1

A P2P-based Infrastructure for Adaptive Trustworthy andEfficient Communication in Wide-Area Distributed Systems

Haiying Shen*, Senior Member, IEEE , Guoxin Liu, Student Member, IEEE ,Jill Gemmill, Member, IEEE , Lee Ward1

Abstract—Tremendous advances in pervasive networking have enabled wide-area distributed systems to connect distributedresources or users such as corporate data centers and high-performance computing centers. These distributed pervasivesystems take advantage of resources and enhance collaborations worldwide. However, due to lack of central management, theyare severely threatened by a variety of malicious users in today’s Internet. Current reputation- and anonymity-based technologiesfor node communication enhance system trustworthiness. However, most of these technologies gain trustworthiness at the costof efficiency degradation. This paper presents a P2P-based infrastructure for trustworthy and efficient node communicationin wide-area distributed systems. It jointly addresses trustworthiness and efficiency in its operation in order to meet the highperformance requirements of a diversified wealth of distributed pervasive applications. The infrastructure includes two policies:trust/efficiency-oriented request routing and trust-based adaptive anonymous response forwarding. This infrastructure notonly offers a trustworthy environment with anonymous communication, but also enhances overall system efficiency throughharmonious trustworthiness and efficiency trade-offs. Experimental results from simulations and the real-world PlanetLab testbedshow the superior performance of the P2P-based infrastructure in achieving both high trustworthiness and high efficiency incomparison to other related approaches.Index Terms—Wide-area distributed systems, Peer to peer networks, Reputation systems, Anonymity, Efficiency

F

1 INTRODUCTIONThe immense popularity of the Internet has provided

a significant stimulus to the advancement of wide-areadistributed pervasive systems that provide high scalabil-ity, efficiency, and other benefits not found in centralizedmodels. These Internet-based distributed pervasive systems(e.g., corporate data centers and high-performance comput-ing centers) attract Internet users from across the worldto donate their computer resources for various objectivesranging from file sharing to distributed computing, frominstant messaging to content distribution. For example, overthe past year, the total traffic on the BitTorrent P2P filesharing application has increased by 12%, driven by 25%increases in per-peer hourly download volume [1], and 471.5million users in one day connect to the Akamai P2P-assistedcontent delivery network (CDN) [2].

An open wide-area distributed system consists of manydiverse and autonomous peers without preexisting trustrelationships, in which malicious or selfish users may dropforwarding messages in node communication. Thus, it isimportant for nodes to communicate with each other effi-ciently (i.e., quickly with low overhead), trustworthily (i.e.,reliably and anonymously). Currently, many technologies,including reputation- and anonymity-based approaches,have been proposed to prevent, detect, and countermalicious attacks and enhance system trustworthiness.

A reputation system collects, distributes, and aggregatesfeedback about participants’ past behaviors to help peersdecide whom to trust, encourage trustworthy behavior,and discourage uncooperative or dishonest behavior. In a

• * Corresponding Author. Email: shenh@clemson.edu; Phone: (864) 6565931; Fax: (864) 656 5910.

• Author1 is with the Sandia National Laboratories, Albuquerque, NM87185. Email: lee@sandia.gov.Other authors are with the Department of Electrical and ComputerEngineering, Clemson University, Clemson, SC, 29634.E-mail: {shenh, guoxinl, gemmill}@clemson.edu

distributed system, a node needs to choose a server from acandidate pool for a service such as forwarding a query orproviding a file. A straightforward approach for nodes touse reputation metrics is to select the node with the highestreputation value as a providing server. However, biasingthe nodes with the highest reputation may overload themand also prevent a system from fully taking advantage ofall resources to achieve system-wide high performance.

Current research on reputation systems [3–15] mainlyfocuses on accurate reflection of node trustworthiness andhigh scalability of systems. However, even the accuratecalculation of reputation values offered by a highly scalablereputation system may not be adequate as a mechanismto provide proper incentives for nodes to choose the bestservers, and to improve the achievable efficiency of dis-tributed systems. Reputation systems need to be comple-mented by an unbiased trust-based node selection policythat also considers efficiency for trustworthy and efficientnode communication.

For anonymous transmission, tunnelled communicationwith a number of proxies between the two endpoints in therouting path provides anonymity for the two endpoints, sinceeach node has no information about the message routingpath other than the identity of its previous and succeedingnode. Technologies such as Tor [16] randomly chooses theproxies. Directly using the randomized selection method inan open distributed system is not able to ensure successfulrouting, as the chosen nodes may be malicious nodes thatdrop or corrupt messages. Freenet [17] and Mute [18]achieve anonymity by requiring that all data is forwardedback hop-by-hop from a data provider to a requester ratherthan using direct communication. OneSwarm [19] pro-vides anonymity by multi-path message forwarding and byproviding users with configurable control over their data:data can be shared publicly or anonymously, with friends,with some friends but not others, or only among personaldevices. However, these methods introduce high commu-nication overhead. Efficiency for high performance shouldnot be greatly compromised while exploring trustworthytechnologies for distributed systems.

2

Unlike OneSwarm which relies on users’ extra effort forconfiguration and high-cost multi-path message routing, wetackle this problem from another angle: leveraging repu-tation systems. Specifically, we propose an infrastructurebuilt on a structured P2P middleware overlay to supplytrustworthy and efficient node communications for wide-area distributed systems. It can be easily used by a varietyof distributed systems such as P2Ps, grids, and collaborativeclouds. The infrastructure incorporates two policies:• Trust/efficiency-oriented request routing policy(FairTrust). FairTrust guides nodes to consider bothreputation and capacity in node selection in order to choosetrustworthy nodes while avoiding bottlenecks. It creates atrustworthy distributed communication environment, whileproviding flexibility in resource sharing between nodes.Furthermore, it facilitates taking full advantage of systemresources for high performance of distributed systems.• Trust-based adaptive anonymous response forwardingpolicy (TrustAar). TrustAar adapts the path lengthof response forwarding to node reputation in orderto protect client-server connectivity and anonymity,while enhancing communication efficiency over currentanonymity approaches.

In this paper, we use P2P file sharing systems as anexample for a wide-area distributed system. This articlecombines the methods proposed in previous conferenceversions [20, 21], refines and enhances the methods andpresents extensive experimental results. The rest of thispaper is structured as follows. Section 2 introduces the P2P-based infrastructure design including the aforementionedtwo policies. Section 3 shows the performance of thesepolicies in comparison with other related policies in sim-ulation and on PlanetLab. Section 4 concludes this paperwith remarks on possible future work. The supplementaldocument presents a concise review of related work andmore experimental results.

2 DESIGN OF THE P2P-BASED INFRAS-TRUCTURE2.1 Background and OverviewStructured P2P overlay networks are a class of decentralizedsystems that partition ownership of a set of objects amongparticipating nodes and can efficiently route messages tothe unique owner of any given object. The overlay networkprovides two main functions: insert(key,data) andlookup(key) to store the data to a node responsiblefor the key and to retrieve the data. The message foreach function is forwarded from node to node throughthe overlay until it reaches the data’s owner. Each nodemaintains a routing table, which records its neighbors inthe overlay network. After a node receives a message, itforwards the message to one of its neighbors in the routingtable based on the P2P routing algorithm.P2P overlayssuch as Tapestry [22] and Cycloid [23] have no rigidlydefined topologies and routing algorithms (i.e., an entryin a node’s routing table can have multiple node choices),which facilitates the implementation of anonymity in theinfrastructure. Any such P2P overlay can be the basis forour system’s infrastructure. We choose Cycloid [23] as anexample to serve as the foundation of the infrastructure.

Anonymity allows data sharing between clients andservers in such a manner that no one can determine theidentities of the clients and servers. In order to hide theclient and server of a communication, it is necessary to form

3/65

Challenges of DHT Congestion Control

NC

HG

D

F

J K

A

B

H

I

P

M

L

O

E

client

server

client clientFig. 1: Node communication in a structured P2P.

an anonymous path between the two endpoints and ensurethat nodes on the path do not know where the endpointsare. A P2P overlay contributes to achieving anonymity inthe application level. It obscures the physical locations ofnodes from each other, and restricts a node’s view only toits neighbors. In addition, initial messages and forwardedmessages are constructed and processed similarly, so nodescannot differentiate message forwarding neighbors from ini-tial message generating neighbors. Furthermore, tunnelledcommunication provides certain protection to two endpoints.

Figure 1 depicts a tunnelled communication betweenclient A and server E in traditional structured P2P overlays.The request is routed along the path A → B → C →D → E, and the response is forwarded directly from Eto A. We define a client-server path as a tunnelled pathfrom a client to a server, and a server-client path as atunnelled path from a server to a client. The client-serverpath in the figure is not directly between A and E; rather,it travels through three other nodes. Each node on the pathdoes not know the source or the final destination of themessages transferred. For example, node C does not knowif the communication is between nodes B and D or ifthey are passing the messages elsewhere. Nodes only haveknowledge of their immediate neighbors in the proxy chain.This provides a certain degree of anonymity. However, thedirect communication from E to A reveals their identities toeach other. Also, in most traditional structured P2P overlaynetworks, because of their strictly controlled topologies andrigidly defined routing algorithms, there is only one nodeoption in the system for each entry in a node’s routing table,and hence only one neighbor option to forward a request.This enables a malicious node to analyze the message trafficto identify the client, server, and path. Also, the rigid routingalgorithm cannot avoid overloaded nodes in routing, leadingto low efficiency. For example, in Figure 1, requests fromclients A, F and G towards E must travel through nodesC and D, which could easily become overloaded.

Cycloid’s flexibility in topology construction and routingalgorithm (that enables to select a neighbor from multipleoptions) facilitates the exploration of techniques for bothanonymity and efficiency. We propose the FairTrust policyto prevent traffic analysis in the client-server path, and theTrustAar policy for data forwarding in the server-clientpath. These policies provide anonymity to both clients andservers with reduced overhead through a harmonious trade-off between reliability/anonymity and efficiency.

