Bet 65 — Gossip fork-safety under hash-collision attack

This is the second of the operating-layer big bets. Bet 64 established that committed audit trails cannot be retroactively forged. Bet 65 sits one layer below: the federation's directory itself must reject conflicting registrations of the same manifest_hash under adversarial conditions. Without that property, the entire content-addressed identity scheme — which Bet 02 and Bet 14 both depend on — becomes ambiguous, and glass-box attribution becomes meaningless.

The bet falsifies one thing and validates another. It misses the STRICT propagation deadline (full 99% propagation in 6 rounds is too tight at 30%+ Sybil coalitions) but passes LENIENT and produces zero false leaks even at 50% Sybil saturation. The conflict-detection mechanism is sound; the propagation deadline needs to be relaxed in the production protocol's SLA.

Background — content-addressed identity is load-bearing

The federation's specialist directory binds a manifest_hash (a SHA-256 over the specialist's manifest file, which itself includes the weights' hash) to a set of served_at URLs where that specialist can be reached. The hash is the identity: every reference to the specialist — in royalty ledgers (Bet 14), in audit trails (Bet 18), in mixture combiners (Bet 04) — uses the manifest_hash as the key.

This is the standard content-addressed-storage pattern from IPFS, Git, and Tor's onion services. The property it gives you is: anyone who knows the hash can verify the content (just rehash and compare). No central authority needs to attest "this is the real specialist X." The hash itself is the attestation.

The property breaks if two parties can register different weights under the same manifest_hash. That requires a SHA-256 collision (computationally infeasible) or a flaw in the manifest hashing scheme. But there's a second, more subtle attack: a Sybil coalition can register the same hash with fabricated weights, hoping that the gossip protocol's last-writer-wins or majority-voting tiebreakers favour their version. If the federation's directory naively accepts the most-recent or most-voted version of a hash-to-weights binding, an attacker with enough nodes can win the binding war.

The fix is the quarantine rule: any time the directory observes two or more distinct weights_digest values for the same manifest_hash, both are quarantined globally. Neither serves traffic until the conflict is manually resolved. This is the conflict-detection-and-quarantine pattern from Certificate Transparency (CT logs) and Sigstore.

The bet measures whether this rule, propagated by gossip, holds under Sybil pressure.

Hypothesis

The gossip directory's quarantine rule detects conflicting manifest_hash registrations within 4 rounds and propagates the quarantine to ≥99% of honest nodes within 6 rounds, even under adversarial Sybil coalitions up to 30% of the total node population. No conflicting weights ever serve traffic on an unflagged honest node.

Pre-registered criteria

  • STRICT: mean rounds-to-detect ≤ 4 across all Sybil fractions (10%, 30%, 50%); mean rounds-to-99% propagation ≤ 6 at Sybil ≤ 30%; zero leaks at all Sybil levels.
  • LENIENT: mean propagation ≥ 95%; zero leaks.
  • CATASTROPHIC: any honest node serves unflagged conflicting weights, OR a 50% Sybil coalition successfully suppresses quarantine propagation to < 50% of honest nodes.

The "leak" criterion is the security-critical one. The propagation deadline is operational: if quarantines propagate too slowly, the federation has a window where some honest nodes still serve the conflicting weights to clients, even if the quarantine is "in flight." Tight propagation = small attack window. Loose propagation = larger window but still bounded.

Setup

The simulation:

  • N = 100 nodes, of which a fraction sybil_frac are Sybil-controlled. The Sybil coalition's behaviour: when merging directory state with peers, drop the quarantine flag on a target hash and forward only the Sybil's preferred weights digest, hoping to slow propagation.
  • Round 0: an honest node registers (target_hash="sha256:specialist-X", weights_digest="sha256:Whonest"). A Sybil node registers (target_hash="sha256:specialist-X", weights_digest="sha256:Wevil") — the same hash with a different digest, simulating a coalition's attempt to inject conflicting weights.
  • Each round: push-pull gossip — every node picks a random peer and exchanges directory state. Honest nodes that observe two distinct digests for the same hash quarantine both locally; quarantine flags propagate to peers. Sybil nodes try to obstruct by withholding the quarantine flag.
  • Termination: when ≥ 99% of honest nodes have the quarantine flag for the target, or after 20 rounds.
  • Sybil fractions tested: 0%, 10%, 30%, 50%. Five seeds per fraction.

The Sybil = 0% case is a control: with no conflict injected, no quarantine should ever fire. (And indeed, "rounds_to_detect" remains None for that case.)

Result — LENIENT PASS, STRICT miss on propagation

| Sybil fraction | Mean rounds to detect | Mean rounds to 99% propagation | Final propagation | Leaks | |---|---|---|---|---| | 0% (control) | — | — | 0% (no conflict) | 0 | | 10% | 2.2 | 5.8 | 100% | 0 | | 30% | 2.8 | 8.2 | 100% | 0 | | 50% | 3.6 | 10.4 | 100% | 0 |

Detection is fast — 2–4 rounds on average even at 50% Sybil saturation. Propagation crosses the 99% threshold at 5.8 rounds for 10% Sybil, slipping to 10.4 rounds at 50%. Final propagation is 100% in every adversarial scenario tested. No honest node ever served unflagged conflicting weights at any Sybil level.

The STRICT bar (≤ 6 rounds for full propagation at ≤ 30% Sybil) misses by 2 rounds. The LENIENT bar (≥ 95% propagation, zero leaks) passes at every level. The CATASTROPHIC bar (50% Sybil suppresses propagation < 50%) is comfortably avoided — the Sybil coalition slows propagation but cannot suppress it.

Why detection is fast even under heavy Sybil

The conflict is locally observable: any honest node that receives both a "Whonest" and a "Wevil" registration for the same hash detects the conflict on the spot. It doesn't need consensus; it doesn't need to ask a coordinator. The detection is monotonic — once an honest node has detected, it cannot un-detect.

This means the detection time is bounded by the time for one honest node to receive both registrations from gossip. With push-pull gossip on N=100, the probability of receiving any given registration after round r is roughly 1 − e^(−r) for large enough N. After 2 rounds, ~86% of nodes have received any given message; after 3 rounds, ~95%. The probability that some honest node has received both messages after round 3 is overwhelming, even with 50% Sybil withholding.

What the Sybil coalition can do is slow propagation of the quarantine flag once detection has happened. Each Sybil node refuses to forward the quarantine, so the flag must reach honest nodes via honest-to-honest gossip channels. The slowdown is roughly proportional to (1 − sybil_frac)⁻¹: at 50% Sybil, propagation paths are ~2× slower than at 0%, which matches the observed 5.8 → 10.4 round inflation.

Why no leaks even at 50% Sybil

The leak check fires when an honest node has seen both digests but does not have the quarantine flag set. The implementation enforces local quarantine on registration: any node that registers an entry for a hash where it already has a different digest immediately sets the quarantine flag, regardless of any external signal. This makes leak prevention a local property, not a consensus property.

The Sybil coalition can suppress quarantine propagation to nodes that have not yet received both digests, but those nodes also cannot serve the conflicting weights — they only have one digest. The honest nodes that have observed both have already quarantined locally. The set "has both digests AND no quarantine flag" is empty by construction.

This is the right architecture for federation safety: make security-critical state machines local, with gossip as a propagation accelerator, not a precondition.

What this falsifies and what it validates

Falsifies: the STRICT 6-round propagation deadline at adversarial Sybil. The protocol cannot guarantee 99% global awareness of a quarantine within 6 rounds at 30%+ Sybil. The production SLA must accept 8–12 rounds for full propagation under adversarial conditions, with the operational mitigation that the nodes which can leak are already self-quarantined locally.

Validates: the conflict-detection-and-local-quarantine pattern is sound. The federation's directory does not need a coordinator to enforce content-addressed identity. The Sybil resistance is a function of the local-quarantine rule, not the gossip propagation speed.

What this does not claim

The bet has a narrow scope. It does not test:

  • Coordinated Sybil with cryptographic identity attestation. Real federation deployment uses signed registrations (each registrar's identity is bound by a public key). The Sybil model in this bet treats registrar IDs as bare strings; an attacker with N pseudonymous identities can register N times. With public-key registration, the federation can require a quorum of distinct identities verified by attestation, which raises the cost of a Sybil attack. Out of scope here; addressed by RFC-0006's identity scheme.
  • Eclipse attacks at the gossip layer. A coalition that surrounds an honest node and intercepts all its gossip can prevent both the honest registration and the quarantine flag from reaching it. Mitigation: random-peer-selection with periodic peer rotation, plus diverse network topologies. Out of scope here.
  • Long-tail propagation failure. The bet measures up to 20 rounds. In production, a small fraction of nodes may be partitioned for hours or days. The federation needs an "anti-entropy" mechanism (periodic full-state pull) to converge late-joiners. The catalogue assumes such a mechanism but doesn't measure its convergence here.
  • Manual conflict resolution after quarantine. Once a hash is quarantined, the federation needs a process to determine the canonical version. This is governance, not protocol — out of scope for this bet.

Run command

PYTHONPATH=src python -m experiments.bets.65_fork_safety

Output: experiments/bets/results/65_fork_safety.json records per-Sybil-fraction mean detection rounds, mean 99%-propagation rounds, final propagation rate, and leak counts.

  • Bet 02: federation end-to-end with content-addressed pull. The protocol Bet 65 protects.
  • Bet 14: royalty ledger. Bet 65 ensures the manifest_hash → trainer binding cannot be Sybil-attacked at the directory layer.
  • Bet 15: no-coordinator gossip directory. Bet 65 stresses the same gossip mechanism under adversarial conditions.
  • Bet 64: audit-trail non-repudiation. The same locality principle (security-critical state machine is local, gossip is an accelerator) applies in both bets.
  • Bet 66: decentralized credential revocation. The gossip-layer pattern Bet 65 validates is reused there.

Why it matters

The federation's marketing claim — "no central authority controls specialist identity" — only holds if the directory layer is provably Sybil-resistant. Bet 65 confirms it is, with one caveat: propagation is slower under adversarial conditions than the STRICT bar assumed. The right response is to update the SLA, not to weaken the security claim. The catalogue's discipline turns a slogan ("federated, no coordinator") into a measured statement ("conflict detection ≤ 4 rounds; full propagation 6–11 rounds; zero leaks at up to 50% Sybil; SLA must budget for 12 rounds under adversarial conditions").

The methodological lesson: strict-bar misses are not failures; they're calibration data. Bet 65 misses STRICT but in a way that doesn't compromise security — only operational latency. The fix is to relax the bar and document the realistic propagation envelope, not to weaken the protocol. The catalogue's job is to produce the realistic envelope, which is more useful than a strict-pass result that papers over the adversarial slowdown.

Up next

Bet 66 — Decentralized revocation under Byzantine churn

Quorum-based revocation works under 25% Byzantine + 10% per-round churn — slowly. 19 rounds to 95% propagation, zero false positives. Calibration result, not a security failure.