Authors: Kyle Levin & James Kilroe.
As we move towards a more decentralized world, it has become apparent that tokens are critical in enabling true decentralization. DApp builders must design platforms that are both technically decentralized (Byzantine Fault Tolerant) and regulate the behavior of actors on the network without a central authority. Decentralized regulation of behavior, where participants can trust the economic rules in the system and the incentives created by those rules, is increasingly being classified as Token Economics.
The Newtown Partners team led the redesign of the Civic token economy, collaborating closely with the Civic team. Using game theory and some mathematical modeling, we developed a behavioral model that allows different actors within the Civic network to trust each other without a central platform authority.
We believe this is the first token economy design that takes the key constraints around identity protection into account, especially the inability to share Personally Identifiable Information (PII). Operating within these constraints, we have created a model that incentivizes good behavior, rewards good actors and punishes bad actors.
The updated token behavior model is published in Civic’s updated whitepaper and outlines:
- how the Civic ecosystem aligns incentives to ensure honest behavior is adhered to in the network; and
- how network effects can be used as a positive feedback system to grow the network.
In this post, we summarize the behavior model and describe why and how the model works.
What is Civic?
Civic is a decentralized identity ecosystem that aims to revolutionize the KYC (Know Your Customer) industry by streamlining redundant document verification processes. It leverages merkle trees to store attestations of verified identities on the blockchain. Users can share subsets of their information with an entity, who can subsequently verify it on the blockchain. This design naturally lends itself to a marketplace, where information validators and information requestors trade user attestations in a peer-to-peer manner. Cue the Civic token, CVC. This is intended to power a KYC marketplace of Requesters, Validators and Users:
- Users are individuals who want to access the services of Requesters.
- Requesters are institutions that want to verify the information of Users before providing services.
- Validators are institutions that have already validated User information and want to sell this validation (in the form of an attestation) to Requesters in exchange for CVC. An important point to note here is that they are selling a validation of user information, not user information itself.
A simplified scenario would be: User Joe creates an account with a bank, JPM, that validates Joe’s information and adds an attestation to the blockchain. User Joe now approaches medical services provider PharmCo, who trusts JPM’s validation process. PharmCo can now purchase the attestation of Joe’s information from JPM for an amount cheaper than it would cost PharmCo to perform its own required KYC checks. Requester PharmCo does this by putting a certain amount of CVC into an escrow account. User Joe then sends the attested PII to Requester PharmCo who, if satisfied, releases the CVC in the escrow account to Validator JPM.
Figure 1: Actors interacting in the system. Image from Civic Token behavior Model whitepaper.
This system allows Validators to profit from expensive KYC processes while making identity verification easier and quicker for the consumer who can just share their verified information through the Civic app to anyone requesting (and willing to pay for) it. Requesters will be happy to pay for attestations from a verified source as long as it is cheaper than undertaking KYC validation themselves.
Why an Extension?
The original Civic whitepaper clarifies the purpose of the network and technical aspects of the attestation process. However, it does not address how the ecosystem protects itself from attack vectors and collusion by actors. It also does not explain how entities can trust each other in a decentralized network with no central arbitrager. The new whitepaper includes an in-depth analysis of the risks to the Civic network.
Among the pertinent questions which needed to be answered were:
- How do we determine the accuracy of Validators in the network and hold Validators accountable to this accuracy? A Validator who validates information with 99.9% confidence will be more sought after than one whose confidence is lower, all things being equal.
- How do we ensure Requesters have a way to call out Validators who are not truthful? By extension, how do we give these Validators due process in such scenarios?
- When a User shares PII with a Requester and a Validator, they don’t expect it to be exposed to any other party. How can we check any kinds of behavior in the system without the use of third-party oracles to verify actors are behaving appropriately?
- How do we ensure Requesters don’t just take the attested PII from the User and Validator and then reject its validity, effectively receiving their CVC back and paying nothing for the information?
Tricks of the Trade
Our chosen model uses an extensive-form game to model the decisions to be made by the relevant actors. After motivating choices for its structure, we convert this into a normal-form game. A normal-form game is a table representing the choices of each actor in the transaction and the payoffs of each choice for each actor.
The payoffs will be primarily determined by a combination of penalties and rewards (in the form of CVC) that the system will enforce. These penalty and reward mechanisms will ultimately allow us to influence Validator and Requester behavior.
A Nash equilibrium represents a set of strategies (one for each actor) such that no actor has anything to gain by switching to a different strategy, given the other actors adhere to their original strategies. We will see that if:
- we know what we want the Nash equilibrium to be;
- we know the possible choices each actor can make;
then we can construct an incentive system (through influencing the payoffs of certain decisions) producing the behaviors we want. This process is largely based on backward induction. We effectively want to ensure that the expected payout of behaving honestly is greater than the payout of behaving dishonestly.
