### 3.1 Overview of the Second Best

The theory of the second best has had a significant impact on economics throughout the past half-century, being applied to such subjects as health care, antitrust, and international trade [8]. In the case of peer-to-peer overlays, the original design of the overlay topology can be thought of as a first best solution that optimizes message delivery when all peers are non-malicious. Adapting individual peer routing behavior to the presence of malicious peers can therefore be viewed as a second best solution to this optimization problem.

Economic theory generally begins with economic subunits such as consumers, households, or firms that attempt to optimize their own objective functions subject to various constraints. These economic subunits work within a larger *administrative perspective* that is defined by the set of rules governing the system and the degree of decentralization. This leads to a larger *fundamental problem* first formulated by Nobel laureate Paul Samuelson [39], who observed that every society acts as if it is attempting to maximize a (known or unknown) *social welfare function* subject to constraints.^{a} The welfare function is so named because it incorporates the goals of all economic subunits. For any viable system, the optimal conditions derived from the fundamental problem must also be consistent with the optimal behavior of the economic subunits.

Following Samuelson and the later literature [

7], we write this problem in its most general form as:

The objective function is *F*, the binding constraint is *G*, and the choice variables are *x*
_{
i
}with *i* ∈ 1..*n*. In a decentralized, consumer-oriented economy these choice variables are selected by independent economic subunits (e.g., consumers). The objective function is related to the maximization of the consumers' objective functions (*utility functions*) subject to constraints reflecting consumer income limitations. In a peer-to-peer network the choice variables are selected by individual peers and the constraints are those imposed by the routing protocol and the overlay topology.

The first best solution to the problem formalized by Equation

1 has the following necessary conditions for an optimal solution [

7]:

where *F*
_{
i
}and *G*
_{
i
}are partial first derivatives and λ is a Lagrange multiplier^{b} associated with the constraint in Equation 1. To obtain the first best solution, individual subunits solve their respective constrained optimization problems, and these must be consistent with the necessary conditions given by Equation 2.

Samuelson was the first to recognize that when some economic subunits fail to adhere to Equation 2, the ramifications extend beyond that deviate sector:

*"First, what is the best procedure if for some reason a number of optimum conditions are not realized? What shall we do about the remaining ones which are in our power? Shall we argue that 'two wrongs do not make a right' and attempt to satisfy those we can? Or is it possible that failure of a number of conditions necessitates modifying the rest? Clearly the latter alternative is the correct one."* [[39], p. 252]

In other words, if the first best solution is unobtainable because one sector behaves suboptimally, then the second best solution does not necessarily imply that the remaining sectors should continue to satisfy their first best optimization conditions; many subunits may need to change their optimal behaviors.

Lipsey and Lancaster [

7] formalized the second best solution with an additional constraint containing the first-order behavior of the deviating sector. We use the concise presentation of Henderson and Quandt [[

40], p. 316], who append the following constraints to the problem given by Equation

1:

The second best optimal condition that replaces Equation

2 is

^{c}
where *F*
_{
ji
}and *G*
_{
ji
}are the partial cross-derivatives between subunits *i* and *j* and *μ* is the new Lagrange variable associated with constraint 3. Thus, unless the cross-derivatives are zero, each sector *i* ∈ 1..*n* has optimal behavior that deviates from Equation 2.

Negishi [

41] (cf., [

42]) further found that under standard economic assumptions of a competitive, decentralized economy (viz., concave functions and at least one interior solution) it is as if society seeks to maximize a specific social welfare function expressible as a weighted sum of the consumer utility functions

*U*
_{
i
}(

*x*
_{
i
}). The final form of the society's objective function is therefore

The coefficients α_{
i
}are the final weights given by the implicit social welfare to the utility of the economic subunits.^{d}

These weights have a specific economic interpretation: Each consumer or household's weight is the reciprocal of its marginal utility of income. Thus, if a wealthy family places relatively low value on the last dollar earned, it receives a relatively high weight in the objective function of the society. In essence, the system tends to weight the more successful households (in terms of income).

We find a similar result in the case of peer-to-peer systems. During a message-dropping attack, non-malicious peers can be defined as those that derive utility from message deliveries. This leads to a social welfare (administrative objective) function that weights peers by the reciprocal of their relative reliability--i.e., their message delivery success rates. When all weights are equal (a standard assumption when applying utility theory to information systems problems [43]), this corresponds to the special case where all peers in the network are equally reliable.

