Well I agree that in the "two-phase" blackmail scenario, the argument for Alice to comply is less clear since there's nothing forcing Bob to release the initial transaction once he receives payment from Alice. I would just point out, however, that this type of "two-phase" blackmail is attempted in real life, and the blackmailed party often complies, even if they have no guarantee the blackmailer won't follow through with their threat, or that no future blackmail will occur. In other words, in the face of large potential losses, actors do not necessarily behave rationally. If you concede that this is the case, it may be worth it for Bob to at least attempt a large number of blackmail attacks, hoping he'll find a target that complies with his request. This could result in a loss for all of Bob's targets, including the ones that don't comply. Whether this attack makes sense depends on how costly it is for Bob to initiate an attack, the potential reward of a successful attack, and the distribution of compliant victims.
Yes, I have been thinking about this since I made the post and find myself having similar thoughts.
Take the case of cryptolocker. The reason that victims pay out is, at least partially, that the cryptolocker "team" has shown evidence of following up on their commitments. To be fair, the power asymmetry is absolute here - cryptolocker loses nothing in the default case. So it's not the same.
I came to the conclusion that the only defence is in the cost of identity creation. Even if you have a well defined reputation system, it can be somewhat subverted like this - the attackers can continually create a variety of identities and then in PM tell the victim their *real* identity (Hackers Inc), using a PGP key or something less technical but enough to convince the average user, and their "off channel" reputation as reliable in completing the transaction once ransom is paid will then come into effect.
To avoid that, the cost of identity creation has to be at least around the size of a large transaction, otherwise it might well be economically effect to carry out these "two phase" attacks. And in a purely P2P solution, how is the cost of an identity enforced anyway? Someone or something (an oracle?) has to be the arbiter of whether a particular identity has violated protocol rules.
The other alternative - a fidelity bond/sacrifice cost - each new identity destroys $1000 before starting to use the system - is hardly palatable.
I think the cryptolocker blackmail situation is very different:
1. As you pointed out asymmetry. He has no costs. Alice has cost of her collateral if Bob does not accept the blackmail. If the collateral is higher than in my example, say 50% or 100% then this are considerable costs.
2. Cryptolocker use one "identity" and people can predict his strategy, means that he holds his promise to unlock after payment.
Alice and Bob are changing random strangers. If Bob has the experience once that Alice has kept her promise, that experience does not mean anyhing that another Alice will act the same.
I think that blackmail scenario (2 phase) will not work when assuming a pure rational behaviour.
A rational actor would not accept because he has zero guarantee that the blackmailer will keep his promise. In fact the blackmailer has proven that he does not deserve trust, so to trust him again for paying and hoping he hold his word, is irrational IMO.
That does not mean that it cannot happen. The assumption of rational traders is a weak point as well.
A blackmail creates an irrational behaviour for the other party which could lead to the opposite behaviour of what the blackmailer was intending.
For me, I am pretty sure I would not accept it for pure principle reasons. I would hate that person and not pay him a cent. Even in the 1 phase scenario (then I would act irrational because of my anger, I would prefer to lose 1 BTC rather then to pay 0,5 to that asshole).
So it is very hard to predict how people will react when getting irrational. It is a risk for the attacker as well. Some could run amok and beat up the blackmailer (depending on the attack situation the ID is known to the other).
Another point is that due the bank transfer we are not dealing with a real global exchange. A bank tx from Russia to Chile will be very expensive, so they will not offer those trades. There are different risk levels in different countries and the people in those countries are more cautious as the are used to the situation. That could help as well to lower the real risk.
But it is still the question if we need additional protection (reputation system, escrow,...) to solve those problems.
Unfortunately all those solutions introduce new problems and are imperfect on their own (sybil,...) as well adding complexity which creates problem on its own (usability, security, bugs, new attack vectors,...).
For me it seems a better approach to keep it as simple as possible, limit the trade volume to a less hurting value, set the collateral flexible to the appearance of scams (if a lot of scams put it 100% or more, if low scam rate you can use a lower collateral) and maybe use a simple flexible mutual identification process (exchange facebook/twitter/G+ accounts,...).
A flexible combination could meet different needs as well.
If a user prefers to put in a high collateral and not use the mutual identification process it is ok as well. If the collateral is very low he will not find offer taker if he does not accept mutual identification.
It could be a flexible setup of a few simple adjustments which will never prevent scam to 100% but make it less likly and harder and more expensive for the attacker.
We also need to consider that there is no perfect save solution.
If fact many of our existing solution in the financial area are terribly insecure:
Credit cards would never have passed a security audit in the btc community. NEVER! It is a terrible concept.
Paypal the same.
But both are super mainstream.
Because they took into account a scam rate and covered the costs with a hefty fee. The credit card fees can be seen as an insurance fee.
What I want to say with that is we have to be also pragmatic. Many imperfect solutions work pretty well in reality.
That does not mean we should ignore weaknesses!
In contrary
I am very thanksful for the good analysis posted here!
Thats the power of open source, 1000 eyes see more then 2 eyes.
We will keep on to investigate alternative protection mechanisms for the remaining open risks. Some are described in the paper (updated recently), others need more investigations.
For the more serious blackmail problem with the 1 phase blackmail attacker, I think we found a solution. I will post that in a new post extra... already way too long post....