite the likely existence of maliciousparties in both payment channel networks and social overlays.In this work, we focus on achieving all three requirementsjointly, giving rise to two key contributions: • We present a self-stabilizing algorithm for the compu-tation of a BFS spanning tree that uses cryptographicsignatures to check the integrity of statements about thedistance to the root node. We prove that the fraction ofnodes reaching a stable, non-compromised state is higherthan in state-of-the-art protocols. • We present results from an extensive simulation studybased on real-world data sets. The results demonstratethat the construction of BFS spanning trees without cryp-tographic measures is highly vulnerable to attacks, evenif the adversary establishes just a handful of connectionsto honest nodes. Furthermore, we show that our algorithmsubstantially raises the necessary number of such attackconnections to mislead a comparable number of nodes.II. R
ELATED W ORK
We review the existing work for routing in route-restrictedoverlays to show that the design of attack-resistant spanningtrees is indeed the key problem to solve. Afterwards, weconsider the existing work on attack-resistant spanning treeonstructions, which we then improve upon in the followingsections.
A. Routing in route-restricted overlays
We define an overlay network , or just overlay, as a networkbetween multiple logically connected nodes that communicatevia a public infrastructure such as the Internet. In route-restricted overlays , the logical connections between nodesare explicitly managed by their respective users and hard oreven impossible to adapt to create a topology that benefitsrouting. Apart from finding existing paths between nodes,routing algorithms have to be efficient and scalable withregard to delays for the delivery of messages, bandwidth andmemory consumption to provide adequate service for large-scale peer-to-peer networks such as payment channel networksand social overlays. Recent work [11], [15], [16] underlinesthat only routing algorithms based on rooted spanning treesprovide the necessary efficiency. Other approaches either useexpensive flooding for path discovery [10] or setup virtualtunnels [12], [14], [21], which, in face of network dynamics,require costly maintenance [17]. Alternatively, some paymentchannel networks of smaller size use source routing [13], [18],which requires that each node maintains a snapshot of theentire network. Source routing hence does not scale, as anychange to the network has to be broadcast.In the context of social overlays, Hoefer et al. [8] suggestedusing greedy embeddings based on rooted spanning trees toenable efficient routing between nodes. The approach haslater been extended to preserve the privacy of users and offerhigher attack resistance [15]. However, their adversarial modelonly considers the routing and not the construction of theunderlying spanning tree, which is an orthogonal approachto the one taken in this paper.For payment channel networks, Malavolta et al. [11] adaptedLandmark Routing [19], where a path between sender andreceiver is determined through an intermediate node via theconstruction of a breadth-first-search tree rooted at the latter.Roos et al. later on adapted the greedy embeddings to paymentchannel networks [16]. Both works aim to achieve efficiencyand privacy and do not consider security.It thus remains an open question, if and how such spanningtrees can be constructed in route-restricted overlays withmalicious participants.
B. Attack-resistant spanning tree construction
In the context of self-stabilization, Dubois, Masuzawa, andTixeuil proposed a BFS spanning tree algorithm and provedthat this algorithm guarantees that all nodes, except those thatare strictly closer to the adversary than to the root node,will eventually converge to a correct state [5]. While thealgorithm by Dubois et al. offers provable attack resistance,it considers a computationally unbounded attacker. Protectingagainst such a strong adversary disregards mechanisms such asdigital signatures that can help to further decrease the numberof affected nodes. In the context of distance vector routing, which implicitlyrelies on BFS trees, Zapata and Asokan [23] proposed aprotocol that utilizes hash chains to keep malicious nodes fromlying about their distance from the root node. Furthermore,their protocol employs cryptographic signatures to preventattacks on the mechanism for the detection of routing loops.Subsequently, Hu et al. [9] proposed a protocol that useshash chains both against attacks on the reported distanceas well as against attacks on loop-detection, thus reducingcomputational overhead compared to digital signatures. Incontrast to the work of Dubois et al., both approaches assumea computationally bounded attacker. However, they do notprovide a formal proof of their security guarantees.In summary, there exists no provably secure BFS treeconstruction algorithm under the assumption of a computa-tionally bounded attacker. We expect that such an algorithmcan provide protection to a larger set of nodes than the existinginformation theoretically secure algorithms.III. M
ODEL AND N OTATION
We now formalize route-restricted overlays as well as theproblem of computing a breadth-first-search tree in the contextof self-stabilization.
A. System model
We model a route-restricted overlay S = ( V, E ) as a finite set V of n nodes and a set of bidirectional communication links E ⊂ V × V . For each node u , the set N ( u ) = { v | { u, v } ∈ E } denotes the neighbors of u .We build upon the shared memory model where each pairof nodes { u, v } ∈ E can communicate via shared registers r uv and r vu , where u is only allowed to write into r uv andread from r vu . We thus call r uv u ’s output register and r vu its input register .Please note that we use the shared memory model solely tosimplify formal analysis, as it omits the modeling of messagetransmission. We consider this to be reasonable, as we focus onmalicious node behavior and neither link failures nor delays.For the computation of a BFS tree, every node u holds thefollowing elements: • ID u , a fixed, globally unique ID from a set ID , • level u , a non-negative integer variable denoting u ’s cur-rent, assumed distance to the root, • pID u , a variable holding the ID of the node that iscurrently considered parent, in other words, the neighborof u on the path to the root in the subgraph correspondingto the tree.Furthermore, each communication register holds two values ID and level such that each output register of a node u holds u ’s ID as well as its current level -value. Each inputregister r vu of a node u accordingly holds u ’s current viewof v ’s ID and level -value. In the following, we denote theset N min ( u ) = { v ∈ N ( u ) |∀ n ∈ N ( u ) : level v ≤ level n } as minimal neighbors of u . Parent nodes are always minimalneighbors in BFS spanning trees.e refer to the values currently held by the level - and pID -variable of a node u as well as the register contents, at onepoint in time, as the state of u . The state of u is said to be legitimate if it fulfills Def. 1. Definition 1. (Legitimate state)
Let S = ( V, E ) be a route-restricted overlay with a distinguished root node l ∈ V with ID -value ID L ∈ ID . The state of a node u whose minimalneighbors have level l min is called legitimate if it fulfills thefollowing conditions: level u = 0 iff ID u = ID L level u = l min + 1 if ID u = ID L pID u = ID u iff ID u = ID L ∃ v min ∈ N min ( u ) : pID u = ID v min if ID u = ID L B. Adversary model
In this work, we consider adversaries who aim to performlarge-scale denial of service attacks. For payment networks,they might be competing payment network operators who wantto attract more users by rendering other networks unusable.For social overlays, the adversary might aim to weaken theprivacy [1] or degrade utility so that users move to communi-cation services with weaker privacy protection.Allowing multiple adversaries to act in concert strictlyincreases their power. We hence assume a single, collectiveadversary who controls a set B of malicious (or adversarial )nodes and is able to set up a bounded number of connectionsbetween these malicious and honest nodes H . The motivationfor these bounds is the difficulty of large-scale social engineer-ing that will only be successful for a subset of participants.During an attack, each malicious node may report incorrectdata to the adjacent honest nodes in order to keep them fromreaching or remaining in a legitimate state. Thus, maliciousnodes may set their output registers arbitrarily and reportdifferent ID - and level -values to different neighbors.However, we assume that the adversary does not know allhonest nodes and their internal connections a priori. Hence, hecannot choose which nodes will be malicious or which nodeswill connect to malicious nodes. Given that social overlayand payment networks are large-scale and dynamic distributedsystems with participants from a multitude of countries, weconsider this assumption to be realistic.For all practical purposes, the Dolev-Yao model, whichassumes an adversary who is limited to polynomial-timeattacks – and hence unable to break secure cryptographicprimitives – has been accepted as realistic [4]. Hence, weaim for algorithms that protect against adversaries that arepolynomially bounded. C. Formalization of resilience and performance
