Trust Is Risk: A Decentralized Financial Trust Platform

Trust Is Risk: A Decentralized Financial Trust Platform

Trust Is Risk: A Decentralized Financial Trust Platform Orfeas Stefanos Thyfronitis Litos1 and Dionysis Zindros2,? 1 2 National Technical University...

506KB Sizes 0 Downloads 3 Views

Trust Is Risk: A Decentralized Financial Trust Platform Orfeas Stefanos Thyfronitis Litos1 and Dionysis Zindros2,? 1

2

National Technical University of Athens National and Kapodistrian University of Athens [email protected], [email protected]

Abstract. Centralized reputation systems use stars and reviews and thus require algorithm secrecy to avoid manipulation. In autonomous open source decentralized systems this luxury is not available. We create a reputation network for decentralized marketplaces where the trust each user gives to the other users is quantifiable and expressed in monetary terms. We introduce a new model for bitcoin wallets in which user coins are split among trusted associates. Direct trust is defined using shared bitcoin accounts via bitcoin’s 1-of-2 multisig. Indirect trust is subsequently defined transitively. This enables formal game theoretic arguments pertaining to risk analysis. We prove that risk and maximum flows are equivalent in our model and that our system is Sybil-resilient. Our system allows for concrete financial decisions on the subjective monetary amount a pseudonymous party can be trusted with. Risk remains invariant under a direct trust redistribution operation followed by a purchase.

1

Introduction

Online marketplaces can be categorized as centralized and decentralized. Two examples of each category are ebay and OpenBazaar. The common denominator of established online marketplaces is that the reputation of each vendor and client is typically expressed in the form of stars and user-generated reviews that are viewable by the whole network. The goal of “Trust Is Risk” is to offer a reputation system for decentralized marketplaces where the trust each user gives to the other users is quantifiable in monetary terms. The central assumption used throughout this paper is that trust is equivalent to risk, or the proposition that Alice’s trust in another user Charlie is defined as the maximum sum of money Alice can lose when Charlie is free to choose any strategy. To flesh out this concept, we will use lines of credit as proposed by Sanchez [1]. Alice joins the network by explicitly entrusting some money to another ?

Research supported by ERC project CODAMODA, project #259152

1

user, say her friend, Bob (see Fig. 1 and 2). If Bob has already entrusted some money to a third user, Charlie, then Alice indirectly trusts Charlie since if the latter wished to play unfairly, he could have already stolen the money entrusted to him by Bob. We will later see that Alice can now engage in economic interaction with Charlie. To implement lines-of-credit, we use Bitcoin [2], a decentralized cryptocurrency that differs from conventional currencies in that it does not depend on trusted third parties. All transactions are public as they are recorded on a decentralized ledger, the blockchain. Each transaction takes some coins as input and produces some coins as output. If the output of a transaction is not connected to the input of another one, then this output belongs to the UTXO, the set of unspent transaction outputs. Intuitively, the UTXO contains all coins not yet spent.

A

10B

B

20B

C

A

Fig. 1: A indirectly trusts C 10B

10B

B

5B

C

Fig. 2: A indirectly trusts C 5B

We propose a new kind of wallet where coins are not exclusively owned, but are placed in shared accounts materialized through 1-of-2 multisigs, a bitcoin construct that permits any one of two pre-designated users to spend the coins contained within a shared account [3]. We use the notation 1/{Alice, Bob} to represent a 1-of-2 multisig that can be spent by either Alice or Bob. In this notation, the order of names is irrelevant, as either user can spend. However, the user who deposits the money initially into the shared account is relevant – she is the one risking her money. Our approach changes the user experience in a subtle but drastic way. A user no more has to base her trust towards a store on stars or ratings which are not expressed in financial units. She can simply consult her wallet to decide whether the store is trustworthy and, if so, up to what value, denominated in bitcoin. This system works as follows: Initially Alice migrates her funds from her private bitcoin wallet to 1-of-2 multisig addresses shared with friends she comfortably trusts. We call this direct trust. Our system is agnostic to the means players use to determine who is trustworthy for these direct 1-of-2 deposits. Nevertheless, these deposits contain an objective value visible to the network that can be used to deterministically evaluate subjective indirect trust towards other users. Suppose Alice is viewing the listings of vendor Charlie. Instead of his stars, Alice sees a positive value calculated by her wallet representing the maximum value she can safely pay to purchase from Charlie. This value, known as indirect trust, is calculated in Theorem 2 – Trust Flow. 2

Indirect trust towards a user is not global but subjective; each user views a personalized indirect trust based on the network topology. The indirect trust reported by our system maintains the following desired security property: If Alice makes a purchase from Charlie, then she is exposed to no more risk than she was already taking willingly. The existing voluntary risk is exactly that which Alice was taking by sharing her coins with her trusted friends. We prove this in Theorem 3 – Risk Invariance. Obviously it is not safe for Alice to buy anything from any vendor if she has not directly entrusted any value to other users. In Trust Is Risk the money is not invested at the time of purchase and directly to the vendor, but at an earlier point in time and only to parties that are trustworthy for out of band reasons. The fact that this system can function in a completely decentralized fashion will become clear in the following sections. We prove this in Theorem 5 – Sybil Resilience. We make the design choice that an entity can express her trust maximally in terms of her available capital. Thus, an impoverished player cannot allocate much direct trust to her friends, no matter how trustworthy they are. On the other hand, a rich player may entrust a small fraction of her funds to a player that she does not extensively trust and still exhibit more direct trust than the impoverished player. There is no upper limit to trust; each player is only limited by her funds. We thus take advantage of the following remarkable property of money: To normalise subjective human preferences into objective value. A user has several incentives to join. First, she has access to otherwise inaccessible stores. Moreover, two friends can formalize their mutual trust by directly entrusting the same amount to each other. A company that casually subcontracts others can express its trust towards them. Governments can choose to directly entrust citizens with money and confront them using a corresponding legal arsenal if they make irresponsible use of this trust. Banks can provide loans as outgoing and manage savings as incoming direct trust. Last, the network is an investment and speculation field since it constitutes a new area for financial activity. Observe that the same physical person can maintain multiple pseudonymous identities in the same trust network and that multiple independent trust networks for different purposes can coexist. On the other hand, the same pseudonymous identity can be used to establish trust in different contexts. Trust Is Risk is not just a theoretical conception, but can be deployed and applied in existing decentralized markets such as OpenBazaar. All the necessary bitcoin constructs such as multisigs are readily available. 3

Our only concern pertains to the scalability of such an implementation, but we are confident that such difficulties can be overcome.

