MembershipConcealing Overlay Networks Eugene Vasserman - PDF document

thesenetworksarebuilttobedifculttojoinordetect,butmostdonotprotectfrommaliciousinsiders.Onetypicallybecomesamem-berthroughsocialmeans:anexistingmember“vouches”forthenewcomer[5].Academically,membershipconcealmentnetworkshaveremainedlessexploredthan,andfrequentlyconfusedwith,relatedtechnologiessuchasprivacy,anonymity,unlinkability,un-observability,pseudonymity,andcensorshipresistance.1Unobservability.Relatedtoanonymity,unobservabilityisusuallyendowedwithoneoftwomeanings.PtzmannandHansende-nethetermtomeanthataprincipalinananonymityschemecan-notbe“observed”tobesendingorreceivingamessage(i.e.othernodescannotdeterminewhetheranodesentorreceivedamessageatanyparticulartime)[35].Someauthorshaveinterpretedthistomeanthatitisdifculttodistinguishwhetheraprincipalpartici-patesinthenetworkornot[25,19].Theformerclearlydoesnotimplymembershipconcealment:aschemethatisunobservableinthissensewouldremainunobservableifallprincipalsperiodicallyannouncedtheirparticipation.Thelattersenseismembershipcon-cealmentintermsofanoutsider-onlyattack,sinceitisingeneralnecessaryforsomeparticipantstoberevealedtoothersinorderformessagestobedelivered.Pseudonymityandanonymity.Pseudonymouscredentialsystems[9,31,37]dissociatereal-worldidentitiesfromsemi-persistentnet-workidentities(pseudonyms).Areal-worldidentityisanyinfor-mationthatmayreducethesetofcandidateidentity-pseudonympairingsbyanon-trivialamount,suchasnames,creditcardnum-bers,orIPaddresses.MCONsmustusepseudonymstoaddressmembers,andforasystemtobemembership-concealingitmustbeimpossible,withoverwhelmingprobability,todeterminethereal-worldidentityofauserwithagivenpseudonym.Anonymity,ontheotherhand,doesnothavethepersistentiden-tityproperty,butinsteadhidesanyandallidentifyinginformation.Considertherelationshipbetweenanonymityandmembershipcon-cealment.Themaingoalofananonymousnetworkistoconcealwhoiscommunicatingwithwhom.However,thisunlinkabilityor“relationshipanonymity”doesnotrequireconcealmentofwhoparticipatesintheoverlay,andinfactaschemewithperfectrela-tionshipanonymitywouldnotsacricethispropertyifthelistofparticipantswasbroadcastonaregularbasis.Ontheotherhand,membershipconcealmentdoesnotguaranteethatmessagescan-notbelinked,e.g.eachmessagemaycontainthepseudonymofbothitssourceanddestination,destroyingrelationshipanonymitybutpreservingmembershipconcealment.MCONsclearlyrequiresometypeofminimalpseudonymitytopreventapassiveinsiderfromsimplyharvestingidentities–forexample,messagesshouldnotincludetherealidentityoftheoriginator.Whileaspectsofsomeanonymityschemesintheliteraturecanbeseenasimpliciteffortstoprovidemembershipconcealment,e.g.Bauer'sschemeseekstohidetheusersofamixnetamongalargersetofwebusers[4],nodeployedanonymityschemeexplicitlyclaimstoprovidemembershipconcealment,anditislargelyac-ceptedthatsenderanonymity(originobfuscation)canbeachievedwithoutit[16,38].Someschemes,suchasTarzan[21],explicitlydistributealistofmembers.However,sincethisinformationsim-pliescertainvariantsoftheintersectionattack[48],recentP2PanonymityschemessuchasSalsa[33]havementionedhidingthemembershiplistasasecuritygoal.Unfortunatelytheseschemesdonotprovidemembershipconcealmentunderadversarialconditions.Censorshipresistanceandavailability.Censorship-resistantnet-worksaredesignedtopreventadversariesfromdenyingusers'ac-cesstoaparticularresourceorle.Thistypeofsystemdoes 