aragon / governance

Proposals about governance models for the Aragon project and the Aragon Network
Creative Commons Zero v1.0 Universal
51 stars 11 forks source link

AGP6: Improved Bribery Resistance in Court Mechanism #14

Open lkngtn opened 7 years ago

lkngtn commented 7 years ago

The Aragon Court mechanism is based on a crypto economic game where a set of judges is selected to review a dispute and return their subjective opinion on a case. The dispute is resolved in favor of the party which has the majority of support from judges. Judges in the majority are rewarded, and those which present outlier opinions are penalized. The system uses a commit-reveal voting mechanism and random judge selection to prevent coordination between judges.

This mechanism works well if we assume that the majority of judges will act honestly and that this mechanism successfully prevents coordination between judges. However, in reality smart-contract based bribes may have a significant impact on the behavior of judges.

P + epsilon Attack

The “P+Epsilon Attack” is a bribery mechanism that can be used to influence outcome of a vote, where voters who are in the majority are rewarded and voters in the minority are punished. The attack requires a high budget, but if successful does not the cost the attacker at all.

In this scenario an attacker makes a credible pre-commitment to bribe judges that is only paid out in the event that the preferred action is in the minority of judges.

The attack creates a prisoners dilemma situation where judges are incentivize to take the bribe because they expect other judges to do the same, even though collectively judges are better off acting honestly.

Thus, the system can be manipulated with a sufficiently large budget, but ultimately zero cost. This attack was described much more thoroughly by Vitalik on the Ethereum blog.

Payoffs for Attackers

How impact of bribes can be mitigated

Proving a judge has taken a bribe

If we can prove a judge has taken a bribe then we can punish them, decreasing their willingness to accept a bribe and forcing the attacker to make a larger pre-commitment in order to effective influence judge behavior.

Unfortunately, It is straightforward for someone to manipulate the outcome of a dispute using either a basic bribe or the P + Epsilon Attack without having to make contact with judges directly, they simple create an Ethereum contract and deposit funds, then have a function to release funds which can be called by anyone after the dispute is settled and automatically pays out to judges or returns money to the attacker depending on the outcome. This means that no action is required from a judge directly, making it impossible to prove that a judges vote was influenced by a bribe.

This makes it very difficult to punish judges, which means that high security deposits or a judge reputation mechanism probably won’t be particularly effective at mitigating impact of bribes.

Appeals Process

We can introduce a multi-tiered appeals process, so that if the result of a arbitration is questioned we retry with a larger number of judges, or require judges to have more stake/reputation to participate in the appeal.

This will increase the amount P+epsilon would need to be in order to effectively influence the dispute. This process can be repeated until there is no desire for an appeal, or increasing the required stake would reduce the number of judges eligible to participate bellow a certain threshold.

Areas for Improvement

  1. It is difficult to punish dishonest judges. How can we make it more difficult for judges to accept bribes passively?
  2. Appeals require a deposit from an honest party. That honest party is taking a risk, as they may lose their deposit if the case is not-overturned, and the attacker may double down on their bribe and successfully influence the appealed case as well. How can we make compromised disputes more likely to be appealed?

Proposal: Judges privately report if dispute has been compromised by bribery

Introduce a new mechanism that enables judges, in additional to voting on how to resolve the dispute, self report when they suspect that a bribe has compromised dispute, the more judges which report a bribe, the cheaper an appeal becomes, and if a majority of judges report a bribe an appeal is automatically triggered.

The result enables judges to act honestly with less risk of ending up in the minority without an appeal being triggered (where they would lose reputation or their part of their staked deposit).

This modification makes it riskier for attackers to bribe, as judges are more likely to act honestly increasing the likelihood that the bribe will need to be paid out.

The combined effect should result in much more fair dispute resolution.

In order to implement a way for judges to privately indicate if they suspect a bribe has influenced the dispute, I’ve outlined two solutions bellow, both approaches essentially do the same thing, but have different strengths and weaknesses.

Possible implementations:

Anonymous Voting with ZKP

This mechanism is credited to the work @stonecoldplat and his work on Anonymous Voting which can be found on his Anonymous Voting repo where he implements the voting protocol in described in this paper.

It uses ZKP and homomorphic encryption to make it impossible for other contracts to know which judge reported being influenced by a bribe without the judge revealing publicly how they voted. Since there would be no reason to reveal this information other than to coordinate with an attacker, we can use this to identify and punish judges who accept bribes.

The main problem with this approach is that a judge can still choose to reveal their vote to an attacker. Which means attackers could write contracts that only allow judges to claim bribes if they confirm that they did not submit a bribe alert. This is still better than before because it requires the judge to interact with the attacker onchain, making it easier to prove the dishonest judges acted maliciously, however they can simply wait to claim a bribe until they have withdrawn their deposit to avoid or delay punishment.

Using Keep or another mechanism for secure multiparty computation

Using the approach described above Judges can still collude with attackers to accept bribes.

It would be more secure if we make it so judges are incapable of revealing their committed alert. Using a mechanism like keep.network to create private storage and execution environment for a smart contract we can have judges encrypt their votes using the public key of the keep, then using the keep to privately decrypt and tally the votes. Returning the result back to the smart contract securely.

This mechanism is objectively better at preventing bribery attacks, but requires sMPC which does not appear to be ready for a production implementation at this time.

lkngtn commented 7 years ago

Note this proposal could be used with the appeal system described in the whitepaper, or with the appeal mechanism described in #5

shyblugs commented 7 years ago

Great to see you working on this luke. One question

the more judges which report a bribe, the cheaper an appeal becomes, and if a majority of judges report a bribe an appeal is automatically triggered.

How can you stop a well funded attacker from triggering perpetual appeals

lkngtn commented 7 years ago

How can you stop a well funded attacker from triggering perpetual appeals

Perpetual appeals are not possible, depending on which appeal system is used ( whitepaper, or #5 ) there is a point where you cannot appeal further because there are not enough new judges that meet the appeal requirement.

A well funded attacker can trigger appeals to that final level, which I think is a good thing. It means that in the event there is a well funded attacker the network requires more judges and more stake in the decision, which makes the amount required to be successful in the attack much more.

If an attacker has enough money to influence the majority of judges at the "final level" then we may still have a problem, but by ensuring that its easier to get to the final level when there is a credible attacker it maximizes the amount the attacker has to have available.

It may make sense to have a rule which allows additional appeals at the final level (but not free), because the more iterations even with the same judges and attackers the more risk there is for the attacker, because it turns the game into an "iterative prisoners dilemma" but haven't really explored that yet.