2

Mechanics

We now trace Alice’s steps from joining the network to successfully completing a purchase. Suppose initially all her coins, say 10B, are under her exclusive control. Two trustworthy friends, Bob and Charlie, persuade her to try out Trust Is Risk. She installs the Trust Is Risk wallet and migrates the 10B from her regular wallet, entrusting 2B to Bob and 5B to Charlie. She now exclusively controls 3B. She is risking 7B to which she has full but not exclusive access in exchange for being part of the network. A few days later, she discovers an online shoes shop owned by Dean, also a member of Trust Is Risk. She finds a nice pair of shoes that costs 1B and checks Dean’s trustworthiness through her new wallet. Suppose Dean is deemed trustworthy up to 5B. Since 1B < 5B, she confidently proceeds to purchase the shoes with her new wallet. She can then see in her wallet that her exclusive coins have remained 3B, the coins entrusted to Charlie have been reduced to 4B and Dean is entrusted 1B, equal to the value of the shoes. Also, her purchase is marked as pending. If she checks her trust towards Dean, it still is 5B. Under the hood, her wallet redistributed her entrusted coins in a way that ensures Dean is directly entrusted with coins equal to the value of the purchased item and that her reported trust towards him has remained invariant. Eventually all goes well and the shoes reach Alice. Dean chooses to redeem Alice’s entrusted coins, so her wallet does not show any coins entrusted to Dean. Through her wallet, she marks the purchase as successful. This lets the system replenish the reduced trust to Bob and Charlie, setting the entrusted coins to 2B and 5B respectively once again. Alice now exclusively owns 2B. Thus, she can now use a total of 9B, which is expected, since she had to pay 1B for the shoes.

3

The Trust Graph

We now engage in the formal description of the proposed system, accompanied by helpful examples. Definition 1 (Graph). Trust Is Risk is represented by a sequence of directed weighted graphs (Gj ) where Gj = (Vj , Ej ) , j ∈ N. Also, since the 4

graphs are weighted, there exists a sequence of weight functions (cj ) with cj : Ej → R+ . The nodes represent the players, the edges represent the existing direct trusts and the weights represent the amount of value attached to the corresponding direct trust. As we will see, the game evolves in turns. The subscript of the graph represents the corresponding turn. Definition 2 (Players). The set Vj = V (Gj ) is the set of all players in the network, otherwise understood as the set of all pseudonymous identities. Each node has a corresponding non-negative number that represents its capital. A node’s capital is the total value that the node possesses exclusively and nobody else can spend. Definition 3 (Capital). The capital of A in turn j, CapA,j , is defined as the number of coins that belong exclusively to A at the beginning of turn j. The capital is the value that exists in the game but is not shared with trusted parties. The capital of A can be reallocated only during her turns, according to her actions. We model the system in a way that no capital can be added in the course of the game through external means. The use of capital will become clear once turns are formally defined. The formal definition of direct trust follows: Definition 4 (Direct Trust). Direct trust from A to B at the end of turn j, DT rA→B,j , is defined as the total finite amount that exists in 1/{A, B} multisigs in the UTXO in the end of turn j, where the money is deposited by A. (

DT rA→B,j =

cj (A, B) , 0,

5

if (A, B) ∈ Ej . else

(1)

1B B 5B A 6B A 10B C 3B C 2B D

1B 6B A

2B 3B

D

5B C

10B

B

E

tx tx tx tx tx tx

1B 1/{A,B} 5B 1/{A,C} 6B 1/{A,D} 10B 1/{C,E} 3B 1/{B,C} 2B 1/{B,D}

Fig. 3: Trust Is Risk Game Graph and Equivalent Bitcoin UTXO

The definition of direct trust agrees with the title of this paper and coincides with the intuition and sociological experimental results of Karlan et al. [4] that the trust Alice shows to Bob in real-world social networks corresponds to the extent of danger in which Alice is putting herself into in order to help Bob. An example graph with its corresponding transactions in the UTXO can be seen in Fig. 3. Any algorithm that has access to the graph Gj has implicitly access to all direct trusts of this graph. Definition 5 (Neighbourhood). We use the notation N + (A)j to refer to the nodes directly trusted by A at the end of turn j and N − (A)j for the nodes that directly trust A at the end of turn j. N + (A)j = {B ∈ Vj : DT rA→B,j > 0} , N − (A)j = {B ∈ Vj : DT rB→A,j > 0} .

(2)

These are called out- and in-neighbourhood of A on turn j respectively. Definition 6 (Total In/Out Direct Trust). We use inA,j , outA,j to refer to the total incoming and outgoing direct trust respectively. inA,j =

X

DT rv→A,j ,

outA,j =

v∈N − (A)j

X

DT rA→v,j .

(3)

v∈N + (A)j

Definition 7 (Assets). Sum of A’s capital and outgoing direct trust. AsA,j = CapA,j + outA,j . 6

(4)

4

Evolution of Trust

Trust Is Risk is a game that runs indefinitely. In each turn, a player is chosen, decides what to play and, if valid, the chosen turn is executed. Definition 8 (Turns). In each turn j a player A ∈ V, A = P layer (j), chooses one or more actions from the following two kinds: Steal(yB , B): Steal value yB from B ∈ N − (A)j−1 , where 0 ≤ yB ≤ DT rB→A,j−1 . Then set: DT rB→A,j = DT rB→A,j−1 − yB . Add(yB , B): Add value yB to B ∈ V, where −DT rA→B,j−1 ≤ yB . Then set: DT rA→B,j = DT rA→B,j−1 + yB . yB < 0 amounts to direct trust reduction, while yB > 0 to direct trust increase. Let Yst , Yadd be the total value to be stolen and added respectively by A. The capital is updated in every turn: CapA,j = CapA,j−1 + Yst − Yadd . For a turn to be valid we require CapA,j ≥ 0 and DT rA→B,j ≥ 0 and DT rB→A,j ≥ 0. A player cannot choose two actions of the same kind against the same player in one turn. T urnj denotes the set of actions in turn j. The graph that emerges by applying the actions on Gj−1 is Gj . For example, let A = P layer(j). A valid turn can be T urnj = {Steal (x, B) , Add (y, C) , Add (w, D)} . The Steal action requires 0 ≤ x ≤ DT rB→A,j−1 , the Add actions require DT rA→C,j−1 ≥ −y and DT rA→D,j−1 ≥ −w and the Cap restriction requires y + w − x ≤ CapA,j−1 . We use prev (j) and next (j) to denote the previous and next turn respectively played by P layer(j). Definition 9 (Prev/Next Turn). Let j ∈ N be a turn with P layer (j) = A. Define prev (j) /next (j) as the previous/next turn A is chosen to play. Formally, let P = {k ∈ N : k < j ∧ P layer (k) = A} and N = {k ∈ N : k > j ∧ P layer (k) = A} . Then we define prev (j) , next (j) as follows: (

prev (j) =

max P, 0,

P = 6 ∅ , next (j) = min N . P =∅ 7

next (j) is always well defined with the assumption that after each turn eventually everybody plays. Definition 10 (Damage). Let j be a turn such that P layer (j) = A. DmgA,j = outA,prev(j) − outA,j−1 .

(5)

We say that A has been stolen value DmgA,j between prev (j) and j. We omit turn subscripts if they are implied from the context. Definition 11 (History). We define History, H = (Hj ), as the sequence of all tuples containing the sets of actions and the corresponding player. Hj = (P layer (j) , T urnj ) .

