Trust Transitivity in Social Networks

Non-centralized recommendation-based decision making is a central feature of several social and technological processes, such as market dynamics, peer-to-peer file-sharing and the web of trust of digital certification. We investigate the properties of trust propagation on networks, based on a simple metric of trust transitivity. We investigate analytically the percolation properties of trust transitivity in random networks with arbitrary in/out-degree distributions, and compare with numerical realizations. We find that the existence of a non-zero fraction of absolute trust (i.e. entirely confident trust) is a requirement for the viability of global trust propagation in large systems: The average pair-wise trust is marked by a discontinuous transition at a specific fraction of absolute trust, below which it vanishes. Furthermore, we perform an extensive analysis of the Pretty Good Privacy (PGP) web of trust, in view of the concepts introduced. We compare different scenarios of trust distribution: community- and authority-centered. We find that these scenarios lead to sharply different patterns of trust propagation, due to the segregation of authority hubs and densely-connected communities. While the authority-centered scenario is more efficient, and leads to higher average trust values, it favours weakly-connected “fringe” nodes, which are directly trusted by authorities. The community-centered scheme, on the other hand, favours nodes with intermediate in/out-degrees, in detriment of the authorities and its “fringe” peers.


Introduction
Several social and technological systems rely on the notion of trust, or recommendation, where agents must make their decision based on the trustworthiness of other agents, with which they interact. One example are buyers in markets [1], who may share among themselves their experiences with different sellers, or lenders which may share a belief that a given borrower will not be able to pay back [2]. Another example are peer-to-peer filesharing programs [3], which often must know, without relying on a central authority, which other programs act in a fair manner, and which act selfishly. In the same line, an even more direct example is the web of trust of digital certification, such as the Pretty Good Privacy (PGP) system [4,5], where regular individuals must certify the authenticity of other individuals with digital signatures. In all these systems, the agents lack global information, and must infer the reliability of other agents, based solely on the opinion of trusted peers, thus forming a network of trust. In this paper, we present an analysis of trust propagation based on the notion of transitivity: If agent a trusts agent b, and agent b trusts agent c, then, to some extent, agent a will also trust agent c. Based on this simple concept, we define a trust metric with which the reliability of any reachable agent may be inferred. Instead of concentrating on the minutiae of trust propagation semantics, we focus on the topological aspect of trust networks, using concepts from network theory [6]. Using random networks as a simple model, we investigate the necessary conditions for trust to ''percolate'' through an entire system. We then apply the concepts introduced to investigate in detail the PGP web of trust, possibly the best ''real'' example of a trust propagation system, which is completely accessible for investigation. We focus on the role of the strongly connected nodes in the network -the so called trust authorities -which represent a different paradigm of trust delegation, in comparison to the decentralized community-based approach, which is also heavily present in the network. This paper is divided as follows. In section 1 we define the trust metric used; in section 2 we consider the problem of trust percolation in random networks with different trust weight distributions. In in section 3 we turn to the analysis of the PGP network, and provide an extensive analysis of its topology, and of trust propagation according to different trust distribution scenarios. Finally, we provide some final remarks and a conclusion.

Analysis 1 Trust metric
Trust is the measure of belief that a given entity will act as one expects. It is often associated with positive, desirable attributes, but it may not always be the case (e.g. one may have trust that someone will act undesirably). Humans use trust to make decisions when more direct information is unavailable. In general, humans will decide their level of trust based on arbitrary, heuristic rules, since there is no formal consensus on how to evaluate trust. We will deliberately avoid the detailed formalization of these rules, and instead rely on two simplifications: 1. We will treat trust simply as a probability that a given assessment about an agent is true or false (e.g. fair/reliable or not); 2. We further assume that this belief is transitive, i.e. if agent a trust agent b, which in turn trusts agent c, then a will also trust c, to some extent. This makes trust propagation easier to analyse, while retaining its most intuitive properties.