We formalize the attack resistance of a spanning treeconstruction protocol via the concept of topology-aware (TA)strict stabilization [5]. To do so, we express the state of everynode in the overlay at one point in time as a configuration γ .Following the idea of self-stabilization, we consider thatevery node starts in an arbitrary state. Thus, nodes may change their state over time to reach a legitimate state. The sequenceof configurations γ , γ , . . . is called a computation Γ . Thetransition from γ t to γ t +1 is called a step and corresponds toat least one node processing the data in its input register andwriting corresponding data into its output register.Note that self-stabilizing algorithms never terminate butrepeatedly update their state and communication registers.However, a node executing a step may not actually changethe values of its variables or output registers (e.g., because itscurrent state is legitimate). a) Network dynamics: Route-restricted overlays are dy-namic: nodes may join and leave the system, connectionsbetween nodes are established or torn down over time. Anoverlay S = ( V, E ) changes into an overlay S ′ = ( V ′ , E ′ ) with a potentially different network size as a consequenceof such events. According to literature, we call such changes churn events . To account for the fact that computations aredefined for a fixed system S , a churn event interrupts acomputation on S and starts a new computation on S ′ .At the beginning of the new computation, all nodes in V ∩ V ′ have the same state as at the end of the computation on S ,reflecting the fact that they cannot detect the change until theyread from their registers. The remaining nodes in V ′ maystart in an arbitrary initial state. In route-restricted networks,the initial state includes information about the register ofneighbors, which the new node will eventually write to. b) Containment of attacks: TA strict stabilization for aset S B ⊂ H of honest nodes denotes that every honest node u except those in the set S B eventually reaches and remains ina legitimate state. We call the set S B the containment area of S , because S B (also called lost nodes ) represents the part ofthe network where the adversary can keep the state of nodesfrom converging, whereas all nodes outside of S B (called safenodes ) will eventually reach and remain in a legitimate state.We now formalize the concept of a node having only honestancestors on its path to the root. Definition 2. (Root-directed path)
Given a route-restrictedoverlay S and a configuration γ , the root-directed path P u of a node u is a finite sequence v , v , . . . , v n +1 of nodes ina legitimate state such that v n +1 = u and pID v i +1 = ID v i for all ≤ i ≤ n and either pID v = ID v (the legitimateroot) or v is a malicious node. We call u ill-directed if v i ismalicious for any ≤ i ≤ n and well-directed otherwise. As long as a node is ill-directed, it is subject to changesin the level -value reported by the adversarial node on itsroot-directed path. Thus, it is not guaranteed to remain in alegitimate state. However, an ill-directed node is not inherentlya lost node, because it might eventually become well-directedas the execution proceeds.We express the situation that a node’s state has convergedand remains unaffected by attacks as follows:
Definition 3. (Stable state)
The state of a node u is said tobe stable if it is legitimate and u never changes its level u -and pID u -variable as long as no churn event occurs. Inarticular, actions performed by malicious nodes do not affect u . A configuration γ is called S B -stable if the state of everynode in V \ S B is stable. We define a S B -topology-aware-strictly-stabilizing ( S B -TA-strictly-stabilizing) algorithm as follows: Definition 4. ( S B -TA-strictly-stabilizing algorithm) A dis-tributed algorithm A is S B -TA-strictly-stabilizing if and onlyif starting from an arbitrary configuration, every executioncontains a S B -stable configuration.c) Time complexity: To be able to reason about the timecomplexity that a distributed algorithm requires to reach a le-gitimate state, we use the concept of asynchronous rounds . Thefirst asynchronous round of a computation Γ is the shortestprefix Γ ′ of Γ such that each node has read from and wroteto all of its registers at least once. The second asynchronousround then is the first asynchronous round of the computationfollowing Γ ′ and so on. In other words, the length of anasynchronous round corresponds to the maximum amount oftime needed for the slowest node (regarding computationalspeed) to process its inputs and write the correspondingoutputs.IV. S IGNATURE - BASED COMPUTATION OF
BFS
TREES
The state-of-the-art algorithm for the construction of BFS treesproposed by Dubois et al. [5] ensures that all honest nodeswhose distance from the closest malicious node is higher orequal than their distance from the root will eventually reacha stable state. As the set of nodes that do not reach a stablestate is often quite large for this algorithm, we investigatealgorithms that achieve a higher number of stable nodes. Incontract to previous work, we assume our adversary to becomputationally bounded.In our design, each node u holds a public/private key pair p u , s u of an asymmetric cryptosystem. The public key p u ofeach node u is stored in the ID -register and the secret s u isstored in a new register called secret u . The given leader ID ID L then is the public key of the corresponding root node,implicitly choosing it as leader. Nodes do not require globalknowledge of all other nodes’ keys. a) Assumptions: Four assumptions underlie our design: • There is an honest root node whose key is known to allnodes (e.g., bank in a payment network [11]). • The clocks of any pair of nodes differ at most by aglobally known constant ∆ C . • The time needed for one iteration of each node’s mainloop is bounded by a globally known constant ∆ E . • The delay needed until a value written into an outputregister is available in the corresponding input register isbounded by a globally known constant ∆ D .The first assumption is in accordance with the existing liter-ature on tree-based routing in route-restricted overlays [11],[15], [16]. The remaining assumptions allow us to computeexpiration times for the data contained in the input registerof each node, thus keeping malicious nodes from reportingoutdated values obtained in previous computations. b) Level attestation: To keep malicious nodes from ly-ing about their distance to the root, we add a levelAtt -variable to each node u , which holds a finite sequence P =( p , t , sig ) , ( p , t , sig ) , . . . , ( p n , t n , sig n ) of tuples calleda level attestation . The elements p i , t i , and sig i denote a publickey, a timestamp, and a cryptographic signature, respectively.We say that such a sequence is valid for node u at time t ifthe following conditions are satisfied:1) p = ID L ,2) ∀ i ∈ { , .., n } : t − t i ≤ ∆ C + ( ∆ D + ∆ E )( n − i + 1) ,3) ∀ i ∈ { , .., n − } : sig i is a signature over p i +1 || t i thatis valid for p i ,4) sig n holds a signature over ID u || t n that is valid for p n ,where a || b denotes the concatenation of a and b .Condition (1) ensures that the first tuple of the attestationhas indeed been generated by the root node. Condition (2)ensures that adversarial nodes cannot use obsolete attestations(e.g., from an earlier computation) forever. Condition (3) and(4) ensure that the signatures are computed correctly. c) Link signatures: Additional to the level attestation,each node assigns a randomly chosen neighbor ID nID v to each neighbor