Davis and Whinston [9] used Negishi's result to provide a piecemeal approach to the second best problem. They concluded that the difficulties of implementing a complex set of second best conditions is often overestimated since, based on Equation 5, many of the second derivatives are zero in a decentralized system and can therefore be dropped. In the context of a peer-to-peer network, this implies that it is possible to approach the second best solution without the need to share global information amongst peers. Instead, each peer adapts its own behavior individually, based on its own knowledge.

Based on the economic development above, there are two separate aspects of the problem: the mathematical method proposed by Lipsey and Lancaster, and the welfare and utility considerations discussed by Samuelson and Negishi. Section 3.2 examines the former aspect and §4.2 the latter.

### 3.2 Example Application of the Second Best to a Peer-to-peer System

Application of the second best approach to resisting message-dropping attacks in peer-to-peer overlays can be illustrated by a simple example. We begin by considering a single peer *p* of degree *k* in a network of size *n* (with *k* ≪ *n*). Peer *p* periodically receives messages for other peers, each of which it must forward to one of its *k* neighbors. We assume a flat identifier space for this example, and that peer *p* may forward each message to any one of its *k* neighbors (though for any given message, certain neighbors are better positioned than others to deliver it).

The first best solution to this problem is the one addressed when designing the overlay topology, which assigns

*p* an optimal set of

*k* neighbors given an assumed distribution of message destinations seen by

*p*. Specifically, we seek the

*k* neighbors that minimize the absolute distance between each message's final destination and the nearest of the

*k* neighbors to that destination:

where

*N*
_{
i
}∀

*i* ∈ 1..

*k* are the desired neighbor identifiers in ascending order,

*N*
_{0} = 0 and

*N*
_{
k+1 }=

*n* are the limits of the identifier space, and

*D*
_{
p
}is the probability density of message destinations seen by

*p*. For example, if

*D*
_{
p
}is a uniform distribution, the optimal first order conditions (derived by setting the derivative of Equation

6 with respect to

*N*
_{
i
}to zero) are:

That is, a uniformly distributed set of random messages is delivered most effectively when the *k* neighbors of *p* have identifiers that are evenly spaced along the interval [0, *n*).

The above implicitly assumes that peers behave optimally, forwarding each message to the neighbor closest to its destination. A second best solution is needed when some peers behave suboptimally and there is no way (short of centralizing the system) to force optimal behavior. One option in this case is to implement a new first best solution, but this requires global information about the overlay topology, which isn't typically available to peers once the network has been deployed and malicious behavior becomes evident. The second best solution takes the topology as given and re-solves the optimization problem to obtain a new recommended optimal behavior for peer *p* given the suboptimal behavior of its neighbor(s).

For example, suppose that peer

*p* discovers that of the

*a*
_{
m
}messages it forwarded to peer

*m* ∈ 1..

*k* during some sampling period, only

of them were ultimately delivered to their final destinations. In the first best solution given by Equation

7, peer

*p* forwards an average of

*w*/

*k* of its messages to each of its neighbors, where

*w* is the total number of messages; thus, when

, neighbor

*m* is behaving suboptimally (possibly due to the suboptimal behavior of its neighbors). The second best solution with respect to peer

*m*'s actions requires appending the following constraint to Equation

6, with new Lagrange multiplier

*β*:

When not all messages that peer

*p* forwards to peer

*m* are ultimately delivered (i.e.,

*a*
_{
m
}<

*w*/

*k*), we obtain a different optimal identifier value for the neighbor on each side of neighbor

*m* (obtained by summing Equations 6 and 8, setting the derivative to zero, and solving for the unknowns):

Even though peer *p* cannot change the identifiers of its neighbors, it should forward its messages as if neighbor *m* - 1 had identifier
and neighbor *m* + 1 had identifier
. As peer *m*'s reliability decreases, *β* increases and
and
approach *N*
_{
m
}. Peer *p* therefore forwards fewer messages to neighbor *m* since fewer destinations are closer to *N*
_{
m
}than to
or
. In the limiting case where
(i.e., neighbor *m* is completely unreliable), peer *p* only forwards to *m* those messages whose final destinations are *m* itself.

We next generalize this approach to a larger class of topologies and message-dropping attacks, and we examine the second best approach from both the perspective of individual peers and that of the system as a whole.