Cloud computing has become an irreversible trend. Together comes the pressing need for verifiability, to assure the client the correctness of computation outsourced to the cloud. Existing verifiable computation techniques all have a high overhead, thus if being deployed in the clouds, would render cloud computing more expensive than the on-premises counterpart. To achieve verifiability at a reasonable cost, we leverage game theory and propose a smart contract based solution. In a nutshell, a client lets two clouds compute the same task, and uses smart contracts to stimulate tension, betrayal and distrust between the clouds, so that rational clouds will not collude and cheat. In the absence of collusion, verification of correctness can be done easily by crosschecking the results from the two clouds. We provide a formal analysis of the games induced by the contracts, and prove that the contracts will be effective under certain reasonable assumptions. By resorting to game theory and smart contracts, we are able to avoid heavy cryptographic protocols. The client only needs to pay two clouds to compute in the clear, and a small transaction fee to use the smart contracts. We also conducted a feasibility study that involves implementing the contracts in Solidity and running them on the official Ethereum network.
Betrayal, Distrust, and Rationality: Smart Counter-Collusion Contracts for Verifiable Cloud Computing
1. Betrayal, Distrust, and Rationality
Smart Counter-Collusion Contracts for
Verifiable Cloud Computing
Changyu Dong†
, Yilei Wang†
, Amjad Aldweesh†
,
Patrick McCorry∗
, Aad van Moorsel†
†: Newcastle University
∗: University College London
Contact: changyu.dong@newcastle.ac.uk
2. What is a Smart Contract?
Computer programs on top of a cryptocurrency system.
Stored in the blockchain.
Executed by the peers.
The correctness of execution is guaranteed by the
consensus protocol of the blockchain.
Ideally, we can think the smart contracts as being
executed by a trusted global machine.
Self-Enforceable, Less Trust, Cheaper
BLOCKCHAIN! BLOCKCHAIN!
BLOCKCHAIN! BLOCKCHAIN!
BLOCKCHAIN! BLOCKCHAIN!
BLOCKCHAIN! BLOCKCHAIN!
SMART CONTRACT! SMART CONTRACT!
SMART CONTRACT! SMART CONTRACT!
SMART CONTRACT! SMART CONTRACT!
SMART CONTRACT! SMART CONTRACT!
2015
2017
changyu.dong@newcastle.ac.uk 2 / 38
6. Verifiable Cloud Computing: the Landscape
Based on Cryptography
Use one cloud to compute
The cloud also genreates a cryptographic proof
Cannot generate a valid proof if the computation is wrong
The client checks the proof
Based on Replication
Use multiple clouds to compute the same task.
The client crosschecks results from all clouds
About 1,010 results for “verifiable computation” in Google scholar.
97
155
195
246
168
0
100
200
300
2013 2014 2015 2016 2017
(July)
No. of Papers
"Verifiable Computation" papers each year
changyu.dong@newcastle.ac.uk 6 / 38
7. How Verifiability Makes Me Bankrupt?
Cloud is NOT free, you have to pay for what you compute.
x, f()
y
Is y = f(x)?
Without Verifiability
changyu.dong@newcastle.ac.uk 7 / 38
8. How Verifiability Makes Me Bankrupt?
Cloud is NOT free, you have to pay for what you compute.
x, f()
y, crypto proof
My Money!!
!
Crypto-based Verification
changyu.dong@newcastle.ac.uk 8 / 38
9. How Verifiability Makes Me Bankrupt?
Cloud is NOT free, you have to pay for what you compute.
x, f()
y1
Replication-based Verification
…
do it with n clouds
…
My Money!!
!
x, f()
yn
Cloud 1
Cloud n
changyu.dong@newcastle.ac.uk 9 / 38
10. The Goal
Verifiable cloud computing at a competitively low cost.
strong correctness guarantee
pay similar or less than when using on-premises IT infrastructures
Can we?
changyu.dong@newcastle.ac.uk 10 / 38
11. The Goal
Verifiable cloud computing at a competitively low cost.
strong correctness guarantee
pay similar or less than when using on-premises IT infrastructures
Can we?