We will consider a system of N agents which form a directed trust network: Each agent v (represented by a vertex, or node) has a number of interactions (represented by directed edges, or links) with other agents fu i g for which a value c v,ui [ ½0,1 of direct trust is defined a priori, and which can be interpreted as a probability. This value represents a direct experience agent v had with u i , which is not inferred from any other agent. We note that this value fully reflects the directed nature of the network, so that if there is also an edge u i ?v, the value of c ui,v is in independent of c v,ui -in other words, direct trust does not need to be reciprocal. Additionally, we do not assume that there is an inherent self-loop from each vertex to itself. If a self-loop v?v exists, we do not ascribe any special meaning to the diagonal element c v,v , which can be arbitrarily chosen just as any other direct trust value. We then define the inferred trust t ij [ ½0,1 from agent i to any agent j, which is somehow based on the values of c v,ui , which is somehow based on the values of c v,ui . In a simple situation where there is only one possible path between any two given nodes (e.g. the network is a directed tree, as the example on the left in Fig. 1), one could simply multiply the values of c along the single path to obtain t, e.g. t Alice,Bob~c1 c 3 , in the example of Fig. 1 (throughout this work, a path is always considered to be self-avoiding, i.e. no edge or vertex is visited twice). In general, however, the situation may be more complicated, as in the example on the right of Fig. 1, where there is a variety of possible (often ''contradictory'') transitive paths between most pairs of nodes. Perhaps the simplest way of defining a trust metric would be to consider only the best transitivity path between two nodes, i.e., the one where the trust transitivity is maximum, where P uVv is the set of all paths from u to v, fe i g is the set of edges in a given path, and c e is the direct trust associated with a given edge (if there is no path from u to v, we consider the value of s u,v to be zero. Additionally, we consider the diagonal values of best trust to be equal to one, i.e. s u,u~1 ). This definition is an attractive one, since it corresponds directly to the concept of minimum distance on weighted graphs, which is defined as the sum of weights along the path with the smallest sum. This is easily seen by noticing that Pfe i g c ei~e xpf{ X feig v ei g, with v ei~{ lnc ei §0 being the edge weights (with the special value of v ei~? if c ei~0 ). However, it is clear that this approach leads to an optimistic bias, since the best path obviously favors large values of trust, and uses only a small portion of the information available in the network. As an illustration consider the network on the right of Fig. 1, where the value of s Alice,Bob is 1|0:9|0:6~0:54, via Dave and Chuck. However, if Chuck is directly consulted, the transitivity drops to 0:3|0:6~0:18. In principle, there is no reason to prefer any of the two assessments over the other. One may attempt to rectify this by considering instead all possible paths between two nodes, where v uVv is a weight associated with a given path uVv. It should be chosen to minimize the effect of a very large number of paths with very low values of trust, without introducing an optimistic bias on the final trust value. One apparently good choice is to consider the transitivity value of the path itself, but not including the last edge, where e ?v is the last edge in the path, and d is the Kronecker delta. The usage of Eq. 3 is apparently appropriate since it not only avoids a bias in the final value oft t u,v , but also v uVv has a simple interpretation as being the value of trust on the final recommendation, which is completed by the last edge. While this may seem reasonable, and uses all available information in the network, it has two major drawbacks: 1. It is very computationally costly to consider all possible paths between two nodes, even in moderately sized networks. It would represent an unreasonable effort on part of the agents to use all this information. 2. Computed as in Eq. 2, the value oft t u,v has the unsettling behaviour of tending to zero, whenever the number of paths become large (as they often are), even when paths are differently weighted. Consider a simple scenario where the network is a complete graph, i.e. all possible edges in the network exist, and all of them have the same direct trust value c. Since there are N{2 l l! paths of length lz1 between any two vertices, the value of inferred trust between any two nodes can be calculated as Figure 1.
where C is the upper incomplete gamma function, from which it is easy to see that lim N??t t u,v~0 for cv1. This is an undesired behavior, since one would wish that such highly connected topologies (which often occur as subgraphs of social networks, known as cliques) would result in higher values of trust. In order to compensate for this one would have to use a more aggressive weighting of the possible paths. We propose the following modification, which combines some features of both previous approaches: Instead of considering all possible paths, we consider only those with the largest weights to all the in-neighbours of the target vertex, as shown in Fig. 2. This leads to a trust metric defined as where the path weights are the best trust transitivity to the inneighbours, s G\fvg u,w , which are calculated after removing the target vertex from the graph (so that it cannot influence its own trust), and A w,v is the adjacency matrix, defined as if there is an edge w?v, Like for s u,v , we assume that t u,v~0 if there is no path from u to v, and t u,u~1 , for any u. We note that the term s G\fvg u,w 2 comes from the multiplication of the trust being averaged, s G\fvg u,w c w,v , and its corresponding weight s G\fvg u,w . We call this trust metric pervasive trust, and it corresponds to the intuitive strategy of searching for the nodes with a direct interaction with the target node (the final arbitrators), and weighting their opinions according to the best possible trust transitivity leading to them. It can be seen that this definition does not suffer from the same problems of Eq. 2, again by considering the same complete graph example, with uniform direct trust c. Since in this situation every target vertex has N{2 in-neighbours different from the source, and the shortest path to each of these in-neighbours is of length one, the value of pervasive trust can be easily calculated as for u=v, which converges to t u,v &c 2 for N&1. Thus the indirect opinions with value c 2 dominate the direct trust value c, but the inferred value does not vanish, as with the definition of Eqs. 2 and 3.
Considering again the example on the right of Fig. 1, we obtain the value t Alice,Bob~( 0:9 2 |0:6z(0:9|0:7) 2 |0:3)=(0:9z0:9|0:7) &0:4, from the edges outlined in blue in the figure. Additionally, the definition of pervasive trust works as one would expect in the trivial example on the left of Fig. 1, where s u,v and t u,v have the same values. We note that the numerical computation of s u,v can be done by using Dijkstra's shortest path algorithm [7,8], which has a complexity of O(NlogN). Thus the entire matrix s u,v can be calculated in O(N 2 logN) time. The same algorithm can be used to calculate t u,v , but since each target vertex needs to be removed from the graph, and thus a new search needs to be made for each different target, this results in O(N 3 logN) time. It is possible to improve this by performing searches in the reversed graph, i.e., for each target vertex v, the contribution to t u,v from all sources u can be calculated simultaneously, after v is removed, by performing a single reversed search from each of the in-neighbours of v to each source u. This way, the entire t u,v matrix can be computed in O(kN 2 logN) time (where k~E=N is the average in/out-degree of the network), which is comparable to the computation time of s u,v for sparse graphs.