1Forathoroughtreatmentofsomeoftheseterms,see[35].notrequiremembershipconcealment:mostaredesignedsuchthatitisdifculttodeterminewhatcontentagivenuserisaccessingorwhatnodeishostingagivenle,preventingtargetedattacks.Suchsystemsremaincensorship-resistantevenifthelistofpartic-ipantswaspublic.Membershipconcealmentdoesnotimplycen-sorshipresistance:amembership-concealingnetworkmayserveunencryptedcontent,socensorshipwouldonlyrequireblockinglesthatcontainselectedkeywordseveniftheidentitiesofcom-municatingnodesarehidden.ThisissimilartotheapproachusedbyChina's“GreatFirewall”[50].Aparticularlycriticalrequirementforcensorshipresistantnet-worksisavailability,sinceanattackagainstavailabilityisinit-selfanactofcensorship.Somecensorship-resistantsystems[47]havetakentheall-or-nothingapproach,assumingthatanadversarywouldwanttodisableaccesstoselectedcontent,butnottotheen-tiresystem.Weadvocateastrictlymorepowerfuladversarymodel–onethatiswillingtopreventaccesstoanentiresysteminordertoblocksometargetedcontent.Eventssuchas[2,3]supportourpo-sition.Evenwithoutjoininganetworkoridentifyingitsmembers,anadversarycanblockaccessto“undesirable”contentonalargescalebyusingdeeppacketinspectionorencryption-obliviouspro-tocolngerprints(andblockingmatchingpackets).Infranet[18]addressesthisproblembyusingsteganographictechniquestohidecontentrequestsandresponses.However,itrequiresactivepar-ticipationofanumberofwebservers.Feamsteretal.extendtheInfranetservicebyaddinganextralayerofindirectionintheformofuntrustedmessengers,whopassrequeststoaforwarder,whothenfetchestheactualcensoredcontent[19].Torbridges[14](dis-cussedinmoredetailinSection3)addcensorship-resistancefunc-tionalitytotheToranonymousoverlay[16].Thedesignissome-whatsimilartoInfranetwithuntrustedintermediaries,andbotharevulnerabletomanysimilarattacks.1.2ProposeddesignWeproposethreeproof-of-conceptdesigns–onethatismoreef-cient,anotherthatismorerobusttomembershipchurn,2andyetanotherwhichisahybridofthersttwo.Allschemesarerobustagainstinsiderandoutsiderattack,includingtargetedattackandnetworkpartitioning.OurMCONcanbebootstrappedfromanysocialgraphofofflineface-to-facerelationships.(BasinganetworkonasocialnetworkgraphallowsustouseSybilattack[17]mitiga-tionsystemssuchasSybilLimitorSybilInfer[49,23].)Member-shipisbyinvitationonly,soournetworkisnot“open”inthesamesenseasotherP2Psystems,whichallowanyonewhoknowsatleastonemembertobecomeamemberthemselves.Finally,ourdesignsusedistributedhashtables(DHTs)toenableefcientsearchandensurethatbothpopularandrarelescanbelocatedwithinapre-dictableperiodoftime.3DHTsarestructuredoverlaynetworksthatallowforveryefcientsearching[45,39,30].EachDHTnodehasarandompseudonym,isresponsibleforrespondingtoqueriesthatarelexicographicallyclosetothatpseudonym,andmaintainsaroutingtableofO(logN)peersthatenableittoefcientlyidentifythenoderesponsibleforaquery.2.MCONREQUIREMENTSInformally,wedeneanMCONtobeacommunicationsystemthathidestheidentitiesofitsmembersfrombothinsiderandout-siderattackers(networkmembersandnon-members,respectively),whileretainingmembers'abilitytocommunicateefciently.Thegoalistorevealnoinformationaboutthenetworkparticipantsthatwouldallowthemtobeidentiedinthe“realworld.”