(6)

Knowledge of the initial graph G0 , all players’ initial capital and the history amount to full comprehension of the evolution of the game. Building on the example of Fig. 3, we can see the resulting graph when D plays T urn1 = {Steal (1, A) , Add (4, C) , Add (−1, B)} .

(7)

1B 5B A

D

5B 4B C

1B

B

3B 10B

E

Fig. 4: Game Graph after T urn1 (7) on the Graph of Fig. 3

We now define the Trust Is Risk Game formally. We assume players are chosen so that, after her turn, a player will eventually play again later. 1 2

Trust Is Risk Game j = 0 while (True) $

3 4 5

j += 1; A ← Vj Turn = strategy[A](G0 , A, CapA,0 , H1...j−1 ) (Gj , CapA,j , Hj ) = executeTurn(Gj−1 , A, CapA,j−1 , Turn) strategy[A]() provides player A with full knowledge of the game, except for the capitals of other players. This assumption may not be always realistic. executeTurn() checks the validity of Turn and substitutes it with an empty turn if invalid. Subsequently, it creates the new graph Gj and updates the history accordingly. For the routine code, see Appendix B. 8

5

Trust Transitivity

In this section we define some strategies and show the corresponding algorithms. Then we define the Transitive Game, the worst-case scenario for an honest player when another player plays maliciously. Definition 12 (Idle Strategy). A player plays the idle strategy if she passes her turn.

1 2

Idle Strategy Input : graph G0 , player A, capital CapA,0 , history (H)1...j−1 Output : T urnj idleStrategy(G0 , A, CapA,0 , H) : return(∅) The inputs and outputs are identical to those of idleStrategy() for the rest of the strategies, thus we avoid repeating them. Definition 13 (Evil Strategy). A player plays the evil strategy if she steals all incoming direct trust and nullifies her outgoing direct trust.

1 2

evilStrategy(G0 , A, CapA,0 , H) : S {Steal(DT rv→A,j−1 , v)} Steals = v∈N − (A)j−1

3

Adds =

S

{Add(−DT rA→v,j−1 , v)}

v∈N + (A)j−1 4 5

T urnj = Steals ∪ Adds return(T urnj ) Definition 14 (Conservative Strategy). A player plays conservatively if she replenishes the value she lost since the previous turn by stealing from others who directly trust her as much as she can up to DmgA .

1 2 3 4 5

consStrategy(G0 , A, CapA,0 , H) : Damage = outA,prev(j) - outA,j−1 if (Damage > 0) if (Damage >= inA,j−1 ) S T urnj = {Steal (DT rv→A,j−1 , v)} v∈N − (A)j−1

6 7 8

else y = SelectSteal(Gj , A, Damage) #y = {yv : v ∈ N − (A)j−1 } S T urnj = {Steal (yv , v)} v∈N − (A)j−1

9

9 10

else T urnj = ∅ return(T urnj ) SelectSteal() returns yv with v ∈ N − (A)j−1 such that X

yv = DmgA,j ∧ ∀v ∈ N − (A)j−1 , yv ≤ DT rv→A,j−1 . (8)

v∈N − (A)j−1

Player A can arbitrarily define how SelectSteal() distributes the Steal () actions each time she calls the function, as long as (8) is respected. The rationale behind this strategy arises from a real-world common situation. Suppose there are a client, an intermediary and a producer. The client entrusts some value to the intermediary so that the latter can buy the desired product from the producer and deliver it to the client. The intermediary in turn entrusts an equal value to the producer, who needs the value upfront to be able to complete the production process. However the producer eventually does not give the product neither reimburses the value, due to bankruptcy or decision to exit the market with an unfair benefit. The intermediary can choose either to reimburse the client and suffer the loss, or refuse to return the money and lose the client’s trust. The latter choice for the intermediary is exactly the conservative strategy. It is used throughout this work as a strategy for all the intermediary players because it models effectively the worst-case scenario that a client can face after an evil player decides to steal everything she can and the rest of the players do not engage in evil activity. We continue with a possible evolution of the game, the Transitive Game.

1 2 3 4

Transitive Game Input : graph G0 , A ∈ V idle player, B ∈ V evil player Angry = Sad = ∅ ; Happy = V \ {A, B} for (v ∈ V \ {B}) Lossv = 0 j = 0 while (True) $

5 6 7 8 9 10 11 12

j += 1; v ← V \ {A} # Choose this turn’s player T urnj = strategy[v](G0 , v, Capv,0 , H1...j−1 ) executeTurn(Gj−1 , v, Capv,j−1 , T urnj ) for (action ∈ T urnj ) action match do case Steal(y, w) do # For each Steal, exchange = y # Lossw += exchange # pass on Loss 10

13 14 15 16 17 18 19 20 21

if (v != B) Lossv -= exchange # if (w != A) # and change the Happy = Happy \ {w} # mood of the if (inw,j == 0) Sad = Sad ∪ {w} # affected player else Angry = Angry ∪ {w} if (v != B) Angry = Angry \ {v} # Change the mood of if (Lossv > 0) Sad = Sad ∪ {v} # the active player if (Lossv == 0) Happy = Happy ∪ {v}

Happy 3B A G0 E Happy

D

6B 7B

Angry 3B

4B 3B

A

B G1

C Happy

E Happy

G2

6B

B

6B 7B

Sad D A

D

C Angry

Sad D A

B G3

4B

B

C C 7B 6B E E Angry Happy Happy Sad Fig. 5: B steals 7B, then D steals 3B and finally C steals 3B

In turn 0, there is already a network in place. All players apart from A and B follow the conservative strategy. The set of players is not modified throughout the Transitive Game, thus we can refer to Vj as V. Each conservative player can be in one of three states: Happy, Angry or Sad. Happy players have 0 loss, Angry players have positive loss and positive incoming direct trust (line 17), thus are able to replenish their loss at least in part and Sad players have positive loss, but 0 incoming direct trust (line 16), thus they cannot replenish the loss. An example execution can be seen in Fig. 5. Let j0 be the first turn on which B is chosen to play. Until then, all players will pass their turn since nothing has been stolen yet (see Appendix A (Theorem 6)). Moreover, let v = P layer(j). The Transitive 11

Game generates turns: T urnj =

[

{Steal (yw , w)} , where

(9)

w∈N − (v)j−1

X

yw = min (inv,j−1 , Dmgv,j ) .

(10)

w∈N − (v)j−1

We see that if Dmgv,j = 0, then T urnj = ∅. From the definition of Dmgv,j and knowing that no strategy in this case can increase any direct trust, we see that Dmgv,j ≥ 0. Also, it is Lossv,j ≥ 0 because if Lossv,j < 0, then v has stolen more value than she has been stolen, thus she would not be following the conservative strategy.