v once in the beginning of the algorithm.During the computation, every honest node tells each neighborits respective neighbor ID. Whenever a neighbor of a node u transmits a new level attestation, it also has to send acorresponding neighbor signature that includes its neighborID assigned by u . Given a valid level attestation P with thelast element ( p, t, sig ) and a cryptographic hash function h , aneighbor signature s is valid for node u and neighbor v if s is a valid signature over nID v || h ( P ) for p . This addendumkeeps malicious nodes from sending a shortened version of anattestation received by an honest neighbor. d) Adaptive neighbor preference: To ensure stabilizationin the case that a node has multiple neighbors that are minimalaccording to Def. 1, each node u assigns a unique numberbetween and | N ( u ) | − to each neighbor and choosesthe minimal neighbor with the lowest number as parent. Thenumber of the current parent is kept in a variable prnt . Asthe preferred neighbor may be ill-directed, the algorithm ofDubois et al. [5] adaptively changes which neighbor will bepreferred whenever a node changes its parent. We implementedthis strategy as follows: We add an offset counter i start ∈{ , .., | N ( u ) | − } such that u traverses its neighbors from i start to ( | N ( u ) | −
1) + i start mod | N ( u ) | . Whenever a node u changes its parent from the neighbor with number prnt toa neighbor with a number prnt ′ that, counting from i start with wraparound, comes after prnt , then u will set i start to prnt ′ , thus favoring prnt ′ over prnt in the future. To comparenodes’ positions a and b with regard to i start , we say that a ≺ i start b if either i) i start ≤ a < b , ii) b < i start ≤ a oriii) a < b < i start . Informally, a ≺ i start b indicates that b bewill be reached later than a when counting from i start modulo | N ( u ) | . e) Spanning Tree Algorithm: Algorithm 1 displays thepseudocode for our spanning tree construction algorithm: Eachoutput register of every node u holds 5 elements, namely lgorithm 1: Attestation-based spanning tree on node u while true do foreach i in N ( u ) do lr iu := read ( r iu ) ts := getCurrentTime () i start := i start mod | N ( u ) | if ID = ID L then pID := ID level := 0 levelAtt := nil else parentF ound := false N valid := { i ∈ N ( u ) | isValidAtt ( lr iu . levelAtt , lr iu . level + ) ∧ isValidLink ( lr iu . levelAtt , lr iu . sig adj ) } level := min { lr iu .level | i ∈ N valid } + 1 foreach i in .. | N ( u ) | do j := i + i start mod | N ( u ) | if not parentF ound and N ( j ) ∈ N valid and level = lr ju .level + 1 then if prnt ≺ i start j then i start := j prnt := j pID := lr ju .ID levelAtt := lr ju .levelAtt parentF ound := true foreach i in N ( u ) do sig lvl := sign ( lr iu .ID || ts ) exAtt := append ( levelAtt, ( ID, ts, sig lvl )) sig adj := sign ( lr iu .nID || h ( exAtt )) write ( r ui ) := ( ID, level, exAtt, nID i , sig adj ) the ID - and level -value of u as well as the levelAtt - and nID -value together with the neighbor signature sig adj for thecorresponding neighbor. The algorithm leverages the followingcryptographic functions: The sign -function uses the key storedin the secret -register to compute a signature sig . The function h is a cryptographic hash function.Every node periodically reads the content of each input reg-ister, processes the content, and writes corresponding outputsto output registers. The leader node first ensures that its pID -and level -value are set correctly (Line 7–8). Subsequently, itgenerates a level attestation for each neighbor and writes itsown ID and level -value together with the respective nID -value, level attestation, and neighbor signature into the corre-sponding output register (Line 24–27). Because the levelAtt -variable is set to nil , the append -operation in Line 25 justreturns its second argument.During the processing stage (Line 11–22), an honest non-leader node recomputes its current pID -, prnt -, level - and levelAtt -value. It first checks the validity of the received levelattestations and neighbor signatures and computes the set ofvalid neighbors in Line 12. The isV alidAtt -function checkswhether a given level attestation is valid, as defined above. Ifthe given level attestation is valid, isV alidAtt further checkswhether the length of the attestation equals the given levelvalue and returns false in case of a mismatch. Given this checksucceeds, the isV alidLink -function checks if a given sig adj - value is valid for the corresponding neighbor. If a parent nodewith a valid level attestation has been chosen, the node firstchecks if its previous parent became either non-minimal orits attestation became invalid and if so, sets i start to j . It ispossible that prnt might hold a value larger than | N ( u ) | − (e.g. because its former parent had this number and left theoverlay). prnt will then be set to j that holds a value fromthe range { , .., | N ( u ) | − } (Line 15). Afterwards, it sets its prnt -, pID - and levelAtt -value accordingly. Finally, the nodecomputes the corresponding level attestation for each neighborand writes it into the respective output register (Line 24–27).V. A NALYSIS
We prove that, given an honest root node r , Algorithm 1 is S ′ B -TA-strictly-stabilizing with S ′ B = { u ∈ H | ∃ b ∈ B : d Bmin + d S ( b, u ) − ≤ d S ( r, u ) } (1)where d Bmin = min b ∈ B d S ( r, b ) . The “-1” stems from thefact that a malicious node can copy the outputs of an honestneighbor into its output registers (hence pretending to beits own predecessor), thus avoiding the need to append anattestation tuple and hence increase its maximum level.Furthermore, let d HS ( u, v ) denote the length of the shortestpath between u and v in S that does not contain a maliciousnode. If no such path exists, we set d HS ( u, v ) = ∞ . Ifmalicious nodes repeatedly change their outputs in order to de-stabilize honest nodes, we show that our algorithm guaranteesthat all nodes in the set S ′ L = { u ∈ H | ∃ b ∈ B : d Bmin + d S ( b, u ) − < d HS ( r, u ) } (2)eventually reach a stable state. Informally, we show that S ′ L ⊂ S ′ B is the containment area for an adversary that focuses ondisrupting convergence by changing its behavior. However, foran arbitrary adversary aiming to maximize the fraction of ill-directed nodes, we achieve only a smaller containment area of S ′ B .Since the system starts in an arbitrary state, a maliciousnode may initially hold a level attestation that is valid but forwhich no corresponding path in the overlay exists. We hencesay that a level attestation ( p , t , sig ) , . . . , ( p n , t n , sig n ) is consistent for node u if it is invalid or if there exists a path v , . . . , v n in the system such that (1) p i is the public key of v i for all ≤ i ≤ n and (2) u either is a neighbor of v n or both u and v n are neighbors of a malicious node b . Otherwise, wesay that the attestation is inconsistent . A configuration is calledconsistent if the levelAtt -values as well as the in- and output-registers of all nodes only contain consistent level attestations.In the following, we assume that at the beginning of acomputation at time t , all timestamps of every inconsistentattestation are at most t + ∆ C . We consider this to bereasonable since t + ∆ C is the highest value that a honestnode (including the root) may use as timestamp and thus amalicious node cannot have a valid attestation with a highertimestamp from a previous computation. As a consequence,every inconsistent attestation of length n becomes invalid aftert most ∆ C + ( ∆ D + ∆ E ) n time units. So, every route-restricted overlay S with diameter diam ( S ) reaches a con-sistent configuration after at most ∆ C + ( ∆ D + ∆ E ) diam ( S ) time units. A. Proof of S ′ B -TA-strict stabilization We start the actual proof by establishing key properties oflevel attestation to later leverage in the proof. In a nutshell,malicious nodes can only influence keys that are used afterthe d Bmin -th element of a valid and consistent level attestation P but before the | P | − d Bu,min -th element with d Bu,min =min b ∈ B { d S ( u, b ) } . Based on this result, we can then showthat a node is well-directed if their levelAtt -value is of lengthless than d Bmin + d Bu,min − . Convergence to a stable statefor all nodes in S ′ B follows from the fact that the system atsome point reaches a state when these nodes have a valid andconsistent levelAtt -value with minimal levels and hence willnot change parents anymore. Lemma 1.