In this paper, we assume the existence of a decentralizedreputation system [3, 4] that is scalable and can accuratelyand securely provide reputation values of nodes. We alsoassume that a node’s reputation value can represent itsgeneral trustworthiness, and that a high-reputed node isunlikely to drop (or corrupt) a message or be a spy orunscrupulous organization that conducts censoring or anal-ysis of data traffic. Please refer to papers [3–15] for thedesigns of scalable, accurate and secure reputation systems.

3

As our work does not focus on reputation system design,these works are beyond the scope of this paper. Specifically,we can use the reputation system designed for anonymousnetworks proposed in [15]. In this reputation system, nodesare represented by pseudonyms. The reputation of each nodeis closely related to its real identity rather than to its currentpseudonym. This allows an honest node to switch to a newpseudonym, thus keeping its good reputation, while hinder-ing malicious nodes from erasing their bad reputations withnew pseudonyms. As a result, the reputation values can bereported and queried without disclosing node real identities.

2.2 Trust/Efficiency-Oriented Request RoutingPolicyProblem Statement. This section handles the problemof forwarding a request to its destination trustworthily(i.e., reliably and anonymously) and efficiently. Cycloidhas a flexible topology in that its routing table has aset of neighbors in each entry. For example, Cycloidnode i (4,10111010) has one neighbor entry pointing tonodes (3,10100000), (3,10100001) and (3,10100010). If itreceives a query that should be forwarded to this neighborentry based on its original routing algorithm, there are threecandidates to which the query can be sent. This topologyflexibility enables a node to choose a neighbor from severaloptions to forward a request along the client-server pathrouting. Then, how should a node be chosen to forward aquery for trustworthy and efficient communication?

Discussion on Existing Methods. Randomized nodeselection in Tor [16] is not enough to ensure communicationsecurity with successful routing in an open distributedsystem. With malicious nodes, the requests may be dropped,corrupted, or delivered to a malicious node instead of alegitimate file owner. Also, the randomized node selectioncannot guarantee that the selected nodes are never over-loaded, possibly degrading the routing efficiency.

With a reputation system, a straightforward approach fornodes to utilize reputation metrics is to select the node withthe highest reputation value as a providing server. Such anapproach may give rise to unexpected problems. First, bias-ing high-reputed nodes may overload them and cause inef-ficiency. Second, some high-reputed but not-highest-reputednodes are excluded from service offering. Consequently,their resources cannot be fully utilized, and they are de-prived of opportunities to earn their reputation. Eventually,this will result in gradual decomposition of the nodes in thesystem. Therefore, as explained in Section 1, the reputationvalues have to be complemented with an unbiased trust-based policy that helps a node decide a candidate for servicewith consideration of both trustworthiness and efficiency.

To avoid overloading high-reputed nodes, the “peer-approved” policy [24] enables nodes to download filesfrom others with lower or equal reputations, and the“comparable reputation” policy [25] restricts nodes tocommunicate only with other nodes at the same reputationlevel. These policies help high-reputed nodes to avoid low-reputed nodes, but also have a number of drawbacks. First,newly-joined nodes will be in a hazardous environment,surrounded by low-reputed or even malicious nodes forcommunication. Second, newly-joined nodes are providedwith few opportunities to increase their reputation. Third,median-reputed nodes are deprived of access to servicesprovided by high-reputed nodes, and also high-reputednodes are deprived of access to services provided by

median-reputed nodes. This prevents distributed systemsfrom achieving their ultimate goal of wide resource sharing.

Our Proposed Policy. In choosing a forwarder from theoptions for request routing, biasing the highest-capacitynodes cannot guarantee reliable routing due to uncooperativeparticipants. Similarly, biasing the highest-reputed nodescauses node overload and low efficiency. To address theseproblems, we introduce FairTrust that considers node ca-pacity and reputation simultaneously to choose a providingnode from a candidate pool. The policy contributes not onlyto the trustworthiness of the system but also to the overallhigh performance by making full utilization of all noderesources and avoiding overloading high-reputed nodes.

To identify trustworthy nodes from untrustworthy nodes,many reputation systems [3–15] set a reputation threshold.If a node has a reputation no less than the threshold, it isconsidered a trustworthy node; otherwise, it is consideredan untrustworthy node. Trustworthy nodes also providetrustworthy services, though their QoS may be lower thanthat of the highest-reputed node. In our daily life, when webuy a computer, we do not have to choose the one withthe highest rating and highest price. We can choose a lessexpensive computer with high rating that still meets ourrequirements. Similarly, in a distributed system, differentrequests have different requirements for the levels of repu-tation. For example, while a node must choose the highest-reputed nodes for confidential data, it does not necessarilydepend on such nodes when conveying public news withdelay tolerance. Also, a node may prefer to download a filefrom a higher-reputed node rather than from the highest-reputed node in order to avoid flooding the highest-reputednode with requests. Therefore, FairTrust trades reliabilityfor efficiency by mapping messages of different desiredtrust levels to nodes with corresponding reputation levels.Later on, we will introduce an economic payment methodto provide incentives for nodes to choose trustworthy nodesbased on their own needs instead of always choosing thehighest-reputed node.

Algorithm 1 (in the supplemental document) shows thepseudocode of the FairTrust policy. Specifically, when nodei needs to choose a server from a number of candidates, itfirstly determines reputation level T based on its desire. Itthen acquires the reputation value of each candidate, andfilters out candidates whose reputation values are below T .The rest of the candidates include both the highest-reputednodes and nodes that are trustworthy enough based on therequester’s desired trust level. Then, as an unbiased trust-based policy, FairTrust guides a node to sift the rest ofcandidates for the final choice for request routing with theconsideration of both trustworthiness and efficiency.

For efficiency purposes, the policy takes into accountload status and proximity to ensure that no node becomesa bottleneck for request routing for quick routing. Ourprevious work [26] introduced a method to calculate aninteger for a node to represent its proximity. We definecongestion of node i as li/ci, where li represents the loadof node i and ci represents the capacity of node i. We referto the node whose actual load is larger than its capacity(i.e. li > ci) as an overloaded node; otherwise, it is alightly loaded node. To select a forwarding node, node j firstconsiders load status by identifying lightly loaded nodes.From the identified candidates, it then considers proximity,in which nodes logically closer (in hops) to the destinationand then physically closer to node j have higher priority tobe chosen.

4

Checking every server’s load status and proximity isnot an efficient method. To reduce overhead, instead ofprobing all of the neighbors to find the best candidate, werestrict the search space to a small set of size b. That is,b nodes are randomly chosen first and then the nodes inthe set are probed to retrieve load status and proximityinformation. If all nodes are overloaded, then the nodewith the lowest congestion is selected. If only one nodeis lightly loaded, then this node is selected. If multiplenodes are lightly loaded, a node selects the best candidatewith two extra criteria explained previously: closeness tothe target ID by logical distance in the overlay networkand closeness to the node by physical distance. In the casethat the candidates have the same logical distance, thenode with shorter physical distance to the selecting node ischosen. In the case that the nodes have the same physicaldistance, then a node is randomly chosen. For example, ifb = 2, node i receives a query with key (2,10100011). Itfirst identifies its query forwarding neighbors according tothe Cycloid routing algorithm and chooses neighbors withreputations no less than the required trust level. Node i thenrandomly chooses two options (3,10100010), (3,10100001)among the identified neighbors. It then probes each node’scongestion and physical distance and finally chooses onenode based on the algorithm in the FairTrust policy.

In addition to message forwarding, the proposed methodfor choosing a server can also be used in server selectionfor other purposes, such as file server selection and rout-ing neighbor selection. Rather than always biasing on thehighest-reputed nodes, FairTrust enhances system efficiencyby distributing the load among trustworthy nodes with rep-utation values higher than the client’s required level; thus,it will not overload the highest-reputed nodes while avoid-ing untrustworthy nodes. Also, offering high-reputed (not-highest-reputed) nodes opportunities to provide servicesenables them to further increase their reputations and takesadvantage of their resources. Unlike rigid routing, FairTrustprevents a malicious node from identifying the routing pathto find the client and the server while improving routingtrustworthiness and efficiency by relying on randomized se-lection with consideration of trustworthiness and efficiency.

A node may tend to specify a desired reputation levelhigher than what it really needs in order to receive highQoS. Also, low-reputed nodes may not be motivated toprovide high QoS since their low reputations do not preventthem from receiving high QoS. To handle these problems,FairTrust adopts the economic payment method in [27].That is, a server prices its services based on its reputationand service quality, and a client pays a server for theservice it requests. The payment is in the form of virtualcredits. This economic payment method encourages nodesto provide high QoS in order to gain higher reputations thatallow them to earn more credits to buy services, while alsopreventing the situation where higher-reputed and lower-reputed nodes receive the same QoS for the same cost.Trustworthiness aside, efficiency can also be controlled bythe economic payment method. Servers can adaptively raisetheir service prices to discourage clients from asking forservice from them when overloaded, and offer discountswhen lightly loaded. The adaptive load control not onlyprevents servers from being overloaded, but also helps totake full advantage of server capacities. To address thenewly joined node problem mentioned above, we can offereach node a certain number of credits on first joining thesystem that can be used for transactions to increase its

reputation. This economic payment method makes serviceaccessible to all nodes and provides freedom in servicerequesting and offering while providing protection frommalicious nodes and leech nodes.

