Bitcoin Forum

A virtual currency can be designed by issuing coins with unique ids connected to owners with cryptographic signatures. The coins are transferred between owners in this way:

1. The current owner A unlocks a coin with a private key.
2. A signs the coin with the new owner B's public key.
3. A registers the coin in a distributed hash table.
4. A sends a message to B about the coin having been transferred.
5. B checks the distributed hash table to verify ownership.

Coins of different values 1, 10, 100, 1000 and so on can be issued to make it practical. So for example if a person X wants to send 235 coins to person Y, then two 100, three 10 and five 1 coins are sent in the transaction.

A virtual currency without block chain ? Is that  a centrenlized coin?

I guess the issuing of the coins will be centralized similar to pre-mined coins. Once a coin has been issued it will be fully decentralized and peer-to-peer.

There is already a virtual currency without a block chain! Safecoin is a part of MaidSafe:

"Safecoin is the currency of the SAFE network and a mechanism to incentivise and reward end users and developers as well as provide access to network services. End users who provide their unused computing resources to the network, called Farmers are rewarded in safecoin, while application developers, called Builders earn safecoin in proportion to how often their applications are used. ...  Safecoins are managed by the network’s Transaction Manager. This is the SAFE equivalent to the block chain, however, in SAFE’s case it is unchained, keeping record of only the existing and previous owner. In this respect, safecoin should be thought of as digital cash." -- http://maidsafe.net/safecoin

Could be a brilliant solution. I haven't learned about it enough yet. Looks at face value to have a huge potential.

Without a block chain, there will be no way to search the past transaction history.

Only one transaction back history! ;D But I heard that block chains can be built on top of MaidSafe.

Cryptonite has a mini-blockchain similar to your proposal, but it's not completely missing a block chain.

https://bitcointalk.org/index.php?topic=713538.520

One minute block time is good for many purposes but I'm looking for transactions that can be done in a few seconds. I don't know yet though how fast Safecoin is.

check this:

https://bitcointalk.org/index.php?topic=614917.620

its not released yet, but will have what is called 'proof of consensus' and afaik no blockchain.

The developer himself has said, several times, that there is actually a block-chain.  This is also clearly visible from the source.

This coin will just use a mechanism similar to automated check-pointing in order to reduce burden of storing the chain history.  This carries with it some significant implications and caveats, including a potential "total kill switch" in the hands of the developer, as has been discussed on the thread.

The problem here is that it relies on some assurances that a DHT, alone, cannot provide.  If a DHT registry were "enough" by itself then we would've had a working bitcoin in the mid 90s, trivially.  Unfortunately the "Merkle proof chaining" mechanism of the blocks really is strictly necessary in order to avoid double spend and assure consistent transaction selection and processing.  Without such a mechanism the most simple of attacks against the network could easily be used to disrupt the entire system.

I thought that maybe a distributed real-time server could solve that. For example, the calendar time is taken to be a median value among the nodes in the network.

And then every let's say 5 seconds a chunk of transactions is committed to the distributed hash table. For a transaction to be valid it must be signed with the current coin owner's private key.

It certainly could.  The block-chain *is* that distributed time server, this is the very function it serves.  (We have no other proven design for such a beast.  ;))


It is not so simple. Sybil could just overwhelm and warp the median, for example.


The definition of "committed" becomes very problematic, here.  This is concerning because this committal is strictly necessary as part of avoiding double spends.  Without the proof chain securing consensus over a full history you end up in some messy situations.  In any case you need "someone" to select and order transaction sequences *before* consensus is reached, and consensus has to be reached in a way that precludes re-selecting or re-ordering those transactions in the process, or after the fact, by any party.  Further, you need to do so in a way that reaches at least a "50% + 1" security threshold in order to be able to assert majority consensus, which is much more difficult than it might initially seem.  Most (arguably "all") DHT structures fall to only 1/3 collusion, in the best of cases.  Bitcoin was the first p2p network to demonstrate any security threshold above this norm.