Let P = ( p , t , sig ) , . . . , ( p n , t n , sig n ) be a levelattestation. Consider a node u such that sig n is a signatureover ID u || t n . At time t , we have t − t i ≤ ∆ C + ( ∆ D + ∆ E ) · ( n − i + 1) for all ≤ i ≤ n and the computation has startedat least ∆ C + ( ∆ D + ∆ E ) · n time units before, so that P isconsistent for u . If P is valid, then the following two statementshold: For j ≤ d Bmin , p j is the public key of an honest node v and d S ( v, r ) < j . For j > n − d Bmin,u + 1 , p j is the public key of an honestnode v and d S ( v, u ) ≤ n − j + 1 .Proof. We show the first claim by induction on j . As p always needs to be the public key of the leader and theleader is honest by assumption, the claim holds for j = 1 .Let < j ≤ d Bmin and assume the claim holds for j − .Then sig j − is a signature over p j || t j − using the secretkey s j − associated with p j − . By induction hypothesis, p j − is the public key of an honest node w with distance d S ( w, r ) < j − ≤ d Bmin − . d S ( w, r ) < d Bmin − impliesthat w has only honest neighbors, which only write their ownkeys to its output register for w to sign.Furthermore, because w itself is honest, w only signs keysand timestamps that it reads from its input registers. Thus,for p j || t j − to be signed by w , p j needs to be the key ofan honest neighbor v of w . Given that w ’s distance to theroot is less than j − by induction hypothesis, we also have d S ( v, r ) ≤ d S ( w, r ) + 1 < j . This proves the first claim.Similarly, we show the second claim by induction on j ′ = n − j + 1 . Note that if d Bmin,u = 1 , i.e., u is the neighbor ofa malicious node, then there is nothing to show as there is no p j such that j > n − d Bmin,u + 1 . So, we assume d Bmin,u > .For j ′ = 1 , we only have to consider the key p n . As u ishonest, it only writes its own key into output registers to besigned by neighbors. If d Bmin,u > , all of u ’s neighbors arehonest. They would hence only sign u ’s key concatenated witha timestamp with their own, meaning that any node v withpublic key p n is indeed an honest node and d S ( v, u ) = 1 . Consider < j ′ < d Bmin,u and assume the claim holds for j ′ − . Hence, p n − ( j ′ − is the public key of an honestnode w with d S ( w, u ) ≤ j ′ − . w writes its public key and atimestamp to the registers that will be read by its neighbors. As j ′ − < d Bmin,u − , these neighbors are honest and will signthe key and timestamp with their own keys. Hence, any publickey p n − j ′ +1 whose corresponding secret key has been usedto sign p n − ( j ′ − || t n − ( j ′ − belongs to an honest neighbor v of w with d S ( v, u ) ≤ d S ( w, u ) + 1 = j ′ . So, the secondclaim follows by induction as well. Lemma 2.
Let the computation have started a least ∆ C +( ∆ D + ∆ E ) · n time units before and u ∈ V \ S ′ B be a nodewith a valid levelAtt -value of length n < d Bmin + d Bu,min − .Then u is well-directed.Proof. Because ∆ C + ( ∆ D + ∆ E ) · n time units have passed,the levelAtt -value of u is also consistent. By Lemma 1, thefirst d Bmin public keys have to belong to honest nodes and thelast d Bu,min − keys have to belong to honest nodes as well.Hence, if n < d Bmin + d Bu,min − , all keys p j have to belongto an honest node v j for ≤ j ≤ n . Set v n +1 = u . u can only be ill-directed if at least one v j has their pID -value set to a key provided by a malicious node. First, considerthe case that j < d Bmin . By Lemma 1, d S ( v j , r ) < d Bmin − ,meaning that v j only has honest neighbors. Honest nodes onlywrite their own keys in the register of their neighbors, so that v j can hence only set its pID -value to one of their keys. Now,consider j > d Bmin , i.e., n − j +1 < n − d Bmin +1 ≤ d Bu,min − .According to Lemma 1, d S ( v j , u ) ≤ n − j + 1 < d Bu,min − .Again, v j has only honest neighbors and can hence only setits pID -value to one of their keys.It remains to consider the case j = d Bmin . By the first partof the proof, v j is the only node that can have maliciousneighbors. Assume that v j has set its pID to a maliciousneighbor b . For u ’s levelAtt to correspond to a valid attes-tation, v j − has to sign p j || t j − resulting in sig j − , append ( p j − , t j − , sig j − ) to the attestation, and write the attestationto the register corresponding to the neighbor that wrote p j to the register. Because v j − has only honest neighbors, therespective neighbor has to be v j , the only honest node thatwould claim p j as its key. So, for u ’s levelAtt -value toinclude ( p j − , t j − , sig j − ) , v j must have read the registerand disseminated ( p j − , t j − , sig j − ) as part of a level at-testation. Consequently, v j is aware that v j − offers a root-directed path of supposed length j − ≤ d Bmin − . For v j to choose a different parent, b has to produce a validattestation e P = ( e p , e t , f sig ) , . . . , ( e p l , e t l , f sig l ) with l ≤ j − and f sig l being a signature over ID v j || e t l . Furthermore, b hasto ensure that the isV alidLink -function returns true . Theneighbor-related signature has to be signed by the secret key e s l corresponding to e p l . As b can not forge signatures, e P hasto be a (potentially shortened) attestation that b has read fromone of its input registers. For such an attestation, e p l belongsto an honest node w at distance at most l − from the rootby Lemma 1. Due to d HS ( w, r ) ≤ l − < d Bmin − , w has nomalicious neighbors. By Algorithm 1, w only writes signaturesver nID w || h ( L ) for some L to registers of neighbors. Beinghonest, these neighbors do not disseminate the respectivesignatures. As a consequence, b can not obtain the requiredneighbor signature and hence v j does not accept any attestationfrom b as its levelAtt -value.In summary, none of the nodes v j has its pID -value set toa key provided by a malicious node and hence u is indeedwell-directed. Theorem 1.
