"Beaver: A Decentralized Anonymous Marketplace with Secure Reputation"

"Beaver: A Decentralized Anonymous Marketplace with Secure Reputation", Soska et al 2016:

Reputation systems play a crucial role in establishing trust online, especially in e-commerce settings. Users in reputation systems provide feedback for other users, thereby incentivizing good behavior and disincentivizing bad behavior. With growing concerns of government surveillance and corporate data sharing, it is increasingly common that users on the web demand tools for preserving their privacy without placing trust in a third party. Unfortunately, existing centralized reputation systems need to be trusted for either privacy, correctness, or both. Existing decentralized approaches, on the other hand, are either vulnerable to Sybil attacks, present inconsistent views of the network, or leak critical information about the actions of its users. In this paper, we present Beaver, a decentralized anonymous marketplace that is resistant against Sybil attacks on vendor reputation, while preserving the anonymity of its customers. Beaver allows its participants to enjoy free open enrollment, and provides every user with the same global view of the reputation of other users through public ledger based consensus. Our use of various cryptographic primitives allow Beaver to offer high levels of usability and practicality, along with strong anonymity guarantees.

Reputation systems play a crucial role in establishing trust in online communities and drive many modern online businesses, ranging from auction markets to transportation companies. A typical reputation system features a collection of actors executing a protocol that allows users to leave reviews for their interactions with each other. Reviews, or feedback, usually consist of numeric ratings (e.g., 1-5 stars) and/or a short message. Feedback accumulates over time, and can be queried by other users in the system.

...These shortcomings motivate the search for a solution that can provide strong anonymity without trusting a third party: in other words, a decentralized anonymous marketplace. The recently proposed OpenBazaar prototype [2] is one such distributed effort, but it currently does not provide strong anonymity properties. For instance, OpenBazaar relies on the UDP protocol and does not readily support network-level anonymization techniques such as Tor. More fundamentally, decentralizing reputation systems has proven to be a challenging task. Early works (e.g., [12, 22]) present peerto-peer/sensor network algorithms in which a node queries its peers to obtain the reputation for another node in the network. These approaches come with the drawback that each node's view of the network is biased by that of its peers. Another important challenge in decentralizing any reputation system, especially a system that protects users' anonymity, comes from the threat of Sybil attacks [17]. In a Sybil attack, an adversary creates a large number of identities in the network (customer accounts, nodes, etc.) and uses them to either inflate her own reputation or damage the reputation of her competitors. Intuitively, there seems to be a fundamental tension between the ability to identify a Sybil attack and the requirement that customers remain anonymous: How can one be sure feedback is legitimate without knowing any information about its source?

...In this paper, we introduce a formal model for a decentralized anonymous marketplace (DAM), and design Beaver, a Sybil-resistant DAM. Beaver is designed with e-commerce in mind, and consists of three types of participants: customers, vendors, and network miners. Unlike most existing approaches, participation in Beaver is free, open, and does not use a trusted third party. From the perspective of customers and vendors, Beaver behaves nearly identically to existing e-commerce systems such as Amazon Marketplace and eBay. It allows vendors to establish reputation by selling items to customers while ensuring that vendor reputation has not been adversely modified either positively or negatively. Beaver simultaneously provides strong anonymity to its customers, in that, unless the customer explicitly provides this information, no adversary can learn which purchases a customer has made or associate reviews with particular transactions better than by randomly guessing. Beaver builds on an anonymous payment system (e.g., Zerocash [4]), consensus protocol (e.g., Bitcoin "blockchain"), and various cryptographic primitives to present a globally consistent view of the network to all of its users without sacrificing anonymity. Due to this consensus construction, Beaver is also able to avoid attacks where a few customers are targeted, and convinced of incorrect statements about another user's reputation. All interactions in Beaver are performed via the consensus protocol. Concretely, item listings created by vendors as well as payments made or reviews left by a customer to a vendor are publicly available as part of the consensus. With this, customers are able to freely and accurately enumerate all listings and feedback in the system, while deriving strong guarantees about the credibility of these reviews. Customers can also purchase products and leave their own reviews without fearing censorship or retribution. The major innovation in Beaver is that, although transactions and reviews are made public, the relationship between the transactions and reviews are kept private and the customers in Beaver always remain anonymous. One of the key properties of Beaver is the mitigation of Sybil attacks. Traditional defenses against Sybil attacks rely on knowing the users' identities or their interaction history [28]. When the participants and their interactions are anonymous, as is the case with DAMs, such defenses cannot be deployed. Instead, we anonymously link reviews to transactions, by using non-interactive zeroknowledge proofs [7] and linkable ring signatures [24], which guarantees that there is a valid transaction for every review, and institute a small cost for each transaction. As a consequence, we can better understand and compute a notion that we call credibility , the lower bound on the cost to an adversary for generating feedback, and thus the trustworthiness of the current state of reputation. While Beaver is not Sybil-proof, we claim that it is Sybil-resistant under modest assumptions about the economic rationality of its participants.