2.3 Trust-based Adaptive Anonymous ResponseForwarding PolicyProblem Statement. Most traditional P2P overlay networksuse direct connections to download files, thus disclosing theidentities of the server and the client. A general approach toachieving anonymity on overlay networks is to construct anindirect path between a client and a server. For instance, inFreenet [17], Mute [18] and OneSwarm [19], after a fileis located, instead of using a direct connection betweentwo nodes, the data is sent back along the nodes in therequest routing path. Figure 2 depicts an example of suchanonymous communication. However, the hop-by-hop fileforwarding comes at the cost of high communication over-head and leads to inefficient communication considering thefact that file downloading constitutes most Internet traffic.For instance, measurement results [28] showed that only2.24% of all connections were download connections, butthey were carrying 70.5% of the total traffic. P2P resourcesharing applications have evolved into one of the major traf-fic sources, approximately 80% of Internet traffic. To reducethe overhead for request forwarding, Mantis [29] allowsclients to exchange anonymity for download efficiency. Ituses anonymous communication to search for files and sendcontrol signals, while letting the data be sent directly fromthe server to the client using return address spoofed UDPas shown in Figure 3. Instead of providing full anonymity,Mantis only protects the privacy of servers.

A B C D ERequest: A -> B Request: A -> B -> C Request: B -> C -> D Request: C -> D -> E Request: D -> EReply: B->A Reply: C->B->A Reply: D->C->B Reply: E->D->C Reply: E->D

Fig. 2: Freeenet/MUTE: tunnelled server-client path.

A B C D E

Request: A -> B Request: A -> B -> C Request: B -> C -> D Request: C -> D -> E Request: D -> EReply: E->A

Fig. 3: Mantis: direct server-client path.

A B C D E

Request: A -> B Request: A -> B -> C Request: B -> C -> D Request: C -> D -> E Request: D -> EReply: C->A Reply: E->C

Fig. 4: TrustAar: reduced tunnelled server-client path.

Our Proposed Policy. We propose the TrustAar policyto provide anonymity for both clients and servers, and toreduce communication overhead by shrinking path lengthsbased on endpoint reputation. In order to prevent proxiesfrom seeing the contents of the queried data, a clientgenerates a public and private key pair for its request andsends the public key along with its request. The server usesthe public key to encrypt the queried file before forwardingit back to the client and the client uses the private key todecrypt the file. Since proxies on the path do not know theprivate key, they are not able to decrypt the file.

The server needs to prevent the client from identifyingthat it is the source of the file, and the client needs to preventthe server from identifying that it is the requester of the file.The level that an endpoint i needs protection from anotherendpoint j is determined by the trustworthiness of endpointj. That is, endpoint i needs higher protection from lower-reputed endpoint j and needs lower protection from higher-reputed endpoint j. Also, more tunnelled transfers along

5

the server-client response forwarding path provide higheranonymity but lower efficiency. We use tc and ts to denotethe reputation of the client and of the server, respectively.To provide anonymity while guaranteeing high efficiency,TrustAar adapts the extent to which a tunnelled server-client path length shrinks to the value of t = min{tc, ts}.Particularly, the higher the value of t, the fewer hops areneeded in the server-client path, and vice versa. If thereputation values of two endpoints are very high, i.e., both ofthem can be trusted, then it is acceptable not to use proxies.We describe this policy in more detail in the following.

As mentioned previously, we use the reputation systemdesigned for anonymous networks proposed in [15]. Inthis system, a node’s reputation is queried based on itspseudonyms, and nodes always change their pseudonymsto avoid being tracked. As with other structured P2Ps,Cycloid requires log n hops per lookup request on average,where n is the network size [23]. The reputation systemnormalizes node reputation values to the range of [1, log n].After a server receives a request from a client, it queries thereputation values of the client and itself (ts and tc) from thereputation system, using the client’s pseudonym containedin the file request and its own pseudonyms. Let l denotethe path length of the client-server path. Then, the responseis approximately passed l/t (t = min{tc, ts}) hops alongthe original client-server path from the server to the client.

For example, as shown in Figure 4, if t = 2, E sendsdata to C, and C repeats the same process to send data toA. One question is, how can E know C’s IP address, andcan C know A’s? We first introduce a simple method toaddress this question and then present a method for higheranonymity protection. In the simple method, the serverpasses an address request including its own IP address and acounter equal to t along the server-client path. The counter isdecremented each time before it is passed to the immediatepreceding node, and the node with counter equal to 0 is thenode t hops away from the server. The node then sends itsIP address back to the server, and repeats the operation afterit receives the file from the server.

However, if using a certain rule to determine theforwarding proxies, malicious nodes along the path maytamper with or falsify the counter for traffic analysis, andthe server may tamper with or falsify the counter to findproxies along the path. Also, disclosing the IP addressesof the server and relay proxies in the server-client path toevery group of t nodes in the path segment leaks partialpath information, which could be used by malicious nodesfor traffic analysis. We use a cryptography technique tohandle these problems. Algorithm 2 (in the supplementaldocument) shows the pseudocode of the TrustAar policy.The reputation system [15] signs the responses for {tc, ts}before replying to the server in order to prevent nodes fromtampering with the values. The server generates a publicand private key pair, and sends the public key and the signed{tc, ts} along the server-client path. Each message receiverfirst checks the authority of the signature of {tc, ts}, andthen decides if it becomes a proxy in the server-clientpath with 1/t probability. Specifically, a message receiveri generates a random number v from [0,1]. If v ≤ 1/t, itforwards the message to the next hop; otherwise, it becomesa server-client path proxy. In this case, proxy i uses theserver’s public key to encrypt its own IP address, and sendsit with its public key along the client-server path successorsuntil reaching the node that has the private key to decryptthe message to derive proxy i’s IP address (i.e., the server).

The server then encrypts the file using proxy i’s public keyand sends it to proxy i. Node i decrypts the message toderive the file. It conducts the same operation as the serverand sends the file encrypted by the next proxy j’s publickey to j in the server-client path. This process repeats untilthe client receives the message from a proxy k. The clientthen passes its encrypted IP address to node k, and receivesthe file encrypted by the client’s public key from node k.

Rather than relying on static hop-by-hop or directcommunication in response forwarding, TrustAardynamically adjusts path lengths based on the endpoints’trustworthiness, ensuring high anonymity and efficiency.Admittedly, there are problems that need to be solved forstrong anonymity protection. For example, the server andthe relay proxies in the server-client path may collude tofind the identity of the client, the client and the proxies inthe client-server path may collude to find the identity of theserver, or the server may try to find all the proxies in the pathby tampering with tc or ts. Also, as high-reputed endpointshave fewer proxies in file transfers, high-reputed nodesbecome weak points in the network for malicious nodes tocompromise in order to find identifies of file owners. Weleave these interesting problems as our future work.

3 PERFORMANCE EVALUATIONWe conducted experiments on a simulator developed byourselves and on the PlanetLab real-world testbed [30].We compared the performance of FairTrust with the Ran-dom, MaxTrust, and MaxCap policies. Given a number ofnodes, Random chooses a node randomly, while MaxTrustand MaxCap choose the node with the highest reputationand available capacity, respectively. We also compared theperformance of TrustAar with Freenet [17], Mute [18] andMantis [29], and include the results of the “comparablereputation” policy in [25] denoted by SameTrust, in whicha requester randomly selects a server from the servers withthe same reputation as itself.

TABLE 1: Environment and algorithm parameters.Environment parameter Default valueCycloid dimension d 8 (simulation), 6 (PlanetLab)Number of nodes n 2048 (simulation), 384 (PlanetLab)Number of options per hop 10 (simulation), 6 (PlanetLab)or file servers per requestr (node reputation) Negative Bounded Pareto: shape = 10

lower bound = 0.1upper bound = 1

Node routing capacity Bounded Pareto: shape = 2lower bound = 1upper bound = 100

Node file service capacity Bounded Pareto: shape = 2lower bound = 0.5upper bound = 50

Forwarding latency in 0.02/0.1 second (simulation)a light/overloaded node Actual time (a)/a + 0.25s (PlanetLab)File service latency in a 0.2/1 second (simulation)light/overloaded file server 1/5 second(s) (PlanetLab)

File requests were consecutively generated with a randomsource node and a random target. As in [31], file requestsare generated according to a Poisson process at an expectedrate of one per second. Table 1 lists the parameters and theirdefault values in simulation and on PlanetLab respectively,unless otherwise specified. We assumed a bounded Paretodistribution for the capacity of nodes [32]. In the experi-ment, a node with capacity ci can handle ci queries at onetime. We define node i’s load (li) as the number of requestsin its request processing queue. If node i has more than ciqueries in its queue, it is overloaded. In order to make sure

6

some high-capacity nodes have low reputations, we set thereputation of half of the nodes with capacity higher thanten times of the capacity lower bound to 0.2. We assumea bounded Pareto distribution for nodes’ reputation (i.e., amajority of nodes are not malicious). The probability that anode provides a requested service equals to its reputation.

The metrics to evaluate the performance are listed below:• Success rate. After a request arrives at a server, theprobability that a request can be resolved depends on theserver’s reputation. The success rate is the successfullyresolved service requests over the total requests. Thismetric shows the trustworthy performance on receivingsuccessful service from servers.• Number of failures. A request routing fails if one node inthe routing fails to forward a request. This metric representsthe effectiveness of a routing policy in trustworthy routing.• Congestion. Recall that node i’s congestion is definedas li/ci. Ideally, congestion should be no more 1, whichmeans that the node is lightly loaded. The higher thecongestion is greater than 1, the less efficient performance.We record the maximum congestion of each node during theexperiment process, and take the 99.9th (99th) percentile ofthese maximum congestions as the 99.9th (99th) percentilemaximum congestion to show the performance.• Number of overloaded nodes encountered. This metricshows the effectiveness of a policy in avoiding overloadednodes in directing traffic flow in order to reduce requestrouting latency.• Lookup path length. This is defined as the number ofhops in a routing path. We use this metric to evaluate theperformance of FairTrust on reducing lookup path length.• Request routing time. This is the time used for a requestrouting. The number of overloaded nodes in request routingand the lookup path length are main factors for requestrouting time. This metric represents the efficiency of routing.• Request processing time. This is the time used forprocessing file requests in servers. This metric representsthe efficiency of server selection policies in avoidingoverloaded file servers to achieve fair load distribution, andultimately speeding up service provision.• File retrieval time. This is the sum of the routing time,request processing time and response forwarding time. Themetric reflects the performance of efficient and trustworthyfile retrieval.