6

Trust Flow

We can now define indirect trust from A to B. Definition 15 (Indirect Trust). Indirect trust from A to B after turn j is defined as the maximum possible value that can be stolen from A after turn j in the setting of TransitiveGame(Gj ,A,B). Note that T rA→B ≥ DT rA→B . The next result shows T rA→B is finite. Theorem 1 (Trust Convergence Theorem). Consider a Transitive Game. There exists a turn such that all subsequent turns are empty. Proof Sketch. If the game didn’t converge, the Steal () actions would continue forever without reduction of the amount stolen over time, thus they would reach infinity. However this is impossible, since there exists only finite total direct trust. Proofs of all theorems can be found in Appendix A. In the setting of TransitiveGame(G,A,B) and j being a turn in which the game has converged, we use the notation LossA = LossA,j . LossA is not the same for repeated executions of this kind of game, since the order in which players are chosen may differ between executions and conservative players can choose which incoming direct trusts they will steal and how much from each. Let G be a weighted directed graph. We investigate the maximum flow on it. For an introduction to maximum flows see Introduction to Algorithms, p. 708 [6]. Considering each edge’s capacity as its weight, a flow assignment X = [xvw ]V×V with source A and sink B is valid when: ∀(v, w) ∈ E, xvw ≤ cvw and 12

(11)

X

∀v ∈ V \ {A, B},

xwv =

w∈N + (v)

The flow value is

P v∈N + (A)

xAv =

P

X

xvw .

(12)

w∈N − (v)

xvB . We do not suppose skew

v∈N − (B)

symmetry in X. There exists an algorithm M axF low (A, B) that returns the maximum possible flow from A to B. This algorithm needs full knowledge of the graph and runs in O (|V||E|) time [7]. We refer to the flow value of M axF low (A, B) as maxF low (A, B). We will now introduce two lemmas that will be used to prove one of the central results of this work, the Trust Flow theorem. Lemma 1 (MaxFlows Are Transitive Games). Let G be a game graph, let A, B ∈ V and M axF low (A, B) the maximum flow from A to B executed on G. There exists an execution of TransitiveGame(G, A, B) such that maxF low (A, B) ≤ LossA . Proof Sketch. The desired execution of TransitiveGame() will contain all flows from the M axF low (A, B) as equivalent Steal () actions. The players will play in turns, moving from B back to A. Each player will steal from his predecessors as much as was stolen from her. The flows and the conservative strategy share the property that the total input is equal to the total output.

Lemma 2 (Transitive Games Are Flows). Let H =TransitiveGame(G, A, B) for some game graph G and A, B ∈ V. P There exists a valid flow X = {xwv }V×V on G0 such that xAv = LossA . v∈V

Proof Sketch. If we exclude the sad players from the game, the Steal () actions that remain constitute a valid flow from A to B.

Theorem 2 (Trust Flow Theorem). Let G be a game graph and A, B ∈ V. It holds that T rA→B = maxF low (A, B) . Proof. From lemma 1 there exists an execution of the Transitive Game such that LossA ≥ maxF low (A, B). Since T rA→B is the maximum loss that A can suffer after the convergence of the Transitive Game, we see that T rA→B ≥ maxF low (A, B) . (13) 13

But some execution of the Transitive Game gives T rA→B = LossA . From lemma 2, this execution corresponds to a flow. Thus T rA→B ≤ maxF low (A, B) .

(14)

The theorem follows from (13) and (14). Note that the maxFlow is the same in the following two cases: If a player chooses the evil strategy and if that player chooses a variation of the evil strategy where she does not nullify her outgoing direct trust. Further justification of trust transitivity through the use of M axF low can be found in the sociological work by Karlan et al. [4] where a direct correspondence of maximum flows and empirical trust is experimentally validated. Here we see another important theorem that gives the basis for riskinvariant transactions between different, possibly unknown, parties. Theorem 3 (Risk Invariance Theorem). Let G be a game graph, A, B ∈ V and l the desired value to be transferred from A to B, with l ≤ T rA→B . Let also G 0 with the same nodes as G such that 0 ∀v ∈ V 0 \ {A}, ∀w ∈ V 0 , DT rv→w = DT rv→w .

Furthermore, suppose that there exists an assignment for the outgoing 0 direct trust of A, DT rA→v , such that 0 T rA→B = T rA→B − l .

(15)

Let another game graph, G 00 , be identical to G 0 except for the following 00 0 change: DT rA→B = DT rA→B + l. It then holds that 00 T rA→B = T rA→B .

Proof. The two graphs G 0 and G 00 differ only in the weight of the edge (A, B), which is larger by l in G 00 . Thus the two M axF lows will choose the same flow, except for (A, B), where it will be x00AB = x0AB + l. A can reduce her outgoing direct trust in a manner that achieves (15), since maxF low (A, B) is continuous with respect to A’s outgoing direct trusts. 14

7

Sybil Resilience

One of our aims is to mitigate Sybil attacks [8] whilst maintaining decentralized autonomy [9]. We begin by extending the definition of indirect trust. Definition 16 (Indirect Trust to Multiple Players). Indirect trust from player A to a set of players, S ⊂ V is defined as the maximum possible value that can be stolen from A if all players in S are evil, A is idle and everyone else (V \ (S ∪ {A})) is conservative. Formally, let choices be the different actions between which the conservative players choose, then T rA→S,j =



max 0

j 0 :j >j,choices



outA,j − outA,j 0 .

(16)

We now extend the Trust Flow theorem to many players. Theorem 4 (Multi-Player Trust Flow). Let S ⊂ V and T be an auxiliary player such that, for the sake of argument, ∀B ∈ S, DT rB→T = ∞. It holds that ∀A ∈ V \ S, T rA→S = maxF low (A, T ) . Proof. If T chooses the evil strategy and all players in S play according to the conservative strategy, they will have to steal all their incoming direct trust since they have suffered an infinite loss, thus they will act in a way identical to following the evil strategy as far as M axF low is concerned. The theorem follows thus from the Trust Flow theorem. We now define several useful notions to tackle the problem of Sybil attacks. Let Eve be a possible attacker. Definition 17 (Corrupted Set). Let G be a game graph and let Eve have a set of players B ⊂ V corrupted, so that she fully controls their outgoing and incoming direct trusts with any player in V. We call this the corrupted set. The players B are considered legitimate before the corruption, thus they may be directly trusted by any player in V. Definition 18 (Sybil Set). Let G be a game graph. Participation does not require registration, so Eve can create unlimited players. We call the set of these players C, or Sybil set. Moreover, Eve controls their direct and indirect trusts with any player. However, players C can be directly trusted only by players B ∪ C but not by players V \ (B ∪ C), where B is the corrupted set. 15

Definition 19 (Collusion). Let G be a game graph. Let B ⊂ V be a corrupted set and C ⊂ V be a Sybil set. The tuple (B, C) is called collusion and is controlled by Eve.