1.1 Comparison with other trust metrics. Other trust metrics have been proposed in the literature, mainly by computer scientists, seeking to formalize the notion of trust in peer-to-peer computer systems. Some are quite detailed, like the usage of subjective logic by Jøsang et al [9], and others are comparable with the simplistic approach taken in this work, such as Eigentrust [3] and more recently TrustWebRank [10]. These last metrics are based on the notion of feedback centrality [8], which is usually defined as some linear system involving the adjacency matrix. The Eigentrust metric requires the trust network to be a stochastic matrix (i.e. the sum of the trust values of the out-edges of all vertices must sum to unity) and the inferred trust values are given by the steady state distribution of the corresponding Markov chain (i.e. the left eigenvector of the stochastic matrix with unity eigenvalue, hence the name of the metric). Thus the inferred trust values are global properties, independent of any source vertex (i.e. non-personalized), which is non-intuitive. Additionally, the requirement that the trust network is stochastic means that only relative values of trust are measured, and the absolute information is lost. Furthermore, such an approach is strongly affected by the presence of loops in the network, which get counted multiple times, which is also non-intuitive as far as trust transitivity is concerned. The metric TrustWebRank [10] tries to fix some of these problems by borrowing ideas from the PageRank [11] algorithm, resulting in a metric which also requires a stochastic matrix, but is personalised. However, in order for the algorithm to converge, it depends on the introduction of an damping factor which eliminates the contribution of longer paths in the network, independently of its trust value. This is an a priori assumption that these paths are not relevant, and may not correspond to reality. Additionally, the strange role of loops in the network is the same as in the Eigentrust metric. However, since there is no consensus on how a trust propagates, and the notion of trust lacks a formal, universally accepted definition, in the end there is no ''correct'' or ''wrong'' metric. We only emphasize that our approach is derived directly from the simple notion of trust transitivity, is easy to interpret, propagates absolute values of trust, and makes no assumption whatsoever about the network topology, and direct trust distribution.

Trust percolation
Trust transitivity is based on the multiplication of direct trust values, which may tend to be low if the paths become long. Therefore, it is a central problem to determine if the trust transitivity between two randomly chosen vertices of a large network vanishes if the system becomes very large. This provides important information about the viability of trust transitivity on large systems. As a simple network model, we will consider random directed networks with arbitrary in/out-degree distributions [12]. We will also suppose that the direct trust values in the range between c and czdc will be independently distributed with probability r c (c)dc, where r c (c) is an arbitrary probability density function (PDF). The objective of this section is to calculate the average best trust transitivity SsT, given by Eq. 1, and the average pervasive trust StT, Eq. 7, between randomly chosen pairs of source and target vertices. In random networks, the value of average pervasive trust will be given simply as StT~SsTScT, since the best paths to the in-neighbours of a given vertex are uncorrelated, and the probability that they pass through the node itself tend to zero, in the limit of large network size. Therefore we need only to concern ourselves with the average best trust transitivity SsT.
Directed networks are composed of components of different types and sizes: For each vertex there will be an out-component, which is the set of vertices reachable from it, and an in-component, which is the set of vertices for which it is reachable. A maximal set of vertices which are mutually reachable is called a strongly connected component. Random graphs often display a phase transition in the size and number of these components: If the number of edges is large enough, there will be the sudden formation of a giant (in-, out-, strongly connected) component, which spans a non-vanishing fraction of the network [6,12]. The existence of these giant components is obviously necessary for a non-vanishing value of trust to exist between most vertices, but it is not sufficient, since it is still necessary that the multiplication of direct trust values along most shortest paths do not become vanishingly small. As an illustration, consider a sparse graph (i.e. with finite average in/outdegree), with a arbitrary in/out-degree distributions. In the situation where there is a sufficiently large giant out-component in the graph, the average shortest path from a randomly chosen root vertex to the rest of the network is given approximately [12] by independently of the out-degree distribution (as long as SkT and Sk 2 T are finite positive), where N is the number of vertices, SkT is the average out-degree and Sk 2 T is the average number of second out-neighbours, and it is assumed that N&SkT and Sk 2 T&SkT (an analogous expression for the distance from the entire network to a randomly chosen target can be obtained by replacing SkT and Sk 2 T with the average in-degree and second in-neighbours, SjT and Sj 2 T respectively). Since the edges are weighted, the average length of the best paths can differ from l, but can never be smaller. Thus, an upper bound on the average best trust is given by where maxfc i g is the maximum value of direct trust in the network. In the situation where maxfc i gv1, we have that lim N?? SsT~o(0), since lim N?? l~?. Therefore, if there are no values of c~1 in the network, the average trust will always be Figure 3. Neighbourhood of vertex v with out-neighbours fw i g with direct trust fc i g. The best trust from v to an arbitrary vertex u, s v,u , is given as a function of fc i g and fs wi ,u g, according to Eq. 11. doi:10.1371/journal.pone.0018384.g003 zero in sparse networks. The only possible strategies for nonvanishing values of average trust is either to have a non-zero fraction of c~1 (which we will call absolute trust), or for the network to be dense, such that l remains finite for N??.
