1 Introduction

In 1993, Dwork and Naor proposed using computational puzzles to combat spam email  [43]. In the ensuing three decades, resource burning—verifiable consumption of resources—has become a well-established tool in distributed security. The resource consumed has broadened to include not just computational power, but also communication capacity, computer memory, and human effort.

The rise of permissionless systems has coincided with the recent increase in popularity of resource burning. In permissionless systems, any participant—represented by a virtual identifier (ID) in the system—is free to join and depart without scrutiny, while enjoying a high degree of anonymity. For example, an ID might be an IP address, a digital wallet, or a username.

In this setting, security challenges arise from the inability to link an ID to the corresponding user. A single malicious user may create a large number of accounts on a social media platform to wield greater influence; or present itself as multiple clients to disproportionately consume resources provided by the system; or inject many IDs in a peer-to-peer network to gain control over routing and content. This malicious behavior is referred to as the Sybil attack, originally described by Douceur  [41].

Such attacks are possible because users are not “ID-bounded” in a permissionless system; that is, there is no cost, and therefore no limit, to the number of IDs that the attacker (adversary) can generate. However, the adversary is often “resource-bounded”, even if this bound is unknown. In particular, it may be constrained, for example, in the number of machines it controls, or total channel capacity to which it has access. Resource burning leverages this constraint, forcing IDs to prove their distinct provenance by producing work that no single attacker can perform.

Paper Overview. Resource burning is a critical tool for defending permissionless systems. In support of this claim, we survey an assortment of topics: distributed ledgers, application-layer distributed denial-of-service (DDoS) attacks, review spam, and secure distributed hash tables (DHTs). Using these examples, we highlight how results in these different areas have converged upon resource burning as a critical ingredient for achieving security; this is summarized in Table 1.

Table 1. Summary of the domains surveyed, along with the corresponding resources, and core functionality that is secured by resource burning. We also make conjectures on the algorithmic spend rate. Here, T is the adversary’s spend rate; \(J_G\) is the join rate for good IDs; and \(P_G\) is the posting rate of good IDs. We elaborate on these notions in Sect. 2.5. The \(\tilde{O}\) notation omits polylogarithmic factors.
Full size table

As prelude to this survey, we predict how resource-burning may evolve, and how systems may adapt to this technique. These predictions are distilled in four position statements below.

figure a

PoW and CAPTCHAs have been around now for decades, persisting despite concerns over scalability, resource consumption, security guarantees, and predicted obsolescence (see discussion under Position 2 and Sect. 3). The continued practical success of resource burning aligns with theoretical justification from game-theoretic results on “money-burning” and “costly signaling” (Sect. 2.1). Given the increasing popularity of permissionless systems, and the need to defend them, resource burning will likely only increase in prevalence.

figure b

In May 2020, the annual energy consumption of Bitcoin was 57.92 terawatt-hours of electricity per year, which is comparable to the annual electricity consumption of Bangladesh; Ethereum was 7.9 terawatt-hours, comparable to that of Angola  [39]. In 2012, humans spent an estimated 150, 000 hours per day solving CAPTCHAS  [114, 137]. The rise of permissionless systems will likely only increase these rates of resource burning.

On the positive side, recent theoretical results suggest that resource burning can be analyzed and optimized just like any other computational resource  [59, 61]. But there is significant work needed to: (1) develop a theory of resource burning focused on distributed security; and to (2) translate this theory into practical resource savings.

In this paper, we discuss current theoretical work on reducing resource-burning rates across multiple application: blockchains (Sect. 3); DHTs (Sect. 4); application-layer DDoS attacks (Sect. 5); and review spam (Sect. 6).

figure c

Four decades of research have resulted in efficient and reliable algorithms for permissioned networks. We should leverage these results when addressing problems in new permissionless systems. One way to do this is to develop tools, based on resource burning, that bound the fraction of IDs controlled by the adversary (bad IDs) in permissionless systems. In Sect. 3, we discuss results on the problem GenID, which provides this bound for static, permissionless networks; and DefID which does so for permissionless networks with churn.

In Sects. 5 and 6, we discuss the threats posed by application-layer denial-of-service (DDoS) attacks and review spam. Neither problem aligns perfectly with a permissionless model. For example, servers are under administrative control, and online review systems often require credentials for account creation. However, these systems still remain vulnerable to malicious participants that are difficult to identify, and who monopolize system resources. We define a hybrid system model as one that contains both permissioned and permissionless properties. We note that any tools designed for permissionless systems will also work for hybrid systems. However, we would expect to be able to develop more efficient techniques to adapt tools from permissioned systems to these hybrid systems.

figure d

As theoreticians, we should generalize as much as possible. Algorithms that use resource burning should require a certain “cost” that specifies the amount of the resource to be consumed, but should allow for that resource to be anything: computation, computer memory, bandwidth, human effort, or some other resource yet to be defined. As much as possible, theoretical results should be stated in terms of this cost, irrespective of the resource consumed. This ensures our theoretical results will continue to be relevant, even as underlying technologies providing verifiable resource burning may change.

Additionally, a key research focus should be on problems that generalize across multiple domains. In this paper, we describe two examples: GenID and DefID (Sect. 3.1). Our remaining three examples are domain-specific. We believe it is important to work on both types of problems.

2 Background and Preliminaries

Resource burning has found application in various areas of computer security; indeed, its use was proposed by Douceur  [41] as a defense against the Sybil attack  [40, 75, 100, 106]. However, resource burning has a broader history, with similar ideas appearing in several other scientific domains.

In Sect. 2.1, we present this background. In Sects. 2.22.3, and 2.4, we elaborate on the notion of resource burning. Finally, in Sect. 2.5, we describe a general problem model that provides a unifying set of assumptions and terminology used throughout this document.

2.1 Game Theory, Biology and Economics

Resource burning is analogous to what is referred to as money burning in the game theory literature. To the best of our knowledge, the first significant algorithmic game theory study of money burning, due to Hartline and Roughgarden, analyzed the use of money burning in mechanism design  [61]. Their main result is a near-optimal mechanism for multi-unit auctions, where the quantity optimized is social welfare or the sum of utilities of all players. They also give results showing that, under certain conditions, an auction utilizing money burning can obtain a \(\varOmega \left( \frac{1}{1+ \log (n/k)}\right) \) fraction of the optimal social welfare, where the auction consists of n bidders who are bidding for k units. They conclude that “the cost of implementing money-burning ... is relatively modest, provided an optimal money-burning mechanism is used”.

Money burning is also known as costly signaling in the game theory literature, and it has two main uses in this context. First, it can signal commitment to a certain action, as is illustrated in the “lunch” gameFootnote 1  [29, 68]. Second, it can signal the “type” of a player, as is in the“college” game  [29]. We present these two games below.

Lunch Game. Two friends want to eat lunch together, but the first friend prefers option A and the second prefers option B. They each obtain payoff of \(-1\) if they choose different locations. If they both pick option A, they obtain payoffs of 10 and 1 respectively. Conversely, if they both pick option B, they obtain payoffs of 1 and 10.

Now, if the first friend verifiably burns money equal to 1 unit of utility prior to playing the game, this signals a commitment to their preferred option, since if they were to choose the unpreferable option, their utility would now be at most 0. Thus, they would not have played the game. In this way, a friend who burns money can expect higher utility.

College Game. Each student is one of two types: smart or daft. Each student is considering college and can choose either the action attend or not attend. A smart student pays a cost of 1 (in terms of time and effort) to attend college, and a daft student pays a cost of 3 to attend college. We assume that the decision of the student to attend college is publicly known, but that otherwise, college has no impact: daft students stay daft even after attending.Footnote 2

An employer wants to hire smart students. If the employer hires a smart student, their benefit is 2, and if they hire a daft student, their cost is 2. If a student is hired by the employer, they have a benefit of 2, and if they are not hired, they have a benefit of 0.

It is easy to verify that the following is a Nash equilibrium for this game:

\(\circ \):

Smart students attend college.

\(\circ \):

Daft students do not attend college.

\(\circ \):

The employer hires only students that attend college.

Here, smart students all choose to attend, even though college has no intrinsic benefit. Thus, the choice to attend college is a costly signal made by the smart students, and college itself is an example of resource burning.

If the option to attend college were removed from the game, and the fraction of smart students were less than 1/2, then a Nash equilibrium would be for the employer to never hire. In this case, the overall social welfare—the sum of expected benefits to all players—would decrease.

