Merge pull request #8 from loiluu/master

fixing double quotes, rephrasing abstract
This commit is contained in:
vbuterin 2017-07-06 18:45:22 -04:00 committed by GitHub
commit ebe7db3e95
3 changed files with 19 additions and 16 deletions

casper4/papers/.gitignore vendored Normal file

@ -0,0 +1,3 @@
discouragement.aux
discouragement.log
x.log
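Review bot: the three entries are exact filenames, so the next build artefact with a different name (an .out, .toc or .synctex.gz, or a log from a differently named run like the "x.log" already listed) will need another commit; the patterns "*.aux" and "*.log" cover these same files plus any future ones. "x.log" in particular looks like a one-off local artefact rather than something the paper's build produces, which is a further argument for the pattern form.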

Binary file not shown.


@ -11,32 +11,32 @@
\begin{document} \begin{document}
\maketitle \maketitle
\begin{abstract} \begin{abstract}
We explore "discouragement attacks" on economic consensus mechanisms. A discouragement attack consists of an attacker acting maliciously inside a consensus mechanism in order to reduce other participants' revenue, even at some cost to themselves, in order to encourage the victims to drop out of the mechanism. This can be done either to increase the attacker's profit, as the mechanism may contain long-run "competitive" mechanics where some participants dropping out increases revenue to the remaining ones, or as part of a two-step strategy where the second step is to carry out a traditional 51\% attack on the consensus algorithm against a now much smaller set of "honest" paticipants warding off the attacker, and hence pay a much lower cost for the attack. We explore ``discouragement attacks" on economic consensus mechanisms. A discouragement attack consists of an attacker acting maliciously inside a consensus mechanism in order to reduce other participants' revenue, even at some cost to themselves, in order to encourage the victims to drop out of the mechanism. The motivations to conduct discouragement attacks are twofold. First, the attacks can increase the attacker's profit, as the mechanism may contain long-run ``competitive" mechanics where some participants dropping out increases revenue to the remaining ones. Second, the attacks can be part of a two-step strategy where the second step is to carry out a traditional $51\%$ attack on the consensus algorithm against a now much smaller set of ``honest" participants warding off the attacker, and hence pay a much lower cost for the attack.
\end{abstract} \end{abstract}
\section{Introduction} \section{Introduction}
We model an economic consensus mechanism as being a game where there is an infinite set of participants each with an infinitesimally small deposit (we'll call the "size" of the set the total sum of deposits), of which some portion is controlled by the attacker. The payout function takes as input $x$, the total size of the participant set, and $h$, the extent to which the attacker deviates from an "honest" strategy. The payout to each honest participant is $\frac{1-h}{x^p}$, where $p$ is a protocol parameter that determines how the protocol reward changes with the number of participants. For example: We model an economic consensus mechanism as being a game where there is an infinite set of participants each with an infinitesimally small deposit (we'll call the ``size" of the set the total sum of deposits), of which some portion is controlled by the attacker. The payout function takes as input $x$, the total size of the participant set, and $h$, the extent to which the attacker deviates from an ``honest" strategy. The payout to each honest participant is $\frac{1-h}{x^p}$, where $p$ is a protocol parameter that determines how the protocol reward changes with the number of participants. For example:
\begin{itemize} \begin{itemize}
\item $p=0$: constant "interest rate", eg. under optimal conditions each participant earns a return of 8\% per year. \item $p=0$: constant ``interest rate", eg. under optimal conditions each participant earns a return of $8\%$ per year.
\item $p=\frac{1}{2}$: the rewards (and penalties) to participants scale with the inverse square root of the size of the participant set, so \textit{total} rewards scale with the square root of the size of the participant set. This is a compromise between $p=0$ and $p=1$. \\ \item $p=\frac{1}{2}$: the rewards (and penalties) to participants scale with the inverse square root of the size of the participant set, so \textit{total} rewards scale with the square root of the size of the participant set. This is a compromise between $p=0$ and $p=1$.
\item $p=1$: constant total reward, ie. the total payout of the protocol is dependent only on what percentage of participants take what actions, not on the size of the participant set. \\ \item $p=1$: constant total reward, ie. the total payout of the protocol is dependent only on what percentage of participants take what actions, not on the size of the participant set.
\item $p=\infty$: the protocol is dead-set on ensuring that the total size of the participant set is some specific constant $k$ no matter what. If the size exceeds $k$, the protocol keeps decreasing rewards until the size drops to $k$, and if the size is below $k$, the protocol keeps increasing rewards until the size rises to $k$. \\ \item $p=\infty$: the protocol is dead-set on ensuring that the total size of the participant set is some specific constant $k$ no matter what. If the size exceeds $k$, the protocol keeps decreasing rewards until the size drops to $k$, and if the size is below $k$, the protocol keeps increasing rewards until the size rises to $k$.
\end{itemize} \end{itemize}
Note that if revenues to participants are dominated by transaction fees, then $p=1$ will hold. Note that if revenues to participants are dominated by transaction fees, then $p=1$ will hold.
An attacker pays $\frac{1-\frac{h}{r}}{x^p}$ where $r$ is the \textit{proportional loss ratio} - the penalty incurred by victims divided by the penalty divided by the attackers where both are expressed as a fraction of the sizes of the two groups. The relationship between $r$ and the \textit{griefing factor} (ratio of victim losses over attacker losses expressed in absolute terms) is simple: $g = r * \frac{\alpha}{1-\alpha}$, where $\alpha$ is the portion of participants controlled by the attacker. An attacker pays $\frac{1-\frac{h}{r}}{x^p}$ where $r$ is the \textit{proportional loss ratio} - the penalty incurred by victims divided by the penalty divided by the attackers where both are expressed as a fraction of the sizes of the two groups. The relationship between $r$ and the \textit{griefing factor} (ratio of victim losses over attacker losses expressed in absolute terms) is simple: $$g = r * \frac{\alpha}{1-\alpha},$$ where $\alpha$ is the portion of participants controlled by the attacker.
We now rephrase the problem into the language of supply and demand: there exist a set of players, each of which has some \textit{reserve interest rate} at which they are willing to become participants in the consensus mechanism. This is the demand curve, where the interest rate is the price. The protocol, which offers interest rates for participation in the consensus mechanism, sets the supply curve. If $p=0$, the supply curve is horizontal - the protocol offers that interest rate to an unlimited number of participants. If $p=\infty$, the supply curve is vertical. For any other $p$, the supply curve is declining with a constant elasticity of $\frac{1}{p}$. We model the attacker as having unilateral power to set $d$ (by attacking), and this pushes down the supply curve. We now rephrase the problem into the language of supply and demand: there exist a set of players, each of which has some \textit{reserve interest rate} at which they are willing to become participants in the consensus mechanism. This is the demand curve, where the interest rate is the price. The protocol, which offers interest rates for participation in the consensus mechanism, sets the supply curve. If $p=0$, the supply curve is horizontal - the protocol offers that interest rate to an unlimited number of participants. If $p=\infty$, the supply curve is vertical. For any other $p$, the supply curve is declining with a constant elasticity of $\frac{1}{p}$. We model the attacker as having unilateral power to set $d$ (by attacking), and this pushes down the supply curve.
We model the demand curve as also being a simple exponential function, $x^d$. In general, we expect there to be wide disparities between the reserve interest rates of different players, as they have different levels of wealth, technical capability to operate a node in the consensus mechanism, and willingness to lock up their capital; additionally, we expect many players will be readily willing to lock up 50\% of their capital, somewhat willing to lock up 80\%, hard pressed to lock up 95\%, and not willing at all to lock up 100\%. Hence, $d > 1$ seems likely, though we will consider the problem abstractly and give results for various values of $d$. We model the demand curve as also being a simple exponential function, $x^d$. In general, we expect there to be wide disparities between the reserve interest rates of different players, as they have different levels of wealth, technical capability to operate a node in the consensus mechanism, and willingness to lock up their capital; additionally, we expect many players will be readily willing to lock up $50\%$ of their capital, somewhat willing to lock up $80\%$, hard pressed to lock up $95\%$, and not willing at all to lock up $100\%$. Hence, $d > 1$ seems likely, though we will consider the problem abstractly and give results for various values of $d$.
\section{Analysis} \section{Analysis}
We want to learn two things. First, are there opportunities to perform a discouragement attack for profit? Second, what is the difficulty of performing a discouragement attack in order to set up a cheaper later attack on consensus? To examine the second case, we can compare the pre-discouragement and post-discouragement intersections of the supply and demand curves. We want to learn two things. First, are there opportunities to perform a discouragement attack for profit? Second, what is the difficulty of performing a discouragement attack in order to set up a cheaper later attack on consensus? To examine the second case, we can compare the pre-discouragement and post-discouragement intersections of the supply and demand curves.
Pre-discouragement, the intersection is between $y = \frac{1}{x^p}$ and $y = x^d$. The unique solution is clearly $x=1$ and $y=1$. Note that we can adjust the currency unit and the time unit so that the default equilibrium of 1 unit and an interest rate of 100\% per period holds; hence, the omission of adjustable constants in the supply and demand curve formulas does not sacrifice generality. Pre-discouragement, the intersection is between $y = \frac{1}{x^p}$ and $y = x^d$. The unique solution is clearly $x=1$ and $y=1$. Note that we can adjust the currency unit and the time unit so that the default equilibrium of 1 unit and an interest rate of $100\%$ per period holds; hence, the omission of adjustable constants in the supply and demand curve formulas does not sacrifice generality.
\includegraphics[width=300px]{disc_chart1.png} \includegraphics[width=300px]{disc_chart1.png}
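Review bot: the quote fix is only half done: every replaced span now opens with `` but still closes with a straight " (for example ``discouragement attacks" in the abstract and ``size" and ``honest" in the introduction); the conventional LaTeX closing double quote is '', and a bare " is not guaranteed to render as a closing mark (it depends on the font encoding), so these should become ``discouragement attacks'' and so on. Since these lines are being touched anyway, two wording problems in the same hunk are worth fixing: in the definition of $r$, "the penalty incurred by victims divided by the penalty divided by the attackers" presumably means "the penalty incurred by the attackers", and "We model the attacker as having unilateral power to set $d$ (by attacking)" conflicts with $d$ being the demand-curve exponent introduced in the very next paragraph, whereas the attacker's lever everywhere else is $h$.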
@ -50,13 +50,13 @@ $x=(1-h)^{\frac{1}{d+p}}$
Let us now look at the attacker's interest rate, $\frac{1-\frac{h}{r}}{x^p}$. First, let us take the easy case: $r \le 1$. In this case, $\frac{1-\frac{h}{r}}{x^p} \le \frac{1-h}{(1-h)^{\frac{p}{d+p}}} = (1-h)^{\frac{d}{d+p}} < 1$. Hence, if $r \le 1$, the attacker will always lose money. This may seem counterintuitive; one might ask, what if the discouragement attack pushes out so many other participants that the new equilibrium is on the very high part of the the supply curve close to zero? The important thing to keep in mind, however, is that if $r = 1$ (i.e. the attacker gets the same interest rate as the victims), then the attacker's revenue will necessarily be at some point along \textit{the original, unchanged, upward sloping demand curve}. Because the demand curve is upward sloping, and the number of participants decreased, the interest rate paid to the attacker must have also decreased. If $r < 1$, then the attacker loses \textit{even more} than the victims, at least if expressed as an interest rate, and so the attacker's interest rate will end up \textit{below} the lower point along the demand curve experienced by victims. Hence, if $r \le 1$, discouragement attacks are necessarily costly. Let us now look at the attacker's interest rate, $\frac{1-\frac{h}{r}}{x^p}$. First, let us take the easy case: $r \le 1$. In this case, $\frac{1-\frac{h}{r}}{x^p} \le \frac{1-h}{(1-h)^{\frac{p}{d+p}}} = (1-h)^{\frac{d}{d+p}} < 1$. Hence, if $r \le 1$, the attacker will always lose money. This may seem counterintuitive; one might ask, what if the discouragement attack pushes out so many other participants that the new equilibrium is on the very high part of the the supply curve close to zero? The important thing to keep in mind, however, is that if $r = 1$ (i.e. the attacker gets the same interest rate as the victims), then the attacker's revenue will necessarily be at some point along \textit{the original, unchanged, upward sloping demand curve}. 
Because the demand curve is upward sloping, and the number of participants decreased, the interest rate paid to the attacker must have also decreased. If $r < 1$, then the attacker loses \textit{even more} than the victims, at least if expressed as an interest rate, and so the attacker's interest rate will end up \textit{below} the lower point along the demand curve experienced by victims. Hence, if $r \le 1$, discouragement attacks are necessarily costly.
In general, it is certainly feasible to design a consensus mechanism where we can ensure $r \le 1$ as long as the attacker controls less than 50\% of participants, so this is already a very useful result. Now, let us examine the case where $r > 1$. For very high values of $r$, it is easy to see how the attacker can theoretically make a net gain from a discouragement attack: In general, it is certainly feasible to design a consensus mechanism where we can ensure $r \le 1$ as long as the attacker controls less than $50\%$ of participants, so this is already a very useful result. Now, let us examine the case where $r > 1$. For very high values of $r$, it is easy to see how the attacker can theoretically make a net gain from a discouragement attack:
\includegraphics[width=300px]{disc_chart3.png} \includegraphics[width=300px]{disc_chart3.png}
However, with the right bounds we can still prevent such an attack from being profitable. Consider the case where $p=1$, and where the attacker must maintain a 50\% share of active participants to exert $r > 1$ griefing (note that at the 50\% boundary, the \textit{proportional loss ratio} $r$ and the \textit{griefing factor} are the same value). The next question is, does the attacker remove some of their own participants to keep their share at 50\%, or do all of the participants controlled by the attacker stay? However, with the right bounds we can still prevent such an attack from being profitable. Consider the case where $p=1$, and where the attacker must maintain a $50\%$ share of active participants to exert $r > 1$ griefing (note that at the $50\%$ boundary, the \textit{proportional loss ratio} $r$ and the \textit{griefing factor} are the same value). The next question is, does the attacker remove some of their own participants to keep their share at $50\%$, or do all of the participants controlled by the attacker stay?
In the first case, as long as $r \le 1$, no matter how high $r$ is, the attacker's revenue must still decrease, or in the worst case where $r = \infty$, the attacker's revenue will be unchanged. In the second case, we note that the size of the participant set will decline more slowly - specifically, $x = \frac{1}{2} + \frac{1}{2} * (1-h)^{\frac{1}{d+p}}$. Suppose $r \le 2$, and $p \le 1$. Then: In the first case, as long as $r \le 1$, no matter how high $r$ is, the attacker's revenue must still decrease, or in the worst case where $r = \infty$, the attacker's revenue will be unchanged. In the second case, we note that the size of the participant set will decline more slowly - specifically, $x = \frac{1}{2} + \frac{1}{2} * (1-h)^{\frac{1}{d+p}}$. Suppose $r \le 2$, and $p \le 1$. Then:
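Review bot: "the very high part of the the supply curve" keeps the doubled "the" even though this line is being rewritten; splitting the paragraph across two source lines is harmless in LaTeX (a single newline is not a paragraph break), but the typo should go with the edit. In the last paragraph, "as long as $r \le 1$, no matter how high $r$ is" is self-contradictory, and this passage is explicitly analysing the $r > 1$ case; please check which variable the first bound was meant to constrain (the surrounding text has just fixed $p = 1$ and a $50\%$ share).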
@ -77,13 +77,13 @@ Hence, if the griefing factor is bounded by 2, we want $p \le \frac{1}{2}$, and
\section{Discouragement Attacks for Breaking Consensus} \section{Discouragement Attacks for Breaking Consensus}
Here we evaluate the feasibility of attackers with a two-step plan. First, run a discouragement attack to push other participants out. Second, attack the network against a now much smaller participant set. The second attack could either be a finality reversion attack, or it could be censorship. In the given model, this is clearly doable: an attacker can grief with $h > 1$ to push all other participants out, then remove most of their own participants, then use the remainder to perform the attack. This can be overcome with an honest minority assumption, where some participants are willing to stay despite the lack of economic incentive, and it can also be overcome with outside donations to "honest" participants. A third way that it can be overcome is if, when such an attack starts taking place, a large number of outside players temporarily join the participant set, diluting the attacker to below 50\% and thereby making their attack ineffective. Here we evaluate the feasibility of attackers with a two-step plan. First, run a discouragement attack to push other participants out. Second, attack the network against a now much smaller participant set. The second attack could either be a finality reversion attack, or it could be censorship. In the given model, this is clearly doable: an attacker can grief with $h > 1$ to push all other participants out, then remove most of their own participants, then use the remainder to perform the attack. This can be overcome with an honest minority assumption, where some participants are willing to stay despite the lack of economic incentive, and it can also be overcome with outside donations to ``honest" participants. A third way that it can be overcome is if, when such an attack starts taking place, a large number of outside players temporarily join the participant set, diluting the attacker to below $50\%$ and thereby making their attack ineffective.
This kind of attack is difficult to economically model because under certain assumptions the cost is zero: if an attacker can credibly announce that they will grief with $h > 1$, then all other participants will leave, and the attacker will then be free to join with one single participant and perform a censorship attack at infinitesimal cost. This result is true in \textit{any} game where the net profit of a participant can be made to drop below zero through no fault of their own, which is itself true of any consensus algorithm where a censorship attack has nonzero cost, because of the fundamental fault inattributability of censorship versus a minority going offline. This kind of attack is difficult to economically model because under certain assumptions the cost is zero: if an attacker can credibly announce that they will grief with $h > 1$, then all other participants will leave, and the attacker will then be free to join with one single participant and perform a censorship attack at infinitesimal cost. This result is true in \textit{any} game where the net profit of a participant can be made to drop below zero through no fault of their own, which is itself true of any consensus algorithm where a censorship attack has nonzero cost, because of the fundamental fault inattributability of censorship versus a minority going offline.
What we \textit{can} do is model the game in various ways that add realistic "friction" to non-attacking participants' economic reasoning, and see how the parameters of the game can be optimized so as to maximize the cost of attack given these frictions. One possibility is to model it as a three-phase game, where in phase 1 the attacker griefs with some $h$, all participants get their due rewards and penalties ($y_0 * (1 - h)$ for the attacker, $y_0 * (1- r * h)$ for everyone else, where $y_0 = \frac{1}{x_0^p}$ is the default "peacetime" interest rate), then in phase 2 both the attacker and other participants make choices about how to allocate their resources and finally in phase 3 the attacker decides whether or not to attack. The attacker is modeled as having a \textit{budget} $b$; the attacker is only willing to lose $b$ in order to carry out the attack. What we \textit{can} do is model the game in various ways that add realistic ``friction" to non-attacking participants' economic reasoning, and see how the parameters of the game can be optimized so as to maximize the cost of attack given these frictions. One possibility is to model it as a three-phase game, where in phase 1 the attacker griefs with some $h$, all participants get their due rewards and penalties ($y_0 * (1 - h)$ for the attacker, $y_0 * (1- r * h)$ for everyone else, where $y_0 = \frac{1}{x_0^p}$ is the default``peacetime" interest rate), then in phase 2 both the attacker and other participants make choices about how to allocate their resources and finally in phase 3 the attacker decides whether or not to attack. The attacker is modeled as having a \textit{budget} $b$; the attacker is only willing to lose $b$ in order to carry out the attack.
Let us first consider finality reversion attacks. In a finality reversion attack, if the total validator set has size $x$, the cost of an attack is $\frac{x}{3}$. An attacker's strategy is easy: grief with $h = \frac{1}{r}$ in phase 1, drive all other participants away as their revenue drops to zero, and then attack in phase 2. The attacker's cost here, assuming the attacker had 50\% of the validator set in phase 1, is $x_0 * \frac{1}{2} * (1 - \frac{1}{r})$. Let us first consider finality reversion attacks. In a finality reversion attack, if the total validator set has size $x$, the cost of an attack is $\frac{x}{3}$. An attacker's strategy is easy: grief with $h = \frac{1}{r}$ in phase 1, drive all other participants away as their revenue drops to zero, and then attack in phase 2. The attacker's cost here, assuming the attacker had $50\%$ of the validator set in phase 1, is $x_0 * \frac{1}{2} * (1 - \frac{1}{r})$.
Now, let us modify the game slightly: suppose that of the $\frac{x}{3}$ penalized, half goes to all other participants. Suppose the total validator set has size $x_1$ in phase 1, with base interest rate $y_1 = \frac{1}{x_1^p}$. The attacker griefs with some $h$ in phase 1, and as a result in phase 2 the validator set drops in size to $x_2$, with base interest rate $y_2 = \frac{2}{x_2^p}$. The attacker then attacks with probability $P_{attack}$. Now, let us modify the game slightly: suppose that of the $\frac{x}{3}$ penalized, half goes to all other participants. Suppose the total validator set has size $x_1$ in phase 1, with base interest rate $y_1 = \frac{1}{x_1^p}$. The attacker griefs with some $h$ in phase 1, and as a result in phase 2 the validator set drops in size to $x_2$, with base interest rate $y_2 = \frac{2}{x_2^p}$. The attacker then attacks with probability $P_{attack}$.
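Review bot: the replacement drops the space before the opening quote: "is the default``peacetime" interest rate" needs the space restored, i.e. "the default ``peacetime'' interest rate" (with '' as the closing quote, as for the other quotes in this commit). Also worth a second look in the last paragraph: $y_1 = \frac{1}{x_1^p}$ but $y_2 = \frac{2}{x_2^p}$; if the 2 is intentional (the redistributed half of the penalty), a clause saying so would help, otherwise it reads as a typo for 1.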
@ -113,12 +113,12 @@ In general, what this analysis suggests is that (i) discouragement attacks for c
Suppose that victims ($\le 50\%$ of the participant pool) are concerned that their revenue will decrease from $y_0$ to 0 as part of a discouragement attack. They can choose to bribe outsiders to enlist in order to prevent this from happening. Bribing outsiders individually is expensive, because the bribe must overcome the outsider's concern that they themselves will suffer from the attack. However, with an assurance contract we can create a bribe that only works if enough outsiders show up. A bribe to increase the participant set by a factor of $n$ would cost $(n - 1) * (n^d - \frac{1}{n^p})$. If $p = d = 1$, this equals $n * (n - \frac{1}{n}) = n^2 - 1$. Hence, such a bribe would be rational to organize if $n \le \sqrt{2}$. Suppose that victims ($\le 50\%$ of the participant pool) are concerned that their revenue will decrease from $y_0$ to 0 as part of a discouragement attack. They can choose to bribe outsiders to enlist in order to prevent this from happening. Bribing outsiders individually is expensive, because the bribe must overcome the outsider's concern that they themselves will suffer from the attack. However, with an assurance contract we can create a bribe that only works if enough outsiders show up. A bribe to increase the participant set by a factor of $n$ would cost $(n - 1) * (n^d - \frac{1}{n^p})$. If $p = d = 1$, this equals $n * (n - \frac{1}{n}) = n^2 - 1$. Hence, such a bribe would be rational to organize if $n \le \sqrt{2}$.
However, suppose that participants fear not just loss of profits, also heavy losses, because they believe that an attacker will launch an attack and destroy a large portion of their deposits. Then, $n$ can be increased further, especially if the choice is between a small change between already relatively low interest rates and a large short-term harm of losing a large portion of one's deposit. To assist this mechanism, it is worth considering paying a small interest rate to those who are not participating in the consensus game, but are willing to make their deposits "conscriptable", in the sense that they automatically join the consensus game as soon as some condition is triggered (for example, net interest rates including penalties dropping below zero). However, suppose that participants fear not just loss of profits, also heavy losses, because they believe that an attacker will launch an attack and destroy a large portion of their deposits. Then, $n$ can be increased further, especially if the choice is between a small change between already relatively low interest rates and a large short-term harm of losing a large portion of one's deposit. To assist this mechanism, it is worth considering paying a small interest rate to those who are not participating in the consensus game, but are willing to make their deposits ``conscriptable", in the sense that they automatically join the consensus game as soon as some condition is triggered (for example, net interest rates including penalties dropping below zero).
\section{Conclusion} \section{Conclusion}
Discouragement attacks as a cheaper way of attacking a consensus algorithm are one of the hardest classes of attacks to come up with defenses against. This is true in proof of work as well: if a 51\% attack succeeds, then there is a coordination problem opposing "honest" miners trying to recover the original fork, as none have the private incentive to participate in a fork unless everyone else does. Hence, our recommendations at this point can consist only of two parts. First, there exist marginal tweaks that can be made to mechanisms to reduce the effectiveness of discouragement, increasing difficulty of leaving the validator pool and keeping $p$ values low (particularly by not relying solely on transaction fees) being chief among them. Second, if a discouragement attack does start happening, expect an assurance contract bringing in more participants to be an important building block in the solution. Discouragement attacks as a cheaper way of attacking a consensus algorithm are one of the hardest classes of attacks to come up with defenses against. This is true in proof of work as well: if a 51\% attack succeeds, then there is a coordination problem opposing ``honest" miners trying to recover the original fork, as none have the private incentive to participate in a fork unless everyone else does. Hence, our recommendations at this point can consist only of two parts. First, there exist marginal tweaks that can be made to mechanisms to reduce the effectiveness of discouragement, increasing difficulty of leaving the validator pool and keeping $p$ values low (particularly by not relying solely on transaction fees) being chief among them. Second, if a discouragement attack does start happening, expect an assurance contract bringing in more participants to be an important building block in the solution.
In general, this is still an active area of research, and more research in counter-strategies is desired. In general, this is still an active area of research, and more research in counter-strategies is desired.
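Review bot: the algebra in the bribe paragraph does not follow as written: with $p = d = 1$, $(n - 1)(n - \frac{1}{n}) = n^2 - n - 1 + \frac{1}{n}$, not $n(n - \frac{1}{n}) = n^2 - 1$, so either the prefactor in the cost formula should be $n$ or the simplification is wrong, and the $n \le \sqrt{2}$ bound depends on which is correct. Two smaller items in this hunk: "fear not just loss of profits, also heavy losses" is missing "but", and the conclusion's "51\% attack" is left outside math mode while this same commit changes the abstract's to "$51\%$".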