Cryptography-base: very difficult if not impossible
changyu.dong@newcastle.ac.uk 10 / 38
12. The Goal
Verifiable cloud computing at a competitively low cost.
strong correctness guarantee
pay similar or less than when using on-premises IT infrastructures
Can we?
Cryptography-base: very difficult if not impossible
Replication-based: possible if we pay for only 2 replicas
changyu.dong@newcastle.ac.uk 10 / 38
13. The Challenge: Collusion
The biggest challenge when using only 2 replicas is collusion.
If the two clouds collude and output the same wrong result, the client cannot
detect it.
And the clouds do have motivation to collude
cost saving, over selling, cutting corners ...
for more profit
And it is relatively easy for two clouds to collude
Traditionally, to mitigate collusion, one must increase the number of replicas
Not an option in our case
changyu.dong@newcastle.ac.uk 11 / 38
14. Our Idea
Use economic means to undermine the foundation of collusion: trust
Key observations by economists
Collusion is profit driven.
Colluding parties have their own interests.
Colluding parties do not necessarily trust each other.
Without trust, they cannot collude.
changyu.dong@newcastle.ac.uk 12 / 38
15. Key Instruments
Theory: Game theory
To make collusion a less favorable choice
To create distrust so rational parties will not collude
Practice: Smart Contracts
To realize self-enforcing agreement
To realize automated payments, penalty, and reward
changyu.dong@newcastle.ac.uk 13 / 38
16. Disclaimers
Ignore what I will say if you believe any of the following:
clouds are reliable.
cloud providers will admit wrongdoings and compensate fairly
confidentiality is your only concern
you are targeted by the clouds and they will attack you at all cost
changyu.dong@newcastle.ac.uk 14 / 38
17. Adversary Model
Client: honest (as in the literature).
Goal: get a correct result while minimizing cost.
2 clouds: two individual, rational adversaries
Always try to maximize their own payoff
Always understand all consequences.
Retain their separate judgement and act in their own interests
A trusted third party (TTP) “in being”
Offline unless a dispute arises
if the clouds are rational, then the TTP will never be involved
changyu.dong@newcastle.ac.uk 15 / 38
18. Assumptions
The client cannot recompute the outsourced tasks.
Tasks are deterministic or can be reduced to be deterministic
Tasks are not time critical.
Funds only flow among the parties under discussion, not to/from external parties.
For simplicity, we also assume
Clouds can pick a plausible wrong result at no cost
The clouds have the same cost for computing the same task
Parties are risk neutral
changyu.dong@newcastle.ac.uk 16 / 38
19. The Prisoner’s Contract: the Rough Idea
The client pays each cloud to compute f(x), the “salary” is w.
The cost for computing f (x) is c
The clouds must pay a deposit of amount d > c + ch (held by the smart contract)
to get the job
ch is the cost for TTP to resolve the dispute.
Cheating cloud (if caught) will lose its deposit
An honest cloud will get a reward if the other cheats.
changyu.dong@newcastle.ac.uk 17 / 38
20. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 1: Set up
2 · w
d
d
Cloud1
Cloud2
changyu.dong@newcastle.ac.uk 18 / 38
21. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 2: Outsource
2 · w + 2 · d
Cloud1
Cloud2
f(), x
f(), x
let’s both send r
as the result
changyu.dong@newcastle.ac.uk 18 / 38
22. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 3: Deliver Results
Case 1: no one deliver in time
2 · w + 2 · d
Cloud1
Cloud2
changyu.dong@newcastle.ac.uk 18 / 38
23. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 3: Deliver Results
Case 2: Results are Equal
Cloud1
Cloud2
y1
y2
y1 = y2
OK
w + d
w + d
changyu.dong@newcastle.ac.uk 18 / 38
24. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 3: Deliver Results
Case 3: Different Results
Cloud1
Cloud2
y1
y2
y1 6= y2 2 · w + 2 · d
Help!