Ok, a distributed real-time server could be tricky to develop, but if we assume it's possible, then each 5-second block of transactions would prevent double spending since all transactions in the block are checked for double spending. How to reach consensus for what transactions should be included may be problematic although that too could perhaps be possible to solve.

Safecoin handles it in this way:

"A separate persona, the TransactionManager, is proposed to handle all the token-related transactions. A TransactionManager group will be a trusted group of nodes which are closest to any given transaction identity. ... The PUT request for safecoin is "no duplication allowed", i.e. if there is already a safecoin data having same name (first 32 bits), the new put request shall be rejected." -- http://maidsafe.net/SystemDocs/user_perspective/safecoin.html

The part "trusted group of nodes" sounds shaky. Coins using a block chain are trustless. My idea of a currency without a block chain is that it should be trustless. It could however be that "trusted group of nodes" is a trust based on cryptography or something like that. Then Safecoin is trustless too.

Maybe we could use something that can logically assert the passage of time, independent of any one peer's notion of it, like an extract-able hash prefix collision puzzle, scaled continuously to match the resources put toward it so as to consistently keep a set pace.  Maybe we could avoid double spending by having this puzzle be directly interdependent with transaction selection, and linearly dependent on each prior instance of the puzzle.  Maybe we could reach consensus about transaction selection based on some simple rules related to management of an in-memory cache of pending transactions at each node.

Maybe there "just isn't" any alternative. Maybe any design meeting the same goals (like using some weighted modular lottery biased by account balances (PoStake) or some pre-coordinated signers' roster (PoActivity)) will actually be entirely isomorphic to what I've just described.

Maybe anything that is not isomorphic to this inherently has the wrong security assurances.

Yes, it sounds like you are well on your way to reinventing the block-chain.  Enjoy the journey, it is quite a scenic road to walk!  ;)

Yes, safecoin uses a delegated trust model, which only serves to "re-centralize" the system.  This is precisely what we would seek to avoid, for many good reasons.

In my proposal each coin has a unique ID in the distributed hash table. That prevents double spending since there can only be one owner for each coin. The problem is how to ensure that the data in the DHT is consistent. Or is a DHT automatically always consistent? I guess I need to learn more about DHTs.

As I expected, a distributed hash table can be messed up by mischievous nodes. Kademlia is an ordinary DHT and it must be modified for security in ways like:

"The proposed KadS network is almost identical to the Kademlia network, i.e. it consists of the described RPCs and implements the same XOR metric. The major extension to the protocol is that every node is equipped with a public/private key-pair signed by a trusted CA. This extends the normal Kademlia network to a public key infrastructure (PKI) in which every communication is encrypted, every node can be trusted and only verified nodes can participate in the network." -- http://blog.philippheckel.com/2009/03/16/kads-a-secure-version-of-the-kademlia-protocol/

That's inadequate since it means trust and third party authorities. By using unique coin IDs and digital signatures for both minting and transactions, the double spend and counterfeit problems are solved, yet the problem of ensuring consistent data in the DHT remains to be solved. (The coins in my proposal are minted by a central authority but after having been minted the coins are fully decentralized and peer-to-peer.)

There have been a few occasions when a trusted CA certificates were compromised and had to be revoked by all browsers. Would that compromise a coins security if it was dependent on CAs?

I don't know but it sounds like a dangerous risk. And even if that wasn't a problem, there would still be the problem of having to rely on third party authorities. Even if only one big trusted authority was used, like VeriSign, there would be the problem of only "elite" nodes being able to operate since the big trusted authority would have monopoly on certificates and could demand obscene amounts of money for licenses. And even with healthy competition among several certificate providers they would have to charge quite a lot of money anyway since they would need to have rigorous control procedures for those who they sold licenses to. And personally I wouldn't even trust a big so-called "trusted" central authority, at least not for a system that's meant to remain robust for centuries.

Blockless blockchain is possible, but locks are necessary to reduce transaction size. If that was not there, each transaction will take all the data with it and it will be bloated soon.