3.1 Trust/Efficiency-Oriented Request RoutingPolicyThis experiment aims to show the performance of FairTrustin achieving both high trustworthiness and high efficiency inrequest forwarding. We varied the number of requests from1000 to 5000 with a step size of 1000. In FairTrust, weset two desired trust levels, 1 and 0.2, and represent themas FairTrust/1 and FairTrust/0.2, respectively. Figure 5(a)and Figure 6(a) show the number of failures in routings fordifferent policies in simulation and PlanetLab experiments,respectively. We observe that the number of failures of Max-Cap grows rapidly when the number of requests increases,followed by Random and FairTrust/0.2. We also observe thatMaxTrust and FairTrust/1 generate the least failures, andthat they exhibit similar behaviors. MaxCap considers nodeavailable capacity, but does not consider the trustworthinesswhen choosing a forwarding node. Thus, it performs theworst among the different policies in terms of trustworthyrouting. Random also does not consider trustworthiness, butit may choose high-reputed nodes, leading to fewer failures

than MaxCap. In contrast, MaxTrust and FairTrust take intoaccount node trustworthiness in routing, and achieve the besttrustworthy performance. FairTrust/0.2 has relatively morefailures. Considering its desired success rate is 0.2, it stillperforms effectively in terms of routing trustworthiness.

0

1000

2000

3000

4000

5000

1000 2000 3000 4000 5000

Nu

mb

er

of

req

ue

st

rou

tin

g f

ail

ure

s

The number of requests

Random MaxTrustMaxCap FairTrust/1FairTrust/0.2

(a) Number of failures in routings

0

20

40

60

80

100

120

1000 2000 3000 4000 5000Th

e 9

9.9

th p

erc

en

tile

ma

x.

co

ng

est

ion

The number of requests

Random MaxTrustMaxCap FairTrust/1FairTrust/0.2

(b) The 99.9th percentile max. cong.Fig. 5: Trustworthy and efficient routing in simulation.

0

500

1000

1500

2000

2500

3000

1000 2000 3000 4000 5000N

um

be

r o

f re

qu

est

ro

uti

ng

fa

ilu

res

The number of requests

Random MaxTrustMaxCap FairTrust/1FairTrust/0.2

(a) Number of failures in routings

0

50

100

150

200

1000 2000 3000 4000 5000

Th

e 9

9th

pe

rce

nti

le

ma

x.

co

ng

est

ion

The number of requests

Random MaxTrust

MaxCap FairTrust/1

FairTrust/0.2

(b) The 99th percentile max. cong.Fig. 6: Trustworthy and efficient routing on PlanetLab.

Trustworthiness aside, efficiency is also important inmeasuring the overall performance of the different routingpolicies. Figure 5(b) and Figure 6(b) demonstrate the99.9th percentile and 99th percentile maximum congestionin each policy in simulation and PlanetLab experiments,respectively. We see that the congestion rates increaseas query load increases. Also, MaxTrust has the highestcongestion. This is because MaxTrust biases on the highest-reputed nodes for routing. By comparison, Random haslower congestion than MaxTrust, because it is comparativelyefficient in load distribution due to its randomness. MaxCapand FairTrust lead to much lower congestion rates. Theytend to direct requests to lightly loaded nodes such thatnodes are not likely to be overloaded. FairTrust/0.2 hasa slightly lower congestion rate than FairTrust/1 becauseFairTrust/0.2 has more options for choosing a lightly loadednode. The results also show that FairTrust has marginallyhigher congestion than MaxCap. This is the cost for itshigh trustworthy performance. However, the low congestionbenefit of MaxCap is outweighed by its poor trustworthyperformance as shown in Figure 5(a) and Figure 6(a).

Routing latency is determined by two factors: the numberof overloaded nodes encountered in routings and lookuppath length. Figure 7(a) and Figure 8(a) show the numberof overloaded nodes encountered in request routings. Thenumber increases as the query load increases, and the num-ber of MaxTrust increases faster than others. This is becauseMaxTrust overburdens the highest-reputed nodes by biasingthem. This result confirms that MaxTrust cannot distributequery load among nodes in balance, while MaxCap andFairTrust avoid generating overloaded nodes. Fewer over-loaded nodes in routing leads to higher efficiency in routing.FairTrust has marginally higher results than MaxCap. Thisis because FairTrust considers node reputation when choos-ing a forwarding node, reducing the number of availableoptions. The relative performance between MaxTrust, Ran-dom, MaxCap and FairTrust is consistent with the 99.9thpercentile maximum congestion in Figures 5(b) and 6(b).

7

1

8

64

512

4096

32768

1000 2000 3000 4000 5000

Ove

rlo

ad

ed

no

de

s

en

co

un

tere

d in

ro

uti

ng

s

The number of requests

Random

MaxTrustMaxCap FairTrust/1FairTrust/0.2

(a) Overloaded nodes in routings

1

6

11

16

0 1000 2000

Ave

. lo

oku

p p

ath

le

ng

th

Number of nodes

RandomMaxTrustMaxCapFairTrust/1FairTrust/0.2

(b) Lookup path length

0

1000

2000

3000

4000

5000

1000 2000 3000 4000 5000

To

tal

req

ue

st

rou

tin

g t

ime

(se

c.)

The number of requests

Random MaxTrust

MaxCap FairTrust/1

FairTrust/0.2

(c) Total request routing time

Fig. 7: Efficiency of request routing policies in simulation.

0

5000

10000

15000

20000

1000 2000 3000 4000 5000

Ove

rlo

ad

ed

no

de

s

en

co

un

tere

d in

ro

uti

ng

s

The number of requests

Random MaxTrustMaxCap FairTrust/1FairTrust/0.2

(a) Overloaded nodes in routings

2

3

4

5

6

7

8

0 100 200 300 400

Ave

. lo

oku

p p

ath

le

ng

th

Number of nodes

RandomMaxTrustMaxCapFairTrust/1FairTrust/0.2

(b) Lookup path length

0

4000

8000

12000

1000 2000 3000 4000 5000

To

tal

req

ue

st

rou

tin

g t

ime

(se

c.)

The number of requests

Random MaxTrustMaxCap FairTrust/1FairTrust/0.2

(c) Total request routing time

Fig. 8: Efficiency of request routing policies on PlanetLab.

In this experiment, if a request was dropped dueto low reputation of a forwarder, the sender resentthe request and one more hop was added to thelookup path length. This process was repeated un-til the request was successfully forwarded. Figure 7(b)and Figure 8(b) show that average lookup path lengthover different numbers of nodes in simulation and onPlanetLab, respectively. The path length follows Max-Cap>Random>FairTrust/0.2≈FairTrust/1≈MaxTrust. Suc-cessful forwarding in each hop is a main factor in de-termining the path length as dropped requests are resent.Since the failure probability in forwarding follows Max-Cap>Random>FairTrust/0.2>FairTrust/1≈MaxTrust as inFigures 5(a) and 6(a), the lookup path length follows asimilar trend. These results confirm that FairTrust has moreefficient and trustworthy routing performance than others.Note that the average number of contacts to the reputationsystem per request of MaxTrust and FairTrust is similar tothe average lookup path of MaxTrust, while MaxCap doesnot need to contact the reputation system.

Figure 7(c) and Figure 8(c) show the total request routingtime of successfully delivered requests as the combinedeffect of overloaded nodes and lookup path lengths in sim-ulation and on PlanetLab, respectively. Three main obser-vations can be made from the figures: (1) MaxTrust has thehighest routing latency, followed by Random, due to theirneglect of node load status; (2) MaxCap has much lowerrouting latency because relying on lightly loaded nodesspeeds up the routing process; (3) FairTrust significantlydecreases routing latency because it directs query load tolightly loaded nodes, as does MaxCap, and reduces lookuppath length, although FairTrust does not perform as well asMaxCap in reducing overloaded nodes and congestion rates.The results show that the combined effect of overloadednode reduction and lookup path length reduction resultin great savings of routing latency, causing FairTrust tooutperform MaxCap. We calculated that FairTrust’s averagerouting time per request is around 1s on PlanetLab.

3.2 Trust-based Adaptive Anonymous ResponseForwarding PolicyAnonymity is important in building a trustworthyenvironment. The probability that an endpoint is at a

risk of ID exposure to the other endpoint depends on threefactors. First, whether the other endpoint is a maliciousnode or not. Second, the number of proxies forwarding afile back from a server to a client; more forwarding proxiesprovide higher anonymity protection to the endpoints.Third, whether the proxies are malicious or not. Since thethird factor is determined by the request routing policyand FairTrust chooses trustworthy nodes, we did notconsider it in the evaluation of TrustAar. Because the firstfactor depends on the node trustworthiness, we define theexposure probability due to the first factor as the minimumendpoint trustworthiness, and define the probability due tothe second factor as 1−d×0.1, where d denotes the numberof proxies between a server and a client. The product of thetwo factors is the probability that a server ID is disclosedto a malicious client. Freenet [17] and Mute [18] achieveanonymity by requiring that all data be forwarded backhop-by-hop along the server-client path, while Mantis [29]allows the data to be sent directly from a server to aclient. TrustAar provides a different degree of anonymitybased on the minimum endpoint trustworthiness by tuningthe number of forwarding hops to adapt to the minimumendpoint trustworthiness. In this experiment, we comparethe anonymity protection and efficiency performanceof these policies. We assume that there are 5 levels oftrustworthiness from 0.2 to 1 with a 0.2 increase for eachlevel. We assume that the server has trustworthiness 1,so the minimum endpoint trustworthiness is always theclient’s trustworthiness. In simulation, as file encryptionand decryption dominate the latency, we assumed that thelatency of finding a proxy and sending a file to the proxytakes 0.4s. In the PlanetLab experiments, the size of a fileand a key was set to 64KB and 1KB, respectively.

