How much effort does it take to control a group on the SAFE network?
This calculator estimates the security of the Close Group Consensus mechanism used by the SAFE network.
The first section is based on a very simple model. Each subsequent section adds progressively more factors.
Summary
This calculator demonstrates a few principles of the SAFE network design:
Security increases as network size increases.
Security increases as churn increases (i.e. as vaults join, leave or are relocated in the network).
Successful attacks are a matter of when, not if. Success is a matter of 'chance' rather than a binary 'attacked' vs 'not attacked' result. This is a natural consequence of the non-deterministic vault naming used by the network.
The calculator is not a complete model of the network
security. Refer to the Notes at the bottom of the page
for more information.
Network Specification
The minimum number of vaults per group is ? and the maximum is ? (the actual values in the codebase are linked below).
The actual minimum is defined in routing as 8 (see the code).
The actual maximum is calculated using split_buffer, defined in routing as 3, which leads to a maximum group size of (8 + 3) × 2 = 22 (see the code).
Groups contain an average of ? vaults:
(? minimum + ? maximum) ÷ 2 = ? vaults per group
With the values from the codebase this is (8 + 22) ÷ 2 = 15 vaults per group.
To reiterate, some groups on the network will be small in size and some will be large, but on average groups will be medium in size (as calculated above).
The total network size is ? thousand vaults.
This makes for a total of ? groups:
? total vaults ÷ ? average vaults per group = ? groups
Quorum required for group consensus is ? (the actual value in the codebase is linked below).
The quorum is defined in routing as 1 ÷ 2 = 0.5 (see the code).
The attacker requires control of ? vaults to control an average sized group:
floor(? vaults per group × ? quorum ratio) + 1 = ? vaults for quorum
With the values from the codebase this is floor(15 × 0.5) + 1 = 8 vaults.
In the worst case scenario, the attacker requires control of ? vaults to control a small group:
floor(? vaults per group × ? quorum ratio) + 1 = ? vaults for quorum
With the values from the codebase this is floor(8 × 0.5) + 1 = 5 vaults. The smallest group is the worst case for the network because it has the smallest quorum.
The attacker is able to join (and decide to stay or leave) the network at a rate of ? joins per second.
Simplistic Analysis
Consider a simplistic approach, where each consecutive vault to join the network is coincidentally located in the same group.
In the worst case scenario the attacker must control ? vaults, i.e. the quorum for the smallest possible group of ? vaults. The chance that this many vaults in a row join an identical group is
(1 ÷ ? groups) ^ ? vaults for quorum = ?
i.e. a frequency of once per
(? groups) ^ ? vaults for quorum = ? join events
At an attack rate of ? joins per second, the worst case scenario would happen once in
? joins per event ÷ (? joins per second × 60 × 60 × 24 × 365 seconds per year) = ? years per event
Note that this formula requires every vault, including the first, to land in one particular group. If the first join is allowed to define the target group, only the remaining vaults need to match it and the exponent drops by one, so the chance above understates the attacker's odds by a factor of the number of groups.
Using the same simplistic approach, the attacker must control ? vaults in the average scenario, i.e. the quorum for the average group size of ? vaults. The chance that this many vaults in a row join an identical average sized group is
(1 ÷ ? groups) ^ ? vaults for quorum = ?
i.e. a frequency of once per
(? groups) ^ ? vaults for quorum = ? join events
A successful attack on an average sized group would happen once in
? joins per event ÷ (? joins per second × 60 × 60 × 24 × 365 seconds per year) = ? years per event
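The network specification and the simplistic analysis above, as an added worked example in Python (this is not the calculator's own code). The group bounds (8 and 22) and the quorum ratio (0.5) are the values the page quotes from the routing codebase; the network sizes and the join rate are constructed inputs, chosen to show how the time per successful attack grows with network size.

```python
import math

SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def average_group_size(min_size, max_size):
    """(minimum + maximum) / 2, the page's estimate of a typical group."""
    return (min_size + max_size) / 2


def number_of_groups(total_vaults, avg_group_size):
    """total vaults / average vaults per group (may be fractional)."""
    return total_vaults / avg_group_size


def quorum_vaults(group_size, quorum_ratio):
    """floor(group size * quorum ratio) + 1: vaults the attacker must control."""
    return math.floor(group_size * quorum_ratio) + 1


def consecutive_join_chance(groups, needed):
    """Chance that `needed` consecutive joins all land in one identical group."""
    return (1 / groups) ** needed


def joins_per_event(groups, needed):
    """Expected join events per success: the reciprocal of the chance above."""
    return groups ** needed


def years_per_event(groups, needed, joins_per_second):
    """Wall-clock time per success at the attacker's join rate."""
    return joins_per_event(groups, needed) / (joins_per_second * SECONDS_PER_YEAR)


def simplistic_analysis(min_size, max_size, total_vaults, quorum_ratio, joins_per_second):
    """Run the page's 'Simplistic Analysis' for the smallest and the average group."""
    avg = average_group_size(min_size, max_size)
    groups = number_of_groups(total_vaults, avg)
    results = {"average_group_size": avg, "groups": groups}
    for label, size in (("small", min_size), ("average", avg)):
        needed = quorum_vaults(size, quorum_ratio)
        results[label] = {
            "group_size": size,
            "quorum_vaults": needed,
            "chance": consecutive_join_chance(groups, needed),
            "joins_per_event": joins_per_event(groups, needed),
            "years_per_event": years_per_event(groups, needed, joins_per_second),
        }
    return results


if __name__ == "__main__":
    # Codebase values from the page: min 8, max 22, quorum ratio 0.5.
    # Network sizes and the join rate are constructed inputs.
    for thousands in (10, 100, 1000):
        r = simplistic_analysis(8, 22, thousands * 1000, 0.5, joins_per_second=10)
        print(f"{thousands:>5}k vaults, {r['groups']:.0f} groups: "
              f"small group {r['small']['years_per_event']:.3g} years/event, "
              f"average group {r['average']['years_per_event']:.3g} years/event")
```

Each extra order of magnitude in network size multiplies the years per event by ten to the power of the quorum size, which is the "security increases as network size increases" principle from the summary stated quantitatively.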
Non-Consecutive Joins
Consider a more realistic scenario where an attacker accumulates attacking vaults, i.e. each vault retains its membership once joined to the target group. This means the attacker doesn't require consecutive joins as simulated above.
This is still a fairly simplistic approach, since it ignores non-attacking vaults that coincidentally join the target group (or leave it or are relocated to it).
The first join always ends up in a group. This becomes the target group. This leaves
? vaults for quorum − 1 already joined vault = ? vaults
still to join the group to achieve quorum.
The attacker aims for a ? percent chance of controlling an average group (? vaults per group with a quorum of ? vaults).
This means each individual vault must retry joining the network until it has a ? percent chance of having landed in the target group:
e ^ (ln(? ÷ 100 percent) ÷ ? vaults still to join) = ? percent
which is the same as taking the nth root of the target chance, where n is the number of vaults still to join.
i.e. ? percent chance per vault for ? vaults = ? percent ^ ? = ? percent total chance of all vaults joining the same group.
The chance of any single join landing in the target group is 1 ÷ ? groups (call this probability 'p'). The same arithmetic covers both an attacking vault retrying its join and a non-attacking vault 'interrupting' the attack:
The chance of the first join not landing in the target group is 1 − p
The chance of neither of the first two joins landing in the target group is (1 − p)^2
The chance of none of the first n joins landing in the target group is (1 − p)^n
The chance of at least one of the first n joins landing in the target group is 1 − (1 − p)^n
For an attacking vault this gives the number of retries n needed to reach its per-vault chance; for interruptions it gives the chance that an honest vault has landed in the target group after n interruptions. Interruptions delay the attack and reduce the chance of a successful attack, but do not necessarily altogether prevent it or set it back to square one.
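The non-consecutive attack and the interruption arithmetic, as an added worked example in Python (not the calculator's own code). It assumes, as the text above does, that the first attacking vault defines the target group and only the remaining quorum − 1 vaults still have to land in it; the number of groups, the quorum, the target chance and the join rate used in the demo are constructed inputs.

```python
import math


def per_vault_chance(target_percent, vaults_to_join):
    """Chance each of n independent vaults needs so that their joint chance is
    the target: (target/100)^(1/n), the same as the page's e^(ln(target/100)/n)."""
    if not 0 < target_percent < 100:
        raise ValueError("target must be strictly between 0 and 100 percent")
    return (target_percent / 100) ** (1 / vaults_to_join)


def chance_any_of_n_joins(p, n):
    """1 - (1 - p)^n: chance that at least one of n independent joins lands in
    the target group. Serves both for an attacking vault retrying its join and
    for honest 'interruptions' that happen to land in the target group."""
    return 1 - (1 - p) ** n


def attempts_for_chance(groups, wanted):
    """Smallest number of join attempts k with 1 - (1 - 1/groups)^k >= wanted."""
    if groups <= 1 or not 0 <= wanted < 1:
        raise ValueError("need more than one group and a wanted chance below 1")
    p = 1 / groups
    return math.ceil(math.log(1 - wanted) / math.log(1 - p))


def non_consecutive_attack(groups, quorum, target_percent, joins_per_second):
    """Plan the page's 'Non-Consecutive Joins' attack against one target group."""
    # Assumption: the first attacking vault defines the target group, so
    # quorum - 1 further vaults still have to land in it.
    remaining = quorum - 1
    pv = per_vault_chance(target_percent, remaining)
    attempts_each = attempts_for_chance(groups, pv)
    achieved_each = chance_any_of_n_joins(1 / groups, attempts_each)
    total_attempts = remaining * attempts_each
    return {
        "vaults_still_to_join": remaining,
        "per_vault_chance": pv,
        "attempts_per_vault": attempts_each,
        "total_join_attempts": total_attempts,
        "achieved_chance": achieved_each ** remaining,
        "seconds_at_rate": total_attempts / joins_per_second,
    }


if __name__ == "__main__":
    # Constructed inputs: 10,000 groups (150k vaults of 15 on average), the
    # average-group quorum of 8, a 50 percent target, 10 joins per second.
    plan = non_consecutive_attack(groups=10000, quorum=8, target_percent=50,
                                  joins_per_second=10)
    for key, value in plan.items():
        print(f"{key}: {value}")
    # Honest interruptions: chance that at least one of 500 non-attacking
    # joins landed in the target group, out of 10,000 groups.
    print("chance an interruption has landed in the target group:",
          round(chance_any_of_n_joins(1 / 10000, 500), 4))
```

The number of attempts per vault grows roughly in proportion to the number of groups (because ln(1 − 1/groups) ≈ −1/groups), so doubling the network roughly doubles the joins the attacker must perform, rather than the exponential growth of the consecutive-join model; this is why accumulation is the more realistic, and more worrying, scenario.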
Notes
The utility of controlling a group is not calculated. Greater utility motivates an attack.
The cost of an attack is not calculated. Larger costs reduce the motivation to attack the network.
The feasibility of an attack is measured by comparing the utility with the cost. This calculator does not determine the feasibility of an attack.
Data-chains allow groups to assess the honesty of other groups. Therefore successfully abusing control of a single group often requires control of more than a single group.
This calculator does not account for other means of controlling specific vaults, such as bribery or secretly distributing malicious vault software. These attacks may be more effective than attacks on the joining algorithm.
This calculator does not measure the difficulty of spreading the attack after a group is compromised, or the likelihood of recovery from a compromised state back to the original uncompromised state.
The target group grows in size as attacking vaults join it, increasing the quorum size for the group. This increases the difficulty of an attack, but is not included in this calculator.
Attacking vaults should target a particular 'end' of the group (the high names or low names) rather than the middle so that if a split occurs during the attack the malicious vaults end up in the same group. The added difficulty of targeting a particular portion of the group is not included in this calculator.
When vault ageing is introduced, joining a group as a quorum member will take longer than simply being allocated a name by the network. This greatly increases the time taken to perform an attack and decreases the chance of success.
Offline attacks to the relocation algorithm are not included in the calculator.