Cryptoeconomics Cheat Sheet
Cryptoeconomics - a generalized field that deals with a large class of systems that try to use both cryptographic tools and economic incentives defined in the system in order to achieve the information security goals of that system. (Vitalik Buterin)
Cryptoeconomics (alternative definition) - the application of incentive mechanism design to information security problems (Vlad Zamfir).
Incentives:
Cryptoeconomic resource - a resource, possession of which gives agents the right to collectively perform state transitions in the cryptoeconomic system. E.g. hashing power, stake, tokens.
Cryptoeconomic set - all agents possessing the cryptoeconomic resource.
Cryptoeconomic Security Margin - a fraction X of the cryptoeconomic resource such that you can prove "either a given guarantee G is satisfied, or those at fault for violating G are poorer than they otherwise would have been by at least an X fraction of the cryptoeconomic resource". E.g. a security margin of 0.5 means that violating the guarantee G costs the attacker half of all hashing power.
Cryptoeconomic proof - a message signed by an actor that can be interpreted as "I certify that either P is true, or I suffer an economic loss of size X".
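As an added example (not from the cheat sheet's author), the "either P is true, or I lose X" message above as a bonded claim in Python: the proposition is a claimed SHA-256 digest of a blob, an HMAC over a per-agent secret stands in for the agent's signature (an assumption so the code runs with the standard library only), and a challenger who supplies the blob gets the bond slashed when the digest is wrong. The ledger also reports the fraction X of the resource backing a set of proofs, i.e. the security margin defined above.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Proof:
    signer: str
    proposition: str   # the statement P, here "sha256(blob)==<hex digest>"
    bond: int          # X: resource the signer forfeits if P is false
    sig: bytes


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def _encode(signer: str, proposition: str, bond: int) -> bytes:
    return json.dumps({"signer": signer, "p": proposition, "x": bond},
                      sort_keys=True).encode()


class BondLedger:
    """Constructed ledger: locked deposits per agent, slashing of false claims."""

    def __init__(self, resource_total: int):
        self.total = resource_total   # size of the whole cryptoeconomic resource
        self.locked = {}              # agent -> deposit still at risk
        self.keys = {}                # agent -> HMAC secret (stand-in signing key)
        self.settled = set()          # proofs already challenged, no double slashing

    def join(self, agent: str, key: bytes, deposit: int) -> None:
        self.keys[agent] = key
        self.locked[agent] = deposit

    def certify(self, agent: str, claimed_digest: str, bond: int) -> Proof:
        # A claim may only put at risk what the agent actually has locked.
        if bond > self.locked[agent]:
            raise ValueError("bond exceeds locked deposit")
        prop = "sha256(blob)==" + claimed_digest
        sig = hmac.new(self.keys[agent], _encode(agent, prop, bond), hashlib.sha256).digest()
        return Proof(agent, prop, bond, sig)

    def verify(self, proof: Proof) -> bool:
        key = self.keys.get(proof.signer)
        if key is None:
            return False
        expected = hmac.new(key, _encode(proof.signer, proof.proposition, proof.bond),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof.sig)

    def challenge(self, proof: Proof, blob: bytes) -> int:
        """Return the amount slashed: the bond if P is provably false, else 0."""
        if not self.verify(proof):
            raise ValueError("unsigned or forged proof")
        if proof in self.settled or sha256_hex(blob) == proof.proposition.split("==", 1)[1]:
            return 0
        self.settled.add(proof)
        self.locked[proof.signer] -= proof.bond
        return proof.bond

    def security_margin(self, proofs) -> float:
        """Fraction X of the resource that valid proofs put at risk behind the guarantee."""
        return sum(p.bond for p in proofs if self.verify(p)) / self.total
```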
The basic security assumptions that cryptoeconomics depends on are the following:
Security models differ in the assumptions they make about the real world. It is not clear which assumptions are more realistic; nevertheless it is useful to perform the analysis in different models to get a clearer picture of the security of a system.
Different security models give different security margins.
Honest Majority - assumes that up to X (usually a number less than 1/2) of agents are controlled by an attacker, and the remaining agents honestly follow the protocol.
Uncoordinated Majority - assumes that up to X (often between 1/4 and 1/2) of agents are capable of coordinating their actions; all agents are rational in a game-theoretic sense.
Coordinated Majority - assumes that all agents are controlled by the same actor, or are fully capable of coordinating on the economically optimal choice between themselves. We can talk about the cost to the coalition (or profit to the coalition) of achieving some undesirable outcome.
Bribing Attacker - takes the uncoordinated majority model, but instead of making the attacker be one of the participants, the attacker sits outside the protocol, and has the ability to bribe any participants to change their behavior. Attackers are modeled as having a budget, which is the maximum that they are willing to pay, and we can talk about their cost, the amount that they end up paying to disrupt the protocol equilibrium.
Bitcoin with selfish mining fix analysis:
Guarantee G: there is no double spending.
Model | Parameters | Security Margin |
---|---|---|
Honest Majority | ~0.5 (51% attack) | |
Uncoordinated Majority | Level of coordination ~0.5 | ~0.25 (selfish mining attack)* |
Coordinated Majority | Level of coordination ~1 | 0 |
Bribing Attacker | Budget > 13.2 * number_of_blocks | ~0 |
SchellingCoin analysis:
Guarantee G: the result of voting represents the reality.
Model | Parameters | Security Margin |
---|---|---|
Honest Majority | 0.5 (51% attack) | |
Uncoordinated Majority | Level of coordination ~0.5 | ~0.25 ** |
Coordinated Majority | Level of coordination ~1 | 0 |
Bribing Attacker | Budget > 0.5 | ~0 |
** The attacker only needs to possess slightly more than half of the coordinated part of the economic set. The other half has the incentive to vote with the attacker.
A number of protocols, including consensus protocols, blockchain-based lotteries, scalable sampling schemes, etc., require some kind of random number generation in the protocol. There are a number of alternatives, each with its pros and cons: