Assessing Efficiency of Trust Management in Peer-to-Peer
R. Aringhieri (1), E. Damiani (1),
S. De Capitani Di Vimercati (1), P. Samarati (1)
(1) Dip. di Tecnologie dell’Informazione
Università di Milano
P2P applications support exchanging resources while preserving total or partial anonymity of both
requestors and providers. However, concerns have been raised about the possibility that anonymity may
encourage malicious peers to spread tampered-with resources (e.g., malicious programs and viruses). A
considerable amount of research is now being carried out on the development of trust and reputation
models in P2P networks. In this paper, we assess the efficiency of our approach to the design of reputation
systems involving flexible techniques for collecting and aggregating peers’ opinions via comparison with
A key requirement for large scale Peer-to-Peer (P2P) networks is allowing for different degrees of anonymity
during interactions. In particular, full anonymity is widely acknowledged to be of paramount importance
for establishing free marketplaces in many application environments [Damiani et al., 2003a]. On the other
hand, anonymity is critical in presence of rogue peers, and there is increasing interest in systems capable
of keeping the consequences of hostile behavior under control. In our previous work [Damiani et al., 2003b]
we described a distributed voting algorithm for collecting other peers’ views on a proposed transaction
based on a two-step technique: i) we poll the community of P2P users for collecting the different
reputations on a candidate peer p, and ii) we merge the different opinions in a single value by means of
a fuzzy aggregation [Klir and Folger, 1988]. The result of the vote is a quantitative estimation
summarizing peers’ evaluations that, taken individually, are subjective, dynamic, and often uncertain.
In [Aringhieri et al., 2003] we proposed our fuzzy aggregation as a community-based operational definition
of trust. Other approaches [Yahalom et al., 1993] tried to deal with multiple types of trust based on a set of
different interaction pragmatics; others [Yu and Singh, 2000] dynamically assign to each peer a trust rating,
that is, a reputation based on the peer’s previous performance on the network and store it at a suitable
Any community-based technique for computing trust values must take into account the fact that fully
anonymous environments are fundamentally different from centralized ones, inasmuch as some basic assumptions
(for example, opinions’ trustworthiness) cannot be made without adopting strong countermeasures against
forgery. On the other hand, these countermeasures should not aggravate the computational cost of the
voting scheme. In this paper, after briefly recalling our P2P reputation system, we discuss its efficiency by
comparing it to recent probabilistic approaches¹ via a set of extensive simulations. The paper is organized as
follows: in Section 2 we describe our representation of trust [Aringhieri et al., 2003] [Aringhieri et al., 2005]
and describe our protocol for community-wide trust computation. In Section 3 we present a set of
simulations aimed at assessing the efficiency of our solution, comparing it with EigenTrust [Kamvar et al., 2003],
a recent probabilistic approach to trust computation. Finally, in Section 4 we draw the conclusion.

¹ Note that while in this paper we assume reputations to be associated with peers, the approach can also be applied to
the exchange of opinions on resources [Damiani et al., 2002] and on many other aspects (e.g., quality of resources, opinions on
specified parameters, and so on).
2 Trust and Reputation Protocol
P2PRep is a reputation-based protocol, formalizing the way each peer stores and shares with the community
the reputation of other peers [Damiani et al., 2003b]. P2PRep runs in a fully anonymous P2P environment,
where peers are identified using self-assigned opaque identifiers (e.g. a digest of a public key for which
only the peer itself knows the corresponding private key). For the sake of simplicity, here reputation and
trust are represented as fuzzy values in the interval [0,1]. Our approach can however be readily extended
to more complex array based representation taking into account multiple features [Aringhieri et al., 2005].
Protocol P2PRep consists of four phases. In Phase 1, a requestor r locates available resources sending a Query
broadcast message. Other peers answer with a QueryHit message notifying r that they may provide the
requested resource. Upon receiving a set of QueryHit messages, r selects an offerer o and polls the community
for any available reputation information on o sending a Poll message. Poll messages are broadcast in the
same way as Query messages. All peers maintain an experience repository of their previous experiences with
other peers. When a peer receives a Poll message, it checks its local repository. If it has some information
to offer and wants to express an opinion on the selected offerer o, it generates a vote based on its experiences,
and returns a PollReply message to the initiator r. As a result of Phase 2, p receives a set V of votes, some
of which express a good opinion while others express a bad one. In Phase 3, r evaluates the votes to collapse
any set of votes that may belong to a clique and explicitly selects a random set of votes for verifying their
trustworthiness [Damiani et al., 2003b]. In Phase 4 the set of reputations collected in Phase 3 is synthesized
into an aggregated community-wide reputation value. Based on this reputation value, the requestor r can
decide whether or not to access the resource offered by o (Phase 5). After accessing the resource,
r can update its local trust on o (depending on whether the downloaded resource was satisfactory or not).
While a naive implementation of P2PRep can be expensive in terms of storage capacity and bandwidth, this
cost can be minimized by applying simple heuristics. The amount of storage capacity is proportional to
the number of peers with which the initiator has interacted. With respect to the bandwidth, it is easy to
see that P2PRep increases the traffic of the P2P network by requiring both direct exchanges and broadcast
requests. It is however reasonable to assume that the major impact of the protocol on network performance
is due to broadcast messages and their answers. To overcome this issue, several heuristics can be applied.
For instance, intelligent routing techniques can be applied for enabling custom forwarding of poll packets
to the “right” peers. Vote caching is another technique that can be applied to improve the effectiveness
of P2PRep. Finally, P2PRep scalability depends on the technique used for vote aggregation. Section 3 will
present a set of simulations showing the details of P2PRep behavior.
In P2PRep reputations are managed at two levels: local and community-wide reputation. Local reputation
is based on each individual peer’s direct experience of interactions with another peer, while community-wide
reputations represent the synthesis resulting from aggregating multiple opinions about a peer. In the remainder
of this Section, following [Aringhieri et al., 2003] and [Aringhieri et al., 2005], we recall our fuzzy technique
for computing local and community-wide reputations.
Let $r_{i,j}$ be the local reputation resulting from direct interactions between peer i and peer j. For each
interaction, we model the transaction outcome $t^{(n)}_{i,j}$ as follows: $t^{(n)}_{i,j} = 1$ if the outcome was satisfactory,
$t^{(n)}_{i,j} = 0$ otherwise. We use a fuzzy value to express local reputations to take into consideration the fact
that transactions can be heterogeneous for importance, resource value, and so on. Each local reputation
is initialized after the first interaction by taking the value of $t^{(1)}_{i,j}$. At any time n > 1, local reputation is
updated based on the outcome of the n-th transaction as follows.

$$
r^{(n)}_{i,j} =
\begin{cases}
t^{(1)}_{i,j} & \text{if } n = 1 \\
\alpha^{(n)} r^{(n-1)}_{i,j} + (1 - \alpha^{(n)})\, t^{(n)}_{i,j} & \text{if } n \geq 2
\end{cases}
$$

where $\alpha^{(n)}$, a value between 0 and 1, is the aggregation freshness,² that is, the importance of past transactions
in relation with the last one. If $\alpha^{(n)} \approx 1$ past experience will have a very high importance and the last
transaction has a little role in reputation evaluation; if $\alpha^{(n)} \approx 0$ then last experience is merely forgotten. Note
that our freshness value is not static, but can change at any single interaction, according to circumstances.
In particular, for the first encounters of i with j, (i.e., for low values of n), freshness should remain high while
it can decrease as n grows and therefore i has acquired enough experience on j. Note however that freshness
should never become too low, since this would mean having a blind trust in other peers. In our approach,
freshness evolution relies on feedback, by checking whether the current reputation value of a peer would give
an accurate prediction of the result of the next transaction with it. If this is the case, reputation value is
about right and freshness should not increase; otherwise, the current reputation is considered unreliable and
α is incremented. Our approach follows a well-known technique for feedback control, that quickly stabilizes to
a fair and efficient setting [Jacobson, 1988]. While other feedback strategies such as MIMD (Multiplicative
Increase/Multiplicative Decrease) could be adopted, they are known to be less robust and need careful tuning
to avoid oscillatory behavior [Chiu and Jain, 1989]. More specifically, if we consider the reputation $r^{(n-1)}_{i,j}$
to be a prediction of the outcome of i’s next download from j, the accuracy of this prediction can be computed
with a Boolean function which returns 0 (wrong prediction) if the value of $r^{(n-1)}_{i,j}$ differs from the actual
$t^{(n)}_{i,j}$ more than a given error threshold E, and returns 1 (right prediction) otherwise. Namely,

$$
Acc^{(n)}_{i,j} =
\begin{cases}
0 & \text{if } |r^{(n-1)}_{i,j} - t^{(n)}_{i,j}| > E \\
1 & \text{otherwise}
\end{cases}
$$

This accuracy value is then used to determine a coefficient $\beta^{(n)}$ taking into account past experience and
the outcome of the last transaction as follows. The coefficient is initialized to $\beta^{(0)} = 0$ and is updated at
subsequent times as:

If the degree of similarity $Acc^{(n)}_{i,j} \approx 1$, then $\alpha^{(n)}$ will increase, granting more importance to past history.³

² Note that different values of freshness are used for different peers and therefore a peer i will use a different α for each
different peer j. For readability, we omit the subscripts when they are clear from the context.
³ Note that, of course, this accuracy could also be defined as a fuzzy function, for example, by considering that not all
transactions have the same importance. We shall not elaborate on this possibility in this paper, assuming that the crisp β
coefficient summarizes all context representation.
⁴ Note that since the individual reputations are fuzzy, their fuzzy aggregation will also be a value in the unit interval.

If the requestor has no previous experience on a peer j or the local reputation is still considered not
reliable enough (i.e., for low values of n), the peer will, by using P2PRep, run a poll and inquire other peers
about j’s reputation for them. Here, we assume the vote expressed by each peer k participating in the poll on
j to be its local reputation $r_{k,j}$ of j. The question now is how the poller should aggregate the different votes
received to produce a synthesized value.⁴ A basic requirement for aggregating opinions is that if the pool
of peers is stable and they maintain identical beliefs across all transactions from a given instant $t_0$ onwards,
then all interactions will asymptotically conform to these beliefs. In other words, if the majority of peers
considers that peer j has a bad reputation, then j will be in the end excluded from all transactions.⁵ This
property, called unanimity, is often considered a minimal standard of acceptability for an opinion aggregation
operator, and is held both by the weighted mean and the geometric mean [Aczél and Alsina, 1986]. The
simplest aggregation available is the arithmetic average of the votes received. However, arithmetic average
performs a rough compensation between high and low values, not taking into account different variations
between individual opinions that may characterize different polls. Luckily, arithmetic means are not the
only aggregation functions usually used in opinion pooling and many other combination methods have been
studied. The OWA (Ordered Weighted Average) operator, introduced by Yager in [Yager, 1988], allows the
decision maker to give different importance to the values of a criterion. The main difference between OWA
and the arithmetic means consists in the separability of the aggregation function: OWA considers that the
influence of each contribution on the result is not directly separable, but depends on the other contributions.
For instance, a very good reputation value in the midst of low ones should be treated differently than a good
value accompanied in the poll by fair ones. Technically, an OWA operator is a weighted average that acts
on an ordered list of arguments and applies a set of weights to tune their impact on the final result. Namely,
in our setting, we get
where n is the number of reputations to be aggregated considered in decreasing order, that is, assuming
$r_{t_1,j} \geq r_{t_2,j} \geq \dots \geq r_{t_n,j}$, and $[w_1\ w_2\ \dots\ w_n]$ is a weighting vector. The behavior of this operator is largely
determined by the choice of weights. For instance, the result could be based on the most frequent values
simply by assigning lower weights to extreme ones. Alternatively, high weights can be given to extreme values
to increase the operator responsiveness to them.⁶ In our case, we set the OWA weights asymmetrically, since
our aggregation operator needs to be biased toward the lower end of the interval, increasing the impact of low
local reputations on the overall result. The reason is that we assume that peers are usually trustworthy
and a malicious behavior is the exception. According to this assumption, low local reputations should be
considered as relevant and their impact on the overall reputation should be significant. Of course, there
are many ways to do this, for example, by increasing weights linearly or non-linearly with the position k of
the corresponding opinion $r_{t_k,j}$ in the OWA ordered set of arguments. Also, it is possible to give a bonus
to multiple occurrences of the same weight (group votes). This can be done by defining the operator on a
(usually small) set of different reputation values d rather than on the (usually large) number of peers, as
i=1| Vi| wi
where $V_1, \dots, V_d$ is a partitioning of the set of votes grouping together votes with the same value $v_i$, and
where $v_i$ are considered ordered, that is, $v_1 > \dots > v_d$.
Since our local opinions take values in the unit interval [0,1], in principle there is no reason to favor group
votes; however, computational efficiency and values’ rounding to a fixed number of decimals may make this
a viable solution for practical implementations. In the algorithm shown below, we simply partition the unit
interval in d + 1 sub-intervals and use their extreme values (discarding 0 and 1) as a (linearly increasing)
set of weights for aggregating the d distinct reputation values to be aggregated via the OWA operator. In
other words, we set:
⁵ Of course, the delay can be arbitrarily long if communications on the network are slow.
⁶ With the OWA operator the decision makers can express their preferences in relation to the values of the criteria, but they
cannot express preferences between criteria. This drawback is important when criteria are heterogeneous and is usually solved
using the WOWA (Weighted OWA) operator [Torra, 1997] instead of OWA. Here, however, we are in a homogeneous scenario,
so using OWA looks perfectly safe.
We include local reputation in the computation by adding a new class $V_{d+1} = r_{p,j}$ and associate with
it the highest possible weight, with weights now computed for d + 1 values. The final definition of our
aggregation operator for P2PRep is the following one:
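
As an added example (not the authors' code and not the operator's missing formula), the Python below applies the grouped, linearly weighted aggregation described in this section to a constructed poll in which colluding peers vote 1 for a malicious offerer, and compares it with the arithmetic mean. The normalised form of the sum, the rounding to one decimal, the sample votes and all function names are assumptions made for the illustration.

```python
# Added illustration of P2PRep-style vote aggregation; not the authors' code.
from collections import Counter


def update_local_reputation(prev, outcome, alpha):
    """r(n) = alpha*r(n-1) + (1-alpha)*t(n); prev is None before the first transaction."""
    if outcome not in (0, 1):
        raise ValueError("transaction outcome t must be 0 or 1")
    if prev is None:                      # n = 1: reputation starts at t(1)
        return float(outcome)
    return alpha * prev + (1.0 - alpha) * outcome


def owa_weights(count):
    """Inner cut points of [0,1] split into count+1 equal parts (linearly increasing)."""
    return [k / (count + 1) for k in range(1, count + 1)]


def aggregate_owa(votes, local_reputation=None, decimals=1):
    """Community-wide reputation from poll votes, biased toward low opinions.

    ASSUMPTION (the formula itself is missing from the page): the result is
    sum(|V_i| * w_i * v_i) / sum(|V_i| * w_i) over the distinct vote values
    v_1 > ... > v_d, so the lowest values receive the highest weights.
    """
    groups = Counter(round(v, decimals) for v in votes)        # classes V_1..V_d
    classes = [(v, groups[v]) for v in sorted(groups, reverse=True)]
    if local_reputation is not None:
        classes.append((local_reputation, 1))   # class V_{d+1}: highest weight
    if not classes:
        raise ValueError("no votes and no local reputation to aggregate")
    weights = owa_weights(len(classes))
    num = sum(size * w * v for (v, size), w in zip(classes, weights))
    den = sum(size * w for (_, size), w in zip(classes, weights))
    return num / den


def arithmetic_mean(votes):
    """Flat aggregation used as the baseline."""
    return sum(votes) / len(votes)


# Constructed poll on a malicious offerer: six colluding peers vote 1.0,
# four well-behaved peers report their bad experiences.
COLLUDING_VOTES = [1.0] * 6
HONEST_VOTES = [0.0, 0.1, 0.1, 0.2]
POLL = COLLUDING_VOTES + HONEST_VOTES


def demo():
    # The requestor itself has had one unsatisfactory download from the offerer.
    local = update_local_reputation(None, 0, alpha=0.7)
    return {
        "mean": arithmetic_mean(POLL),
        "owa": aggregate_owa(POLL),
        "owa_with_local": aggregate_owa(POLL, local_reputation=local),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

Grouping by value means the six identical inflated votes form a single class with the lowest weight, which is why the aggregated value falls well below the arithmetic mean even though colluders are the majority of the poll.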
While implementations of P2PRep are available [Damiani et al., 2002], our protocol’s large-scale efficiency
and effectiveness as compared to other proposed approaches can only be assessed via simulation. In this
Section, after describing the simulation model we adopted for P2PRep we describe the simulation experiments
that we carried out to investigate the efficiency of our solution, reporting and discussing the main results
Our simulation model refers to a P2P network where each peer is reachable from all others⁷ and does not
take into account delays due to message routing. Over this broadcast network, we simulate a set of queries,
each asking for a randomly chosen resource. For each query, the peer querying the network is randomly
chosen (with a uniform probability distribution) over all available peers. Then, a preferred offerer o is
selected, randomly choosing some peers among those having the resource required. In our simulation, a
malicious peer is more likely to be selected as the offerer o than a well-behaved one. The main settings of
our simulation model are the following: the number of peers P in the network is uniformly distributed in
[300,400]; the number of malicious peers M, M ⊂ P, is 40% of |P|; the number of different kinds of
resources is 20; the max poll cardinality is uniformly distributed in [5,15]. We also assume all well-behaved
peers i participate in a poll on offerer o by returning the local reputation $r_{i,o}$ if such a value is recorded; no
response is returned otherwise. Moreover, we modelled the behavior of malicious peers in M by assuming
that: 1) malicious peers provide only malicious resources; 2) malicious peers respond to the polling on a peer
o by always providing a (malicious) 1 reputation if o ∈ M, and by providing a genuine opinion, otherwise.
Our simulation consists of a number of repeated experiments, each one evaluating a different and randomly
generated scenario. We have set the total number of experiments to 50 while the number of queries for each
experiment ranges from 1,000 to 10,000 with an increment of 1,000. Higher values are not infrequent on
real P2P systems like Gnutella [Damiani et al., 2002]; however we chose this range to enforce the assumption
that the set of peers remains more or less stable across the experiments. To perform a simple comparison,
the model provides also a random policy in which the offerer is randomly chosen and reputation checks are
The performance of P2PRep with fuzzy aggregation is shown in Figure 1: the fuzzy solution has a slow
start but the percentage of malicious downloads decreases as the quality of the network reputation increases
following the diffusion of information about malicious peers. Although it steadily decreases, we note that
after a number of queries (about 15000 in our experiments) the percentage of malicious downloads tends
to become more stable. Table 2 reports a comparison between OWA and arithmetic means showing the
beneficial impact of using a fuzzy "intelligent" aggregation operator with respect to a flat one like arithmetic

⁷ In real P2P systems this condition is only verified within a fixed horizon.
Figure 1: The performance of our solution (plot "Behavior of P2PRep protocol"; x-axis: number of queries; y-axis: percentage of malicious downloads)
Table 1: Percentage of malicious downloads with OWA and arithmetic mean
Figure 2: OWA vs. arithmetic mean (x-axis: number of queries)
Table 2: Eigentrust and Random Policy: percentage of malicious downloads

Number of queries   1000    2000    3000    4000
Random              37.41   38.28   38.04   37.81
EigenTrust          16.82   18.54   17.36   15.92

Figure 3: Comparison with Eigentrust (x-axis: number of queries)
Table 3: Changing peers’ status: percentage of malicious downloads
Figure 4: Three different scenarios (x-axis: number of queries)
Comparisons with EigenTrust and Random Policy
We now compare the behavior of P2PRep with fuzzy aggregation with respect to EigenTrust
[Kamvar et al., 2003], a probabilistic approach to trust computation. In our experiments we have
set the number of pre-trusted peers equal to 5% of |P|. The results are reported in Table 3.
Our analysis shows that EigenTrust ensures good performance even for a small number of transactions.
However, the very same results show that a single variation has a small impact and EigenTrust cannot
improve much over time. Although it has a slower start, our fuzzy solution overtakes EigenTrust after 6000
Changing P2P population
We are now ready to investigate the effects on P2PRep of a high mortality rate, which is a typical feature of
P2P environments. Namely, we consider three different scenarios. In scenario S1 we increase the number of
malicious peers by changing well-behaved peers into rogue ones. Vice versa, in S2 the number of rogue peers
is decreased by changing them into well-behaved peers. Finally, the third scenario S3 is a mix of S1 and S2.
Referring to our simulation model, we introduce two new parameters: a population change is carried out
every it_change iterations and a peer changes its status with probability p_change. Table 4 reports the results
of our experiments setting it_change = 2500 and p_change = 10%.
The first two scenarios model the case in which the peer population drastically changes. When malicious
peers increase, we observe that the gap between random policy and P2PRep is about 50%. On the other
side, when malicious peers decrease, P2PRep is quite stable with respect to the scenario in which changes
are not allowed. Scenario S3 models high turnover in the peer population: P2PRep confirms its robustness,
showing a percentage of malicious downloads about 1% greater than the scenario with no changes. Finally, we
observe that comparison with EigenTrust is not possible since it requires a stable peer population in order to
guarantee the convergence of the probabilistic model.
Voting systems are at the base of the design of reputation systems in fully anonymous P2P environments.
In order to be efficient as well as effective, vote collection and aggregation must rely on advanced flexible
techniques for collecting and aggregating peers’ opinions. In this paper, we discussed the efficiency of our
voting protocol P2PRep when used in association with an OWA fuzzy aggregation operator, comparing it
with the performance of EigenTrust [Kamvar et al., 2003] probabilistic approach.
This work was supported in part by the European Union within the PRIME Project in the FP6/IST Pro-
gramme under contract IST-2002-507591 and by the Italian Ministry of Research Funds for Basic Research
(FIRB) within the KIWI and MAPS projects.
[Aberer and Despotovic, 2001] Aberer, K. and Despotovic, Z. (2001). Managing trust in a peer-2-peer in-
formation system. In Proc. of the Tenth International Conference on Information and Knowledge Man-
agement (CIKM 2001), Atlanta, Georgia.
[Aczél and Alsina, 1986] Aczél, J. and Alsina, C. (1986). On synthesis of judgements. Socio-Econom
Planning Science, 20/6:333–339.
[Aringhieri et al., 2003] Aringhieri, R., Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., and Samarati,
P. (2003). Fuzzy logic techniques for reputation management in anonymous peer-to-peer systems. In Proc. of
the International Conference in Fuzzy Logic and Technology, Zittau, Germany.
[Aringhieri et al., 2005] Aringhieri, R., Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., and Samarati,
P. Fuzzy techniques for trust and reputation management in anonymous peer-to-peer systems. Journal
of the American Society of Information and Software Technology (JASIST), to appear.
[Carter et al., 2002] Carter, J., Bitting, E., and Ghorbani, A. (2002). Reputation formalization within
information sharing multiagent architectures. Computational Intelligence, 18(4):515–534.
[Chiu and Jain, 1989] Chiu, D. and Jain, R. (1989). Analysis of the increase and decrease algorithms for
congestion avoidance. Journal of Computer Networks, 17(1):1–14.
[Damiani et al., 2003a] Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Pesenti, M., Samarati,
P., and Zara, S. (2003a). Fuzzy logic techniques for reputation management in anonymous peer-to-peer
systems. In Proc. of the Third International Conference in Fuzzy Logic and Technology, Zittau, Germany.
[Damiani et al., 2003b] Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., and Samarati, P. (2003b).
Managing and sharing servents’ reputations in P2P systems. IEEE Transactions on Data and Knowledge
[Damiani et al., 2002] Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P., and Violante,
F. (2002). A reputation-based approach for choosing reliable resources in peer-to-peer networks. In Proc.
of the 9th ACM Conference on Computer and Communications Security, Washington, DC, USA.
[Dellarocas, 2000] Dellarocas, C. (2000). Immunizing online reputation reporting systems against unfair
ratings and discriminatory behavior. In Proc. of the 2nd ACM Conference on Electronic Commerce,
Minneapolis, MN, USA.
[Dingledine et al., 2001] Dingledine, R., Freedman, M. J., Hopwood, D., and Molnar, D. (2001). A reputation
system to increase MIX-net reliability. Lecture Notes in Computer Science, 2137:126+.
[Dingledine and Syverson, 2002] Dingledine, R. and Syverson, P. (2002). Reliable MIX cascade networks
through reputation. In Proc. of Financial Cryptography.
[eBay Feedback Forum, 2003] eBay Feedback Forum (2003). eBay Feedback Forum.
[Friedman and Resnick, 2001] Friedman, E. and Resnick, P. (2001). The social cost of cheap pseudonyms.
Journal of Economics and Management Strategy, 10(2):173–199.
[Gupta et al., 2003] Gupta, M., Judge, P., and Ammar, M. (2003). A reputation system for peer-to-peer
networks. In Proc. of the ACM 13th International Workshop on Network and Operating Systems Support
for Digital Audio and Video, Monterey, California, USA.
[Jacobson, 1988] Jacobson, V. (1988). Congestion avoidance and control. ACM SIGCOMM Computer
Communication Review, 18(4):314–329.
[Kamvar et al., 2003] Kamvar, S., Schlosser, M., and Garcia-Molina, H. (2003). The eigentrust algorithm
for reputation management in P2P networks. In Proc. of the Twelfth International World Wide Web
Conference, Budapest, Hungary.
[Damiani et al., 2003a] Damiani, E., Khosla, R., Grosky W. (2003). Human-centered E-business. Kluwer
Academic Publisher, 2003.
[Kinateder and Pearson, 2003] Kinateder, M. and Pearson, S. (2003). A privacy-enhanced peer-to-peer rep-
utation system. In Proc. of the 4th International Conference of E-Commerce and Web Technologies,
Prague, Czech Republic.
[Klir and Folger, 1988] Klir, G. and Folger, T. (1988). Fuzzy Sets, Uncertainty, and Information. Prentice-
[Oram, 2001] Oram, A., editor (2001). Peer-to-Peer: Harnessing the Power of Disruptive Technologies.
O’Reilly & Associates.
[Rahman and Hailes, 2000] Rahman, A. and Hailes, S. (2000). Supporting trust in virtual communities. In
Proc. of the IEEE Hawaii International Conference on System Sciences, Maui, Hawaii.
[Rasmusson and Jansson, 1996] Rasmusson, L. and Jansson, S. (1996). Simulated social control for secure
internet commerce. In Proc. of the New Security Paradigms Workshop, Lake Arrowhead, CA, USA.
[Torra, 1997] Torra, V. (1997). The weighted owa operator. International Journal of Intelligent Systems,
[Wang and Vassileva, 2003] Wang, Y. and Vassileva, J. (2003). Trust and reputation model in peer-to-peer
networks. In Proc. of the Third International Conference on Peer-to-Peer Computing, Linköping, Sweden.
[Xiong and Liu, 2003] Xiong, L. and Liu, L. (2003). A reputation-based trust model for peer-to-peer ecom-
merce communities. In Proc. of the IEEE International Conference on E-Commerce, Newport Beach,
[Yager, 1988] Yager, R. (1988). On ordered weighted averaging aggregation operators in multi-criteria
decision making. IEEE Transactions on Systems, Man and Cybernetics, 18(1):183–190.
[Yahalom et al., 1993] Yahalom, R., Klein, B., and Beth, T. (1993). Trust relationships in secure systems.
In Proc. of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, USA.
[Yu and Singh, 2000] Yu, B. and Singh, M. (2000). A social mechanism for reputation management in
electronic communities. In Proc. of the 4th International Workshop on Cooperative Information Agents,
[Zacharia et al., 1999] Zacharia, G., Moukas, A., and Maes, P. (1999). Collaborative reputation mechanisms
in electronic marketplaces. In Proc. of the 32nd Hawaii International Conference on System Sciences,