Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing
Changyu Dong†, Yilei Wang†, Amjad Aldweesh†, Patrick McCorry∗, Aad van Moorsel†
†: Newcastle University
∗: University College London
Contact: changyu.dong@newcastle.ac.uk
What is a Smart Contract?
Computer programs on top of a cryptocurrency system.
Stored in the blockchain.
Executed by the peers.
The correctness of execution is guaranteed by the consensus protocol of the blockchain.
Ideally, we can think of smart contracts as being executed by a trusted global machine.
Self-Enforceable, Less Trust, Cheaper
[Slide graphic: "BLOCKCHAIN!" and "SMART CONTRACT!" repeated, with the years 2015 and 2017]
Cloud Computing: the Truth
Verifiable Cloud Computing: the Problem
[Diagram: the client sends x, f() to the cloud and receives y. Is y = f(x)?]
Verifiable Cloud Computing: the Landscape
Based on Cryptography
Use one cloud to compute
The cloud also generates a cryptographic proof
Cannot generate a valid proof if the computation is wrong
The client checks the proof
Based on Replication
Use multiple clouds to compute the same task.
The client crosschecks results from all clouds
About 1,010 results for “verifiable computation” in Google scholar.
[Chart: "Verifiable Computation" papers each year. 2013: 97; 2014: 155; 2015: 195; 2016: 246; 2017 (July): 168]
How Verifiability Makes Me Bankrupt?
Cloud is NOT free, you have to pay for what you compute.
Without Verifiability: the client sends x, f() and receives y. Is y = f(x)?
Crypto-based Verification: the client sends x, f() and receives y and a crypto proof. “My Money!!!”
Replication-based Verification: do it with n clouds. The client sends x, f() to Cloud 1 … Cloud n and receives y1 … yn. “My Money!!!”
The Goal
Verifiable cloud computing at a competitively low cost.
strong correctness guarantee
pay similar or less than when using on-premises IT infrastructures
Can we?
Cryptography-based: very difficult if not impossible
Replication-based: possible if we pay for only 2 replicas
The Challenge: Collusion
The biggest challenge when using only 2 replicas is collusion.
If the two clouds collude and output the same wrong result, the client cannot
detect it.
And the clouds do have motivation to collude
cost saving, over selling, cutting corners ...
for more profit
And it is relatively easy for two clouds to collude
Traditionally, to mitigate collusion, one must increase the number of replicas
Not an option in our case
Our Idea
Use economic means to undermine the foundation of collusion: trust
Key observations by economists
Collusion is profit driven.
Colluding parties have their own interests.
Colluding parties do not necessarily trust each other.
Without trust, they cannot collude.
Key Instruments
Theory: Game theory
To make collusion a less favorable choice
To create distrust so rational parties will not collude
Practice: Smart Contracts
To realize self-enforcing agreement
To realize automated payments, penalty, and reward
Disclaimers
Ignore what I will say if you believe any of the following:
clouds are reliable.
cloud providers will admit wrongdoings and compensate fairly
confidentiality is your only concern
you are targeted by the clouds and they will attack you at all cost
Adversary Model
Client: honest (as in the literature).
Goal: get a correct result while minimizing cost.
2 clouds: two individual, rational adversaries
Always try to maximize their own payoff
Always understand all consequences.
Retain their separate judgement and act in their own interests
A trusted third party (TTP) “in being”
Offline unless a dispute arises
if the clouds are rational, then the TTP will never be involved
Assumptions
The client cannot recompute the outsourced tasks.
Tasks are deterministic or can be reduced to be deterministic
Tasks are not time critical.
Funds only flow among the parties under discussion, not to/from external parties.
For simplicity, we also assume
Clouds can pick a plausible wrong result at no cost
The clouds have the same cost for computing the same task
Parties are risk neutral
The Prisoner’s Contract: the Rough Idea
The client pays each cloud to compute f(x), the “salary” is w.
The cost for computing f(x) is c.
The clouds must pay a deposit of amount d > c + ch (held by the smart contract) to get the job.
ch is the cost for the TTP to resolve the dispute.
A cheating cloud (if caught) will lose its deposit.
An honest cloud will get a reward if the other cheats.
The Prisoner’s Contract
Step 1: Set up
The client pays 2 · w into the contract; Cloud1 and Cloud2 each pay a deposit d.
Step 2: Outsource
The contract holds 2 · w + 2 · d. The client sends f(), x to Cloud1 and Cloud2. (One cloud to the other: “let’s both send r as the result”.)
Step 3: Deliver Results
Case 1: no one delivers in time. Amount shown: 2 · w + 2 · d.
Case 2: results are equal (y1 = y2). OK. Amounts shown: w + d, w + d.
Case 3: different results (y1 ≠ y2). The contract still holds 2 · w + 2 · d and the TTP is asked for help with f(), x.
Step 4: Resolve Dispute
The TTP computes yt = f(x).
Case 1: Cloud 1 cheats (y1 ≠ yt, y2 = yt). Cheater: cloud 1. Amounts shown: 2 · d + w − ch, w, ch.
Case 2: Cloud 2 cheats (y1 = yt, y2 ≠ yt). Cheater: cloud 2. Amounts shown: 2 · d + w − ch, w, ch.
Case 3: Both cheat (y1 ≠ yt, y2 ≠ yt). Cheater: both. Amounts shown: 2 · d + 2 · w − ch, ch.
The Game
The clouds’ possible actions:
f(x): deliver the correct output in time
r: deliver r ≠ f(x) where r is agreed by both clouds
other: any other action.
[Figure 2: The game induced by the Prisoner’s contract (Game 1), with players C1 and C2. Legend: z = w − c + d − ch, d > c + ch.]
The Equilibrium
Lemma
If d > c + ch, then Game 1 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where
s1 = ([1(f(x)),0(r),0(other)])
s2 = ([1(f(x)),0(r),0(other)])
β1 = ([1(v0)])
β2 = ([1(v1),0(v2),0(v3)])
Theorem
If d > c + ch and C1, C2 are rational, Game 1 will always terminate at v4.
The Analysis
[Figure 2: The game induced by the Prisoner’s contract. Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey.]
The game induced by the prisoner contract is shown in Figure 2. In the game, the players are the two clouds, i.e. N = {C1,C2}. Although the contract also involves the client and the TTP, they can be eliminated from the game because they are honest and have
Prisoner’s dilemma.
Collusion is not a stable state:
If one cheats, the best strategy for the other is to be honest.
Both clouds have motivation to deviate from collusion.
Therefore both will be honest
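Added example (not from the slides or the authors' code): the Prisoner's contract payoffs, derived from the contract rules above, checked for stable outcomes. It simplifies the sequential-equilibrium analysis to pure-strategy Nash equilibria of the 3 x 3 game; the function names and sample values are assumptions made for illustration.

```python
from itertools import product

ACTIONS = ("f(x)", "r", "other")  # action names as used on the slides


def payoffs(a1, a2, w, c, d, ch):
    """Net payoff (u1, u2) of the two clouds for one pair of actions.

    w: salary per cloud, c: cost of computing f(x), d: deposit,
    ch: cost of the TTP resolving a dispute (symbols from the slides).
    """
    z = w - c + d - ch  # honest cloud's net payoff when the other is caught
    if a1 == "f(x)" and a2 == "f(x)":
        return (w - c, w - c)  # equal, correct results: salary minus cost
    if a1 == "r" and a2 == "r":
        # Equal wrong results are not detected, and the slides assume a
        # plausible wrong result costs nothing to produce.
        return (w, w)
    if a1 == "f(x)":
        return (z, -d)         # dispute: cloud 2 is caught, loses its deposit
    if a2 == "f(x)":
        return (-d, z)         # dispute: cloud 1 is caught, loses its deposit
    return (-d, -d)            # neither result is correct: both lose deposits


def pure_nash_equilibria(w, c, d, ch):
    """Action pairs from which neither cloud gains by deviating alone."""
    found = []
    for a1, a2 in product(ACTIONS, repeat=2):
        u1, u2 = payoffs(a1, a2, w, c, d, ch)
        best1 = max(payoffs(alt, a2, w, c, d, ch)[0] for alt in ACTIONS)
        best2 = max(payoffs(a1, alt, w, c, d, ch)[1] for alt in ACTIONS)
        if u1 >= best1 and u2 >= best2:
            found.append((a1, a2))
    return found


def collusion_is_stable(w, c, d, ch):
    """True if both clouds sending the agreed wrong result r is stable."""
    return ("r", "r") in pure_nash_equilibria(w, c, d, ch)


def smallest_safe_deposit(w, c, ch, limit=1000):
    """Smallest integer deposit for which honesty is the only equilibrium."""
    for d in range(limit + 1):
        if pure_nash_equilibria(w, c, d, ch) == [("f(x)", "f(x)")]:
            return d
    return None


if __name__ == "__main__":
    w, c, ch = 10, 4, 3  # constructed sample values
    for d in (5, 7, 8):  # below, at, and above the threshold c + ch
        print("d =", d, "->", pure_nash_equilibria(w, c, d, ch))
    print("smallest safe deposit:", smallest_safe_deposit(w, c, ch))
```

With a deposit at or below c + ch, collusion on r is itself an equilibrium and pays more than honesty; only a deposit strictly above c + ch leaves (f(x), f(x)) as the sole stable outcome.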
Prisoner’s Contract: the Weakness
The equilibrium in the game holds only when both players cannot make credible
commitments.
This is not true when smart contracts can be used.
Colluder’s Contract: the Rough Idea
A contract to redistribute profit and police the collusion.
The ringleader, who initiates the collusion, pays a bribe b to the other (follower).
b  c, otherwise collusion is a less profitable choice for the ringleader
Both clouds, once they agree to collude, pay a deposit t  w + 2 ⋅ d − c − ch − b
The cloud that deviates from the collusion agreement will be punished by losing the deposit t
Colluder’s Contract
b  c
t  w + 2 ⋅ d − c − ch − b
Set-up: the Prisoner’s contract holds 2 · w + 2 · d and both clouds have received f(), x. Amounts shown for the Colluder’s contract: t + b (ringleader), t (follower).
Both betray (both send f(x)). Amounts shown: w + d, w + d, t + b, t.
Ringleader betrays (ringleader sends f(x), follower sends r). Amounts shown: w + 2 · d − ch, w, 2 · t + b.
Follower betrays (follower sends f(x), ringleader sends r). Amounts shown: w + 2 · d − ch, w, 2 · t + b.
Both send r. Amounts shown: w + d, w + d, t + b, t.
The Game
[Figure 3: The game induced by the Prisoner’s contract and the Colluder’s contract (Game 2), with players LDR and FLR. Legend: z = w − c + d − ch, d > c + ch, b  c, t  z + d − b.]
The Equilibrium
Lemma
If d > c + ch, b  c and t  z + d − b, then Game 2 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s strategy and beliefs:
s1 = ([1(init),0(¬init)],[0(f(x)),1(r),0(other)])
s2 = ([1(collude),0(¬collude)],[0(f(x)),1(r),0(other)])
β1 = ([1(v0)],[1(v2)])
β2 = ([1(v1)],[0(v3),1(v4),0(v5)])
Theorem
If d > c + ch, b  c, t  z + d − b and C1, C2 are rational, Game 2 will always terminate at v10.
What Can We Do?
The Colluder’s contract counters the Prisoner’s contract.
The client can design a contract to counter back.
Then the colluding clouds can have a counter counter contract
which can be dealt with by a counter counter counter contract...
Endless loop
Traitor’s Contract: the Rough Idea
Not to counter the Colluder’s contract directly.
But to incentivize the clouds to report collusion.
The first cloud that reports the collusion will not be punished by the Prisoner’s contract, and will get a reward if the collusion is true.
If collusion is reported, the TTP will always be called.
Once collusion is reported, there is no point in countering back.
Payoff depends only on whether the cloud cheats, not on the other cloud’s behavior.
The Consequences
The Traitor’s contract creates distrust between the clouds
they both know the other’s best strategy is to betray
If one tries to initiate collusion, the other will agree but also report.
No rational cloud will want to initiate collusion
Both will stay honest in the first place.
Traitor’s Contract
The Prisoner’s contract holds 2 · w + 2 · d and both clouds have received f(), x. One cloud, the traitor, also signs the Traitor’s contract. Amounts shown for the Traitor’s contract: w + 2 · d − ch, ch.
If the Traitor’s contract is signed, always invoke the TTP. Results y1 and y2 are delivered, the traitor also delivers y′2, and the TTP is asked for help with f(), x. Amounts shown: 2 · w + 2 · d, w + 2 · d. The TTP computes yt = f(x).
Case y1 = y2 = yt: OK. Amounts shown: w + d, w + d, w + 2 · d − ch, ch.
Case y1 = yt, y2 ≠ yt, y′2 = yt: traitor cheated. Amounts shown: w + 2 · d − ch, w, ch, 2 · d − ch, w + ch.
Case y1 ≠ yt, y2 ≠ yt, y′2 = yt: both cheated. Amounts shown: 2 · w + 2 · d − ch, w + 2 · d, ch.
All other cases. Amounts shown: w + 2 · d − ch, ch, ch, ch; the remaining payments are marked “?”.
The Case of Misreporting
One concern over reporting is whether a cloud can benefit from fabricating a case.
In the Traitor’s contract, the reporting cloud will have to bear the cost of dispute resolution.
This makes misreporting unprofitable and no one would do it.
The Misreporting Game
[Figure 4: The sub-game induced by the Prisoner’s contract and the Traitor’s contract (Game 3), with players TRA and OTH. Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey. Legend: z = w − c + d − ch, d > c + ch.]
Before reporting, TRA needs to wait until the other cloud has signed the contract, i.e. fully committed to collusion. Otherwise if TRA reports and the other cloud decides not to sign the Colluder’s
The Equilibrium
Lemma
If d > c + ch, then Game 3 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where s1, β1 are OTH’s strategy and beliefs, and s2, β2 are TRA’s strategy and beliefs:
s1 = ([1(f(x)),0(r),0(other)])
s2 = ([1(¬report),0(report,y′ = f(x)),0(report,y′ ≠ f(x))], [1(f(x)),0(r),0(other)],[1(f(x)),0(r),0(other)], [1(f(x)),0(r),0(other)])
β1 = ([1(v1),0(v2),0(v3)])
β2 = ([1(v0)],[1(v4),0(v5),0(v6)],[1(v7),0(v8),0(v9)], [1(v10),0(v11),0(v12)])
Theorem
If d > c + ch and TRA and OTH are rational, then Game 3 will always terminate at v13.
The Full Game
[Figure 5: The game induced by the Prisoner’s contract, the Colluder’s contract and the Traitor’s contract (Game 4), with players LDR/OTH and FLR/TRA. Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey. Legend: z = w − c + d − ch, d > c + ch, t  z + d − b.]
The Equilibrium
Lemma
If d > c + ch, b  c and t  z + d − b, then Game 4 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s strategy and beliefs:
s1 = ([1(¬init),0(init)],[0(f(x)),1(r),0(other)])
s2 = ([0(¬collude),1(collude)], [0(¬report),1(report,y′ = f(x)),0(report,y′ ≠ f(x))], [0(f(x)),1(r),0(other)],[0(f(x)),1(r),0(other)], [0(f(x)),1(r),0(other)])
β1 = ([1(v0)],[0(v3),1(v4),0(v5)])
β2 = ([0(v6),1(v7),0(v8)],[0(v9),1(v10),0(v11)], [0(v12),1(v13),0(v14)])
Theorem
If d > c + ch, b  c and t  z + d − b and LDR and FLR are rational, then Game 4 will always terminate at v13 in Game 3.
Implementation
Smart contracts on Ethereum
In Solidity language
Captures the clause of the contracts
Some light crypto is used in the contracts to preserve data privacy
Data on the blockchain is publicly visible and cannot be removed
Don’t want plaintext of the input/output on chain
Pedersen’s commitment and NIZK (equality, inequality)
Tested on the official Ethereum network
all transactions can be viewed on the blockchain
e.g. Transaction 0x1dd851fb709d875d9f382b550032f20f24e29539336545b5fd733fd359f8951d
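Added example (not the authors' Solidity code): a Pedersen commitment to a result plus a non-interactive proof that two commitments hide the same value, so results can be compared without putting plaintext on chain. The toy group, the integer encoding of results, the function names and the Schnorr-style equality proof with a Fiat-Shamir challenge are assumptions made for illustration; the slides do not specify the NIZK construction, and the inequality proof is not covered.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example only: P = 2*Q + 1 with P and
# Q prime, so the squares mod P form a subgroup of prime order Q. These sizes
# give no security; a real deployment uses a group of cryptographic size.
P, Q = 2039, 1019
G = 4  # 2^2 mod P, a generator of the order-Q subgroup


def _hash_int(*parts):
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _second_generator():
    """Derive H by hashing, so that nobody chose log_G(H)."""
    counter = 0
    while True:
        h = pow(_hash_int("pedersen-h", counter) % P, 2, P)
        if h not in (0, 1, G):
            return h
        counter += 1


H = _second_generator()


def commit(m, s):
    """Pedersen commitment Com_s(m) = G^m * H^s mod P."""
    return (pow(G, m % Q, P) * pow(H, s % Q, P)) % P


def _challenge(c1, c2, a):
    # Fiat-Shamir challenge bound to both commitments, in the range [1, Q-1].
    return 1 + _hash_int(G, H, c1, c2, a) % (Q - 1)


def prove_equal(s1, s2, c1, c2):
    """Proof that c1 and c2 hide the same value, given both secrets.

    If m1 == m2 then c1 / c2 = H^(s1 - s2), so the prover shows knowledge of
    that exponent with a Schnorr proof made non-interactive by hashing.
    """
    k = secrets.randbelow(Q)
    a = pow(H, k, P)
    e = _challenge(c1, c2, a)
    z = (k + e * (s1 - s2)) % Q
    return (a, z)


def verify_equal(c1, c2, proof):
    """Check H^z == a * (c1 / c2)^e; needs only the commitments and proof."""
    a, z = proof
    ratio = (c1 * pow(c2, -1, P)) % P
    e = _challenge(c1, c2, a)
    return pow(H, z, P) == (a * pow(ratio, e, P)) % P


if __name__ == "__main__":
    y1, y2 = 42, 42  # constructed results, encoded as integers mod Q
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)
    c1, c2 = commit(y1, s1), commit(y2, s2)
    print("commitments on chain:", c1, c2)
    print("equality proof verifies:",
          verify_equal(c1, c2, prove_equal(s1, s2, c1, c2)))
    c3 = commit(43, s2)  # a different result under the same secret
    print("proof for unequal values verifies:",
          verify_equal(c1, c3, prove_equal(s1, s2, c1, c3)))
```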
Cost of Using the Contract
Low cost is a major benefit of using smart contracts vs traditional contracts
Cost related to complexity of computation and amount of data stored
[Slide excerpt from the paper, cropped: it describes commitments (hiding and binding), the Pedersen Commitment Scheme [39], and NIZK proofs of equality and inequality of values concealed in commitments.]
Table 2: Cost of using the smart contracts on the official Ethereum network. The transactions are viewable on th
Contract     Function   Cost in Gas   Cost in $
Prisoner’s   Init       2,298,950     0.4015
Prisoner’s   Create     206,972       0.0361
Prisoner’s   Bid        74,899        0.0131
Prisoner’s   Deliver    94,373        0.0164
Prisoner’s   Pay        821,244       0.1434
Prisoner’s   Dispute    2,126,950     0.3714
Colluder’s   Init       1,971,270     0.3443
Colluder’s   Create     281,852       0.0492
Colluder’s   Join       58,587        0.0102
Colluder’s   Enforce    103,156       0.0180
Traitor’s    Init       2,018,459     0.3525
Traitor’s    Create     161,155       0.0281
Traitor’s    Join       66,802        0.0117
Traitor’s    Deliver    82,846        0.0145
Traitor’s    Check      719,051       0.1256
Future Work
Client as adversary
Multi-interaction and repeated game
More Efficient deposit mechanisms
Counter-collusion contracts for other cases, e.g. e-voting

Más contenido relacionado

Similar a Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing

From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016
From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016
From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016
Marshall Swatt
 
GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...
GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...
GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...
The Statistical and Applied Mathematical Sciences Institute
 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
PROIDEA
 

Similar a Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing (20)

From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016
From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016
From Bits to Bitcoin, Presented by Marshall Swatt Mar 2016
 
Blockchain: The New Technology of Trust
Blockchain: The New Technology of TrustBlockchain: The New Technology of Trust
Blockchain: The New Technology of Trust
 
GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...
GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...
GDRR Opening Workshop - Computer Science Meets Game Theory: Implementing Medi...
 
A Signature Algorithm Based On Chaotic Maps And Factoring Problems
A Signature Algorithm Based On Chaotic Maps And Factoring ProblemsA Signature Algorithm Based On Chaotic Maps And Factoring Problems
A Signature Algorithm Based On Chaotic Maps And Factoring Problems
 
Jehyuk jang and heung no lee ieee double spend
Jehyuk jang and heung no lee ieee double spendJehyuk jang and heung no lee ieee double spend
Jehyuk jang and heung no lee ieee double spend
 
Gate Plait Green V3 Glass and Gates Process, Mark It Mark dialogue
Gate Plait Green V3 Glass and Gates Process, Mark It Mark dialogueGate Plait Green V3 Glass and Gates Process, Mark It Mark dialogue
Gate Plait Green V3 Glass and Gates Process, Mark It Mark dialogue
 
Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618
 
Eclipsecon Europe: Blockchain, Ethereum and Business Applications
Eclipsecon Europe: Blockchain, Ethereum and Business ApplicationsEclipsecon Europe: Blockchain, Ethereum and Business Applications
Eclipsecon Europe: Blockchain, Ethereum and Business Applications
 
Pulverisation in Cyber-Physical Systems: Engineering the Self-Organising Logi...
Pulverisation in Cyber-Physical Systems: Engineering the Self-Organising Logi...Pulverisation in Cyber-Physical Systems: Engineering the Self-Organising Logi...
Pulverisation in Cyber-Physical Systems: Engineering the Self-Organising Logi...
 
Block Chain Technology Report
Block Chain Technology ReportBlock Chain Technology Report
Block Chain Technology Report
 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
 
THE KEY EXCHANGE CRYPTOSYSTEM USED WITH HIGHER ORDER DIOPHANTINE EQUATIONS
THE KEY EXCHANGE CRYPTOSYSTEM USED WITH HIGHER ORDER DIOPHANTINE EQUATIONSTHE KEY EXCHANGE CRYPTOSYSTEM USED WITH HIGHER ORDER DIOPHANTINE EQUATIONS
THE KEY EXCHANGE CRYPTOSYSTEM USED WITH HIGHER ORDER DIOPHANTINE EQUATIONS
 
New edge prediction and anomaly-detection in large computer networks
New edge prediction and anomaly-detection in large computer networksNew edge prediction and anomaly-detection in large computer networks
New edge prediction and anomaly-detection in large computer networks
 
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
Outsmarting Smart Contracts - an essential walkthrough a blockchain security ...
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
 
B017631014
B017631014B017631014
B017631014
 
How to be a smart contract engineer
How to be a smart contract engineerHow to be a smart contract engineer
How to be a smart contract engineer
 
Secure Outsourcing Mechanism for Linear Programming in Cloud Computing
Secure Outsourcing Mechanism for Linear Programming in Cloud ComputingSecure Outsourcing Mechanism for Linear Programming in Cloud Computing
Secure Outsourcing Mechanism for Linear Programming in Cloud Computing
 
Ethereum Smart Contracts 101 with Cryptizens.io
Ethereum Smart Contracts 101 with Cryptizens.ioEthereum Smart Contracts 101 with Cryptizens.io
Ethereum Smart Contracts 101 with Cryptizens.io
 
How to share a secret
How to share a secretHow to share a secret
How to share a secret
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing

  • 1. Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing. Changyu Dong†, Yilei Wang†, Amjad Aldweesh†, Patrick McCorry∗, Aad van Moorsel†. †: Newcastle University. ∗: University College London. Contact: changyu.dong@newcastle.ac.uk
  • 2. What is a Smart Contract? Computer programs on top of a cryptocurrency system. Stored in the blockchain. Executed by the peers. The correctness of execution is guaranteed by the consensus protocol of the blockchain. Ideally, we can think of smart contracts as being executed by a trusted global machine. Self-Enforceable, Less Trust, Cheaper. [Figure: repeated “BLOCKCHAIN!” and “SMART CONTRACT!” captions with the years 2015 and 2017]
  • 4. Cloud Computing: the Truth
  • 5. Verifiable Cloud Computing: the Problem. [Diagram labels: x, f(); y] Is y = f(x)?
  • 6. Verifiable Cloud Computing: the Landscape. Based on Cryptography: Use one cloud to compute. The cloud also generates a cryptographic proof. Cannot generate a valid proof if the computation is wrong. The client checks the proof. Based on Replication: Use multiple clouds to compute the same task. The client crosschecks results from all clouds. About 1,010 results for “verifiable computation” in Google Scholar. [Chart: "Verifiable Computation" papers each year (No. of Papers): 2013: 97; 2014: 155; 2015: 195; 2016: 246; 2017 (July): 168]
  • 7. How Verifiability Makes Me Bankrupt? Cloud is NOT free, you have to pay for what you compute. Without Verifiability. [Diagram labels: x, f(); y; Is y = f(x)?]
  • 8. How Verifiability Makes Me Bankrupt? Cloud is NOT free, you have to pay for what you compute. Crypto-based Verification. [Diagram labels: x, f(); y, crypto proof; “My Money!!!”]
  • 9. How Verifiability Makes Me Bankrupt? Cloud is NOT free, you have to pay for what you compute. Replication-based Verification … do it with n clouds … [Diagram labels: Cloud 1: x, f(), y1; Cloud n: x, f(), yn; “My Money!!!”]
  • 10. The Goal. Verifiable cloud computing at a competitively low cost: strong correctness guarantee; pay similar or less than when using on-premises IT infrastructures. Can we?
  • 11. The Goal. Verifiable cloud computing at a competitively low cost: strong correctness guarantee; pay similar or less than when using on-premises IT infrastructures. Can we? Cryptography-based: very difficult if not impossible.
  • 12. The Goal. Verifiable cloud computing at a competitively low cost: strong correctness guarantee; pay similar or less than when using on-premises IT infrastructures. Can we? Cryptography-based: very difficult if not impossible. Replication-based: possible if we pay for only 2 replicas.
  • 13. The Challenge: Collusion. The biggest challenge when using only 2 replicas is collusion. If the two clouds collude and output the same wrong result, the client cannot detect it. And the clouds do have motivation to collude: cost saving, over selling, cutting corners ... for more profit. And it is relatively easy for two clouds to collude. Traditionally, to mitigate collusion, one must increase the number of replicas. Not an option in our case.
  • 14. Our Idea. Use economic means to undermine the foundation of collusion: trust. Key observations by economists: Collusion is profit driven. Colluding parties have their own interests. Colluding parties do not necessarily trust each other. Without trust, they cannot collude.
  • 15. Key Instruments. Theory: Game theory. To make collusion a less favorable choice. To create distrust so rational parties will not collude. Practice: Smart Contracts. To realize self-enforcing agreement. To realize automated payments, penalty, and reward.
  • 16. Disclaimers. Ignore what I will say if you believe any of the following: clouds are reliable; cloud providers will admit wrongdoings and compensate fairly; confidentiality is your only concern; you are targeted by the clouds and they will attack you at all cost.
  • 17. Adversary Model. Client: honest (as in the literature). Goal: get a correct result while minimizing cost. 2 clouds: two individual, rational adversaries. Always try to maximize their own payoff. Always understand all consequences. Retain their separate judgement and act in their own interests. A trusted third party (TTP) “in being”: offline unless a dispute arises; if the clouds are rational, then the TTP will never be involved.
  • 18. Assumptions. The client cannot recompute the outsourced tasks. Tasks are deterministic or can be reduced to be deterministic. Tasks are not time critical. Funds only flow among the parties under discussion, not to/from external parties. For simplicity, we also assume: Clouds can pick a plausible wrong result at no cost. The clouds have the same cost for computing the same task. Parties are risk neutral.
  • 19. The Prisoner’s Contract: the Rough Idea. The client pays each cloud to compute f(x); the “salary” is w. The cost for computing f(x) is c. The clouds must pay a deposit of amount d > c + ch (held by the smart contract) to get the job; ch is the cost for the TTP to resolve the dispute. A cheating cloud (if caught) will lose its deposit. An honest cloud will get a reward if the other cheats.
  • 20. The Prisoner’s Contract (outline: Step 1 ⇒ Step 2 ⇒ Step 3, Cases 1–3 ⇒ Step 4, Cases 1–3). Step 1: Set up. [Diagram labels: 2 · w; d; d; Cloud1; Cloud2]
  • 21. The Prisoner’s Contract. Step 2: Outsource. [Diagram labels: 2 · w + 2 · d; Cloud1: f(), x; Cloud2: f(), x; “let’s both send r as the result”]
  • 22. The Prisoner’s Contract. Step 3: Deliver Results. Case 1: no one delivers in time. [Diagram labels: 2 · w + 2 · d; Cloud1; Cloud2]
  • 23. The Prisoner’s Contract. Step 3: Deliver Results. Case 2: Results are Equal. [Diagram labels: Cloud1: y1; Cloud2: y2; y1 = y2, OK; w + d; w + d]
  • 24. The Prisoner’s Contract. Step 3: Deliver Results. Case 3: Different Results. [Diagram labels: Cloud1: y1; Cloud2: y2; y1 ≠ y2; 2 · w + 2 · d; “Help!”; f(), x]
  • 25. The Prisoner’s Contract. Step 4: Resolve Dispute. Case 1: Cloud 1 cheats. [Diagram labels: yt = f(x); y1 ≠ yt, y2 = yt; Cheater: cloud 1; ch; w; 2 · d + w − ch]
  • 26. The Prisoner’s Contract. Step 4: Resolve Dispute. Case 2: Cloud 2 cheats. [Diagram labels: yt = f(x); y1 = yt, y2 ≠ yt; Cheater: cloud 2; ch; w; 2 · d + w − ch]
  • 27. The Prisoner’s Contract. Step 4: Resolve Dispute. Case 3: Both cheat. [Diagram labels: yt = f(x); y1 ≠ yt, y2 ≠ yt; Cheater: both; ch; 2 · d + 2 · w − ch]
  • 28. The Game. The clouds’ possible actions: f(x): deliver the correct output in time; r: deliver r ≠ f(x) where r is agreed by both clouds; other: any other action. [Figure 2: The game induced by the Prisoner’s contract (Game 1). Players C1 and C2, each choosing f(x), r or other; payoffs (u1, u2) with z = w − c + d − ch, d > c + ch.]
  • 29. The Equilibrium. Lemma: If d > c + ch, then Game 1 has a unique sequential equilibrium ((s1, s2), (β1, β2)) where s1 = ([1(f(x)), 0(r), 0(other)]), s2 = ([1(f(x)), 0(r), 0(other)]), β1 = ([1(v0)]), β2 = ([1(v1), 0(v2), 0(v3)]). Theorem: If d > c + ch and C1, C2 are rational, Game 1 will always terminate at v4.
  • 30. The Analysis. [Figure 2: The game induced by the Prisoner’s contract. Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey.] The game induced by the Prisoner’s contract is shown in Figure 2. In the game, the players are the two clouds, i.e. N = {C1, C2}. Although the contract also involves the client and the TTP, they can be eliminated from the game because they are honest and have Prisoner’s dilemma. Collusion is not a stable state: If one cheats, the best strategy for the other is to be honest. Both clouds have motivation to deviate from collusion. Therefore both will be honest.
  • 31. Prisoner’s Contract: the Weakness. The equilibrium in the game holds only when both players cannot make credible commitments. This is not true when smart contracts can be used.
  • 32. Colluder’s Contract: the Rough Idea. A contract to redistribute profit and police the collusion. The ringleader, who initiates the collusion, pays a bribe b to the other (follower). b c, otherwise collusion is a less profitable choice for the ringleader. Both clouds, once they agree to collude, pay a deposit t w + 2 ⋅ d − c − ch − b. The cloud that deviates from the collusion agreement will be punished by losing the deposit t.
  • 33. Colluder’s Contract. b c; t w + 2 ⋅ d − c − ch − b. [Diagram labels: 2 · w + 2 · d; ringleader: f(), x, t + b; follower: f(), x, t]
  • 34. Colluder’s Contract. Both betray. [Diagram labels: ringleader: f(x), w + d, t + b; follower: f(x), w + d, t]
  • 35. Colluder’s Contract. Ringleader betrays. [Diagram labels: w + 2 · d − ch; w; ringleader; follower; 2 · t + b; r; f(x)]
  • 36. Colluder’s Contract. Follower betrays. [Diagram labels: w + 2 · d − ch; w; ringleader; follower; 2 · t + b; r; f(x)]
  • 37. Colluder’s Contract. Both send r. [Diagram labels: ringleader; follower; r; r; w + d; w + d; t + b; t]
  • 38. The Game. [Figure 3: The game induced by the Prisoner’s contract and the Colluder’s contract (Game 2). LDR chooses init or ¬init; FLR chooses collude or ¬collude; ¬init and ¬collude lead to Game 1; LDR and FLR then each choose f(x), r or other; payoffs (u1, u2) with z = w − c + d − ch, d > c + ch, b c, t z + d − b.]
  • 39. The Equilibrium. Lemma: If d > c + ch, b c and t z + d − b, then Game 2 has a unique sequential equilibrium ((s1, s2), (β1, β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s strategy and beliefs: s1 = ([1(init), 0(¬init)], [0(f(x)), 1(r), 0(other)]), s2 = ([1(collude), 0(¬collude)], [0(f(x)), 1(r), 0(other)]), β1 = ([1(v0)], [1(v2)]), β2 = ([1(v1)], [0(v3), 1(v4), 0(v5)]). Theorem: If d > c + ch, b c, t z + d − b and C1, C2 are rational, Game 2 will always terminate at v10.
  • 40. What Can We Do? The Colluder’s contract counters the Prisoner’s contract. The client can design a contract to counter back. Then the colluding clouds can have a counter counter contract, which can be dealt with by a counter counter counter contract... Endless loop.
  • 41. Traitor’s Contract: the Rough Idea. Not to counter the Colluder’s contract directly, but to incentivize the clouds to report collusion. The first cloud who reports the collusion will not be punished by the Prisoner’s contract, and will get a reward if the collusion is true. If collusion is reported, the TTP will always be called. Once collusion is reported, there is no point in countering back: payoff depends only on whether the cloud cheats, not on the other cloud’s behavior.
  • 42. The Consequences. The Traitor’s contract creates distrust between the clouds: they both know the other’s best strategy is to betray. If one tries to initiate collusion, the other will agree but also report. No rational cloud will want to initiate collusion. Both will stay honest in the first place.
  • 43. Traitor’s Contract. [Diagram labels: Prisoner’s Contract: 2 · w + 2 · d; Traitor’s Contract: w + 2 · d − ch, ch; traitor; f(), x; f(), x]
  • 44. Traitor’s Contract. If Traitor’s contract is signed, always invoke TTP. [Diagram labels: Prisoner’s Contract: 2 · w + 2 · d; Traitor’s Contract: w + 2 · d; traitor; y1; y2, y′2; “Help!”; f(), x]
  • 45. Traitor’s Contract. y1 = y2 = yt. [Diagram labels: yt = f(x); y1 = yt, y2 = yt; OK; w + 2 · d − ch; w + d; w + d; ch; traitor]
  • 46. Traitor’s Contract. y1 = yt, y2 ≠ yt, y′2 = yt. [Diagram labels: yt = f(x); y1 = yt; y2 ≠ yt; y′2 = yt; traitor cheated; 2 · d − ch; w + 2 · d − ch; w + ch; ch; w]
  • 47. Traitor’s Contract. y1 ≠ yt, y2 ≠ yt, y′2 = yt. [Diagram labels: yt = f(x); y1 ≠ yt; y2 ≠ yt; y′2 = yt; both cheated; 2 · w + 2 · d − ch; w + 2 · d; ch]
  • 48. Traitor’s Contract. All other cases. [Diagram labels: yt; w + 2 · d − ch; ch; ch; ch; four “?” marks; traitor]
  • 49. The Case of Misreporting. One concern over reporting is whether a cloud can benefit from fabricating a case. In the Traitor’s contract, the reporting cloud will have to bear the cost of dispute resolution. This makes misreporting unprofitable and no one would do it.
  • 50. The Misreporting Game. [Figure 4: The sub-game induced by the Prisoner’s contract and the Traitor’s contract (Game 3). Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey. TRA chooses ¬Report, Report with y′ = f(x), or Report with y′ ≠ f(x); OTH and TRA then each choose f(x), r or other; payoffs (u1, u2) with z = w − c + d − ch, d > c + ch.] Before reporting, TRA needs to wait until the other cloud has signed the contract, i.e. fully committed to collusion. Otherwise if TRA reports and the other cloud decides not to sign the Colluder’s
  • 51. The Equilibrium. Lemma: If d > c + ch, then Game 3 has a unique sequential equilibrium ((s1, s2), (β1, β2)) where s1, β1 are OTH’s strategy and beliefs, and s2, β2 are TRA’s strategy and beliefs: s1 = ([1(f(x)), 0(r), 0(other)]), s2 = ([1(¬report), 0(report, y′ = f(x)), 0(report, y′ ≠ f(x))], [1(f(x)), 0(r), 0(other)], [1(f(x)), 0(r), 0(other)], [1(f(x)), 0(r), 0(other)]), β1 = ([1(v1), 0(v2), 0(v3)]), β2 = ([1(v0)], [1(v4), 0(v5), 0(v6)], [1(v7), 0(v8), 0(v9)], [1(v10), 0(v11), 0(v12)]). Theorem: If d > c + ch and TRA and OTH are rational, then Game 3 will always terminate at v13.
  • 52. The Full Game. [Figure 5: The game induced by the Prisoner’s contract, the Colluder’s contract and the Traitor’s contract (Game 4). Bold edges indicate the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey. LDR chooses init or ¬init; FLR chooses collude or ¬collude; ¬init and ¬collude lead to Game 3; FLR/TRA chooses ¬Report, Report with y′ = f(x), or Report with y′ ≠ f(x); LDR/OTH and FLR/TRA then each choose f(x), r or other; payoffs (u1, u2) with z = w − c + d − ch, d > c + ch, t z + d − b.]
  • 53. The Equilibrium. Lemma: If d > c + ch, b c and t z + d − b, then Game 4 has a unique sequential equilibrium ((s1, s2), (β1, β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s strategy and beliefs: s1 = ([1(¬init), 0(init)], [0(f(x)), 1(r), 0(other)]), s2 = ([0(¬collude), 1(collude)], [0(¬report), 1(report, y′ = f(x)), 0(report, y′ ≠ f(x))], [0(f(x)), 1(r), 0(other)], [0(f(x)), 1(r), 0(other)], [0(f(x)), 1(r), 0(other)]), β1 = ([1(v0)], [0(v3), 1(v4), 0(v5)]), β2 = ([0(v6), 1(v7), 0(v8)], [0(v9), 1(v10), 0(v11)], [0(v12), 1(v13), 0(v14)]). Theorem: If d > c + ch, b c and t z + d − b and LDR and FLR are rational, then Game 4 will always terminate at v13 in Game 3.
  • 54. Implementation. Smart contracts on Ethereum, in Solidity language. Captures the clause of the contracts. Some light crypto is used in the contracts to preserve data privacy: data on the blockchain is publicly visible and cannot be removed; don’t want plaintext of the input/output on chain; Pedersen’s commitment and NIZK (equality, inequality). Tested on the official Ethereum network: all transactions can be viewed on the blockchain, e.g. Transaction 0x1dd851fb709d875d9f382b550032f20f24e29539336545b5fd733fd359f8951d
  • 55. Cost of Using the Contract. Low cost is a major benefit of using smart contracts vs traditional contracts. Cost related to complexity of computation and amount of data stored. [Paper excerpt, cropped: commitments and Non-interactive Zero Knowledge Proofs (NIZK). A commitment Coms(m) to a value m under a secret s should be hiding and binding; the implementation uses the Pedersen Commitment Scheme [39]; the NIZK proofs of interest prove the equality or inequality of values concealed in commitments.] Table 2: Cost of using the smart contracts on the official Ethereum network. The transactions are viewable on th (Contract: Function, Cost in Gas, Cost in $) Prisoner’s: Init 2,298,950, 0.4015; Create 206,972, 0.0361; Bid 74,899, 0.0131; Deliver 94,373, 0.0164; Pay 821,244, 0.1434; Dispute 2,126,950, 0.3714. Colluder’s: Init 1,971,270, 0.3443; Create 281,852, 0.0492; Join 58,587, 0.0102; Enforce 103,156, 0.0180. Traitor’s: Init 2,018,459, 0.3525; Create 161,155, 0.0281; Join 66,802, 0.0117; Deliver 82,846, 0.0145; Check 719,051, 0.1256.
  • 56. Future Work. Client as adversary. Multi-interaction and repeated game. More efficient deposit mechanisms. Counter-collusion contracts for other cases, e.g. e-voting.
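The settlement rules on slides 19 to 27 and the side payments on slides 32 to 37 can be checked numerically. The sketch below is an added example, not the authors' Solidity contracts: it restricts each cloud to the two actions f(x) and r, treats the game as simultaneous-move, and lists pure-strategy Nash equilibria rather than the sequential equilibria of the lemmas. All numbers are constructed sample values, with b below c and t chosen large enough that breaking the collusion agreement never pays.

```python
from itertools import product

ACTIONS = ("f(x)", "r")   # honest result, or the agreed wrong result r

def prisoner_payout(y1, y2, truth, w, d, ch):
    """Steps 3-4 of the Prisoner's contract: split the 2w + 2d it holds.
    Returns (cloud1, cloud2, client, ttp)."""
    if y1 == y2:                           # equal results are accepted
        return (w + d, w + d, 0, 0)
    ok1, ok2 = y1 == truth, y2 == truth    # dispute: the TTP recomputes f(x)
    if ok1 and not ok2:
        return (2 * d + w - ch, 0, w, ch)
    if ok2 and not ok1:
        return (0, 2 * d + w - ch, w, ch)
    return (0, 0, 2 * d + 2 * w - ch, ch)  # both results are wrong

def colluder_transfer(a1, a2, t, b):
    """Net side payments (ringleader, follower) under the Colluder's contract."""
    if (a1, a2) == ("r", "r"):
        return (-b, b)             # agreement kept: follower collects the bribe
    if (a1, a2) == ("f(x)", "r"):
        return (-t - b, t + b)     # ringleader betrays and forfeits t + b
    if (a1, a2) == ("r", "f(x)"):
        return (t, -t)             # follower betrays and forfeits t
    return (0, 0)                  # both betray: deposits are returned

def game(w, c, d, ch, colluder=None):
    """Utility table {(a1, a2): (u1, u2)}; cloud 1 is the ringleader.
    colluder is None or a (t, b) pair of side-contract parameters."""
    result = {"f(x)": "truth", "r": "agreed-wrong"}
    cost = {"f(x)": c, "r": 0}     # slide assumption: a wrong result is free
    table = {}
    for a1, a2 in product(ACTIONS, repeat=2):
        p1, p2, _, _ = prisoner_payout(result[a1], result[a2], "truth", w, d, ch)
        u1, u2 = p1 - d - cost[a1], p2 - d - cost[a2]
        if colluder:
            s1, s2 = colluder_transfer(a1, a2, *colluder)
            u1, u2 = u1 + s1, u2 + s2
        table[(a1, a2)] = (u1, u2)
    return table

def pure_equilibria(table):
    """Profiles where neither cloud gains by deviating on its own."""
    found = []
    for (a1, a2), (u1, u2) in table.items():
        if all(table[(x, a2)][0] <= u1 for x in ACTIONS) and \
           all(table[(a1, x)][1] <= u2 for x in ACTIONS):
            found.append((a1, a2))
    return found

if __name__ == "__main__":
    w, c, ch = 10, 4, 3            # constructed sample values
    cases = [("deposit d=8 > c+ch", game(w, c, 8, ch)),
             ("deposit d=6 < c+ch", game(w, c, 6, ch)),
             ("d=8 plus Colluder's contract", game(w, c, 8, ch, (30, 2)))]
    for label, table in cases:
        print(label, pure_equilibria(table))
```

With a deposit above c + ch only honest computation survives; with a smaller deposit collusion on r is also stable; and the Colluder's side payments make collusion the only stable outcome, which is the weakness slide 31 describes.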
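Slide 54 says results are kept off-chain in plaintext by using Pedersen commitments with NIZK proofs of equality. The sketch below is an added example, not the authors' code: it uses a standard Schnorr-style proof made non-interactive with a hash challenge, which is an assumption about the construction, and a 65-bit demonstration group that is far too small for real use. The group search, the label used to derive H, and all function names are constructed for illustration.

```python
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start):
    """Smallest q >= start with q and p = 2q + 1 both prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(2**64)     # demo size only
G = 4                        # a square, so it generates the order-Q subgroup
# H is a hashed-then-squared element, so nobody knows log_G(H).
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % P, 2, P)

def commit(m, s):
    """Pedersen commitment Com_s(m) = G^m * H^s mod P."""
    return pow(G, m % Q, P) * pow(H, s % Q, P) % P

def _challenge(c1, c2, a):
    data = f"{c1}|{c2}|{a}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_equal(c1, s1, c2, s2):
    """Prove c1 and c2 hide the same m: c1/c2 = H^(s1-s2), so show
    knowledge of that exponent without revealing m, s1 or s2."""
    x = (s1 - s2) % Q
    k = secrets.randbelow(Q)
    a = pow(H, k, P)
    return a, (k + _challenge(c1, c2, a) * x) % Q

def verify_equal(c1, c2, proof):
    a, z = proof
    diff = c1 * pow(c2, P - 2, P) % P          # c1 / c2 mod P
    return pow(H, z, P) == a * pow(diff, _challenge(c1, c2, a), P) % P
```

A proof built for two commitments to different values fails verification, because c1/c2 then contains a power of G that no exponent of H can explain without knowing log_G(H).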