Biology. Costly signaling is a well-known phenomena in biology. A relevant example from animal behavior is stotting, in which quadrupeds, such as deer and gazelles, repeatedly jump high into the air. This is often done in view of a predator, suggesting that stotting is a costly signal to the predator that the prey is too healthy to catch  [49]. Other examples occur in sexual-selection, where the use of plumage, large antlers, and loud cries are a costly signal of fitness  [156].

Economics. In 1912, the economist Thostein Veblen coined the term “conspicuous consumption” to describe costly signaling used by people to advertise both wealth and leisure. For example, Veblen writes, “The walking stick serves the purpose of an advertisement that the bearer’s hands are employed otherwise than in useful effort, and it therefore has utility as an evidence of leisure”  [134]. Decades of economic studies suggest that conspicuous consumption is a critical part of historical and modern economies  [98, 113, 118, 119, 131]. For example, Sundie et al write: “Although showy spending is often perceived as wasteful, frivolous, and even narcissistic, an evolutionary perspective suggests that blatant displays of resources may serve an important function, namely, as a communication strategy designed to gain reproductive reward” [131].

2.2 What is Resource Burning?

We define resource burning as the verifiable consumption of a resource. In particular, it is computationally easy to verify both the consumption of the resource, and also the ID that consumed the resource  [6]. Below we describe several resource-burning techniques.

Proof-of-Work (PoW). PoW is arguably the current, best-known example of resource burning. Here, the resource is computational power. Proof-of-work has been proposed for spam-prevention  [43, 85, 90]; blockchains  [103]; and defense against Sybil attacks  [10, 88].

CAPTCHAs. A completely automated public Turing test to tell computers and humans apart, or a CAPTCHA, is a resource-burning tool where the resource is human effort  [147]. CAPTCHAs may be based around text, images, or audio; however, several design and usability issues exist  [148].

Proof-of-Space. Proof-of-space requires a prover to demonstrate utilization of a certain amount of storage space  [1, 13, 42, 44]. This approach is foundational for Spacemint cryptocurrency  [111]. Like PoW, proof of space demonstrates the consumption of a certain amount of a physical resource, but can require less electrical power. A related proposal is “Proof of Space-Time”  [102], which demands proof of consumption of a certain amount of storage space for a certain amount of time.

Resource Testing. Resource testing requires a prover to demonstrate utilization of a radio channel  [55, 56, 101].Footnote 3 Consider a wireless setting where each device has a single radio that provides access to one of several channels. Thus, an adversary representing two bad IDs, but with a single device, can only listen to one channel at a time. A base station can assign each ID to separate channels; send a random message on one of these channels chosen randomly; and demand that the message be echoed back by the corresponding ID. Since the adversary can only listen to a one channel at a time, it will fail this test with probability at least 1/2.

2.3 What is not Resource Burning

Proof-of-Stake (PoS) is a defense for permissionless systems, wherein security relies on the adversary holding a minority stake in an abstract finite resource  [2]. It has been proposed primarily for cryptocurrency systems (Sect. 3). When making a group decision, PoS ensures that each ID has voting weight proportional to the amount of cryptocurrency that ID holds. Well-known examples of such systems are ALGORAND  [54], which employs PoS to form a committee, and Ouroboros  [83], which elects leaders with probability proportional to their stake. Hybrid approaches using both PoW and PoS exist, including one proposed for the Ethereum system  [8], and under the name “Proof of Activity”  [27]. In contrast to the above examples, PoS involves a measurement, rather than a consumption of, a resource.

Disadvantages of Proof-of-Stake. Unfortunately, PoS can only be used in systems where the “stake” of each ID is globally known. Thus, it seems likely to remain relevant primarily in the domain of cryptocurrencies. Moreover, even within that community, there are concerns about proof-of-stake. To quote researcher Dahlia Malkhi: “I think proof-of-stake is fundamentally vulnerable ...In my opinion, it’s giving power to people who have lots of money”  [35].

2.4 Resource Burning Does Not Require Waste of the Resource

While resource burning requires verifiable consumption of a resource, it does not necessarily require waste of that resource. For example, Von Ahn et al.  [137] developed the reCAPTCHA system which channeled human effort from solving CAPTCHAs into the problem of deciphering scanned words that could not be recognized by computer. Their system achieved an accuracy exceeding professional human transcribers, and was responsible for sucesssfully transcribing hundreds of millions of words from public domain books.

In 2018, Ball et al. developed proof-of-work puzzles whose hardness is based on worst-case assumptions  [25]. These puzzles are based on the Orthogonal Vectors, 3SUM, and All-Pairs Shortest Path problems, and any problem that reduces to these problems, including deciding any graph property statable in first-order logic. Hence, their work enables design of PoW puzzles that can be useful for solving computational problems of practical importance.

In  [126], Shoker developed proof-of-work puzzles that solve real-world matrix-based scientific computation problems. He named this technique “Proof of Exercise”.

All algorithms discussed in this paper are compatible with this type of “useful” resource burning, where the consumption of the resource solves practical problems. Our only requirement of the resource burning mechanism is that the consumption of the resource be easily verifiable, which holds true for the above results.

2.5 A General Model

We discuss broad aspects of a general model for permissionless systems. This allows us to highlight commonalities between different application domains, while retaining the same terminology throughout.

The system consists of virtual identifiers (IDs). An ID is good if it obeys protocol and belongs to a unique user; otherwise, the ID is bad. Good and bad IDs cannot necessarily be distinguished a priori.

Communication. Communication is synchronous and occurs either via point-to-point or via a broadcast primitive. The former is typical for peer-to-peer systems and the general client-server setting. The latter corresponds to permissionless blockchains, where it is a standard assumption that a good ID may send a value to all other good IDs within a known and bounded amount of time, despite an adversary; for examples, see [30, 52, 54, 92] and see  [97] for empirical justification.

Adversary. A single adversary controls all bad IDs; this pessimistically represents perfect collusion and coordination by malicious users. Bad IDs may arbitrarily deviate from our protocol, including sending incorrect or spurious messages. The adversary can send messages to any ID at will, and can view any communications sent by good IDs before sending its own. It knows when good IDs join and depart, but it does not know in advance the private random bits generated by any good ID.

Often, the adversary is assumed to control only an \(\alpha \)-fraction of the network resources, for \(\alpha >0\). Generally, in settings where correctness is threatened, \(\alpha \) must be a small constant; for example, often bounded below 1/3 or 1/4. Alternatively, there are settings where \(\alpha \) can be any constant bounded away from 1; typically, this corresponds to problems of performance (rather than correctness).

Tunable Costs. We measure cost as the amount of resource consumed. Our model is agnostic with respect to the particular resource used. However, we assume that it is possible to arbitrarily tune the cost. In particular, we assume that, for any value x, an ID can be issued a challenge of difficulty x that will require consumption of x units of whatever resource is used.

Resources such as computation, computer memory, and bandwidth have inherently tunable costs. For CAPTCHAs, cost could be adjusted in two possible ways. First, by adjusting the difficulty of the puzzle, by either (1) adjusting the number of alphanumeric digits or the number of images to be classified; or (2) adjusting the difficulty of an individual recognition task as described in the ScatterType CAPTCHA system  [24]. Second, by adjusting the expected difficulty by adjusting a probability of being required to solve a CAPTCHA.

Joins and Departures. Often, the system is dynamic, with IDs joining or departing over time. There is no a priori method for determining whether a joining ID is good or bad. Joins and departures by bad IDs may be scheduled in a worst-case fashion, and pessimistically we often assume the adversary also has a limited ability to schedule these events for good IDs. We will generally assume a lower bound on the number of IDs in the system, and that the lifetime of the system is polynomial in this lower bound.

Key Notation. Through out this work, let T denote the adversarial spending rate, which is the cost to the adversary over the system lifetime divided by the lifetime of the system. Let the algorithmic spending rateA, be the cost to all good IDs over the system lifetime divided by the lifetime of the system.

In the blockchain and DHT problems, we let \(\textit{\textbf{J}}_{\textit{\textbf{G}}}\) denote the good ID join rate, which is the number of good IDs that join during the system lifetime divided by the lifetime of the system. Finally, for the review spam problem, we let \(\textit{\textbf{P}}_{\textit{\textbf{G}}}\) denote the good posting rate, which is the number of posts made by good IDs during the system lifetime divided by lifetime of the system.