(Fromnow 2Memberscangoofflinewithoutdisruptingthenetwork3Filescanbearbitrarynameddata,so“locatingles”doesnotimplyatraditionalle-sharingsystem. onwewillrefertothehumanparticipantsas“users,”whilede-notingtheircomputationalpresenceinthenetworkas“nodes.”)Honestusershaveonexednetworkpseudonym,whichallowsothermemberstouniquelyaddressthem.(Wewillrefertooverlay-levelidentitiesas“pseudonyms”andreal-worldidentitiesas“iden-tities.”)Forthepurposesofthispaper,weassumethatobtaininganode'snetwork(IP)addressisbothnecessaryandsufcienttoidentifythereal-worlduserofthenetwork.4Inadditiontohidingmemberinformation,thisnetworkmustberobusttolinkfailureandpartitioning:wemustmaintainavailabil-itybothinthepresenceofnormalnetworkeventsandattackers.(Arelatedrequirementisnode-equity,i.e.nonodeismoreim-portanttothenetworkthananother.)Itshouldalsobescalable,allowingforthemembershipsettogrowwhilemaintainingrout-ingefciencyandminimizingcommunication,computation,andstorageoverhead.Finally,itshouldprovideefcientsearchfunc-tionality,whichcanreliablylocateanyinformationstoredinthenetworkwithinapredictabletimewindow.WeassumeanadversarywiththeresourcesofalargeISPorstategovernment.Thismeansthattheadversarycanmonitorordisrupttrafconsomefraction`oflinks;cancommunicatewitharbitrarynodesonthenetwork;andcanselectively“corrupt”orotherwiseassumecontrolofsomefraction ofselectednodes.Wecallthisan(`; )-adversary.Formally,wesaythatanoverlaynetworkprotocolis(;�;f)-membership-concealingifno(`; )-adversarymonitoring`linksandcorrupting �memberscanidentifymorethanf( ;`;N)members,whereNisthetotalnumberofMCONparticipants.Whenf( ;`;N)=( +`)wecalltheprotocolamembership-concealingnetworkprotocol.Wenotethatnooverlayprotocolthatpermitscommunicationbe-tweenpeerscanbe(;�;o(+�))-membership-concealingsinceatleastonenodemustdelivermessagestoeachcorruptedormon-itoredidentity,andanadversarycanalwayschoosetocorruptormonitoridentitieswithnocommonneighbors.3.RELATEDWORKArguablytherstdarknetwasWASTE[20],designedtofacili-tatesecurecollaborationbysmallgroups.Somelesharingappli-cationshaverecentlyaddeddarknetfeatures[7],andapplicationsfor“friend-to-friend”(F2F)sharinghavebeendeveloped[27].Thelatterschemeismeanttoallowsharingthroughtrustedinterme-diaries,preventingthedisclosureoftheuploader'sidentity.Itisalsofundamentallydifferentfrompreviousdarknetdesigns,sinceithidesthenetworkmembersetevenfromothernetworkmembers.Unfortunately,allofthesenetworkshavesimilarproblemssuchasformingpartitionedgroupsinsteadoflargernetworks,scalabilitylimitations,searchefciencyissues,andsecurityvulnerabilities.3.1FreenetThesystemthatiscurrentlymostsimilartoanMCONisFreenet[10].Itisacensorshipresistantnetworkwhichhidesthepublisher,querier,andstoragelocationoflesbyobfuscatingtheirnamesandcontents,makingitdifcultforanypartyotherthanthequeriertoidentifythecontentthatisbeingretrieved.Moreover,Freenetusesrecursiveroutingtoreducethenumberofnodeswhoareawareofeachother'sexistence.