Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing

209 views

Published on

Cloud computing has become an irreversible trend. Together comes the pressing need for verifiability, to assure the client the correctness of computation outsourced to the cloud. Existing verifiable computation techniques all have a high overhead, thus if being deployed in the clouds, would render cloud computing more expensive than the on-premises counterpart. To achieve verifiability at a reasonable cost, we leverage game theory and propose a smart contract based solution. In a nutshell, a client lets two clouds compute the same task, and uses smart contracts to stimulate tension, betrayal and distrust between the clouds, so that rational clouds will not collude and cheat. In the absence of collusion, verification of correctness can be done easily by crosschecking the results from the two clouds. We provide a formal analysis of the games induced by the contracts, and prove that the contracts will be effective under certain reasonable assumptions. By resorting to game theory and smart contracts, we are able to avoid heavy cryptographic protocols. The client only needs to pay two clouds to compute in the clear, and a small transaction fee to use the smart contracts. We also conducted a feasibility study that involves implementing the contracts in Solidity and running them on the official Ethereum network.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing

  1. 1. Betrayal, Distrust, and Rationality Smart Counter-Collusion Contracts for Verifiable Cloud Computing Changyu Dong† , Yilei Wang† , Amjad Aldweesh† , Patrick McCorry∗ , Aad van Moorsel† †: Newcastle University ∗: University College London Contact: changyu.dong@newcastle.ac.uk
  2. 2. What is a Smart Contract? Computer programs on top of a cryptocurrency system. Stored in the blockchain. Executed by the peers. The correctness of execution is guaranteed by the consensus protocol of the blockchain. Ideally, we can think the smart contracts as being executed by a trusted global machine. Self-Enforceable, Less Trust, Cheaper BLOCKCHAIN! BLOCKCHAIN! BLOCKCHAIN! BLOCKCHAIN! BLOCKCHAIN! BLOCKCHAIN! BLOCKCHAIN! BLOCKCHAIN! SMART CONTRACT! SMART CONTRACT! SMART CONTRACT! SMART CONTRACT! SMART CONTRACT! SMART CONTRACT! SMART CONTRACT! SMART CONTRACT! 2015 2017 changyu.dong@newcastle.ac.uk 2 / 38
  3. 3. changyu.dong@newcastle.ac.uk 3 / 38
  4. 4. Cloud Computing: the Truth changyu.dong@newcastle.ac.uk 4 / 38
  5. 5. Verifiable Cloud Computing: the Problem x, f() y Is y = f(x)? changyu.dong@newcastle.ac.uk 5 / 38
  6. 6. Verifiable Cloud Computing: the Landscape Based on Cryptography Use one cloud to compute The cloud also genreates a cryptographic proof Cannot generate a valid proof if the computation is wrong The client checks the proof Based on Replication Use multiple clouds to compute the same task. The client crosschecks results from all clouds About 1,010 results for “verifiable computation” in Google scholar. 97 155 195 246 168 0 100 200 300 2013 2014 2015 2016 2017 (July) No. of Papers "Verifiable Computation" papers each year changyu.dong@newcastle.ac.uk 6 / 38