Bloat can be dealt with since disk space and communication speed follow an exponential progress similar to Moore's law. But what about transaction speeds? Paying for a coffee at Starbucks should only take a few seconds at most. 0-confirmation transactions or payment channels can solve that problem for coins with a block chain. It would be better though if the real transactions would be fast.

We are talking of orders higher bloat, and that will increase with more transactions. In effect we are talking of a system where each transaction is a block. Its nearly instantaneous as the block is created whenever it transacts, but the size will be huge.

One of the key realizations to be had is that these are essentially the same concern.


Also (arguably) undesirable, for many good reasons.

So just Ripple. Minted by a central authority, maintained by a few trusted nodes of their own. Changing their marketcap whenever they feel like it.

Another of the key realizations to be had is that security can't actually be made to happen any faster.  (Despite what most alts would have you believe.)  There is no such thing as a secure "0-confirmation transaction" or "instant send" because it eliminates the very thing that creates security over the transaction, that being the passing of time.

It is easy for us to forget that Bitcoin is not really, at heart, a system of money.  It is a system of measuring the time passed since "some event" was logged by the network.  It is designed to measure a probabilistic hour in ten minute average increments.

Let's look at two hypothetical networks.  Network A is like BTC, with 10 minute blocks and 6 confirmations recommended for maximum security.  Network B is a "fast coin" with one minute blocks and 10 confirms.

Let's say both networks have exactly the same average hash-rate, the same number of identical processors hashing on each.  The precise number chosen doesn't matter for the thought experiment, as long as the networks are physically equivalent.

I receive a coin on network A and a coin on network B.  Then an hour passes.  Which coin is more secured?

The answer is, of course, neither.  They both have exactly the same amount of security behind them.  The same amount of work was put behind both by now, that being whatever the network can provide in one hour.  No more, no less, regardless of the block interval or "suggested" confirms

Satoshi et al advised 6 blocks of 10 minutes.  One hour.  Regardless of your alt-coin parameters you can't get this much security by any means that doesn't involve waiting, on average, one hour.  You just simply can't magic the network into being able to add  "an average hours' worth of security" in anything less than one hour.

The only amount of security that you can get from 0 time passing is none at all.

No, the idea is to have the system without a block chain to be trustless once the coins are in circulation. The central authority would be a government or something like that. For example the U.S. government could issue the virtual currency with the same value as the USD. And then those coins would be like digital peer-to-peer cash with very fast transaction times. And the transactions can have zero transaction fees with servers run by the government as a public service. So it would be a limited use case but it could be used in competition with existing cryptocurrencies.

The double spending problem is completely eliminated by having unique coin IDs and using digital signatures. The worst attack nodes could do would be to mess up the distributed hash table. Admittedly, that has to be solved too but the double spending and counterfeit problems are solved in this way without the need for a block chain.

Hmm... Wait a minute. If a central authority like the U.S. government issued the coins AND run the transaction servers as a public serve then they could use digital signatures even for the nodes in the network with an ordinary distributed hash table implentation. They could issue a bunch of 10 cent, $1, $10, $100, ... and so on coins. Very efficiently and to a small public service cost. The wallets can be digitally signed with a national ID system (a potential Orwellian danger perhaps but anyway) and that would eliminate the need for messy cold storage with paper wallets and all that cumbersome management. That's something for Obama to look into. ;D

If you can "mess up" the DHT then you can double spend.  For example, send some coins to an exchange, trade them for btc, then scrub the transaction from the dht (perhaps via Sybil attack) and send the same coins off to some second exchange and sell them again.  Having the coins identified and signed doesn't really help the first exchange.

You can't replace transactions. The unique ID for a coin makes it stored as a single value. By messing up I mean that an attacker can put wrong information into the DHT or delete information. If the attacker manages to delete a coin and then tries to put it in again with another owner then the digital signature would have to be cracked for that to be a successful attack.

I see what you mean now. There is no complete history for the transactions so an attacker can simply make up a transaction and sign it correctly. Yes, then messing up the DHT can lead to double spend.