
MobileCoin: A New Cryptocurrency from Moxie Marlinspike - golangnews
https://www.wired.com/story/mobilecoin-cryptocurrency/
======
Confiks
To repeat an earlier comment, this scheme encourages a centralization of trust
into a private key managed by processor manufacturers. You might say that by
integrating SGX mechanisms into your security model, you create a set of
'feudal lords' [1] who can wield their power over you.

A manufacturer may 'legitimately' establish an enclave in your most trusted
hardware which you may not audit or even measure. And if that security model
becomes commonplace, for example when only allowing Widevine DRM inside SGX,
you eventually cannot use your self-chosen hardware, but will have to pick a
feudal lord from a limited set of 'ecosystem choices'.

[1]
[https://www.schneier.com/blog/archives/2013/06/more_on_feuda...](https://www.schneier.com/blog/archives/2013/06/more_on_feudal.html)

~~~
Asdfbla
I still think it's an interesting approach. If you want to be more efficient
and less wasteful than Bitcoin, at some point trust has to come into play. And
reducing your trust to the manufacturers of secure enclaves (whose products
can also be audited to a degree) is surely an improvement still, even if it
doesn't have the radical threat model of conventional cryptocurrencies (which
inevitably run into scaling problems because it mostly requires proof-of-
work).

Also, the article mentions the de facto centralization of trust in the current
cryptocurrency ecosystem - so pragmatically, it's not much better there. From
centralized exchanges, to centralized mining cartels, what does something like
Bitcoin have left to offer?

~~~
olalonde
> From centralized exchanges, to centralized mining cartels, what does
> something like Bitcoin have left to offer?

I'd say you're being overdramatic here. Mining is still decentralised and if
there are any mining cartels, they haven't abused their position yet. It's
still possible to buy, sell and spend Bitcoin peer to peer as well.

~~~
garmaine
> I'd say you're being overdramatic here. Mining is still decentralised

Controlled by a handful of people is absolutely not decentralized.

They have abused their power. Ghash double spends. Segwit blocked for a year.
Bitcoin cash proxy support.

~~~
makomk
I think part of the reason Segwit2x failed is that, ultimately, mining wasn't
as centralized as everyone assumed. Its proponents had the backing of the
major mining pools who controlled the vast majority of the mining power - or
so they thought - but it turned out enough of the actual miners had views too
and were happy to switch pools to express them that it suddenly looked a lot
more precarious than expected.

------
superquest
> "Nobody actually transacts in cryptocurrency," Goldbard says. "So making
> something that people can actually use is our first goal. And then we want
> to find additional ways that people can implement it over time. But
> initially all we want is to make it so people can actually complete
> transactions."

Amen. Too few projects have this focus.

~~~
highd
This is secondary to there being no benefit to the average user for
transacting in crypto vs Visa. What incentive is there for an end user to use
even a hypothetically optimal crypto system? Then is that incentive sufficient
to overcome network effects?

The appropriate and interesting applications of crypto seem to be totally
leaving p2p cash behind - it just doesn't seem like a good fit.

~~~
superquest
The hypothetically optimal crypto system would be cheaper for merchants,
correct? So it would have wider adoption than Visa, at the very least.

I do agree that crypto keeps drifting away from p2p cash ... that's a good
observation. But I hope people keep shooting at that target.

~~~
kang
> The hypothetically optimal crypto system would be cheaper for merchants

Incorrect. Decentralization is always more expensive and slower than a
centralized system (both hypothetically optimal) due to extra sync cost.

~~~
wmf
You're mixing cost and price. Let's say the cost of a Visa transaction is 0.1%
and the price is 2.5% while the cost and price of a MobileCoin transaction are
0.2%. It costs more but it's still cheaper for merchants.

~~~
highd
Cash is cheaper for merchants, but people have only continued to use credit
cards more. Further, if crypto becomes attractive from a cost perspective Visa
will just be forced to bring down fees and stay competitive. It's pretty near
impossible to imagine crypto with costs less than Visa's database.

~~~
knicholes
A wire transfer fee to China would cost me ~$45. Sending it in bitcoin would
cost ~$17.

~~~
tehlike
How much was the exchange difference?

~~~
knicholes
No idea. I just went into the bank and said I needed to send money to China.

------
espadrine
Using Stellar’s Federated Byzantine Agreement as a basis for consensus is a
solid foundation.

David Mazières’ paper[0] displays strong insights and proofs into the
structure of byzantine systems with open membership.

[0]: [https://www.stellar.org/papers/stellar-consensus-protocol.pdf](https://www.stellar.org/papers/stellar-consensus-protocol.pdf)

I wonder where the code for MobileCoin is, or when it will get open-sourced.
All GitHub yields currently is this clearly non-affiliated project:
[https://github.com/mobilecoind/mobilecoin](https://github.com/mobilecoind/mobilecoin).

~~~
lumberjack
I'm not sure I understand correctly, but from what I got, Stellar is a
distributed ledger, but not a currency. There are no coins as such. But the
upside is that the consensus is reached without a taxing algorithm.

Everyone can run a node, but the whole system is not itself decentralised,
because you need "anchors", which are banks or payment processors, to get your
money in and out of the system.

So then, what is the point of the decentralised ledger? GNU Taler seems like a
more simple solution.

~~~
wmf
_you need "anchors", which are banks or payment processors, to get your money
in and out of the system._

You also need exchanges for cryptocurrency[1], so why not admit it from day
one and build that concept into the system?

And maybe it's possible to graft a cryptocurrency onto SCP by using consensus
to choose nodes which receive freshly "mined" currency.

[1] The mythical closed-loop Bitcoin economy ain't going to happen.

~~~
Vadoff
Then why have a decentralized solution at all? Why not just make it like
Paypal?

------
TD-Linux
This coin uses Stellar, which is not a decentralized consensus like Bitcoin,
but rather federated. It's not really surprising that it has performance
advantages.

Also not sure how I feel trusting the fate of a cryptocurrency to the strength
of Intel's SGX.

~~~
kossTKR
"MobileCoin does not rely solely on SGX for maintaining transaction privacy.
Transactions are designed to employ CryptoNote1 one-time addresses and onetime
ring signatures, so MobileCoin will still maintain transaction privacy through
unlinkable addresses if an attacker is able to defeat SGX and view
transactions on the network."

[https://www.mobilecoin.com/whitepaper-en.pdf](https://www.mobilecoin.com/whitepaper-en.pdf)

Other than that, I very much share your concern.

~~~
mtgx
Interesting. So it has the same privacy protections as Monero, the only
cryptocurrency with a track record of being untraceable so far?

I wonder if the Stellar network is "leakier" than a decentralized network
would be, though.

~~~
icelancer
>>So it has the same privacy protections as Monero, the only cryptocurrency
with a track record of being untraceable so far?

I wouldn't call Monero "untraceable" even though I am a very big fan of XMR.
It takes work to put a lot of steps between you and the payee at more levels
than simply the transactional one.

~~~
StavrosK
How do you mean? Why would you need to, if the payment is untraceable? Are you
talking about what happens after you purchase something?

------
Nrbelex
> "9\. Bob's MobileCoin node sends Bob's client a message, which can then
> calculate the private key that corresponds to the generated one-time public
> key."

> "10\. Bob has now successfully received a payment."

If I'm reading this correctly, Bob's client (e.g. mobile app) must be in
contact with the node for his address to receive the payment. This is pretty
different from what I think will be MobileCoin's closest competitors (at least
from a UX standpoint), Venmo, Google Wallet, etc.

DDOSing Bob's mobile device or otherwise preventing access to the node would,
at least temporarily, prevent the transaction from going through. Are the
funds in purgatory during that period? If that client never gets in contact
with the node, does the transaction ever get reversed, allowing the sender to
regain control of the funds?

There are probably a host of other repercussions I haven't thought through
yet. The idea of a cryptocoin as easy to use as Venmo/Signal is definitely
intriguing.

~~~
oculusthrift
How is the need to be in contact with the node different than the need to be
in contact with Venmo’s servers?

~~~
nunyabuizness
It's different because regardless if your node is online or not, Venmo's
servers can still accept payments on your behalf, and it's presumed that
taking Venmo's servers offline would be considerably harder than taking yours
offline.

------
berberous
1) Both Kin and MobileCoin have moved to Stellar as their back end this week.
I haven't paid Stellar much attention before. Anyone have any good links that
explain Stellar and/or discuss the technical pros/cons? Trying to avoid any
shill/pump or baseless FUD.

2) Am I correct that if any vulnerability were found in the SGX, an attacker
would gain access to the encrypted private keys that are stored on a server
node and would just need to brute force the PIN?

~~~
joyce
Here is a link to the blog post when the Stellar Consensus Protocol was
released. It includes a summary in Stellar's own words and a link to the white
paper: [https://www.stellar.org/blog/stellar-consensus-protocol-proof-code/](https://www.stellar.org/blog/stellar-consensus-protocol-proof-code/)

------
dustdrops
The title here says "A new Cryptocurrency from Moxie Marlinspike."

But the article describes his involvement as "Marlinspike has been working on
as a technical advisor."

Those two descriptions sound different.

~~~
wmf
That's just "meritocracy" in action. The founder of a project gets all the
credit for it, and when there are multiple founders the most famous one gets
all the credit.

~~~
mrhappyunhappy
He is not even a cofounder according to their website. They just picked out
whoever is most famous.

------
Uptrenda
I think this is going in the right direction. You take a bunch of tamper-proof
hardware devices from different manufacturers and then model attack costs to
compromise them as part of a proof-of-stake scheme. Now you can build
consensus algorithms on top of them that are highly secure and scalable
compared to anything that exists today.

I'm not convinced that Stellar consensus here is the right algorithm for doing
this, but I think SGX is promising technology that has been somewhat
overlooked in the blockchain space (not by everyone.) SGX has a lot of
potential. You can use SGX as a way to expand the consensus rules of any
blockchain by using it as a blackbox obfuscation construct. Everything and
more that Vitalik wrote in his article about Indistinguishability Obfuscation
is possible with SGX today.

Want to create a specialized oracle that only signs certain transaction
formats, even on untrusted hosts? Yep - use SGX. Now you can have agents that
run in a cluster that will only move assets between blockchains based on a
user's prior agreements, allowing for more complex cross-blockchain smart
contracts to be written in high-level languages. What about having a nice way
to do transaction commitments to scale any blockchain without having GB zero-
knowledge proofs? SGX again. It could be used for privacy preserving
protocols... It could be used for solving data availability problems in
sharding / decentralized storage systems. The list goes on.

Some of the biggest trust problems are solvable with this technology - but
like others have already said - you still have to trust the hardware
manufacturer. In this case, my thoughts are that you already have to trust the
hardware manufacturer anyway (nobody is going to inspect every chip with an
electron microscope...) My bet is that a non-trivial portion of full nodes
today are already running chips with backdoors like the Intel Management
Engine anyway...

The point here is that you can't fully remove trust from any system without
introducing vast inefficiencies, but you can at least formalize the risks in a
system and design so that a compromise is too expensive to be worthwhile, and
for me I think that's where the potential lies with this tech. Cryptoeconomic
systems based on tamper-proof hardware where individually a component may be
compromised, but where it is simply infeasible to compromise each and every
device. You build a network out of these components and you have yourself the
first on-chain scalable blockchain bound by physical hardware encumberments
instead of computational difficulty.

~~~
cyphunk
You know it was hard enough for PayTV smart card developers to keep transistor
level reverse engineers from getting inside their chips, and all that was at
stake then was $35 content subscriptions. I can't imagine how putting personal
banking inside SGX will fare. Or, I acknowledge I am probably missing
something. Am I?

~~~
mike_hearn
It wasn't that hard and the stakes were much higher than that. Individual
subscriptions could be much more, but the entire black market of glitching
units was an industry worth many hundreds of millions of dollars.

Ultimately DirecTV was able to kill pay TV hacking by simply introducing a new
generation of cards that were better protected, the P4 series iirc. Other pay
TV firms invested less and were mostly undermined by just one guy (Tarnovsky)
- not exactly an army of reverse engineers.

The weak points in SGX security aren't the electronics themselves. So far all
attacks on it are side channel based.

~~~
cyphunk
Tarnovsky wasn't the only key. There was also a single minded team of former
intelligence investigators spread around the world coercing and infiltrating,
on top of a smartcard dev team packed with most of Moscow's mathematics prize
winners, in addition to another red team in Haifa with their own Tarnovskys.
I speak from first hand knowledge because in my younger and more naive years I
used to work with them.

Still, the analogy applies because the stakes with a cryptocurrency that
depends on transistor security become a much more interesting target than the,
now boring++, paytv market. It should not be assumed that any secrets will
stay inside of that secure enclave, at all.

++it's boring to hack paytv because streaming, downloads and card sharing
removed a large bulk share of the need

------
pilingual
Here is a year old paper from Imperial College and Cornell where they
implemented trustless transactions using Intel SGX.

[https://www.cs.cornell.edu/people/egs/papers/teechan.pdf](https://www.cs.cornell.edu/people/egs/papers/teechan.pdf)

~~~
alexnewman
This is significantly stronger and harder than what that paper suggested

~~~
anonymousDan
In what way? I mean this (Mobile Coin) is almost the very definition of
vapourware. A 4 page whitepaper, come on.

~~~
kossTKR
Yes I also find this high school level white paper pretty weird. Also no
roadmap, no GitHub, only 3 person team.

But Moxie Marlinspike though...

------
tuccinator
I feel like the real appeal of Bitcoin is the decentralized aspect. I am not
totally intrigued at the idea of having a controlled system, even if it offers
complete privacy and faster transaction speed.

~~~
eridius
If it works like Stellar (which it sounds like it does), it's still a
decentralized network of nodes, but each individual user isn't a node. They
pick a node to work with, and that node is then connected to a set of other
nodes. Anyone _can_ run a node, but there's just not any point to it for most
users.

~~~
nileshtrivedi
How is that better or different from Bitcoin users trusting Coinbase?

~~~
eridius
You can't just spin up your own Coinbase if you don't trust coinbase.com. I
mean, it's Bitcoin, so you can run your own transactions, but you can't do any
of the other stuff Coinbase does.

But with Stellar or something based on its consensus protocol, you can run
your own node if you want, or more likely, a bunch of public nodes can exist
and you can pick the one you trust to work with. For example, if banks decide
to start working with MobileCoin, then Chase could offer a node and, as a
Chase customer, you could decide to trust their node (since you already trust
them to manage your money) and use that one.

~~~
nileshtrivedi
> you can run your own node if you want, or more likely, a bunch of public
> nodes can exist and you can pick the one you trust to work with

Still not getting it. If I don't trust Coinbase, I can go to any other online
wallet that manages my private keys. With some effort, I can even start one
myself. If Chase is running such a wallet, I can use them.

How is a decentralized protocol not a superset of a "federated" one?

~~~
miracle2k
Every node in Ripple or Stellar works with the same global state. You have to
trust Coinbase not to run away with your money, but your Stellar node cannot.
The consensus system is more like a replacement for proof of work, ensuring
that no one double spends.

------
russelldc
Would someone close to this project be able to explain why the node operator
wouldn't have direct access to user's keys in the event of an SGX exploit? The
whitepaper only briefly delves into transaction privacy protections, but not
key management.

------
ajennings
Wow. MM is really going all-in on Software Guard Extensions (secure
enclave) on the server.

What does HN say? Do we trust Intel (motivation and implementation) that much?

~~~
teraflop
Any remote-attestation scheme is theoretically vulnerable to attacks where the
CPU manufacturer includes backdoors in the processor hardware (either
deliberately, accidentally, or under compulsion from a third party).

Intel's implementation is considerably worse than that. Even if you assume the
hardware itself isn't compromised, every remote attestation has to go through
the "Intel Attestation Service" which has _no end-to-end protection._ The IAS
is what actually validates the enclave's signature, and it returns a "success"
or "failure" message which is signed with an Intel key. But there's absolutely
no technical measure that prevents Intel from being compelled to sign a
falsified response; a client would have no way of telling the difference.

This is documented by Intel [1] and I'm hardly the first to notice it [2] but
people still seem to talk about SGX as if compromising it is equivalent to
backdooring the CPU, which is inaccurate.

[1]: [https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example#msg3](https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example#msg3)

[2]: [https://www.blackhat.com/docs/us-17/thursday/us-17-Swami-SGX-Remote-Attestation-Is-Not-Sufficient-wp.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Swami-SGX-Remote-Attestation-Is-Not-Sufficient-wp.pdf)

~~~
rjromero
So you can not start running any code session on the SGX at ALL without this
Remote Attestation call to Intel? That seems silly, considering the SGX has
two 128 bit keys on board (one known to Intel, and one known only to the SGX).

~~~
teraflop
Oh, it's not quite that bad. You can run SGX code and work with encrypted
data, including generating attestation messages. It's just that there's no way
to verify those attestation messages yourself; you have to ask Intel to do it.

It's also worth noting that SGX can run in two modes. There's "debug mode",
which provides absolutely no security because a debugger has complete access
to the state of the enclave. And then there's "release mode", which requires a
key that you can only obtain by signing a commercial agreement and NDA with
Intel.

~~~
mtgx
Why the hell would Intel require an _NDA_ to give you the private key?

That's shady af.

~~~
mike_hearn
It's not actually an NDA (I've signed it). You have to agree to not use SGX to
make un-debuggable malware.

------
harry8
I'm probably going to pay this a lot more attention now than I would have
purely because I find Moxie really quite impressive all the way up to his
patient, reasoned interactions with people around here.

------
icelancer
MobileCoin is backed by XLM/Stellar, which is not decentralized, and so I feel
I should note here that I signed up during Stripe's giveaway of Stellar Lumens
years ago - and I did indeed get my wallet credited.

[https://stripe.com/blog/stellar](https://stripe.com/blog/stellar)

I was given 6000 XLM and I left it in their official wallet for years. On May
12th, 2017 I wrote them an email asking why my wallet, now converted to some
newer official wallet, was empty. I did not receive a reply for 2 months, at
which point I followed up and received a reply within a day, which was:

_"I have investigated your account and it looks like an account merge
operation occurred some time ago merging your lumens with another account. If
you did not commit this action, it could be possible that someone was able to
obtain your account information.

You can see the merge operation here:
[https://horizon.stellar.org/accounts/GD2CPSK2E3TUNC2N5NGGQJQ...](https://horizon.stellar.org/accounts/GD2CPSK2E3TUNC2N5NGGQJQYOHJNFW42YZ55MPQKPQ5BGI2ZPD72G3H3/operations)

Unfortunately there is nothing we can do to retrieve your lumens at this
point.

Apologies we cannot be of further help."_

I have pretty damn good security of my various accounts using hardware 2FA and
such, and I also transact in cryptocurrency and have wallets with far more
fiat value in them than 6000 XLM had at the time ($120-150 USD if I recall),
with absolutely no issue - and I hadn't even logged into their official
wallet. The developers were 100% quick to blame this merge on me. I replied
with a flat: "I highly doubt you are correct that it is my fault" email and it
went back and forth with them asking the basic "well, did you get spearphished
somehow" as if anyone even knew what XLM were or cared.

The process dragged on for a month while I bothered people in their Slack
channel since email communication dropped out and they finally came back with:

_"Our team has investigated and checked for multiple different types of
issues and have not found anything on our end that shows any type of security
compromise in our system.

Unfortunately this means at this moment I do not have a concrete answer to how
your account was compromised. I’ll follow up again to check if there is
anything on your end they would recommend you do."_

I investigated on my own and found a number of accounts who were "hacked" and
sent XLM coins to the wallet that I had merged with, all that just kind of sat
there, indicating a software error on their end of a bunch of accounts that
were randomly emptied. I provided all documentation to their team and spent a
solid 15-20 hours doing so.

Their response to all of this bug bounty-type work?

_"They have identified one potential issue in the past that affected only a
small number of accounts, possibly yours. This bug was fixed once discovered
back in 2014, but users who may have been vulnerable to the bug were still
impacted during the upgrade process to the new network even after it was
resolved.

Although we think this was the cause of what happened, we cannot be 100% sure
if this was what impacted your account considering you had a strong password
and none of your other accounts were compromised."_

And:

_"Although we cannot recover your original lumens from your account, we’d
like to award you 3000 lumens as part of our Bug Bounty Program because you
have helped us in identifying a possible issue that happened in the past."_

So they basically gave me half the XLM back instead of the full amount despite
it being entirely their fault and them having no idea how to investigate while
I exposed a serious flaw in how XLM were assigned and paid to their wallets,
all while blaming me the entire time and with atrociously slow customer
response times.

Forgive me if I'm not the biggest XLM/Stellar Lumens fan; their team is both
terrible at support and suggests that at least their frontline investigators
are technically incompetent since they couldn't figure out the merge situation
before I did with simple API poking around and enumerating.

~~~
bkolobara
You are complaining about receiving _free_ money, but not caring about it
until the price went up recently. How is this even remotely Stellar's issue?

~~~
icelancer
>>You are complaining about receiving free money

Aside from the fact that this is a terrible line of argumentation ("Person A
gave you $100 and then Person B later stole it out of your house, what's your
problem with that?"), that is not the point of my comment at all. I suggest
you read a bit more specifically in regards to service, transactional
security, and the fact that the coin is federated and not decentralized.

~~~
bkolobara
You didn't even realise for a long time that you lost access to it. It's like
me remembering that I had some BTC, but can't access them anymore and blaming
Bitcoin developers for not getting rich.

Stellar not being decentralised, even 90% of nodes are not run by the SDF,
makes it somehow unsecure? If you have some specific complaint about the
security point it out, instead you are just ranting on an anecdote.

~~~
icelancer
>>If you have some specific complaint about the security point it out

I did, in the post. I'm not sure why you are making a big deal about the money
I lost. I am certainly not. It is about the mechanism by which it happened and
how they didn't take it very seriously.

EDIT: I am also not even sure to this day what the value of XLM is, and don't
particularly care. I gather from your post that it has gone up.
Congratulations. I think XLM's architecture and use case makes a lot of sense.
I also think their developers and support team are quite poor. That is the
intent of my post.

------
pellucide
Isn't SGX not so secure? [1]

Specifically this claim

"In a semi-synchronous attack, we extract 96% of an RSA private key from a
single trace. We extract the full RSA private key in an automated attack from
11 traces within 5 minutes."

[1]
[https://www.schneier.com/blog/archives/2017/03/using_intels_...](https://www.schneier.com/blog/archives/2017/03/using_intels_sg.html)

~~~
anonymousDan
It's vulnerable to side-channel attacks, like a lot of trusted hardware. The
challenge with trusted hardware is you have a much stronger threat model than
a lot of previous work on side-channel attacks, in that instead of having to
protect against remote or local unprivileged software attacks, you now have to
guard against a local privileged attacker (e.g. a malicious OS or hypervisor),
or potentially even someone with physical access. Having said that it is
possible to design software in such a way as to be resistant to many side-
channel attacks (albeit with a lot of effort and a performance hit) and I
imagine future generations of SGX could add hardware protection against the
most egregious channels. Of course if you have enough money/time it will
always be possible, the question is whether an SGX based blockchain can be
designed in such a way as to make it not worth the effort.

------
darawk
Anyone got a link to the project's website? I'd like to read an actual
technical description. Anything MM is involved in is gold in my book.

~~~
superquest
site: [https://www.mobilecoin.com/](https://www.mobilecoin.com/)

whitepaper: [https://www.mobilecoin.com/whitepaper-en.pdf](https://www.mobilecoin.com/whitepaper-en.pdf)

~~~
darawk
Thanks, strange Google didn't bring that up.

~~~
superquest
Yea I saw that. I think they just put the site up and it hasn't been indexed yet.

------
CryptoPunk
Stellar is run by a set of trusted third parties, which makes it permissioned.
If it gains any sort of traction, it will undoubtedly come under the control
of any number of governments, thus negating the "peer-to-peer" part of
cryptocurrency, and making usage conditioned on approval from some set of
intermediaries.

~~~
pollen23
It's not run by "a set of trusted third parties".

It's run by SETS of trusted third parties, where each individual node
specifies what set of nodes it trusts to not collude against it.

You don't need anyone's permission to run a node, but it _is_ up to other
nodes if they want to trust _you_.

~~~
CryptoPunk
If your set is not the same as everyone else's set, you risk being forked off.
Trusted third party based schemes have a tendency toward centralization,
making them less resilient than ones based on cryptoeconomic incentives.
Inevitably it will mean TTP based ledgers will be permissioned, with the
TTPs acting as gatekeepers, rather than p2p.

This isn't just theoretical either. Stellar has co-authored a paper arguing
for regulations against anonymous cryptocurrencies:

[http://www.lhoft.com/assets/uploads/images/WhitePaper_LHoFT_...](http://www.lhoft.com/assets/uploads/images/WhitePaper_LHoFT_Stellar_2017_A_04.10.compressed.pdf#asset:216)

It's clear that it's positioning itself as a gatekeeper-based ledger that
stays on the good side of regulatory agencies.

------
muricula
A bit ironic that MobileCoin is targeting x86_64 and SGX seeing that the vast
majority of mobile devices run ARM. I wonder how easy this would be to port to
the ARM TrustZone?

~~~
Ded7xSEoPKYNsDd
ARM TrustZone doesn't do anything related to remote attestation, which I'm
guessing this thing is all about (even if the article doesn't seem to mention
it). So I'll claim it is impossible.

Edit: You could still check the signatures signed by the trusted Intel CPUs on
your ARM device of course, but any mining would have to happen on a SGX-
enabled Intel CPU. (Or anything else with Intel's private key.)

------
wyldfire
> The currency is designed to utilize an Intel processor component known as
> Software Guard Extensions, or a "secure enclave."

Binding yourself to an implementation like this seems like mega big
centralization. There are several decentralized coins that could solve some of
these same problems.

------
pwaai
I'm not sure using Stellar is wise as the majority is owned by a small group
of people, much smaller than Bitcoin, which creates conflict of interest and
not future SEC proof.

On a side rant: So...many...coins...I too have something called
BrowserCoin.com but still haven't figured out what problems to solve. Too many
people just go implement a pseudo-academic blockchain tech with fancy dials
without vetting the problem.... _virtually zero adoption_ other than from
pumpers and owner...that is something I'd like to avoid altogether, for once
some cryptocurrency based business that delivers and benefits people who don't
need expensive rigs to mine or jack resources (browser based blockchains
etc).

~~~
dude01
I don't know you, but... I have an idea for BrowserCoin.com -- a marketplace
for ads where users are paid to try a product. They receive a coin payment
when they use a product for a certain period of time. Don't bother
decentralizing -- keep tabs on who is paid, to avoid bots stealing payments
with fake usage. Let me know if you like that, my email is in my profile.

------
jstewartmobile
With Moxie, I have to wonder what the endgame is for this?

After reading this, currency doesn't seem to jive with his persona:

[https://moxie.org/stories/money-machine/](https://moxie.org/stories/money-machine/)

------
Globz
How is the value of a coin created if there’s no miner or exchange, does it
have a fixed fiat price? Would you buy the coins with real cash?

------
ikeboy
So, it's using DRM to hide the blockchain, is that right?

~~~
kbwt
So if the coin's market cap were higher than Intel's, you could buy Intel and
use the SGX master keys to establish rogue nodes and take over the network.

In fact this is no better at all than if Intel were simply running the
MobileCoin service as a centralized provider/bank.

~~~
ikeboy
Buying Intel is not that simple and would be disclosed far in advance of the
actual purchase.

------
orblivion
Surely I'm reading this wrong. Does the whole thing depend on users trusting
that the nodes run the correct software, which uses these "enclaves" to hide
private data from itself?

~~~
wmf
The nodes can prove that they are running the correct software using SGX.

~~~
orblivion
I'm not sure what this means. Supposing I'm a node that runs the correct
software as well as some incorrect software. I prove (however this works)
using SGX that I'm running the correct software. You send me the data and I
run it through the incorrect software.

I imagine my ignorance of SGX has something to do with this. Is there a 101
link somewhere?

~~~
mike_hearn
As betterunix says, the way you do it is that the signed data structure
proving what software you're running can contain a public key, for which the
private key exists only in the enclave. So you can then encrypt secrets that
are readable only in the enclave.
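
The key binding described in the comment above, as an added Go sketch that is not part of the thread and not MobileCoin's or Intel's code. Ed25519 stands in for the hardware attestation signature, and the `Quote` layout, the function names and the sample code strings are assumptions rather than the real SGX format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Quote is a toy stand-in for an attestation quote (assumed layout, not SGX's).
type Quote struct {
	Measurement [32]byte // hash of the code loaded into the enclave
	EnclaveKey  []byte   // X25519 public key generated inside the enclave
	Sig         []byte   // made by the hardware attestation key
}
func (q Quote) body() []byte { return append(q.Measurement[:], q.EnclaveKey...) }

// Attest models the CPU signing the code hash and the enclave key together.
func Attest(hw ed25519.PrivateKey, code, enclavePub []byte) Quote {
	q := Quote{Measurement: sha256.Sum256(code), EnclaveKey: enclavePub}
	q.Sig = ed25519.Sign(hw, q.body())
	return q
}

// Verify returns the key to encrypt to only if trusted hardware vouches for it.
func Verify(root ed25519.PublicKey, want [32]byte, q Quote) (*ecdh.PublicKey, error) {
	if !ed25519.Verify(root, q.body(), q.Sig) {
		return nil, fmt.Errorf("quote not signed by trusted hardware")
	}
	if q.Measurement != want {
		return nil, fmt.Errorf("enclave runs unexpected code")
	}
	return ecdh.X25519().NewPublicKey(q.EnclaveKey)
}

// Scenario uses constructed data: honest quote, swapped key, modified code.
func Scenario() (honest, swapped, modified error) {
	root, hw, _ := ed25519.GenerateKey(rand.Reader)
	inside, _ := ecdh.X25519().GenerateKey(rand.Reader)
	outside, _ := ecdh.X25519().GenerateKey(rand.Reader) // key held outside the enclave
	want := sha256.Sum256([]byte("ledger-v1"))
	q := Attest(hw, []byte("ledger-v1"), inside.PublicKey().Bytes())
	_, honest = Verify(root, want, q)
	q.EnclaveKey = outside.PublicKey().Bytes() // signature no longer covers this key
	_, swapped = Verify(root, want, q)
	_, modified = Verify(root, want, Attest(hw, []byte("ledger-mod"), outside.PublicKey().Bytes()))
	return
}
func main() { fmt.Println(Scenario()) }
```

A node that proves the correct software and then substitutes a key held by other software fails the signature check, and a quote obtained for different code fails the measurement check, so the client never encrypts to a key outside the attested enclave.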

------
JepZ
Wow, what an impressive move.

I don't trust Moxie ever since he argued that Signal will not be a
decentralized network due to the technological complexity (just BS as Matrix,
XMPP and others have shown). While I suspected that he had other plans in mind,
I didn't see that coming.

Using your widespread chat app to deploy a global payment system. Just wow.
If he will pull that off, Elon Musk gets competition for the title 'Innovator
of the Century'.

------
bkolobara
Great to see more cryptocurrency adopting Stellar's Consensus Protocol.
Decentralisation and scalability without the environmental impact of proof of
work.

~~~
CryptoPunk
Stellar is not decentralized. It is federated, meaning a number of trusted
third parties act as the intermediary, and eventually, will become the
gatekeepers as governments deputize them to enforce their respective laws
(e.g. capital controls in China).

~~~
bkolobara
Like if 90% of mining power owned by 2 companies makes something more
decentralised. I would argue that the Stellar Consensus Protocol is more
resilient to centralisation than any proof of work one.

~~~
CryptoPunk
Manufacturing GPUs doesn't give a company control over how the buyers use the
GPUs. GPUs are by market necessity general-purpose. And all of the full nodes
in a decentralized cryptocurrency network like Ethereum will validate the
blocks generated by the miners.

------
Canada
It's cryptocurrency secured by DRM.

------
homakov
And no word about price volatility? Even if btc were scalable it is unusable
for commerce. Pegging to fiat should be #1 goal of a new blockchain that wants
to solve a problem. All others are just sophisticated gambling platforms.

------
neuralzen
The Request Network may beat them to it, in terms of making crypto accessible,
since it aims to provide a paypal-like, currency agnostic portal for payments.
But I still like the project, and will follow it closely.

------
Asdfbla
While yet another cryptocurrency doesn't sound so good, I think Moxie has at
least proven himself enough with Signal (in terms of being pragmatic about
usability while trying to get the maximum amount of security and privacy for
users) that this sounds promising.

I'm also happy to see a currency with Byzantine agreement without proof-of-
work being explored. While this may not satisfy the extreme threat model of
Bitcoin etc., I'm not really convinced that this is even needed at all. (Not
to mention that Bitcoin has failed as a currency anyway.)

------
mbid
A decentralized currency brought to you by Moxie "Signal doesn't federate or
allow third-party clients" Marlinspike. OK.

~~~
verbify
He used to federate, he said he reckons he lost a year of development in the
attempt.

His argument is federation makes change difficult - and a private company can
centralise the protocol (like Slack or WhatsApp) leading to a better user
experience because they're not tied to getting everyone to agree to a change.

You can read his arguments here:

[https://signal.org/blog/the-ecosystem-is-moving/](https://signal.org/blog/the-ecosystem-is-moving/)

and here:

[https://github.com/LibreSignal/LibreSignal/issues/37#issueco...](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217231557)

------
jmtame
I have a few questions: (1) When can we start using this? (2) How will you
acquire the currency?

I think #2 is the pain point, and I didn't see this addressed in the
whitepaper. Most people talk about Bitcoin's transaction speeds, but Litecoin
works incredibly well for doing transactions. The difficulty for a normal
person is acquiring it. You need something like GDAX.

~~~
babaganoosh89
Litecoin is maybe 2-4x better, but still far from Visa’s transaction capacity
unless the lightning network does fantastically well.

------
flyGuyOnTheSly
Sounds pretty similar to Dash with the nodes, doesn't it?

Dash has been doing quite well recently... so it mustn't be a terrible idea.

~~~
Casseres
It's a great idea for making money.

It's a terrible idea for a currency.

------
TeeWEE
The private key is stored on the node. Haha big fail. That's not what
decentralized blockchains are about.

------
superquest
How might this project grow out of its dependence on Intel hardware over time?

~~~
cuckcuckspruce
Like most other tulip breeds, the craze over their creation will turn to
sudden death before the practical concerns they raise need to be considered.

------
lifeisstillgood
> Visa currently processes about 3,674 transactions per second

Weird, I assumed it was more. It's still 300M a day or 100bn/yr but still.

------
baybal2
Stupidly bad design - storing other people's private keys in a protected
memory region. This is as good as entrusting a safe with your money to a
thief, thinking that the guy will be unable to open it.

Marlinspike, yet again, flops face down with his credibility as a crypto
researcher.

Remember his angry letter about silent key renegotiation hole in Facebook
messenger

------
laretluval
Will I have to give a mobile phone number to use this cryptocurrency?

------
bandrami
I was just thinking we need a few more of these.

------
qwerty456127
What degree of privacy can it actually offer?

------
m3kw9
This hardware requirement will slow adoption

------
zokeia
Where can I invest in this?

------
pmatos
Can you already mine this?

------
dha10_11
[https://us.teamblind.com/article/ama-round-2-i-manage-a-mult...](https://us.teamblind.com/article/ama-round-2-i-manage-a-multi-million-crypto-portfolio-vQBqRpmR)
I think this post about managing a multi-million crypto portfolio can really
relate. I think it still is difficult for the average person to understand,
but this is a really great discussion going on.

------
rjromero
Anyone have any links to read more about SGX? What's stopping someone from
intercepting everything going down there and just doing the operations on
their own while watching?

~~~
qznc
Essentially, the CPU has a private key. Using the corresponding public key you
can send code to the CPU to execute and the CPU prevents even the OS from
looking at the decrypted code. You can also check the signature of the CPU
against a public Intel key to verify it is indeed an Intel CPU you are sending
code to.

~~~
rjromero
Ah I see. I'm seeing that you have 2 128-bit private keys on the enclave, one
known to Intel and one that is not.

Can you not use the one not known to Intel to do your own code signing against
another client with ECDH? Why does it seem like they are pushing this "Intel
Attestation" service? Wouldn't that cause Intel servers to be a single POF
in case they aren't around to give a proper reply for the attestation request?
(Imagine 100,000 nodes on the network all running smart contracts, or perhaps
10 years down the line they discontinue the service.)

~~~
mike_hearn
IAS isn't technically a requirement of SGX. But if you want the ability to
revoke hardware that is found to be compromised, someone needs to have that
list and check against it.

I believe the plan is for IAS to be optional in future. It might already be,
but then you have to implement the signature checking logic yourself. EPID is
quite a complex signature scheme and you'd also need to find out from Intel
which microcode/platform versions are revoked, etc. So IAS is more of a
convenience than anything else.