  7. 7. How Verifiability Makes Me Bankrupt? Cloud is NOT free, you have to pay for what you compute. x, f() y Is y = f(x)? Without Verifiability changyu.dong@newcastle.ac.uk 7 / 38
  8. 8. How Verifiability Makes Me Bankrupt? Cloud is NOT free, you have to pay for what you compute. x, f() y, crypto proof My Money!! ! Crypto-based Verification changyu.dong@newcastle.ac.uk 8 / 38
  9. 9. How Verifiability Makes Me Bankrupt? Cloud is NOT free, you have to pay for what you compute. x, f() y1 Replication-based Verification … do it with n clouds … My Money!! ! x, f() yn Cloud 1 Cloud n changyu.dong@newcastle.ac.uk 9 / 38
  10. 10. The Goal Verifiable cloud computing at a competitively low cost. strong correctness guarantee pay similar or less than when using on-premises IT infrastructures Can we? changyu.dong@newcastle.ac.uk 10 / 38
  11. 11. The Goal Verifiable cloud computing at a competitively low cost. strong correctness guarantee pay similar or less than when using on-premises IT infrastructures Can we? Cryptography-base: very difficult if not impossible changyu.dong@newcastle.ac.uk 10 / 38
  12. 12. The Goal Verifiable cloud computing at a competitively low cost. strong correctness guarantee pay similar or less than when using on-premises IT infrastructures Can we? Cryptography-base: very difficult if not impossible Replication-based: possible if we pay for only 2 replicas changyu.dong@newcastle.ac.uk 10 / 38
  13. 13. The Challenge: Collusion The biggest challenge when using only 2 replicas is collusion. If the two clouds collude and output the same wrong result, the client cannot detect it. And the clouds do have motivation to collude cost saving, over selling, cutting corners ... for more profit And it is relatively easy for two clouds to collude Traditionally, to mitigate collusion, one must increase the number of replicas Not an option in our case changyu.dong@newcastle.ac.uk 11 / 38
  14. 14. Our Idea Use economic means to undermine the foundation of collusion: trust Key observations by economists Collusion is profit driven. Colluding parties have their own interests. Colluding parties do not necessarily trust each other. Without trust, they cannot collude. changyu.dong@newcastle.ac.uk 12 / 38
  15. 15. Key Instruments Theory: Game theory To make collusion a less favorable choice To create distrust so rational parties will not collude Practice: Smart Contracts To realize self-enforcing agreement To realize automated payments, penalty, and reward changyu.dong@newcastle.ac.uk 13 / 38
  16. 16. Disclaimers Ignore what I will say if you believe any of the following: clouds are reliable. cloud providers will admit wrongdoings and compensate fairly confidentiality is your only concern you are targeted by the clouds and they will attack you at all cost changyu.dong@newcastle.ac.uk 14 / 38
  17. 17. Adversary Model Client: honest (as in the literature). Goal: get a correct result while minimizing cost. 2 clouds: two individual, rational adversaries Always try to maximize their own payoff Always understand all consequences. Retain their separate judgement and act in their own interests A trusted third party (TTP) “in being” Offline unless a dispute arises if the clouds are rational, then the TTP will never be involved changyu.dong@newcastle.ac.uk 15 / 38
