This chapter describes the game theory and the economic security modeling that we were doing in the fall of 2014. It tells how the “bribing attacker model” led our research directly to a radical solution to the long-range attack problem.
Chapter 2: The bribing attacker, economic security and the long-range attack problem
Vitalik and I had each been reasoning about incentives as part of our research before we ever met, so the proposition that “getting the incentives right” was crucial in proof-of-stake was never a matter of debate. We were never willing to take “half of the coins are honest” as a security assumption. (It is in bold because it is important.) We knew that we needed some kind of “incentive compatibility” between the incentives of the bonded nodes and the security guarantees of the protocol.
We were always aware that the protocol could be viewed as a game that could easily lead to “bad outcomes” if the protocol's incentives encouraged that behavior. We considered this a potential security problem. Security deposits gave us a clear way to punish bad behavior: slashing conditions, which are essentially programs that decide whether to destroy the deposit.
We had long observed that Bitcoin was more secure when the price of bitcoin was higher and less secure when it was lower. We also now knew that security deposits gave Slasher more economic efficiency than Slasher applied only to rewards. It was clear to us that economic security existed, and we made it a high priority.
The bribing attacker
I do not know how much background Vitalik had in game theory (although it was clear that he had more than I did). My own knowledge of game theory at the start of the story was even more minimal than it is at the end. But I knew how to recognize and calculate Nash equilibria. If you have not yet learned about Nash equilibria, this next paragraph is for you.
A Nash equilibrium is a strategy profile (the players' strategy choices) with a corresponding payoff (giving $ETH or taking $ETH away) where no player individually has an incentive to deviate. “Incentive to deviate” means “they get more $ETH if they somehow change what they are doing”. If you remember that, and whenever you hear “Nash equilibrium” you think “no points for individual strategy changes”, you will have it.
Toward the end of the summer of 2014, I first ran into “the bribing attacker model” when I gave an offhand answer to an economic security question that Vitalik asked me during a Skype call (“I can just bribe them to do it”). I don't know where I got the idea. Vitalik then asked me about it again perhaps a week or two later, putting me on the spot to develop it further.
By bribing the participants in a game, you can change the game's payoffs and, through this operation, change its Nash equilibria. This is what it might look like:
The bribe attack changes the Nash equilibrium of the Prisoner's Dilemma game from (Up, Left) to (Down, Right). The bribing attacker in this example has a cost of 6 if (Down, Right) is played.
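The effect of a bribe on a game's equilibria, as an added example that is not part of the original post: it enumerates the pure-strategy Nash equilibria of a 2x2 game before and after bribes are promised. The payoff numbers and the bribe schedule are constructed here (the original figure's values are not reproduced on this page), chosen so that the briber pays 6 when (Down, Right) is played.

```python
from itertools import product

ROWS, COLS = ("Up", "Down"), ("Left", "Right")

# Constructed Prisoner's Dilemma payoffs: (row player, column player).
# Up/Left are the "defect" moves, Down/Right the "cooperate" moves.
BASE = {
    ("Up", "Left"): (1, 1),
    ("Up", "Right"): (4, 0),
    ("Down", "Left"): (0, 4),
    ("Down", "Right"): (3, 3),
}

def pure_nash(game):
    """Return every profile where neither player gains by deviating alone."""
    found = []
    for r, c in product(ROWS, COLS):
        row_pay, col_pay = game[(r, c)]
        row_ok = all(game[(alt, c)][0] <= row_pay for alt in ROWS)
        col_ok = all(game[(r, alt)][1] <= col_pay for alt in COLS)
        if row_ok and col_ok:
            found.append((r, c))
    return found

def apply_bribes(game, row_bribes, col_bribes):
    """Add the briber's promised payments to each player's payoff."""
    return {
        (r, c): (p[0] + row_bribes.get(r, 0), p[1] + col_bribes.get(c, 0))
        for (r, c), p in game.items()
    }

def briber_cost(profile, row_bribes, col_bribes):
    """What the briber actually pays out when `profile` is played."""
    r, c = profile
    return row_bribes.get(r, 0) + col_bribes.get(c, 0)

# Hypothetical bribe schedule: 3 to each player for playing Down / Right.
ROW_BRIBES, COL_BRIBES = {"Down": 3}, {"Right": 3}
BRIBED = apply_bribes(BASE, ROW_BRIBES, COL_BRIBES)

if __name__ == "__main__":
    print("before:", pure_nash(BASE))
    print("after: ", pure_nash(BRIBED))
    print("cost:  ", briber_cost(("Down", "Right"), ROW_BRIBES, COL_BRIBES))
```

The same three functions work for any bribe schedule, so lowering the bribes shows the point at which (Up, Left) becomes an equilibrium again.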
The bribing attacker was our first useful model of economic security.
Before the bribing attack, we generally thought of economic attacks as hostile takeovers by foreign, extra-protocol buyers of tokens or mining power. A pile of external capital would have to enter the system to attack the blockchain. With the bribing attack, the question became “what is the price of bribing the currently existing nodes to obtain the desired outcome?”.
We hoped that bribing attacks on our still-to-be-defined proof-of-stake protocol would have to spend a lot of money to compensate for the lost deposits.
Debate about “reasonableness” aside, this was our first step in learning to reason about economic security. It was fun and simple to use a bribing attacker. You just see how much you have to pay the players to do what the attacker wants. And we were already convinced that we would be able to make sure that an attacker must pay bribes the size of the security deposit to revert the chain in a double-spend attempt. We knew we could recognize “double-signing”. We were therefore fairly sure that this would give proof-of-stake a quantifiable economic security advantage over a proof-of-work protocol facing a bribing attacker.
The bribing economics of the long-range attack
Vitalik and I applied the bribing attacker to our proof-of-stake research. We found that PoS protocols without security deposits could be defeated trivially with small bribes. You just pay coin holders to move their coins to new addresses and give you the key to their now empty addresses. (I do not know who originally thought of this idea.) Our insistence on using the bribing model easily ruled out all the proof-of-stake protocols that we knew of. I liked that. (At the time, we had not yet heard of Jae Kwon's Tendermint, Dominic William's now-defunct Pebble, or Nick Williamson's Credits.)
This bribing attack also posed a challenge to proof-of-stake based on security deposits: the moment after a security deposit was returned to its original owner, the bribing adversary could buy the keys to their bonded stakeholder address at minimal cost.
This attack is identical to the long-range attack. It acquires old keys to take control of the blockchain. This meant that the attacker could create “false histories” at will, but only if they start at a height from which all the deposits have expired.
Before working on setting the incentives for our proof-of-stake protocol, therefore, we had to solve the long-range attack problem. If we did not solve the long-range attack problem, it would be impossible for clients to learn reliably who really had security deposits.
We knew that developer checkpoints could be used to deal with the long-range attack problem. We thought this was clearly too centralized.
In the weeks following my conversion to proof-of-stake, while I was staying with Stephan Tual outside London, I discovered that there was a natural rule for how clients reason about security deposits. Signed commitments are only meaningful if the sender currently has a deposit. That is to say, after the deposit is withdrawn, the signatures of these nodes are no longer meaningful. Why would I trust you after you withdraw your deposit?
The bribing attack model demanded it. It would cost the bribing attacker almost nothing to break the commitments after the withdrawal of the deposit.
This meant that a client would hold a list of bonded nodes and stop blocks at the door if they were not signed by one of these nodes. Ignoring the consensus messages of nodes that do not currently have security deposits circumvents the long-range attack problem. Instead of authenticating the current state according to the history from the genesis block, we authenticate it according to a list of who currently has deposits.
This is radically different from proof-of-work.
In PoW, a block is valid if it is chained to the genesis block and if the block hash meets the difficulty requirement of its chain. In this model based on security deposits, a block is valid if it was created by a stakeholder with a currently existing deposit. This meant that you would need to have current information to authenticate the blockchain. This subjectivity has worried a lot of people a great deal, but it is necessary for proof-of-stake based on security deposits to be secure against the bribing attacker.
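The difference between authenticating by history and authenticating by current deposits, as an added example that is not code from the original post or from any Ethereum client: it applies both admission rules to a fork signed with a withdrawn validator's old key. The validator names, heights and the `Bond` and `Block` types are constructed for illustration, and signature verification is assumed to have already succeeded.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Bond:
    deposited_at: int
    withdrawn_at: Optional[int] = None  # None: deposit is still locked up

@dataclass(frozen=True)
class Block:
    height: int
    signer: str  # assumed: the signature on the block already verified

def bonded_at_height(bonds, block):
    """History-based rule: was the signer bonded at the block's own height?"""
    bond = bonds.get(block.signer)
    if bond is None or block.height < bond.deposited_at:
        return False
    return bond.withdrawn_at is None or block.height < bond.withdrawn_at

def bonded_now(bonds, block):
    """Rule from the text: a signature counts only while the deposit exists."""
    bond = bonds.get(block.signer)
    return bond is not None and bond.withdrawn_at is None

def accept_all(blocks, bonds, rule):
    """A client admits a branch only if every block passes its rule."""
    return all(rule(bonds, blk) for blk in blocks)

# Constructed client view: alice has withdrawn, bob and carol are bonded.
BONDS = {
    "alice": Bond(deposited_at=0, withdrawn_at=120),
    "bob": Bond(deposited_at=0),
    "carol": Bond(deposited_at=150),
}
# Constructed fork made today with alice's old key, branching at height 60.
OLD_KEY_FORK = [Block(h, "alice") for h in range(60, 64)]
# Constructed new blocks from validators whose deposits can still be slashed.
FRESH_BLOCKS = [Block(200, "bob"), Block(201, "carol")]

if __name__ == "__main__":
    print(accept_all(OLD_KEY_FORK, BONDS, bonded_at_height))  # history rule
    print(accept_all(OLD_KEY_FORK, BONDS, bonded_now))        # current-deposit rule
    print(accept_all(FRESH_BLOCKS, BONDS, bonded_now))
```

The history-based rule admits the fork because alice was bonded at heights 60 to 63; the current-deposit rule turns it away because nothing of hers can be destroyed any more.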
This realization made it very clear to me that the proof-of-work security model and the proof-of-stake security model are fundamentally incompatible. So I abandoned any serious use of “hybrid” PoW/PoS solutions. Trying to authenticate a proof-of-stake blockchain from genesis now seemed very obviously wrong.
Beyond changing the authentication model, however, we had to provide a means of managing these lists of security deposits. We had to use signatures from bonded nodes to manage the changes to the list of bonded nodes, and we had to do it after the bonded nodes come to consensus on these changes. Otherwise, clients would have different lists of bonded validators, and they could not agree on the state of Ethereum.
The bond time had to be made long, so that clients have time to learn about the new, incoming set of bonded stakeholders. As long as clients were online enough, they could keep up to date. I thought we would use Twitter to share the list of bonded nodes, or at least a hash, so that new and hibernating clients can be synchronized after their user enters it into the user interface.
If you have the wrong list of validators, you can get man-in-the-middled. But it's really not that bad. The argument was (and still is!) that you only have to be able to trust an external source for this information once. After that once, you can update your list yourself, at least if you can be online regularly enough to avoid the “long range” of withdrawn deposits.
I know it could take some getting used to. But we can only rely on fresh security deposits. Vitalik was a little uncomfortable with this argument at the start, trying to keep the ability to authenticate from genesis, but was finally convinced by the need for this type of subjectivity in proof-of-stake protocols. Vitalik independently came up with his weak subjectivity scoring rule, which seemed to me to be a perfectly reasonable alternative to my idea at the time, which was essentially “have all the deposits sign every Nth block to update the list of bonded nodes”.
With the nails in the nothing-at-stake and long-range attack coffins hammered in, we were ready to start choosing our slashing conditions.
The next chapter will document what we learned from our first struggles to define a consensus protocol by specifying slashing conditions. I will also tell you about what we learned from talking with fine people from our space about our research. The story of game theory and economic modeling presented here will continue to develop in Chapter 4.
Note: The opinions expressed here are only my own personal opinions and do not represent those of the Ethereum Foundation. I am only responsible for what I wrote and I do not act as spokesperson for the Foundation.