(Recursiveroutingproceedsbyood-ingthroughintermediatenodesinsteadofdirectlybetweensourceanddestination.)Freenetversion0.7isdesignedtoallowfortwomodesofoperation:inopennetmode,nodesmayfreelyconnecttoanyotheropennetnode,whiledarknetmodeallowsconnectionswithothernodesonlybypriorout-of-bandagreement,presumably 4Ifusersvoluntarilydisclosetheirreal-worldattributesthenIPaddressesbecomesufcient,butnotnecessary,tode-anonymizethem.basedonmutualtrust[41].ThisprovidesprotectionfrommaliciousnodescrawlingFreenetformembershipinformation.Notethatbe-causedarknetnodesdonotcommunicatewithopennetnodes,theremaybemanydisconnecteddarknetsinsteadofonelargenetwork.3.2TorbridgesTor[16]isapopularanonymizingnetworkthatofferssenderanonymity.Itconsistsofarelativelysmallnumberofdedicatedvolunteer“routers,”andisthuseasilyblockedatanationalorser-viceproviderborderbydisallowingallconnectionstothoseded-icatedhosts.Tordesignersareactivelyworkingtoadd“bridge”functionality[14]thatwouldmakeitmoredifculttoblock.Torbridgesarenotdedicatedrouters;theyareTorclientswhoallowusersincensoredregionstocontactthemdirectlyasarststepintotheTornetwork.Sincebridgesareclientnodes,theyaremorenumerousandexperiencehigherchurnthandedicatedrelays,soblockingthemisamoredifculttask.Thisisimplicitlyamem-bershipconcealmentfeature.Torcurrentlyreliesonapublicly-knowncentralizedauthorityorout-of-band(social)communicationfordistributionofbridgedescriptors,buttheauthoritycanitselfbeblocked.Althoughtheauthoritytakesprecautionstoavoidprovid-ingbridgedescriptorsenmassetoanyonewhoasks,thesystemisvulnerabletoattack:anadversarywhocontrolsmanyIPaddressescanquerytheauthorityrepeatedly,pretendingtobedifferentnodesbehinddifferentIPaddresses.3.3OthersystemsOtheranonymityschemes[25,19]havealsoattemptedtopro-vide“blockingresistance”byhidingtheirmembersamongalargerset.However,evenifanadversarycannotblockaccesstoallmem-bersofanoverlay,hemightbeabletoblockqueriesforparticulartypesofcontent.Sincemoststoragenetworksprovideanefcientlookupfeature,anadversaryknowingtheidentifyinginformationofthecontent(hash,ID,etc.)canlookupthenode(s)storingthatcontentandselectivelydenyaccesstothosenodes.Censorshipre-sistancerequiresblockingresistance,butbothareorthogonaltomembershipconcealment.3.4UsingsocialnetworkstobootstraptrustFreenetdarknetlimitsidentitydisclosuretotrustedpeers,se-lectedfromanetworkofuntrustedmembersbasedonpastper-formanceandoff-linerelationships.Turtle[36]isoneexampleofanetworkthatbootstrapsfromasocialnetworkthatexpressesmu-tualtrust.LikeFreenet,queriesareoodedanddonotterminateuntileithereverynodeinthenetworkhasrespondedorthemax-imalquerydepthisreached.Kaleidoscope[44]alsousessocialnetworkstodistributeproxyinformation,mitigatingSybilattacks(itisfarmorelikelythatSybilnodesareconnectedtoadversariesthanhonestnodes).However,thesystemusesacentralizedservertodistributeinformationaboutproxiestonewly-joiningnodes,soitisvulnerabletothesameattacksastheTorbridgeauthority.Danezisetal.alsousesocialnetworkstobootstrapaSybil-resistantDHT[11].Basedonthesameassumptionasabove–thatadversariesareconnectedtoasocialnetworkinfewplacescomparedtohonestmembers–theSybil-resistantDHTbuildstrustprolesforindividualnodesalongaquerypathandfavorsnodeswhousuallyyieldcorrectresults.Sincethemajorityofadversar-ial(Sybil)nodeswillbeconnectedtotheDHTthroughveryfewhonestnodes,thoseconnectionpointswill(withhighprobability)returnSybilnodesasnexthops,eventuallyproducingincorrectre-sultswhenadversarialnodesmisbehave.4.ATTACKSONEXISTINGSYSTEMSTheprimarygoalofMCONsisresistancetomemberidentica-tionattacks,inwhicheitheraninsider(MCONmember)oranout-siderattemptstodeterminethe“real-world”identitiesofnetwork