...At a high-level, Beaver works as follows. The vendors first register themselves to the network (i.e., the ledger) by publishing their pseudonyms. The customers are then able to enumerate the list of vendors, and purchase a product by making an anonymous transaction to the vendor. To leave a review, the customer privately ties the review to the transaction she made earlier, and submits the review to the network. Beaver, by using cryptography, guarantees that the clients cannot use the same transaction twice to sign a review. Finally, anyone can check the block chain to enumerate the reviews. Figure 1 shows the system architecture. One key insight of Beaver is that with a public ledger, there is irrefutable public evidence that a valid transaction has taken place, and only the customer knows the secret information regarding the origin the transaction (i.e., private key used to sign a transaction).

...we assume that any communication, especially that of the customers, is done via a truly anonymous communication to ensure anonymity. In practice, the customers may use Tor [16] or other stronger anonymous communication systems [23, 39].

...Vendor privacy: Though our system offers high level of privacy and anonymity for buyers, it only offers limited protection for vendors. Beaver provides the ability to hide which items a vendor sells, since it generates a fresh pseudonym for each item; however, the sales number (i.e., the number of transactions) is made public via the ledger. This is necessary in Beaver, as customers need explicit information about their anonymity set before leaving a review. One could argue that such transparency and auditability of the vendors may be good for the market as a whole, but this may not be desirable for vendors who want to conceal their transaction volume. We hope to address this concern in the future.

(There is no mention of active implementation efforts, and given the authors, none should be expected. I think it's just a design plus some formalizations.)

I've commented in the past that proposals for distributed DNMs can be broken down into how they implement solutions to 3 requirements:

  1. secure distributed data storage with anonymous connections (usually Tor or i2p)
  2. theft-proof payment/escrow
  3. Sybil-proof feedback/metadata

So for example, SR1 & most DNMs would be an anonymous centralized host, single sig, centralized host (simple, easy to setup, trivial to exit scam or raid); Bitwasp would be anonymous centralized host, multisig, centralized host (still very vulnerable, most people won't use multisig); OpenBazaar is distributed pseudonymous centralized hosts, multi/single-sig, distributed centralized hosts (no anonymity solution, so easy to bust sellers); P2POX would be anonymous connections to a blockchain, multisig, 2-of-2 Nash equilibrium (simple and robust to everything, but Nash equilibrium has not been demonstrated to be psychologically or financially acceptable to users).

The most obvious proposal would be to use a blockchain for the data storage, Bitcoin for multisig payment/escrow, and proof-of-burn (fees) for leaving reviews or creating new pseudonyms to frustrate feedback padding (which, after all, is basically how DNMs work: you can't leave a review without paying the commission). This could probably all be done as a smart contract on Ethereum.

Beaver, while mostly being just the first formal publication to describe the folklore distributed DNM design, does add in some novelty by its twist of using Zerocoin instead of a Bitcoin-like blockchain, enabling a shift from persistent pseudonymous accounts to much more anonymous transaction information (the obvious proposal would have persistent buyer/seller accounts, whose activities would be visible on the blockchain). This complicates the approach considerably compared to something as simple as P2POX, but the greater privacy would be valuable.

There is one specific downside to their design, which is the usual downside with using miner fees for proof-of-burn instead of unspendable addresses/transactions: miner collusion. While security is bounded by the amount of money invested in a transaction or pseudonym, that is not the same as the amount of money in a miner fee (which is what they claim, eg "The cost to an adversary for generating a review is therefore lower bounded by f t + ( + 1) f r , where f t is the tax paid on the payment transaction, is the number of times the review has been updated."), because it is entirely possible for a scammer to create a large number of fake feedback/registrations in valid transactions, send them privately to a cooperating miner, who then mines them as feasible (said miner could be an extremely small-scale miner, since there is no time pressure here), winning the fees, and sending them back to the scammer minus a percentage for their service. As Bitcoin miners have already shown willingness to make arrangements to favor transactions from particular companies, assist in zero-spends, and otherwise monkey around for greater profit margin, this is far from hypothetical, and should a distributed DNM ever reach the current DNM volumes of tens of millions a month, it would definitely be worth both scammers' and miners' time to come to arrangements. (After all, what does a miner care about any reputational repercussions?) Soska et al address miner collusion nowhere that I can see, and I don't see how any other part of Beaver would prevent this. An unspendable proof-of-burn would be as simple and more secure.


Comments


[3 Points] 071f45d24713c2e72ef0:

Well, fuck. I've been getting high and trying to mentally construct a decentralized blockchain-based ordering system for the last month or so. This paper, however, has basically beat me to it.