2.6 Game Theoretic Analysis

For many of our problems, we can analyze the defense of a system as a two-player zero sum game  [45] as follows. There is an adversary that can choose to attack or not, and an algorithm that can choose to defend or not. There is a system invariant, which the algorithm seeks to protect, that has some value V. There is a function f that gives the cost incurred when the algorithm chooses to defend as follows: if the adversary spends T to attack, then the algorithm will spend f(T) to defend. Thus the payoff matrix for the algorithm is given below.

figure e

Solving this game, we get that in the Nash equilibrium, the algorithm player will defend with probability \(p = \frac{V}{T-f(T) + f(0) + V}\). Thus, the expected utility of the game to the algorithm player will be \(\frac{-Vf(0)}{T-f(T) + f(0) + V}\). In many of our problems, \(f(T) = f(0) + o(T)\), and so we obtain a value that is \(\varTheta \left( \frac{-Vf(0)}{T + V}\right) \). Smaller T optimizes the utility for the adversary, in which case, the expected utility of the algorithm is \(\varTheta (-f(0))\).

3 Blockchains and Cryptocurrencies

A blockchain is a distributed ledger. In particular, it is a distributed data structure that stores transactions between IDs in a network. Each transaction represents flow of a resource from one ID to another. Every transaction added must be legitimate, in the sense that the source ID owns the resource to be transferred, as indicated by the distributed ledger, at the time of the transaction. Importantly, transactions can only be added to the blockchain, and once added, can never be deleted or edited.

3.1 GenID and DefID

Perhaps the current, most frequently-used application of resource-burning is for blockchains. Permissionless blockchains are vulnerable to Sybil attacks  [89]. The next two problems use resource burning to defend against this. Recall that the adversary controls an \(\alpha \)-fraction of the resource that is being burned.

The GenID Problem. The problem stated below, GenID, was first defined and studied by Aspnes, Jackson, and Krishnamurthy  [11]. They proposed a solution with latency of 3 rounds, and \(\tilde{O}(n^2)\) bits sent per good ID, at a burned resource cost of O(1) per good ID.

figure f

Several other solutions to GenID have been proposed in the literature  [4, 10, 67, 81]. Andrychowicz and Dziembowski described an algorithm with a latency of \(\varTheta (n)\) rounds; \(\tilde{O}(n^2)\) bits sent per good ID; and a burned resource cost of \(\tilde{O}(1)\) per good ID  [10]. Concurrent to this work, Katz, Miller and Shi [81] proposed another solution with similar costs. Hao et al.  [67] improved on these results via using a randomized leader election protocol. Their algorithm has, in expectation, a latency of \(\varTheta \left( \frac{\ln n}{\ln \ln n}\right) \) rounds; \(\tilde{O}(n)\) bits sent per good ID; and a burned resource cost of \(\varTheta \left( \frac{\ln n}{\ln \ln n}\right) \) per good ID.

The most recent work in this domain is by Aggarwal et al.  [4], which requires in expectation: O(1) latency; O(n) bits sent per good ID; and a burned resource cost of O(1) per good ID.

It is still not known if these costs can be reduced for the general problem, or for an “almost-everywhere” versions of the problem, where all but a o(1) fraction of the IDs must learn S. To the best of our knowledge, there are no current lower-bounds on the problem.

The DefID Problem. The following problem, called DefID, considers the GenID problem in the presence of churn.

figure g

A first algorithm to solve DefID was proposed in by Gupta, Saia and Young in [58]. It required algorithmic spend rate of \(O(J_G + T)\); recall that \(J_G\) is the join rate of good IDs per time step, and T is the spend rate of the adversary. Note that this result holds without any additional assumptions. Gupta, Saia and Young further improved this result in [59, 60] to \(O(J_G + \sqrt{TJ_G})\), subject to two assumptions on the join rate of good IDs, which are found to be supported by real-world data [59].

Specifically, the assumptions needed are as follows. Define an epoch to be the length of time it takes for the fraction of good IDs to change by 3/4 fraction. First, the join rate for good IDs changes by at most a multiplicative factor between any two successive epochs. Second, in any epoch the actual join rate for good IDs over any “sufficiently large” period of time is within constant factors of the join rate for good IDs over the entire epoch.