areincludedintheonion-wrappedportionssothateachhoponlyreceivesitsowntoken.DHT(overlay)messagesareintheformof(ID;EP1(R1;EP2(R2;E:::(R:::;z;Ek1(M));MACk2(ID;z;Ek2(M))))),PiistheithphysicalhopintherouteandIDisthemessageidentier,followedbyrepeatedlayersofonionencryptioncontainingroutetokens.Theinner-mostonionlayeriscomposedusingtheveriedDHkeysharedwiththelogicalhopandcontainsamessageMforthenalDHThop.MisintheformatofIBEL(h(searchterm)),whereListheDHT(logical)destination.Onionwrapping.Onion-wrappingmessagesandrandomizingrout-ingtokenspreventsA,B,andCfromlinkingmessagesorlearningtheMCONtopology.However,anyoneofthemmaymonitortheamountoftimebetweenqueryandresponsealongagivensourceroute,andcandeducethemagnitudeoftheIDprexmatchbe-tweenthesourceanddestinationnodes.(Messagessenttoanearlylogicalhopalongaroutewilltakealongtimetoreturnaresult,whilemessagessentfromthelastlogicalhoptothequerydesti-nationwouldseeanalmostimmediateresponse.)Wecanpreventthisattackbyaskingeachlogicalhoptodelayqueryresponsesforaxedamountoftime.Sincethenumberoflogicalhopsrequiredtocompleteaqueryisuniformforagivennetworksize,andsinceeachlogicalhopknowsitslogicaldistancefromthedestination,therequireddelaycanbeestimatedwithinafactorof2.Thisincreasesthetotaltimerequiredtoreceivearesponsetoeveryquery,butalsoensuresthatthetimeisconstant(soqueryfailureiseasytodetect).Ifthequeryoriginatororalogicalhopfailstoreceivearesponse(withinatimeoutperiod)fromthenextlogicalhop(whichcanbetheresultoffailureatthelogicalhoporanyphysicalhopalongtheway),itpicksthenextbestlogicalhopandrepeatstheattempt,untiliteithersucceeds(receivesaresponse)orrunsoutoflogicalhopstotry.Inthelattercase,itwouldadmitfailure,andnotre-turnaresponse.Whilethisisnotacompletesolutionforchurn,itdoesprovideacertainlevelofrobustnessagainstofflinenodesandpacketloss.Amorerobustschemeisdiscussedinthenextsection.5.2RobustdesignRobustnessissomewhattrickytoachieveintheefcientdesign,sinceasingleofflinephysicalhopalongasourcerouterenderstheentiresourcerouteunusable.Inthissection,wediscussadesignthattradesincreasedrobustnessfordecreasedefciencyandlargernumberofdisclosedIPaddresses.Weemploywhatwecalla“skip-pingstones”approach:9inadditiontosendingamessagetoasinglehopalongaphysicalroute,themessageissenttoeachneighborofthathop.Eachofthosenodessendstoeachoftheneighborsofthenextphysicalhop,andsoon.Thisreducestheprobabilityoffailurebecauseonlyonenodeper“neighborhood”needstobehon-estandonlineinorderforamessagetogetthrough.Tothatend,allMCONnodesmustknownotonlytheIPaddressesandcrypto-graphickeysofeachneighbor,butalsoaddressesandkeysofeachneighbor'sneighbor.TheMIAwillrevealthatinformationduringthebootstrapphase.Furthermore,theentireneighborhoodneedsasharedkeyforusewithroutetokens.ThiskeycaneitherbegivenoutbytheMIAoragreed-uponbyneighborhoodmembersusingakeyagreementschemesuchasin[28].AlthoughDHTroutingdoesnotchangeintherobustscheme,wemustalterourphysicalhoproutinganddiscoverytoaccom-modateneighborhood-wideroutingdecisions.Whenaneighbor-hoodreceivesaroutediscoveryreply,amajorityofneighborsmustcometoaconsensusregardingthecontentsoftheirroutingtoken(andthusthepreviousandnexthopsforthereply).Theysign 