Saturday, January 28

The P + epsilon Attack


Special thanks to Andrew Miller for coming up with this attack, and to Zack Hess, Vlad Zamfir and Paul Sztorc for discussion and responses.

One of the most interesting surprises in cryptoeconomics in recent weeks came from an attack on SchellingCoin conceived by Andrew Miller earlier this month. It has always been understood that SchellingCoin and similar systems (including the more advanced Truthcoin consensus) rely on what has so far been a new and untested cryptoeconomic security assumption: that one can safely rely on people acting honestly in a simultaneous consensus game just because they believe that everyone else will. Even so, the problems raised so far have dealt with relatively marginal issues, such as an attacker's ability to exert small but increasing amounts of influence on the output over time by applying continued pressure. This attack, on the other hand, shows a much more fundamental problem.

The scenario is described as follows. Suppose there is a simple Schelling game where users vote on whether some particular fact is true (1) or false (0); say in our example that it is actually false. Each user can vote either 1 or 0. If a user votes the same as the majority, they get a reward of P; otherwise they get 0. Thus, the payoff matrix looks like this:

Payoff to you     You vote 0    You vote 1
Others vote 0     P             0
Others vote 1     0             P

The theory is that if everyone expects everyone else to vote truthfully, then their incentive is also to vote truthfully in order to comply with the majority, and that is the reason why one can expect others to vote truthfully in the first place: a self-reinforcing Nash equilibrium.

Now, the attack. Suppose the attacker credibly commits (e.g. through an Ethereum contract, by simply putting one's reputation on the line, or by leveraging the reputation of a trusted escrow provider) to pay X to voters who voted 1 after the game ends, where X = P + ε if the majority votes 0, and X = 0 if the majority votes 1. Now, the payoff matrix looks like this:

Payoff to you     You vote 0    You vote 1
Others vote 0     P             P + ε
Others vote 1     0             P

Thus, it is a dominant strategy for anyone to vote 1 regardless of what they think the majority will do. Hence, assuming the system is not dominated by altruists, the majority will vote 1, so the attacker will not need to pay anything at all. The attack has succeeded in taking over the mechanism at zero cost. Note that this differs from Nicolas Houy's argument about zero-cost 51% attacks on proof of stake (an argument technically extensible to ASIC-based proof of work) in that here no epistemic takeover is required; even if everyone remains dead convinced that the attacker will fail, their incentive is still to vote to support the attacker, because the attacker bears the risk of failure himself.
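The dominance argument can be checked mechanically. The following is an added example, not code from the original post: it generalizes the 2x2 matrix to n voters (n odd), including the pivotal case where one vote decides the majority, and all function names are illustrative assumptions.

```python
from fractions import Fraction

# Added illustration; names and sample values are assumptions, not from the post.

def majority(ones, n):
    """Winning answer among n voters (n odd, so there are no ties)."""
    return 1 if 2 * ones > n else 0

def payoff(vote, others_ones, n, P, eps=None):
    """Payoff to one voter when others_ones of the other n-1 voters chose 1.
    eps=None is the plain game; otherwise X = P + eps is paid to 1-voters,
    but only when the majority ends up voting 0."""
    winner = majority(others_ones + vote, n)
    reward = P if vote == winner else 0
    bribe = P + eps if (eps is not None and vote == 1 and winner == 0) else 0
    return reward + bribe

def dominant_votes(n, P, eps=None):
    """Votes that are never worse than the alternative for any behaviour of
    the others, and strictly better for at least one (weak dominance)."""
    found = []
    for v in (0, 1):
        diffs = [payoff(v, k, n, P, eps) - payoff(1 - v, k, n, P, eps)
                 for k in range(n)]
        if min(diffs) >= 0 and max(diffs) > 0:
            found.append(v)
    return found

def unanimous_equilibria(n, P, eps=None):
    """Unanimous outcomes from which no single voter gains by deviating."""
    stable = []
    for v in (0, 1):
        others = (n - 1) * v
        if payoff(v, others, n, P, eps) >= payoff(1 - v, others, n, P, eps):
            stable.append(v)
    return stable

def attacker_payout(ones, n, P, eps):
    """What the briber actually pays once the votes are in."""
    return ones * (P + eps) if majority(ones, n) == 0 else 0

if __name__ == "__main__":
    P, eps = Fraction(1), Fraction(1, 100)
    print("plain game:", dominant_votes(5, P), unanimous_equilibria(5, P))
    print("with bribe:", dominant_votes(5, P, eps), unanimous_equilibria(5, P, eps))
    print("cost when everyone votes 1:", attacker_payout(5, 5, P, eps))
```

With n voters the dominance is weak rather than strict: a pivotal voter earns P either way, which is why the check accepts ties.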

Salvaging Schelling Schemes

There are quite a few ways one can try to salvage the Schelling mechanism. One approach is that instead of round N of the Schelling consensus itself deciding who gets rewarded based on the "majority is right" principle, we use round N + 1 to determine who should be rewarded during round N, with the default equilibrium being that only people who voted correctly during round N (both on the actual fact in question and on who should be rewarded in round N – 1) should be rewarded. In theory, this requires an attacker wishing to perform a cost-free attack to corrupt not just one round but all future rounds, making the capital deposit that the attacker must put up unbounded.

However, this approach has two flaws. First, the mechanism is fragile: if an attacker manages to corrupt some round in the far future by actually paying P + ε to everyone, regardless of who wins, then the expectation of that corrupted round causes an incentive to cooperate with the attacker to propagate backward to all previous rounds. Hence, corrupting one round is expensive, but corrupting thousands of rounds is no more expensive.

Second, because of discounting, the deposit required to overcome the scheme does not need to be unbounded; it just needs to be very large (i.e. inversely proportional to the prevailing interest rate). But if all we want is to make the minimum required bribe larger, there is a much simpler and better strategy for doing so, pioneered by Paul Sztorc: require participants to put down a large deposit, and build in a mechanism by which the more contention there is, the more funds are at stake. At the limit, where just over 50% of the votes are in favor of one outcome and 50% in favor of the other, the entire deposit is taken away from minority voters. This ensures that the attack still works, but the bribe must now be greater than the deposit (roughly equal to the payout divided by the discount rate, giving us equal performance to the infinite-round game) rather than just the payout for each round. Hence, in order to overcome such a mechanism, one would need to be able to prove that one is capable of pulling off a 51% attack, and perhaps we may simply be comfortable assuming that attackers of that size do not exist.
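To see how a deposit moves the minimum bribe from P to roughly P plus the deposit, here is an added example that is not part of the original post. The text does not specify the slashing rule, so the linear rule below is an assumption, as are the function names and sample numbers.

```python
from fractions import Fraction

# Added illustration; the slashing rule and all names are assumptions.

def slash(minority, n, D):
    """ASSUMED rule: a minority voter loses a share of deposit D that grows
    linearly with contention and reaches all of D at the closest split."""
    return D * Fraction(minority, (n - 1) // 2)

def honest_payoff_gap(others_ones, n, P, D):
    """What a voter gives up, before any bribe, by voting 1 instead of 0
    when others_ones of the other n-1 voters vote 1 (n odd)."""
    def payoff(vote):
        ones = others_ones + vote
        winner = 1 if 2 * ones > n else 0
        if vote == winner:
            return P
        minority = ones if winner == 0 else n - ones
        return -slash(minority, n, D)
    return payoff(0) - payoff(1)

def min_bribe(n, P, D):
    """Amount the bribe X must strictly exceed for voting 1 to be attractive
    in every case where X is actually paid (majority still votes 0)."""
    # The majority stays 0 after my 1-vote only if others_ones + 1 <= (n-1)/2.
    return max(honest_payoff_gap(k, n, P, D) for k in range((n - 1) // 2))

def deposit_matching_infinite_game(P, r):
    """Present value of receiving P every round forever at per-round
    discount rate r (a perpetuity): P / r."""
    return P / r

if __name__ == "__main__":
    P, r = Fraction(1), Fraction(1, 20)      # constructed sample values
    D = deposit_matching_infinite_game(P, r)
    print("no deposit:  bribe must exceed", min_bribe(101, P, 0))
    print("deposit", D, ": bribe must exceed", min_bribe(101, P, D))
```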

Another approach is to rely on counter-coordination: essentially, somehow coordinate, perhaps through credible commitments, on voting A (if A is the truth) with a probability of 0.6 and B with a probability of 0.4, the theory being that this will allow users to (probabilistically) claim the mechanism's reward and a portion of the attacker's bribe at the same time. This (seemingly) works especially well in games where, instead of paying a fixed reward to each majority-compliant voter, the game is designed to have a fixed total payoff, with individual rewards adjusted to achieve that goal. In such cases, from a collective-rationality point of view, it is indeed the case that the group earns the highest profit by having 49% of its members vote B to claim the attacker's reward and 51% vote A to make sure the attacker's reward is paid out.

However, this approach itself has the flaw that, if the attacker's bribe is high enough, even from there one can defect. The basic problem is that given a probabilistic mixed strategy between A and B, the return always varies (almost) linearly with the probability parameter of each. Hence, if voting for B makes more sense for an individual than voting for A, then it also makes more sense to vote for B with a probability of 0.51 rather than a probability of 0.49, and voting for B with a probability of 1 works even better.

Hence, everyone will defect from the "49% for 1" strategy by simply always voting for 1, so 1 wins and the attacker succeeds in the costless takeover. The fact that such complex schemes exist, and come so close to "seeming to work", suggests that perhaps in the near future some complex counter-coordination scheme will emerge that actually does work; however, we must be prepared for the possibility that no such scheme will be developed.
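The linearity argument can be made concrete with exact arithmetic. This added example is not from the original post: it assumes the constant per-voter reward P of the basic game (not the fixed-total-payoff variant), 100 other voters who follow the coordinated 0.6 / 0.4 mix, and illustrative function names.

```python
from fractions import Fraction
from math import comb

# Added illustration; names and sample values are assumptions.

def prob_majority_b(n_others, p_b, my_vote_b):
    """Exact probability that B wins when each of n_others voters picks B
    independently with probability p_b and my own vote is added (odd total)."""
    n = n_others + 1
    need = n // 2 + 1 - (1 if my_vote_b else 0)   # B votes needed from others
    return sum(comb(n_others, k) * p_b**k * (1 - p_b)**(n_others - k)
               for k in range(need, n_others + 1))

def expected_payoff(q, n_others, p_b, P, eps):
    """Expected payoff of voting B with probability q. A is the truth and the
    briber pays P + eps to B-voters only if A wins."""
    b_wins_if_a = prob_majority_b(n_others, p_b, False)
    b_wins_if_b = prob_majority_b(n_others, p_b, True)
    pay_a = (1 - b_wins_if_a) * P                      # rewarded only if A wins
    pay_b = b_wins_if_b * P + (1 - b_wins_if_b) * (P + eps)
    return (1 - q) * pay_a + q * pay_b                 # linear in q

def best_response(n_others, p_b, P, eps, grid=11):
    """Best own mixing probability on an evenly spaced grid over [0, 1]."""
    qs = [Fraction(i, grid - 1) for i in range(grid)]
    return max(qs, key=lambda q: expected_payoff(q, n_others, p_b, P, eps))

if __name__ == "__main__":
    p_b, P, eps = Fraction(2, 5), Fraction(1), Fraction(1, 100)
    for q in (Fraction(0), Fraction(2, 5), Fraction(1)):
        print(q, float(expected_payoff(q, 100, p_b, P, eps)))
    print("best response:", best_response(100, p_b, P, eps))
```

Because the payoff is linear in q, the best response always sits at an endpoint, so the agreed 0.4 is never an individual optimum.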

Other Consequences

Given the sheer number of cryptoeconomic mechanisms that SchellingCoin enables, and the importance of these schemes in nearly all "trust-free" attempts to form any kind of link between the cryptographic world and the real world, this attack poses a potentially serious threat, although, as we will see later, Schelling schemes as a category can ultimately be partially salvaged. However, what is more interesting is the larger class of mechanisms that do not look exactly like SchellingCoin at first glance, but actually have very similar sets of strengths and weaknesses.

In particular, let's point to a very specific example: proof of work. Proof of work is actually a multi-equilibrium game in the same way Schelling schemes are: if there are two forks, A and B, then if you mine on the fork that ends up winning you get 25 BTC, and if you mine on the fork that ends up losing you get nothing.

Payoff to you       You mine on A    You mine on B
Others mine on A    25               0
Others mine on B    0                25

Now, suppose the attacker launches a double-spending attack against many parties simultaneously (this requirement ensures that no single party has too strong an incentive to oppose the attacker, and instead the opposition becomes a public good; alternatively, the double-spend could just be an attempt to crash the price with the attacker short at 10x leverage). Call the "main" chain A and the attacker's new double-spending fork B. By default, everyone expects A to win. However, the attacker credibly commits to paying 25.01 BTC to everyone who mines on B if B ends up losing. Hence, the payoff matrix becomes:

Payoff to you       You mine on A    You mine on B
Others mine on A    25               25.01
Others mine on B    0                25

Thus, mining on B is a dominant strategy regardless of one's epistemic beliefs, so everyone mines on B, so the attacker wins and pays absolutely nothing. In particular, note that in proof of work we have no deposits, so the level of bribe required is only proportional to the mining reward multiplied by the length of the fork, not the capital cost of 51% of all mining hardware. Hence, from the point of view of cryptoeconomic security, one could in some sense say that proof of work doesn't really have a cryptoeconomic security margin at all (if you are tired of opponents of proof of stake pointing you to this article by Andrew Poelstra, feel free to link them here in response). If one is really uncomfortable with the weak subjectivity requirement of pure proof of stake, then it follows that the correct solution may be to augment proof of work with hybrid proof of stake by adding security deposits and double-voting penalties to mining.

Of course, in practice, proof of work has survived despite this flaw, and may indeed continue to survive for a long time; it might just be that there is such a high degree of altruism that attackers are not 100% convinced that they will succeed. But then, if we are allowed to rely on altruism, naive proof of stake works just as well. Hence, Schelling schemes too may simply end up working in practice, even if they are not entirely sound in theory.

The next part of this post will discuss the concept of "subjective" mechanisms in more detail, and how they can be used to theoretically get around some of these problems.

