petko
Newbie
Activity: 12
Merit: 0
October 23, 2015, 08:06:04 AM
This looks good for the edge case of a tangle degenerated to a chain. It should be the same for a tangle with arbitrary topology for transactions that have already been considered confirmed, but intuition says that it's incorrect for transactions that haven't passed their adaptation period yet (i.e. there are a lot of tips not referencing them).
OK, guess the transactions will get entangled fast enough. Let's do a quick calc considering they do:
- Let J be the average Joe's hash rate
- You cannot ask Joe to wait more than 60 sec to issue a single transaction, so the minimal PoW cannot be more than 60 * J
- Let E be the attacker's hash rate
The minimal number of transactions per second that you need in order to keep the system secure is N = E / (60 * J)
So for SHA-256 (in fact, what hashing do you consider?):
- Let's take the Core 2 Duo hash rate for Joe: J = 2.5 MH/s
- Today's hash rate of the Bitcoin network is around 430 PH/s. It is plausible to assume that a single entity owns 1% of that hash power: E = 4.3 PH/s = 4 300 000 000 MH/s
=> The minimal number of transactions per second is the astonishing N = 28 666 666
Did I misunderstand something?
Come-from-Beyond (OP)
Legendary
Activity: 2142
Merit: 1010
Newbie
October 23, 2015, 08:12:50 AM
So when can a tx be considered irreversible?
Never, look at formula #14 in http://188.138.57.93/tangle.pdf. Just like in Bitcoin there is always a chance of doublespending.
patmast3r
October 23, 2015, 08:21:00 AM
So when can a tx be considered irreversible?
Never, look at formula #14 in http://188.138.57.93/tangle.pdf. Just like in Bitcoin there is always a chance of doublespending.
Not even when the weight cap is reached? (The paper mentions the cap but I'm not sure it ever states if the cap will actually be applied)
tonych
Legendary
Activity: 965
Merit: 1033
October 23, 2015, 08:25:03 AM
Got it. But I still doubt it is secure. With a roughly constant flow of transactions, we have roughly constant PoW generated on the legit branch. In Bitcoin, we always have better, more power-efficient ASICs. The miner who is first to install a new ASIC obtains a temporary advantage over other miners (assuming all other variables equal). A new ASIC basically redistributes the constant flow of wealth (25 BTC/block) among miners; ordinary users don't care. In Iota, I'm afraid, it'll be profitable to use ASICs against users. If the minimal PoW per transaction is small enough then a small battery of ASICs might be enough to out-PoW the whole legitimate network armed with CPU PoW.
Bitcoin has constant PoW during a week too, I don't see how constant PoW leads to an insecure state. Would anyone create ASICs for Bitcoin mining if there was no subsidy (25 BTC) nor transaction fees? While it is true that Bitcoin has constant PoW during two weeks, it is adjusted every two weeks in response to changes in the total hash power available. It is able to adapt. There is no reason to assume that the flow of transactions in Iota will increase in response to more hash power being available. Will anyone create ASICs or build botnets specifically to attack Iota users? If the Iota token becomes valuable enough, why not? Security of Iota relies on the assumption that an adversary controls less than 50% of hashing power. This is a standard assumption in the crypto industry. The bootstrapping period will be protected by checkpoints.
It is not just an assumption, it is carefully designed incentives that drive people to behave honestly rather than try to attack other users. Satoshi writes this in section 6 of the Bitcoin whitepaper: The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
In Iota, there is no mining that would have absorbed any surplus hashpower. Where will this wild hashpower go? Thanks, terminology definitely helped. So you allow duplicating a transaction as long as the PoW is also duplicated. What about attempts to rewrite history by rewriting the envelopes? In this example from the whitepaper, if I wanted to censor envelope F and the corresponding transaction (because e.g. it contained a spend that I want to roll back), could I "route around" it by spending some electricity and rewriting the references in the envelopes of E and B so that they no longer point to F but somewhere else? Then there are no references to F in the graph any more, I can safely delete it and share my version of the history with other nodes. How will they know which history is right? The history with the heaviest tangle is right. To rewrite the history you need to control most of the hashing power. Why? I'm guessing after I rewrite the envelopes of E and B, I have to also rewrite all envelopes that reference them (A and C), then the envelopes that reference those that reference, and so on until the tips, correct?
Come-from-Beyond (OP)
Legendary
Activity: 2142
Merit: 1010
Newbie
October 23, 2015, 08:27:38 AM
The minimal number of transactions per second that you need in order to keep the system secure is N = E / (60 * J)
So for SHA-256 (in fact, what hashing do you consider?):
- Let's take the Core 2 Duo hash rate for Joe: J = 2.5 MH/s
- Today's hash rate of the Bitcoin network is around 430 PH/s. It is plausible to assume that a single entity owns 1% of that hash power: E = 4.3 PH/s = 4 300 000 000 MH/s
=> The minimal number of transactions per second is the astonishing N = 28 666 666
Did I misunderstand something?
Looks good, it's just unclear why you picked the Bitcoin hashrate, which is generated by ASICs working a million times faster than a computer.
Come-from-Beyond (OP)
Legendary
Activity: 2142
Merit: 1010
Newbie
October 23, 2015, 08:31:40 AM
Not even when the weight cap is reached ? (The paper mentions the cap but I'm not sure it ever states if the cap will actually be applied)
No. The cap is related to another issue.
Come-from-Beyond (OP)
Legendary
Activity: 2142
Merit: 1010
Newbie
October 23, 2015, 08:43:41 AM
Got it. But I still doubt it is secure. With a roughly constant flow of transactions, we have roughly constant PoW generated on the legit branch. In Bitcoin, we always have better, more power-efficient ASICs. The miner who is first to install a new ASIC obtains a temporary advantage over other miners (assuming all other variables equal). A new ASIC basically redistributes the constant flow of wealth (25 BTC/block) among miners; ordinary users don't care. In Iota, I'm afraid, it'll be profitable to use ASICs against users. If the minimal PoW per transaction is small enough then a small battery of ASICs might be enough to out-PoW the whole legitimate network armed with CPU PoW.
Bitcoin has constant PoW during a week too, I don't see how constant PoW leads to an insecure state. Would anyone create ASICs for Bitcoin mining if there was no subsidy (25 BTC) nor transaction fees? While it is true that Bitcoin has constant PoW during two weeks, it is adjusted every two weeks in response to changes in the total hash power available. It is able to adapt. There is no reason to assume that the flow of transactions in Iota will increase in response to more hash power being available. Will anyone create ASICs or build botnets specifically to attack Iota users? If the Iota token becomes valuable enough, why not? Security of Iota relies on the assumption that an adversary controls less than 50% of hashing power. This is a standard assumption in the crypto industry. The bootstrapping period will be protected by checkpoints.
It is not just an assumption, it is carefully designed incentives that drive people to behave honestly rather than try to attack other users. Satoshi writes this in section 6 of the Bitcoin whitepaper: The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
In Iota, there is no mining that would have absorbed any surplus hashpower. Where will this wild hashpower go? Thanks, terminology definitely helped. So you allow duplicating a transaction as long as the PoW is also duplicated. What about attempts to rewrite history by rewriting the envelopes? In this example from the whitepaper, if I wanted to censor envelope F and the corresponding transaction (because e.g. it contained a spend that I want to roll back), could I "route around" it by spending some electricity and rewriting the references in the envelopes of E and B so that they no longer point to F but somewhere else? Then there are no references to F in the graph any more, I can safely delete it and share my version of the history with other nodes. How will they know which history is right? The history with the heaviest tangle is right. To rewrite the history you need to control most of the hashing power. Why? I'm guessing after I rewrite the envelopes of E and B, I have to also rewrite all envelopes that reference them (A and C), then the envelopes that reference those that reference, and so on until the tips, correct?
Min transaction PoW will naturally increase over time mimicking Moore's law when more powerful hardware appears. Multiply this by the TPS increase caused by increased popularity. ASICs indeed will be created. Satoshi's assumption was shown to be incorrect - http://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf. The necessity to absorb surplus hashpower is not obvious; also, what numbers do you have in mind (1% of unused hashpower, 10%, 99%)? There is no such thing as rewriting of envelopes, you can only add new ones unless you conducted a global eclipse attack.
patmast3r
October 23, 2015, 08:47:50 AM
So what's the plan to bootstrap this thing ? Just pump "useless" transactions into it until the market/actual usage can sustain a constant flow?
Come-from-Beyond (OP)
Legendary
Activity: 2142
Merit: 1010
Newbie
October 23, 2015, 08:53:11 AM
So what's the plan to bootstrap this thing ? Just pump "useless" transactions into it until the market/actual usage can sustain a constant flow?
The plan is to do checkpointing every 5 minutes. Initial holders will vote proportionally to amount owned in the very beginning. Checkpoints are not mandatory and can be disabled by any node.
tobeaj2mer01
Legendary
Activity: 1098
Merit: 1000
Angel investor.
October 23, 2015, 10:45:39 AM
Is there any code/prototype now or only a whitepaper?
iotatoken
October 23, 2015, 10:53:01 AM
Is there any code/prototype now or only a whitepaper?
It's in development.
tobeaj2mer01
Legendary
Activity: 1098
Merit: 1000
Angel investor.
October 23, 2015, 10:59:52 AM
How can we get IOTA? Can we mine it or buy it?
There will be a crowdsale, yes.
At about what time? Will it be held before or after the testing IOTA release?
TPTB_need_war
October 23, 2015, 12:17:39 PM
Come-from-Beyond has been very cordial to me, so I don't want to defecate on his effort. I have my doubts about viability for the following reason. The ramifications of this probably need to be discussed more. But it seems to me that having users who send transactions view all the transactions before they can send is the antithesis of instant microtransactions and also places a burden on who can send a transaction. You need a certain minimum level of connectivity and bandwidth on your connection just to send a transaction. It is an interesting concept and maybe a DAG can be integrated in other ways into cryptocurrency. Maybe he needs to figure out how to eliminate this apparent weakness with some paradigm shift. Note it appears to me that Lightning Networks is in some facets (not all) similar to a DAG concept. Perhaps thinking about those two different paradigms will lead to some epiphany. Hey cool name Iota (IoT)! Good one!
Can you explain to me why this doesn't require every connected IoT device that wants to sign a transaction to listen to every transaction on the network?
Don't the bandwidth requirements of that limit which sort of devices can participate?
Can an IoT device proxy its request to a well-powered server?
Are you talking about on- or off-tangle payments?
Lol I don't know. I guess I mean on-tangle, those participating in your algorithm?
For on-tangle payments a device needs to see the majority of the transactions. Good news is that it needs this only if it's about to make or check a payment; most of the time it can store and broadcast transactions without verifying them (only the PoW needs to be verified to avoid spam attacks).
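The relay rule in the exchange above (a node that is not about to pay stores and forwards transactions without checking their contents, but always checks the PoW so that flooding costs the sender CPU time), as an added example that is not IOTA's code and not part of the original thread. The thread never says which hash function IOTA uses, so the block assumes SHA-256 over a payload, two approved-transaction references and a nonce, a difficulty counted in leading zero bits, a network minimum of 16 bits, and a 24-bit cap on the own weight a single transaction can earn; the field layout, both numbers and the sample transaction are all assumptions/constructed.

```python
"""Relay-side proof-of-work check for a tangle-style transaction.

Added example; not IOTA code. Hash function, field layout, minimum
difficulty and own-weight cap are all assumed for illustration.
"""
import hashlib
import struct

MIN_DIFFICULTY_BITS = 16   # assumed network minimum; anything below is dropped as spam
OWN_WEIGHT_CAP_BITS = 24   # assumed cap on own weight: PoW beyond this earns nothing extra


def tx_digest(payload: bytes, trunk: bytes, branch: bytes, nonce: int) -> bytes:
    """Digest over the transaction body, the two transactions it approves
    (trunk/branch references) and the nonce. The layout is assumed."""
    return hashlib.sha256(payload + trunk + branch + struct.pack(">Q", nonce)).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Difficulty actually achieved by a digest: its count of leading zero bits."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def do_pow(payload: bytes, trunk: bytes, branch: bytes, target_bits: int) -> int:
    """Issuer side: grind the nonce until the digest reaches target_bits.
    Expected cost is about 2**target_bits hashes; verifying it costs one."""
    nonce = 0
    while leading_zero_bits(tx_digest(payload, trunk, branch, nonce)) < target_bits:
        nonce += 1
    return nonce


def own_weight(digest: bytes) -> int:
    """Own weight credited for a transaction's PoW, capped so that a rich
    issuer cannot buy unbounded influence with a single transaction."""
    return min(leading_zero_bits(digest), OWN_WEIGHT_CAP_BITS)


def should_relay(payload: bytes, trunk: bytes, branch: bytes, nonce: int):
    """Relay decision for a node that is not about to make or check a payment.

    Contents (signatures, balances) are not validated here; the node only
    refuses to store or forward anything below the minimum PoW, so flooding
    it costs the spammer roughly 2**MIN_DIFFICULTY_BITS hashes per message.
    Returns (relay?, own weight to credit).
    """
    digest = tx_digest(payload, trunk, branch, nonce)
    if leading_zero_bits(digest) < MIN_DIFFICULTY_BITS:
        return False, 0
    return True, own_weight(digest)


def demo(payload: bytes = b"pay 5 iota to address X",
         trunk: bytes = b"\x11" * 32, branch: bytes = b"\x22" * 32):
    """Issue one constructed transaction at the minimum difficulty and run it
    through the relay check. References are placeholder 32-byte ids."""
    nonce = do_pow(payload, trunk, branch, MIN_DIFFICULTY_BITS)
    return nonce, should_relay(payload, trunk, branch, nonce)


if __name__ == "__main__":
    nonce, verdict = demo()
    print("nonce", nonce, "->", verdict)
    # Changing a single byte of the body invalidates the PoW; the relay
    # will refuse it (with overwhelming probability) without re-grinding.
    print("tampered ->", should_relay(b"pay 5 iota to address X!",
                                      b"\x11" * 32, b"\x22" * 32, nonce))
```

The asymmetry is the point: the issuer spends about 2^16 hashes per transaction, the relay spends one hash to decide whether to keep it, and the cap keeps a well-funded issuer from turning a single heavy transaction into disproportionate weight.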
petko
Newbie
Activity: 12
Merit: 0
October 23, 2015, 12:24:18 PM
Looks good, it's just unclear why you picked the Bitcoin hashrate, which is generated by ASICs working a million times faster than a computer.
I picked it in a search for the maximum possible hash rate owned by an attacker. In fact here I assume the biggest ASIC farm is like a billion times faster than a computer. You are correct that ASIC farms wouldn't exist without the Bitcoin economic model, i.e. the ratio E/J wouldn't have grown to billions. But even if it was smaller, you still need a minimal number of transactions per second with the magnitude of E/J. Anyways, good luck!
PS: Iota is like a Russian car: if it stops, it cannot start, but once it starts, it cannot be stopped
mthcl
October 23, 2015, 12:26:07 PM
So when can a tx be considered irreversible?
Never, look at formula #14 in http://188.138.57.93/tangle.pdf. Just like in Bitcoin there is always a chance of doublespending.
Not even when the weight cap is reached? (The paper mentions the cap but I'm not sure it ever states if the cap will actually be applied)
That cap is only for the own weight of a tx (in fact, as far as I know, the plan is to set it to a constant). The cumulative weight may (and will) grow.
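What "the history with the heaviest tangle is right" (Come-from-Beyond, above), "the cumulative weight may (and will) grow" (mthcl) and tonych's question about routing around envelope F mean in graph terms, as an added example; this is not IOTA's code and not from the tangle paper. The DAG, the own weights (with a cap of 3, since mthcl reads the cap as applying to own weight only) and the rates are constructed. Cumulative weight is taken here as own weight plus the own weights of every transaction that approves it directly or indirectly, which is how the thread uses the term; the last two functions tie the race back to petko's bound N = E / (60 * J).

```python
"""Cumulative weight in a tangle-style DAG and the cost of cutting a
transaction out of the history.

Added example; graph, weights and rates are constructed for illustration
and are not taken from the IOTA paper or code.
"""
from collections import deque

# Each transaction lists the earlier transactions its envelope approves.
# "G" is the genesis; T1 and T2 are the current tips. Constructed graph.
APPROVALS = {
    "G": [],
    "F": ["G"],
    "D": ["G"],
    "E": ["F", "D"],
    "B": ["F"],
    "A": ["E"],
    "C": ["B", "E"],
    "T1": ["A", "C"],
    "T2": ["C"],
}

# Own weight = PoW attached to the transaction itself, capped (the thread says
# the cap applies to own weight only). Small assumed values; cap assumed 3.
OWN_WEIGHT_CAP = 3
OWN_WEIGHT = {"G": 3, "F": 1, "D": 2, "E": 1, "B": 3, "A": 2, "C": 1, "T1": 1, "T2": 2}


def approvers(approvals):
    """Reverse the edges: tx -> set of transactions that approve it directly."""
    rev = {tx: set() for tx in approvals}
    for tx, refs in approvals.items():
        for ref in refs:
            rev[ref].add(tx)
    return rev


def future_cone(tx, approvals):
    """Every transaction that approves tx directly or indirectly."""
    rev = approvers(approvals)
    seen, queue = set(), deque([tx])
    while queue:
        for child in rev[queue.popleft()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def cumulative_weight(tx, approvals=APPROVALS, own_weight=OWN_WEIGHT):
    """Own weight plus the own weight of everything in tx's future cone.
    Each new transaction that (transitively) references tx adds its PoW to
    this number, which is why it only ever grows."""
    if own_weight[tx] > OWN_WEIGHT_CAP:
        raise ValueError(f"{tx}: own weight exceeds cap")
    return own_weight[tx] + sum(own_weight[d] for d in future_cone(tx, approvals))


def cost_to_route_around(tx, approvals=APPROVALS, own_weight=OWN_WEIGHT):
    """What publishing a history without tx costs.

    Every envelope that references tx, directly or through others, becomes
    invalid once tx is gone, so all of them must be reissued with fresh PoW.
    Returns (transactions to reissue, PoW to regenerate); the second value
    equals cumulative_weight(tx) - own_weight[tx].
    """
    redo = future_cone(tx, approvals)
    return redo, sum(own_weight[d] for d in redo)


def heavier(tx_a, tx_b, approvals=APPROVALS, own_weight=OWN_WEIGHT):
    """Conflict rule used in the thread: the branch with more cumulative weight wins."""
    return max((tx_a, tx_b), key=lambda t: cumulative_weight(t, approvals, own_weight))


def min_tps_to_resist(attacker_rate, pow_per_tx):
    """petko's bound: honest PoW per second (tps * pow_per_tx) must exceed the
    attacker's rate, so tps must exceed attacker_rate / pow_per_tx."""
    return attacker_rate / pow_per_tx


def seconds_to_overtake(deficit, attacker_rate, honest_rate):
    """Expected time for an attacker to out-weigh a branch that starts
    `deficit` units ahead and keeps growing at honest_rate. None means the
    attacker never catches up in expectation (the < 50% assumption)."""
    if attacker_rate <= honest_rate:
        return None
    return deficit / (attacker_rate - honest_rate)


if __name__ == "__main__":
    for tx in APPROVALS:
        print(tx, "cumulative weight", cumulative_weight(tx))
    redo, work = cost_to_route_around("F")
    print("dropping F means reissuing", sorted(redo), "=", work, "units of PoW")
    print("min tps with E = 4.3e9 MH/s and 60 s on a 2.5 MH/s CPU:",
          round(min_tps_to_resist(4.3e9, 60 * 2.5)))
```

In the constructed graph, F has own weight 1 but cumulative weight 11: removing it orphans E, B, A, C, T1 and T2, so the attacker must regenerate 10 units of PoW and then keep outpacing the honest flow that continues to build on the real F. That is the sense in which tonych's "until the tips" guess holds, and why the deficit only widens while the honest rate exceeds the attacker's.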
Come-from-Beyond (OP)
Legendary
Activity: 2142
Merit: 1010
Newbie
October 23, 2015, 12:44:50 PM
Come-from-Beyond has been very cordial to me, so I don't want to defecate on his effort. I have my doubts about viability for the following reason. The ramifications of this probably need to be discussed more. But it seems to me that having users who send transactions view all the transactions before they can send is the antithesis of instant microtransactions and also places a burden on who can send a transaction. You need a certain minimum level of connectivity and bandwidth on your connection just to send a transaction. It is an interesting concept and maybe a DAG can be integrated in other ways into cryptocurrency. Maybe he needs to figure out how to eliminate this apparent weakness with some paradigm shift. Note it appears to me that Lightning Networks is in some facets (not all) similar to a DAG concept. Perhaps thinking about those two different paradigms will lead to some epiphany. Hey cool name Iota (IoT)! Good one!
It's not necessary to see all the transactions before sending a payment; one could have a few-days-old snapshot and still get their transaction included into the tangle. This is an advantage of the tangle over the blockchain: the consistency requirement is much lower than in Bitcoin. The Lightning Networks approach (more precisely its improvement made by Christian Decker and Roger Wattenhofer in "A Fast and Scalable Payment Network with Bitcoin Duplex Micropayment Channels") is already utilized in Iota.
Fuserleer
Legendary
Activity: 1064
Merit: 1020
October 23, 2015, 01:46:46 PM
Come-from-Beyond has been very cordial to me, so I don't want to defecate on his effort. I have my doubts about viability for the following reason. The ramifications of this probably need to be discussed more. But it seems to me that having users who send transactions view all the transactions before they can send is the antithesis of instant microtransactions and also places a burden on who can send a transaction. You need a certain minimum level of connectivity and bandwidth on your connection just to send a transaction. It is an interesting concept and maybe a DAG can be integrated in other ways into cryptocurrency. Maybe he needs to figure out how to eliminate this apparent weakness with some paradigm shift. Note it appears to me that Lightning Networks is in some facets (not all) similar to a DAG concept. Perhaps thinking about those two different paradigms will lead to some epiphany. Hey cool name Iota (IoT)! Good one!
It's not necessary to see all the transactions before sending a payment; one could have a few-days-old snapshot and still get their transaction included into the tangle. This is an advantage of the tangle over the blockchain: the consistency requirement is much lower than in Bitcoin. The Lightning Networks approach (more precisely its improvement made by Christian Decker and Roger Wattenhofer in "A Fast and Scalable Payment Network with Bitcoin Duplex Micropayment Channels") is already utilized in Iota.
^ this. It's one of the strengths of a tangle/DAG/whatever you want to call it, as I explained further up. I too, though, am a little unsure about the use of PoW as you describe it; I have the anticipation that this "race", if the network loses, could have some serious consequences. I plan to dig into the theory -> practice of it more over the weekend as a break from regular eMunie stuff before I make any judgements.
Come-from-Beyond (OP)
Legendary
Activity: 2142
Merit: 1010
Newbie
October 23, 2015, 01:52:52 PM
I too, though, am a little unsure about the use of PoW as you describe it; I have the anticipation that this "race", if the network loses, could have some serious consequences.
We have an ace up our sleeve, but it's too early to reveal it.
Fuserleer
Legendary
Activity: 1064
Merit: 1020
October 23, 2015, 02:53:03 PM
I too, though, am a little unsure about the use of PoW as you describe it; I have the anticipation that this "race", if the network loses, could have some serious consequences.
We have an ace up our sleeve, but it's too early to reveal it.
Fair enough. In that case I won't waste any time until you've divulged what that is.
TPTB_need_war
October 23, 2015, 03:07:39 PM
Come-from-Beyond has been very cordial to me, so I don't want to defecate on his effort. I have my doubts about viability for the following reason. The ramifications of this probably need to be discussed more. But it seems to me that having users who send transactions view all the transactions before they can send is the antithesis of instant microtransactions and also places a burden on who can send a transaction. You need a certain minimum level of connectivity and bandwidth on your connection just to send a transaction. It is an interesting concept and maybe a DAG can be integrated in other ways into cryptocurrency. Maybe he needs to figure out how to eliminate this apparent weakness with some paradigm shift. Note it appears to me that Lightning Networks is in some facets (not all) similar to a DAG concept. Perhaps thinking about those two different paradigms will lead to some epiphany. Hey cool name Iota (IoT)! Good one!
It's not necessary to see all the transactions before sending a payment; one could have a few-days-old snapshot and still get their transaction included into the tangle. This is an advantage of the tangle over the blockchain: the consistency requirement is much lower than in Bitcoin. The Lightning Networks approach (more precisely its improvement made by Christian Decker and Roger Wattenhofer in "A Fast and Scalable Payment Network with Bitcoin Duplex Micropayment Channels") is already utilized in Iota.
I haven't dug into the core issues of the breadth of the tree and its implications on convergence versus divergence, and as pertains to double-spends and other metrics. So I am limited in terms of making insights at this time until I do. I thought you replied to me upthread that the payer needs to accumulate a significant portion of the breadth of the tree (even historically) in order to evaluate where strategically to optimally insert his/her node in the DAG.
Thus it seems to me that each payer has to see some N other payers, so this bandwidth and computation load on the payer scales as N x N for payers, versus a normal PoW system where the payer's signature is autonomous from the network. The latter is the end-to-end principle because the intermediaries—between the originator and the construction of a transaction to the destination—are incapable of harm, substitutable, and fungible. Put more abstractly, the intermediaries are idempotent, referentially transparent, transitive, and commutative. I understand conceptually that the global consistency requirement is lower than in a more deterministic traditional PoW or even PoS system (although these diverge on reorganizations and diverge totally under a 51% attack), but doesn't that come with the tradeoff of a risk of divergence of the tree's *final* conclusion about a double-spend (two reasonably balanced leaves each with a double-spend)? I guess what I am after, in terms of characterizing the tradeoffs, is some quantification or conceptualization of the frequency/probability (or characteristic principles) of divergence, as we have succinctly with PoW (selfish mining, 51% attack, orphaned chains, etc). Something expressed in the English language and not requiring differential equation models to comprehend.