Scribd Logo
Importer

Bienvenue sur Scribd !

  • Identity and Reputation Systems On Ethereum

    Transféré par

    David Krmpotic
    249 vues8 pages
    This summary provides an overview of key points about identity and reputation systems on Ethereum: 1. The document discusses building identity and reputation systems on Ethereum to avoid Sybil attacks, where one user introduces many fake identities. It proposes making identities transferable tokens and reputations permanently attached to identities. 2. It also separates signing keys for activity from security keys that can revoke and replace signing keys if compromised, using multisig for identity security. 3. The document analyzes different relationships between reputation price and cost, finding a linear relationship best prevents Sybil attacks while bounding return on reputation cost. 4. It proposes "Cyril tokens" issued for human-solvable tasks to discourage

    Description originale:

    Explore Identity and Reputation Systems

    Titre original

    Identity and Reputation Systems on Ethereum

    Copyright

    © © All Rights Reserved

    Formats disponibles

    PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    This summary provides an overview of key points about identity and reputation systems on Ethereum: 1. The document discusses building identity and reputation systems on Ethereum to avoid Sybil attacks, where one user introduces many fake identities. It proposes making identities transferable tokens and reputations permanently attached to identities. 2. It also separates signing keys for activity from security keys that can revoke and replace signing keys if compromised, using multisig for identity security. 3. The document analyzes different relationships between reputation price and cost, finding a linear relationship best prevents Sybil attacks while bounding return on reputation cost. 4. It proposes "Cyril tokens" issued for human-solvable tasks to discourage

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    249 vues8 pages

    Identity and Reputation Systems On Ethereum

    Transféré par

    David Krmpotic
    This summary provides an overview of key points about identity and reputation systems on Ethereum: 1. The document discusses building identity and reputation systems on Ethereum to avoid Sybil attacks, where one user introduces many fake identities. It proposes making identities transferable tokens and reputations permanently attached to identities. 2. It also separates signing keys for activity from security keys that can revoke and replace signing keys if compromised, using multisig for identity security. 3. The document analyzes different relationships between reputation price and cost, finding a linear relationship best prevents Sybil attacks while bounding return on reputation cost. 4. It proposes "Cyril tokens" issued for human-solvable tasks to discourage

    Droits d'auteur :

    © All Rights Reserved
    Téléchargez comme PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 8

    Identityandreputationsystemsonethereum

    Abstract

    Inthecontextofethereum,areputationisthatsomethingbywhichasmartcontractora
    DAOrecognizesauser.Anidentityhereisdefinedasacollectionofreputations,who
    areassociatedwitheachotherjustbyvirtueofbeingearnedbythatidentityor(we
    assume)user.Weexplorethelogisticsofbuildingidentityandreputationsystemson
    ethereum,withparticularemphasisplacedonavoidingandmitigatingSybilattackswith
    minimalimpactonthedynamicsofreputationsystems.

    Introduction

    Reputationsystemsareusefulforanysmartcontract,DO,orDAOwhoneedstokeep
    trackoftheirusersonanindividualbasis,likelysothattheycanrewardthemfortheir
    contributions.Everysystemthatcannotusecryptographicproofofcontributionmustuse
    socialproof.Socialproofinherentlyrequiresasecureidentityandreputationsystemin
    ordertofunctionwithoutbeingexploited.Tobeclear,ifnoreputationisrequired,an
    attackercanintroducemanyidentities(perhapsatsomeexpensetoherself)inorderto
    getwhateverbenefitismadeavailabletocontributorswithouthavingactuallymadea
    contribution.Asisconvention,wewillrefertothiskindofanattackasaSybilattack,and
    wewillrefertotheattackerasSybil,andheridentitiesasherfacesorpersonalities(after
    thebookmovieinspiredbyawomanwithmultiplepersonalitydisorder).Moreover,we
    willrefertoauserwhoisnotSybilasCyril.Wewillbeginbydevelopingaschemeforthe
    securityofidentityandreputationasidentifiers,andthenwillturnourattentiontothe
    securityofreputationsystems.