Figure 9(a) and Figure 10(a) show the average and the1st and 99th percentiles of exposure probabilities versus theminimum endpoint trustworthiness level in simulation andPlanetLab experiments, respectively. A number of importantobservations can be made from this figure: (1) As weexpected, the exposure probability of each policy decreasesas the minimum endpoint trustworthiness increases. Whenclients have the highest trustworthiness, the exposure proba-bility is 0, which means there is no response forwarding that

8

0.20.40.60.81

osure pobability Freenet/Mute

TrustAarMantis

00.2 0.4 0.6 0.8 1E

xpo

Minimum endpoint trustworthiness 

(a) Exposure probability

0 40.5

0.30.4

posure 

bility

0.10.2

ve. exp

probab

F t/M t T tAd M ti01000 2000 3000 4000 5000

Av

l b f l k

Freenet/Mute TrustAdp Mantis

Total number of lookups

(b) Average exposure probability

0

50000

100000

150000

1000 2000 3000 4000 5000

To

ta

l h

op

s o

f f

ile

fo

rw

ard

ing

Total number of requests

Freenet/MuteTrustAarMantis

(c) Total hops of file forwarding

0.0E+00

5.0E+04

1.0E+05

1.5E+05

1000 2000 3000 4000 5000

To

tal

ho

ps o

f re

sp

on

se

fo

rwa

rdin

g

Total number of requests

Freenet/MuteTrustAarMantis

(d) Total hops of forwarding

Fig. 9: Efficiency of different anonymity response forwarding policies in simulation.

0

0.2

0.4

0.6

0.8

1

0.2 0.4 0.6 0.8 1

Exp

osu

re p

ob

ab

ilit

y

Minimum endpoint trustworthiness

Freenet/MuteTrustAarMantis

(a) Exposure probability

0.2

0.3

0.4

1000 2000 3000 4000 5000

Ave

. e

xp

osu

re

pro

ba

bil

ity

Total number of lookups

Freenet/MuteTrustAarMantis

(b) Average exposure probability

0

10000

20000

30000

40000

1000 2000 3000 4000 5000

To

tal

ho

ps o

f fi

le

forw

ard

ing

Total number of requests

Freenet/MuteTrustAarMantis

(c) Total hops of file forwarding

0

10000

20000

30000

40000

50000

1000 2000 3000 4000 5000

To

tal

ho

ps o

f re

sp

on

se

fo

rwa

rdin

g

Total number of requests

Freenet/MuteTrustAarMantis

(d) Total hops of forwarding

Fig. 10: Efficiency of different anonymity response forwarding policies on PlanetLab.

0.0E+00

1.0E+04

2.0E+04

3.0E+04

4.0E+04

5.0E+04

1000 2000 3000 4000 5000

To

tal

late

ncy

of

forw

ard

ing

(se

c.)

Total number of requests

Freenet/MuteTrustAarMantis

(a) Simulation

0.E+00

2.E+04

4.E+04

6.E+04

8.E+04

1.E+05

1000 2000 3000 4000 5000

To

tal

late

ncy

of

forw

ard

ing

(se

c.)

Total number of requests

Freenet/MuteTrustAarMantis

(b) PlanetLabFig. 11: Total latency of forwarding.

makes a server unsafe; (2) Mantis has the highest exposureprobability, TrustAar reduces the probability more than onethird, and Freenet generates the least exposure probability;(3) Freenet/Mute exhibits a larger variance than TrustAar,while Mantis has no variance at all. This is because theexposure rate of Mantis depends on the minimum endpointtrustworthiness directly without the involvement of proxies.Figure 9(b) and Figure 10(b) show the average exposureprobability of the policies versus the number of requests insimulation and PlanetLab experiments, respectively. Theydemonstrate similar behaviors for each policy as in Fig-ure 9(a) and Figure 10(a). As predicted, more hops alongthe server-client path result in higher server privacy pro-tection. Mantis has the highest exposure probability dueto its direct communication between a client and a server.On the other hand, Freenet/Mute has the lowest exposureprobability due to its static hop-by-hop routing along theserver-client path. However, its benefits are outweighed byits high overhead and efficiency degradation in forwarding.By adapting the number of hops to the minimum endpointtrustworthiness elastically, TrustAar improves the privacyprotection of Mantis significantly, and reduces the overheadof Freenet/Mute considerably.

Next, let’s see the efficiency performance of differentpolicies. Figure 9(c) and Figure 10(c) show the total numberof hops for file forwarding along the server-client paths tothe clients versus the number of requests in simulation andPlanetLab experiments, respectively. We can observe thatFreenet/Mute has the highest results, Mantis has the lowestresults, and TrustAar lies in the middle. The results implythat Freenet/Mute incurs a high forwarding cost, leadingto efficiency degradation; TrustAar decreases the overhead

dramatically, and Mantis achieves the highest efficiencyin file forwarding. Figure 9(d) and Figure 10(d) show thetotal number of hops for forwarding files and messagesalong the server-client paths to clients using our proposedcryptography technique versus the number of requests.TrustAar produces the highest number of forwarding hopssince it first transmits a message to find a file transmissionproxy hop by hop and then transmits a message from theproxy to the server or the previous proxy hop by hop.Then, the file is transmitted from the server or the previousproxy to the identified proxy. However, only around 1/4of forwarding hops in TrustAar are for file forwarding,which generates longer latency than message forwarding.Figure 11(a) and Figure 11(b) show the total latency offorwarding along the server-client paths to clients versus thenumber of requests. We used file encryption and decryptionfor each file transmission in each method. Because filetransmission takes long time than message transmission,Freenet/Mute produces the highest latency. TrustAarsignificantly reduces the latency of Freenet/Mute due tomuch less file forwarding operations. These experimentalresults show that Freenet/Mute provides high anonymityprotection at a high cost, while Mantis does not providesufficient anonymity though it has high efficiency. TrustAarachieves a harmonious trade-off between anonymity andefficiency by reducing overhead while maintaining a highlevel of anonymity for both clients and servers.

3.3 Performance of the P2P-based infrastructureIt is known that some Internet-based distributed systemssuch as P2P systems are characterized by dynamism,in which nodes join, leave, and fail continually andrapidly. This experiment aims to evaluate the behaviorof the P2P-based infrastructure integrating FairTrust andTrustAar policies under different levels of dynamism. Weuse FairTrustAar to denote the infrastructure for a harmo-nious trade-off between trustworthiness and efficiency. Wecompared the performance of FairTrustAar with Random,MaxTrust and MaxCap. These policies use TrustAar forresponse forwarding. In this experiment, the desired trustlevel was set to 1. There were 3000 queries, and the queryrate was modeled by a Poisson process with a rate of 1;one request per second. The node join/departure rate was

9

0

500

1000

1500

2000

2500

1 2 3 4 5

Nu

mb

er

of

req

ue

st

fail

ure

s

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(a) Total request failures

0

20

40

60

80

1 2 3 4 5

Th

e 9

9.9

th p

erc

en

tile

m

ax.

co

ng

est

ion

est

fa

ilu

res

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(b) The 99.9 percentile max.cong.

0

10000

20000

30000

40000

50000

60000

1 2 3 4 5

To

tal

file

re

trie

va

l

tim

e (

se

c.)

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(c) Total file retrieval time with-out file encryption/decryption

0

20000

40000

60000

1 2 3 4 5

To

tal

file

re

trie

va

l ti

me

(se

c.)

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(d) Total file retrieval time withfile encryption/decryption

Fig. 12: Effectiveness of combination of FairTrust and TrustAar in dynamism in simulation.

0

500

1000

1500

2000

2500

0.1 0.2 0.3 0.4 0.5

Nu

mb

er

of

req

ue

st

fail

ure

s

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(a) Total request failures

0

50

100

150

0.1 0.2 0.3 0.4 0.5

Th

e 9

9th

pe

rce

nti

le

ma

x.

co

ng

est

ion

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(b) The 99 percentile max. cong.

5000

10000

15000

20000

25000

30000

0.1 0.2 0.3 0.4 0.5

To

tal

file

re

trie

va

l ti

me

(se

c.)

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(c) Total file retrieval time with-out file encryption/decryption

5,000

15,000

25,000

35,000

45,000

55,000

0.1 0.2 0.3 0.4 0.5

To

tal

file

re

trie

va

l ti

me

(se

c.)

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(d) Total file retrieval time withfile encryption/decryption

Fig. 13: Effectiveness of combination of FairTrust and TrustAar in dynamism on PlanetLab.

also modeled by a Poisson process [33]. We varied thenode interarrival/interdeparture rate from 1 to 5 per secondwith a step increment of 1 in simulations, and varied itfrom 0.1 to 0.5 per second with a step increment of 0.1 onPlanetLab. A rate of 1 corresponds to one node joining andleaving per second on average. A higher rate corresponds tohigher dynamism. Our results are collected from all nodesincluding the departed nodes and current nodes in the systemwhen all query processing operations complete.

A query failure occurs when it is dropped by a routingnode or it cannot be routed due to dynamism. We assumethat if a query arrives at its file server successfully, thesubsequent time that routing nodes stay in the system islong enough for response forwarding. Therefore, we did notconsider the failures in response forwarding. Figure 12(a)and Figure 13(a) show the total number of query fail-ures in simulation and on PlanetLab, respectively. We seethat the number of failures increases as the node interar-rival/interdeparture rate increases. This is because a fasternode join/departure rate leads to higher failures. Anotherfactor that affects the number of failures is trustworthiness.Since Random and MaxCap do not consider node trust-worthiness in routing, they have the highest failures. Max-Trust and FairTrustAar, which consider node trustworthi-ness in routing, significantly reduce the number of failures.This implies that the reputation system provides importantguidance for node selection based on trustworthiness, andFairTrustAar generates a high success rate for file queries.