  18. 18. Assumptions The client cannot recompute the outsourced tasks. Tasks are deterministic or can be reduced to be deterministic Tasks are not time critical. Funds only flow among the parties under discussion, not to/from external parties. For simplicity, we also assume Clouds can pick a plausible wrong result at no cost The clouds have the same cost for computing the same task Parties are risk neutral changyu.dong@newcastle.ac.uk 16 / 38
  19. 19. The Prisoner’s Contract: the Rough Idea The client pays each cloud to compute f(x), the “salary” is w. The cost for computing f (x) is c The clouds must pay a deposit of amount d > c + ch (held by the smart contract) to get the job ch is the cost for TTP to resolve the dispute. Cheating cloud (if caught) will lose its deposit An honest cloud will get a reward if the other cheats. changyu.dong@newcastle.ac.uk 17 / 38
  20. 20. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 1: Set up 2 · w d d Cloud1 Cloud2 changyu.dong@newcastle.ac.uk 18 / 38
  21. 21. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 2: Outsource 2 · w + 2 · d Cloud1 Cloud2 f(), x f(), x let’s both send r as the result changyu.dong@newcastle.ac.uk 18 / 38
  22. 22. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 3: Deliver Results Case 1: no one deliver in time 2 · w + 2 · d Cloud1 Cloud2 changyu.dong@newcastle.ac.uk 18 / 38
  23. 23. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 3: Deliver Results Case 2: Results are Equal Cloud1 Cloud2 y1 y2 y1 = y2 OK w + d w + d changyu.dong@newcastle.ac.uk 18 / 38
  24. 24. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 3: Deliver Results Case 3: Different Results Cloud1 Cloud2 y1 y2 y1 6= y2 2 · w + 2 · d Help! f(), x changyu.dong@newcastle.ac.uk 18 / 38
  25. 25. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 4: Resolve Dispute Case 1: Cloud 1 cheats Cloud1 Cloud2 yt = f(x) yt Cheater: cloud 1 ch w 2 · d + w ch y1 6= yt, y2 = yt changyu.dong@newcastle.ac.uk 18 / 38
  26. 26. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 4: Resolve Dispute Case 2: Cloud 2 cheats Cloud1 Cloud2yt Cheater: cloud 2 ch w 2 · d + w ch yt = f(x) y1 = yt, y2 6= yt changyu.dong@newcastle.ac.uk 18 / 38
  27. 27. The Prisoner’s Contract Step 1 ⇓ Step 2 ⇓ Step 3 Case 1 Case 2 Case 3 ⇓ Step 4 Case 1 Case 2 Case 3 Step 4: Resolve Dispute Case 3: Both cheat Cloud1 Cloud2yt Cheater: both ch 2 · d + 2 · w ch yt = f(x) y1 6= yt, y2 6= yt changyu.dong@newcastle.ac.uk 18 / 38
  28. 28. The Game The clouds’ possible actions: f (x): deliver the correct output in time r: deliver r ≠ f (x) where r is agree by both clouds other: any other action. of the cheating cloud(s). 5.2 The Game and Analysis 0 C1 1 4 f (x) 5 r 6 other f (x) 2 7 f (x) 8 r 9 other r 3 10 f (x) 11 r 12 other other C2 C2 Game 1 ⇣w c w c ⌘ ⇣ z d ⌘ ⇣ z d ⌘ ⇣ d z ⌘ ⇣w w ⌘ ⇣ d d ⌘ ⇣ d z ⌘ ⇣ d d ⌘ ⇣ d d ⌘⇣u1 u2 ⌘ : z = w c + d ch,d > c + ch Figure 2: The game induced by the Prisoner’s contract. Bo changyu.dong@newcastle.ac.uk 19 / 38
