Summary

Accountable cryptography extends threshold MPC protocols with a “whistleblowing” framework: when participants collude to break the protocol’s security guarantees, the act of colluding yields a publicly verifiable proof of collusion that a smart contract acting as judge can check. Mahimna Kelkar (Cornell/Purdue) presented this framework at MEV-SBC 2025 with applications to encrypted mempools, randomness beacons, and custodial wallets. The key finding: “smart collusion”, which uses blockchain smart contracts as commitment devices, can defeat any unconditional security guarantee, but bounded deposits can contain the damage.

The Whistleblowing Problem

Standard MPC protocols (threshold decryption, threshold signatures, secret sharing) provide security against coalitions smaller than the threshold t. But this security is computational — the protocol cannot prevent participants from colluding outside the cryptographic protocol and then acting on that collusion.

Accountable cryptography adds:

  • Completeness: if t or more participants collude, the coalition can produce a publicly-verifiable proof of collusion
  • Soundness: no false proof can be produced (non-colluding participants cannot be framed)
  • Unframability: the proof system cannot be used to falsely implicate honest participants

Why this matters: if collusion is detectable, the threat of slashing or reputational damage deters it. The MPC protocol doesn’t need to prevent collusion — it only needs to make collusion provable.

Protocol Design

Proof of Collusion

When participants i₁, i₂, …, iₜ decide to collude:

  1. They jointly compute the output (e.g., decrypt a ciphertext early)
  2. As a byproduct of computing the output, they automatically obtain a collusion transcript: a compact, publicly-verifiable proof that these specific participants cooperated
  3. The proof can be submitted to an on-chain judge (smart contract) to claim a bounty or trigger slashing

The proof system is designed so:

  • Computing the output without producing the proof is infeasible (completeness)
  • Producing a valid proof without actually colluding is infeasible (soundness)
  • The proof does not reveal who authorized the collusion or why (privacy of intent is preserved; only the fact of collusion is proven)

On-Chain Judge

The judge is a smart contract that:

  1. Accepts collusion proofs as input
  2. Verifies them using a succinct verifier (e.g., ZK proof or simple hash check)
  3. Distributes a reward to the whistleblower
  4. Triggers slashing of the colluders’ bonded collateral

Smart Collusion: The Threat Model

Standard collusion: participants agree off-chain to collude. Risk: a defector can expose the others without benefit (no payoff for betrayal, possibly reputational damage).

Smart collusion uses a blockchain smart contract as a commitment device:

  1. Colluders jointly deposit funds into a “retaliation contract”
  2. The contract encodes: “if any member of this coalition whistleblows, the remaining members can claim the whistleblower’s deposit”
  3. This creates a credible threat of retaliation: defection is costly

Impossibility Result

Theorem: with sufficiently large retaliation deposits, smart collusion defeats any unconditional MPC security guarantee.

Proof sketch:

  • The retaliation contract makes defection individually irrational regardless of the protocol’s security proof
  • The proof applies to any MPC protocol that relies on honest majority as a security assumption
  • Money does not have a natural upper bound, so no finite collateral system can universally prevent smart collusion

This is a fundamental result: cryptographic security guarantees over economic entities on a shared settlement layer cannot be unconditional.

Bounded Positive Result

Despite the impossibility, a practical bound applies:

Theorem: if each non-colluding participant bonds deposit D, the retaliation deposit required to deter whistleblowing is approximately (N-1) × D.

Corollary: requiring each MPC participant to bond collateral D makes smart collusion (N-1)× more expensive. Setting D high enough limits the class of adversaries who can afford smart collusion.

Parameter calibration:

  • Protocol with N=100 participants, D=10 ETH each → smart collusion requires ~990 ETH retaliation deposit
  • If the value of what’s being protected is V, collusion is only rational if V > retaliation risk (~990 ETH)
  • For encrypted mempools with typical block MEV of ~1 ETH, this deposit level makes collusion irrational
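A toy model of the on-chain judge and the bond calculus from the two sections above (an added example, not code from the talk or from any project). The collusion transcript is simulated as HMAC tags from at least t participants over the early-revealed output, standing in for the transcript a real accountable scheme derives from the MPC itself; the participant names, the toy tag scheme and the 50% bounty share are assumptions.

```python
import hashlib
import hmac

def sign(secret: bytes, msg: bytes) -> bytes:
    # Stand-in for a participant's signature (toy HMAC tag, not a real scheme)
    return hmac.new(secret, msg, hashlib.sha256).digest()

def retaliation_deposit(n: int, d: int) -> int:
    # Bounded result from the talk: deterring a whistleblower costs ~(N-1) x D
    return (n - 1) * d

def collusion_rational(value: int, n: int, d: int) -> bool:
    # Collusion only pays if the protected value V exceeds the retaliation risk
    return value > retaliation_deposit(n, d)

class Judge:
    """Toy on-chain judge: verify a collusion transcript, slash, pay the bounty."""

    def __init__(self, t: int, keys: dict, bond: int, bounty_share: float):
        self.t = t                              # collusion threshold t
        self.keys = keys                        # participant id -> verification secret
        self.bonds = {p: bond for p in keys}    # deposit D bonded by each participant
        self.bounty_share = bounty_share        # fraction of slashed funds paid out
        self.payouts = {}                       # whistleblower id -> bounty received

    def verify(self, output: bytes, transcript: dict) -> bool:
        # Soundness: >= t distinct, still-bonded participants, every tag valid
        if len(transcript) < self.t:
            return False
        for pid, tag in transcript.items():
            if self.bonds.get(pid, 0) == 0:     # unknown or already-slashed party
                return False
            if not hmac.compare_digest(tag, sign(self.keys[pid], output)):
                return False                    # forged tag: honest party not framed
        return True

    def submit(self, whistleblower: str, output: bytes, transcript: dict) -> int:
        """Adjudicate a submitted proof; return the bounty paid (0 if rejected)."""
        if not self.verify(output, transcript):
            return 0
        slashed = 0
        for pid in transcript:                  # every colluder loses their bond
            slashed += self.bonds[pid]
            self.bonds[pid] = 0
        bounty = int(slashed * self.bounty_share)
        self.payouts[whistleblower] = self.payouts.get(whistleblower, 0) + bounty
        return bounty                           # a defecting colluder is paid too
```

With N=100 and D=10 the model reproduces the ~990 ETH figure above, and a protected value of ~1 ETH fails the rationality check.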

Applications to MEV Infrastructure

Encrypted Mempools (LUCID, BEAT-MEV)

Threshold decryption committees in LUCID face a collusion risk: if ≥t keyholders collude, they can decrypt transactions early and front-run them.

Accountable cryptography adds:

  • Early decryption automatically produces a collusion proof
  • Colluders can be slashed on-chain
  • The whistleblowing framework allows one member of the colluding coalition to defect and claim a bounty
  • Net effect: collusion must account for the probability that one member whistleblows

This converts a purely adversarial model (threshold security only) into a mixed adversarial/economic model (threshold + incentive compatibility).

VRF-Based Randomness Beacons

Randomness beacons (e.g., RANDAO, VDF-augmented randomness) require that no party learns the output before it’s published. Threshold VRF requires t participants to cooperate to produce randomness.

Accountable VRF: collusion to bias randomness produces a proof. This is particularly valuable for:

  • Block proposer selection
  • Random inclusion-list (IL) committee selection (FOCIL)
  • Lottery and gaming applications

Custodial Wallets and DAOs

Multi-sig wallets require t-of-n keyholders to sign. Smart collusion could let colluders drain the wallet, with the theft provable only after the fact. Accountable MPC adds:

  • On-chain detection of unauthorized signing coalitions
  • Slashing from bonded collateral before the wallet is drained
  • Timelocked withdrawal combined with collusion detection enables a “safe window” for intervention

Relationship to Threshold Decryption for MEV

For LUCID’s keyper committee:

  • Without accountable cryptography: T colluders decrypt silently; front-run with no proof
  • With accountable cryptography: T colluders produce a provable transcript; any one can claim a bounty by submitting the transcript
  • Combined with slashing: optimal strategy for a potential colluder changes from “collude if value > expected detection cost” to “collude only if retaliation deposit covers expected whistleblowing bounty”

The 2025 research explores this equilibrium but notes the impossibility result: if the front-run value is large enough, rational colluders will simply post a large enough retaliation deposit.

Open Questions

❓ Can the collusion proof be made succinct enough (e.g., via ZK) for on-chain verification at reasonable gas cost?

❓ What is the optimal bounty structure for whistleblowers to maximize expected detection given rational colluders?

❓ Does smart collusion extend to TEE-based systems? (An enclave operator and hardware manufacturer could collude outside the cryptographic protocol.)

❓ How does accountable cryptography interact with reputation systems in relay and builder networks?

Timeline

  • 2025-08-08 — Framework presented by Mahimna Kelkar (Cornell/Purdue) at MEV-SBC 2025