Given any route-restricted overlay S with diam-eter diam ( S ) , a computation of Algorithm 1 starting froman arbitrary configuration reaches a consistent configurationafter at most ∆ C + ( ∆ D + ∆ E ) · diam ( S ) time units. Further-more the computation will reach a S ′ B -stable configuration γ ∗ within at most diam ( S ) + 1 additional asynchronous rounds.Thus, Algorithm 1 is S ′ B -TA-strictly-stabilizing.Proof. Arrival at a consistent configuration follows from theassumption that the timestamps of every inconsistent levelattestation do not exceed the starting time of the computationby more than ∆ C time units, as explained at the beginning ofthis section. To prove the subsequent convergence to a S ′ B -stable configuration, we first show that after l + 1 rounds, allnodes u ∈ V \ S ′ B within distance l of the root are well-directedand have valid levelAtt -values of length l . The properties fromDefinition 1 follow. Last, we show that these nodes remainwell-directed.After the first round, the root has written its information toall registers. After the second round, the neighbors of the roothave processed these registers. Hence, each such neighbor u will set its levelAtt -value to a valid attestation of length 1. If u ∈ V \ S ′ B , the distance d S ( u, b ) ≥ for any malicious node b and hence by Lemma 2, u is well-directed. So, the claimholds for l = 1 .Assume the claim holds for l , i.e., after l + 1 rounds, allnodes v ∈ V \ S ′ B within distance l of the root are well-directed and have valid levelAtt -values of l . They know theIDs their neighbors have assigned to them as l > indicatesthat they have read it from the register at least once. As aconsequence, they can construct a valid attestation of length l + 1 for each neighbor w as well as the necessary signatureover the neighbor ID nID w . They write this information tothe register r vw . After l + 1 rounds, any node u ∈ V \ S ′ B atdistance l +1 from the root has read the register correspondingto its neighbors at distance l to the root. As a consequence, u ’s levelAtt -value is of length l +1 . As u ∈ V \ S ′ B , Lemma 2shows that u is well-directed. It follows by induction thatwithin diam ( S ) rounds, all nodes u ∈ V \ S ′ B are well-directed.It remains to prove that the nodes in V \ S ′ B remain well-directed. To become ill-directed, a node has to change its pID -value. Let u be the first node to change its pID -value.According to Algorithm 1, u selects the parent from thoseneighbors that provide the shortest valid attestation and a validneighbor signature. By assumption, u breaks ties consistently,meaning u only changes its parent if either i) u ’s previousparent does not provide any valid attestation of the shortest length or provides an invalid neighbor signature, or ii) aneighbor that is not the current parent writes an attestationof a shorter length than u ’s levelAtt -value to its register andthe content of the register passes the two validity checks.In order to conclude that neither i) or ii) are possible,consider the following: Let v be u ’s parent and note that v ∈ V \ S ′ B by the definition of S ′ B as d S ( v, r ) = d S ( u, r ) − and d S ( v, b ) ≥ d S ( u, b ) − for all malicious nodes b . It followsrecursively that all nodes on a root-directed path of u are in V \ S ′ B . Case i) would imply that a node on the root-directedpath changed its parent, as honest nodes do not write invalidattestations or neighbor signatures to registers. However, sucha parent change contradicts the definition of u as the first nodein V \ S ′ B to change its parent. If case ii) holds, by Lemma 1, u has to be well-directed after its parent change. Hence, itsnew parent w is an honest node. By the above, w and allnodes on the new root-directed path are in V \ S ′ B and at leastone of them has to have changed its parent for w to writean attestation of a different length. Again, such a change inparent is a contradiction to the definition of u . Consequently,nodes u ∈ V \ S ′ B do not change their pID -value for the restof the computation and remain well-directed. B. Proof of stabilization for S ′ L under attacks Building upon Theorem 1, we now show that under anattacker that frequently changes the output values of its nodes,all nodes u with d Bmin − d HS ( b, u ) − d HS ( r, u ) eventuallyreach a stable state as well. Our result requires the conceptof a S B -disturbance, a concept similar to Dubois et al. [5]’s S B -disruption. Definition 5. ( S B -disturbance) Two consecutive configura-tions γ and γ are a S B -disturbance if at least one node u ∈ V \ S B changes its level u - or pID -variable. In contrast to a S B -disruption, a S B -disturbance does notassume that all nodes in V \ S B have a legitimate state. Theorem 2.
Given any route-restricted overlay S with di-ameter diam ( S ) and deg sum = P u ∈ S ′ B \ S ′ L | N ( u ) | , a com-putation of Algorithm 1 starting from an arbitrary con-figuration reaches a S ′ B -stable configuration γ + within atmost ∆ C + ( ∆ D + ∆ E ) · diam ( S ) time units plus at most diam ( S ) + 1 asynchronous rounds. After reaching the config-uration γ + , S will reach a S ′ L -stable configuration within atmost ( deg sum − | S ′ B \ S ′ L | ) S ′ L -disturbances.Proof. The S ′ B -stability after ∆ C + ( ∆ D + ∆ E ) · diam ( S ) time units plus diam ( S ) + 1 asynchronous rounds followsfrom Theorem1. In order to have S ′ L -stability, all nodes in S ′ B \ S ′ L have to reach a stable and legitimate state.Let u ∈ S ′ B \ S ′ L . The proof consists of showing thefollowing four claims:1) u ’s level -value is level u = d HS ( u, r ) for any configura-tion after γ + .2) If u has a parent v such that v is a node on a path from u to the root of length d HS ( u, r ) consisting of only honestodes, then v ∈ V \ S ′ L and u will not change its pID -value in any subsequent configuration if prnt = i start .3) u will choose such a node v as a parent after at most (2 | N ( u ) | − S ′ L -disturbances that affect u , i.e., inwhich u changes its level or parent.4) The maximal number of S ′ L -disturbances until u is in astable and legitimate state is deg sum − | S ′ B \ S ′ L | .By definition of S ′ B and S ′ L , u has at least one path con-sisting of only honest nodes to the root r . Furthermore,as d Bu,min + d Bmin − d HS ( u, r ) , u never receives avalid level attestation of length less than d HS ( u, r ) . So, weclaim that after diam ( S ) + 1 asynchronous rounds, u has tohave level d HS ( u, r ) . The previous claim obviously holds for d HS ( u, r ) = 1 and by induction holds for all d HS ( u, r ) as anyhonest neighbor v of u with d HS ( v, r ) = d HS ( u, r ) − sendsa valid level attestation to u . Hence, u ’s level -value does notchange and the first claim holds.For the second claim, consider Algorithm 1. u alwaysselects the minimal neighbor whose unique index is reachedfirst. If prnt = i start , u first considers its current parent, whichis v (Line 15). u only replaces v if it does not receive a validattestation of length d HS ( v, r ) and link signature from v . As v ishonest, it does not send invalid attestations or link signatures.So, a change would only happen if v changes its level -value.We now show that v does not change its level -value and hence u does not change its pID -value. If v ∈ V \ S ′ B , v is in astable state and hence does not change its level -value. By thefirst part of the proof, v ∈ S ′ B \ S ′ L also does not change its level -value. So, it remains to show that v / ∈ S ′ L . By definition, v has a path to r consisting of only honest nodes and being oflength d HS ( v, r ) = d HS ( u, r ) − . Similarly, as v is a neighborof u , we have d Bv,min ≥ d Bu,min − , i.e., v is at most 1 hopcloser to any malicious node than u . So, d Bv,min + d Bmin − ≥ d Bu,min + d Bmin − − ≥ d HS ( u, r ) − d HS ( v, r ) . Thethird step follows from Eq. 2 because u ∈ V \ S ′ L . So, d Bv,min + d Bmin − ≥ d HS ( v, r ) and hence again by Eq. 2, v / ∈ S ′ L . So, indeed, u does not change its pID -value.The third claim ascertains that u chooses such a v as parentafter at most (2 | N ( u ) | − S ′ L -disturbances affecting u . Bythe above, a S ′ L -disturbance can only affect u ’s pID -value.We determine an upper bound on the number of times the pID -value can change until i start = prnt and v is the parentnode. Let l be the local index of v assigned by u and h ( m, i ) = ( m − i if m ≥ im − i + | N ( u ) | if m < i As the result of a S ′ L -disturbance, u ’s parent changes toeither v or a node with pointer prnt ′ = prnt with h ( prnt ′ , i start ) < h ( l, i start ) . If it changes to prnt ′ , we eitherhave h ( prnt ′ , i start ) < h ( prnt, i start ) or h ( prnt ′ , i start ) >h ( prnt, i start ) . In this first case, i start remains the same(Line 17). However, the maximal number of consecutivedecreases of the function h ( prnt, i start ) is h ( l, i start ) − ≤| N ( u ) | − . Once i start = prnt , h ( prnt, i start ) = 0 .Any further change corresponds to the second case, as the Table IS
TRUCTURAL PROPERTIES OF GRAPHS USED FOR SIMULATION , WITH AVG . SHORTEST PATH LENGTH (CPL)
AND CLUSTERING COEFFICIENT (CC).