With the above consideration in mind, we now move to calculate the average trust transitivity values. We will obtain a selfconsistency condition for the distribution of best trust transitivity values, by describing the direct neighbourhood of a single vertex, similarly to what was done in [12] to obtain the distribution of component sizes. For simplicity, we will consider only the situation where the in-and out-degrees of the vertices are uncorrelated. The approach is based on the following observation. Consider two randomly selected vertices, v and u, and the best trust from v to u, s:s v,u , which is distributed according to a PDF r s (s). Let fw z i g be the set of out-neighbours of v (we assume that the probability of u[fw z i g vanishes for N??), with direct trust values fc i g, as illustrated in Fig. 3. It is clear that the value of s can be written as a function of the best trust from each out-neighbour w z i to u, s w z i ,u , as We note that an analogous equation can be obtained in the opposite direction, by considering the in-neighbours fw { i g of u, with direct trust values fc' i g, and their best trust values fs Each equation above can be used to establish a self-consistency equation for appropriately defined auxiliary distributions, which can be combined to obtain r s (s), as will be explained below. The main intuitive notion which will be explored is that on uncorrelated random graphs, the properties of a given vertex and its out/in-neighbours should be the same on average. Therefore, certain distributions associated with variables on the left hand side of Eqs. 11 and 12, are also associated with variables which appear on the right hand side. In order to express the selfconsistencies in detail, we need to introduce two auxiliary variables s z and s { and their PDFs r z (s z ) and r { s (s { ). The PDF r z s (s z ) will be associated with Eq. 11 and the out-degree distribution, and r { s (s { ) with Eq. 12 and the in-degree distribution. Without loss of generality, we describe only the self-consistency for r z s (s z ) in detail, since the development for r { s (s { ) can be obtained in an entirely analogous fashion, by replacing the out-degree with the in-degree. In order to transform Eq. 11 into a self-consistency equation, we need to define yet another auxiliary distribution,b b z (x), which is the cumulative probability that s z cvx, with c being the direct trust, distributed according to r c (c), given by , we obtain that the cumulative probability that the right hand side of Eq. 11 is less than x is given by ½b can be obtained by supposing that the value of s is distributed according to the same distribution as s w z i ,u , and considering all the possible out-degrees and their respective probabilities, as follows (see Fig. 4): The cumulative probability that svr z s z , where r z is an arbitrary value which will not influence the self-consistency, will be given by the sum of the probabilities that vertex v has outdegree k multiplied by the cumulative probability that maxfc' i s v,w { i gvr z s z for all k out-neighbours. Concisely, this can be expressed asr where p k is the out-degree distribution. Note that while Eq. 14 is a self-consistency condition from which r z s (s z ) can be obtained (given r c (c) and p k ), it cannot be used to obtain r s (s) directly, because of the arbitrary value r z which does not influence Eq. 14. We note however that, as mentioned previously, Eq. 12 can be used to obtain an equation for s { and r { s (s { ) which is entirely analogous to Eq. 14, with p k replaced by the in-degree distribution p j . This equation is also not affected by an analogous arbitrary value r { . Since we have two self-consistency relationships which are defined up to two arbitrary values, they can be used to complement each other by formulating the ansatz that r z~s{ and r {~sz , which leads to With this connection it is possible to obtain r s (s) from r z s (s z ) and and the average SsT~Ð 1 0 dssr s (s) more directly as Ss { TSs z T: ð19Þ By rewriting Eq. 14 in terms of the generating functions of the inand out-degree distributions, one obtains the self-consistency equations in a more compact form,r We turn now to the conditions necessary for non-vanishing average trust transitivity. Both Eqs. 21 and 22 accept the trivial solutionr r {=z s (s)~H(s), which corresponds to r {=z s (s)~d(s), i.e. the average best trust is zero. As discussed previously, for other solutions to be possible, we need to consider a non-vanishing fraction of edges with absolute trust c~1 in the network. Here we will consider direct trust distributions of the form, which correspond to a fraction c of edges with c~1, and a complementary fraction (1{c) with c given with probability density r' c (c). We will consider two different versions of r' c (c): A uniform distribution r' c (c)~1, and a single-valued distribution r' c (c)~d(c{g), with g~1=2. We will use two different in/outdegree distributions, the Poisson and Zipf, and their respective generating functions,  (2) N is the number of vertices (keys), and E is the number of edges (signatures), SjT is the average in-degree, r is the average reciprocity, a is the assortativity coefficient and c is the average clustering coefficient. doi:10.1371/journal.pone.0018384.t001 p j~j where f(t) is the Riemann f function, and Li n (x) is the nth polylogarithm of x. For simplicity, we will consider only the situation where p j~pk , and both the in-degree j and the outdegree k are independently distributed. In Fig. 5 are plotted the values of SsT and StT, as a function of c, for the different distributions. It is also compared with numerical computations on actual network realizations of different sizes. The main feature observed is a first-order transition from vanishing trust to positive trust, at specific values of c. This is an interesting feature, since it seems at first to be at odds with traditional percolation theory, which predicts a second-order transition. However, we point out that the order parameter SsT is very different from what usually characterises a percolation transition, namely the relative size of the largest connected component. Although we used a similar technique to obtain SsT, there