  29. 29. The Equilibrium Lemma If d > c + ch, then Game 1 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where ⎧⎪⎪⎪⎪⎪ ⎨ ⎪⎪⎪⎪⎪⎩ s1 = ([1(f (x)),0(r),0(other)]) s2 = ([1(f (x)),0(r),0(other)]) β1 = ([1(v0)]) β2 = ([1(v1),0(v2),0(v3)]) Theorem If d > c + ch and C1,C2 are rational, Game 1 will always terminate at v4. changyu.dong@newcastle.ac.uk 20 / 38
  30. 30. The Analysis of the cheating cloud(s). 5.2 The Game and Analysis 0 C1 1 4 f (x) 5 r 6 other f (x) 2 7 f (x) 8 r 9 other r 3 10 f (x) 11 r 12 other other C2 C2 Game 1 ⇣w c w c ⌘ ⇣ z d ⌘ ⇣ z d ⌘ ⇣ d z ⌘ ⇣w w ⌘ ⇣ d d ⌘ ⇣ d z ⌘ ⇣ d d ⌘ ⇣ d d ⌘⇣u1 u2 ⌘ : z = w c + d ch,d > c + ch Figure 2: The game induced by the Prisoner’s contract. Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey. The game induced by the prisoner contract is shown in Figure 2. In the game, the players are the two clouds, i.e. N = {C1,C2}. Although the contract also involves the client and the TTP, they can be eliminated from the game because they are honest and have 4 C1 8b C2 5, 6 C1 9, 10c C2 7, 10 C1 9, 10c C2 8 C1 8b C2 9, 11 C1 9, 10b C2 12 C1 8a or C2 (9, 10b Table 1: Pay because C2 will never play w c that is greater than th C1 will choose f (x) in ord Formally, we have the follo L 5.1. If d c + ch sequential equilibrium ((s1, 8 s1 = ([1( s2 = ([1( Prisoner’s dilemma. Collusion is not a stable state: If one cheats, the best strategy for the other is to be honest. Both clouds have motivation to deviate from collusion. Therefore both will be honest changyu.dong@newcastle.ac.uk 21 / 38
  31. 31. Prisoner’s Contract: the Weakness The equilibrium in the game holds only when both players cannot make credible commitments. This is not true when smart contracts can be used. changyu.dong@newcastle.ac.uk 22 / 38
  32. 32. Colluder’s Contract: the Rough Idea A contract to redistribute profit and police the collusion. The ringleader, who initiates the collusion, pays a bribe b to the other (follower). b c, otherwise collusion is a less profitable choice for the ringleader Both clouds, once agree to collude, pay a deposit t w + 2 ⋅ d − c − ch − b The cloud that deviates from the collusion agreement will be punished by losing the deposit t changyu.dong@newcastle.ac.uk 23 / 38
  33. 33. Colluder’s Contract b c t w + 2 ⋅ d − c − ch − b 2 · w + 2 · d ringleader follower f(), x f(), x t + b t changyu.dong@newcastle.ac.uk 24 / 38
  34. 34. Colluder’s Contract Both betray w + d ringleader follower t + b f(x) f(x) t w + d changyu.dong@newcastle.ac.uk 24 / 38
  35. 35. Colluder’s Contract Ringleader betrays w + 2 · d ch ringleader follower 2 · t + b r f(x) w changyu.dong@newcastle.ac.uk 24 / 38
  36. 36. Colluder’s Contract Follower betrays w + 2 · d ch ringleader follower 2 · t + b r f(x) w changyu.dong@newcastle.ac.uk 24 / 38
  37. 37. Colluder’s Contract Both send r w + d ringleader follower t + b r r w + d t changyu.dong@newcastle.ac.uk 24 / 38
  38. 38. The Game to es. er ds ty it. We R). ud u- 1 FLR 2 LDR 3 6 f (x) 7 r 8 other f (x) 4 9 f (x) 10 r 11 other r 5 12 f (x) 13 r 14 other other collude FLR FLR 0 LDR initGame 2 Game 1 ¬init Game 1 ¬collude ⇣w c w c ⌘ ⇣w c w c ⌘ ⇣w c w c ⌘ ⇣ z t b d+t+b ⌘ ⇣ z d ⌘ ⇣ d+t z t ⌘ ⇣w b w+b ⌘ ⇣ d+t d t ⌘ ⇣ d z ⌘ ⇣ d t b d+t+b ⌘ ⇣ d d ⌘⇣u1 u2 ⌘ : z = w c + d ch, d c + ch, b c, t z + d b Figure 3: The game induced by the Prisoner’s contract and the Colluder’s contract. Bold edges indicate the actions thatchangyu.dong@newcastle.ac.uk 25 / 38
