Ebb-and-Flow: what are the impacts of subprotocols sharing resources?

[nathan-at-least]

Suggested Improvement

In Ebb-and-Flow, specifically the Snap-and-Chat construction, the two subprotocols are _almost_¹ independent black boxes.

However, in the real-world, the two subprotocols are very likely to have correlated security, e.g. they share "security resources" such as staking tokens, or at the very least they share implementation vulnerabilities (e.g. compromising a host enables compromising the "node" of both subprotocols simultaneously).

So, given that the subprotocol compromise is likely linked, what are the implications for Snap-and-Chat security overall?

---

¹ The one exception we've noticed so far is on §1.D. (p. 3):

in the $\Pi{bft}$ sub-protocol, each honest node boycotts the finalization of snapshots that are not confirmed in $\Pi{lc}$ in its view

This ticket is more general than this specific quirk of Snap-and-Chat, although this quirk may be very important to the answer!

[nathan-at-least]

Another attempt at the problem statement:

If either subprotocol is compromised, what happens if the attack vector can compromise the other subprotocol instance on the same node?

Two different examples:

• the two subprotocol instances share a correlated "security resource" such as stake.
• the two subprotocol instances share software security vulnerabilities (e.g. a network exploitable code injection attack can be leveraged to compromise both components at once on a single host).

[daira]

@nathan-at-least wrote:

In Ebb-and-Flow, specifically the Snap-and-Chat construction, the two subprotocols are _almost_¹ independent black boxes.

However, in the real-world, the two subprotocols are very likely to have correlated security, e.g. they share "security resources" such as staking tokens, or at the very least they share implementation vulnerabilities (e.g. compromising a host enables compromising the "node" of both subprotocols simultaneously).

There's a conflation here (and in the original title of the issue) between whether the subprotocols are treated as unmodified black boxes by the overall protocol or by a security analysis, and whether they share security resources.

As I argue in https://github.com/Electric-Coin-Company/tfl-book/issues/42#issuecomment-1731331941, treating the subprotocols as black boxes can result in strictly worse security than having cross-links between the protocols to allow clients in each protocol to verify as much as possible of the other(s). In particular, it does not reduce security to enforce verification of "cross-protocol" conditions that are already supposed to be followed by honest nodes — even if part of the justification for not checking them was that it would introduce additional dependencies between subprotocols.

That is a distinct issue to whether the subprotocols share security resources (e.g. stake or issuance). Let's make it clearer that this ticket is about the latter.

[nathan-at-least]

To clarify and distinguish this ticket from #42:

In #42 we want to clarify the (possibly incorrect) intuition that the EMCKA to violate some security guarantees of Ebb-and-Flow is lower than the EMCKA of either PoS-BFT or PoW.

In this ticket, we want to reason about long term second order dynamics, such as (speculative brainstorm) "an attacker with < 33% stake influences $\Pi{bft}$ subtly to increase the leverage of a $\Pi{bc}$ (PoW) selfish mining attack" or "an attacker uses PoW selfish mining techniques to influence PoS-BFT staking dynamics in such and such a way."

(I haven't paused to consider if those particular brainstorms are feasible or not, but the existings of "Tail Thrashing" in the naive approach to bounded-DA seems like an example of a way to leverage other attacks.)

Since these are second order attacks, they seem like a lower priority concern than first order security.

This kind of second order attack is very difficult to reason about, and it's easy to hand-wave about them. For example, for pure PoS: "an attacker continues to accumulate stake while other participants come and go until they control ≥33% of stake to leverage a safety violation"… ok, but this depends on long term behavior of many different participants, and how can we reason about safety margins around that?