Brief Announcement: Improving Social-Network-based Sybil-resilient Node Admission Control

Nguyen Tran, Jinyang Li, Lakshminarayanan Subramanian, Sherman S.M. Chow
New York University, New York, NY, USA
{trandinh,jinyang,lakshmi,schow}@cs.nyu.edu

ABSTRACT

We present Gatekeeper, a decentralized protocol that performs Sybil-resilient node admission control based on a social network. Gatekeeper can admit most honest nodes while limiting the number of Sybils admitted per attack edge to O(log k), where k is the number of attack edges. Our result improves over SybilLimit [3] by a factor of log n in the face of O(1) attack edges. Even when the number of attack edges reaches O(n/log n), Gatekeeper only admits O(log n) Sybils per attack edge, similar to that achieved by SybilLimit.

Categories and Subject Descriptors: C.2.4 [Computer Communication Networks]: Distributed Systems - distributed applications

General Terms: Algorithms, Design, Security

Keywords: Sybil attack, social network, Gatekeeper

1. INTRODUCTION

Open networked systems, such as Digg, YouTube, Facebook, BitTorrent, thrive on the participation of users in the form of content creation, sharing and voting. Unfortunately, these user-participation driven open systems are vulnerable to the Sybil attack where a single adversary can join the system using many bogus identities to amplify his attacking power. The root cause for the Sybil attack is the lack of a strong user identity thereby making it easy for an adversary to obtain new identities in the system. As a result, an adversary who launches the Sybil attack can use different identities to pollute the system with bogus information (in the form of content or votes) and affect the functioning of the system.

Social-network-based admission control offers the most promising defense against Sybil attacks. This approach seeks to limit the number of fake identities admitted into the system based on a social network.
In particular, such a social-network-based Sybil defense exploits the assumption that an attacker has few social links to honest users since establishing these links often requires significant human effort.

More concretely, the Sybil-resilient Admission Control problem can be stated as follows: Consider a social network G where each node represents a user and each link represents a trust relationship between two users. While most nodes in G are honest, some nodes are adversarial and an attack edge is a trust relationship between an honest and an adversarial node. Each user is initially aware of only their immediate neighbors in G and seeks to discover all the other honest users in G. An adversary can disrupt the discovery process of honest users by propagating Sybil identities across each attack edge. Sybil-resilient node admission control is a decentralized protocol that enables an honest user to discover and admit most honest users in the system while limiting the number of Sybil nodes admitted.

Copyright is held by the author/owner(s). PODC’10, July 25–28, 2010, Zurich, Switzerland. ACM 978-1-60558-888-9/10/07.

Social-network-based node admission control has been studied previously. SybilGuard [4] is the first work to show an admission protocol which limits the number of admitted Sybil identities to be O( n log n) per attack edge, where n is the number of honest users in the social network. SybilLimit [3] significantly improves over SybilGuard and limits the number of Sybils admitted per attack edge to O(log n). In this brief announcement, we present a new protocol called Gatekeeper, that can limit the number of Sybils admitted per attack edge to O(log k), where k is the number of attack edges and the social network is a random expander graph. Our result establishes optimality and improves over SybilLimit by a factor log n under the assumption of O(1) attack edges.
The security guarantee provided by Gatekeeper degrades gracefully with increasing numbers of attack edges; for example, in the face of O(log^C n) attack edges for any positive constant C, Gatekeeper admits O(log log n) Sybil identities per attack edge. In the face of o(n/log n) attack edges, Gatekeeper achieves the same level of resilience as SybilLimit: both protocols admit O(log n) Sybils per attack edge with high probability. The proofs of these results and more details of the protocol can be found in [1].

To achieve these results, Gatekeeper uses an improved version of the ticket distribution process proposed in our prior work [2]. We have evaluated Gatekeeper on real-world social networks with varying numbers of attack edges. Our results show that Gatekeeper is able to drastically limit the number of admitted Sybil identities to a very small number while admitting almost all honest identities.

2. TICKET DISTRIBUTION

The principal building block of Gatekeeper is a ticket distribution protocol where each node acting as a ticket source disseminates n “tickets” throughout the social network. We originally designed the distribution algorithm for SumUp [2], a centralized Sybil-resilient vote collection system. SumUp performs max-flow computation from a vote collector to the set of voting users in order to limit the number of bogus votes cast by Sybil identities. It relies on ticket distribution to assign link capacities for the max-flow computation.
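
The max-flow bound described above, as an added example that is not code from the paper or from SumUp: votes accepted from a Sybil region are capped by the capacity of the attack edges, however many identities sit behind them. The graph, node names and the uniform link capacity of 1 are constructed assumptions standing in for the ticket-assigned capacities.

```python
from collections import defaultdict, deque

def max_flow(cap, s, t):
    """Edmonds-Karp: push flow along shortest augmenting paths in cap[u][v]."""
    total = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:          # BFS over residual links
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:                       # no augmenting path left
            return total
        path, v = [], t
        while parent[v] is not None:              # walk back from sink to source
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in path)    # bottleneck on this path
        for u, v in path:
            cap[u][v] -= push
            cap[v][u] += push
        total += push

def collected_votes(links, collector, voters, link_cap=1):
    """Votes the collector accepts = max flow from the collector to the voters.
    link_cap=1 on every trust link is an assumption of this example."""
    cap = defaultdict(lambda: defaultdict(int))
    for u, v in links:                            # trust links are undirected
        cap[u][v] += link_cap
        cap[v][u] += link_cap
    for voter in voters:                          # each identity casts one vote
        cap[voter]["SINK"] += 1
    return max_flow(cap, collector, "SINK")

# Constructed honest region: collector C and honest users h1..h4.
HONEST = [("C", "h1"), ("C", "h2"), ("h1", "h2"),
          ("h1", "h3"), ("h2", "h4"), ("h3", "h4")]

def sybil_votes(n_sybils, attack_edges):
    """Adversarial node A creates n_sybils identities that all vote."""
    sybils = [f"s{i}" for i in range(n_sybils)]
    links = HONEST + attack_edges + [("A", s) for s in sybils]
    return collected_votes(links, "C", sybils)

if __name__ == "__main__":
    print(sybil_votes(20, [("h2", "A")]))                 # one attack edge
    print(sybil_votes(2000, [("h2", "A")]))               # 100x more Sybils
    print(sybil_votes(2000, [("h2", "A"), ("h4", "A")]))  # two attack edges
    print(collected_votes(HONEST, "C", ["h3", "h4"]))     # honest voters only
```

With uniform capacities the links next to the collector also become a bottleneck for honest votes, which is why the capacities have to be assigned rather than fixed.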