IOTA is built by a bunch of technical founders who know enough about blockchain to confuse a lot of non-experts into thinking they are really smart and credible.
But you will see very consistently in the cryptocurrency space that the experts refuse to endorse iota, and frequently say strongly negative things about it.
They are very effective at selling snake oil, but that's all their blockchain is. The tangle that they have designed is neither scalable nor secure. Every node still needs to verify every transaction, and because there is no mining it's trivial to double spend if you have a few machines that focus on cranking out as many transactions as possible.
If you understand enough about blockchains to find security flaws in an insecure system, all you need to do to believe me is learn more about iota. Their flaws are not subtle, there are many of them, and they are substantial.
If you are not expert enough to analyze the security properties of various blockchains, look for reviews of iota by other experts. You will not find any positive ones by people with significant standing. Not from the ethereum camp, not from the bitcoin camp, not from the academic camp.
This is not because of some iota vs. the world conspiracy. It's because iota is genuinely a terrible cryptocurrency.
I do not own IOTA - thought about it some months back but decided against it because I don't fancy doing trades on or supporting Bitfinex.
Another HN user swayed me away from Monero - which I owned a large part of as he told me about scaling issues.
But my question is to your advice about: look to other experts. As someone coming outside the crypto-universe it is kind of hard to distill who the real experts are - so any advice on how to distill/find credible sources of information in this space?
Do scaling issues really matter?! Bitcoin hasn't dealt with its scaling issues, and Monero is extremely far away from needing to deal with issues of scale.
Many of Bitcoin's scaling innovations could be applied to Monero as well.
The only reason misinformation can thrive in the first place is because people choose to believe what other people say, rather than slowly, but steadily, acquiring the relevant knowledge, until they can judge by themselves.
If people either a) didn’t show interest in something they don’t understand, or b) acquired the necessary level of knowledge to judge — by themselves — the validity of some concept, misinformation would be unable to survive.
This is a weird rule of thumb but I don’t trust anyone or any team in the cryptocurrency space who doesn’t have a technical background from a top university. When the noise is high, I need a better signal.
Many people in the crypto space are peddling their own agendas.
I've read the tangle paper. It seems as the node transaction weights grow, the double spend problem is solved (transaction nodes gain weight as others confirm). Arguably you could have bad actors confirming transactions but that is why the coordinator exists until there are enough transactions happening where a coordinated double-spend attack is not feasible.
Looking at tfha's post history, you can see he does not support POS as secure either and refers to the opinions of the bitcoin team. These are two red flags for me.
There are others that do not act in your best interest taking center stage in the crypto world.
There are many very well respected computer scientists in the iota foundation and I'm sure they are well aware of any issues the coin will have along the way.
Edit: Don't trust me either. Do your own research.
That's incorrect because of the asymmetry between attackers and normal users. An attacker needs only to generate as many transactions as the rest of the network combined, and indeed this isn't that expensive.
A single consumer machine can generate hundreds, if not thousands of transactions per second. A fleet of specialized machines costing less than 7 figures total can do millions, if not hundreds of millions, of transactions per second.
Sure, if you wait for a sufficiently large weight on top of your transaction, then you solve the double spend problem. But you need, at the bare minimum, every transaction that happened at roughly the same time as yours to be included as an indirect child of your tips. If you do not understand that sentence, please try to, as it is the very reason that IOTA doesn't scale (and isn't fundamentally different from usual blockchains in any sense other than a somewhat contrived construction).
If I understand the issue you've pointed out correctly, this is why the coordinator currently exists. Once there are constantly running zero value transactions all around us (self driving cars, smart sensors, etc), then that becomes trivial.
I.e. the number of indirect children of your tip increases at a rate of roughly 2^n (less due to random tip selection). This leads to confirmation in an exponential fashion.
> It seems as the node transaction weights grow, the double spend problem is solved (transaction nodes gain weight as others confirm). Arguably you could have bad actors confirming transactions but that is why the coordinator exists until there are enough transactions happening where a coordinated double-spend attack is not feasible.
What is the fundamental assumption that makes the paper assert that this problem will be solved in the future?
Is the assumption that hashing power will be spread more evenly among nodes? And, if so, what is the basis for assuming this? It's certainly not what we see with Bitcoin.
Is the case that the IOTA security model breaks down if hashing power is unevenly distributed?
IOTA currently uses a masternode called the coordinator that verifies all transactions. The coordinator is a necessary feature until there are enough transactions to secure the tangle without it (millions per second?)
Precisely. Food for thought: IOTA nowadays is not only fully centralized currency (in any meaningful technical sense), but it also has a much higher market cap than Bitcoin had a few months ago. So, is the market really valuing decentralization as much as we think?
Is that a rhetorical question — the majority of new money coming in is all speculation, no actual faith in the product; how do you tell? They all convert back to fiat after convincing themselves they sold to a greater fool.
The point is that it's questionable whether it will work in practice, or ever reach the level of adoption needed to be autonomous. Treating IOTA now as a potential payment system to rival bitcoin is hugely risky.
I agree that it's risky but a lot of people here are making it sound like the plague. There is inherent risk in all cryptos. IOTA being a totally new concept to cryptocurrency makes it a little more risky but that doesn't mean that it should be abandoned or destroyed. The vision and benefits of it are great! $0 transactions and no miners sucking up electricity! I just don't get the hate.
This type of sentence is often intellectually dangerous. It's the basic pattern for a false equivalence -- brushing the differences under the rug.
You are essentially saying that risk1 === risk2, without any justification.
The default position when comparing thing1 to thing2, in any complex domain, is that they are not exactly the same, and we should be very cautious when trying to generalize from one to the other.
Which is why I said that IOTA is more risky because it is a new concept. The justification is that to stand up "The Tangle", the Coordinator is necessary at this time. Nobody has been giving any other ideas than FUD.
Weirdly enough, they have multiple academic members in their team. Must be one of the only teams with such high requirements for academia. Also, please enlighten us with some of your findings or sources pointing out IOTA weaknesses so that they can be discussed here and can be conveyed to the dev team.
You've been using this account for a single purpose in addition to violating the guidelines by including personal attacks. We ban accounts like this, so could you please stop now?
So this [1] is where they announced their "partnership" (which, to me, remains obscure in nature) with Microsoft.
The blog post is long and features many well-made graphs, including pictures of "Data Silos" with a pictogram of a lock on it, slogans like "Data is the new Oil" in a subsection "Crudely put, data is the new crude", the famous DIKW Pyramid (Wisdom, Knowledge, Information, Data) and, my favourite, the title of a subsection "Data wants to be free, but not for free.".
All the alarms on my bullshit meter are ringing after reading this.
Ironically the original "data wants to be free" quote was also said in a similar context.
"On the one hand information wants to be expensive, because it's so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other."
Everything in that blog post is very much what the rest of the industry is agreeing with. Sources backing this up are even cited in the damn blog post, man.
What industry? You mean the one that is less than 5yrs old?
IOTA itself, with all its 'smarts' made a stupid mistake designing their own cryptographic hash function! This might seem like I'm hanging on a single point, but I guarantee, any sane security person on this site will tell you to stay far away from this coin if they see this.
People design hash functions. Repeating that ‘creating a hash function is stupid’ doesn’t make it true. There is a need for an efficient, lightweight cryptographic standard for low resource devices. Curl-P attempts to be this solution utilizing ternary logic. They aren’t making it just because they can. There is a real need for it.
Recently, with the Foundation being established (therefore giving them access to sufficient funds), they hired CYBERCRYPT to vet and improve upon their prototype.
> Repeating that ‘creating a hash function is stupid’ doesn’t make it true.
There's a process for everything. Cryptographic functions are supposed to undergo at least half a decade of peer testing before they can be used with any reasonable sense of security. Creating them isn't stupid. Creating them and using them in your application without proper security testing is.
If 'ternary' logic based hash didn't exist, then sure, create one. But don't tout it as being anywhere close to ready when it is important to the overall security of the system.
The project justifies their decision to do so about 'spearheading technology for a new paradigm', which further solidifies the fact they value short-term risky benefits over long term research which is what science is supposed to be.
There is no arbitrary time length requirement for security. There are standard tests (like avalanche) all of which Curl-P passed. They passed all the standard security requirements before deploying the prototype, and had a backup plan of deploying keccak should a hint of any possible exploit arise.
Curl-P is based on a well-studied sponge construction, so it’s not an especially risky move to deploy it in their system after it passed all initial security requirements.
Curl-P also has the advantage of being extremely simple. This makes it easier to vet as the analysis can be done more thoroughly, as it’s not obscured through complex internal mechanisms.
It does require new tools to study (as it’s ternary) so there is bound to be some delay to extremely thorough production readiness. However, saying it is not close to being ready is false (unless we must put an arbitrary year requirement on it as you seem to be keen on).
> There is no arbitrary time length requirement for security.
No there isn't, but it is about letting more researchers take a crack at it. With well-known competitions, you can expect cryptographers to take a look at it.
The thing is, I've heard of lots of new hashes in the past couple years but only heard about curl when the vulnerability was found. I'm not saying I was on the lookout for new hashes but didn't find any, but how do you expect people to check it out when no one really knows about it? Even decades of time is worthless when you have no one looking at it.
> There are standard tests (like avalanche) all of which Curl-P passed.
That's basic homework, not the real test, which is analysis done by people. Give me some tests, a couple months and I can come up with a hash function which passes those too.
> Curl-P is based on a well-studied sponge construction, so it’s not an especially risky move
Sure, sponge construction, while new, has been studied due to Keccak. But you should've used keccak, instead of creating a new one (as they're doing now).
> Curl-P also has the advantage of being extremely simple. This makes it easier to vet as the analysis can be done more thoroughly, as it’s not obscured through complex internal mechanisms.
You know what, I'm not a cryptographer, so I'll quote what a real cryptographer - Bruce Schneier has to say about that.
“In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low,”
What do you have to say to this?
> However, saying it is not close to being ready is false (unless we must put an arbitrary year requirement on it as you seem to be keen on).
Arbitrary year requirement seems frivolous, because you don't see the cryptographers who work hard quietly till they have an attack ready. It is to give time for them.
Take a look at previous competitions, where attacks surface many years after first publication.
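To make the "basic homework" point above concrete, here is an added example that is not from this thread and has nothing to do with Curl-P itself: a simple avalanche harness run on SHA-256 and on a constructed 256-bit GF(2)-linear map. The linear map passes the avalanche check just as well, yet it has no one-wayness at all, since any preimage is one matrix-vector product with the inverse matrix away; the matrix, seeds and sample inputs are constructed assumptions.

```python
import hashlib
import random

N = 256  # input and output width in bits of the toy linear "hash" (assumption)


def parity(v: int) -> int:
    """Parity of the set bits of v (a GF(2) dot product once the operands are ANDed)."""
    return bin(v).count("1") & 1


def gf2_matvec(rows, x):
    """Multiply a GF(2) matrix (row i stored as the bitmask rows[i]) by vector x."""
    y = 0
    for i, r in enumerate(rows):
        if parity(r & x):
            y |= 1 << i
    return y


def gf2_invert(rows, n):
    """Gauss-Jordan elimination on [M | I]; returns the rows of M^-1, or None if singular."""
    aug = [(r << n) | (1 << i) for i, r in enumerate(rows)]
    for c in range(n):
        mask = 1 << (n + c)
        pivot = next((i for i in range(c, n) if aug[i] & mask), None)
        if pivot is None:
            return None
        aug[c], aug[pivot] = aug[pivot], aug[c]
        for i in range(n):
            if i != c and aug[i] & mask:
                aug[i] ^= aug[c]
    return [a & ((1 << n) - 1) for a in aug]


def random_invertible_matrix(n, rng):
    """Draw random GF(2) matrices until one is invertible (about 29% of them are)."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(n)]
        inv = gf2_invert(rows, n)
        if inv is not None:
            return rows, inv


# Constructed, seeded matrix so the example is reproducible.
M, M_INV = random_invertible_matrix(N, random.Random(2017))


def linear_hash(msg: bytes) -> bytes:
    """Toy 256-bit 'hash': y = M*x over GF(2). Excellent diffusion, zero one-wayness."""
    x = int.from_bytes(bytes(msg[: N // 8]).ljust(N // 8, b"\0"), "big")
    return gf2_matvec(M, x).to_bytes(N // 8, "big")


def linear_hash_preimage(digest: bytes) -> bytes:
    """Recover the unique 32-byte preimage as x = M^-1 * y: linear algebra, not cryptanalysis."""
    y = int.from_bytes(digest, "big")
    return gf2_matvec(M_INV, y).to_bytes(N // 8, "big")


def sha256(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


def avalanche_score(hash_fn, nbytes=32, trials=200, seed=1):
    """Mean fraction of output bits that flip when one random input bit is flipped.
    An ideal hash scores about 0.5."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        msg = bytearray(rng.getrandbits(8) for _ in range(nbytes))  # constructed input
        a = hash_fn(bytes(msg))
        bit = rng.randrange(nbytes * 8)
        msg[bit // 8] ^= 1 << (bit % 8)
        b = hash_fn(bytes(msg))
        diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
        total += bin(diff).count("1") / (len(a) * 8)
    return total / trials


def passes_avalanche(hash_fn, tolerance=0.05):
    """The kind of statistical check that is necessary but nowhere near sufficient."""
    return abs(avalanche_score(hash_fn) - 0.5) < tolerance


if __name__ == "__main__":
    for name, fn in (("sha256", sha256), ("linear_hash", linear_hash)):
        print(f"{name:12s} avalanche={avalanche_score(fn):.3f} passes={passes_avalanche(fn)}")
    sample = bytes(range(32))  # constructed input
    print("preimage recovered:", linear_hash_preimage(linear_hash(sample)) == sample)
```

Both functions pass the same avalanche threshold, and the statistic cannot tell the real hash from the one whose preimages are free; only analysis of the construction does.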
> The thing is, I've heard of lots of new hashes in the past couple years but only heard about curl when the vulnerability was found. I'm not saying I was on the lookout for new hashes but didn't find any, but how do you except people to check it out when no one really knows about it? Even decades of time is worthless when you have no one looking at it.
Cryptographers have been looking at it. Initially the team reached out directly to a number of cryptographers, and they have an internal team as well. As a side note, it seems like a weird argument that since you haven't heard of it, no one really knows about it (especially given that you aren't a cryptographer). Additionally, as I said above, it's now being vetted by CYBERCRYPT: https://cybercrypt.dk/company/
Also, the article you cited is incorrect in its assessment that a vulnerability was found. They assumed the ability to generate collisions was a vulnerability instead of a design choice. The security of Iota's current signature scheme relies on one-wayness of the hash function, which was not broken by the MIT team. In addition, the collisions would not result in compromised funds as they state, since forging a signature would require malicious software be downloaded by a user.
> Sure, sponge construction, while new has been studied due to Keccak. But you should've used keccak, instead of creating a new one(As they're doing now)
Keccak is not lightweight and therefore not a viable end solution. The network works much better with Curl-P. I will agree that it probably would've been better to just use Keccak initially till their hash function was vetted by a group like CYBERCRYPT if only to avoid the backlash from implementing a custom function. Hindsight is 20/20 though, and I imagine they were probably just keen on testing the tangle (which is much more unknown tech) in a state closer to its end implementation.
You know what, I'm not a cryptographer, so I'll quote what a real cryptographer - Bruce Schneier has to say about that.
“In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low,”
What do you have to say to this?
This is not a valid argument. It is an appeal to authority. Besides, Bruce is commenting based on the original incorrect analysis by MIT.
> Arbitrary year requirement seems frivolous, because you don't see the cryptographers who work hard quietly till they have an attack ready. It is to give time for them.
Take a look at previous competitions, where attacks surface many years after first publication.
This is true. But it is also true for all hash functions including current well vetted ones. Better mathematical models are produced all the time. This kind of research coupled with AI will likely make a lot of current hash functions vulnerable. What is the fix then? Most likely in the short term it will be quickly swapping to alternative hash functions, which the Iota team did quite easily (since they were prepared for the scenario). This seems like much better prep for the future to me than assuming Keccak or another hash function is forever golden.
Putting aside all their misadventures with crypto and other bugs (it's crypto after all), they don't have a functioning currency or network.
The Tangle is an idea that has no theoretical solution yet.
What I did understand is the following: A user that makes a transaction picks two txs (from the unspent pool) and sends his transaction. Then another user picks it with another one and sends his. And so on and so forth. But who gets to decide which tree to follow?
This is exactly what mining is for: It is election based on mining capacity (or hash rate burn rate). The one who burns more hash rate gets elected to publish the next blockchain.
Not that mining can't get centralized, it is. But there is a difference: Mining is democratic. The nodes elect based on it. That's not the same with the coordinator in IOTA. It is run by the creator of the cryptocurrency.
Edit: Thinking about it now, is it ever possible to achieve this without "burning" something? (I mean equal consensus election without a non-free criterion). Doesn't this somehow conflict with the physical law of conservation of energy?
Now let me get to the important part: It's a premine. It has a nice façade and polished website. That's all you need to know.
This is going to end in tears for lots of people fomoing right now. (or later if this still ramps up)
Their "solution" to the double spend problem (which is the real problem Bitcoin solves) is to have a centrally controlled entity, the coordinator, declaring which transactions are considered confirmed.
When pressed the lead dev retorts with insults instead of answers [1] and tries to redirect to their subreddit where these questions conveniently disappear.
> The Tangle is an idea that has no theoretical solution yet.
Not talking about IOTA specifically but DAG oriented blockchains, there is a good foundation in the SPECTRE paper which was done by recognized researchers in the field. In the following document we made a summary of emerging new research in blockchain technologies: https://docs.google.com/document/d/1J8hehbnZWzcIUMQcxMiGbjz8...
To be fair, there are times in bitcoin when two hashes are found consecutively. In this case, who decides which one is the correct hash? The answer is that the network enters a contentious state and the miners compete over the correct hash until a new one is found ad infinitum. The chances of there being multiple competing chains become virtually zero as time goes on.
The same thing happens with IOTA, except the mining happens on the node sending the transaction (and confirming two others). Competing transactions can happen, and are propagated through the network, but eventually a consensus is reached. I’m only familiar with IOTA in passing, but the biggest flaw I see is of a malicious actor flooding the network with transactions to themselves. I believe the theory is that once the network is big enough this will economically not be feasible, but until then they have the master node. Whether or not this will end up working out, I’m not sure.
Happy to be corrected for any of this. I’m not super familiar with IOTA, this is just my understanding of it.
The contentious state in bitcoin is a network fork. Fork A and Fork B. Both have equal chances. It is the next winning miner that decides which fork will be elected. So the responsibility is just pushed to the next guy.
That's not the same with IOTA. Who gets to decide which fork is better? Based on what? Number of txs? That wouldn't work and I think it is obvious why.
With IOTA, it operates in a similar fashion. The winning chain is the one with the most successful hashes discovered. Just like bitcoin, except instead of a winning chain happening after ~2 hashes, it happens after hundreds(?) of hashes.
How do you reach a consensus and certainty though? What if there is low activity, few transactions; and then comes a big guy who was burning hash to generate txs and take over the chain?
> How do you reach a consensus and certainty though?
I feel like we're going in circles. In both Bitcoin and Iota, we never reach an absolute certainty. In Bitcoin we reach a point where it's infeasible for transactions to ever be overwritten. For high value transactions this is generally around 5 or 6 confirmations. I don't know the exact number people use with Iota, but I remember hearing it was some percentage of confirmations within the tangle.
> What if there is low activity, few transactions; and then comes a big guy who was burning hash to generate txs and take over the chain?
That's the big flaw I pointed out in my original comment, that I suspect may exist.
> In both Bitcoin and Iota, we never reach an absolute certainty.
That's not correct. You are only uncertain in bitcoin when there are two equal (hash wise) blocks. This happens very rarely. That's not the case in IOTA since it does happen all the time and I'm guessing somebody could calculate txs to make it happen on purpose.
> You are only uncertain in bitcoin when there are two equal (hash wise) blocks.
Not true. It's possible to see the longest chain and not know about another chain that is of equal length. Nodes won't propagate chains that are of equal length to their current chain, so this is actually probably a somewhat common scenario. There have also been a number of orphaned blocks of length 2, 3, and 4. That means it's totally possible (not likely, but not outside the realm of possibilities) for a node to be working on a chain and have never seen the correct previous block. https://bitcoin.stackexchange.com/questions/3343/what-is-the...
This is all exactly why many nodes don't accept transactions until there are 6 confirmations -- statistically, we shouldn't ever get to an orphan chain of length 6 even though it's technically possible (outside of bugs).
FWIW, I'm not arguing that IOTA is any more or less secure than Bitcoin.
* They have this thing called the "coordinator" which is a master-node run by them, which is a single point of failure. The codebase that this node runs is proprietary software. They claim there will be no need for this masternode in the long run but they never give any ETA about when to remove it (which hints that removing it may always expose the security flaws of their network). This means it's Proof of Authority instead of Proof of Work, therefore, not decentralized.
* It's 100% premined, which smells as scammy as Ripple. It's not a coin, it's an entity handing you gift vouchers with their name on it.
* I've heard they rolled their own crypto. Yes, let that sink in. Haven't verified this myself though.
* There's no way for new nodes joining the network to recover the full history of the transactions (an IOTA speaker told me there are some public FTP servers or something where you can get a copy...). So yeah, it's an "append and forget" blockchain, lol.
I see this argument against premining all the time, and while I’m not bullish on IOTA, I think it’s worth at least calling out... just because it’s premined doesn’t mean it’s a scam. Most of the time I see this argument from crypto purists that think the only valid currency is evenly distributed. Using XRP as an example (because I’m most familiar with it), Ripple has been nothing but transparent about the supply of XRP and what it’s being used for. They have made it clear that they own the majority at the current time, and their holdings will be used to further their partnerships. Everything Ripple has done has been completely upfront and transparent. Their mission is well stated, and they have a clear plan. Whether or not they will achieve their goals is a different story, but there is nothing they’ve done that seems remotely like a scam to me.
You may not agree with premining for other reasons, but please don’t call something a scam just because someone is trying to be a capitalist.
In the context of deceiving users and leading them to believe there is a more even distribution than there is in reality – premining could be a scam. The examples you gave, however, don’t fit the bill.
> just because it’s premined doesn’t mean it’s a scam
Not a scam, but there is a problem with premining. Consider the first 1 million Satoshi's bitcoins, which, albeit unintentional, still qualifies as pre-mining IMO - we don't know who owns them and whether they are spendable, their value is mind-boggling and if any one of them is spent, it can cause a panic.
> I've heard they rolled their own crypto. Yes, let that sink. Haven't verified this myself though.
They decided it's a good idea to use ternary logic instead of binary logic so they had to write their own cryptographic primitives based on ternary. Here's a good analysis about the security issues: https://medium.com/@neha/cryptographic-vulnerabilities-in-io...
> They decided it's a good idea to use ternary logic instead of binary logic
This is the one main thing that keeps me very, very skeptical regarding IOTA (and the coordinator thing, although that may be resolved someday when traffic increases so they can remove it - at least that's what they say).
It looks a bit like they had this JINN processor developed which appears to be ternary in nature, but it went nowhere, and then they pivoted that into IOTA and stubbornly kept the ternary stuff because that might revive this JINN thing again later on, if IOTA catches on. At least that's how it looks to me from the outside. It's a bit hard to get reliable information about this JINN thing, as the company that apparently developed it, Jinn Labs, is nowhere to be seen publicly, with the excuse of being in "stealth mode". As far as I can see, this entire thing could just as well be vaporware as it could be revolutionary tech developed under strict NDAs.
I'll definitely stay very, very skeptical for now, as it's so hard to get reliable information about IOTA aside from the bling-bling on the surface. I also tried to look at the code of their reference implementation on GitHub a bit recently, since it's mostly Java and I'm mostly a Java dev for a living right now I was interested, but the code quality I can see there is pretty bad overall (like there are almost no comments, most comments you find are actually code that was commented out, formatting seems incoherent, huge amount of bloat code even by Java standards among which it's hard to actually find any real logic), so that excursion also did achieve nothing with regard to alleviating my skepticism.
> the IOTA developers had written their own hash function, _Curl_
Did...did they intentionally name it curl, so that when you search for "Is curl secure?" you will find articles saying that curl - the widely used library - is secure, in the hope that people will confuse the two?
I know that you shouldn't assume malice when it can be explained with incompetence, but combined with some of the other points here, I can't help but feel that this was intentional.
To be very honest, when I first heard about IOTA, there was an article that had the phrase "the inventor of curl", I incorrectly assumed for a while that Daniel Stenberg was involved in the project.
I think the insecurity of their function was a mistake. I doubt they would deliberately code something that threw collisions and have a cover up plan that is basically name it curl and hope people get it mixed up with the real curl.
fwiw, was bored and exploring for the first time the (my God) toxic social timelines of these crypto coins and happened to end with IOTA and the story of the home grown hash function. Just posting what I just read about this topic and not an +/- either way on the topic at hand:
Sergey Ivancheglo (@Come-from-Beyond) claims the collisions were intentional and for the purposes of IOTA the hash merely had to be a one way function:
He addresses his base-3 number system design decision as well (by appealing to authority no less :)
> name it curl
In the above he references Curl-P and the final letter (see his last gist) also explicitly asks that the MIT security blogger use the full name, which she declined.
Kerl is Keccak, i.e. SHA-3, the international NSA standard. They called it Kerl for fun in homage of Curl, which is still under active development with the absolute world-leading cryptographers of lightweight cryptography. Curl had to be invented to push LIGHTWEIGHT cryptography which is necessary for the Internet of Things. It's quite astonishing how much misinformation is spread around.
SHA-3 is not an NSA standard. It was invented by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche who are researchers at various companies/universities and are from Italy and Belgium.
I am very curious about what 'LIGHTWEIGHT' cryptography is defined as. I am also dubious about anyone that claims to have 'absolute world-leading cryptographers' since many strong cryptographers are quietly employed by intelligence agencies and most others are academics.
Also, since we are being pedantic, SHA-3/Keccak is an NIST standard, which is a federal agency of the United States.
I'm not an expert in the field, but there certainly have been efforts here and there to make "lightweight" crypto that needs little computational resources (and therefore battery power). One example would be KASUMI[0].
I've heard that they didn't just roll their own crypto, but that it was in fact unsurprisingly found to be broken and the devs then claimed that this was intentional to stop anyone setting up a clone without the central closed-source coordinator.
It's the second time I've heard that today. I don't deny it's true, but can't we put some sources on this? I think it is a little childish to just be spreading rumors.
He was also concerned that there's no security proof in the whitepaper. To me, it seems like you could feasibly launch an attack with less than a majority of the computing resources.
My understanding is you only need 33% of the hash power at any given time. Since PoW is only done as part of sending transactions, it probably takes less hash power than you'd think to cause problems.
> Why does everyone repeat that Byzantine consensus requires maximum 33% of participants to be dishonest?
Not 33% of participants, 33% of the hash power, could just be one participant with a pile of GPUs or ASICs or "JINN" chips lol. That's the claim made by the IOTA author, anyway.
Right now it wouldn't surprise me if someone could amass 90+% of IOTA hash power anyway.
Okay but it was more of a general question. I see Hashgraph and others always saying that they need 33% of participants to be honest. But with unforgeable message signatures that limitation doesn't apply.
Virtual Voting in hashgraph requires a 2/3 agreement.
Of course PoW provides some protection against sybil attacks, but the reality is that with enough hashpower the network can be overtaken. (Hence why HashGraph is a closed network.)
First, a paper written three weeks ago about an unproven currency is a bit of a stretch.
Second, I didn't say it was necessary to order transactions, I said that is what it is used for, which is correct. You are replying to a point that I didn't make.
You said proof of work is ABOUT ordering transactions. I was trying to say that it's not. It's used for other things: namely as a way to determine the next miner, like leader election in consensus protocols. It also adds a lot of computation on top of the transactions to show that the miner is heavily invested in the ecosystem and thus serves as an economic incentive. It has almost NOTHING to do with ordering transactions. Transactions are ordered by the blockchain, and everyone has to verify them anyway.
So much misinformation, where to begin. IOTA is using Keccak/SHA-3; beyond that, they are developing a new kind of LIGHTWEIGHT cryptographic primitive together with the world leaders of this field.
Other than that, yeah it's weird. Although I'm not sure why there's so many announcements of businesses like Microsoft, Fujitsu doing partnerships with IOTA. Sounds very weird and overpumped.
There were the canary contracts, which, while they were active (they were deactivated in mid-2016), simply stated whether a chain was good or bad, and they were controlled by the makers of ethereum. I don't know if they were ever used to mark a chain as bad, but they certainly represented centralized control.
I do see your point that most of the time, ethereum functioned using the decentralized protocol, but there was a centralized fallback.
From what I gathered from the links below, they were intended to stop mining if an unintentional hard fork had happened. Or maybe also to force miners to upgrade? Did the Frontier release not yet have the ice age mechanism?
The wiki page suggests that there was an option to ignore the canary contracts. So you could still mine without recompiling the source.
There's no such option with IOTA as the coordinator is closed source.
Businesses do that all the time, it has no drawback for them. I suspect it is like the ones with Ethereum, that will never mean they actually use Ethereum, they are just learning about it.
You seem to be a pretty big bitcoin fan (all your other comments), so I would say it is fair that you may be slightly biased against IOTA.
IOTA does not proclaim to be finished, it is still in beta. Hence the need for the coordinator. The coordinator will be turned off once there are enough transactions to secure the network.
> Hence the need for the coordinator. The coordinator will be turned off once there are enough transactions to secure the network.
I already said this in my comment, no need to reiterate it. You didn't repeat, though, that there's no ETA or rough threshold of when it would be safe to turn it off.
It's 100% premined, which smells as scammy as Ripple.
It needed to be, as there are no miners in the IOTA network.
Additionally, in contrast to conventional ICOs, IOTA had 0% of their ICO reserved for founders. Not a single iota. The founders had to purchase their technology back during the ICO.
Furthermore, there was no allocation for foundation or ecosystem funds. They asked the community to donate for this foundation to exist. They reached 5% of total supply and that is what the foundation runs on. (~140Ti)
So they didn't reserve any iotas for themselves; instead, they got the BTC that people used to buy the initial iotas. Six of one, half a dozen of the other.
... which isn't actually so bad when you think about it, as long as those BTC all went to their foundation.
Iota has bigger problems, like pretending to be more efficient by using a DAG, when in reality everybody still needs to see the whole tangle to verify transactions.
The BTC, worth about 500k USD, of which 200k got taken as VAT, was used to develop the technology for the first 2 years. Only in the last month has the IOTA foundation been able to legally access the money donated to them by the community.
As opposed to, say, Tezos, which has 232mil to develop their self-governing token. Additionally, "the founders get 8.5% of the fiat proceeds in cash in addition to 10% of the tokens".
> Iota has bigger problems,
Can't attest to this. But if you are interested in discussing the tangle I suggest joining the slack. Specifically check out #tanglemath
So it's functionally the same as an ICO with a 40% premine? Of which 20% of the tokens go directly to the founders because they figured out how to write a paper.
I read through the IOTA whitepaper a while ago, and while I find the general idea of a DAG-based approach interesting I wasn't able to understand their trust concept or even basic implementation details of their consensus algorithms (which are not detailed in the paper).
As an example, one of their core claims is that it's possible to do offline transactions on a tangle (=DAG) that is isolated from the main tangle and that can be merged later. What I didn't understand is how they resolve the double spending problem with this: If two devices create valid transactions on two independent subtangles and the system tries to reconcile these tangles into the main tangle afterwards, how do they determine which transaction is valid?
Also, I could never get my head around the idea of a decentralized IoT data marketplace. I mean, it really sounds catchy but when you start thinking about possible applications it's actually quite hard to come up with something that seems both interesting and doable.
Finally, no one seems to think about the privacy implications of having IoT data (which often is person-related or person-relatable and therefore under the protection of the GDPR) on a decentralized system where you basically lose control over the data the moment you upload it. From a data protection perspective this is an absolute nightmare.
> If two devices create valid transactions on two independent subtangles and the system tries to reconcile these tangles into the main tangle afterwards, how do they determine which transaction is valid?
The subtangle with the highest weight.
> when you start thinking about possible applications it's actually quite hard to come up with something that seems both interesting and doable.
I can think of a number of niche examples that would benefit from both data security and a value settlement layer.
> no one seems to think about the privacy implications of having IoT data
This is constantly being thought about. GDPR compliance is quite a tricky one, then you have Japan, which even classifies the hash of personal data as controlled. This doesn't mean it's being left behind.
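The "heaviest sub-tangle wins" rule that the reply above gives, and the merge question it answers, can be modelled with a few lines of code. The following is an added example, not code from the thread or from the IOTA project; the tangle data is constructed, and "cumulative weight" is taken here to mean one plus the number of transactions that approve a transaction directly or indirectly, which is an assumption about the rule rather than a reading of the IOTA reference implementation. It shows what a node that has only seen one branch can and cannot know, which is the risk the next comment in the thread raises for anyone accepting a payment before the branches are reconciled:

```python
"""Toy tangle: cumulative weight, tips, and heavier-branch conflict resolution.

Added example with constructed data; not IOTA's code or its exact weight rule.
"""
from collections import defaultdict

# Constructed sample tangle: tx -> list of transactions it approves.
# "spendA" and "spendB" spend the same output on two branches that meet
# only at the genesis, i.e. two devices building sub-tangles independently.
SAMPLE_TANGLE = {
    "genesis": [],
    "spendA": ["genesis"],
    "a1": ["spendA"],
    "a2": ["spendA", "a1"],
    "spendB": ["genesis"],
    "b1": ["spendB"],
    "b2": ["b1", "spendB"],
    "b3": ["b2", "b1"],
    "b4": ["b3"],
}


def approvers(tangle):
    """Invert the approval edges: tx -> set of transactions that directly approve it."""
    rev = defaultdict(set)
    for tx, parents in tangle.items():
        for parent in parents:
            rev[parent].add(tx)
    return rev


def cumulative_weight(tangle, tx):
    """Own weight (1) plus the number of distinct direct or indirect approvers."""
    rev = approvers(tangle)
    seen, stack = set(), [tx]
    while stack:
        current = stack.pop()
        for child in rev[current]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return 1 + len(seen)


def tips(tangle):
    """Transactions that nobody approves yet (sorted for determinism)."""
    rev = approvers(tangle)
    return sorted(tx for tx in tangle if not rev[tx])


def past_cone(tangle, tx):
    """Everything reachable backwards from tx: all a node that only heard
    about tx's branch can see when it checks for a conflicting spend."""
    seen, stack = set(), [tx]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(tangle[current])
    return seen


def resolve_conflict(tangle, tx_a, tx_b):
    """Return the conflicting transaction on the heavier sub-tangle; None on a tie."""
    wa, wb = cumulative_weight(tangle, tx_a), cumulative_weight(tangle, tx_b)
    if wa == wb:
        return None
    return tx_a if wa > wb else tx_b


def branch_only_view(tangle, tip):
    """The tangle as seen by a node that has only received tip's branch."""
    visible = past_cone(tangle, tip)
    return {tx: parents for tx, parents in tangle.items() if tx in visible}


if __name__ == "__main__":
    # A node that only saw branch A has no conflicting spend in view at all.
    view_a = branch_only_view(SAMPLE_TANGLE, "a2")
    print("spendB visible to branch-A node:", "spendB" in view_a)   # False
    # Once both branches are merged, the heavier one decides.
    print("tips:", tips(SAMPLE_TANGLE))
    print("winner:", resolve_conflict(SAMPLE_TANGLE, "spendA", "spendB"))
```

The point a practitioner should take from running it is that `branch_only_view` cannot even detect a conflict, let alone resolve one, so the "highest weight" answer only tells you which spend survives after reconciliation, not whether a spend you saw in isolation will.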
Which is not an acceptable answer, at least from the perspective of an offline node accepting payment. People will exploit it by paying an offline vendor, taking the goods then rushing online to create a doublespend which reverts the transaction.
So offline vendors will never accept it as payment, and the entire feature is useless.
In my understanding, the ability to make transactions on a sub-tangle while not connected to the main network is sold as one of the main advantages by the IOTA creators.
After a security vulnerability in a self-made hash function of iota was discovered, they claimed that it had been included to stop people from copying iota. While I don't believe them, it does show something about the personality and professionalism of the people behind iota.
I was asked by the IOTA team to work on GPU acceleration for "their" ""hash"" algorithm. Not only was there no documentation or even comments for that matter, everyone has been less than helpful. They also insulted part of their contributors as "too autistic to write documentation".
Finally, they wanted to pay me in IOTA, which was the point at which I walked away.
I'm sure there's more going on there, but I wouldn't want to know. I'm not touching this cc with a 10 foot pole.
> In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure are low
I've reviewed the IOTA paper and some docs on it. It seems too good to be true: if it works, it's much better (faster, free) than blockchain cryptocurrencies with no downsides. I am surprised that no one else has come up with this approach so far, why is that?
The only downside is that it's not currently decentralized, and requires a "conductor" to run securely, which will be removed in the future, apparently. The other criticisms are of the first implementation (rolling own crypto), which is an error that impacts confidence in the team but not the currency / concept.
It is too good to be true. And it's not true. You will not be able to find any major bitcoin devs saying anything encouraging about iota. Nor tangle/braid/dag researchers. Nor ethereum devs. Nor respected academics.
Why? Because everyone serious who has taken time to look at the paper has realized it's not a valuable project, and makes plenty of claims it can't back up.
Byteball exists and is doing well; it's just missing marketing (there was no ICO, so no big funds). It also has a witness system, but 3rd party witnesses already exist and it promises to allow more decentralization once it ripens.
IOTA fans say that IOTA is scalable and capable of microtransactions. They often say that it gets faster and faster as there are more transactions, which seems like incredible bullshit to me. I started to read the whitepaper, but I just don't understand how it is scalable. The whitepaper goes into details about how the transaction DAG is maintained, but absolutely basic things seem to be missing: Are nodes all full nodes? Is the history stored on all nodes? Is account state stored on all nodes? There is another project which is designed specifically to be extremely scalable, called EOS (https://github.com/EOSIO/Documentation/blob/master/Technical...). Reading its whitepaper I understood how EOS is scalable pretty clearly. I cannot understand the IOTA whitepaper at all. At least not how it is scalable. Currently IOTA seems to me a project that wants to impress people with good-sounding concepts like DAG, ternary number system, etc... but it does not seem to be good engineering to me. Or at least its whitepaper is extremely poorly written and missing critical information IMHO.
EOS has made security compromises though. If you aren't validating every transaction on the network yourself, you have no way to be certain that the money you are being paid is legitimate.
Token holders vote for 21 block producers. Pretty much all of these block producers would have to be controlled by the same malicious party for an invalid transaction to go through unnoticed. (In fact I think even more than 21 nodes will track the network, as runners-up are rewarded also to some extent.) Malicious block producers, when noticed, are voted out of the system by token holders, probably forever. Unlike in the case of most other currencies, block producers will be actual respectable 'real world' people (but the physical location of their servers will be unknown).
In fact one can say that in the case of POW, if an entity can get cheaper electricity than others, it can happen that mining is unprofitable for everyone except this entity, so the system can become centralized simply by fierce competition to mine efficiently. I am not saying that I know for sure which will be the more secure method in the future: I have diversified my investments into DPOS and POW based currencies (BTC, DASH, EOS).
I like that IOTA is taking a non-blockchain approach. Many people might also be inspired by that.
I recently wrote a paper on eliminating double-spending without relying on global consensus. If there are any cryptographers or security researchers in the audience, I would be interested in hearing your analysis / critique.
Most of it has pretty straightforward elements so the security properties can be more or less proven, but still I want to hear what the major caveats are.
So far I just heard that it's similar to IOTA and there MAY be some attack, but I would love to hear more specific ideas if they jump out at anyone.
I've looked a bit into IOTA over the past weeks because I was trying to understand how it actually works. I still do not fully understand how the Tangle structure actually functions as a process and/or how it solves scalability issues. If someone smarter than me could enlighten me on this, I would be very thankful.
As far as I understand, one main difference between IOTA and classic blockchains is that there are no explicit mining nodes in the system who confirm all the transactions. Instead, if you issue a new transaction, you have to confirm (sign) 2 prior transactions first and do a little round of Proof-of-Work. These 2 prior transactions are called "tips" and are selected by a random walk. I'm not sure who exactly selects the tips (can you select the same ones over and over?) and if the correct tip selection is somehow enforced.
There was a controversy about the homebrew "Curl-P" hash function (P supposedly means Prototype according to the author Come-From-Beyond, previously involved with NXT). After a bumpy responsible disclosure process, MIT researchers Neha Narula et al published these findings: https://github.com/mit-dci/tangled-curl/blob/master/vuln-iot... and an accompanying Medium post. IOTA Foundation dismissed the vulnerability as non-practical, but switched part of their crypto to Keccak instead: https://blog.iota.org/curl-disclosure-beyond-the-headline-18...
So in the IOTA codebase, there is now "curl" (not to be confused with the HTTP library), which is based on the proprietary crypto, and "kerl", which is based on Keccak. Curl is still used for the PoW while I think kerl is now used for other signing.
A bit of an odd aspect of IOTA is the legacy of a ternary number system that is used in the crypto functions. That's why you have to convert your payloads to and from a base-27 encoding scheme ("trytes", alphabet [9A-Z]), which felt strange for me when I wrote some proof-of-concept code trying to use the IOTA libraries. Instead of switching to more established encoding schemes, the IOTA team defends this choice by pointing to future mystery hardware accelerators ("Jinn" etc.) that are supposed to use this ternary system for more memory-efficient calculation. A purported long-haul strategy that is sometimes mentioned is the distribution of such custom processors by IOTA in the future targeting embedded hardware. As an FPGA/Hardware developer myself, I'm extremely skeptical about all of this voodoo and do not understand why so many people seem not to mind it, especially the industry partners like Microsoft and Fujitsu. It would certainly help if the IOTA foundation would disclose more details about these mystery machines.
In summary I find the general approach of IOTA interesting and worthwhile, but there are some strange aspects in the software (not to mention all that coordinator business and the full-system-snapshots that lose all message data once in a while) that I wish would be thoroughly addressed by employing more of the KISS principle and less NIH.
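The tryte encoding the comment above describes (base 27, alphabet `9A-Z`, three balanced trits per tryte) is small enough to write out in full, and doing so makes the conversion overhead concrete. This is an added example, not code from the thread or from the IOTA libraries; the byte-to-tryte-pair scheme (low tryte first, `value = low + 27 * high`) and the value mapping (`9` = 0, `A`..`M` = 1..13, `N`..`Z` = -13..-1) are assumptions modelled on how the client libraries are commonly described, not verified against them here:

```python
"""Trytes and balanced trits: a base-27 encoder/decoder for ASCII payloads.

Added example; the exact pairing scheme is an assumption, not IOTA's verified code.
"""

TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # 27 symbols, as on the page


def tryte_value(ch):
    """Balanced value of one tryte in -13..13 ('9' is 0, A..M positive, N..Z negative)."""
    idx = TRYTE_ALPHABET.index(ch)          # raises ValueError on a non-tryte
    return idx if idx <= 13 else idx - 27


def value_to_trits(value, count=3):
    """Balanced-ternary digits (least significant first), each in {-1, 0, 1}."""
    if not -(3 ** count // 2) <= value <= 3 ** count // 2:
        raise ValueError("value does not fit in %d trits" % count)
    trits = []
    for _ in range(count):
        rem = ((value + 1) % 3) - 1         # maps residue 2 to -1 ("carry")
        trits.append(rem)
        value = (value - rem) // 3
    return trits


def trits_to_value(trits):
    """Inverse of value_to_trits."""
    return sum(t * (3 ** i) for i, t in enumerate(trits))


def trytes_to_trits(trytes):
    """Expand a tryte string to its trit list (3 trits per tryte)."""
    out = []
    for ch in trytes:
        out.extend(value_to_trits(tryte_value(ch)))
    return out


def ascii_to_trytes(text):
    """Two trytes per byte: the byte value b is split as b = low + 27 * high.
    Only byte values 0..255 are representable (27*27 = 729 > 256, so it fits)."""
    trytes = []
    for ch in text:
        code = ord(ch)
        if code > 255:
            raise ValueError("only single-byte characters are supported: %r" % ch)
        low, high = code % 27, code // 27
        trytes.append(TRYTE_ALPHABET[low] + TRYTE_ALPHABET[high])
    return "".join(trytes)


def trytes_to_ascii(trytes):
    """Inverse of ascii_to_trytes; rejects odd lengths and non-tryte characters."""
    if len(trytes) % 2:
        raise ValueError("tryte string must have even length")
    chars = []
    for i in range(0, len(trytes), 2):
        low = TRYTE_ALPHABET.index(trytes[i])
        high = TRYTE_ALPHABET.index(trytes[i + 1])
        code = low + 27 * high
        if code > 255:
            raise ValueError("tryte pair %r is not a valid byte" % trytes[i:i + 2])
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    msg = "Hello, tangle!"                        # constructed sample payload
    enc = ascii_to_trytes(msg)
    print(enc)                                    # 28 trytes for 14 bytes
    print(len(trytes_to_trits(enc)), "trits")     # 84 trits for 14 bytes
    assert trytes_to_ascii(enc) == msg
```

Two things worth noticing when you run it: a payload doubles in symbol count and then triples again when expanded to trits, and the decoder has to validate both the alphabet and the `code <= 255` bound, because the tryte space is larger than the byte space it is carrying.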
I don't really care about all the fluff & stuff behind all those alts, I just bought it very low at very high quantity, and sold it when it was higher. I love cryptos, whatever the use for them. It's free money. While it lasts.
I feel like sharing a curious e-mail encounter I had with IOTA founder David Sønstebø.
After writing a blog post about the limitations of the Bitcoin blockchain, which got some attention on HN[1], I received an e-mail by someone named David (I didn't know who he was at the time), asking me:
Assuming this was just some random person asking for my opinion on IOTA, I replied with a critique, pointing out two weaknesses I was familiar with:
> The only thing I know about IOTA is that it’s centralized, through the so-called Coordinator. This makes it uninteresting to me. As I understand, the IOTA team argues that this is just a preliminary precaution, which will change as the size of the network grows, but I’m skeptical of this claim.
In any case, until it actually becomes decentralized, I don’t think I will have enough interest in it to learn how it works. So I think I will wait for this to happen before taking the time to learn about the system.
Also, I know that the IOTA team designed their own hash function, which turned out to be vulnerable to collision attacks, which sounds rather amateurish to me.
He promptly replied to this critique -- which I thought I was offering someone seeking advice on the soundness of IOTA -- informing me that
> As the founder of IOTA I can answer these questions: [...]
He then proceeded with a rebuttal[2] of the weaknesses I had pointed out, even though he was the one who had asked me, and despite the fact that he didn't need any information about IOTA at all in the first place (given that he created it).
[2] > 1) The Coordinator is quasi-centralized; you as a programmer can easily opt out of it if you want, it is not enforced upon you as a user, it's simply a "best practice" at the moment. Tangle is made to scale, so the argument is indeed that the Coordinator is only now in place to protect against the 34% attack that all DLTs suffer from until the network has scaled. I don't see anything controversial about this, it is the only way to reach a truly decentralized scalable ledger. It is no different from Satoshi firing up his first miners to get the Bitcoin network to work in the first place. The Coordinator will very shortly also be distributed to consist of numerous nodes, at which point it will be a lot more decentralized. These are all well-known steps towards the long-term goal. IOTA never claimed to be production ready, nor do we do any handwavy nonsense like the Ethereum and Bitcoin core mantras "we'll solve it with some computer science breakthroughs in the future"; IOTA's roadmap is very simple and straightforward.
> 2) The hash function story has been so misrepresented and blown out of proportion it is comical. I'll spare you the pointless drama and conflict of interest from the guys carrying out the hit piece and only focus on what is important, in short: We spoke with the Keccak team back in 2014 about creating a trinary sponge based hash function for the inevitable arrival of trinary processors (we have designed our own as well), as ANNs, photonics, spintronics etc. all favor trinary over binary, hence we need a trinary hash function that is lightweight for IoT which utilize such chips. 'Curl' was born. The best way to thoroughly vet a hash function (which is vital) is to put it out there with a big incentive to crack it. This is what we did. Even if someone had broken the hash function entirely (no one ever did) there was no threat to the network due to the precautionary steps in place, and the fact that we had Keccak as backup as safety precaution #10. Right now we are working with several world-leading cryptographers, including your fellow countrymen of http://cybercrypt.dk/company/ on further developing and optimizing Curl. This is far from amateurish, it is simply leading the way through genuine invention. Lightweight hash function development is a very active field of research.
> 3) We also invented full Proof of Stake, the first decentralized exchange, the first decentralized voting protocol, decentralized marketplace in 2013, pioneered using blockchain for ID, Supply Chain and IoT in 2014-2015. So while we're known to push boundaries, we have so far always been vindicated later on. IOTA being the first ledger to disrupt blockchain itself is a testament to this, but is naturally very hard to swallow for a lot of blockchain maximalists. However, when it comes to actual researchers the reception tends to be very positive, and as for companies we work with everyone from Cisco to Maersk to Bosch to Microsoft to IBM to Statoil, so outside of the niche cryptosphere the interest is mounting daily, due to the fact that they have concluded that they can't use blockchain due to its inherent scaling and fee limitations. I mention this so you realize that we didn't just hack some random shit together like most people do in this space.
IOTA has an awful site, and their GitHub isn't impressive (in terms of commits/contributors/pulse). I don't bother with coins/tokens that have sites that resemble scammy ICO sites, and if there's a GitHub I can look at, I prefer to see lots of activity/commits/a pulse.
Maybe IOTA is great. But I can't bring myself to look further into it because of the site + GitHub.