Graph
Facebook 63,392 816,886 4.32 0.253Ripple 67,149 99,787 3.82 0.154Randomized Facebook 63,392 816,886 3.58 0.005Erdös-Renyi 824,096 3.74 < 0.001 condition in Line 17 will hold for any new parent andso h ( p, i start ) continues to be . In the second case, i.e., h ( prnt ′ , i start ) > h ( prnt, i start ) , i start is now set to p ′ , i.e., h ( l, i start ) decreases. h ( l, i start ) can decrease at most | N ( u ) | times. So, the total number of S ′ L -disturbances until u chooses v as a parent are the sum of possible instance of the first andthe second case, namely | N ( u ) | − | N ( u ) | = 2 | N ( u ) | − .Furthermore, i start = prnt holds after these disturbances.The fourth and last claim establishes that all nodes in V \ S ′ L are in a legitimate and stable state after at most deg sum −| S ′ B \ S ′ L | disturbances. First note that each S ′ L -disturbance hasto affect a node in S ′ B \ S ′ L . This is a direct consequence of thedefinition of S ′ L -disturbance and the fact that S is S ′ B -stable.A S ′ L -disturbance requires a node in V \ S ′ L to change its levelor parent but nodes in V \ S ′ B are in a stable state already,so the affected node has to be in ( V \ S ′ L ) ∩ S ′ B = S ′ B \ S ′ L .Combining the second and third claim, nodes u ∈ S ′ B \ S ′ L areaffected at most | N ( u ) |− times by a S ′ L -disturbance. So, thetotal number of S ′ L -disturbances until no node in V \ S ′ L canbe affected anymore is P u ∈ S ′ B \ S ′ L (2 | N ( u ) |−
1) = 2 deg sum −| S ′ B \ S ′ L | . It remains to show that all these nodes are indeed inlegitimate states. By the second and third claim, all nodes in S ′ B \ S ′ L have an honest parent in V \ S ′ L . In addition, all nodesin V \ S ′ B have an honest parent in V \ S ′ L because of the S ′ B -stability. Hence, a node u ∈ S ′ B \ S ′ L cannot have an ancestorin B ∪ S ′ L and is hence well-directed and in a legitimate state.Furthermore, u is in a stable state by the second claim.VI. E VALUATION
Using OMNeT++ [20], we implemented a simulation toevaluate the impact of our attestation-based algorithm onthe number of lost nodes compared to the non-cryptographicstate-of-the-art. Furthermore, we investigated the impact ofthe network structure, the position of the root node, and theplacement of edges between honest and malicious nodes.
A. Metrics, Data Sets, and System Parameters
Given a distributed system S = ( V, E ) with a subset H of hon-est nodes and a S B -TA stabilizing spanning tree constructionalgorithm, we measured the ratio of lost nodes (RLN) | S B | / | H | .A low ratio of lost nodes indicates high attack resistance.Route-restricted overlays include both social overlays andpayment networks. We hence utilized a real-world graphfor each of them and compare the results with syntheticgraphs for the purpose of characterizing the impact of varioustopological features. Facebook denotes a real-world graph ofFacebook [22], as used in several prior studies [12], [15]. ithout attestation with attestation honestly behaving adversary0.00.20.40.60.81.0 No. of attack edges r a ti oo f l o s t nod e s
25 200 1000 5000Facebook 0.00.20.40.60.81.0 No. of attack edges25 200 1000 5000Randomized Facebook 0.00.20.40.60.81.0 No. of attack edges25 200 1000 5000ER 0.00.20.40.60.81.0 No. of attack edges25 200 1000 5000RippleFigure 1. Observed mean ratio of lost nodes over 100 runs per configuration for 25, 200, 1000, and 5000 attack edges under the first adversarial behavior.The bars above and below each point represent confidence intervals.without attestation with attestation honestly behaving adversary0.00.20.40.60.81.0 No. of attack edges r a ti oo f l o s t nod e s
25 200 1000 5000Facebook 0.00.20.40.60.81.0 No. of attack edges25 200 1000 5000Randomized Facebook 0.00.20.40.60.81.0 No. of attack edges25 200 1000 5000ER 0.00.20.40.60.81.0 No. of attack edges25 200 1000 5000RippleFigure 2. Observed mean ratio of lost nodes over 100 runs per configuration for 25, 200, 1000, and 5000 attack edges under the second adversarial behavior.The bars above and below each point represent confidence intervals.