    Identityandreputation

    Werealizethatinasfarasreputationisvaluableanditispossible,reputationwillbe
    boughtandsold.However,theintuitionaboutreputationsisthattheyshouldnotbe
    transferable,foraftertheyhavebeentransferredtheywillnotbeasreliableanindicator
    oftheirownersintegrityorability.Wecouldattachreputationtopublickeysinorderto
    maketheirtrademoredifficult,butthenacompromiseofthecorrespondingprivatekey
    wouldcompromisetheusersreputation.Ifwemakereputationatransferrabletoken,
    thisproblemwouldbesomewhatmitigatedinthecasewheretheprivatekeymighthave
    beencompromised,butitalsofacilitatesthetransactionandtheftofreputation.Wecan
    dobetterbyinsteadmakingidentityatransferrabletoken,andhavingreputationsbe
    permanentlyattachedtoparticularidentities.Theproblemofreputationsaleismitigated
    withthisapproach,iftherearemorethanonereputationsattachedtoidentities.

    However,theissueofthecompromiseofasigningkeyleadingtoidentitytheftandloss
    ofcontrolisstillaconcern.Wethereforewillseparatethesigningkeyfortheactivity
    associatedwithanidentitysreputations(theusagekey),andthekeysrequiredto
    revokeandreplacetheusagekey(thesecuritykeys),incaseofapossiblecompromise.
    HerewewilluseanNofMmultisigschemeoftheuserschoosing,sothatuserscan
    choosetheirpreferedtradeoffbetweenidentitysecurityandconvenienceofusagekey
    revocationandreplacement.Wegototheselengthsbecausewepredictthatwithout
    them,identitytheftmaybecomeasbigofanissueasbitcointheft.Notealsothatthis
    schememakesthesaleofreputationandidentityevenmoredifficult,althoughitisstill
    possible.Wetentativelyregardthisasasatisfactorystateofaffairs,sowewillshiftour
    focusfromidentityandreputationasidentifierstothespecificationofreputation
    systems.

    Asocialreputationsystems

    Whilewewillmainlyfocusonreputationsystemswhosepurposeistoproducesocial
    proofs,itisworthnotingthatasocialreputationsystemsarepossible,forexamplewhen
    cryptographicproofcanbeusedtomeasurecontribution.Thesesystems,too,canbe
    subjecttoSybilattacksundersomecircumstances,aswewillsoonsee.Thisanalysis
    willbetrivial,butitprovidesusefulintuitionsthatwillcarrytotheanalysisofsocial
    reputationsystems.Aswehavementionedbefore,solongasreputationisvaluable,it
    willbeboughtandsold.Therefore,wewillusereputationprice(orrepprice,forshort)to
    refertothepriceatwhichtheparticularreputationinquestionwouldbetraded,perhaps
    inferredbythebenefitsreservedfortheidentitywhichholdsthatreputation.Additionally
    weintroducethenotionofreputationcost(orrepcost),whichisthecosttoaparticular
    userofobtainingaparticularreputation.Notethatrepcostmaybeuserdependent,
    whilereppriceisnot.Finally,wemightconsiderthatingeneralanyreputationsystem
    mightrequireamembershipfeeofusersbeforegrantingthemareputation,andthe
    correspondingaccessthatthatentails.

    Inthefiguresthatfollow,weplotpossiblefunctionalrelationshipsbetweenrep
    priceandrepcost.Theredcurve,commontoallplots,reflectsthecostofmembership
    incurredbyauseruponenteringthereputationsystem.Theslopeofthegreencurve,
    alsocommontoallplots,reflectsthebaselinereppricetorepcostratio.Finally,theblue
    curvereflectstherelationshipbetweenreppriceandrepcost,asimplementedinthe
    particularreputationsystem.Thedifferenceinslopesandtheintersectionpointbetween
    thegreenandbluecurvesareofparticularimportanceintheanalysis.

    Ifforanygivenusertherelationshipbetweenreppriceandrepcostisconcave
    down(asinFigure1),thenthereisarepcostwhichmaximizesthereppricetorepcost
    ratio.Thisincentivizesuserstospreadamultipleoftheoptimalcostevenlyacross
    multipleaccounts,therebymakingthereputationsystemvulnerabletoSybilattack.If,on

    theotherhand,therelationshipbetweenreppriceandrepcostisconcaveup(asin
    Figure2),thenusershaveanincentivetohaveonlyonereputation,andSybilattacks
    areprevented.Thedrawbackinthiscaseisthatuserswhoareabletoinvestmorerep
    costaregoingtodevalueorfarovershadowthereppriceofuserswhoarenotableto
    investasmuchcost,sincetheratioofreppricetorepcostisunbounded.However,
    thereisathirdpossibility(Figure3):lettherelationshipbe(atleastasymptotically)
    linear.Thisisappealingbecauseitsimultaneouslyboundsthereppricetorepcost
    rationandpreventsSybilattacksbyincentivizinguserstohaveonlyonereputation.