V \ (B ∪ C)

B

C

Fig. 6: Collusion From a game theoretic point of view, players V \ (B ∪ C) perceive the collusion as independent players with a distinct strategy each, whereas in reality they are all subject to a single strategy dictated by Eve. Theorem 5 (Sybil Resilience). Let G be a game graph and (B, C) be a collusion of players on G. It is T rA→B∪C = T rA→B . Proof Sketch. The incoming trust to B ∪ C cannot be higher than the incoming trust to B since C has no incoming trust from V \ (B ∪ C). We have proven that controlling |C| is irrelevant for Eve, thus Sybil attacks are meaningless. Note that the theorem does not reassure against deception attacks. Specifically, a malicious player can create several identities, use them legitimately to inspire others to deposit direct trust to these identities and then switch to the evil strategy, thus defrauding everyone that trusted the fabricated identities. These identities correspond to the corrupted set of players and not to the Sybil set because they have direct incoming trust from outside the collusion. In conclusion, we have delivered on our promise of a Sybil-resilient decentralized financial trust system with invariant risk for purchases.

8

Related Work

Webs-of-trust can be used as a basis for trust as shown by Caronni [10]. PGP [11] implements one and Pathfinder [12] explores its transitive closure. Freenet [13] implements a transitive web-of-trust for fighting spam. 16

Mui et al. [14] and Jøsang et al. [15] propose ways of calculating trust towards distant nodes. Vişan et al. [16] calculate trust in a hierarchical way. CA- and Byzantine-based [19] PKIs [17] and Bazaar [18] require central trusted third parties or at least authenticated membership. FIRE [20], CORE [21], Grünert et al. [22] and Repantis et al. [23] do not prove any Sybil resilience. All these systems define trust in a non-financial manner. We agree with Gollmann [24] in that the meaning of trust should not be extrapolated. We adopted their advice and urge our readers to adhere to the definitions of direct and indirect trust as defined here. Beaver [25] includes a trust model that, to discourage Sybil attacks, relies on fees, something we chose to avoid. Our motivating application for exploring trust in a decentralized setting is OpenBazaar, where transitive financial trust has previously been explored by Zindros [9]. That work however does not define trust as a monetary value. We are strongly inspired by Karlan et al. [4] who give a sociological justification for the central design choice of identifying trust with risk. We appreciate the work in TrustDavis [26], which proposes a financial trust system with transitivity and in which trust is defined as lines-of-credit, similar to us. We extended their work by using the blockchain for automated proofs-of-risk, a feature not available to them at the time. Our conservative strategy and Transitive Game are similar to the mechanism proposed by Fugger [27] which is also financially transitive and is used by Ripple [28] and Stellar [29]. IOUs in those correspond to reversed edges of trust in our system. The critical difference is that our trust is expressed in a global currency and there is no money-as-debt. Furthermore, we proved that trust and maximum flows are equivalent, a direction not explored in their papers, even though it seems to hold for their systems as well.

9

Further Research

When a purchase is made, outgoing direct trust must be reduced such that (15) holds. Trust redistribution algorithms for this will be discussed in a future paper. Our game is static. In a future dynamic setting, users should be able to play simultaneously, freely join, depart or disconnect temporarily from the network. An interesting analysis would involve modelling repeated purchases with the respective edge updates on the trust graph and treating trust on the network as part of the utility function. Other types of multisigs, such as 1-of-3, can be explored. 17

MaxFlow in our case needs complete network knowledge, which can lead to privacy issues [30]. Calculating the flows in zero knowledge remains an open question. SilentWhispers [31] and its centralized predecessor, PrivPay [32], offer insight into how privacy can be achieved. A wallet implementation of our game on any blockchain is welcome. Experimental results can be harvested by a simulation or implementation of Trust Is Risk. Afterwards, our system can be used in decentralized social networks, such as Synereo [33], and other applications.

Appendix A: Proofs, Lemmas and Theorems Lemma 3 (Loss Equivalent to Damage). Consider a Transitive Game. Let j ∈ N and v = P layer (j) such that v is following the conservative strategy. It holds that min (inv,j , Lossv,j ) = min (inv,j , Damagev,j ) . Proof. Case 1: Let v ∈ Happyj−1 . Then 1. v ∈ Happyj because T urnj = ∅, 2. Lossv,j = 0 because otherwise v ∈ / Happyj , 3. Damagev,j = 0, or else any reduction in direct trust to v would increase equally Lossv,j (line 12), which cannot be decreased again but during an Angry player’s turn (line 13). 4. inv,j ≥ 0 Thus min (inv,j , Lossv,j ) = min (inv,j , Damagev,j ) = 0 . Case 2: Let v ∈ Sadj−1 . Then 1. v ∈ Sadj because T urnj = ∅, 2. inv,j = 0 (line 20), 3. Damagev,j ≥ 0 ∧ Lossv,j ≥ 0. Thus min (inv,j , Lossv,j ) = min (inv,j , Damagev,j ) = 0 . If v ∈ Angryj−1 then the same argument as in cases 1 and 2 hold when v ∈ Happyj and v ∈ Sadj respectively if we ignore the argument (1). Thus the theorem holds in every case. 18

Proof of Theorem 1: Trust Convergence First of all, after turn j0 player E will always pass her turn because she has already nullified her incoming and outgoing direct trusts in T urnj0 , the evil strategy does not contain any case where direct trust is increased or where the evil player starts directly trusting another player and the other players do not follow a strategy in which they can choose to Add () direct trust to E. The same holds for player A because she follows the idle strategy. As far as the rest of the players are concerned, consider the Transitive Game. As we can see from lines 2 and 12 - 13, it is ∀j,

X

Lossv = inE,j0 −1 .

v∈Vj

In other words, the total loss is constant and equal to the total value stolen by E. Also, as we can see in lines 1 and 20, which are the only lines where the Sad set is modified, once a player enters the Sad set, it is impossible to exit from this set. Also, we can see that players in Sad ∪ Happy always pass their turn. We will now show that eventually the Angry set will be empty, or equivalently that eventually every player will pass their turn. Suppose that it is possible to have an infinite amount of turns in which players do not choose to pass. We know that the number of nodes is finite, thus this is possible only if ∃j 0 : ∀j ≥ j 0 , |Angryj ∪ Happyj | = c > 0 ∧ Angryj 6= ∅ . This statement is valid because the total number of angry and happy players cannot increase because no player leaves the Sad set and if it were to be decreased, it would eventually reach 0. Since Angryj 6= ∅, a player v that will not pass her turn will eventually be chosen to play. According to the Transitive Game, v will either deplete her incoming direct trust and enter the Sad set (line 20), which is contradicting |Angryj ∪ Happyj | = c, or will steal enough value to enter the Happy set, that is v will achieve Lossv,j = 0. Suppose that she has stolen m players. They, in their turn, will steal total value at least equal to the value stolen by v (since they cannot go sad, as explained above). However, this means that, since the total value being stolen will never be reduced and the turns this will happen are infinite, the players must steal an infinite amount of value, which is impossible because the direct trusts are finite in number and in value. More precisely, let j1 be a turn in which a conservative player is chosen and X ∀j ∈ N, DT rj = DT rw→w0 ,j . w,w0 ∈V