Ripple denotes a real-world graph from the Ripple paymentnetwork [16]. Ripple has a low number of edges and a heavilyskewed degree distribution: of all nodes have a degreeless or equal than the average degree of approximately 3.Our synthetic data sets are i) a random synthetic network(denoted randomized Facebook ) with the same degree dis-tribution as the Facebook graph and ii) an Erdös and Renyigraph ( ER ) with approximately the same number of nodesand edges as Facebook but normal distributed degrees [7]. Wecompare
Facebook with randomized Facebook to characterizethe impact of clustering while the comparison of randomizedFacebook and ER reveals the impact of the degree distribution.We considered the number of malicious nodes and the timeof their presence to be unbounded but limit the total number g of connections between honest nodes and malicious nodes.To model that all nodes are colluding, we represented them asa single node with g edges. B. Set-up
We investigated the resistance of spanning tree algorithmsto adversarial behavior given structural differences of thenetworks and a varying number g of attack edges. For allscenarios, we performed 100 runs to obtain statistically sig-nificant results.We assumed the adversary knows all nodes but can onlyestablish a connection to a subset with limited size. Follow-ing [2] we also assumed that users with many contacts aremore likely to accept new requests and thus connect witha malicious node. We hence added a single adversary m tothe graph and choose the g honest neighbors at random, with a probability proportional to their degree. Afterwards, a rootnode r was chosen uniformly at random from all honest nodesand the leader ID of each honest node was set accordingly.We executed different spanning tree constructions for var-ious adversarial behaviors. The two spanning tree algorithmsare Algorithm 1, i.e., spanning tree construction with levelattestation, and the state-of-the-art protocol by Dubois etal. [5]. The two adversarial behaviors are:1) The attacker aims to prevent convergence by causingdisturbances. By Theorem 2, the set of lost nodescorresponds to S ′ L as defined in Eq. 2. Similarly, theset of lost nodes for the state-of-the-art protocol is S L = { u ∈ H : d S ( u, m ) < d S ( u, r ) } [5].2) The attacker aims to maximize the number of ill-directednodes. In this case, the adversary always pretends to beas close to the root as possible and does not performany disturbances. In this case, the set of lost nodes is S ′ B as defined in Eq. 1 according to Theorem 1. For thestate-of-the-art protocol, the set of lost nodes is S B = { u ∈ H : d S ( u, m ) < d S ( u, r ) } .To investigate how strongly the cheating by one level (de-scribed in Sec. V) affects the number of lost nodes whenAlgorithm 1 is used, we furthermore simulated a modifiedadversary which does not cheat, effectively following Algo-rithm 1 correctly. C. Impact of Level Attestation
Figure 1 show the obtained mean RLN with confidenceintervals for the four graphs and both algorithms under the atio of lost nodes average distance to the root node average distance to the attacker node0 20 40 60 80 10001234567 Run index v a l u e Facebook 0 20 40 60 80 10001234567 Run indexRandomized Facebook 0 20 40 60 80 10001234567 Run indexER 0 20 40 60 80 10001234567 Run indexRippleFigure 3. Obtained RLN values for the state-of-the-art protocol together with the average shortest path length to the root node and average shortest pathlength to the adversary node of the respective simulation run with 25 attack edges. The runs are ordered according to the RLN value in ascending order.ratio of lost nodes average distance to the root node effective average distance to the attacker node0 20 40 60 80 10001234567 Run index v a l u e Facebook 0 20 40 60 80 10001234567 Run indexRandomized Facebook 0 20 40 60 80 10001234567 Run indexER 0 20 40 60 80 10001234567 Run indexRippleFigure 4. Results for the simulation runs of Algorithm 1 and 1000 attack edges. The effective average distance to m denotes the term d ( m ) + d ( m, r ) − .The runs are ordered according to the RLN value in ascending order. first adversarial behavior. Figure 2 shows the correspondingdata under the second adversarial behavior. Especially for theFacebook graph, its randomized version, and the ER graph,Algorithm 1 considerably reduced the ratio of lost nodes com-pared to the state-of-the-art protocol. For the latter, an attackwith 25 edges resulted in a mean RLN of . , . , . ,and . for the Facebook graph, the randomized Facebookgraph, the ER graph and the Ripple graph, respectively, underthe first adversarial behavior. Under the second adversarialbehavior, the mean RLN increased to . , . , . and . for the four graphs. When applying Algorithm 1, themean RLN at 25 attack edges under the first adversarialbehavior dropped down to . , . , . , and . for the Facebook graph, the randomized Facebook graph, theER graph, and the Ripple graph, respectively. Similarly, themean RLN at 25 attack edges under the second adversarialbehavior decreased to . , . , . and . for thefour graphs. Even for 1000 attack edges, the mean RLNfor the Facebook graph, its randomized variant, and the ERgraph significantly decreased from . , . , and . to . , . , and . , respectively under the first adversarialbehavior. Under the second adversarial behavior, the meanRLN at 1000 attack edges was reduced from . , . , . and . to . , . and . for the Facebook graphs andthe ER graph. In summary, while the exact numbers differ forthe two adversarial behaviors, the overall result is the same:Algorithm 1 achieves a considerable higher number of welldirected nodes than the state of the art.In the scenario with an adversary that does not cheat by alevel, the mean RLN was considerably lower than in the sce- nario with Algorithm 1 alone, especially with 1000 and 5000attack edges for both adversarial behaviors. Referring to TableI we realize that all graphs used in our experiment have a verylow average path length, and all nodes are in short distancefrom the root node. Increasing the adversary’s reported level value by 1 then represents a significant disadvantage for theattack. We conjecture that this causes many nodes to remainwell-directed and investigate this relationship in more detailin the following.For the Ripple graph, the improvement regarding meanRLN was considerably lower than for the other graphs. Inthe following, we describe the impact of distances betweenhonest nodes, malicious nodes, and the root node on the RLNto explain this stark difference. D. Impact of Network Structure
We start with a discussion of our results for the state-of-the-art algorithm and subsequently present results for Algorithm 1.Because the correlations between the different aspects weresimilar for both adversarial behaviors, we focus on our resultsfor the first adversarial behavior. a) State-of-the-Art Spanning Tree Construction:
We con-sidered the average hop distance over all honest nodes tothe root node d ( r ) and to the attacker node d ( m ) for eachsimulation run. The lower d ( r ) is compared to d ( m ) , the morehonest nodes will have a lower hop distance to r than to m and thus be well-directed. Therefore, we expected a positivecorrelation between d ( r ) − d ( m ) and the RLN.Figure 3 shows the obtained RLN values in ascending ordertogether with the corresponding value of d ( r ) and d ( m ) for5 attack edges and both adversarial behaviors. Indeed, thedifference d ( r ) − d ( m ) generally correlated with the RLN.While d ( m ) only varied slightly between the different runs oneach graph, there are notable differences in the behavior of d ( r ) : It varied highly for the Facebook graphs and to someextent for the Ripple graph but barely for the ER graph.The reason for the small variance in d ( r ) for ER is due tothe uniform probability of two nodes being connected. As aconsequence, it was very unlikely that the average distance ofany node significantly differs from the other nodes. The degreeof m , corresponding to the 25 attack edges, was close to theaverage degree of 26. However, the mean RLN was only . ,because there was a high number of nodes whose distanceto the root node equalled that to the malicious node. Thesenodes chose the path to the root node when the maliciousnode continuously causes disturbances.For the Facebook graphs and Ripple, there is a highervariance of the root node degree and hence of the averagedistance to the root. The distances in the randomized graphwere generally lower than in the original Facebook graph dueto its lower average path length. Furthermore, d ( r ) correlatedmore strongly with the RLN, possibly due to the absence ofoutlier nodes with increased shortest path length. Because ofthe highly skewed degree distribution of the Ripple graph, therandom root node’s degree was in 73 out of a 100 runs. Thedegree of the adversarial node, i.e., 25, was hence generallyhigher than the degree of the root, leading to shorter paths tothe malicious nodes and hence the observed high RLN. b) Algorithm 1: In addition to d ( r ) , we computed theeffective average hop distance D ( m ) = d ( m ) + d ( m, r ) − ,as d ( m, r ) − is the level -value that m propagated duringa simulation run. We expected a positive correlation between d ( r ) − D ( m ) and the RLN, i.e., nodes closer to the root nodethan D ( m ) should be well-directed and otherwise not.In all runs with 25 attack edges, D ( m ) was considerablyhigher than d ( r ) such that only a very small number of nodesbecame ill-directed. Figure 4 thus shows our more distinctresults for an adversary with 1000 attack edges, ordered bythe RLN. The results indeed validated the expected correlation.Due to the high number of attack edges, the d ( m ) value ofeach run only differed slightly from its mean value of . , . , . , and . for the Facebook graph, the randomizedFacebook graph, the ER graph, and the Ripple graph, respec-tively. Thus, the values of D ( m ) mainly depended on d ( m, r ) and hence differed by integer values.Again, the degree of correlation between d ( r ) − D ( m ) and the RLN varied between graphs. The Facebook graphgenerally had a longer average shortest path length and hencevaried in d ( r ) considerably. In contrast, the value of d ( r ) wasmore stable for the randomized Facebook graph and the ERgraph, so that d ( m, r ) is indeed the main impact factor.Here, we also find the explanation for the strong differencebetween the mean RLN values for the simulations of Algo-rithm 1 with a cheating adversary and those of Algorithm 1with a non-cheating adversary on the Ripple graph. It stemsfrom the fact that the d ( m, r ) value decreased very slowly as the number of attack edges increases. Concretely, the meanvalue of d ( r ) was roughly . , irrespective of the number ofattack edges and the construction algorithm. In the case of25 attack edges, the mean value for D ( m ) was . and inthe case of edges, it was . , such that the level valuepropagated by m was low enough to cause a high numberof nodes to become ill-directed. As the value of D ( m ) wasincreased by 1 when the adversary does not cheat, it was higherthan d ( r ) for any considered number of attack edges, resultingin a negative d ( r ) − D ( m ) − and hence a low impact of theattack. In contrast, d ( r ) − D ( m ) was positive, correspondingto an attack of high impact. c) Summary of Results: The first part of our evaluationshowed that our protocol based on cryptographic signatures ismuch more robust to malicious behavior and attacks than state-of-the-art solutions without the usage of cryptography. Indeed,as displayed in Figure 1, to compromise a similar number ofnodes, the adversary needs to establish up to 200 times asmany attack edges compared to the algorithm by Dubois etal. [5]. VII. C
ONCLUSION
In this paper, we leveraged cryptographic signatures todesign a BFS tree algorithm that greatly reduces the number ofnodes affected by attacks. Based on the concept of topology-aware strict stabilization, we proved that this algorithm onlyallows malicious nodes to report a distance to the root thatdiffers by at most one from the correct value. Our evaluationbased on real-world scenarios demonstrates that this novel con-struction provides crucial security improvements over existing,non-cryptographic algorithms. Yet, our results indicate that theresistance to attacks is highly correlated with the degree ofthe root node, highlighting the need to develop secure leaderelection algorithms that prioritize high-degree nodes.VIII. A
CKNOWLEDGEMENTS
We thank Sebastién Tixeuil for shepherding our work andthe reviewers for their constructive feedback. This work hasbeen funded by the German Research Foundation (DFG) GrantSTR 1131/2-2 and EXC 2050 “CeTI´´.R
EFERENCES[1] Nikita Borisov et al.,
Denial of service or denial of security? , Computerand Communications Security, 2007.[2] Yazan Boshmaf et al.,
The socialbot network: when bots socialize forfame and money , Computer Security Applications, 2011.[3] Ian Clarke et al.,
Private communication through anetwork of trusted connections: The dark freenet ,https://freenetproject.org/assets/papers/freenet-0.7.5-paper.pdf, 2010.[4] Danny Dolev and Andrew Yao,
On the security of public key protocols ,Transactions on Information Theory (1983).[5] Swan Dubois, Toshimitsu Masuzawa, and Sébastien Tixeuil,
Maximummetric spanning tree made byzantine tolerant , Algorithmica (2015).[6] Stefan Dziembowski, Sebastian Faust, and Kristina Hostáková,
Generalstate channel networks , Computer and Communications Security, 2018.[7] P Erdös and A Rényi,
On random graphs i , Publicationes MathematicaeDebrecen (1959).[8] Andreas Hoefer, Stefanie Roos, and Thorsten Strufe,
Greedy Embedding,Routing and Content Addressing for Darknets , KiVS/NetSys, 2013.9] Yih-Chun Hu, David B Johnson, and Adrian Perrig,
Sead: Secureefficient distance vector routing for mobile wireless ad hoc networks ,Ad hoc networks (2003).[10] Tomas Isdal et al.,
Privacy-preserving p2p data sharing with oneswarm ,ACM SIGCOMM Computer Communication Review (2011).[11] Giulio Malavolta et al.,
Silentwhispers: Enforcing security and privacyin credit networks , Network and Distributed System Security, 2017.[12] Prateek Mittal, Matthew Caesar, and Nikita Borisov,
X-vine: Secureand pseudonymous routing in dhts using social networks , Network andDistributed System Security, 2012.[13] Joseph Poon and Thaddeus Dryja,
The bitcoin lightningnetwork: Scalable off-chain instant payments , Tech. report,https://lightning.network/lightning-network-paper.pdf, 2016.[14] Pavel Prihodko et al.,
Flare: An approach torouting in lightning network , 2016, Available at:https://bitfury.com/content/downloads/whitepaper_flare_an_approach_to_routing_in_lightning_network_7_7_2016.pdf.[15] Stefanie Roos, Martin Beck, and Thorsten Strufe,
Anonymous addressesfor efficient and resilient routing in f2f overlays , INFOCOM, 2016.[16] Stefanie Roos et al.,
Settling payments fast and private: Efficient decen-tralized routing for path-based transactions , Networks and DistributedSystems Security, 2018.[17] Stefanie Roos and Thorsten Strufe,
On the impossibility of efficient self-stabilization in virtual overlays with churn , INFOCOM, 2015.[18] Vibhaalakshmi Sivaraman et al.,
Routing cryptocurrency with the spidernetwork , arXiv preprint arXiv:1809.05088 (2018).[19] Paul F Tsuchiya,
The landmark hierarchy: a new hierarchy for routingin very large networks , SIGCOMM Computer Communication Review,1988.[20] Andras Varga,
OMNeT++ Discrete Event Simulator ,https://omnetpp.org/, Accessed November 2018.[21] Eugene Vasserman et al.,
Membership-concealing overlay networks ,Computer and Communications Security, 2009.[22] Bimal Viswanath et al.,
On the evolution of user interaction in facebook ,Workshop on Online social networks, 2009.[23] Manel Guerrero Zapata and Nadarajah Asokan,