A Survey of Solutions to the Sybil Attack

Many security mechanisms are based on specific assumptions of identity and are vulnerable to attacks when these assumptions are violated. For example, impersonation is the well-known consequence when authenticating credentials are stolen by a third party. Another attack on identity occurs when credentials for one identity are purposely shared by multiple individuals, for example to avoid paying twice for a service. Such shared accounts are common in practice: friends exchange iTunes passwords to share purchased music; BugMeNot.com is a community that shares website registration passwords; and network address translation [29] devices allow multiple users to pay for a single IP address which is then shared among them. In this paper, we survey the impact of the Sybil attack [26], an attack against identity in which an individual entity masquerades as multiple simultaneous identities. The Sybil attack is a fundamental problem in many systems, and it has so far resisted a universally applicable solution. Many distributed applications and everyday services assume each participating entity controls exactly one identity. When this assumption is unverifiable or unmet, the sevice is subject to attack and the results of the application are questionable if not incorrect. A concrete example of this would be an online voting system where one person can vote using many online identities. Notably, this problem is currently only solved if a central authority, such as the administrator of a certificate authority, can guarantee that each person has a single identity represented by one key; in practice, this is very difficult to ensure on a large scale and would require costly manual attention.