Some context

With the release of SAFE-Fleming, we’ll have assembled all of the components required for a fully-functional permissionless decentralised network. The data layer will soon follow. But this is big news by itself. The previous post in the series, The Big Questions: SAFE Fleming and Beyond, outlines some of the challenges that we’re tackling.

The crucial part here is that one word: ‘permissionless’. It lies at the heart of a number of design decisions made across the SAFE Network. One is ordered consensus - something that we touched upon in the first post. Another, which is both orthogonal and complementary, is Sybil Resistance which we’ll now expand on a little here.

Let’s start with the Wikipedia definition of Sybil attacks:

“The attacker subverts the reputation system of a peer-to-peer network by creating a large number of pseudonymous identities, using them to gain a disproportionately large influence.”

Perhaps you know other Networks better. Let’s take Bitcoin for example. There, the proof-of-work (PoW) mechanism is effective in countering Sybil attacks because no matter how many identities an attacker creates, she still needs to control >50% of the network hash rate for any attack to be effective.

But as we know, a PoW blockchain isn’t a viable solution in the SAFE Network for a whole range of reasons (including lack of scalability and asynchronicity). So we have to achieve this using other means.

Before continuing, we should make an obvious point: Sybil attacks are of course not the only form of attack on the Network. But it’s a sufficiently important category that warrants separate consideration.

But, why?

To think about Sybil attacks, it might be useful to think about one of the weaknesses of existing social media networks. In most cases, it super-easy for someone to create a large number of fake identities in order to wield a disproportionate level of influence. Whether these identities are semi- or fully automated, the results are the same. In aggregate, they can be used to manipulate the discourse to their advantage. In some cases, that’s done simply to drive up sales of banal products. In others, it gives the attacker the power to subvert the foundations of freedom and democracy.

In the context of the SAFE Network, preventing Sybil attacks is crucial for a number of reasons - including preventing a malicious actor trying to perhaps set up a huge number of nodes to control consensus within Sections or attempting to double spend Safecoins.

So how do we stop Sybil attacks?

To guard ourselves from this happening there are a number of steps we can take. Fundamentally it boils down to making it prohibitively expensive for the attacker, both in time and resources spent. In Bitcoin, proof-of-work makes a Sybil attack very expensive because it requires any attacker to have control of more than 50% of the hash rate of the Network. In the same way, we want to make it so expensive to attack the SAFE Network that it becomes infeasible.

More concretely

We can identify at least two properties that would increase the cost for an attacker dramatically.

Dilute the attacker’s resources so that it prevents them from gaining a local advantage.

Delay the attacker’s ability to gain meaningful influence.

We can achieve this through a combination of mechanisms:

Don’t blindly add all new vaults that want to join

The SAFE Network only accepts new Vaults when there is a capacity deficiency. This means a user can’t just create 10 million vaults and connect to the Network. Clearly, this needs to be balanced against the fact that we don’t want to prevent home users from joining.

Balanced relocation

A node that joins the Network has no choice. It is assigned to a location that is chosen by other nodes. This means that an attacker is diluted to the point that it has no local influence. Crucially, attacking nodes are not given a chance to cluster.

Node ageing

Adjusting the influence that a node has according to the amount of work it has performed over time means that an attacker can’t take control by setting up and providing extensive resources to the Network. The number of nodes and resource provided to the network don’t matter if your nodes are young because - put simply - they have very little say in the decision-making. As nodes age, they are also relocated, which also helps to prevent any kind of local concentration of malicious nodes. Empirical data from other P2P networks show that the oldest nodes are always by far the most stable, meaning they are unlikely to churn and will provide a robust core structure that is inherently difficult to challenge for Sybil nodes.

You could also argue that node ageing in practice returns a similar result to proof-of-stake (where you need to put significant resources at stake before you can wield influence).

Combine these to a number of well-considered SAFE parameters (such as the number of nodes in a typical Disjoint Section), and an attack becomes infeasible (similar to how PoW works in blockchains). And the longer the network is active, the stronger the protection from Node Ageing becomes.

Sounds good and all, but I want more details

In upcoming posts, we’ll be taking this a bit further to elaborate on these mechanisms and what they achieve. In particular, we’ll be discussing the work we’ve been doing in exploring the parameter space using simplified models so that we can get a feel for what is necessary in terms of e.g. minimum section sizes and number of Elders.