  39. 39. The Equilibrium Lemma If d c + ch, b c and t z + d − b, then Game 2 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s strategy and beliefs: ⎧⎪⎪⎪⎪⎪ ⎨ ⎪⎪⎪⎪⎪⎩ s1 = ([1(init),0(¬init)],[0(f (x)),1(r),0(other)]) s2 = ([1(collude),0(¬collude)],[0(f (x)),1(r),0(other)]) β1 = ([1(v0)],[1(v2)]) β2 = ([1(v1)],[0(v3),1(v4),0(v5)]) Theorem If d c + ch, b c, t z + d − b and C1,C2 are rational, Game 2 will always terminate at v10. changyu.dong@newcastle.ac.uk 26 / 38
  40. 40. What Can We Do? The Colluder’s contract counters the Prisoner’s contract. The client can design a contract to counter back. Then the colluding clouds can have a counter counter contract which can be dealt with by a counter counter counter contract... Endless loop changyu.dong@newcastle.ac.uk 27 / 38
  41. 41. Traitor’s Contract: the Rough Idea Not to counter the Colluder’s contract directly. But to incentivize the clouds to report collusion. The first cloud who reports the collusion will not be punished by the Prisoner’s contract, and will get a reward if the collusion is true. If collusion is reported, the TTP will always be called. Once collusion is reported, there is no point to counter back Payoff depends only whether the cloud cheats, not the other cloud’s behavior. changyu.dong@newcastle.ac.uk 28 / 38
  42. 42. The Consequences The Traitor’s contract creates distrust between the clouds they both know the other’s best strategy is to betray If one tries to initiate collusion, the other will agree but also report. No rational cloud will want to initiate collusion Both will stay honest in the first place. changyu.dong@newcastle.ac.uk 29 / 38
  43. 43. Traitor’s Contract 2 · w + 2 · d traitor f(), x f(), x w + 2 · d ch ch Prisoner’s Contract Traitor’s Contract changyu.dong@newcastle.ac.uk 30 / 38
  44. 44. Traitor’s Contract If Traitor’s contract is signed, always invoke TTP 2 · w + 2 · d traitor Prisoner’s Contract Traitor’s Contract y1 y2, y0 2 w + 2 · d Help! f(), x changyu.dong@newcastle.ac.uk 30 / 38
  45. 45. Traitor’s Contract y1 = y2 = yt traitor Prisoner’s Contract Traitor’s Contract w + 2 · d ch w + d w + d OK ch yt = f(x) yt y1 = yt, y2 = yt changyu.dong@newcastle.ac.uk 30 / 38
  46. 46. Traitor’s Contract y1 = yt,y2 ≠ yt,y′ 2 = yt traitor Prisoner’s Contract Traitor’s Contract 2 · d ch w + 2 · d ch traitor cheated w + ch yt = f(x) yt y1 = yt y2 6= yt y0 2 = yt ch w changyu.dong@newcastle.ac.uk 30 / 38
  47. 47. Traitor’s Contract y1 ≠ yt,y2 ≠ yt,y′ 2 = yt traitor Prisoner’s Contract Traitor’s Contract 2 · w + 2 · d ch both cheated w + 2 · d yt = f(x) yt y1 6= yt y2 6= yt y0 2 = yt ch changyu.dong@newcastle.ac.uk 30 / 38
  48. 48. Traitor’s Contract all other cases traitor Prisoner’s Contract Traitor’s Contract yt All other cases w + 2 · d ch ch ch ? ? ? ? changyu.dong@newcastle.ac.uk 30 / 38