9Astoneskippedoverwatermakescontactwiththesurfacerepeatedly,creatingripplesateachcontactpoint.theagreed-upontokenusingathresholdsignaturescheme[43],10whichrequiresmoutofnnodestopartiallysignamessagebeforeafullsignaturecanbederived.Forasimplemajority,mwouldbedn+1 2e.Eachnodecanthenindependentlyencryptthesignedtokenwiththesharedneighborhoodkey,prependittotheroutere-ply,andforwardit.Notethatmajorityagreementisrequiredonlyduringroutediscoveryandduringsharedkeyexchangewiththeoriginator.Multiplerouterepliesarehandledthesamewayasintheefcientscheme,butnowtheyarefarlesslikelytobemalicioussincemultiplenodesmustagreeontheroute–amaliciousmajor-ityatoneoftheintermediateneighborhoodswouldberequiredtoproduceacompromisedroute.Inordertosendamessageintherobustscheme,theoriginatorsendsmessagestoeachneighborofthenextphysicalhopalongtheroute.Whenamessagearrives,eachneighborcanindependentlydecrypttheenclosedroutingtoken(usingtheneighborhoodkey)andverifythesignaturetoensureitiscorrectlyformed.SinceonlythenaldestinationcandeterminemessagevaliditybyverifyingtheenclosedMAC,intermediatenodeswillnotknowifamessageislegitimate.IfanintermediatenodegetsdifferentmessageswithidenticalIDs,itmustforwardoneofeachcopy,potentiallyincreas-ingthenumberofmessagesproportionallytothenumberofadver-sariesencounteredenroute.Whileofferingsuperiorrobustnessunderheavychurn,thisschemehashigheroverheadthanourefcientscheme.Wefaceaconstant-factorincreaseinthenumberofreal-worldidentitieseveryMCONmemberknows,sinceeverynodemustnowkeeptrackoftheIPaddressesnotonlyofitsphysicalneighbors,butalsooftheirneigh-bors.However,sincethenumberofidentitieseachnodeknowsisstillconstant,thisdoesnotcompromisemembership-concealment.Wealsoloseplausibledeniability:anyoneofanode'sneighborscanperformpacketcounting[42]andtimingattacks[16]todeter-mineifamessageisbeingforwardedororiginated.However,wecanrecoverplausibledeniabilitybyusingcovertrafc.5.3HybriddesignThehybridschememaintainsmostoftherobustnesspropertiesofthepreviousschemewhilesignicantlyreducingcommunica-tioncosts.WetakeasimilarapproachtoSaiaandYoung[40]andmodifyourrobustschemesuchthatnodesdiscovertheidentitiesoftheirneighbors'neighborsonlyifh1(ID1)modm=h2(ID2)modmforsomesmallconstantm,whereID1andID2aretheDHTIDsofthetwonodes.Iftheequalitydoesnothold,nodessim-plydonotlearnabouteachother.SinceintroductionsarehandledbytheMIA,thisinvariantistrivialtoenforce.Intuitively,thisde-signprobabilisticallyguaranteesthateverynodeofthenextneigh-borhoodreceivesatleastonecopyofeachmessage.Asweincreasethemodulusm,fewermessagesaresentandrobustnessdecreases.However,thisreductionisacceptablewhenweconsiderthatmes-sageoverhead(combiningcommunicationtime,bandwidth,andcryptographicoverhead)isreducedbyafactorofm.6.THEORETICALANALYSISOurMCONdesignsdonotsharetheawsofexistingschemessuchasFreenet[10],Torbridges[14],Turtle[36],orKaleidescope[44].Thelattertwo,beingbasedonsocialnetwork,aresuscep-tibletotargetedcorruptionandcelebrityattackssincenodesarenotdegree-constrained,andthereforesomeare“tastytargets”forcompromise.11Freenetopennetisvulnerabletothesameattacks, 