We then tested the efficiency performance of each policy.Figure 12(b) and Figure 13(b) illustrate the 99.9th percentileand 99th percentile maximum congestion of each policyin simulation and PlanetLab experiments, respectively. Therate of MaxTrust still is the highest because it biases on thehighest-reputed node. Random has a lower congestion ratebecause it distributes load among nodes by randomizednode selection. MaxCap achieves the best congestion rateas it considers node available capacity. FairTrustAar hasa marginally higher rate than MaxCap because it choosesthe node with the lowest congestion among the trustworthynodes and offers higher trustworthy performance.

0

10000

20000

30000

40000

50000

1000 2000 3000 4000 5000

To

tal

file

re

trie

va

l ti

me

(se

c.)

Total number of requests

Random MaxTrustMaxCap FairTrustAar

(a) Simulation

0

20,000

40,000

60,000

80,000

1000 2000 3000 4000 5000

To

tal

file

re

trie

va

l ti

me

(se

c.)

Totalnumber of requests

RandomMaxTrustMaxCapFairTrustAar

(b) PlanetLabFig. 14: Total file retrieval time without node dynamism.

In this experiment, we set the same resending policy asFigures 7(c) and 8(c). Figure 12(c) and Figure 13(c) showthe total file retrieval time of each policy in simulationand PlanetLab experiments without the file decryptionand encryption operations, respectively. Figure 12(d)and Figure 13(d) show the total file retrieval time ofeach policy in simulation and PlanetLab experimentswith the file decryption and encryption operations,respectively. We can see that the time grows as the nodeinterarrival/interdeparture rate increases. This is becausenode departures and failures result in invalid entries innode routing tables. Consequently, detour routings lead tolonger routing path lengths, and thus longer transmissionlatencies. The results show that the latencies of MaxTrustare much higher than those of Random, and the latenciesof Random are much higher than those of FairTrustAarand MaxCap. These observations are consistent withthose of Figure 12(b) and Figure 13(b). This implies thatFairTrustAar and MaxCap perform the best in reducingoverloaded nodes and query processing even in dynamism.The results also show that the latencies of FairTrustAarare slightly lower than those of MaxCap because FairTrusthas a shorter routing time than MaxCap, as shown inFigures 7(c) and 8(c). We calculated that the average fileretrieval time per request of FairTrustAar is approximately7.9s and 2.93s on PlanetLab with and without file decryptionand encryption, respectively, which is acceptable. Fromthe results, we can determine that FairTrustAar performsthe best with dynamism in term of trustworthiness andefficiency compared to the other policies.

10

Figure 14(a) and Figure 14(b) show the total file retrievaltime without dynamism versus the number of requests insimulation and on PlanetLab, respectively. We see thatFairTrustAar has the lowest file retrieval latency, followedby MaxCap, Random and MaxTrust due to the same reasonsas in Figure 12(d) and Figure 13(d). The results confirm thatFairTrustAar performs the best in term of trustworthinessand efficiency in a stable environment without dynamism.

4 CONCLUSIONSMost of today’s advanced technologies for Internet-baseddistributed systems gain trustworthiness at the cost of over-head or performance degradation. This paper presents a P2P-based infrastructure that jointly considers trustworthinessand efficiency in node communication in order to meetthe high trustworthiness and efficiency requirements of awealth of diverse distributed applications. The infrastructureincludes two policies: a trust/efficiency-oriented requestrouting policy and a trust-based adaptive anonymous re-sponse forwarding policy. Depending upon the reputationsystem, the infrastructure not only offers a trustworthyenvironment, but also enhances overall system performancewith a harmonious trade-off between trustworthiness andefficiency. It provides a high probability of successful nodecommunication, protects node privacy, and improves nodecommunication efficiency by making full use of each node’scapacity while keeping each node’s load below its capacity.Simulation and PlanetLab experimental results illustratethe superior performance of the infrastructure comparedwith other related approaches in both static and dynamicenvironments, and show the effectiveness of each policycomponent in the infrastructure. In the future work, we willstudy the impact of the proposed policies on node behaviorsand investigate strategies to combat malicious behaviors thattry to take advantage of these policies.

ACKNOWLEDGMENTThis research was supported in part by U.S. NSFgrants CNS-1254006, CNS-1249603, CNS-1049947, CNS-1156875, CNS-0917056 and CNS-1057530, CNS-1025652,CNS-0938189, CSR-2008826, CSR-2008827, MicrosoftResearch Faculty Fellowship 8300751, and Sandia NationalLaboratories grant 10002282.

REFERENCES[1] J. S. Otto, M. A. Snchez, D. R. Choffnes, F. E. Bustamante, and

G. Siganos. On Blind Mice and the Elephant-Understanding theNetwork Impact of a Large Distributed System. In Proc. of Sigcomm,2011.

[2] B. Maggs. A first look at a commercial hybrid content deliverysystem. http://research.microsoft.com/apps/video/default.aspx?id=154911/ [Accessd in Feb. 2012].

[3] L. Xiong and L. Liu. Peertrust: Supporting reputation-based trust forpeer-to-peer electronic communities. TKDE, 16(7):843–857, 2004.

[4] R. Zhou and K. Hwang. PowerTrust: A Robust and ScalableReputation System for Trusted Peer-to-Peer Computing. TPDS, 2007.

[5] A. Satsiou and L. Tassiulas. Reputation-Based Resource AllocationIn P2P Systems of Rational Users. TPDS, 2010.

[6] A. Gutowska and K. Buckley. Computing Reputation Metric in Multi-Agent E-Commerce Reputation System. In Proc. of ICDCS, 2008.

[7] K. Chen, K. Hwang, and G. Chen. Heuristic Discovery of Role-BasedTrust Chains in Peer-to-Peer Networks. TPDS, 2009.

[8] L. Lu, J. Han, Y. Liu, L. Hu, J. Huai, L. Ni, and J. Ma. Pseudo Trust:Zero-knowledge Authentication in Anonymous P2Ps. TPDS, 2008.

[9] T. G. Papaioannou and G. D. Stamoulis. Achieving Honest Ratingswith Reputation-Based Fines in Electronic Markets. In Proc. ofINFOCOM, 2008.

[10] P. Dewan and P. Dasgupta. P2P Reputation Management UsingDistributed Identities and Decentralized Recommendation Chains.TKDE, 22(7):1000–1013, 2010.

[11] Z. Li, H. Shen, and K. Sapra. Leveraging Social Networks to CombatCollusion in Reputation Systems for Peer-to-Peer Networks. In Proc.of IPDPS, 2011.

[12] H. Shen and G. Liu. An Efficient and Trustworthy Resource SharingPlatform for Collaborative Cloud Computing. TPDS, 2013.

[13] H. Shen, Y. Lin, and Z. Li. Refining Reputation to Truly SelectHigh-QoS Servers in Peer-to-Peer Networks. TPDS, 2012.

[14] Z. Li and H. Shen. Game-Theoretic Analysis of CooperationIncentive Strategies in Mobile Ad Hoc Networks. TPDS, 2011.

[15] E. Androulaki, S. G. Choi, S. M. Bellovin, and T. Malkin. ReputationSystems for Anonymous Networks. In Proc. of PETS, 2008.

[16] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. In Proc. of USENIX Security, 2004.

[17] I. Clarke, O. Sandberg, B. Wiley, and T. W. Hong. Freenet: A dis-tributed anonymous information storage and retrieval system. In Proc.of Workshop on Design Issues in Anonymity and Unobservability,2001.

[18] The mute file sharing systems. http://mute-net.sourceforge.net/.[19] T. Isdal, M. Piatek, A. Krishnamurthy, and T. E. Anderson. Privacy-

preserving P2P Data Sharing With OneSwarm. In Proc. of Sigcomm,pages 111–122, 2010.

[20] H. Shen and Y. Zhu. Fairtrust: Toward secure and high performancep2p networks. In Proc. of ICPADS, 2007.

[21] H. Shen. A security/efficiency-optimized infrastructure for wide-areadistributed systems. In Proc. of CIC, 2008.

[22] B. Y. Zhao, L. Huang, J. Stribling, S. C. Rhea, A. D. Joseph, andJ. Kubiatowicz. Tapestry: An Infrastructure for Fault-tolerant Wide-Area Location and Routing. J-SAC, 12(1):41–53, 2004.

[23] H. Shen, C. Xu, and G. Chen. Cycloid: A scalable constant-degreeP2P overlay network. Performance Evaluation, 63(3):195–216, 2006.

[24] K. Ranganathan, M. Ripeanu, A. Sarin, and I. Foster. To share ornot to share: An analysis of incentives to contribute in collaborativefile sharing environments. In Proc. of P2PECON, June 2003.

[25] G. P. Thanasis and D. S. George. Effective use of reputation in peer-to-peer environments. In Proc. of GP2PC, 2004.

[26] H. Shen and C. Xu. Locality-aware and churn-resilient load balancingalgorithms in structured peer-to-peer networks. TPDS, 2007.

[27] Z. Li and H. Shen. Game-Theoretic Analysis of CooperationIncentive Strategies in Mobile Ad Hoc Networks. TMC, 2011.

[28] K. Tutschku. A measurement-based traffic profile of the edonkeyfilesharing service. In Proc. of PAM, 2004.

[29] S. Bono, C. Soghoian, and F. Monrose. Mantis: A lightweight, server-anonymity preserving, searchable P2P network. Technical report, TR-2004-01-B, Information Security Institute, Johns Hopkins University,2004.

[30] PlanetLab. http://www.planet-lab.org/.[31] D. Qiu and R. Srikant. Modeling and performance analysis of

Bittorrent-like Peer-to-Peer networks. In Proc. of SIGCOMM, 2004.[32] K. Psounisa, P. M. Fernandezb, B. Prabhakarc, and F. Papadopoulosd.