f(), x
changyu.dong@newcastle.ac.uk 18 / 38
25. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 4: Resolve Dispute
Case 1: Cloud 1 cheats
Cloud1
Cloud2
yt = f(x)
yt
Cheater:
cloud 1
ch
w
2 · d +
w
ch
y1 6= yt, y2 = yt
changyu.dong@newcastle.ac.uk 18 / 38
26. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 4: Resolve Dispute
Case 2: Cloud 2 cheats
Cloud1
Cloud2yt
Cheater:
cloud 2
ch
w
2 · d + w
ch
yt = f(x)
y1 = yt, y2 6= yt
changyu.dong@newcastle.ac.uk 18 / 38
27. The Prisoner’s Contract
Step 1
⇓
Step 2
⇓
Step 3
Case 1
Case 2
Case 3
⇓
Step 4
Case 1
Case 2
Case 3
Step 4: Resolve Dispute
Case 3: Both cheat
Cloud1
Cloud2yt
Cheater:
both
ch
2 · d + 2 · w ch
yt = f(x)
y1 6= yt, y2 6= yt
changyu.dong@newcastle.ac.uk 18 / 38
28. The Game
The clouds’ possible actions:
f (x): deliver the correct
output in time
r: deliver r ≠ f (x) where r
is agree by both clouds
other: any other action.
of the cheating cloud(s).
5.2 The Game and Analysis
0
C1
1
4
f (x)
5
r
6
other
f (x)
2
7
f (x)
8
r
9
other
r
3
10
f (x)
11
r
12
other
other
C2 C2
Game 1
⇣w c
w c
⌘ ⇣ z
d
⌘ ⇣ z
d
⌘ ⇣ d
z
⌘ ⇣w
w
⌘ ⇣ d
d
⌘ ⇣ d
z
⌘ ⇣ d
d
⌘ ⇣ d
d
⌘⇣u1
u2
⌘
:
z = w c + d ch,d > c + ch
Figure 2: The game induced by the Prisoner’s contract. Bo
changyu.dong@newcastle.ac.uk 19 / 38
29. The Equilibrium
Lemma
If d > c + ch, then Game 1 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where
⎧⎪⎪⎪⎪⎪
⎨
⎪⎪⎪⎪⎪⎩
s1 = ([1(f (x)),0(r),0(other)])
s2 = ([1(f (x)),0(r),0(other)])
β1 = ([1(v0)])
β2 = ([1(v1),0(v2),0(v3)])
Theorem
If d > c + ch and C1,C2 are rational, Game 1 will always terminate at v4.
changyu.dong@newcastle.ac.uk 20 / 38
30. The Analysis
of the cheating cloud(s).
5.2 The Game and Analysis
0
C1
1
4
f (x)
5
r
6
other
f (x)
2
7
f (x)
8
r
9
other
r
3
10
f (x)
11
r
12
other
other
C2 C2
Game 1
⇣w c
w c
⌘ ⇣ z
d
⌘ ⇣ z
d
⌘ ⇣ d
z
⌘ ⇣w
w
⌘ ⇣ d
d
⌘ ⇣ d
z
⌘ ⇣ d
d
⌘ ⇣ d
d
⌘⇣u1
u2
⌘
:
z = w c + d ch,d > c + ch
Figure 2: The game induced by the Prisoner’s contract. Bold
edges indicate the actions that parties will play in the unique
sequential equilibrium. The reachable terminal node of the
game is in grey.