An asymptotically matching lower bound was obtained for a large class of algorithms  [59]. An open problem is to generalize this bound to all algorithms.

4 Distributed Hash Tables

Distributed hash tables (DHTs) are a popular P2P distributed data structure [3, 80, 87, 96, 117, 129] with several implementations over the years  [46, 128, 141]. Generally, the design entails hashing attributes of a user’s machine to a key value (or ID) in a virtual space; similarly, for data items. The various DHT constructions differ in their overlay topologies, but typically IDs need only maintain state on a small number of neighbors, and routing is possible with a small number of messages, where small means at most logarithmic in the number of IDs in the system.

These systems are vulnerable to attack. A bad ID that participates in routing can drop or corrupt any message it receives. A good ID can be completely isolated from the rest of the network if all of its neighbors are bad; this is often referred to as an eclipse attack  [63, 127]. Finally, content can be compromised if bad IDs alone are responsible for storing a particular data item. Generally, the behavior of bad IDs is modeled by Byzantine faults. For almost two decades, there has been a sustained interest in the design of secure DHTs that can tolerate such attacks  [135].

Byzantine Fault Tolerance in DHTs. A popular approach to tolerating bad IDs depends makes use of groups: these are small sets of IDs, each of which have a good majority. Intuitively, a group is used in place of an individual peer, and the group members act by using majority action or secure multiparty computation to coordinate actions. For example, routing can be performed robustly via all-to-all communication between each pair of groups along the path from source to destination. Examples of group-based DHT constructions include  [21,22,23, 48, 72, 105, 122, 125, 151].

As an alternative to using groups, bad IDs may be tolerated by employing some form of redundant routing  [32, 65, 74, 78, 82, 104]. Several other results do not explicitly apply to DHTs, although they may be compatible. For example, the challenge of tolerating bad IDs is exacerbated in highly-dynamic P2P systems, and there is a growing body of work in this area  [14,15,16,17,18, 57]. Self-healing networks are another approach for achieving security, where bad IDs are identified and evicted  [84, 120, 121].

In all of these works, a critical assumption is that the fraction of bad IDs is a small constant. However, given that DHTs are often permissionless, this assumption is easily violated via a Sybil attack. Thus, while many tools have been developed for securing DHTs against Byzantine faults, additional work is required to limit the fraction of bad IDs in the permissionless setting.

Sybil Resistance. Several approaches have been proposed for mitigating the Sybil attack. The influence of bad IDs can be limited via containment schemes that leverage the network topology in structured overlays  [124] and in social networks  [7, 86, 99, 143, 152,153,154]. However, the information required—particularly social networks—may not always be available.

An alternative defense is to use measurements of communication latency or wireless signal strength to verify the uniqueness of IDs  [26, 38, 53, 91, 140]. However, these techniques are sensitive to measurement accuracy.

For DHTs, an early result by Danezis et al.  [37] gives a heuristic to limit the impact of bad IDs using bootstrapping information, but unfortunately provides no formal guarantees. Results that employ resource burning are scarce. The use of computational puzzles in decentralized systems is explored by Borisov  [31] and Tegeler and Fu  [132] as a means for identifying and excluding bad IDs from the system. Computational puzzles are also used by Rowaihy et al.  [116] to throttle the rate of bad IDs added to a structured P2P system; however, this does not limit their number. Arguably the best-known result is the SybilControl scheme by Li et al.  [88], which provides for a DHT construction that limits the number of bad IDs through the use of computational puzzles. Good IDs periodically challenge their neighbors under the Chord DHT topology  [129, 130], and blacklist those who do not respond with a solution in time. Experimental results indicate that this approach, in conjunction with limited data replication, allows for almost all searches to succeed.

4.1 Why DefID is Not Enough

The DefID problem (Sect. 3.1) captures many of the challenges required for secure DHTs. However, current solutions to DefID depend heavily on a means to coordinate resource burning. The main approach is to use a committee—a small set of IDs with a good majority—which issue resource-burning challenges. To apply results on DefID to DHTs requires decentralizing the functionality provided by the committee.

Additionally, while DefID always guarantees a minority of bad IDs, this is not enough. In particular, to ensure reliable routing and protection from eclipse attacks, group-based approaches demand that all groups have a minority of bad IDs. Fortunately, there are already clever techniques to spread the bad IDs uniformly across the groups. Informally, when a new ID joins a group, some IDs in the group are evicted and resettled in random locations, and their replacements are selected uniformly at random  [21,22,23, 57].

Unfortunately, performing such shuffling for every joining ID, even when there are no bad IDs in the system, incurs large bandwidth costs. A major open problem is to devise an algorithm that minimizes both bandwidth and resource-burning costs, as a function of adversarial spend rate.

4.2 The Permissionless DHT Problem

Problem 3 gives our formal problem in this domain. It assumes that the adversary controls an \(\alpha <1/3\) fraction of the burnable resource. We now describe some ideas about how to solve it.

figure h

Recall from Sect. 3.1 that DefID imposes a cost of \(O(J_G + \sqrt{TJ_G})\) on the good IDs. Informally, a plausible extension to this result is for each group in the DHT to act as a committee that runs an algorithm to solve DefID. In many group-based constructions, a good ID belongs to a number of groups that is logarithmic in the system size. Consequently, the algorithmic spend rate is likely to increase by a logarithmic factor. This yields our conjectured bound of \(\tilde{O}(\sqrt{T J_G} + J_G)\). Note that this aligns with Position 2 since costs to the good IDs are low when the adversary expends little effort (or does not attack at all), and grows slowly relative to the adversary’s cost when a significant attack occurs. In the absence of a single committee that can track global information (such as the join rate of IDs), setting the hardness of challenges is tricky, and new ideas are needed to obtain the conjectured upper bound.

Finally, while we have focused on DHTs, new defenses for them might generalize to providing security in permissionless settings for other structured P2P systems  [12, 20, 47, 51, 62, 71, 158].

5 Application-Layer DDoS Attacks

A denial-of-service (DoS) attack prevents good IDs from accessing resources of a system. A distributed denial-of-service (DDoS) attack occurs when multiple bad IDs carry out a coordinated DoS attack. In an application-layer DDoS attacks, an adversary attacks by issuing many requests for system resources, as opposed to say swamping the network bandwidth. Here, we discuss defenses against application-layer DDoS attacks based on resource burning.

Filtering Methods. Many DDoS defenses rely on techniques for filtering out malicious traffic, including IP profiling [94, 155]; CAPTCHAs  [109, 136]; capability-based schemes  [9, 149]Footnote 4; and anomaly detection  [70]. An extensive survey of defenses can be found in  [157]. Unfortunately, these techniques are imperfect, and an adversary may bypass them by issuing traffic that appears legitimate. This has led to resource-burning defenses against DDoS attacks, which are sometimes referred to in the literature as currency-based or resource-based schemes  [139].

Resource-Burning Approaches. A number of proposed defenses require IDs to solve puzzles before their requests for service are honored  [19, 76, 77, 112]. A challenging aspect of these proposals is the lack of a theoretically-backed method to tune the puzzle difficulty. To address this issue, Mankins et al.  [95] propose a pricing mechanism to set the difficulty based on the service-request type; however, the pricing functions are set by the server a priori, and may fail as the incentives or capabilities of the attacker change over time. A dynamic strategy to determine puzzle difficulty is given by Wang and Reiter  [142]. A client requesting service chooses the puzzle difficulty based on the effort it is willing to expend, while the server prioritizes service according to the difficulty of the puzzles solved. However, this approach may starve IDs with limited resources, and requires the server to maintain state on the difficulty of the puzzles solved. Finally, Noureddine et al.  [108] employ a game-theoretic model to pre-compute the difficulty of puzzles assuming all IDs (good and bad) are rational.

An alternative resource—communication capacity—is consumed by the speak-up defense of Walfish et al.  [138]. During an attack, it is common for bad IDs to bombard the server with requests, using much (or all) of the data rate available to the adversary. Speak-up encourages good IDs to respond in kind by increasing their respective request rates. A front-end server known as a “thinner” randomly drops requests in order to impose a manageable service load. If the aggregate capacity of the good IDs is comparable to that of the bad IDs, then this resource-burning scheme can allow good IDs to obtain a commensurate amount of service.