19

Also, without loss of generality, suppose that ∀j ≥ j1 , outA,j = outA,j1 . In T urnj1 , v steals St =

m X

yi .

i=1

We will show using induction that ∀n ∈ N, ∃jn ∈ N : DT rjn ≤ DT rj1 −1 − nSt . Base case: It holds that DT rj1 = DT rj1 −1 − St . Eventually there is a turn j2 when every player in N − (v)j−1 will have played. Then it holds that DT rj2 ≤ DT rj1 − St = DT rj1 −1 − 2St , since all players in N − (v)j−1 follow the conservative strategy, except for A, who will not have been stolen anything due to the supposition. Induction hypothesis: Suppose that ∃k > 1 : jk > jk−1 > j1 ⇒ DT rjk ≤ DT rjk−1 − St . Induction step: There exists a subset of the Angry players, S, that have been stolen at least value St in total between the turns jk−1 and jk , thus there exists a turn jk+1 such that all players in S will have played and thus DT rjk+1 ≤ DT rjk − St . We have proven by induction that ∀n ∈ N, ∃jn ∈ N : DT rjn ≤ DT rj1 −1 − nSt . However DT rj1 −1 ≥ 0 ∧ St > 0 , thus ∃n0 ∈ N : n0 St > DT rj1 −1 ⇒ DT rjn0 < 0 . We have a contradiction because ∀w, w0 ∈ V, ∀j ∈ N, DT rw→w0 ,j ≥ 0 , 20

thus eventually Angry = ∅ and everybody passes. Proof of Lemma 1: MaxFlows Are Transitive Games We suppose that the turn of G is 0. In other words, G = G0 . Let X = {xvw }V×V be the flows returned by M axF low (A, B). For any graph G there exists a M axF low that is a DAG. We can easily prove this using the Flow Decomposition theorem [34], which states that each flow can be seen as a finite set of paths from A to B and cycles, each having a certain flow. We execute M axF low (A, B) and we apply the aforementioned theorem. The cycles do not influence the maxF low (A, B), thus we can remove these flows. The resulting flow is a M axF low (A, B) without cycles, thus it is a DAG. Topologically sorting this DAG, we obtain a total order of its nodes such that ∀ nodes v, w ∈ V : v < w ⇒ xwv = 0 [6]. Put differently, there is no flow from larger to smaller nodes. B is maximum since it is the sink and thus has no outgoing flow to any node and A is minimum since it is the source and thus has no incoming flow from any node. The desired execution of Transitive Game will choose players following the total order inversely, starting from player B. We observe that P P ∀v ∈ V \ {A, B}, xwv = xvw ≤ maxF low (A, B) ≤ inB,0 . Player w∈V

w∈V

B will follow a modified evil strategy where she steals value equal to her total incoming flow, not her total incoming direct trust. Let j2 be the first turn when A is chosen to play. We will show using strong induction that there exists a set of valid actions for each player according to their respective strategy such that at the end of each turn j the corresponding player v = P layer (j) will have stolen value xwv from each in-neighbour w. P Base case: In turn 1, B steals value equal to xwB , following the w∈V

modified evil strategy. [

T urn1 =

{Steal (xvB , v)}

v∈N − (B)0

Induction hypothesis: Let k ∈ [j2 − 2]. We suppose that ∀i ∈ [k], there exists a valid set of actions, T urni , performed by v = P layer (i) such that v steals from each player w value equal to xwv . ∀i ∈ [k], T urni =

[

{Steal (xwv , w)}

w∈N − (v)i−1

Induction step: Let j = k + 1, v = P layer (j). Since all the players that are greater than v in the total order have already played and all of 21

them have stolen value equal to their incoming flow, we deduce that v P has been stolen value equal to xvw . Since it is the first time v w∈N + (v)j−1

N − (v)

plays, ∀w ∈ j−1 , DT rw→v,j−1 = DT rw→v,0 ≥ xwv , thus v is able to choose the following turn: [

T urnj =

{Steal (xwv , w)}

w∈N − (v)j−1

Moreover, this turn satisfies the conservative strategy since X

X

xwv =

w∈N − (v)j−1

xvw .

w∈N + (v)j−1

Thus T urnj is a valid turn for the conservative player v. We have proven that in the end of turn j2 − 1, player B and all the conservative players will have stolen value exactly equal to their total incoming flow, thus A will have been stolen value equal to her outgoing flow, which is maxF low (A, B). Since there remains no Angry player, j2 is a convergence turn, thus LossA,j2 = LossA . We can also see that if B had chosen the original evil strategy, the described actions would still be valid only by supplementing them with additional Steal () actions, thus LossA would further increase. This proves the lemma. Proof of Lemma 2: Transitive Games Are Flows Let Sad, Happy, Angry be as defined in the Transitive Game. Let G 0 be a directed weighted graph based on G with an auxiliary source. Let also j1 be a turn when the Transitive Game has converged. More precisely, G 0 is defined as follows: V 0 = V ∪ {T } E 0 = E ∪ {(T, A)} ∪ {(T, v) : v ∈ Sadj1 } ∀(v, w) ∈ E, c0vw = DT rv→w,0 − DT rv→w,j1 ∀v ∈ Sadj1 , c0T v = c0T A = ∞

22

S

∞ T

G \ (S ∪ {A})

∞ A

G Fig. 7: Graph G 0 , derived from G with Auxiliary Source T . In the figure above, S is the set of sad players. We observe that ∀v ∈ V, c0wv =

X w∈N − (v)0 \{T }

X

=

(DT rw→v,0 − DT rw→v,j1 ) =

w∈N − (v)0 \{T }

=

X

(17) X

DT rw→v,0 −

w∈N − (v)0 \{T }

DT rw→v,j−1 =

w∈N − (v)0 \{T }

= inv,0 − inv,j1 and

c0vw =

X w∈N + (v)0 \{T }

X

=

(DT rv→w,0 − DT rv→w,j1 ) =

w∈N + (v)0 \{T }

=

X w∈N + (v)0 \{T }

(18) X

DT rv→w,0 −

DT rv→w,j−1 =

w∈N + (v)0 \{T }

= outv,0 − outv,j1 . We can suppose that ∀j ∈ N, inA,j = 0 ,

(19)

since if we find a valid flow under this assumption, the flow will still be valid for the original graph. Next we try to calculate M axF low (T, B) = X 0 on graph G 0 . We observe that a flow in which it holds that ∀v, w ∈ V, x0vw = c0vw can be valid for the following reasons: 23

– ∀v, w ∈ V, x0vw ≤ c0vw (Capacity flow requirement (11) ∀e ∈ E) – Since ∀v ∈ Sadj1 ∪ {A}, c0T v = ∞, requirement (11) holds for any flow x0T v ≥ 0. – Let v ∈ V 0 \ (Sadj1 ∪ {T, A, B}). According to the conservative strategy and since v ∈ / Sadj1 , it holds that outv,0 − outv,j1 = inv,0 − inv,j1 . Combining this observation with (17) and (18), we have that X

c0vw =

w∈V 0

X

c0wv .