The game induced by the prisoner contract is shown in Figure
2. In the game, the players are the two clouds, i.e. N = {C1,C2}.
Although the contract also involves the client and the TTP, they
can be eliminated from the game because they are honest and have
4
C1
8b
C2
5, 6
C1
9, 10c
C2
7, 10
C1
9, 10c
C2
8
C1
8b
C2
9, 11
C1
9, 10b
C2
12
C1 8a or
C2 (9, 10b
Table 1: Pay
because C2 will never play
w c that is greater than th
C1 will choose f (x) in ord
Formally, we have the follo
L 5.1. If d c + ch
sequential equilibrium ((s1,
8
s1 = ([1(
s2 = ([1(
Prisoner’s dilemma.
Collusion is not a stable state:
If one cheats, the best strategy for the other is to be honest.
Both clouds have motivation to deviate from collusion.
Therefore both will be honest
changyu.dong@newcastle.ac.uk 21 / 38
31. Prisoner’s Contract: the Weakness
The equilibrium in the game holds only when both players cannot make credible
commitments.
This is not true when smart contracts can be used.
changyu.dong@newcastle.ac.uk 22 / 38
32. Colluder’s Contract: the Rough Idea
A contract to redistribute profit and police the collusion.
The ringleader, who initiates the collusion, pays a bribe b to the other (follower).
b c, otherwise collusion is a less profitable choice for the ringleader
Both clouds, once agree to collude, pay a deposit t w + 2 ⋅ d − c − ch − b
The cloud that deviates from the collusion agreement will be punished by losing
the deposit t
changyu.dong@newcastle.ac.uk 23 / 38
33. Colluder’s Contract
b c
t w + 2 ⋅ d − c − ch − b
2 · w + 2 · d
ringleader
follower
f(), x
f(), x
t + b
t
changyu.dong@newcastle.ac.uk 24 / 38
38. The Game
to
es.
er
ds
ty
it.
We
R).
ud
u-
1
FLR
2
LDR
3
6
f (x)
7
r
8
other
f (x)
4
9
f (x)
10
r
11
other
r
5
12
f (x)
13
r
14
other
other
collude
FLR FLR
0
LDR
initGame 2
Game 1
¬init
Game 1
¬collude
⇣w c
w c
⌘ ⇣w c
w c
⌘ ⇣w c
w c
⌘ ⇣ z t b
d+t+b
⌘ ⇣ z
d
⌘ ⇣ d+t
z t
⌘ ⇣w b
w+b
⌘ ⇣ d+t
d t
⌘ ⇣ d
z
⌘ ⇣ d t b
d+t+b
⌘ ⇣ d
d
⌘⇣u1
u2
⌘
:
z = w c + d ch, d c + ch, b c, t z + d b
Figure 3: The game induced by the Prisoner’s contract and
the Colluder’s contract. Bold edges indicate the actions thatchangyu.dong@newcastle.ac.uk 25 / 38
39. The Equilibrium
Lemma
If d c + ch, b c and t z + d − b, then Game 2 has a unique sequential equilibrium
((s1,s2),(β1,β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s
strategy and beliefs:
⎧⎪⎪⎪⎪⎪
⎨
⎪⎪⎪⎪⎪⎩
s1 = ([1(init),0(¬init)],[0(f (x)),1(r),0(other)])
s2 = ([1(collude),0(¬collude)],[0(f (x)),1(r),0(other)])
β1 = ([1(v0)],[1(v2)])
β2 = ([1(v1)],[0(v3),1(v4),0(v5)])
Theorem
If d c + ch, b c, t z + d − b and C1,C2 are rational, Game 2 will always terminate
at v10.
changyu.dong@newcastle.ac.uk 26 / 38
40. What Can We Do?
The Colluder’s contract counters the Prisoner’s contract.
The client can design a contract to counter back.
Then the colluding clouds can have a counter counter contract
which can be dealt with by a counter counter counter contract...
Endless loop
changyu.dong@newcastle.ac.uk 27 / 38
41. Traitor’s Contract: the Rough Idea
Not to counter the Colluder’s contract directly.
But to incentivize the clouds to report collusion.
The first cloud who reports the collusion will not be punished by the Prisoner’s
contract,
and will get a reward if the collusion is true.