    WeobservethatBitcoinisanasocialreputationoftheconcaveupvariety,withhashing
    powerasreputation.Herethereppricecanberegardedasapiethatissplitbetween
    theusersinproportiontotheirreputation,becausereppriceisdeterminedbytheshare
    ofnewlymintedbitcointhatitrepresents.Theeffectisthatuserswhoareabletoinvest
    moreintomininggetmuchhigherrepprice,andtheytherebydilutethereppriceof
    otherusers.IfBitcoinsproofofworkfunctionwasrestrictedtoCPUs,therelationship
    betweenreppriceandrepcostwouldbemuchclosertolinear.

    Cyriltokens

    Ideally,mitigatingSybilattacksonsocialreputationsystemsdiscouragesasmuchas
    possibleSybilsmalicioususeofthesystemwithoutdiscouragingcontributors.Thefirst
    classofapproachesthatwewilldiscussaimstomakeitmoreexpensiveforSybiltouse
    thereputationsystem.Therearetwogoodwaysweknowofaccomplishingthis.One
    simplymakestheuserpayamembershipfeeinordertomakebeingSybilmore
    expensive,eitherthroughproofofburnorapaymentdirectlytothenetwork.Theotheris
    todesignchallengesortasksthatareresistanttoSybilattacksbecausetheyarerelatively
    easyforhumanstodoasmallnumberoftimes,butarehardtoautomate.Thefirstsetof
    solutionsisstraightforwardandisguaranteedtobeeffectivetoapointbuttheobvious
    drawbackisthatallusershavetopay.Solutionsofthesecondtype,ontheotherhand,are
    challengingtoimplementsustainablyparticularlybecauseofadvancesinmachinelearning.
    Iftheycanbedoneinaconvenientway,however,itwillsaveuserscoinandhelpkeep
    Sybiloffofthenetwork.Wewillfocusonsolutionsofthesecondtype,bycreatingasystem
    oftokens,calledCyriltokens,thatareissueduponcompletionofsuchtasks.

    AtaskbasedCyriltokenissaidtobebrokenifitiseasyforSybiltoearnthesetokens.A
    brokenCyriltokenisthereforecheap,andthiswillbereflectedinitspriceifitistradedona
    market.Ontheotherhand,agoodCyriltokenisexpensive,providingevidencethatSybil
    hasnotyetsucceededinautomatingitsproduction.Thereisastrongincentiveforpeople
    toautomatethecreationofthesetokensinasfarastheyareexpensiveorrequiredfor
    accesstoreputationsystems.Iftheysucceedinautomatingthecompletionofthese
    challenges,thepriceoftheCyriltokenswillfall,revealingthatthechallengehasbeen
    broken.

    IfareputationsystemrequiresCyriltokensforuse,insteadofdestroyingthem,itmaysell
    themontothemarket,therebyinterferingwiththepricethatismeanttosignalwhetheror
    nottheCyriltokenisbroken.Therefore,Cyriltokensshouldbeawareofwhethertheyare
    beingtransferredonto/fromtheexchangeornotiftheyaretransferredoutsideofthe
    exchange,theyshouldautomaticallybecomevoid.Whileenforcingsucharulehasits
    difficulties,ithastheadditionalbenefitofmakingthepricesignalstronger,bynearly
    eliminatingthepossibilityofadarkmarketforCyriltoken.

    Socialreputationsystems

    Themainchallengewhenbuildingsocialreputationsystems,aswehavealludedto,is
    avoidingtheeffectiveexploitationandsubsequentcooptingofthesystembySybiland
    hermanypersonalities.Wehavealreadymentionedthatareputationsystemmay
    requiretheexpenditureofCryiltokensforitsuse,howeverthisisntsufficientmitigation
    againstSybilattacksforareputationsystemwhosedesignisinherentlyvulnerable.For
    example,anaiveimplementationmightletanyuserincreaseanyotherusersreputation
    inproportiontotheirownreputation.WhilerequiringCyriltokensincreasesthecostto
    Sybilofusingthesystem,thiscostincreaseslinearlyinthenumberofnodes,whileSybil
    mayincreaseherreputationmuchfaster,inthenumberofreputablenodesintroduced.
    Inthiscase,wehaveaninstanceofFigure2,whereanincreaseincosttoSybilleadsto
    anacceleratingincreaseinherrepprice.Wethereforemustfindmethodsbywhich
    socialreputationscanensurethatSybilsreppriceincreaseslinearlyinherrepcost.
    Preferably,thismitigationwillnotcrippletheintendeddynamicsofthereputationsystem.