w∈V 0

(Flow Conservation requirement (12) ∀v ∈ V 0 \ (Sadj1 ∪ {T, A, B})) – Let v ∈ Sadj1 . Since v is sad, we know that outv,0 − outv,j1 > inv,0 − inv,j1 . Since c0T v = ∞, we can set x0T v = (outv,0 − outv,j1 ) − (inv,0 − inv,j1 ) . In this way, we have X

x0vw = outv,0 − outv,j1 and

w∈V 0

X w∈V 0

x0wv =

c0wv + x0T v = inv,0 − inv,j1 +

X w∈V 0 \{T }

+(outv,0 − outv,j1 ) − (inv,0 − inv,j1 ) = outv,0 − outv,j1 . thus X

x0vw =

w∈V 0

X

x0wv .

w∈V 0

(Requirement 12 ∀v ∈ Sadj1 ) – Since c0T A = ∞, we can set x0T A =

X

x0Av ,

v∈V 0

thus from (19) we have X

x0vA =

X v∈V 0

v∈V 0

(Requirement 12 for A) 24

x0Av .

We saw that for all nodes, the necessary properties for a flow to be valid hold and thus X 0 is a valid flow for G. Moreover, this flow is equal to maxF low (T, B) because all incoming flows to E are saturated. Also we observe that X

x0Av =

X

c0Av = outA,0 − outA,j1 = LossA .

(20)

v∈V 0

v∈V 0

We define another graph, G 00 , based on G 0 . V 00 = V 0 E(G 00 ) = E(G 0 ) \ {(T, v) : v ∈ Sadj } ∀e ∈ E(G 00 ), c00e = c0e If we execute M axF low(T, B) on the graph G 00 , we will obtain a flow X 00 in which X X x00T v = x00T A = x00Av . v∈V 00

v∈V 00

The outgoing flow from A in X 00 will remain the same as in X 0 for two reasons: Firstly, using the Flow Decomposition theorem [34] and deleting the paths that contain edges (T, v) : v 6= A, we obtain a flow configuration where the total outgoing flow from A remains invariant, 3 thus x00Av ≥

X

X

x0Av .

v∈V 0

v∈V 00

Secondly, we have P v∈V 00

P v∈V 00

c00Av = c00Av



P v∈V 0

P v∈V 00

c0Av =

P v∈V 0

x0Av   

x00Av



 

X v∈V 00

x00Av ≤

X

x0Av .

v∈V 0

Thus we conclude that X

x00Av =

v∈V 00

X

x0Av .

(21)

v∈V 0

Let X = X 00 \ {(T, A)}. Observe that X

x00Av =

v∈V 00 3

X

xAv .

v∈V

We thank Kyriakos Axiotis for his insights on the Flow Decomposition theorem.

25

This flow is valid on graph G because ∀e ∈ E, ce ≥ c00e . Thus there exists a valid flow for each execution of the Transitive Game such that X

xAv =

v∈V

X v∈V 00

(21)

x00Av =

X

(20)

x0Av = LossA,j1 ,

v∈V 0

which is the flow X.

Theorem 6 (Conservative World Theorem). If everybody follows the conservative strategy, nobody steals any amount from anybody. Proof. Let H be the game history where all players are conservative and suppose there are some Steal () actions taking place. Then let H0 be the subsequence of turns each containing at least one Steal () action. This subsequence is evidently nonempty, thus it must have a first element. The player corresponding to that turn, A, has chosen a Steal () action and no previous player has chosen such an action. However, player A follows the conservative strategy, which is a contradiction. Proof of Theorem 5: Sybil Resilience Let G1 be a game graph defined as follows: V1 = V ∪ {T1 } , E1 = E ∪ {(v, T1 ) : v ∈ B ∪ C} , 1 ∀v, w ∈ V1 \ {T1 }, DT rv→w = DT rv→w , 1 ∀v ∈ B ∪ C, DT rv→T =∞ , 1 1 where DT rv→w is the direct trust from v to w in G and DT rv→w is the direct trust from v to w in G1 . Let also G2 be the induced graph that results from G1 if we remove the Sybil set, C. We rename T1 to T2 and define L = V \ (B ∪ C) as the set of legitimate players to facilitate comprehension.

26

C ∞ L L

B



B

T1



T2

G2

G1 Fig. 8: Graphs G1 and G2 According to theorem (4), T rA→B∪C = maxF low1 (A, T1 ) ∧ T rA→B = maxF low2 (A, T2 ) .

(22)

We will show that the M axF low of each of the two graphs can be used to construct a valid flow of equal value for the other graph. The flow X1 = M axF low (A, T1 ) can be used to construct a valid flow of equal value for the second graph if we set ∀v ∈ V2 \ B, ∀w ∈ V2 , xvw,2 = xvw,1 , ∀v ∈ B, xvT2 ,2 =

X

xvw,1 ,

w∈N1+ (v)

∀v, w ∈ B, xvw,2 = 0 . Therefore maxF low1 (A, T1 ) ≤ maxF low2 (A, T2 ) Likewise, the flow X2 = M axF low(A, T2 ) is a valid flow for G1 because G2 is an induced subgraph of G1 . Therefore maxF low1 (A, T1 ) ≥ maxF low2 (A, T2 ) We conclude that maxF low (A, T1 ) = maxF low (A, T2 ) , thus from (22) and (23) the theorem holds.

27

(23)

Appendix B: Algorithms This algorithm calls the necessary functions to prepare the new graph.

1 2

3

Execute Turn Input : old graph Gj−1 , player A ∈ Vj−1 , old capital CapA,j−1 , TentativeTurn Output : new graph Gj , new capital CapA,j , new history Hj executeTurn(Gj−1 , A, CapA,j−1 , TentativeTurn) : (T urnj , NewCap) = validateTurn(Gj−1 , A, CapA,j−1 , TentativeTurn) return(commitTurn(Gj−1 , A, T urnj , NewCap)) The following algorithm validates that the tentative turn produced by the strategy respects the rules imposed on turns. If the turn is invalid, an empty turn is returned.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Validate Turn Input : old Gj−1 , player A ∈ Vj−1 , old CapA,j−1 , Turn Output : T urnj , new CapA,j validateTurn(Gj−1 , A, CapA,j−1 , Turn) : Yst = Yadd = 0 Stolen = Added = ∅ for (action ∈ Turn) action match do case Steal(y, w) do if (y > DT rw→A,j−1 or y < 0 or w ∈ Stolen) return(∅, CapA,j−1 ) else Yst += y; Stolen = Stolen ∪ {w} case Add(y, w) do if (y < -DT rA→w,j−1 or w ∈ Added) return(∅, CapA,j−1 ) else Yadd += y; Added = Added ∪ {w} if (Yadd - Yst > CapA,j−1 ) return(∅, CapA,j−1 ) else return(Turn, CapA,j−1 + Yst − Yadd ) Finally, this algorithm applies the turn to the old graph and returns the new graph, along with the updated capital and history.