If collusion is reported, the TTP will always be called.
Once collusion is reported, there is no point to counter back
Payoff depends only whether the cloud cheats, not the other cloud’s behavior.
changyu.dong@newcastle.ac.uk 28 / 38
42. The Consequences
The Traitor’s contract creates distrust between the clouds
they both know the other’s best strategy is to betray
If one tries to initiate collusion, the other will agree but also report.
No rational cloud will want to initiate collusion
Both will stay honest in the first place.
changyu.dong@newcastle.ac.uk 29 / 38
43. Traitor’s Contract
2 · w + 2 · d
traitor
f(), x
f(), x
w
+
2 · d
ch ch
Prisoner’s
Contract
Traitor’s Contract
changyu.dong@newcastle.ac.uk 30 / 38
44. Traitor’s Contract
If Traitor’s contract is signed, always invoke TTP
2 · w + 2 · d
traitor
Prisoner’s
Contract
Traitor’s Contract
y1
y2, y0
2
w + 2 · d
Help!
f(), x
changyu.dong@newcastle.ac.uk 30 / 38
45. Traitor’s Contract
y1 = y2 = yt
traitor
Prisoner’s
Contract
Traitor’s Contract
w
+
2 · d
ch
w + d
w + d
OK
ch
yt = f(x)
yt
y1 = yt, y2 = yt
changyu.dong@newcastle.ac.uk 30 / 38
47. Traitor’s Contract
y1 ≠ yt,y2 ≠ yt,y′
2 = yt
traitor
Prisoner’s
Contract
Traitor’s Contract
2 · w + 2 · d ch
both cheated
w + 2 · d
yt = f(x)
yt
y1 6= yt
y2 6= yt
y0
2 = yt
ch
changyu.dong@newcastle.ac.uk 30 / 38
48. Traitor’s Contract
all other cases
traitor
Prisoner’s
Contract
Traitor’s Contract
yt
All other cases
w
+
2 · d
ch
ch
ch
?
?
? ?
changyu.dong@newcastle.ac.uk 30 / 38
49. The Case of Misreporting
One concern over reporting is whether a cloud can benefit from fabricating a case.
In the Traitor’s contract, the reporting cloud will have to bear the cost of dispute
resolution.
This make misreporting unprofitable and no one would do it.
changyu.dong@newcastle.ac.uk 31 / 38
50. The Misreporting Game
0
TRA
1
4
13
f (x)
14
r
15
other
f (x)
5
16
f (x)
17
r
18
other
r
6
19
f (x)
20
r
21
other
other
¬Report
2
7
22
f (x)
23
r
24
other
f (x)
8
25
f (x)
26
r
27
other
r
9
28
f (x)
29
r
30
other
other
Report, 0 = f (x)
3
10
31
f (x)
32
r
33
other
f (x)
11
34
f (x)
35
r
36
other
r
12
37
f (x)
38
r
39
other
other
Report, 0 , f (x)
OTH OTH
TRA TRA TRA TRA TRA TRA
⇣w c
w c
⌘ ⇣ z
d
⌘ ⇣ z
d
⌘ ⇣ d
z
⌘ ⇣w
w
⌘ ⇣ d
d
⌘ ⇣ d
z
⌘ ⇣ d
d
⌘ ⇣ d
d
⌘ ⇣ w c
w c ch
⌘ ⇣ z
d+w c
⌘ ⇣ z
d+w c
⌘ ⇣ d
z
⌘ ⇣ d
z
⌘ ⇣ d
z
⌘ ⇣ d
z
⌘ ⇣ d
z
⌘ ⇣ d
z
⌘ ⇣ w c
w c ch
⌘⇣ z
d
⌘ ⇣ z
d
⌘ ⇣ d
z
⌘ ⇣ d
d
⌘ ⇣ d
d
⌘ ⇣ d
z
⌘ ⇣ d
d
⌘ ⇣ d
d
⌘⇣u1
u2
⌘
:
Game 3
z = w c + d ch, d c + ch
Figure 4: The sub-game induced by the Prisoner’s contract and the Traitor’s contract. Bold edges indicate the actions that
parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey.
