The second chapter of Casper’s story focuses on the economic security modeling and game theory conducted in the fall of 2014. Our research has uncovered a powerful solution for long-range attacks.
Chapter 2: Economic Security and the Long-Range Attack Problem
Vitalik and I had been discussing incentive structures for our research. We knew that it was essential not to take the assumption that “half the coins are honest” as a safety guarantee. We had to find a way to ensure that the protocol’s security guarantees lined up with the incentives of bonded nodes.
We viewed the protocol as a game, and if certain behaviors were rewarded, it could become a security issue. We determined that security deposits could be used to punish bad behavior.
I had always assumed that the Bitcoin network was most secure when the price was highest, and least secure when the price was lowest. Economic security was paramount, so we prioritized it.
The Bribing Attacker
Vitalik had a more solid background in game theory than I did, but I was still able to understand and calculate Nash equilibria. A strategy profile is one choice of strategy for each player, and each profile has a corresponding payout (ETH gained or ETH taken away). A Nash equilibrium is a profile in which no player has an incentive to change their strategy on their own.
It was during a Skype call in the summer of 2014 that I first heard of the “bribing attacker model”. When I was asked about economic security, the question put to me was whether someone could bribe me into doing something. I didn’t know where the idea came from, but I had to keep learning.
Bribery is a way to alter a game’s payouts, and thus to alter the game’s Nash equilibria. Here’s an example of what it could look like: in the Prisoner’s Dilemma, it costs the bribing attacker $6 to get the players to play (Down, Right).
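As an added illustration (not from the original post), the following model finds the pure-strategy Nash equilibria of a constructed Prisoner’s-Dilemma-style payoff matrix and works out the side payments a briber must promise, payable only if (Down, Right) is played, to turn that profile into an equilibrium. The payoff numbers, the Up/Down and Left/Right labelling, and the margin of 1 are constructed assumptions.

```python
"""Pure-strategy Nash equilibria of a 2x2 game, before and after a bribe."""
from itertools import product

# Constructed Prisoner's-Dilemma-style payoffs as (row payoff, column payoff).
# Row player chooses Up/Down, column player chooses Left/Right; (Up, Left) is
# mutual defection and (Down, Right) is mutual cooperation.
PD = {
    ("Up", "Left"): (1, 1),
    ("Up", "Right"): (5, 0),
    ("Down", "Left"): (0, 5),
    ("Down", "Right"): (3, 3),
}

def strategies(game):
    rows = sorted({r for r, _ in game})
    cols = sorted({c for _, c in game})
    return rows, cols

def nash_equilibria(game):
    """Profiles from which no player gains by deviating alone."""
    rows, cols = strategies(game)
    eq = set()
    for r, c in product(rows, cols):
        row_ok = all(game[(r, c)][0] >= game[(r2, c)][0] for r2 in rows)
        col_ok = all(game[(r, c)][1] >= game[(r, c2)][1] for c2 in cols)
        if row_ok and col_ok:
            eq.add((r, c))
    return eq

def bribe_to_enforce(game, target, margin=1):
    """Smallest side payments, paid only if `target` is played, that make it a
    strict equilibrium. Returns (row_payment, col_payment, total)."""
    rows, cols = strategies(game)
    r, c = target
    best_row_alt = max(game[(r2, c)][0] for r2 in rows if r2 != r)
    best_col_alt = max(game[(r, c2)][1] for c2 in cols if c2 != c)
    pay_row = max(0, best_row_alt - game[target][0] + margin)
    pay_col = max(0, best_col_alt - game[target][1] + margin)
    return pay_row, pay_col, pay_row + pay_col

def bribed_game(game, target, pay_row, pay_col):
    """Payoff matrix with the conditional bribe added to the target cell."""
    g = dict(game)
    u_r, u_c = g[target]
    g[target] = (u_r + pay_row, u_c + pay_col)
    return g

if __name__ == "__main__":
    pr, pc, total = bribe_to_enforce(PD, ("Down", "Right"))
    print(nash_equilibria(PD), total, nash_equilibria(bribed_game(PD, ("Down", "Right"), pr, pc)))
```

With these numbers the briber pays each player 3, a total of 6, and (Down, Right) joins (Up, Left) as an equilibrium; the original equilibrium is not removed, which is exactly why a client cannot rely on “honest” behaviour being the only rational one.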
The bribing attack was our first practical model of economic security. Economic attacks are usually imagined as hostile takeovers by outsiders who buy up tokens or hashing power from outside the protocol. Attacking the blockchain that way would take a lot of capital. We wondered instead what it would cost to bribe the existing nodes into producing the desired result.
We expected that bribing nodes in our yet-to-be-defined proof-of-stake protocol would be expensive, because the briber would have to compensate them for the deposits they would lose. We used this notion of “reasonableness” to understand economic security. It was easy to reason about a bribing attacker: we wanted to know how much an attacker would have to pay the players to do the job, for example to produce a double signature.
The Long-Range Attack: The Bribery Economy
I used the bribing attack to advance our proof-of-stake research. We found that PoS protocols that did not require security deposits were easily defeated by small bribes: you could pay coin holders to move their coins to new addresses and hand you the old keys. (I’m unsure who initially came up with the idea of security deposits. It was something I hadn’t heard of yet, though Jae Kwon’s Tendermint, Dominic Williams’s now-defunct Pebble, and Nick Williamson’s Credits all use them.)
Security deposit-based proof of stake is also vulnerable to this attack. Once a security deposit has been returned to its owner, the bribing attacker can buy the keys to that address at a very low price.
Our research revealed a groundbreaking solution to the long-range attack problem: economic security. We found that a protocol that requires security deposits held by bonded nodes can be used to prevent the bribery attack. Not only does this create a secure environment for users, it also incentivizes bonded nodes to act honestly and for the benefit of the network.
The long-range attack works the same way as a regular attack. By obtaining old keys, the attacker gains the ability to control the blockchain and can fabricate alternative histories, as long as those histories fork off from a point before all of the deposits involved had expired.
Before we could create the reward system for proof-of-stake protocols, we had to tackle the long-range attack problem. If it isn’t addressed, clients cannot authenticate who currently has a security deposit.
We knew that developer checkpoints could stop these attacks. That seemed a bit too centralized.
During the week I stayed at Stephan Tual’s home in the suburbs of London, the week I converted to proof-of-stake, I learnt that clients must follow a simple rule when taking security deposits into consideration: a signer’s commitments only count while the client knows that the signer’s deposit is still held. That’s because these signatures don’t have any meaning after the deposit has been withdrawn. What would happen if I took out my deposit? Would you still trust me?
The bribing attacker model required this rule. Once the deposit has been taken out, it costs a briber almost nothing to obtain commitments that contradict the earlier ones.
A client would therefore need a list of bonded nodes, and would refuse to accept blocks that are not signed by those nodes. Only consensus messages from nodes that currently hold deposits count. This solves the long-range attack problem: instead of authenticating the current state from the history since the genesis block, we authenticate it against the list of current deposit holders.
This is fundamentally different to proof-of-work.
In proof-of-work, a valid block is one chained back to the genesis block whose hash meets the difficulty requirement. In this security deposit-based system, a block is only valid if it was created by a stakeholder who currently has a deposit. This meant that you had to have up-to-date information to authenticate the blockchain. Many people were concerned about this. But to protect against bribing attackers, proof-of-stake has to be built on security deposits.
Realizing this made it clear to me that the proof-of-work security model and the proof-of-stake security model were fundamentally incompatible, and I have avoided any serious use of “hybrid” PoW/PoS solutions ever since. It was evident that authenticating a proof-of-stake blockchain from genesis was not the right approach.
We had to do more than just change the authentication model. We also had to provide a way to manage the bonded node set. Changes to the list of bonded nodes would be managed using the bonded nodes’ own signatures: a change took effect once the bonded nodes had agreed on it. Otherwise clients could end up with different validator lists and be unable to agree on the state. The list, or its hash, could be shared out of band, for instance over Twitter, with new clients and with clients that had been offline for a long time, which would sync up after the user entered the hash in the UI.
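The client rule described above (count only signatures backed by deposits that are still held, and replace the bonded set only on the current bonded set’s own say-so), as an added example that is not code from the original post. Signatures are modeled as the signer’s id, a constructed stand-in for real cryptographic signatures; the 2/3 quorum, the deposit amounts and the validator names are constructed assumptions.

```python
"""Client rule from the text: only signatures from validators whose deposits are
still held count, and the bonded set changes only on a quorum of the current set.
Signatures are modeled as signer ids, a constructed stand-in for real signatures."""
from dataclasses import dataclass, field

@dataclass
class Client:
    deposits: dict  # validator id -> deposit currently held
    withdrawn: set = field(default_factory=set)

    def active(self):
        """Validators whose deposits have not been withdrawn; only these count."""
        return {v: d for v, d in self.deposits.items() if v not in self.withdrawn}

    def has_quorum(self, signers):
        """At least 2/3 of active deposit weight is behind `signers` (integer math)."""
        active = self.active()
        total = sum(active.values())
        weight = sum(active[v] for v in signers if v in active)
        return total > 0 and 3 * weight >= 2 * total

    def accept_block(self, signers):
        """Keys of withdrawn deposits carry no weight, so old keys bought after a
        withdrawal cannot produce a block this client accepts."""
        return self.has_quorum(signers)

    def withdraw(self, validator):
        self.withdrawn.add(validator)  # deposit returned to its owner

    def change_bonded_set(self, new_deposits, signers):
        """Adopt a new bonded set only when the current set has signed for it."""
        if not self.has_quorum(signers):
            return False
        self.deposits, self.withdrawn = dict(new_deposits), set()
        return True

def scenario():
    """Constructed walk-through; returns the client's decisions in order."""
    c = Client({"A": 100, "B": 100, "C": 100})
    out = [c.accept_block({"A", "B"})]                          # True: 200 of 300
    c.withdraw("A")
    c.withdraw("B")
    out.append(c.accept_block({"A", "B"}))                      # False: stale keys
    out.append(c.accept_block({"C"}))                           # True: C is all that is bonded
    out.append(c.change_bonded_set({"D": 100, "E": 100}, {"A", "B"}))  # False
    out.append(c.change_bonded_set({"D": 100, "E": 100}, {"C"}))       # True
    out.append(c.accept_block({"C"}))                           # False: C no longer bonded
    out.append(c.accept_block({"D", "E"}))                      # True
    return out
```

The second and fourth decisions are the long-range case: keys whose deposits have already been returned can neither extend the chain nor rotate the validator set, however cheaply a briber obtained them.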
If you get the wrong validator list, it won’t work: that is the man-in-the-middle case. But it’s not that bad, and the argument was and still is valid. You only need trustworthy network access once, to get this information; after that you can keep your list up to date and cannot be misled by “long-range” histories signed with retired deposits.
It takes time to get used to. But security deposits are all we can trust. Although I was uncomfortable with the argument at first and tried to preserve the ability to authenticate from genesis, I came to see the value of this kind of subjectivity in proof-of-stake protocols. The independently conceived “low subjectivity” scoring rule seemed an acceptable alternative to my original idea: “make all bonded nodes sign every N blocks to update the list of bonded nodes.”
With the long-range attack and the nothing-at-stake problem nailed into their coffins, it was time to get to work.
The next chapter will discuss what we learnt in our early attempts to define, for a consensus protocol, the conditions under which deposits are taken away. We’ll also tell you what we learnt by speaking with the top researchers in our field. Chapter 4 will continue the history of economic modeling and game theory.
NOTE: These opinions are my own and do not reflect those of others. I am solely responsible for the content of my writing and do not serve as spokesperson for any organisation, including the Ethereum Foundation.