1

Commit Turn Input : old Gj−1 , player A ∈ Vj−1 , NewCap, T urnj Output : new Gj , new CapA,j , new Hj commitTurn(Gj−1 , A, NewCap, T urnj ) : 28

2 3 4 5 6 7 8

for ((v, w) ∈ Ej ) DT rv→w,j = DT rv→w,j−1 for (action ∈ T urnj ) action match do case Steal(y, w) do DT rw→A,j = DT rw→A,j−1 − y case Add(y, w) do DT rA→w,j = DT rA→w,j−1 + y CapA,j = NewCap; Hj = (A, T urnj ) return(Gj , CapA,j , Hj ) It is straightforward to verify the compatibility of the previous algorithms with the corresponding definitions.

References 1. Sanchez W.: Lines of Credit. https://gist.github.com/drwasho/ 2c40b91e169f55988618#part-3-web-of-credit (2016) 2. Nakamoto S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008) 3. Antonopoulos A. M.: Mastering Bitcoin: Unlocking Digital Cryptocurrencies. O’Reilly Media, Inc. (2014) 4. Karlan D., Mobius M., Rosenblat T., Szeidl A.: Trust and social collateral. The Quarterly Journal of Economics, pp. 1307-1361 (2009) 5. Thyfronitis Litos O. S., Zindros D.: Trust Is Risk: A Decentralized Financial Trust Platform. IACR Cryptology ePrint Archive (2017) 6. Cormen T. H., Leiserson C. E., Rivest R. L., Stein C.: Introduction to Algorithms (3rd ed.). MIT Press and McGraw-Hill (2009) 7. Orlin J. B.: Max Flows in O(nm) Time, or Better. STOC ’13 Proceedings of the forty-fifth annual ACM symposium on Theory of computing, pp.765-774, ACM, New York, doi:10.1145/2488608.2488705 (2013) 8. Douceur J. R.: The Sybil Attack. International workshop on Peer-To-Peer Systems (2002) 9. Zindros D. S.: Trust in Decentralized Anonymous Marketplaces (2015) 10. Caronni G.: Walking the web of trust. Enabling Technologies: Infrastructure for Collaborative Enterprises, WET ICE 2000, Proceedings, IEEE 9th International Workshops, pp. 153-158 (2000) 11. Zimmermann P.: PGP Source Code and Internals. The MIT Press (1995) 12. Penning H.P.: PGP pathfinder pgp.cs.uu.nl 13. Clarke I., Sandberg O., Wiley B., Hong T. W.: Freenet: A Distributed Anonymous Information Storage and Retrieval System. H. Federrath, Designing Privacy Enhancing Technologies pp. 46-66, Berkeley, USA: Springer-Verlag Berlin Heidelberg (2001) 14. Mui L., Mohtashemi M., Halberstadt A.: A Computational Model of Trust and Reputation. System Sciences, 2002. HICSS. Proceedings of the 35th Annual Hawaii International Conference, pp. 2431-2439 IEEE (2002) 15. Jøsang A., Ismail R.: The Beta Reputation System. Proceedings of the 15th Bled Electronic Commerce Conference (2002) 16. Vişan A., Pop F., Cristea V.: Decentralized Trust Management in Peer-to-Peer Systems. 10th International Symposium on Parallel and Distributed Computing, pp. 232-239, IEEE (2011)

29

17. Adams C., Lloyd S.: Understanding PKI: concepts, standards, and deployment considerations. Addison-Wesley Professional (2003) 18. Post A., Shah V., Mislove A.: Bazaar: Strengthening User Reputations in Online Marketplaces. Proceedings of NSDI’11: 8th USENIX Symposium on Networked Systems Design and Implementation, p. 183 (2011) 19. Lamport L., Shostak R., Pease M.: The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems (TOPLAS) 4.3, pp. 382-401 (1982) 20. Huynh T. D., Jennings N. R., Shadbolt N. R.: An Integrated Trust and Reputation Model for Open Multi-Agent Systems. Autonomous Agents and Multi-Agent Systems, 13(2), pp. 119-154 (2006) 21. Michiardi P., Molva R.: Core: a Collaborative Reputation Mechanism to Enforce Node Cooperation in Mobile Ad-hoc Networks. Advanced Communications and Multimedia Security, pp. 107-121, Springer US (2002) 22. Grünert A., Hudert S., König S., Kaffille S., Wirtz G.: Decentralized Reputation Management for Cooperating Software Agents in Open Multi-Agent Systems. ITSSA, 1(4), pp. 363-368 (2006) 23. Repantis T., Kalogeraki V.: Decentralized Trust Management for Ad-hoc Peer-toPeer Networks. Proceedings of the 4th International Workshop on Middleware for Pervasive and Ad-hoc Computing, MPAC 2006, p. 6, ACM (2006) 24. Gollmann D.: Why trust is bad for security. Electronic notes in theoretical computer science, 157(3), 3-9 (2006) 25. Soska K., Kwon A., Christin N., Devadas S.: Beaver: A Decentralized Anonymous Marketplace with Secure Reputation (2016) 26. DeFigueiredo D. D. B., Barr E. T.: TrustDavis: A Non-Exploitable Online Reputation System. CEC, Vol. 5, pp. 274-283 (2005) 27. Fugger R.: Money as IOUs in Social Trust Networks & A Proposal for a Decentralized Currency Network Protocol. http://archive.ripple-project.org/ decentralizedcurrency.pdf (2004) 28. Schwartz D., Youngs N., Britto, A.: The Ripple protocol consensus algorithm. Ripple Labs Inc White Paper, 5 (2014) 29. Mazieres, D.: The stellar consensus protocol: A federated model for internet-level consensus. Stellar Development Foundation (2015) 30. Narayanan A., Shmatikov V.: De-anonymizing Social Networks. Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, pp. 173-187, 10.1109/SP.2009.22 (2009) 31. Malavolta G., Moreno-Sanchez P., Kate A., Maffei M.: SilentWhispers: Enforcing Security and Privacy in Decentralized Credit Networks (2016) 32. Moreno-Sanchez P., Kate A., Maffei M., Pecina K.: Privacy preserving payments in credit networks. Network and Distributed Security Symposium (2015) 33. Konforty D., Adam Y., Estrada D., Meredith L. G.: Synereo: The Decentralized and Distributed Social Network (2015) 34. Ahuja R. K., Magnanti T. L., Orlin J. B.: Network Flows: Theory, Algorithms, and Applications. Prentice-Hall https://ocw.mit.edu. License: Creative Commons BY-NC-SA. (1993) 35. Jøsang A., Ismail R., Boyd C.: A Survey of Trust and Reputation Systems for Online Service Provision. Decision Support Systems, 43(2), pp. 618-644 (2007)

30