is no a priori reason to expect its transition to be continuous, and indeed it seems not to be the case. It is possible, however, to identify a very direct connection to the conventional percolation transition, given by the values c Ã where the transition for SsT occurs: If one considers the subgraph composed of all the vertices and only the edges with c~1, it can be easily concluded that this subgraph is a random graph on its own, since the values of c are randomly distributed on the edges. Its in/out-degree distributions will in general be different than for the complete graph, with an average given by cSkT. For a Poisson distribution, the usual percolation transition occurs when the average in/out-degree is one [12], which, for the c~1 subgraph, corresponds to c Ã~1 =SkT. These are indeed the transition points observed for SsT, when in/outdegree distributions are Poisson. Therefore, the transition values c Ã correspond exactly to the critical values of the formation of a giant component of the subgraph composed only of edges with c~1. It is worth observing that on finite graphs, the average trust does not vanish very rapidly, and is still non-zero for relatively large networks with N~10 6 vertices, even when c~0. This seems to be simply a finite size effect, intensified by the the socalled small-world property, where the average shortest path scales slowly as l*lnN, as in Eq. 10. As can be seen in in Fig. 5, for some of the networks of size up to 10 6 vertices, the values of vsw below the transition have not yet converged to a value which no longer depends on N, which clearly indicates a finite size effect. This is further corroborated by the values of SsT for c~0, which are sometimes above zero, even though in this situation they must be equal to zero in the limit N??, as explained in detail previously. This very strong finite size effect means also that in practical situations where networks are large but finite, cwc Ã it is not a strictly necessary condition for systemwide trust propagation.
Another interesting feature is the behaviour of the average trust in graphs with Zipf in/out-degree distribution. There, the transition to positive trust is of second order, and the critical points are also c~1=SkT. Additionally, the values of average trust are smaller than in networks with Poisson in/out-degree distribution and the same average in/out-degree, for intermediary values of c after the transitions. This is due to the smaller path multiplicity of graphs with scale-free distribution: Even though the average shortest path length is smaller in such graphs, the number of alternative paths is also smaller, due to the dominance of vertices with smaller in/out-degree. Thus, if the shortest path happens to have a small trust value, there will be a higher probability there will not be an alternative path. In Fig. 5 it is shown also the average best trust for 1vtv2, for which the average in/out-degree diverges. For such dense networks, the values of SsT are above zero for all values of cw0, which means that any small (but existing) fraction of edges with c~1 can be used by most shortest paths in this case.

The Pretty Good Privacy (PGP) Network
In this section we investigate trust propagation on the Pretty Good Privacy (PGP) network. In a broad manner PGP (or more precisely the OpenPGP standard [13]) refers to a family of computer programs for encryption and decryption of files, as well as data authentication, i.e. generation and verification of digital signatures. It is often used to sign, encrypt and decrypt email. It implements a scheme of public-key cryptography [14], where the keys used for encryption/decryption are split in two parts, one private and one public. Both parts are related in way, such that the  private key is used exclusively for decryption and creation of signatures, and the public key only for encryption and signature verification. Thus any user is capable of sending encrypted messages and verifying the signature of a specific user with her public key, but only this user can decrypt these messages and generate signatures, using her private key, which she should never disclose. The public keys are usually published in so-called key servers, which mutually synchronize their databases, and thus become global non-centralized repositories of public keys. However, the mere existence of public key in a key server, associated with a given identity (usually a name and an email address) is no guarantee that this key really belongs to the respective person, since there is no inherent verification in the submission process. This problem is solved by the implementation of the so-called web of trust of PGP keys, whereby a user can attach a signature to the public key of another user, indicating she trusts that this key belongs to its alleged owner. The validity of a given key can then be inferred by transitivity, in a self-organized manner, without the required presence of a central trust authority. As such, this system represents an almost perfect example of a trust propagation through transitivity.
As a rule, key signatures should only be made after careful verification, which usually requires the two parties to physically meet. Such a requirement transforms the web of trust into a snapshot of a global social network of acquaintances, since the vast majority of keys correspond to human users, which tend to sign keys of people with which they normally interact. There is also a tendency to sign keys (upon verification) from people which do not belong to a close circle of acquaintances, with the sole purpose of strengthening the web of trust with more connections. This tendency is well reflected by the so-called ''key signing parties'', where participants meet (usually after a large technological conference) to massively sign each other's keys [15]. Thus the structure of the PGP network reflects the global dynamics of selforganization of human peers in a social context. This section is divided in two parts. In the first part we present some aspects of the topology and temporal organization of the network. In the second part we analyze the trust transitivity in the network, in view of the trust metric we discussed previously.

Network topology.
