Chio/Docs

Reputation & Scarcity

Receiver-side reputation-weighted concentration is the same surface 15+ years of collaborative-IDS literature targets. The defenses below are layered and specifically scoped per crate. None of them survive sustained majority collusion. The doc says so.

Forward-looking concept (skeptic-shaped)

Read this if you want to stress-test the framing. The load-bearing finding (the sqrt(N) cap is a cost-shifter, not a cost-reducer) is below.

Layered defenses

  • Pheromone substrate owns: a Cheng-Friedman sqrt(N) passport-key cap per kernel, per-pair token bucket, observation-cost commitment field, newcomer age-discount with N = 8 default (CHIODOS_SCARCITY_ECONOMICS.md section 7).
  • Reputation crate owns: asymmetric EWMA (penalty rate >> reward rate, per Buchegger-Boudec), confidence-variance weighting, collusion-cluster Jaccard penalty.
  • Arena owns: replayable-precision adversary scoring exported as a multiplicative reputation factor.

The math, briefly

Let P be the number of honest peers, K the per-pair token-bucket capacity (honest passports per peer per window), and S = ceil(sqrt(P + A)) the per-kernel passport cap. An adversary running A distinct operator-orgs can present A * S passports because the cap binds per-origin-kernel, not globally. The adversarial mass fraction is f = A * S / (P * K + A * S). Solving for the safety condition f < 0.30 and approximating sqrt(P + A) ~ sqrt(P) for A << P:

scarcity-derivation.txt
# Safety condition
A * S < 0.30 * (P * K + A * S)

# Solve for max adversary org count A
A_max ~= (3/7) * P * K / ceil(sqrt(P))

# Adversary spends C dollars per passport, runs S passports per org
B_min ~= A_max * S * C
      ~= (3/7) * P * K / ceil(sqrt(P)) * ceil(sqrt(P)) * C
      ~= (3/7) * P * K * C

# sqrt(N) cancels.
#
# The cap reduces per-org passport count;
# the adversary stands up O(sqrt(P)) orgs to compensate.
# The dollar threshold does not move.
# Operator-org admission is the load-bearing scarcity, not passport issuance.

The load-bearing finding from CHIODOS_SCARCITY_ECONOMICS.md falls out of the cancellation: sqrt(N) is a cost-shifter, not a cost-reducer. It does not stop a well-funded adversary; it forces them to spend the same dollars on operator-org admissions instead of on raw passport keys. Operator-org admission is a much harder budget line to scale: shell companies, registered agents, sectoral-roster fees, and audited financials all gate on per-org cost, not per-passport cost (CHIODOS_SCARCITY_ECONOMICS.md section 2.1).

Adversary cost model

The four attack strategies the substrate is sized against, mapped against per-deposit cost, per-passport cost, the layer that detects them, and what residual loss survives the defense.

| Attack strategy | Per-deposit cost | Per-passport cost | Detectability layer | Residual loss |
| --- | --- | --- | --- | --- |
| Single-passport spam | ~$0 marginal | ~$2.2K (low) to ~$28K (high) | Substrate sqrt(N) cap blocks past the per-kernel ceiling | None at this layer (single passport caps out) |
| Multi-passport spam (multiple operator-orgs) | ~$0 marginal | ~$2.2K to ~$28K, multiplied by sqrt(P) orgs | Substrate cap plus reputation EWMA, then arena replay | Up to 30% mass survives if budget >= (3/7) * P * K * C * 6 |
| Observation-cost-only co-sign (sign without originating) | ~$0 plus telemetry-forge cost m_oc (1.5x to 10x) | Same baseline plus m_oc multiplier on destructive classes | Pheromone observation-cost commitment field, weighted-down at receiver | Co-signs survive on informational classes where commitments are optional |
| Friendly re-issuance (cross-org operator collusion) | ~$0 | Drops to key-custody plus attestation only (~$300-$2.5K) | Not detectable in-band; out-of-band sectoral audit only | Full mass survives until governance Sanction case revokes the issuing org |

Numbers are pulled from CHIODOS_SCARCITY_ECONOMICS.md sections 2.1 (per-passport cost stack) and 8.2 (insider-shell-org collapse of the per-org admission component). The table is a conservative lower bound: it does not credit reputation weighting, revocation gossip latency, or arena-replay scoring (section 3.3 of the source doc), all of which favour the defender.

Defense composition

The three layers compose multiplicatively. Each one raises the adversary’s effective cost; their combined effect is the product of the multipliers, not the sum.

The three defense layers compose multiplicatively. Substrate caps shift cost from per-deposit to per-passport; reputation EWMA penalises cluster behaviour; arena replay scores deposits against ground truth.

Order of effect: substrate caps account for roughly 6x to 14x over the bare baseline (newcomer multiplier 2x to 4x times observation-cost multiplier 3x); reputation weighting compounds further (hard to model closed-form, asymmetric EWMA hits cluster behaviour); arena replay scoring compounds again on top of that. The closed-form formula in CHIODOS_SCARCITY_ECONOMICS.md equation (5) only captures the first layer; the second and third are why the recommended defaults bind against organised cybercrime ($250K-$1.5M envelopes) in realistic federation sizes.

The sqrt(N) reframe

The cap is a cost-shifter, not a cost-reducer. It does not stop a well-funded adversary; it forces them to spend more on operator-org admissions per unit of poisoned signal. Combined with the observation-cost commitment field (which makes “sign without originating” detectable and weight-capable), the effect is to push adversarial cost from per-deposit to per-passport, and from per-passport to per-org, which is a much harder budget line to scale (CHIODOS_SCARCITY_ECONOMICS.md section 3.2).

Defaults that fall out of the analysis: N = 8 newcomer-discount horizon, observation-cost commitments required for destructive subject classes, sqrt(N) cap retained (tightening to log(N) does not change the dollar budget; D1 in the source doc).
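The cancellation in the derivation and the log(N) remark above can be checked without the A << P approximation. This is an added example, not code from the Chio project: the function names, the federation size (P = 10,000, K = 4) and the base-2 logarithm are assumptions, C uses the low-end ~$2.2K per-passport figure from the cost table, and the budget counts only the passports actually needed rather than every org filling its cap.

```python
import math
from fractions import Fraction

def cap_sqrt(n):
    """ceil(sqrt(n)) in exact integer arithmetic: the page's per-kernel cap S."""
    return math.isqrt(n - 1) + 1

def cap_log2(n):
    """ceil(log2(n)): the tighter cap; base 2 is an assumption of this example."""
    return max(1, (n - 1).bit_length())

def passports_to_breach(P, K, threshold=Fraction(3, 10)):
    """Smallest adversarial passport count M with M / (P*K + M) >= threshold."""
    return math.ceil(threshold * P * K / (1 - threshold))

def orgs_needed(P, M, cap):
    """Smallest operator-org count A with A * cap(P + A) >= M (no A << P shortcut)."""
    A = 1
    while A * cap(P + A) < M:
        A += 1
    return A

def breach_profile(P, K, C, cap):
    """What an adversary must field to reach 30% mass under a given cap shape."""
    M = passports_to_breach(P, K)
    A = orgs_needed(P, M, cap)
    return {"passports": M, "orgs": A, "cap": cap(P + A), "budget": M * C}

# Constructed federation: 10,000 honest peers, K = 4 passports per peer per window.
# C = 2200 is the page's low-end per-passport figure (~$2.2K).
P, K, C = 10_000, 4, 2_200

if __name__ == "__main__":
    for name, cap in (("sqrt", cap_sqrt), ("log2", cap_log2)):
        print(name, breach_profile(P, K, C, cap))
    print("closed form (3/7)*P*K*C =", round(3 / 7 * P * K * C))
```

The passport budget is identical under both caps and sits within one passport of (3/7) * P * K * C; only the number of operator-orgs that must be admitted changes, which is the line item the admission controls act on.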

Honest residuals

Three classes of attack are defended imperfectly. The doc admits this in writing rather than papering over it. Under each, the substrate-side defenses fail; mitigation has to escalate out of the protocol layer.

Sustained majority collusion

Cheng-Friedman (PODC 2005) and Fang et al. (USENIX 2020) both prove no symmetric weighting survives if more than ~50% of effective passport mass (not peer count) is adversarial under coordinated strategy. Mitigation must be exogenous: bilateral handshake admission must keep effective adversarial mass below ~30%.

What we can do:

  • Tighten bilateral handshake admission per treaty: require a published roster source, not operator-mediated key exchange, for treaties whose action classes have destructive_floor >= receipt_backed.
  • Run periodic out-of-band sectoral audit of operator-org admissions (defense lever D6); a chio-governance Sanction case against an issuing org collapses every passport admitted under it.
  • Cap effective adversarial mass at the upstream anchor by accepting only roster sources whose admission gates have published appeals and revocation processes.

Mimicry-style slow-drift below sensor noise

Diffusion- or GAN-generated deposits can be made indistinguishable from honest deposits at any single window. Arena replay catches them only if arena coverage overlaps the mimicked subject class. Residual loss in uncovered classes must be accepted and budgeted.

What we can do:

  • Expand arena coverage on a published cadence; declare uncovered subject classes explicitly in the ladder manifest so consumers can weight their queries accordingly.
  • Require observation-cost commitments universally on destructive classes; mimicry has to forge a telemetry chain that survives downstream verification, multiplying per-deposit cost by m_oc (1.5x to 10x).
  • Apply asymmetric EWMA aggressively (penalty rate >> reward rate per Buchegger-Boudec) so a slow-drift attacker has to absorb larger penalty events to reach steady-state mass.
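The effect of the asymmetric-EWMA lever on a peer that is mostly clean can be seen in a small simulation. This is an added sketch, not the reputation crate's code: the update rule is one common form of asymmetric EWMA, and the rates, the 9-clean-to-1-bad pattern and all names are assumptions chosen for illustration.

```python
def ewma_step(score, outcome, reward_rate, penalty_rate):
    """One update toward outcome in [0, 1]; drops use penalty_rate, gains reward_rate."""
    rate = penalty_rate if outcome < score else reward_rate
    return score + rate * (outcome - score)

def peak_score(pattern, reward_rate, penalty_rate, cycles=200, start=0.5):
    """Highest score reached in the final cycle once the repeating pattern has settled."""
    score = start
    for _ in range(cycles - 1):
        for outcome in pattern:
            score = ewma_step(score, outcome, reward_rate, penalty_rate)
    peak = 0.0
    for outcome in pattern:
        score = ewma_step(score, outcome, reward_rate, penalty_rate)
        peak = max(peak, score)
    return peak

def deposits_to_recover(reward_rate, penalty_rate, start=0.95, target=0.90):
    """Clean deposits needed to climb back to target after a single bad one."""
    score = ewma_step(start, 0.0, reward_rate, penalty_rate)
    count = 0
    while score < target:
        score = ewma_step(score, 1.0, reward_rate, penalty_rate)
        count += 1
    return count

# Constructed slow-drift pattern: nine clean deposits, then one bad one.
SLOW_DRIFT = [1.0] * 9 + [0.0]
SYMMETRIC = dict(reward_rate=0.05, penalty_rate=0.05)    # assumed rates
ASYMMETRIC = dict(reward_rate=0.02, penalty_rate=0.30)   # assumed: penalty >> reward

if __name__ == "__main__":
    for name, rates in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        print(name, round(peak_score(SLOW_DRIFT, **rates), 3),
              deposits_to_recover(**rates))
```

With these assumed rates a peer that is 90% clean peaks near 0.92 under symmetric weighting but near 0.40 under the asymmetric rule, and a single bad deposit costs 60 clean ones to recover from 0.95 to 0.90.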

Cross-org operator collusion via friendly re-issuance

If two distinct operator-orgs cooperate to re-issue passports for sanctioned operators, no in-band reputation function detects this. Out-of-band governance is the only recourse: a Sanction case against the issuing org, not the passport.

What we can do:

  • Publish operator-org admission audit cadence per treaty and bind it into the ladder manifest as a sector-profile parameter; an anomalous spike in admissions becomes a triggering event for governance review.
  • Hold roster issuers to a published key-rotation cadence and appeals process so re-issuance against a sanctioned operator surfaces in audit logs the issuer cannot suppress.
  • Model cross-issuer overlap (which operator-orgs are admitted to multiple sectoral rosters) and flag friendly-re-issuance candidates to chio-governance as a routine reporting line, not a one-off investigation.

References

  • Cheng & Friedman, “Sybilproof reputation mechanisms,” PODC 2005. Cited inline in the sqrt(N) derivation and the sustained-majority residual.
  • Buchegger & Le Boudec, asymmetric EWMA results in CONFIDANT and successors. Cited in the layered defenses (reputation crate) and the slow-drift residual mitigations.
  • Hoffman, Zage, Nita-Rotaru, “A Survey of Attack and Defense Techniques for Reputation Systems,” ACM CSUR 2009. Standard taxonomy underpinning the adversary cost model.
  • Fang et al., “Local Model Poisoning Attacks to Byzantine-Robust Federated Learning,” USENIX 2020. Cited inline alongside Cheng-Friedman in the sustained-majority residual finding.