  49. 49. The Case of Misreporting One concern over reporting is whether a cloud can benefit from fabricating a case. In the Traitor’s contract, the reporting cloud will have to bear the cost of dispute resolution. This make misreporting unprofitable and no one would do it. changyu.dong@newcastle.ac.uk 31 / 38
  50. 50. The Misreporting Game 0 TRA 1 4 13 f (x) 14 r 15 other f (x) 5 16 f (x) 17 r 18 other r 6 19 f (x) 20 r 21 other other ¬Report 2 7 22 f (x) 23 r 24 other f (x) 8 25 f (x) 26 r 27 other r 9 28 f (x) 29 r 30 other other Report, 0 = f (x) 3 10 31 f (x) 32 r 33 other f (x) 11 34 f (x) 35 r 36 other r 12 37 f (x) 38 r 39 other other Report, 0 , f (x) OTH OTH TRA TRA TRA TRA TRA TRA ⇣w c w c ⌘ ⇣ z d ⌘ ⇣ z d ⌘ ⇣ d z ⌘ ⇣w w ⌘ ⇣ d d ⌘ ⇣ d z ⌘ ⇣ d d ⌘ ⇣ d d ⌘ ⇣ w c w c ch ⌘ ⇣ z d+w c ⌘ ⇣ z d+w c ⌘ ⇣ d z ⌘ ⇣ d z ⌘ ⇣ d z ⌘ ⇣ d z ⌘ ⇣ d z ⌘ ⇣ d z ⌘ ⇣ w c w c ch ⌘⇣ z d ⌘ ⇣ z d ⌘ ⇣ d z ⌘ ⇣ d d ⌘ ⇣ d d ⌘ ⇣ d z ⌘ ⇣ d d ⌘ ⇣ d d ⌘⇣u1 u2 ⌘ : Game 3 z = w c + d ch, d c + ch Figure 4: The sub-game induced by the Prisoner’s contract and the Traitor’s contract. Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey. Before reporting, TRA needs to wait until the other cloud has signed the contract, i.e. fully committed to collusion. Otherwise if TRA reports and the other cloud decides not to sign the Colluder’s L 7.1. If d c + ch, then Game 3 in Figure 4 has a unique sequential equilibrium ((s1,s2), ( 1, 2)) wheres1, 1 are OTH’s strat- egy and beliefs, and s2, 2 are TRA’s strategy and beliefs: changyu.dong@newcastle.ac.uk 32 / 38
  51. 51. The Equilibrium Lemma If d c + ch, then Game 3 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where s1, β1 are OTH’s strategy and beliefs, and s2, β2 are TRA’s strategy and beliefs: ⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪ ⎨ ⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩ s1 = ([1(f (x)),0(r),0(other)]) s2 = ([1(¬report),0(report,y′ = f (x)),0(report,y′ ≠ f (x))], [1(f (x)),0(r),0(other)],[1(f (x)),0(r),0(other)], [1(f (x)),0(r),0(other)]) β1 = ([1(v1),0(v2),0(v3)]) β2 = ([1(v0)],[1(v4),0(v5),0(v6)],[1(v7),0(v8),0(v9)], [1(v10),0(v11),0(v12)]) Theorem If d c + ch and TRA and OTH are rational, then Game 3 will always terminate at v13. changyu.dong@newcastle.ac.uk 33 / 38
  52. 52. The Full Game 2 FLR/TRA 3 6 15 f (x) 16 r 17 other f (x) 7 18 f (x) 19 r 20 other r 8 21 f (x) 22 r 23 other other ¬Report 4 9 24 f (x) 25 r 26 other f (x) 10 27 f (x) 28 r 29 other r 11 30 f (x) 31 r 32 other other Report, 0 = f (x) 5 12 33 f (x) 34 r 35 other f (x) 13 36 f (x) 37 r 38 other r 14 39 f (x) 40 r 41 other other Report, 0 , f (x) LDR/OTH LDR/OTH FLR/TRA FLR/TRA FLR/TRA FLR/TRA FLR/TRA FLR/TRA ⇣w c w c ⌘ ⇣ z t b d+t+b ⌘ ⇣ z d ⌘ ⇣ d+t z t ⌘ ⇣w b w+b ⌘ ⇣ d+t d t ⌘ ⇣ d z ⌘ ⇣ d t b d+t+b ⌘ ⇣ d d ⌘ ⇣ w c w c ch ⌘ ⇣ z t b d+w c+t+b ⌘ ⇣ z d+w c ⌘ ⇣ d+t z t ⌘ ⇣ d b z+b ⌘ ⇣ d+t z t ⌘ ⇣ d z ⌘ ⇣ d t b z+t+b ⌘ ⇣ d z ⌘ ⇣ w c w c ch ⌘ ⇣ z t b d+t+b ⌘ ⇣ z d ⌘ ⇣ d+t z t ⌘ ⇣ d b d+b ⌘ ⇣ d+t d t ⌘ ⇣ d z ⌘ ⇣ d t b d+t+b ⌘ ⇣ d d ⌘ 1 FLR collude 0 LDR init Game 4 Game 3 ¬init Game 3 ¬collude ⇣w c w c ⌘ ⇣w c w c ⌘ ⇣u1 u2 ⌘ : ⇣u1 u2 ⌘ : ⇣u1 u2 ⌘ : z = w c + d ch, d c + ch, t z + d b Figure 5: The game induced by the Prisoner’s contract, the Colluder’s contract and the Traitor’s contract. Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey. changyu.dong@newcastle.ac.uk 34 / 38
