Voting Pool Security Measurement
- 1 Introduction
- 2 Theoretical Security
- 2.1 Theft Resistance Factor
- 2.2 Redundancy Factor
- 2.3 Cost Factor
- 2.4 Veto Number
- 2.5 Reliability level
- 2.6 Member Independence and Anonymity
- 3 Standard Pool Sizes
- 4 Effective Security Factors
Voting pools provide a framework for improving the security of cryptocurrency deposits, however merely using of this framework does not guarantee any particular level of security. Each pool must be evaluated on a case-by-case in order to estimate the amount of security it provides.
At a technical level, we can describe the a pool in the form
m is the number of pool members who must agree on a withdrawal action, and
n is the total number of pool members. These two numbers have no intuitive meaning, so to better understand the security properties of a pool we will translate these numbers into more understandable terms.
Theft Resistance Factor
The theft resistance factor of a pool is the number of members who must be malicious or compromised in order to steal customer funds.
The theft resistance factor is equal to
m, if there are no anonymous members.
If any of the members are anonymous, see below.
An 3-of-5 voting pool has a theft resistance factor of 3. A 3-of-7 pool also has a theft resistance factor of 3.
The redundancy factor is the number of members who can disappear permanently without causing a total loss of all funds, or disappear temporarily without causing an inability to withdraw funds from the pool.
The redundancy factor is equal to
A 2-of-3 voting pool has a redundancy factor of 1. A 5-of-7 voting pool has a redundancy factor of 2.
The cost factor is a number roughly proportional the costs incurred by blockchain transaction fees. Fees are roughly proportional to the size of the scripts used, and for the types of scripts used in voting pools the size of the scripts is roughly proportional to the number of public keys used.
The cost factor is equal to
The cost factor of a 2-of-3 voting pool is 5. The cost factor of a 9-of-14 voting pool is 23.
The veto number of the pool is the number of members who could work together to block a withdrawal request.
The veto number of a pool is equal to the redundancy factor + 1.
A 2-of-3 voting pool has a veto number of 2.
The reliability level is the maximum number of failures of any kind which will not result in a type 1 or type 2 failure of the pool.
A reliability level calculated as
min(theft resistance factor - 1, redundancy factor)
A 3-of-7 voting pool has a theft resistance factor of 3 and a redundancy factor of 4. The reliability level of this pool is 2.
These terms can be grouped into three primary indicators: theft resistance factor, redundancy factor, and cost factor, and one secondary indicator: veto number, and a combined indicator: reliability level.
Member Independence and Anonymity
The calculations above assume that each member of the pool acts separately from the others as an independent decision-making agent. This means that member identity should be publicly known, at least in so far as necessary to verify their are not the same entity.
If members of a voting pool are completely anonymous, it's not possible to verify they aren't also a known member. Because of this, the number of anonymous members must be subtracted from
m to calculate theft resistance factor. A 5-of-9 voting pool with 2 anonymous members has a theft resistance factor of 1, an redundancy factor of 4, and a cost factor of 13.
Other factors which could reduce the independence of the members are described in the Effective Security section.
Standard Pool Sizes
Every pool represents a compromise between performance and cost. For security and reliability purposes, higher reliability levels are better, however they must be balanced against the cost factor. Standard pool sizes are pools are the lowest cost pools that produce a given reliability level.
|Reliability Level||Theft Resistance Factor||Redundancy Factor||Cost Factor||Pool Size|
Effective Security Factors
The actual security level of a voting pool will always be lower than the theoretical factors, because no two members will ever be 100% independent from each other. The effects which reduce the independence of voting pool members can be classified as social, professional, contractual, geographical, or jurisdictional. Any connections of these types reduce the effective theft resistance factor of the pool.
Social connections between the owners, operators, or employees of voting pool members increases the risk of collusion between pool members, because individuals share a personal relationship they value, and if the maintenance of this personal relationship conflicts with the proper operation of the pool, the individuals involved will need to balance conflicting incentives. Individuals who went to the same school, live in the same neighborhood, are belong to the same organizations, currently or in the past have social connections.
Professional connections affect the security of the pool in a manner similar to social connections. Professional connections may arise from common membership in a professional organization. If the inventive of the individuals to remain in good standing with this organization ever conflicts with their incentive to properly maintain the pool, the risk of collusion between members is increased.
Voting pool members might enter into contracts which require them to behave in ways that are not always correct for proper operation of the pool. In this case, their incentive to avoid damages from a contractual breach will conflict with their incentive to properly operate the pool.
Members who are in the same geographical proximity are vulnerable to be affected by the same disaster event. For example, if two members have offices in the same building, a fire or earthquake could take both of them offline at the same time. This also applies to human-caused disasters. An attacker who chooses to attack the pool via physical means will find the attack easier if the members are located closer in a geographical sense.
Members who are located within common legal jurisdiction can both be simultaneously compelled to take actions detrimental to the operation of the pool, and so in that instance do not act as independent agents.
Jurisdictional risk is a common feature of developing markets, where a stable governments are prone to be replaced via a coup, and where the coup leaders frequently nationalize formerly-private property.
Effective Theft Resistance Factor
The effective reliability level of a pool is the reliability level that results from discounting each security factor by a multiplier that accounts for the connectivity of various members. For example, in a 2-of-3 voting pool, if two of the members are 50% socially connected and the other is completely independent, the actual theft resistance factor is 1.5.
Connectivity can not be precisely calculated - the various effects must be estimated on a percentage scale.
Effective Redundancy Factor
Not every member of a voting pool will achieve exactly equal uptime. To calculate effective redundancy factor sort the members by uptime, add the measured uptimes of the lowest
m members. For example, for a 3-of-5 voting pool, if the members with the two lowest uptime have 95% and 97% respectively, the effective redundancy factor is 1.92.
Effective Reliability Factor
A rating agency that measures the effective reliability level of pool should rate each of the risk types on a 0%-100% scale between every pair of members, and combine these ratings via an appropriate function to calculate an effective theft resistance factor and redundancy factor.