Strong Connections. Part I: Recovery

Why Recovery Connections are Strong

Recovery connections can be used as a stronger connection than one that is simply subjectively labeled (such as “already known”), because they inherently have something at stake: the ownership of a BrightID account along with its verifications and links to apps. The value at stake makes it far less likely that a person would choose an attacker as a social recovery connection. The separation between sybil and honest regions would be maintained; this is what is meant by a “strong” connection: one that isn’t likely to span sybil and honest regions. By contrast, a “weak” connection could more easily be the result of social engineering and therefore connect an honest person to an attacker’s sybil. For example, it doesn’t cost much to label someone “just met,” so it can be done casually and would be considered “weak.”

Considerations for Graph Analysis

When someone chooses a recovery connection, the person they choose doesn’t have to agree to it. Even if they did, the relation would still be a directed one: the person choosing the recovery connection has much more at stake than the person accepting it; the connection is only strong in one direction. Several anti-sybil analysis methods rely on trust propagating through a graph of connections. When considering social recovery connections, trust would flow in the “strong” direction only or at least be greatly attenuated in the “weak” direction.

I’ve changed my mind about recovery connections being strong connections. If an attacker creates several sybil accounts and connects them to their friends as “already known,” the friends won’t be any less likely to upgrade their connections to “recovery” after having connected to one of the sybils. Even if we require the presence of mutual friends before a recovery connection is counted as such, the attacker can still partition their connections carefully among sybils with one sybil per each of their social circles. “Strong” connections should be designed to defeat partitioning attacks, which the “family vouch” connection is designed to do.