Systems with multiple servers under heavy-tailed workloads. Perfor-mance Evaluation, 2005.

[33] I. Stoica, R. Morris, D. Liben-Nowell, D. R. Karger, M. F. Kaashoek,F. Dabek, and H. Balakrishnan. Chord: A Scalable Peer-to-PeerLookup Protocol for Internet Applications. TON, 2003.

[34] M. Castro, M. Costa, and A. Rowstron. Debunking some myths aboutstructured and unstructured overlays. In Proc. of NSDI, 2005.

[35] Y. Chawathe, S. Ratnasamy, L. Breslau, N. Lanham, and S. Shenker.Making Gnutella-like P2P Systems Scalable. In Proc. of ACMSIGCOMM, 2003.

[36] H. Shen and C. Xu. Elastic Routing Table With Provable Performancefor Congestion Control in DHT Networks. TPDS, 2009.

[37] M. Gunes, U. Sorges, and I. Bouazzi. Ara – the ant-colony basedrouting algorithm for manets. In Proc. of IWAHN, 2002.

[38] M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Anonymousconnections and onion routing. IEEE JSAC, 16:482–494, 1998.

[39] D. Chaum. The dining cryptographers problem: Unconditional senderand recipient untranceability. Communications of the ACM, 1988.

[40] J. Han, Y. Liu, L. Xiao, R. Xiao, and L. M. Ni. A mutual anonymouspeer-to-peer protocol design. In Proc. of IPDPS, 2005.

11

Haiying Shen received the BS degree in Computer Science and Engineering from Tongji University, China in 2000, and the MS and Ph.D. degrees in Computer Engineering from Wayne State University in 2004 and 2006, respectively. She is currently an Assistant Professor in the Holcombe Department of Electrical and Computer Engineering at Clemson University. Her research interests include distributed and parallel computer systems and computer networks, with an emphasis on peer-to-peer and content delivery networks, mobile computing, wireless sensor networks, and grid and cloud computing. She was the Program Co-Chair for a number of international conferences and member of the Program Committees of many leading conferences. She is a Microsoft Faculty Fellow of 2010 and a member of the IEEE and ACM.

Cheng-Zhong Xu received B.S. and M.S. degrees from Nanjing University in 1986 and 1989, respectively, and a Ph.D. degree in Computer Science from the University of Hong Kong in 1993. He is currently a Professor in the Department of Electrical and Computer Engineering of Wayne State University and the Director of Sun’s Center of Excellence in Open Source Computing and Applications. His research interests are mainly in distributed and parallel systems, particularly in scalable and secure Internet services, autonomic cloud management, energy-aware task scheduling in wireless embedded systems, and high performance cluster and grid computing. He has published more than 160 articles in peer-reviewed journals and conferences in these areas. He is the author of Scalable and Secure Internet Services and Architecture (Chapman & Hall/CRC Press, 2005) and a co-author of Load Balancing in Parallel Computers: Theory and Practice

Haiying Shen Haiying Shen received the BSdegree in Computer Science and Engineeringfrom Tongji University, China in 2000, andthe MS and Ph.D. degrees in Computer Engi-neering from Wayne State University in 2004and 2006, respectively. She is currently anAssistant Professor in the ECE Department atClemson University. Her research interests in-clude distributed computer systems and com-puter networks with an emphasis on P2P andcontent delivery networks, mobile computing,wireless sensor networks, and grid and cloud

computing. She was the Program Co-Chair for a number of interna-tional conferences and member of the Program Committees of manyleading conferences. She is a Microsoft Faculty Fellow of 2010 and amember of the IEEE and ACM.

Guoxin Liu Guoxin Liu received the BS de-gree in BeiHang University 2006, and theMS degree in Institute of Software, ChineseAcademy of Sciences 2009. He is currentlya Ph.D. student in the Department of Elec-trical and Computer Engineering of ClemsonUniversity. His research interests include dis-tributed networks, with an emphasis on Peer-to-Peer, data center and online social net-works. He is a student member of IEEE.

Jill Gemmill Jill Gemmill holds a PhD inComputer and Information Sciences and hasover 30 years of experience in building uni-versity research computing and infrastructureand support organizations of new academicresearch support organizations at the Univer-sity of Alabama at Birmingham and ClemsonUniversity. She is currently Research Pro-fessor in Clemsons Electrical and ComputerEngineering Department. Dr. Gemmill’s ex-pertise includes trust relationship manage-ment frameworks for federated virtual orga-

nizations, network application performance and three-dimensionalcomputer graphics. Her past experience includes university Data Se-curity Officer, network applications specialist, and Technical Directorfor a Neurobiology Image Reconstruction Facility. Dr. Gemmill haspublished 33 articles and 2 technical books; and is cited for technicalcontributions in 16 publications.

Lee Ward Lee Ward is a principal member oftechnical staff in the scalable systems com-puting department at Sandia National Lab-oratories. As an inveterate student of op-erating systems and file systems, his inter-ests have provided the opportunity to makecontributions in high performance, parallelfile systems, IO libraries, hierarchical storagemanagement and compute cluster integra-tion/management systems.

12

5 PSEUDOCODE OF TWO ALGORITHMS

——————————————————————————-Algorithm 1: Pseudocode for the FairTrust policy.——————————————————————————-

Determine the set of neighbors for the requestrouting based on the P2P routing algorithm//choose trustworthy neighbors with required reputation levelDetermine the required reputation level TQuery reputation value (R) of each neighborChoose a set of options J = {j1, j2 . . . } with R > TRandomly choose b nodes Jb = {j1, j2 . . . jb} from J//choose a node from Jb

Probe each node in Jb for its congestionif all nodes in Jb are overloaded nodes then

Select the node with the lowest congestionelse

if only one node is lightly loaded thenSelect this lightly loaded node

else //many nodes in Jb are all lightly loaded nodesCompute the logical distance from each lightly loadednode in Jb to destination respectivelyif all nodes do not have the same logical distance then

Choose the node with the lowest logical distanceelse

Acquire the physical distance from each lightlyloaded node in Jb to destination respectivelyif all nodes do not have the same physical distance then

Choose the node with shortest physical distanceelse

Randomly choose a lightly loaded node in Jb

Ask the selected node for routing servicePay virtual credits to the server for its received service

——————————————————————————-

—————————————————————————————-Algorithm 2: Pseudocode for the TrustAar policy executed by node i.—————————————————————————————-/*i−1: the predecessor of node i in the client-server path*//*i+1: the successor of node i in the client-server path*/

if isServer() then {Query the reputations of client and itself, {tc, ts},based on pseudonymsGenerate a pair of public and private keys (Ks

pub, Kspri)

Send Msg({tc, ts}, Kspub) to node i−1 }

if receive Msg({tc, ts}, Kspub) from node i+1 then {

Check the authority of the signature of {tc, ts}Decide if it becomes a proxy with probability 1/t(t = min{tc, ts})

if it becomes a proxy then {//notify its previous proxy in the server-client pathUse Ks

pub to encrypt its IP address: (i)Kspub

Generate a pair of public and private keys (Kppub, Kp

pri)Send Msg(Kp

pub,(i)Kspub

) to node i+1}//look for its successor proxy in the server-client pathGenerate a pair of public and private keys (Ks

pub, Kspri)

Send Msg({tc, ts}, Kspub) to node i−1}

else //it is not a forwarding proxyForward received Msg({tc, ts}, Ks

pub) to node i−1 }

if receive Msg(Kppub,(j)Ks

pub) from node i−1 then

if it does not have Kspri to decrypt the message then

Forward Msg(Kppub,(j)Ks

pub) to node i+1

else //send the file to the next proxy in the server-client pathDecrypt (j)Ks

pubusing its Ks

pri and retrieve IP address j

if isNotServer() thenDecrypt the file using its own Kp

pri

Encrypt the file using Kppub and send it to node j}

—————————————————————————————-

6 PERFORMANCE EVALUATION ON THE EF-FECTIVENESS IN FILE SERVER SELECTIONWe now evaluate the effectiveness of FairTrust in fileserver selection. We assume that a client can locate thefive servers successfully. We assume there are five levelsof reputation, with the probability of successfully providingservice ranging from 0.2 to 1, with a 0.2 increase foreach level. Each node is randomly assigned one of the fivereputation levels.

11.2 Random

0 60.8

1

ss rate MaxTrust

S T t

0.20.40.6

Succes SameTrust

FairTrust/10

0.2 0.4 0.6 0.8 1

S

Desired trust levelFairTrust/desiredDesired trust level sired

(a) Simulation

0

0.2

0.4

0.6

0.8

1

0.2 0.4 0.6 0.8 1

Su

cce

ss r

ate

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(b) PlanetLabFig. 15: Success rate of service requests.

0

0.1

0.2

0.3

0.2 0.4 0.6 0.8 1

Ave

. m

ax.

no

de

co

ng

est

ion

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(a) The average of max. congestions

0

1

2

3

4

5

0.2 0.4 0.6 0.8 1

Ma

x.

no

de

co

ng

est

ion

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(b) The 99.9th percentile max. cong.Fig. 16: Node congestion in simulation.

0

0.1

0.2

0.3

0.4

0.5

0.2 0.4 0.6 0.8 1

Ave

. m

ax.

no

de

co

ng

est

ion

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(a) The average of max. cong.

0

2

4

6

8

0.2 0.4 0.6 0.8 1

Ma

x.

no

de

co

ng

est

ion

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(b) The 99th percentile max. cong.Fig. 17: Node congestion on PlanetLab.