Civic: The Game
Now that we have the tools and the context, we can build a game to answer our prior questions. We assume that a Requester has been approached by a User who has their information verified by some Validator. When the Requester approaches the Validator, the Validator has two options: produce a correct attestation (CA), which is an honest verification of the data, or produce an incorrect attestation (IA), which is dishonest. The Requester in turn has two options: reject or accept the attestation provided.
Should a Requester reject a Validator’s attestation (whether incorrect or correct), the Validator incurs a penalty Pe CVC and the Requester is rewarded Re CVC. Why does this outcome occur even if the Validator was honest? Because we can’t tell whether the Validator was being honest or not without a third-party examining this data, so we can’t differentiate between the two scenarios.
Figure 2: Initial extensive-form game. Image from Civic Token Behavior Model whitepaper (Requester payoff; Validator payoff).
Figure 2 describes an extensive-form game of a Validator and Requester interacting. The leaves are the payoffs in the form (Requester payoff; Validator payoff). While R and Pe are quantifiable, the costs of an accepted incorrect attestation IA are more reputational (and risk-related) than financial. The payoff of a correct attestation for a Requester CA is related to the savings by using this system as opposed to their own KYC process.
To offset the clear ability for abuse by Requesters, we introduce an additional stage in the process. Instead of rejecting an attestation, a Requester flags an attestation if they believe it is incorrect. The Validator then has the choice to accept or reject this flag. The penalty to the Validator is still the same whether they accept or reject the flag – otherwise they would always choose the cheaper option (and in the absence of financial incentive, reputational incentive dictates they choose honestly). However, now rejecting or accepting affects the size reward the Requester receives. This can be seen in the new extended form below.
Figure 3: Final extensive-form game. Image from Civic Token Behavior Model whitepaper.
In Figure 3 we have an additional step of the Validator assessing flags submitted by the Requester. The Requester now earns a different reward (CF or IF) depending on whether the Validator accepts or rejects the flag. This difference will allow us to design an incentive structure that encourages the Requester to only flag incorrect attestations.
This can be converted into a normal-form game, which we can then use to construct penalty and reward functions in such a way that the appropriate Nash equilibrium is achieved.
Figure 4: Normal-form game describing the above. Image from Civic Token Behavior Model whitepaper.
The ideal scenario is:
- A Validator always provides a correct attestation (CA). We can ensure this by constructing a penalty that always exceeds the fee received from the Requester.
- A Requester always accepts a correct attestation (CA). This is the ideal (CA; CA) Nash equilibrium: The Validator receives the Requester’s fee and the Requester receives an attestation at a cost less than implementing its own KYC.
- A Requester always rejects an incorrect attestation (IA). A Requester gains nothing from accepting an incorrect attestation except reputational risk, while they potentially receive a large reward (if the Validator is honest in accepting the flag) from flagging it.
These ideal scenarios allow us to define a set of constraints on the penalty and reward functions we choose to ensure they achieve the right incentives. The construction of these functions is predicated quite strongly on the rationality of the actors involved in terms of avoiding penalties and optimizing their profits and reputation (in that order). The full algebraic details of this voyage can be found in the whitepaper.
Using the accuracy of a Validator as the probability of a correct or incorrect attestation and the given penalty and reward functions, we can determine the ‘expected reward’ if a Requester is to reject all attestations to claim a reward. With the functions we have chosen and described in the white paper, subject to the constraints of the ideal scenario, we ensure that it is always more profitable for a Requester to accept a correct attestation and therefore to behave honestly.
We determined that a stake for validators is the most natural way to ensure they are able to pay their penalties. We constructed a staking function depending primarily on the accuracy of the Validator (to scale with penalty) and the amount of PII validated. The stake function scales diminishingly with the amount of PII validated to ensure Validators aren’t required to stake obscene amounts of CVC.
Validators are, of course, allowed to activate a withdrawal of their stake. Once activated, CVC is released back to them at an exponentially increasing rate.
With the staking mechanism we also ensure that usage of CVC scales with activity in the network. The more Validators entering the network, the more CVC is naturally demanded for staking. In turn, more Requesters will be drawn to the network producing a positive feedback mechanism. This is how network effects are leveraged to continuously grow the network.
Some Final Thoughts and Comments
Civic’s new token economy applies game-theoretic and mathematical models to interactions between individuals and institutions. By using this kind of approach, we were able to formulate a system that aligns incentives without requiring overarching governance and oversight mechanisms. We believe similar models could be used in a variety of token economic contexts to facilitate stronger incentive behavior.
The CVC token, which underpins this behavior model, acts as a true utility token. It is incorporated into the economy as a fundamental tool to direct payoffs and facilitate transactions in the identity marketplace. Additionally, the token captures the value of the network naturally through the incentive design and devoid of any mechanism encouraging holding purely for speculative gain.
The design of the Civic token economy was a rewarding process for everyone from Civic and Newtown Partners involved. It followed many iterations, and exposed us to many novel ideas in the design of token economies. We’re excited to see how these ideas evolve as token economy design does and look forward to hearing your thoughts.