The PGP network used in this work was obtained from a snapshot of the globally synchronized SKS key servers (available at http://key-server.de/dump/) in November 2009. It is composed of N&2:5|10 6 keys and E&7|10 5 signatures with a very low average in-degree of SjT~0:28. This means that many keys are isolated and contain no signatures. Therefore we will concentrate on the largest strongly connected component, i.e. a maximal set of vertices for which there is a path between any pair of vertices in the set. The number of vertices N&4|10 4 in this component is much smaller, but the network is much denser, with on average SjT&7:58 signatures per key (see summarized data in table 1). It represents the de facto web of trust, since the rest of the network is so sparsely connected that no trust transitivity can be inferred from it. We note that keys may have multiple ''subkeys'' which correspond to different identities (usually different email addresses from the same person) and which can individually sign other subkeys. For simplicity, in this work we have collapsed subkeys into single keys, and possible multiple signatures into a single signature. We have also discarded invalid, and revoked keys and signatures.
The number of keys and signatures in the strongly connected component has been increasing over time, as shown in Fig. 6. The number of keys (which are now valid) was approximately the same for some time and then slightly decreased for a period up to around 2002, and has been increasing with an approximately constant rate since then. We note that the number of keys may decrease, since keys can expire or be revoked. The number of signatures, on the other hand, seems to be increasing with an accelerated rate, with an approximately constant acceleration, which is similar to the rate of growth of the number of keys. This means that the average in/out-degree of the network is increasing with time, as can be seen in Fig. 6. Keys and signatures grow in an organized manner, as shown by the waiting time distribution between the creation of two subsequent keys or signatures, as shown in Fig. 6. These distributions are broad for several orders of magnitude, from the order of seconds to days, approximately following a power-law in this region. The fact that keys and signatures are often created only seconds apart, and the waiting time distribution lacks any discernible characteristic scale, except Table 2. The eleven keys with the largest number of signatures in the network, their respective in-degree j, out-degree k, average in-degree of the nearest out-neighbours SjT out , clustering coefficient c, and date of creation. for a cut-off at large times (*1 day), shows that the network does not grow in a purely random fashion (which would generate exponentially-distributed waiting times, as in an homogeneous Poisson process. If the Poisson process is non-homogeneous, with a constantly accelerating rate, the waiting times would follow instead a Weibull distribution, which also has an exponential tail), and serves as a signature of an underlying organized growth process. We will characterize the topology of the network by its in/outdegree distribution and nearest-neighbours in/out-degree correlations, as well as other standard network measures such as clustering [16], reciprocity [17] and community structure [18]. We will pay special attention to the most highly connected vertices, some of which correspond to so-called certificate authorities and display a distinct connectivity pattern, which has a special meaning for trust propagation.
The network has very heterogeneous in/out-degree distributions, as can be seen in Fig. 7, with some keys having on the order of 10 3 signatures. They are possibly compatible with a power-law with exponent *2:5 for large in/out-degrees, but the distributions are not broad enough for a precise identification. The number of signatures on a given key (the in-degree) and the number of signatures made by a the same key (the out-degree) are strongly correlated, as can be seen in Fig. 8, which shows the average outdegree SkT as a function of the in-degree j. This is explained by the high reciprocity of the edges in the network, i.e. if a key a signs a key b, there is a very high probability that key b signs key a as well. This is easy to understand, since key verification usually requires physical presence, and both parties take the opportunity to mutually verify each other keys in the same encounter. The edge reciprocity [17] is quantified as the fraction r~n < e =E, where n < e is the number of reciprocal edges and E is the total number of edges in the network. The PGP network has a high value of r~0:69. The reciprocity is distributed in a slightly heterogeneous fashion across the network, as is shown in Fig. 8, where is plotted the average reciprocity of the edges as a function of the in-and out-degrees of the source vertex. It can be seen that the keys with very few signatures tend to act in a very reciprocal manner, whereas the more prolific signers receive less signatures back. This heterogeneity is further amplified when one considers the in/outdegree correlation between nearest-neighbours, as shown in Fig. 7, where it is plotted the average in-and out-degree, SjT nn and SkT nn , of the nearest out-neighbours of the vertices in the network, as a function of the in-and out-degree of the source vertex, j and k. The in/out-degree correlation shows an assortative regime for intermediary in/out-degree values (*10 -40), meaning that vertices with higher in/out-degrees are connected preferentially with other vertices with high degree, but also some dissortative features for vertices with very high and very low in/ out-degrees, where vertices with low in/out-degree are connected preferentially with vertices with high in/out-degree, and vice versa. This mixed connectivity pattern leads to a very low scalar assortativity coefficient [19] of a~0:0332(3), which is an unusually small value for social networks [20] (the scalar assortativity coefficient is defined for an undirected graph as For the PGP network, the direction of the edges was ignored in the calculation of a). These differences become more clear when one investigates more closely the keys with the largest in-degree in the network, as it is shown in table 2. As with the rest of the network, most of the largest keys belong to individuals, with the exception of the first and third keys with the most signatures, which belong to entities. These entities are known as certificate authorities and are created by organizations with the intent of centralizing certification. The largest authority is the community-driven CAcert.org which issues digital certificates of various kinds to the public, free of charge (See the CAcert.org website: http://cacert.org). The second largest authority is the German magazine c't, which initiated a PGP certification campaign in 1997 (A second, older c't key is also still among the largest hubs, with 289 signatures. See http://www.heise.de/security/dienste/Krypto-Kampagne-2111. html for more details). These authorities interact with individuals in a different manner, acting as a central mediator between loosely connected peers. This is evident by the low clustering coefficient (c&0:003), which is one order of magnitude lower than the other (human) hubs (c*0:05 -0:11), and the average in-degree of their out-neighbours, which is also significantly smaller than their human counterparts (*17 vs. 60 -80, respectively). These different patterns represent distinct paradigms of trust organization: Authority vs. Community-based; each with its set of advantages and disadvantages. An authority-based scenario relies on few universally trusted vertices which mediate all trust propagation. In this way, the responsibility of key verification is concentrated heavily on these vertices, which reduces the total amount of verification necessary, and is thus more efficient. The most obvious disadvantage is that the authorities represent central points of failure: if an authority itself is not trusted, neither will be the keys it certifies. Additionally, this approach may increase the probability of forgery, since only one party needs to be deceived in order for global trust to be achieved. The complementary scenario is the community-based approach, where densely-connected clusters of vertices provide certification for each other. This obviously requires more diligence from the participants, but has the advantage of larger resilience against errors, since the multiplicity of different paths between vertices is much larger. In the PGP network both these paradigms seem to be present simultaneously, as can be observed in detail by extracting its community structure [18]. This is done by obtaining the community partition of the network which maximizes the modularity Q of the network, defined as where E is the total number of edges, A ij is the adjacency matrix of the network, k i is the degree of vertex i, s i is the community label of vertex i and d is the Kronecker delta. According to this definition, a partition with high values of Q is possible for networks with densely-connected groups of vertices, with fewer connections between different groups. The maximum value of Q~1 is achieved only for "perfect" partitions of extremely segregated communities. We note that the above definition is meaningful only for undirected graphs, and thus we apply it to the undirected version of PGP network, where the direction of the edges is ignored. We used the method of Reichardt et al [21] to obtain the best partition, which resulted in modularity value of Q&0:73. As a comparison, we computed the modularity for a shuffled version of the network, where the edges were randomly placed, but the in/ out-degrees of the vertices were preserved, which resulted in the significantly smaller value Q&0:03. The distribution of community sizes seems to have a power-law tail with exponent *2:3 (*3:8 for the shuffled network), characterizing a scale-free structure. By isolating the individual communities, one can clearly see strong differences between those in the vicinity of the certificate authorities and ''regular'' communities. In Fig. 9 is shown two representative examples of these two types of communities: On top is the community around the CAcert.org certificate authority, and is composed of 677 keys, with an average 6:9 signatures per key. Its in/out-degree distributions are shown on the side, from which the large discrepancy between the most central vertex and the rest of the community can be observed. The colors on the vertices correspond to the Top-Level Domain (TLD) of the email addresses associated with each key, and serve as a coarse indication of the geographical proximity of the individuals. For the community containing CAcert.org, a high degree of geographical heterogeneity is present. This is corroborated also by the fact that there are fewer direct edges between individuals. On the bottom of Fig. 9 it is shown a community composed almost exclusively of keys with Austrian email addresses (.at TLD) which show a completely different pattern, lacking any central authority.
It is smaller, with 287 keys, but denser, with 10 signatures per key. This pattern is repeated for most of the largest communities in the graph. Some non-centralized communities have a broader in/outdegree distribution than the Austrian community, but only those associated with certificate authorities display a centralized pattern such as in the top of Fig. 9.
We now turn to the trust propagation on the PGP network.
2.2 Trust transitivity. In order to properly investigate trust transitivity in the PGP network, it is necessary to know the direct trust values associated with each signature, which indicate the level of scrutiny in the key verification process. The OpenPGP standard [13] defines four trust ''classes'' for signatures, according to the degree of verification made. Unfortunately, these classes are universally ignored, and most signatures fall into the ''generic'' class, from which no assertion can be made. Since the actual level of verification of the keys is in fact unknown, we will investigate hypothetical situations which represent different strategies the PGP users may use to verify keys. In the last section we have shown that the network is composed of different connection patterns: community clusters and centralized trust authorities. Depending on how these connection patterns are judged more trustworthy, the values of transitive trust will be different. Here we will consider three possible scenarios: 1. Random distribution, 2. Authority-centered trust, and 3. Community-centered trust. In all situations we will consider that all signatures have the same trust value of c~1=2, except for a fraction c of edges which have absolute trust c~1, which is selected as follows for each situation: 1. Random: The cE edges are chosen randomly among all E edges. 2. Authority-centered: The cE edges with the largest betweenness [22] b e are chosen, which is defined as where s i,j is the number of shortest paths from vertex i to j, and s ij (e) is the number of these paths which contain the edge e. This distribution favours edges adjacent to nodes with high in/ out-degree, and also edges which bridge different communities. 3. Community-centered: The cE edges with the largest edge clustering t e are chosen, which is defined as where s(e) and t(e) are the source and target vertices of edge e, A i,j is the adjacency matrix, and j i and k i are the in-and outdegrees of vertex i, respectively. This quantity measures the density of out-neighbours of the s(e) which are also inneighbours of t(e), and simultaneously the density of inneighbours of t(e) which are out-neighbours of s(e) (this definition is equivalent to a normalized version of the edge multiplicity defined in [23][24][25]). This distribution favours edges with belong to densely-connected communities. For instance, the edges of a clique (i.e. a complete subgraph) will all have the value t e~1 {1=(n{1), where n is the size of the clique, which will approach the maximum value t e ?1 for a sufficiently large clique size.
