SMPC does NOT work.



As Vitalik explains on his blog:
"The requirement of trust on the participants is also an onerous one; note that, as is the case with many other applications, the participants have the ability to save the data and then collude to uncover at any future point in history. Additionally, it is impossible to tell that they have done this, and so it is impossible to incentivize the participants to maintain the system's privacy; for this reason, secure multi-party computation is arguably much more suited to private blockchains, where incentives can come from outside the protocol, than public chains."

Truthcoin oracles will not work. There is an attack that costs very little.
Bribe the oracle participants to lie. Commit to paying them dependent on the attack failing.
They will all lie for you, and you don't have to pay any of them.


I am trying to think up an alternative to truthcoin oracles.
How about every time a bet expires, the blockchain forks into 3 possibilities.
If Hillary won the election, version 1 is valuable.
If Hillary lost the election, version 2 is valuable.
If the question is nonsense, then version 3 is valuable.

If publicly traded exchanges exist, you can look at the difference in price between the different coins to know which blockchain is correct.


I am starting to read the Hawk paper.
I think we might be able to put truthcoin oracles inside of this type of encrypted computation.


There exists a library for making zkSNARKS. This library is being used in the zerocoin project.
It is in C++, which I do not know. I am considering learning how to make an Erlang wrapper for the library so that I can integrate it with Flying Fox.

I am studying the paper:


I added item (f) (2) to the latest Whitepaper in response to this point.

As I state there, I do not think it is a problem. I invoke a game theory solution, not a cryptographic solution -- voters can change their vote at any time.

As a result:

...while the "sealing" of votes can help, it is not necessarily very crucial or important. Voters can already change votes, and so all voting is "cheap talk" until the point at which votes become binding (at which point they are unalterable).
Nullius In Verba


It needs to be impossible for the members of the oracle to prove how they voted, even after the votes are counted and the winnings are paid out. Otherwise an attacker could make a commitment to pay conditional on: the individual voting wrong, and the attack failing. It could even be from a different blockchain.

If it is possible to prove how you voted, then it is possible for someone to commit to give you money, once you create the proof in the future.
This is similar to voting in the United States. It needs to be impossible for citizens to prove how they voted. Otherwise their boss might say: "Show up tomorrow with proof that you voted for Trump, or you are fired."

If the members of the oracle are capable of cooperating to stop the conditional bribery attack, then that means they are capable of cooperating to break the results of the oracle to cheat in a big gambling market.

We need to put each member's votecoin balance into a zkSNARK. The SVD needs to be inside the zkSNARK.
I am worried that we might not be able to let the members of the oracle look at their own votecoin balance. I don't understand zkSNARKS well yet.


Quote from: zack on February 05, 2016, 04:31:05 PM
If it is possible to prove how you voted, then it is possible for someone to commit to give you money, once you create the proof in the future.

This simply returns us to the original "bribe" topic, which is not different from simply buying VTC.

Nullius In Verba


It is different from buying the coins, because the bribe only gets paid if the attack fails.
It is a conditional bribe.

attack fails____|1.51___|1.5
attack succeeds|1.5____|0


Reread the parts about "splitting" votes, and creating a counter-bribe.
Nullius In Verba


I can't find what you are talking about in the white paper, but I found this stuff Vitalik said and I am so relieved:

Now, there is another kind of counter-coordination that Vlad Zamfir figured out that does work. Essentially, first of all, instead of the naive Schellingcoin mechanism where winners get P and losers get 0, we add the anti-coordination game to at least the extent at which the mechanism always has an equal total revenue, ie. if there are k winners, winners get NP/k and losers get 0. Then, set up the contract C such that:

(i) to join C you need to put down a security deposit
(ii) after you join C, you need to provably vote with a 60% chance of Obama and a 40% chance of McCain (ie. use some common entropy to decide your vote with that probability distribution, eg. vote Obama iff sha3(block hash) % 10 < 6)
(iii) after you join C and get your reward if you vote Obama, you need to equally redistribute the reward that you get, as well as any bribes that you receive, among all participants in C
(iv) if you violate (ii) or (iii) you lose the deposit

The expected collective payoff, assuming everyone joins C, is going to be P * N + (P + ϵ) * N * 0.4 ~= P * N * 1.4. The incentive to join C is that you receive an expected payoff of 1.4 * P instead of P. Once you join, the security deposit bounds you to participate. The key trick here is that the contract allows the participants to provably share the rewards and collect the maximum possible benefit from the entire combined game. The mechanism doesn't inherit the problems of assurance contracts for public goods because you have the ability to exclude non-participants from sharing in the collective gain (namely, the attacker's attempted bribe).

Essentially, this is basically a way of using a version of my decentralized coordination contract from (52:27) against Andrew Miller's centralized coordination contract.
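To make the arithmetic of the quoted contract C concrete, and to show how it absorbs the conditional bribe discussed earlier in this thread (the "attack fails / attack succeeds" payoff table), here is an added Python simulation; it is my own illustration, not code from the thread, from Truthcoin or from Vitalik's post. The 10-voter split, P = 10 and ε = 1 are constructed sample values, and the attacker is assumed to pay P + ε to each McCain voter only when the attack fails (Obama still wins), as in the quoted setup.

```python
import hashlib
from fractions import Fraction

OBAMA, MCCAIN = "Obama", "McCain"


def vote_from_entropy(block_hash: bytes, obama_tenths: int = 6) -> str:
    """Rule (ii) of C: a provable entropy-driven vote.
    Vote Obama iff sha3(block hash) % 10 < 6 (60/40 split)."""
    digest = hashlib.sha3_256(block_hash).digest()
    return OBAMA if int.from_bytes(digest, "big") % 10 < obama_tenths else MCCAIN


def outcome(votes):
    """The oracle reports whichever answer has a strict majority."""
    obama = sum(v == OBAMA for v in votes)
    return OBAMA if 2 * obama > len(votes) else MCCAIN


def attacker_bribes(votes, P, eps):
    """Conditional bribe (assumed form): P + eps to every McCain voter,
    paid only if the attack fails, i.e. the oracle still says Obama."""
    if outcome(votes) != OBAMA:
        return [Fraction(0)] * len(votes)
    return [Fraction(P + eps) if v == MCCAIN else Fraction(0) for v in votes]


def oracle_rewards(votes, P, fixed_revenue):
    """Naive Schellingcoin: each winner gets P.
    Fixed-revenue variant used by C: k winners split N*P."""
    win = outcome(votes)
    n, k = len(votes), sum(v == win for v in votes)
    per_winner = Fraction(n) * P / k if fixed_revenue else Fraction(P)
    return [per_winner if v == win else Fraction(0) for v in votes]


def naive_payoffs(votes, P, eps):
    """No contract: each voter keeps their own reward plus any bribe."""
    rewards = oracle_rewards(votes, P, fixed_revenue=False)
    bribes = attacker_bribes(votes, P, eps)
    return [r + b for r, b in zip(rewards, bribes)]


def contract_c_payoffs(votes, P, eps):
    """Rule (iii): members pool oracle rewards and bribes, split equally."""
    total = sum(oracle_rewards(votes, P, True)) + sum(attacker_bribes(votes, P, eps))
    return [total / len(votes)] * len(votes)


def expected_member_payoff(P, eps, p_obama=Fraction(6, 10)):
    """Closed form from the quote: (P*N + (P+eps)*N*0.4) / N per member."""
    return P + (P + eps) * (1 - p_obama)


if __name__ == "__main__":
    votes = [OBAMA] * 6 + [MCCAIN] * 4          # constructed 60/40 sample
    print("naive:", naive_payoffs(votes, 10, 1))  # liars earn 11 > 10
    print("under C:", contract_c_payoffs(votes, 10, 1)[0])  # 72/5 = 14.4 each
```

Under the naive mechanism a McCain voter earns P + ε = 11 against an honest voter's 10, which is the pull of the conditional bribe; under C every member earns 14.4, so the bribe money funds the honest majority instead of undermining it.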