    Wehavediscoveredonesuchsolution,whichhappenstobebothcompellingand
    elegant.Itrequiresthatthereputationsystemgiveusersareputationallowance,an
    exhaustiblebudgetforgivingotherusersreputation.Reputationallowancemustbe
    earned,anditmustcostSybilmorethantheincreaseinreppricethatshemightreceive
    fromincreasingherownreputation.Specifically,areputationsystemshouldrequirethe
    expenditureofCyriltokensduringtheactivitythatearnsrepallowanceinaneffortto
    makeitpossibleforthereputationsystemtobeprofitableforCyril,butunprofitablefor
    Sybil.Howpreciselyasocialreputationsystemaccomplishesthiscoordinationwillhave
    tobeimplementationspecific,andthereforewillnotreceivetreatmenthere.


    Allothersolutionsthatwevecomeupwithhaveeitherbeencomputationallydifficultor
    havefailedtomaketheincreaseinreppriceforSybil,gainedbyaddingreputable
    nodes,linearintherepcostinvested.Wewilllistsomeofthesesolutionshere,for
    reference.Keepingtrackofpairsofuserstoinsurethattheydonotincreasetheirrep
    toomuchisanexpensivemitigation,anditonlyreducesthebenefittoSybiltobe
    quadraticinthenumberofnodes,inthebestcase.Havingethereumcreateinstances
    whereonlychosenuserscanincreaseeachothersreputationincreasesthecostor
    waitingtimetoSybil,butdoesnotchangethefundamentaldynamicsofthereputation
    systemitmerelymakesthesameinstancesofexploitationoccurprobabilistically.Using
    machinelearningtoidentifyabusivebehavioursisexpensivetothepointwhereitis
    unfeasibletobuildintotheethereumcontractsofthereputationsystems,althoughit
    providesfuzzypromise.Finally,itisalwayspossibletoemployaweboftrustmodel,in
    thiscaserequiringacentralizedinitializationprocesstobootstrapthenetwork.Whilea
    weboftrustmaybepromisingforsmallercommunities,itiscumbersomeandinhibitive
    onalargerscale.

    Discussion

    MembershipfeesofferasimplemitigationofSybilattacks.Additionally,tofurther
    preventSybilattacksandcentralizationofrepprice,itisimportantforreputationsystems
    tohaveanasymptoticallylinearrelationshipbetweenreppriceandrepcost.Thisistrue
    ofbothasocialandsocialreputationsystems.Insocialreputationsystems,requiring
    Cyriltokensfornetworkactivitythatmightearnauserreputationallowancecan
    successfullymitigateSybilattacks,iftheamountofCyriltokensrequiresiscalibrated
    correctly.However,thiscalibrationwillbecomemoredifficultovertimeasitbecomes
    harderforanygivenusertoprovethattheyarenotautomated.Therefore,thesooner
    weestablishaworkingidentityandreputationsystem,themorelikelywearetofind
    successwithoutexcessivedifficulty.Oncewecancheaplyautomatethecompletionofall
    Turingtests,however,securereputationsystemswillbecomeunprofitableforCyril.

    Conclusion

    Wehavedevelopedaschemethatmakesitpossibletocreateworkingidentityand
    reputationsystems,whichcannotbeexploitedbyautomatedattackers,solongas
    workingtestsforautomationcanbedesigned.Thisdoesnotthenmeanthattheycannot
    beattackedbydedicatedhumanattackers.Theonlymitigationagainstthesemore
    sophisticatedattacksistorequirethatareputationsystemsmembershavesomany
    reputationsattachedtotheiridentitiesthattheycouldnotpossiblyhavemanyidentities
    inthesystem.Thiswillwork,butisonlypossibleinamatureidentityandreputation
    system.Alternatively,usersofareputationsystemcouldberequiredtoconstantly

    broadcasteverythingtheyaredoing,sothattheycanconvincethenetworkthattheyare
    nottakingonmultipleidentities,butthisisnotanattractivesolutioninasfaraswecan
    solvethesameproblembymoreefficientmeans.

    Vous aimerez peut-être aussi