10Thresholdsignaturesallowsomenodestodisagreeorbeofineduringroutediscovery.11Wenoteacelebritycouldsplitsplithercontactlistsintomanynodeswithasmallnumberofneighborseach,andremainalogicallytastytargetwhilemaintainingalowtargetproleatthe 100billionnodes.Inthenextsectionwepresentsimulationresultsmeasuringreachabilitywhenre-routingistakenintoaccount.Denialofserviceattacks.Anunfortunatesideeffectofplausibledeniabilityintheefcientschemeistheinabilitytopreventnodesfromoodingthenetwork,sinceitisimpossibletodetermineifanodelegitimatelyinitiatedsuchaoodorisforwardingthemes-sageforanothernode.Thisleadstotheproblemofdenialofservice(DoS)attacksthroughnetworkoods.Wecancounterthisusingdata-obliviousthrottling,whereneighborsofanodesendingpack-etsfasterthanacertainthresholdwillrefusetoforwardsomeofthosepackets,independentoftheirultimateoriginordestination.Thispreventsundueusageofnetworkbandwidthbutdegradesthemaximumpossibleperformanceofthenetwork.Evenwithoutplausibledeniability,therobust(andhybrid)schemefallsvictimtoDoSduetotheamplicationfactorofmessages–foreverymessagesentbyanode,multiplemessagemustbesentbyrecipients.Whilenodescanrefusetoforwardduplicatemessages,adversarialintermediariesmodifyingmessageswillcauseboththeoriginalandthemodiedmessagestobepropagated.Withenoughadversaries,thenaldestinationcouldbeoverwhelmedwithmes-sages,allofwhichrequiredecryptionandverication.7.SIMULATIONRESULTSWesimulatedMCONconstructionandroutingusingtheOrkutdatasetfromMisloveetal.[32].Thedatacontains3,072,606nodes,13withanaveragenodedegreeof74.Totesttherobustrout-ingschemewegeneratedasmallersyntheticsocialnetworkusingamodiedversionofthealgorithmin[29].Ournetworkcontained1,324,134nodesandhadadegreedistribution,diameter,andclus-teringcoefcientcomparabletotheOrkutdataset.7.1MCONconstructionFromthesocialnetworkdataset,weconstructedanMCONwithanodedegreelimitof7.14Thebootstrapprotocolrandomlyselectsaninitialseedcliqueoffournodes(d7 2e)fromthesocialnetworkanditerativelyaddsnodestotheseedbasedonsocialnetworkre-lationships.ThenalMCONcontainedjustover85%ofthenodesinthesocialnetwork.Slightlymorethan35%ofMCONnodeshadunder-fullroutingtables,resultinginaveragenodedegreeof5:997,withanaveragepairwisephysicaldistanceof10.7.2RoutingandsearchOurDHTusestheKad Figure4:CumulativedistributionofphysicalhopsperDHTqueryroutingprotocol(avari-ationofKademlia[30]),usingroutingtableof16bucketsof8entrieseach.TheaveragenumberofDHThopsbetweenanytwoMCONnodesis2:5,whichtranslatestoanav-erageof13physicalhopsintheefcientcase,and26hopsintherobustcase.(Theprobabilitydistri-butionofphysicalhopsperquerywithnochurnisshowninFigure4.)Notethatduetothegreedynatureofroutingtableconstruction,whichpreferentiallyin-corporatesthenearestnodewithagivenprexmatch,theaveragenumberofphysicalhopsperlogicalhopislowerthantheaver-agenumberofphysicalhopsbetweenanytworandomnodesintheMCON.Assumingaverageroundtriptimesof180ms(computedfromthe“King”dataset[24]),asearchshouldcompleteinfewerthan2:5secondswithouttimepadding. 