I'm not familiar with Zerocoin, but what I was envisioning was simply building everything into the bitcoin blockchain. A vendor would push a "genesis" message listing their identity/public PGP key, allowing them to publish any messages they want to. The vendor puts up a listing by pushing to the blockchain, ie making a bitcoin transaction and embedding a signed message describing the listings available, with unique bitcoin addresses for each listing.

Customers would purchase listings by sending the appropriate amount of bitcoins (all blockchain messages are timestamped allowing the vendor to confirm that the appropriate number of bitcoins were sent), and attaching a cryptographic hash of any password they want. Now having associated the hash with their bitcoin transaction, they have a cryptographically secure way to prove they were the ones who purchased the order, and thus can later push a review to the blockchain by attaching their hash and the corresponding passphrase. The customer could either directly embed their encrypted address info in the message, which would only be readable by the vendor but would still have the risk of existing for all eternity, or they could use their hash passphrase to establish proof of identity and send their encrypted address info through a less permanent format.

The idea is basically to take all the core functions of any decent darknet market today, and put it on the blockchain. Remember that bitcoin solved the specific problem of how to transfer value in a decentralized manner, by actually constructing the idea of a blockchain, which is a broader distributed database that can be used to transmit and store, in a secure and robust manner, whatever data you want, forever.

As a result there would never be any loss of vendor reviews when a centralized site went down. Nor would there be a risk of market exit scam - only a scam by the vendor themselves. As long as the bitcoin transactions used to push to the blockchain are done in an anonymous manner, there is virtually no direct interaction with any centralized service that could compromise security. As an added bonus, the blockchain can never go down, and can be easily accessed even through the clearnet.

The use of zerocash is a clever innovation, and is almost certainly an improvement over what I was envisioning.

There's really no reason to be using centralized services - it's just a matter of building the infrastructure and teaching people how to use it. Or rather, using the existing blockchain infrastructure we already have.

071f45d24713c2e72ef017d0b1bf6f639b8d2271f248b0c527bedd65f46da072


[2 Points] styxstims:

Another great post by you Gwern!

The more I read this paper the more intresting it gets, someone should definetly start development if it has not already started.


[1 Points] None:

lol beaver


[1 Points] quieell5000500:

There are already blockchain markets, one is on etherum another is syscoin, im sure there are a few others. the problem with the blockchain approach is there is no lite wallets for any of them that allow instant access. Also because their all altcoins it makes it harder psychologically at least for people to access. I just dont see this approach taking off for the latter reason alone as it then introduces new risks with increased volatility and centralized exchange points of failure.

Zeronet is a promising network but theres still the issue of sites being centrally maintained, which leads to centralized escrow (because laziness) which leads to the same bullshit. Since everyone downloads the most recent version of the site from their peers i suppose a site could persist even if the owner does run off.

But the bigger problem is the escrow, in order of importance (escrow -> hosting -> feedback). The solution is not nashx, 2/3 or any of that convuluted crap. The market demands easy payments, this is 2/2 between arbitrator and vendor. Or maybe 2/3 between 2 arbitrators and the vendor, either way the customer cant be involved. Thats it, any other approach will fail in light of buyer psychology.

Feedback is going to get gamed. You can charge for it but that disincentives buyers from leaving it. If you let vendors pay buyers to leave feedback you still have shills, just look at tripwithscience's daily reddit review schedule, maybe it works but everyone knows its a crock of shit and is an abuse of the system. It is what it is, if the vendor starts fucking enough people they will come in droves here or elsewhere and complain, anyone looking at the account history will see if its bullshit or not. This is part of the arbitrators job, and the customers due diligence, theres nothing that can be programmed to determine authenticity of information, and by all means if they figure out a way to do this take it to wall street they'd love to throw millions at you for it.


[1 Points] AmbrosiaFarms:

Great paper. In the near future, centralized markets will be a thing of the past. DAM is objectively superior in almost every way. It just needs to be implemented!


[1 Points] droplister:

If this interests you, I recommend reviewing DropZone for which there is already a JS and Ruby implementation: https://github.com/17Q4MX2hmktmpuUKHFuoRmS5MfB5XPbhod/dropzone-lib/blob/master/Drop%20Zone%20-%20Whitepaper.pdf


[1 Points] None:

It seems impossible to have true reputation in an anonymous marketplace because you can't ensure one account per person. You can associate a temporary rep with an account, but they can always exit scam and create a new account.

There are ways to have one account per person and be provably anonymous on a market. But you have to have a third party who can ensure one account per person (using biometrics).


[1 Points] None:

[deleted]


[0 Points] None:

[deleted]


[0 Points] BaLLzDeeP696969:

"I DONT KNOW WHAT THE FUCK YOU JUST SAID KID, BUT YOUR SPECIAL"