5.1 The Application-Layer DDoS Problem

There are many similarities between the application-layer DDoS attack and the Sybil attack. The DDoS model is not purely permissionless, since the server is a trusted authority. However, the attacks involve IDs whose distinctness cannot be ascertained, and where an adversary may create many bad IDs to facilitate attacks. In this sense, the DDoS model is a hybrid of permissionless and permissioned systems. Thus, it is not surprising that resource burning would be useful to defend against DDoS attacks.

In this vein, we propose the open problem below.

figure i

Problem 4 shares much in common with DefID (Sect. 3.1). Requests from client IDs correspond to join events; satisfying requests corresponds to departures. Here, \(\alpha \) need not be bounded, since we are not making a correctness guarantee analogous to maintaining a good majority in DefID. Rather, our new requirement concerns performance: good IDs receive a \(1-O(\alpha )\) fraction of service. In this sense, Problem 3 seems strictly easier than DefID.

However, a new difficulty is heterogeneity: requests may differ in the amount of effort required to service them. Thus, enforcing a bound on the fraction of bad requests serviced does not ensure that the goal of Problem 4 will be met. In light of this issue, it may be helpful to consider a weighted version of DefID, and whether existing solutions can be extended to this more general setting. While we are optimistic that for large T, o(T) is possible for Problem 4, a tight upper bound is an interesting direction for future work.

6 Review Spam

Online user-generated reviews play an important role in influencing the purchasing decisions of consumers. These systems are subject to manipulation where an adversary employs multiple accounts to create fake reviews that falsely promote or disparage a product  [50]; this malicious behavior is often referred to as review spam, but also goes by other labels such as astroturfing  [133] and opinion spam  [69].

Review spam threatens online retailers—such as Amazon or Walmart  [33, 50]—and merchants who depend on income from online sales. While online review systems typically have some form of admission control, such as requiring credentials for the creation of an account, this can be bypassed. For example, an attacker can hire users that possess a sufficient online presence in order to engage in review spam  [36, 66], and social-media credentials can be automatically generated  [133]; examples of these attacks are described in  [69, 93].

In response to this threat, the research community has proposed various strategies for detecting fraudulent reviews; these employ a range of techniques including machine learning  [34, 73], anomaly detection  [123, 145, 146], linguistic evaluation  [79, 115], graph analysis  [5, 28, 66], and many others. A comprehensive overview of these techniques is given in  [64, 144, 150].

Progress in this area offers the ability to classify a review as either spam or legitimate, with some small error probability; for example, the work in  [110] achieve an accuracy of almost \(90\%\). This classification functionality is a promising ingredient for designing more general tools for mitigating review spam.

6.1 The Review Spam Problem

The problem of review spam largely aligns with our general model in Sect. 2.5. While online systems often require some credentials for creating an account, this admission control can be circumvented, and the system is effectively permissionless. However, the review spam model has some novel features. IDs join the system, but they may never formally depart. Even IDs that are regularly in use may have periods where the corresponding user is offline. Thus, any attempt to simultaneously challenge all IDs, in order to reveal some as bad, will fail.

On the positive side, as noted above, machine learning can now help. In particular, we may assume a classifier that correctly classifies reviews as spam or not with some fixed probability of error. Over a sufficiently large number of reviews, this classifier can be used to obtain a good approximation of the current fraction of spam reviews, and this information can be used to set the amount of resource burning required to post a review. Our conjecture of \(O(T^{2/3} + P_G)\) in Table 1 follows from a preliminary analysis that leverages a classifier in this way. Informally, we increase the cost for posting a review when a significant attack is ongoing—that is, many reviews are diagnosed as spam by the classifier. Otherwise, we reset the cost to the lowest level.

We formalize the challenge of review spam as Problem 5.

figure j

7 Conclusion

In this paper, we surveyed the literature on resource burning and established it as critical a tool for securing permissionless systems. We described results from four domains: blockchains, DHTs, application-layer distributed DDoS attacks, and review spam. We noted shared security vulnerabilities in both permissionless and hybrid systems, and how resource burning is well-suited for addressing common threats.

We observed that resource burning costs are prohibitively high for most current systems. Thus, a high-priority area for theoretical research is the design of resource-burning defenses that reduce these costs. In particular, whenever possible, good IDs should spend at a rate which is asymptotically less than the adversary when the system is under attack. To encourage research efforts, we defined several open problems, along with conjectured upper bounds for these problems.