Malicious Security

Zero-Knowledge (ZK) proofs enable malicious security by allowing one party to prove a statement's truth without revealing the underlying data. In ZK-Rollups, a prover (which could be malicious) generates a validity proof (like a SNARK or STARK). The system's security depends solely on the cryptographic soundness of this proof; the verifier on the main chain can trust the state transition is correct even if the prover is actively trying to submit a fraudulent batch. This is a pure example of cryptographic security over social consensus.

Optimistic Rollups assume transactions are valid but introduce a challenge period (e.g., 7 days) to achieve malicious security. Any verifier (watchtower) can submit a fraud proof if they detect invalid state transitions. The system is secure because it only requires one honest participant to be watching and challenging. This creates a cryptoeconomic security model where it's infeasible for all potential challengers to be malicious or offline simultaneously.

Maliciously secure bridges do not rely on a trusted committee's honesty. Instead, they use mechanisms like:

• Light client relays: Verifying block headers cryptographically.
• Optimistic verification: With fraud proofs for invalid state imports.
• ZK proofs: Cryptographically verifying events on another chain. In these models, security holds even if all relayers or provers are adversarial, as long as the underlying cryptographic assumptions (e.g., digital signatures, proof systems) hold. This contrasts with honest-majority models used in many multisig bridges.

A decentralized oracle network using a threshold signature scheme (TSS) can achieve malicious security. Data is reported by a decentralized set of nodes, and a signature is only produced if a threshold (e.g., 4-of-7) agrees. Security is maintained even if up to t nodes are malicious, as they cannot forge a valid signature without the required number of private key shares. The security reduces to the cryptographic hardness of the underlying digital signature algorithm and secret sharing scheme.

MPC protocols allow a group of parties to jointly compute a function over their private inputs. With malicious security, the protocol guarantees correctness and privacy even if some participants deviate arbitrarily from the protocol. This is achieved through techniques like commitment schemes, zero-knowledge proofs of correct execution, and input certification. The result is secure as long as the cryptographic primitives are not broken, independent of the participants' motives.

Understanding the practical difference is key:

• Malicious Security (Cryptographic): Secure if all validators are adversarial. Relies on math (e.g., ZKPs). Example: A ZK-Rollup's state validity.
• Honest-Majority Security (Economic/Game-Theoretic): Secure as long as a majority (e.g., 51% or 2/3) of validators are honest. Relies on incentives and slashing. Example: Proof-of-Stake chain consensus. The former provides stronger guarantees but can be more computationally expensive. Many hybrid systems use both models for different components.

Malicious security assumes that a defined threshold of participants (e.g., validators, nodes, or committee members) are not just lazy or faulty, but are Byzantine—they can act arbitrarily to subvert the protocol. This is a stronger guarantee than honest-but-curious or crash-fault models. The security threshold is often expressed as a fraction of the total stake or voting power, such as >1/3 or >1/2, that the system can tolerate while remaining secure.

Many Proof-of-Work and early Proof-of-Stake systems rely on honest-majority assumptions, where security holds if >50% of the hash power or stake is controlled by honest participants following the protocol. Malicious security is stricter, as it must also defend against that majority coordinating their malicious actions. Protocols like Tendermint BFT and HotStuff provide malicious security, tolerating up to 1/3 of voting power being Byzantine.

Malicious security is often enforced through cryptographic proofs and strict protocol rules, not just economic penalties. For example:

• ZK-Rollups use validity proofs (ZK-SNARKs/STARKs) to guarantee state correctness even if the operator is malicious.
• Optimistic Rollups initially use a fraud-proof window, assuming at least one honest participant will challenge invalid state transitions, which is a weaker, economic form of malicious security. The trade-off is between the higher computational cost of cryptographic proofs and the latency of fraud-proof challenges.

A critical trade-off in Byzantine Fault Tolerant (BFT) consensus is the tolerable fraction of malicious power.

• 1/3 Tolerance (Optimal): Protocols like PBFT can achieve safety and liveness with up to f malicious nodes out of 3f+1 total. This is common in permissioned systems and PoS blockchains (e.g., Cosmos).
• 1/2 Tolerance: Some protocols, often in asynchronous network models, can only tolerate <1/2 malicious power. Exceeding this can lead to forking or liveness failures. The choice impacts decentralization requirements and resilience.

In Proof-of-Stake, malicious security must account for long-range attacks, where an old validator set creates an alternative chain history. Pure cryptographic security cannot prevent this if all past validators collude. The solution is weak subjectivity: new nodes must use a recent, trusted checkpoint (a "weakly subjective" check) to bootstrap. This is a key trade-off, introducing a minimal trust assumption for chain initialization to achieve malicious security against historical revisions.

Ethereum's transition to Proof-of-Stake incorporates Casper the Friendly Finality Gadget (FFG), which provides malicious security for finality. It guarantees accountable safety: if two conflicting blocks are finalized, cryptographic evidence can identify and slash at least 1/3 of the validator stake that violated the protocol. This creates a strong cryptoeconomic deterrent, aligning malicious security with severe financial penalties (slashing). The system is designed to be live and safe under the <1/3 Byzantine assumption.

A security model that assumes a majority (e.g., >50% or >2/3) of network participants are honest and follow the protocol. This is the foundation for Proof-of-Work and Proof-of-Stake consensus. The system is secure as long as the adversarial share of resources (hash power, stake) remains below the defined threshold. It is less stringent than malicious security, which assumes all non-designated parties can be adversarial.

The property of a distributed system to reach consensus despite the presence of Byzantine faults, where nodes may behave arbitrarily (maliciously or erroneously). Practical Byzantine Fault Tolerance (PBFT) is a classic consensus algorithm for this model. Malicious security is often the assumed adversarial model within BFT protocols, where some nodes are explicitly Byzantine.

An adversarial model where corrupt parties follow the protocol specification but may attempt to learn extra information from the messages they receive. This is a weaker assumption than a malicious (active) adversary, which can deviate arbitrarily. Secure Multi-Party Computation (MPC) protocols often first achieve security against semi-honest adversaries before strengthening it to malicious security.

These model when an adversary can corrupt parties.

• Static Corruption: The set of corrupt parties is fixed at the start of the protocol.
• Adaptive Corruption: The adversary can choose which parties to corrupt at any time during protocol execution, based on observed information. Malicious security can be analyzed under either model, with adaptive security being the stronger, more realistic guarantee.

Security derived from financial incentives and disincentives, rather than pure cryptographic assumptions. It ensures that attacking the system is economically irrational (cost > reward). This is central to Proof-of-Stake and cryptoeconomics. While related, it complements malicious security: a protocol must be cryptographically secure against malicious actors and economically secure to deter them.

A rigorous framework for analyzing the security of cryptographic protocols when they are run concurrently with other protocols. A protocol proven secure in the UC framework maintains its security (e.g., its malicious security guarantees) under arbitrary composition. This provides the highest standard for real-world deployment where multiple protocols interact.