Before reporting, TRA needs to wait until the other cloud has
signed the contract, i.e. fully committed to collusion. Otherwise if
TRA reports and the other cloud decides not to sign the Colluder’s
L 7.1. If d c + ch, then Game 3 in Figure 4 has a unique
sequential equilibrium ((s1,s2), ( 1, 2)) wheres1, 1 are OTH’s strat-
egy and beliefs, and s2, 2 are TRA’s strategy and beliefs:
changyu.dong@newcastle.ac.uk 32 / 38
51. The Equilibrium
Lemma
If d c + ch, then Game 3 has a unique sequential equilibrium ((s1,s2),(β1,β2)) where
s1, β1 are OTH’s strategy and beliefs, and s2, β2 are TRA’s strategy and beliefs:
⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪
⎨
⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩
s1 = ([1(f (x)),0(r),0(other)])
s2 = ([1(¬report),0(report,y′
= f (x)),0(report,y′
≠ f (x))],
[1(f (x)),0(r),0(other)],[1(f (x)),0(r),0(other)],
[1(f (x)),0(r),0(other)])
β1 = ([1(v1),0(v2),0(v3)])
β2 = ([1(v0)],[1(v4),0(v5),0(v6)],[1(v7),0(v8),0(v9)],
[1(v10),0(v11),0(v12)])
Theorem
If d c + ch and TRA and OTH are rational, then Game 3 will always terminate at v13.
changyu.dong@newcastle.ac.uk 33 / 38
52. The Full Game
2
FLR/TRA
3
6
15
f (x)
16
r
17
other
f (x)
7
18
f (x)
19
r
20
other
r
8
21
f (x)
22
r
23
other
other
¬Report
4
9
24
f (x)
25
r
26
other
f (x)
10
27
f (x)
28
r
29
other
r
11
30
f (x)
31
r
32
other
other
Report, 0 = f (x)
5
12
33
f (x)
34
r
35
other
f (x)
13
36
f (x)
37
r
38
other
r
14
39
f (x)
40
r
41
other
other
Report, 0 , f (x)
LDR/OTH LDR/OTH
FLR/TRA FLR/TRA FLR/TRA FLR/TRA FLR/TRA FLR/TRA
⇣w c
w c
⌘
⇣ z t b
d+t+b
⌘
⇣ z
d
⌘ ⇣ d+t
z t
⌘
⇣w b
w+b
⌘
⇣ d+t
d t
⌘ ⇣ d
z
⌘
⇣ d t b
d+t+b
⌘
⇣ d
d
⌘ ⇣ w c
w c ch
⌘
⇣ z t b
d+w c+t+b
⌘
⇣ z
d+w c
⌘ ⇣ d+t
z t
⌘
⇣ d b
z+b
⌘
⇣ d+t
z t
⌘ ⇣ d
z
⌘
⇣ d t b
z+t+b
⌘
⇣ d
z
⌘ ⇣ w c
w c ch
⌘
⇣ z t b
d+t+b
⌘
⇣ z
d
⌘ ⇣ d+t
z t
⌘
⇣ d b
d+b
⌘
⇣ d+t
d t
⌘ ⇣ d
z
⌘
⇣ d t b
d+t+b
⌘
⇣ d
d
⌘
1
FLR
collude
0
LDR
init
Game 4
Game 3
¬init
Game 3
¬collude
⇣w c
w c
⌘ ⇣w c
w c
⌘
⇣u1
u2
⌘
:
⇣u1
u2
⌘
:
⇣u1
u2
⌘
:
z = w c + d ch, d c + ch, t z + d b
Figure 5: The game induced by the Prisoner’s contract, the Colluder’s contract and the Traitor’s contract. Bold edges indicate
the actions that parties will play in the unique sequential equilibrium. The reachable terminal node of the game is in grey.