  53. 53. The Equilibrium Lemma If d c + ch,b c and t z + d − b, then Game 4 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s strategy and beliefs: ⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪ ⎨ ⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩ s1 = ([1(¬init),0(init)],[0(f (x)),1(r),0(other)]) s2 = ([0(¬collude),1(collude)], [0(¬report),1(report,y′ = f (x)),0(report,y′ ≠ f (x))], [0(f (x)),1(r),0(other)],[0(f (x)),1(r),0(other)], [0(f (x)),1(r),0(other)]) β1 = ([1(v0)],[0(v3),1(v4),0(v5)]) β2 = ([0(v6),1(v7),0(v8)],[0(v9),1(v10),0(v11)], [0(v12),1(v13),0(v14)]) Theorem If d c + ch,b c and t z + d − b and LDR and FLR are rational, then Game 4 will always terminate at v13 in Game 3. changyu.dong@newcastle.ac.uk 35 / 38
  54. 54. Implementation Smart contracts on Ethereum In Solidity language Captures the clause of the contracts Some light crypto is used in the contracts to preserve data privacy Data on the blockchain is publicly visible and cannot be removed Don’t want plaintext of the input/output on chain Pedersen’s commitment and NIZK (equality, inequality) Tested on the official Ethereum network all transactions can be viewed on the blockchain e.g. Transaction 0x1dd851fb709d875d9f382b550032f20f24e29539336545b5fd733fd359f8951d changyu.dong@newcastle.ac.uk 36 / 38
  55. 55. Cost of Using the Contract Low cost is a major benefit of using smart contracts vs traditional contracts Cost related to complexity of computation and amount of data stored ro Knowledge Proofs (NIZK). Informally, a com- a two-phase protocol. In the commitment phase, its to a valuem by choosing a secret s to generate ms (m). The commitment should be hiding, i.e. it w m given only Coms (m) but not s; the commit- e binding, i.e. it is infeasible to nd m0 , m and oms0 (m0) = Coms (m). In our implementation, own Pedersen Commitment Scheme [39]. NIZK non-interactively convince a verier about a state- ng information. We are interested in proving the ality of values concealed in commitments. More o commitments Coms1 (m1),Coms2 (m2) and the m2), a prover can generate a proof = if m1 = m2 Given the commitments and proof, a verier ion algorithm V (Coms1 (m2),Coms2 (m2), =) or ms2 (m2), ,) that output 1 only if the relation to xpect for a negligible probability). The NIZKs we Contract Functions Cost in Gas Cost in $ Prisoner’s Init 2,298,950 0.4015 Create 206,972 0.0361 Bid 74,899 0.0131 Deliver 94,373 0.0164 Pay 821,244 0.1434 Dispute 2,126,950 0.3714 Colluder’s Init 1,971,270 0.3443 Create 281,852 0.0492 Join 58,587 0.0102 Enforce 103,156 0.0180 Traitor’s Init 2,018,459 0.3525 Create 161,155 0.0281 Join 66,802 0.0117 Deliver 82,846 0.0145 Check 719,051 0.1256 Table 2: Cost of using the smart contracts on the oci Ethereum network. The transactions are viewable on thchangyu.dong@newcastle.ac.uk 37 / 38
  56. 56. Future Work Client as adversary Multi-interaction and repeated game More Efficient deposit mechanisms Counter-collusion contracts for other cases, e.g. e-voting changyu.dong@newcastle.ac.uk 38 / 38

×