Malicious adversary

We next assume that there exists a malicious adversary aiming at attacking a specific user U while the rest of EOAs are rational adversaries. The malicious adversary may choose to launch either a time difference attack or an execution failure attack. There are two approaches to launch the two types of attacks, namely trustee bribery and Sybil attack [48]. Through trustee bribery, the malicious adversary can deploy a smart contract with a fund larger than the security deposit d and use this smart contract as bait to bribe a trustee, even if the trustee’s identity is not known. For example, to obtain a specific trustee’s private key for launching a time difference attack, the smart contract can be set with a condition ‘If any EOA in the network can submit the private key owned by the trustee who is in charge of (Uaddr, sid, tid) to the bribery contract before U ’s execution time window, the EOA can withdraw the fund stored in bribery contract.’ Since the fund in bribery contract is larger than the security deposit, a rational trustee may choose to reveal the private key to the bribery contract to increase its profit. Besides, the malicious adversary can create an arbitrary amount of EOAs and make all these EOAs join the trustee candidate pool. This attack approach was named Sybil attack [48].

We now analyze the cost to make either a time difference attack or an execution failure attack successful.

Lemma 3. To launch a successful execution failure attack, a malicious adversary needs to spend at least (n − m + 1)d.

Proof. To launch a successful execution failure attack, a malicious adversary should aim at impeding the restoration of key at execution time, which means at least n − m + 1 shares should be dropped. The drop of a single share may be implemented by either a rational trustee bribed by the malicious adversary or a trustee directly controlled by the malicious adversary through Sybil attack. However, in both the two conditions, due to the existence of the misbehavior report mechanisms, the drop of a single share will cost security deposit d, so the cost of dropping n − m + 1 shares will be at least (n − m + 1)d.

Lemma 4. A malicious adversary needs to spend at least m(l − 1)d to bribe trustees for making a time difference attack successful.

Proof. To bribe trustees for making a time difference attack successful, a malicious adversary should aim at restoring key before execution time window we, which means at least m shares

should be obtained before we. To obtain a single share, the malicious adversary needs to

deploy l − 1 bribery smart contracts to collecting private keys from l − 1 different trustees, which, due to the existence of the misbehavior report mechanisms, will cost at least (l − 1)d. Therefore, the cost of obtaining m shares before we will be at least m(l − 1)d.

Lemma 5. Through Sybil attacks [48], the expected value of security deposit that a malicious adversary needs to pay to launch a successful time difference attack is (l − 2)vd, where v denotes the number of trustee candidates available to user U that are not controlled by this malicious adversary.

Proof. The situation refers to the malicious trustee method introduced in Section5.1.4, where the trustee candidates available to user U during user schedule component can be divided into two parts. By denoting the number of rational candidates not controlled by the malicious adversary as v and the number of malicious candidates injected by the malicious adversary as x, we get pM = _x+vx → x = _1−pvpM

M, where pM denotes the percentage of malicious candidates.

To obtain a single share, all the l − 1 trustees providing private keys for encrypting this share to an onion should be selected from malicious candidates, which has the probability pl−1_M . Since there are n shares in total, the overall process can be viewed as a Binomial distribution B(n, pl−1_M ) with mean npl−1_M . Then, the expected amount of security deposit bd that should be paid by the malicious adversary to make npl−1_M = m can be computed with

b d xd = m npl−1_M , which makes bd = x · dm npl−1_M = vpM 1−pM · dm npl−1_M = vdm n · p2−l_M

1−pM. Since the malicious

adversary cannot control (v, d, m, n), to minimize bd, we set f (pM) = vdm_n · p2−l_M 1−pM and compute f0(pM) = 0, which gives (2−l)p1−l_M 1−pM + p2−l_M (1−pM)2 = 0 → pM = l−2

l−1 Therefore, when bd is minimized:

x = v ·l−2_l−1 · (l − 1) = (l − 2)v → bdmin = (l − 2)vd

For example, when v = 10000, l = 4 and d = $100, bdmin will be four million dollars. In

by a malicious adversary who aims at launching a time difference attack. As can be seen, smaller m while larger n and l help enhancing the resistance against time difference attacks performed through Sybil attack.