changyu.dong@newcastle.ac.uk 34 / 38
53. The Equilibrium
Lemma
If d c + ch,b c and t z + d − b, then Game 4 has a unique sequential equilibrium
((s1,s2),(β1,β2)) where s1, β1 are LDR’s strategy and beliefs, and s2, β2 are FLR’s
strategy and beliefs:
⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪
⎨
⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩
s1 = ([1(¬init),0(init)],[0(f (x)),1(r),0(other)])
s2 = ([0(¬collude),1(collude)],
[0(¬report),1(report,y′
= f (x)),0(report,y′
≠ f (x))],
[0(f (x)),1(r),0(other)],[0(f (x)),1(r),0(other)],
[0(f (x)),1(r),0(other)])
β1 = ([1(v0)],[0(v3),1(v4),0(v5)])
β2 = ([0(v6),1(v7),0(v8)],[0(v9),1(v10),0(v11)],
[0(v12),1(v13),0(v14)])
Theorem
If d c + ch,b c and t z + d − b and LDR and FLR are rational, then Game 4 will always
terminate at v13 in Game 3.
changyu.dong@newcastle.ac.uk 35 / 38
54. Implementation
Smart contracts on Ethereum
In Solidity language
Captures the clause of the contracts
Some light crypto is used in the contracts to preserve data privacy
Data on the blockchain is publicly visible and cannot be removed
Don’t want plaintext of the input/output on chain
Pedersen’s commitment and NIZK (equality, inequality)
Tested on the official Ethereum network
all transactions can be viewed on the blockchain
e.g. Transaction 0x1dd851fb709d875d9f382b550032f20f24e29539336545b5fd733fd359f8951d
changyu.dong@newcastle.ac.uk 36 / 38
55. Cost of Using the Contract
Low cost is a major benefit of using
smart contracts vs traditional
contracts
Cost related to complexity of
computation and amount of data
stored
ro Knowledge Proofs (NIZK). Informally, a com-
a two-phase protocol. In the commitment phase,
its to a valuem by choosing a secret s to generate
ms (m). The commitment should be hiding, i.e. it
w m given only Coms (m) but not s; the commit-
e binding, i.e. it is infeasible to nd m0 , m and
oms0 (m0) = Coms (m). In our implementation,
own Pedersen Commitment Scheme [39]. NIZK
non-interactively convince a verier about a state-
ng information. We are interested in proving the
ality of values concealed in commitments. More
o commitments Coms1 (m1),Coms2 (m2) and the
m2), a prover can generate a proof = if m1 = m2
Given the commitments and proof, a verier
ion algorithm V (Coms1 (m2),Coms2 (m2), =) or
ms2 (m2), ,) that output 1 only if the relation to
xpect for a negligible probability). The NIZKs we
Contract Functions Cost in Gas Cost in $
Prisoner’s
Init 2,298,950 0.4015
Create 206,972 0.0361
Bid 74,899 0.0131
Deliver 94,373 0.0164
Pay 821,244 0.1434
Dispute 2,126,950 0.3714
Colluder’s
Init 1,971,270 0.3443
Create 281,852 0.0492
Join 58,587 0.0102
Enforce 103,156 0.0180
Traitor’s
Init 2,018,459 0.3525
Create 161,155 0.0281
Join 66,802 0.0117
Deliver 82,846 0.0145
Check 719,051 0.1256
Table 2: Cost of using the smart contracts on the oci
Ethereum network. The transactions are viewable on thchangyu.dong@newcastle.ac.uk 37 / 38
56. Future Work
Client as adversary
Multi-interaction and repeated game
More Efficient deposit mechanisms
Counter-collusion contracts for other cases, e.g. e-voting
changyu.dong@newcastle.ac.uk 38 / 38