Difference between revisions of "Category:Voting Pools"

From Open Transactions
Jump to navigation Jump to search
m (Design Criteria)
m (Security Model)
Line 39: Line 39:
 
==Security Model==
 
==Security Model==
  
'''Goal''': Users of deposit-accepting services should never experience a loss of deposited funds.
+
The goal of the voting pool security model is that users of deposit-accepting services should never experience a loss of deposited funds.
  
 
We can group the various ways in which this goal might not be met into two general categories:
 
We can group the various ways in which this goal might not be met into two general categories:
  
''Type 1 Event'' ('''Theft/Loss'''): A user permanently loses their funds because a third party has gained control of them without the user’s consent, or because the private keys needed to spend them have been irrevocably lost.
+
;Type 1 Event ('''Theft/Loss''')
 +
:A user permanently loses their funds because a third party has gained control of them without the user’s consent, or because the private keys needed to spend them have been irrevocably lost.
  
''Type 2 Event'' ('''Denial of Service'''): A user temporarily loses some or all of their ability to use their funds, but no third party has gained control over them.
+
;Type 2 Event ('''Denial of Service''')
 +
:A user temporarily loses some or all of their ability to use their funds, but no third party has gained control over them.
  
Note: Type 0 Events will be used throughout the rest of this document to describe all other abnormal conditions which do not directly involve a loss of customer deposits.
+
Type 0 Events will be used to describe all other abnormal conditions from which the pool must recover which do not directly involve a loss of customer deposits.
  
  
 
====Voting Pool Security Theorem====
 
====Voting Pool Security Theorem====
  
If the probability of ''m+1'' (Type 1 Event) or ''n-m+1'' (Type 2 Event) services simultaneously and identically behaving in a malicious or incompetent manner is lower than the probability of any individual server behaving in a malicious or incompetent manner, user deposits on that service are at less risk of loss if the service is a member of an ''m-of-n'' voting pool than they would be at risk if the service is not a member of a voting pool.
+
If the probability of <code>m+1</code> (Type 1 Event) or <code>n-m+1</code> (Type 2 Event) services simultaneously and identically behaving in a malicious or incompetent manner is lower than the probability of any individual server behaving in a malicious or incompetent manner, user deposits on that service are at less risk of loss if the service is a member of an <code>m-of-n</code> voting pool than they would be at risk if the service is not a member of a voting pool.
  
The design of voting pools assumes that in any given situation at least ''m'' pool members are well-behaving for Type 1 events and at least ''n-m'' pool members are well-behaving for Type 2 events.
+
Voting pools can guarantee the integrity of user deposits if, in any given situation, at least <code>m</code> pool members are well-behaving for Type 1 events and at least <code>n-m</code> pool members are well-behaving for Type 2 events.
 
 
Voting pools can guarantee the integrity of user deposits if this condition is met.
 

Revision as of 22:38, 17 April 2014

Introduction

Open-Transactions (OT) is a financial cryptography library that implements triple entry accounting with destructible receipts. OT allows creditors to issue liabilities in the form of digitally signed and notarized receipts whose balances can be traded as currency and are available for manipulation via smart contracts and other financial instruments. Transactions are constructed by users and notarized by transaction servers. OT maintains a real-time, cryptographically secured state of all liability balances for a given issuance type. Account balances in OT are protected from tampering with strong cryptography, which eliminates the co-mingling of funds between unrelated accounts. As an accounting system, OT does not normally have the ability to manipulate actual underlying assets, such as physical gold reserves.

Bitcoin is a digital asset ledger the includes its own currency and payment system. Bitcoins are not backed by any issuer, and therefore carry no counterparty risk. The validity of the global Bitcoin ledger (blockchain) is enforced by a global P2P network which requires, on average, ten minutes to update.

With regards to OT, Bitcoin (and other cryptocurrencies) form a unique case. Since cryptocurrencies can be manipulated digitally in the way that other assets can not, OT servers can provide additional functions beyond merely ownership accounting. Importantly, in the case of cryptocurrencies, OT can provide auditing and safe storage of reserves on the blockchain itself. Since OT servers can process transactions more rapidly and inexpensively than a blockchain, it is desirable in many cases to allow an OT server to handle financial transactions off-chain, rather than performing them directly on the blockchain itself.

Many services in the cryptocurrency space already require this functionality. Currency exchanges and other trading platforms usually desire to perform order matching more rapidly than what is possible on the blockchain itself. These services accept custody of user funds, perform transactions in a separate off-chain system, and use a database to track customer balances. Typically these services are not cryptographically secured, or independently auditable. Customers also give full control of their deposited funds to the custodial service, which exposes them to the risk of theft or loss of their coins.