13Lessthan12%ofOrkut'snetworkatthetimeofcollection14Wealsosimulatedk=5andk=9.Theresultsconformtoexpectations–smallerkreducesconnectivityandefciency. Figure5:ProbabilityofqueryfailureinMCONsimulations.ChurnisthefractionofMCONmemberswhoareoffline.Whenaroutefails,weselectthenextbestrouteandcontinuetry-inguntilwereach25failedroutespernodeorthequerysucceeds.TheratesofDHTqueryfailurewithchurnforallthreeschemesareshowninFigure5.Datawascollectedusing500independenttri-als,routingbetweentworandomly-selectednodes.Intheefcientscheme,theworst-casenumberoflogicalhopsis18andtheworstcaseforphysicalhopsis178,whichtranslatestoaquerytimeofjustunder33seconds.Intheworstcasefortherobustscheme,aver-ageperformanceis127logicalhopsand395physicalhops,whichwouldrequire71secondsonaverage.(Notethatmanyofthesephysicalhopsarecontactedinparallel,makingthetimeestimatestrictlypessimistic.)Theefcientschemereacheditsperformancelimitat21%churn,andtherobustschemeat75%churn.Hybridschemeperformancedependsonthemodulus.Finally,therobustschememayprovideworse-than-expectedre-silienceincertaintopologies,suchaswhenadversarialnodesformclustersintheMCONduetodensesocialnetworkrelationshipsamongthem.Clustersreducetheadversaries'knowledgeofhon-estMCONnodes(sincemostofherneighborsaremalicious),butimpederouting–adversarialclustershaveahighchanceofform-ingneighborhoodswithmaliciousmajorities.However,assum-ingroutediscoveryproceedscorrectly,weonlyrequireonehonestnodeperneighborhoodformessageforwardingtosucceed.8.CONCLUSIONInthispaperweinitiateasystematicstudyofmembershipcon-cealmentasasecuritygoal.Whiletheideahasbeenimplicitlyde-scribedinotherwork,itwasnotrigorouslydened,andthereforeonlyimplementedinanad-hocfashion,usuallyresultinginvul-nerabilities.Wepresentedattacksagainsttwowell-knowncensor-shipresistancetools(FreenetandTorbridges),anddescribedthreedesignsformembership-concealingoverlaynetworks(MCONs).Onedesignisefcient,oneismorerobusttochurn,andoneisahybrid,balancingrobustnessandefciency.Insimulation,churnsignicantlydegradestheperformanceofallschemes,butthero-bustschemeperformswellunderchurnupto75%.Fromacom-binationoftheoreticalanalysisandsimulation,weconcludethatbothschemesarepractical,offeringbounded-timesearchthatlo-catesbothpopularandrarelesequallywell.Intheworstcase,oursearchtimeislessthan90secondsintherobustscheme,andlessthan35secondsintheefcientscheme.Someopenproblemsremainwithourdesigns.First,our“infec-tion”approachtoconstructingtheMCON,whilemitigatingboot-strapattacks,isnonethelesscumbersome.AbetterapproachwouldbetosomehowallowpeopletoaskformembershipintheMCONwhilepreservingsecurity.Second,thecurrentroutediscoverymech-anismrequiresaoodofthenetworkatnodejointime.Thisimposessignicantmessageoverhead,soweneedamechanismthatismoreefcientandstillmaintainsmembershipconcealmentpropertiesandsender-receiverunlinkability.Finally,althoughourMembershipandInvitationAuthoritycanremainofflineandhid-den,itstillrepresentsacentralpointoffailure15–ifitwerecom- 15withtheexceptionofavailabilityattacks