Re-design Ursula's identity evidence

[cygnusv]

We have to come up with a new design of identity evidence that fulfills with, at least, the following requirements:

• Allows Bob (and other characters) to check that the Ursula node they want to validate belongs to a valid staker. This is currently not checked anywhere.
• Allows stakers to be smart contracts, which can't sign stuff. This is what Separate worker role from miner/staker #949 does, but we will probably need to rethink that approach.

---

Current approach (also followed by #996):

• Ursulas have a non-ETH signing key (the stamp), which is signed with the ETH key of the staker to produce her identity evidence. The stamp is used for signing network protocol messages.
• Ursulas inherit the address associated to the staker's ETH key (the checksum address) and use it as their ID. Ursulas don't need to control the staker's ETH key.
• When Bob validates an Ursula node, he only checks that the signature is valid, but he doesn't check that the staker's account is valid (e.g., it can be a signature from an arbitrary ETH account, with no tokens at all).

#949's approach:

• Ursulas have a stamp and an ETH key (which results in a worker address)
• Stakers have an ETH account (with or without keys, since they can be contracts).
• MinersEscrow has a list of the mapping between Ursulas' addresses and stakers' addresses.
• This new scheme is not connected to the network-level identity information, so it's not consistent at all. The fact that this doesn't raise any problems is bad, since it shows that we weren't really validating anything with our current identity evidence approach.

---

New approach?
We can mix both approaches in something like this:

• Ursula does not need an ETH address, only her stamp, like it is now.
• MinersEscrow has a list of the mapping between Ursulas' stamps and stakers addresses.
• Bob, Alice and other characters should always check with MinersEscrow that a node they have learnt about is actually connected to a staking miner. This means characters need access to an ETH node for this validation.
• The ETH signature as proof of identity is not useful anymore, as even if it's valid, you have to check MinersEscrow.
• Ursula can continue using the staker's address as her checksum_public_address, even if it's a contract.

[michwill]

Hm... If Ursula changes her non-ETH signing key: does it mean that since the old non-ETH signing key was broadcasted in the past, that key can also be (maliciously) used?

[jMyles]

I'm digesting this right now, but first things first: this is a beautiful issue and a model for design decision making going forward.

[jMyles]

On the "new approach":

1. Can you walk me through how a smart contract can stake? If this happens, who performs the work?

2. On the matter of verifying a node, you say:

Bob, Alice and other characters should always check with MinersEscrow that a node they have learnt about is actually connected to a staking miner. This means characters need access to an ETH node for this validation.

...but does Bob really need to perform this check? Isn't Alice's say-so (ie, on the TreasureMap) enough?

3. Do we know about much more gas this will cost per stake?

4. What will be the new process in the case that Ursula loses control of her signing secret? Previously, all she needed to do was generate another keypair, use it to generate a new public bytestring, sign it with her wallet, and broadcast this to the network with a later timestamp than the old one, and everything else just worked.

[michwill]

Reposting the "napkin note" here

Miner ------------------->  Worker
eth_miner_key?              eth_worker_key
0xdeadbeef                  0xf00baar
stake                       stamp


Miner -> Worker
Worker -> Miner

Bob
stamp (verify)

eth_worker_key signs stamp
0xf00baar belongs to 0xdeadbeef
0xdeadbeef is an active miner

[michwill]

1. Here is how I see it. There is a Miner (who can or cannot have an eth_miner_key - doesn't matter), and Worker (basically an instance who has its real eth key and stuff). Instance (worker) also has a verifying key and stuff. Worker does the work, talks to blockchain when he does that etc. Also the worker produces the stamp we currently have now.

There could be only one Worker for Miner and only one Miner for Worker. But the Miner can change the Worker if he is believed to be compromised.

Bob indeed gets the miner from the treasure map. However, when he first verifies the miner, he also checks not only that eth_worker_key signs stamp, but also that the ethereum address of the Worker is indeed in the mapping Miner -> Worker (and it's Miner who is recorded in the treasure map)

[michwill]

2. Indeed, if Ursula never had to change her keys (or change the worker), that doesn't matter. However, if Ursula was hacked, in the current model, the old (hacked) instance can produce stamps which we shouldn't trust anymore!
   In Miner-Worker model, if the Worker was hacked, we have the new Worker (and I believe we probably would need to revoke access if we suspect the hack). But the worker can be changed regardless, say for the sake of key rotation (rotating the "hot wallet" ethereum key)

[michwill]

Here's another analogy. "Worker" is the hot wallet, and "Miner" is the cold wallet (who could also be a contract, multisig, whatever)

[michwill]

3. I think, it will only cost more gas to create a brand new Ursula, not for confirmActivity. But that's a question for @szotov

[michwill]

4. Here's the thing. I doubt very much that in case of a hack Ursula will have only signing key compromised. It'd be also her Ethereum key! And an attacker would be able to sign the new key just as well.
   So, as described above, the lost key belonged to Worker, so we change all Worker keys (verifying key, eth key etc), new eth key signs the verifying key. The new worker is designated by Ursula (Miner) on chain, so it'll be in the mapping. Of course, the caveat is that Bob now has to look on chain (or we may enable random Ursulas to have a rest api endpoint which queries that mapping?).

[michwill]

Also as a bonus. What would a random hacker do if he hacked Ursulas?

Right now, that hacker can deliberately produce incorrect re-encryptions, slash Ursula as much as he can (we probably can limit), and claim the reward for "finding" a cheating Ursula. Essentially, the hacker can steal some money from Ursula (unless someone front-runs the hacker transaction - welcome to gas wars!).

So is it good or bad? @tuxxy may argue that this creates a monetary incentive to hack Ursula to get her money, so it's bad. I think, this is good. Here is why (discussed that with @KPrasch):

Hacking cannot be made by a DDOS attack. It requires exploiting some vulnerabilities. Something Ursulas can do a good effort to protect against.

If we don't have a monetary incentive, the only ones who hack Ursulas would be, for example, malicious nation states who want to collect kfrags (to do their evil things). We wouldn't see traces of any of that until it's too late.

If we do have a monetary incentive - you'll have blackhat hackers security investigators hacking the nodes in order to steal money get a monetary reward for their investigatory activity: good guys, in other words. Once it happened, after they took the slashing into their pockets - we know that that particular worker was not safe, and could've been compromised for stealing kfrags just as well. So we probably should revoke that kfrag.

Could the blackhat hackers silently sell kfrags to V... bad guys? Yes, they could, however the bad guys pay really shitty money. So maybe it's economically better to just take that from Ursulas?

P.S. does this discussion deserve a separate issue?