An efficient server selection policy should distribute theload among the servers while considering trustworthinessand efficiency. In this experiment, we study the effect ofFairTrust in trustworthiness and efficiency compared toother related policies. In the experiment, 1000 different fileswere requested, with each file requested 10 times. We variedthe desired trust level in FairTrust from 0.2 to 1, with a0.2 increase for each step. We also took this rate as thereputation level of requesters in SameTrust. We compare thesuccess rate (i.e., the percent of the successfully resolvedservice requests) between FairTrust, Random, MaxTrust,FairTrust/1, and FairTrust/desired. FairTrust/desired repre-sents the policy with different desired trust levels as setin the experiment. Figure 15(a) and Figure 15(b) plot thesuccess rate versus the desired trust level in the simulationand PlanetLab experiments, respectively. Both figures showthat the success rates of FairTrust/1 and MaxTrust are thehighest compared to the others, and the rates are close to 1.The rate of FairTrust/desired is marginally lower than therates of FairTrust/1 and MaxTrust, and it increases as thedesired trust level increases. The results imply that FairTrustand MaxTrust achieve highly trustworthy performance. We

13

expected that the curve of FairTrust/desired would be y=x.It is surprising to see that FairTrust/desired achieves amuch higher success rate than expected. This is becauseFairTrust/desired guarantees the desired trust level first, andthen seeks a higher trust level while considering efficiency.Random does not consider reputation in node selection, so ithas a lower success rate. Unlike the others, the success rateof SameTrust increases dramatically with the desired trustlevel, i.e., the trust level of requesters. Recall that SameTrustrestricts communication to nodes in the same reputationlevel. Therefore, in addition to the server reputation, whetheror not there exists a server with the same reputation level asthe requester also determines the success of a request. Forexample, if a requester has reputation level 0.2, but there isno server of the requested file within reputation level 0.2,the requester has nowhere to request the file. If there issuch a server, the probability of successful file provisionis only 0.2. Consequently, the success rate increases asthe requester reputation level increases, and is much lowerthan others due to the constraint of server reputation. Theexperimental results show the effectiveness of FairTrust intrustworthy performance in comparison to the other relatedpolicies. Next, we evaluate the performance of each policywith regards to efficiency.

64

256

1,024

0.2 0.4 0.6 0.8 1Nu

mb

er

of

ove

rlo

ade

d

se

rve

rs c

ho

sen

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(a) Number of overloaded servers

0

20000

40000

60000

1 2 3 4 5

To

tal

file

re

trie

va

l ti

me

(se

c.)

Node interarrival/interdeparture rate

Random MaxTrust

MaxCap FairTrustAar

(b) Service request processing timeFig. 18: Request processing efficiency in simulation.

64

256

1,024

0.2 0.4 0.6 0.8 1Nu

mb

er

of

ove

rlo

ade

d

se

rve

rs c

ho

sen

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(a) Number of overloaded servers

10000

11000

12000

13000

14000

0.2 0.4 0.6 0.8 1

To

tal

req

ue

st

pro

ce

ssin

g t

ime

(se

c)

Desired trust level

Random

MaxTrust

SameTrust

FairTrust/1

FairTrust/desired

(b) Service request processing timeFig. 19: Request processing efficiency on PlanetLab.

We measured each node’s maximum congestion duringall test cases and calculated the average and 99th percentileof the maximum node congestions. Figure 16(a) andFigure 17(a) show the average of maximum congestionrate versus desired trust level in simulation and PlanetLabexperiments, respectively. We can see that MaxTrustand SameTrust generate the highest rates. This is withinexpectations because MaxTrust and SameTrust stronglybias on the highest-reputed or same reputation level nodesfor service provision and those nodes may turn out tobe overloaded. The results indicate that MaxTrust andSameTrust have poor efficiency performance, althoughMaxTrust has high trustworthy performance as illustratedin Figure 15(a) and Figure 15(b). In contrast, FairTrust/1and FairTrust/desired have much lower congestion rates.Since FairTrust/1 has the highest reputation level as itsdesired trust level, how can it achieve a lower congestionrate than MaxTrust? This is because FairTrust/1 distributes

load between nodes among the highest-reputed nodes ratherthan biasing on a single node. On the other hand, witha lower desired trust level, FairTrust/desired expands theserver candidate pool and achieves a more balanced loaddistribution, thus achieving higher efficiency.

Figure 16(b) and Figure 17(b) show the 99.9th percentileand 99th percentile maximum congestion of each policybased on the average maximum congestions in simulationand PlanetLab experiments, respectively. We can observethat the rates of MaxTrust and SameTrust are much higherthan the others, and that FairTrust/1 has lower rates thanMaxTrust and SameTrust due to the same reason as inFigure 16(a) and Figure 17(a). Random keeps the ratearound 1 in simulation but around 4.5 on PlanetLab sincePlanetLab provides fewer servers, so a low-capacity serveris more easily to be overloaded. FairTrust/desired keepscongestion low, which slightly increases as the desired trustlevel increases. This is because FairTrust/desired expandsthe server candidates to the servers above the desired repu-tation level rather than biasing on the highest-reputed node,which increases the possibility of selecting a lightly loadedserver. The results confirm the high efficiency performanceof FairTrust.

We also tested the service request processing efficiencyin different server selection policies. Figures 18(a) and(b), and Figures 19(a) and (b) show the number of over-loaded servers chosen and service request processing timeversus the desired trust level in simulation and PlanetLabexperiments, respectively. The figures show that MaxTrustand SameTrust have significantly higher results than theothers. This is due to the side-effect of high trustworthyperformance by biasing the highest-reputed or same rep-utation level nodes. The biasing policy overburdens thosenodes, generating more overloaded nodes and longer requestprocessing times. In contrast, FairTrust and Random havemuch fewer overloaded servers and processing times. Thefigures also illustrate that FairTrust/desired has lower resultsthan Random and FairTrust/1, and it has fewer overloadedservers chosen in most cases. FairTrust/desired trades sur-plus trustworthiness for efficiency by mapping tasks ofdifferent desired trust levels to nodes with correspondingtrustworthiness levels. The results imply the efficiency ofFairTrust in avoiding overloaded nodes and speeding upservice request processing.

The experimental results show that in server selection,MaxTrust and SameTrust can achieve high trustworthiness,but have difficulty in improving efficiency. Random canachieve high efficiency, but does not consider trustworthi-ness. FairTrust has superior performance over the otherswith both high trustworthiness and efficiency.

7 RELATED WORKRouting algorithms and reputation systems. In orderto improve the routing efficiency in P2P networks, somepreviously proposed routing algorithms choose the highest-capacity nodes in routing. Castro et al. [34] proposed aneighbor selection algorithm to direct most traffic to highcapacity nodes. Some algorithms [34–36] forward queriesto high capacity nodes in routing to enhance communicationefficiency. However, these algorithms cannot guaranteereliable routing because of uncooperative participants.

To provide incentives that promote cooperative (or dis-courage uncooperative) behavior, many reputation sys-tems [3–15] have been proposed in the last few years. Mostworks aim to design a reputation calculation method to

14

more accurately reflect node trustworthiness (e.g., [3]) and(or) realize decentralized reputation management for higherscalability (e.g., [3, 4]).

Though many reputation systems help to achieve accuracyof reputation values, higher scalability, and security ofreputation systems, effectively using reputation values isalso critical for building a trustworthy environment fordistributed systems. Most of the approaches for using rep-utation metrics are to select the node with the highestreputation as a providing peer. However, this may lead to un-expectedly low efficiency of high-reputed nodes and preventP2P systems from making full use of system resources. Toaddress this problem, Ranganathan et al. proposed a “peer-approved” policy [24] in which nodes can download filesonly from others with a lower or equal rating. This policyencourages a node to provide high-quality service in order toimprove its reputation. However, a node’s received quality isquestionable, as it may select services from lower reputed-nodes. To handle this problem, Papaioannou [25] proposeda “comparable reputation” policy aiming to restrict nodesto communicate only with others at the same reputationlevel. Restricting the eligibility of a node to interact withothers prevents nodes from sharing resources freely, whichis a main goal of P2P systems. We develop the FairTrustserver selection policy that not only enables nodes to shareresources freely, but also ensures trustworthy resource allo-cation. It avoids overloading high-reputed nodes and takesfull advantage of all resources in the system.Anonymity protocols. Anonymity protocols aim to hide therelationship between an observable action and the identityof the users involved with this action. The Mute [18] andMantis [29] anonymity systems implement the Ants proto-col [37], in which a requester broadcasts a query, and theresponse is forwarded back along its query route. Tor [16]provides anonymity using the Onion routing protocol [38],in which messages are randomly routed, and each routerobtains no information about the message routing path otherthan the identity of the following router through the useof encryption technology. Freenet [17] is a searchable P2Psystem which makes it impossible for an attacker to find allcopies of a particular file by allowing each node to store allthe files that pass across it. Freenet uses response forwardingalong its query route to enable provider anonymity, and usesbroadcast to obscure the intended recipient. Some systemsincluding DC-nets [39] and Secret-sharing-based mutualanonymity protocol [40] rely on broadcasting to achieveanonymity.

These protocols and systems are effective in building asecure environment with anonymity protection. However,approaches such as broadcasting in Ants, random routerselection in Tor, tunnelled communication in Freenet lead tosystem scalability and efficiency penalties. Motivated by theobservation that most current anonymity approaches focuson enforcing security while neglecting efficiency, we aim toexplore an approach that considers both.

OneSwarm [19] also aims for a trade-off degree ofanonymity for communication efficiency. OneSwarm usesmulti-path message forwarding and provides users withexplicit configurable control over the amount of trust theyplace in peers and in the sharing model for their data:the same data can be shared publicly, anonymously, orwith access control, with both trusted and untrusted peers.Though sharing similar goals with OneSwarm, our workis different in that it leverages reputation systems to tacklethe trade-off problem for providing both high anonymity

protection and efficiency.Our proposed request routing and response forwarding

policies are unique in that they provide trustworthy (i.e., re-liable and anonymous) communication between nodes whileenhancing the efficiency of node communication based onthe reputation system.