In Fig. 10 it is shown the average best trust transitivity, Eq. 1 and average pervasive trust Eq. 7 for the PGP network, as a function of c according to the different approaches. We note that no discontinuous transition is seen. This is probably due to the numerous topological differences from purely random networks (i.e. correlations, reciprocity, community structure, clustering), as described previously, as well as relatively small size of the network, all of which may cause the transition to disappear. The authority-centered trust leads to significantly higher values of SsT and StT, and the community-based distribution to the lowest values. This is expected, since distributing trust according to the edge betweenness essentially optimizes trust transitivity, putting the highest values along the shortest paths between vertices. The community-centered approach does exactly the opposite, favoring intra-community connections, and results in the lowest values of average trust. Thus, favoring the hubs and authorities is clearly more efficient, if the objective is solely to increase the average trust in the network. However, pure efficiency may not be what is desired, since it relies in the opinion of a much smaller set of vertices, which eases the job of dishonest parties, which need only to convince these vertices in order to be trusted by a large portion of the network. Some of these issues become more clear by observing how nodes with different in-degrees receive trust with each of these strategies, as show in Fig. 11. More specifically, what is shown is the average pervasive and best in-trust for vertices with different in-degrees, which are respectively defined as s in v~X u=v s u,v =(N{1) and t in v~X u=v t u,v =(N{1), for a given vertex v. For a random distribution of direct trust, the vertices with higher in-degree receive a natural bias in the values of average best in-trust, Ss in T, since the shortest paths leading to them tend to be smaller. But the fair nature of the definition of t compensates for this, and the values of St in T are almost independent of the in-degree of the vertices. The highly connected nodes become more trusted only with the authoritycentred approach. Interestingly, in this situation the nodes with the smallest in-degrees also receive a large value of trust, since most of them are ''fringe'' nodes connected only with the hubs (see Fig. 7). The vertices with intermediary in-degrees are thus left in the limbo, and are in effect penalized for their community pattern. The almost symmetrically opposite situation is obtained with the community-centered trust distribution, where both the vertices with smallest and largest in-degrees receive the smallest trust values, and the intermediary nodes are judged more trustworthy due to their strong communities. We note that this effect is not due simply to the way the values of trust are distributed, but depend strongly on the existence of communities in the network. This is evident when the same trust distribution is applied to a shuffled version of the network, with the same in/ out-degree sequence, as is shown in Fig. 11. For such a network, the community structure disappears, and the highly connected nodes come again in the lead.

Discussion
We investigated properties of trust propagation on network based on the notion of trust transitivity. We defined a trust metric, called pervasive trust which provides inferred trust values for pairs of nodes, based on a network of direct trust values. The metric extends trust transitivity to the situation where multiple paths between source and target exist, by combining the best trust transitivity to the in-neighbours of a given target node, and their direct trust to the target. The trust values so-obtained are unbiased, personalized and well defined for any possible network topology. Equipped with this metric we analyzed the conditions necessary for global trust propagation in large systems, using random networks with arbitrary in/out-degree distributions as a simple model. We analytically obtained the average best trust transitivity (as well as pervasive trust) as a function of the fraction c of edges with absolute trust c~1. We found that there is a specific value of c~c Ã , below which the average trust is always zero. For c §c Ã the average value jumps discontinuously to a positive value.
Using the defined trust metric, we investigated trust propagation in the Pretty Good Privacy (PGP) network [4,5]. We gave an overview of the most important topological and dynamical features of the PGP network, and identified mixed connectivity patters which are relevant for trust propagation: namely the existence of trust authorities and of densely-connected noncentralized communities. Based on these distinct patterns, we formulated different scenarios of direct trust distribution, and compared the average inferred trust which results from them. We found that an authority-centered approach, where direct trust is given preferentially to nodes which are more central, leads to a much larger average trust, but at the same time benefits nodes at the fringe of the network, which are only connected to the authority hubs, and for which no other information is available. Symmetrically, a community-centered approach, where edges belonging to densely-connected communities are favoured with more trust, results in less overall trust, but both the fringe nodes and the authorities receive significantly less trust than average. These differences are not simply due to the different ways the direct trust is distributed, but rather to the fact that the dense communities and the trust authorities are somewhat segregated. These differences illustrate the advantages and disadvantages of both paradigms of trust propagation, which seem to be coexist in the PGP network. It also serves as an insightful example of how dramatically the direct trust distribution can influence the inferred trust, even when the underlying topology remains the same.
In this work, we have concentrated on static properties of trust propagation. However most trust-based systems are dynamic, and change according to some rules which are influenced by the trust propagation itself. One particularly good example is market dynamics [1,2] where sellers (or borrowers) do not perform well if they have a poor track record, which will be partially influenced by trust. Thus, it remains to be seen how trust transitivity can be carried over to such types of models, and what role it plays in shaping their dynamics.