[Phase 2] HIP-55: Explicit Sybil Resistance

HIP: 55
title: Explicit Sybil Resistance
author: @greenlucid
status: Phase 2
created: 2022-07-18
conflicts with: None
languages: EN

Simple Summary

Make the registration policy reject sybils explicitly.

Abstract

Make the Acceptance Criteria be explicit about sybils not being allowed. Allow challenging sybil submissions as Duplicate. A sybil is an actor that controls human accounts whose human does not represent themself.

Motivation

In its current state, the Policy states the registry is sybil resistant, which is a desirable trait. But the Acceptance Criteria was not explicit about this. This has resulted in some different strategies for creating sybils, like farming, or helping family members to get in while controlling their keys.

Implementation

Merge this PR to the HIP-45 compliant repo. Changes are also stated here for completeness (but the authoritative wording is in the PR):

  1. Define sybil as

actor that has direct control over registered human accounts that don’t represent them

and be explicit about 100% proof not needed.

  2. Add non-sybil as Acceptance Criteria.
  3. Add examples of sybils.
  4. Add sybil as Duplicate worthy challenge.

Rationale

It’s not possible to prove that someone is a sybil at its core, since that would imply proving they are holding other accounts’ private keys or whatever equivalent. So, an explanation with reasonable, extremely high-likelihood arguments for someone being a sybil should be enough. The most important characteristic of the registry is sybil resistance, not inclusion.

It would also be desirable to treat a sybil submission challenge as a Duplicate, because then whoever vouched for them gets removed as well (who is certainly malicious, unwittingly or knowingly so).

I’ve shared my thoughts in the previous post. My main concern is the difficulty of proving one thing (you are a sybil!) or another (No ser, I’m in control).

There is some evidence that is often presented as a sybil/farmer accusation that anyone can check on etherscan. I want to know what you consider in each case, or if we as a community can be explicit about them:

  1. Human A (registered) sends to Human B (not registered) the ETH needed for submission. Then Human A vouches him. Is that a sybil?
  2. Similar to that one, but with crowdvouching. Is that a sybil?
  3. Human A sends ETH to Human B and Human C. The B&C videos seem to be in the same place (farmer alert). Is that a sybil?
  4. Human A vouches Human B and in the same moment Human A receives a snapshot delegation from Human B. Is that a sybil?
  5. Human A (registered) receives multiple UBI transfers from Human B (registered) and Human C (registered). Is that a sybil?

Thinking about “defense” evidence of a sybil-challenge. Is a video saying “I’m in control of my account” enough?

I would vote for this if a few things are fulfilled:

  • We should specify that the weight of evidence lies on the challenger.
  • The criterion should not be applied immediately, but only on new profiles and renewal (some people signed up not knowing that this was required).

We will have time to find a solution for people to declare/sign-up/renew dependants (children, elderly) after this proposal is passed. We can find a solution that can solve sybil-resistance and inclusion - they need not be mutually exclusive.

I agree with both @Mads and @herniadlf and I add as I did before that a standard of proof must be set. You can raise or lower the bar of what is considered proof, but without a standard of proof it is “it’s a Sybil because I say so” and that is not proper procedure.

I believe that a video of the person saying they are in control of the account, holding a sign with the address of the challenger should be enough proof. Hard to fabricate in advance, and easy enough to provide.

As for the reasons for challenging, I believe it’s better not to create strict rules, because that makes it easier for challengers to circumvent those rules. Ultimately, what’s being “measured” is the ability of the person to respond to the removal request with the proof they control the wallet in the video enough to be able to submit a proof.

I would agree with that in theory, but in practice I believe that if we specify that, we will have almost no challenges for this reason, unless farmers produce evidence to incriminate themselves.

Regarding the question about if we have time or not, if we pass the quadratic delegations HIP and not this one, we will be benefitting farmers exponentially, because they will not use proper delegations, and will vote with the wallets of the people they control instead.

10 farmed profiles = 100 honest delegations

Good one, I like it.

I get your point, I didn’t expect to include all of those questions in the policy, but I do want to understand what we are expecting to achieve with this HIP and this policy. If we are talking about being “explicit” but we cannot draw some lines for us and for the jurors with these common cases, I don’t know if we are moving forward or not.

The way I see it, it’s not possible to foresee what challenge patterns may be abusive or not. The text in the HIP is pretty clear I think: the challenger needs to provide an explanation for why the profile is, with most certain probability, a sybil. That is, the private key is not exclusively controlled by the human represented by the profile.
This is super hard to prove. The burden of evidence is in the challenger already.
If abusive patterns emerged, then we just create HIPs to clarify points. But you cannot expect me to foresee every possible edge case and argument.

As for the “standard of evidence”, both parties already need to provide credible evidence for the jurors. The current arbitrator (Kleros) handles these evaluations internally. If you are interested in a “standard of evidence”, it should be general and applicable to all challenge and removal reasons, not just for this specific sybil scenario.

This HIP has been put to a vote.

I am not talking about edge cases, but cases that I have already seen. Some of them have even been the subject of a removal request.

Again, I am not asking that we include the examples in the policy right now. But before voting, I would like you, as the author of the proposal, to give me your point of view on the cases that commonly lead us to doubt if there is a sybil behind or not, and in what way you imagine that this HIP can help us to stop them.

EDIT: We were talking in some Telegram groups. I will support this HIP but I hope to see the defense mechanism definition. A video saying “I certify that I’m in control of my account” holding a sign with the challenger’s address (as @0xjean.eth said) would be nice.

But isn’t that similar to:
When registering, in the video, you have to say “I certify… I control my wallet…”

It’s not, it’s basically a proof of life, with the address of the challenger that cannot be known in advance.