Unlike legacy currencies, cryptocurrencies can be irrevocably lost or stolen, and it’s typically not possible to distinguish between insider or external theft. Historically, this ambiguity appears to have been routinely exploited.

Voting pools are an arrangement of OT transaction servers to securely store and account for customer cryptocurrency deposits, and to redeem valid withdrawal requests even in the event the custodial entity has completely disappeared. They are designed to ensure that no single person or organization can ever perform unilateral actions on deposited funds in order to reduce the risk of loss or theft, and custodial liability.

The basic design promise of voting pools is: Any denial of service attack which can cause customers to lose access to their Bitcoin deposits must involve more than (n minus m) members of an m-of-n voting pool. Any attack that can result in a permanent loss of customer funds must involve more than m members to be successful.

Voting pools are an open standard intended to be a universal replacement for bespoke systems that handle customer cryptocurrency deposits.

Design Criteria

Voting pools bridge two worlds - OT and Bitcoin (cryptocurrency). OT is responsible for tracking the exact BTC-denominated balances of every user of a service, as well as the service’s balance. The OT transaction server is the portion of a voting pool which is closest to the users themselves. The transaction server acts as a backend processor for a deposit-accepting business (such as a currency exchange or issuer), and handles all issues related to cryptocurrency deposits, withdrawals, and balance updates.

In order to manage the actual bitcoins held by the pool, each transaction server will need a corresponding Bitcoin wallet. The wallet must understand a hierarchical, deterministic, multisig structure and be robust enough to handle the high deposit and withdrawal volumes experienced by a popular service, including the security requirement to hold most funds in cold storage. It must also differentiate between standard balances and colored balances.

The transaction server and the bitcoin wallet communicate via an auditing server. The auditing server independently verifies the OT operations of all transaction servers in the voting pool, as well as the bitcoins held by the pool on the blockchain itself. It uses this audit data to know when it should direct the wallet to create a withdrawal transaction, and it is also the component responsible for information sharing and achieving consensus between all members of the pool.

In order for voting pools to function, the transaction server must be publicly accessible. For this reason the audit servers must be physically separate from the transaction servers and they must communicate over a messaging system (Tor, Bitmessage, or equivalent) that obscures the location of the audit servers. This prevents an attacker who manages to compromise a publicly-facing transaction server from identifying the audit servers in order to attack them and steal from the pool’s hot wallets.

The audit server must have a direct communication path with the bitcoin wallet. The wallet should connect to the rest of the Bitcoin network via Tor, I2P or equivalent in order to prevent an attacker from identifying the location of the audit server and bitcoin wallet based on their broadcast transactions.

In order to achieve the desired security and robustness goals for voting pools, the following criteria are enforced:

  1. Customers should be strongly discouraged from reusing deposit addresses. The voting pool itself must never intentionally reuse a bitcoin address.
  2. All Bitcoin addresses used by the pool must be deterministic for auditing purposes. Each member of the pool should be able to calculate all members’ series of deposit and change addresses.
  3. Withdrawal transaction input selection must be deterministic in order to minimise the cost of coordinating transaction signing.
  4. It must be possible to keep a majority of the private keys offline for security reasons, and bring them online as needed to process withdrawals.
  5. It must be possible to alter the voting pool by adding, removing, or replacing members in a coordinated and secure fashion.

Security Model

The goal of the voting pool security model is that users of deposit-accepting services should never experience a loss of deposited funds.

We can group the various ways in which this goal might not be met into two general categories:

Type 1 Event (Theft/Loss)
A user permanently loses their funds because a third party has gained control of them without the user’s consent, or because the private keys needed to spend them have been irrevocably lost.
Type 2 Event (Denial of Service)
A user temporarily loses some or all of their ability to use their funds, but no third party has gained control over them.

Type 0 Events will be used to describe all other abnormal conditions from which the pool must recover which do not directly involve a loss of customer deposits.


Voting Pool Security Theorem

If the probability of m+1 (Type 1 Event) or n-m+1 (Type 2 Event) services simultaneously and identically behaving in a malicious or incompetent manner is lower than the probability of any individual server behaving in a malicious or incompetent manner, user deposits on that service are at less risk of loss if the service is a member of an m-of-n voting pool than they would be at risk if the service is not a member of a voting pool.

Voting pools can guarantee the integrity of user deposits if, in any given situation, at least m pool members are well-behaving for Type 1 events and at least n-m pool members are well-behaving for Type 2 events.