Author Topic: Witness surety bonds  (Read 3587 times)


Offline Permie


Offline VoR0220

This actually has a good amount of game theory behind it as well. If the network notices that there is an attack and a high number of bans, then the voters are likely to set the bond fee to be much higher for newer sign ups for a temporary period until the network assumes that it is safe to drop them back down again, in addition to the snowballing effect of monetary loss.

Offline santaclause102

Quote
The reason it was not done was that the detection of such bad behavior was not always obvious, especially under the conditions last summer where a few network splits happened and some 40% of the delegates were signing blocks on a different chain without being intentionally dishonest.

Quote
But that shouldn't be double signing though? The block signing protocol should be constructed in such a way that a "double sign" proof cannot penalize a witness if they are only signing on one blockchain at a time. So in that scenario, if the witnesses were choosing one chain or the other, they would still be fine from automatic firing. It is only if they signed on both (for the same round) that they would be fired, which should be avoidable if they are careful about the order in which they disable/enable block production on their nodes and they avoid automatic failover systems that can themselves fail, causing unintentional double signing of blocks.
I am not sure where the contradiction is here in case you implied one. But I am with you on the general strategy of witnesses putting up collateral that may be seized (through shareholder vote or an automated mechanism).

Offline BunkerChainLabs-DataSecurityNode

Quote
I think in addition to the (relatively small) fixed registration fee for witnesses, a witness should be required to deposit funds (of some fixed amount specified by the network) into a surety bond for them to be considered a valid candidate. These funds can be withdrawn if the witness decides to retire (perhaps temporarily) but there would be a 2-week delay in that process (the retirement, meaning no more block production, would be immediate or at least would occur by the next maintenance period, but the fund withdrawal would be delayed). A registered witness without a bond is not a valid candidate witness. People can still vote for those witnesses, but no matter how high their approval gets they will never become an active witness if they don't have a sufficient bond posted.

In addition to voting for a witness, stakeholders should optionally be able to vote to ban a particular witness. If the amount of stake voting to ban a particular witness exceeds some threshold, e.g. the median approval votes for active witnesses, the blockchain will ban that witness. Banning means that the blockchain takes away the funds in the surety bond from the witness and prevents that witness account from ever becoming a candidate witness again (obviously the person behind that account can always register a new witness account).

With this change there would be a financial incentive to not misbehave (for example by double signing blocks) even for witnesses who don't care about ever being a block producer again. It would also provide a mechanism for witnesses to legitimately retire without having to ask stakeholders to vote them out or compromise block production.

A more advanced alternative to banning witnesses would be to allow anyone to provide proof of a double sign and have the network do the banning automatically if a valid proof was provided (and also reward the proof provider from some fraction of the surety bond). A hybrid approach might also be desirable. For example, if the ban votes for a witness exceed some low threshold, then a double sign proof is enough to get the witness banned. If the ban votes exceed some higher threshold, the witness is banned without any cryptographic proof required. This modification requires ensuring that the block signing protocol is designed in a way that small double signing proofs can be submitted and validated (I'm not sure if the current protocol is designed to support that).

Sounds like a reasonable mechanism to me.  +5%

Offline arhag

Quote
The reason it was not done was that the detection of such bad behavior was not always obvious, especially under the conditions last summer where a few network splits happened and some 40% of the delegates were signing blocks on a different chain without being intentionally dishonest.

But that shouldn't be double signing though? The block signing protocol should be constructed in such a way that a "double sign" proof cannot penalize a witness if they are only signing on one blockchain at a time. So in that scenario, if the witnesses were choosing one chain or the other, they would still be fine from automatic firing. It is only if they signed on both (for the same round) that they would be fired, which should be avoidable if they are careful about the order in which they disable/enable block production on their nodes and they avoid automatic failover systems that can themselves fail, causing unintentional double signing of blocks.
« Last Edit: June 30, 2015, 12:25:46 am by arhag »

Offline santaclause102

Giving witnesses at least the opportunity to lock up funds (and allow them to be taken away under certain conditions) doesn't sound like a bad idea. The only negative I could think of is that shareholders have yet another metric to take into consideration, but I don't think that is really a big negative. Also some attacker might be able to buy into the network more easily (less time consuming) than through earning reputation - again not really a negative because the overall vote would be a weighted decision based on trust plus collateral.
The neat thing is that this would bring back some of the positives of traditional (NXT) POS in that a block signer always loses a significant amount of stake instead of just his job / reputation.

Quote
double sign proofs submitted to the blockchain to automatically penalize delegates were part of bytemaster's original proposals for DPOS, but for some reason have been neglected.
Yes it was communicated as such initially if I remember correctly: "automatically voting out bad behaving delegates".
The reason it was not done was that the detection of such bad behavior was not always obvious, especially under the conditions last summer where a few network splits happened and some 40% of the delegates were signing blocks on a different chain without being intentionally dishonest. The motivation to keep on signing even if maybe not on the right chain was to not drop in participation rate. But such metrics could be prioritized - not signing two blocks being x times more important than participation rate?

Offline arhag

Quote
There is the tendermint protocol which is built around this idea http://tendermint.com/docs/tendermint.pdf

Making the bond a soft criterion like you suggested is a lot better though.

I made a similar proposal once: https://bitsharestalk.org/index.php?topic=13045.0

Yeah, it seems to be a somewhat common idea in PoS circles. And if I remember correctly, I believe double sign proofs submitted to the blockchain to automatically penalize delegates were part of bytemaster's original proposals for DPOS, but for some reason have been neglected. Personally, I've been trying to push for this for a while now:
  • Allow delegates to take a vacation / retire from their delegate role and take back a percentage of their submitted delegate registration fee (called the surety bond portion), and if they want to go back to being a valid delegate candidate, they need to repost that surety bond. Then, the DAC should allow anyone to submit proof of a double-sign of a block by an active delegate to the blockchain which will automatically ban that delegate and claim the surety bond as revenue for the DAC. This increases the opportunity cost of misbehaving for any active delegate who is tired of being a delegate and wants to quit anyway.

Now with all the change to BitShares 2.0, I think it would be a shame if we didn't include something like this in there.
« Last Edit: June 30, 2015, 12:07:29 am by arhag »

Offline santaclause102

There is the tendermint protocol which is built around this idea http://tendermint.com/docs/tendermint.pdf

Making the bond a soft criterion like you suggested is a lot better though.

I made a similar proposal once: https://bitsharestalk.org/index.php?topic=13045.0

Offline arhag

I think in addition to the (relatively small) fixed registration fee for witnesses, a witness should be required to deposit funds (of some fixed amount specified by the network) into a surety bond for them to be considered a valid candidate. These funds can be withdrawn if the witness decides to retire (perhaps temporarily) but there would be a 2-week delay in that process (the retirement, meaning no more block production, would be immediate or at least would occur by the next maintenance period, but the fund withdrawal would be delayed). A registered witness without a bond is not a valid candidate witness. People can still vote for those witnesses, but no matter how high their approval gets they will never become an active witness if they don't have a sufficient bond posted.

In addition to voting for a witness, stakeholders should optionally be able to vote to ban a particular witness. If the amount of stake voting to ban a particular witness exceeds some threshold, e.g. the median approval votes for active witnesses, the blockchain will ban that witness. Banning means that the blockchain takes away the funds in the surety bond from the witness and prevents that witness account from ever becoming a candidate witness again (obviously the person behind that account can always register a new witness account).

With this change there would be a financial incentive to not misbehave (for example by double signing blocks) even for witnesses who don't care about ever being a block producer again. It would also provide a mechanism for witnesses to legitimately retire without having to ask stakeholders to vote them out or compromise block production.


A more advanced alternative to banning witnesses would be to allow anyone to provide proof of a double sign and have the network do the banning automatically if a valid proof was provided (and also reward the proof provider from some fraction of the surety bond). A hybrid approach might also be desirable. For example, if the ban votes for a witness exceed some low threshold, then a double sign proof is enough to get the witness banned. If the ban votes exceed some higher threshold, the witness is banned without any cryptographic proof required. This modification requires ensuring that the block signing protocol is designed in a way that small double signing proofs can be submitted and validated (I'm not sure if the current protocol is designed to support that).
« Last Edit: June 29, 2015, 11:33:32 pm by arhag »
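An added example (not code from this thread or from BitShares) that models the hybrid ban rule proposed above in Python: a double-sign proof is accepted only as two different blocks signed for the same slot, so a witness that keeps producing on a single chain during a fork is never penalized. The median-approval high threshold comes from the post; the low threshold fraction, the finder's share of the bond, and the HMAC standing in for a real block signature are constructed assumptions.

```python
import hashlib
import hmac
import statistics
from dataclasses import dataclass

@dataclass
class Witness:
    name: str
    key: bytes           # stand-in for the block-signing key (constructed)
    bond: int            # surety bond posted on top of the registration fee
    approval: int        # stake approving this witness
    ban_votes: int = 0   # stake voting to ban this witness
    banned: bool = False

def sign_block(key: bytes, slot: int, block_id: str) -> bytes:
    # HMAC stands in for the real block signature so the example runs offline.
    return hmac.new(key, f"{slot}:{block_id}".encode(), hashlib.sha256).digest()

def valid_double_sign_proof(w: Witness, slot: int, a, b) -> bool:
    """Two DIFFERENT block ids for the SAME slot, both validly signed by w.
    The same block twice, or blocks in different slots, is not a double sign."""
    (id_a, sig_a), (id_b, sig_b) = a, b
    if id_a == id_b:
        return False
    return (hmac.compare_digest(sig_a, sign_block(w.key, slot, id_a))
            and hmac.compare_digest(sig_b, sign_block(w.key, slot, id_b)))

class BondRegistry:
    """Hybrid rule: enough ban votes bans outright; fewer votes plus a valid proof also bans."""
    def __init__(self, witnesses, low_frac=0.25, finder_frac=0.10):
        self.w = {x.name: x for x in witnesses}
        self.low_frac, self.finder_frac, self.treasury = low_frac, finder_frac, 0

    def high_threshold(self) -> float:
        # The page's example threshold: median approval of active (bonded, unbanned) witnesses.
        return statistics.median(x.approval for x in self.w.values() if x.bond and not x.banned)

    def try_ban(self, name: str, slot: int = 0, proof=None):
        """Return (banned, finder_reward); the rest of the seized bond goes to the treasury."""
        w = self.w[name]
        if w.banned or not w.bond:
            return False, 0
        high = self.high_threshold()
        has_proof = proof is not None and valid_double_sign_proof(w, slot, *proof)
        if not (w.ban_votes >= high or (w.ban_votes >= self.low_frac * high and has_proof)):
            return False, 0
        reward = int(w.bond * self.finder_frac) if has_proof else 0
        self.treasury += w.bond - reward
        w.banned, w.bond = True, 0
        return True, reward
```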