
IOTA Surges Past Ripple - blocksyn
https://blocksyn.com/iota-surges-past-ripple/
======
tfha
IOTA is built by a bunch of technical founders who know enough about
blockchain to confuse a lot of non-experts into thinking they are really smart
and credible.

But you will see very consistently in the cryptocurrency space that the
experts refuse to endorse iota, and frequently say strongly negative things
about it.

They are very effective at selling snake oil, but that's all their blockchain
is. The tangle that they have designed is neither scalable nor secure. Every
node still needs to verify every transaction, and because there is no mining
it's trivial to double spend if you have a few machines that focus on cranking
out as many transactions as possible.

If you understand enough about blockchains to find security flaws in an
insecure system, all you need to do to believe me is learn more about iota.
Their flaws are not subtle, there are many of them, and they are substantial.

If you are not expert enough to analyze the security properties of various
blockchains, look for reviews of iota by other experts. You will not find any
positive ones by people with significant standing. Not from the ethereum camp,
not from the bitcoin camp, not from the academic camp.

This is not because of some iota vs. the world conspiracy. It's because iota
is genuinely a terrible cryptocurrency.

~~~
q-base
I do not own IOTA - thought about it some months back but decided against it
because I don't fancy doing trades on or supporting Bitfinex.

Another HN user swayed me away from Monero - which I owned a large part of as
he told me about scaling issues.

But my question is to your advice about: look to other experts. As someone
coming outside the crypto-universe it is kind of hard to distill who the real
experts are - so any advice on how to distill/find credible sources of
information in this space?

~~~
p33p
I'm also very interested in hearing the answer to this.

~~~
chvid
Listen to the ones the market listens to.

For crypto currencies it is not necessarily people with deep technical insight
nor is it established economists.

~~~
infinity0
> Listen to the ones the market listens to.

This is exactly the sort of anti-advice that brings suckers into a pyramid
scheme.

> For crypto currencies it is not necessarily people with deep technical
> insight nor is it established economists.

Sure, stir up hatred and jealousy of "experts" and "the establishment" to
bring in more suckers, right?

GTFO shill.

------
donquichotte
So this [1] is where they announced their "partnership" (which, to me, remains
obscure in nature) with Microsoft.

The blog post is long and features many well-made graphs, including pictures
of "Data Silos" with a pictogram of a lock on it, slogans like "Data is the
new Oil" in a subsection "Crudely put, data is the new crude", the famous DIKW
Pyramid (Wisdom, Knowledge, Information, Data) and, my favourite, the title of
a subsection "Data wants to be free, but not for free.".

All the alarms on my bullshit meter are ringing after reading this.

[1] https://blog.iota.org/iota-data-marketplace-cb6be463ac7f

~~~
Aledgerly
Everything in that blog post is very much what the rest of the industry is
agreeing with. Sources backing this up are even cited in the damn blog post
man.

~~~
ktta
What industry? You mean the one that is less than 5yrs old?

IOTA itself, with all its 'smarts' made a stupid mistake designing their _own_
cryptographic hash function! This might seem like I'm hanging on a single
point, but I guarantee, any sane security person on this site will tell you to
stay far away from this coin if they see this.

https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367

~~~
flaminghedge
People design hash functions. Repeating that ‘creating a hash function is
stupid’ doesn’t make it true. There is a need for an efficient, lightweight
cryptographic standard for low resource devices. Curl-P attempts to be this
solution utilizing ternary logic. They aren’t making it just because they can.
There is a real need for it.

Recently, with the Foundation being established (therefore giving them access
to sufficient funds), they hired CYBERCRYPT to vet and improve upon their
prototype.

~~~
ktta
>Repeating that ‘creating a hash function is stupid’ doesn’t make it true.

There's a process for everything. Cryptographic functions are supposed to
undergo at least half a decade of peer testing before they can be used with any
reasonable sense of security. Creating them isn't stupid. Creating them and
using them in your application without proper security testing is.

If 'ternary' logic based hash didn't exist, then sure, create one. But don't
tout it as being anywhere close to ready when it is important to the overall
security of the system.

The project justifies their decision to do so about 'spearheading technology
for a new paradigm', which further solidifies the fact they value short-term
risky benefits over long term research which is what science is supposed to
be.

~~~
flaminghedge
There is no arbitrary time length requirement for security. There are standard
tests (like avalanche) all of which Curl-P passed. They passed all the
standard security requirements before deploying the prototype, and had a
backup plan of deploying keccak should a hint of any possible exploit arise.

Curl-P is based on a well-studied sponge construction, so it’s not an
especially risky move to deploy it in their system after it passed all initial
security requirements.

Curl-P also has the advantage of being extremely simple. This makes it easier
to vet as the analysis can be done more thoroughly, as it’s not obscured
through complex internal mechanisms.

It does require new tools to study (as it’s ternary) so there is bound to be
some delay to extremely thorough production readiness. However, saying it is
not close to being ready is false (unless we must put an arbitrary year
requirement on it as you seem to be keen on).

~~~
ktta
>There is no arbitrary time length requirement for security.

No there isn't, but it is about letting more researchers take a crack at it.
With well-known competitions, you can expect cryptographers to take a look at
it.

The thing is, I've heard of lots of new hashes in the past couple years but
only heard about curl when the vulnerability was found. I'm not saying I was
on the lookout for new hashes but didn't find any, but how do you expect
people to check it out when no one really knows about it? Even decades of time
is worthless when you have no one looking at it.

>There are standard tests (like avalanche) all of which Curl-P passed.

That's basic homework, not the real test, which is analysis done by people.
Give me some tests, a couple months and I can come up with a hash function
which passes those too.

>Curl-P is based on a well-studied sponge construction, so it’s not an
especially risky move

Sure, sponge construction, while new, has been studied due to Keccak. But you
should've used keccak, instead of creating a new one (as they're doing now).

> Curl-P also has the advantage of being extremely simple. This makes it
> easier to vet as the analysis can be done more thoroughly, as it’s not
> obscured through complex internal mechanisms.

You know what, I'm not a cryptographer, so I'll quote what a _real_
cryptographer - Bruce Schneier has to say about that.

“In 2017, leaving your crypto algorithm vulnerable to differential
cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed
their system, and that the odds that their fix makes the system secure is
low,”

What do you have to say to this?

>However, saying it is not close to being ready is false (unless we must put
an arbitrary year requirement on it as you seem to be keen on).

Arbitrary year requirement seems frivolous, because you don't see the
cryptographers who work hard quietly till they have an attack ready. It is to
give time for them.

Take a look at previous competitions, where attacks surface many years after
first publication.
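
The point about avalanche tests in the exchange above, as an added illustration that is not code from the thread or from the IOTA project: it measures the single-bit avalanche effect of SHA3-256 (Keccak, the fallback function the thread mentions) and of a constructed toy hash that hashes the sorted input bytes. The toy hash scores just as well on the avalanche statistic, yet every permutation of its input collides, which is why passing such a statistical test is not evidence of collision resistance.

```python
"""Avalanche statistic versus collision resistance (added example)."""
import hashlib
import random


def sha3_hash(msg: bytes) -> bytes:
    return hashlib.sha3_256(msg).digest()


def toy_sorted_hash(msg: bytes) -> bytes:
    # Constructed weak hash (assumption for the demo): byte order is discarded
    # before hashing, so any reordering of the input collides. A single-bit
    # flip still changes the multiset of bytes, so avalanche looks perfect.
    return hashlib.sha3_256(bytes(sorted(msg))).digest()


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(h, msg_len: int = 32, trials: int = 200, seed: int = 1) -> float:
    """Mean fraction of output bits that flip when one random input bit flips.

    An ideal hash gives about 0.5; values far from that fail the test.
    """
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        msg = bytes(rng.getrandbits(8) for _ in range(msg_len))
        pos = rng.randrange(msg_len * 8)
        flipped = bytearray(msg)
        flipped[pos // 8] ^= 1 << (pos % 8)
        d1, d2 = h(msg), h(bytes(flipped))
        total += hamming(d1, d2) / (len(d1) * 8)
    return total / trials


def trivial_second_preimage(msg: bytes):
    """For toy_sorted_hash, any distinct permutation of msg is a collision.

    Returns the reversed message when it differs from msg, else None.
    """
    other = msg[::-1]
    if other != msg and toy_sorted_hash(other) == toy_sorted_hash(msg):
        return other
    return None


if __name__ == "__main__":
    for name, h in (("sha3-256", sha3_hash), ("toy sorted hash", toy_sorted_hash)):
        print(f"{name}: avalanche ratio {avalanche_ratio(h):.3f}")
    # Constructed sample input for the demonstration.
    print("toy hash second preimage:", trivial_second_preimage(b"curl-p prototype"))
```

Both functions report an avalanche ratio near 0.5; only the second one hands back a second preimage on demand.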

~~~
flaminghedge
> The thing is, I've heard of lots of new hashes in the past couple years but
> only heard about curl when the vulnerability was found. I'm not saying I was
> on the lookout for new hashes but didn't find any, but how do you expect
> people to check it out when no one really knows about it? Even decades of
> time is worthless when you have no one looking at it.

Cryptographers have been looking at it. Initially the team reached out
directly to a number of cryptographers, and they have an internal team as
well. As a side note, it seems like a weird argument that since you haven't
heard of it, no one really knows about it (especially given that you aren't a
cryptographer). Additionally, as I said above, it's now being vetted by
CYBERCRYPT: [https://cybercrypt.dk/company/](https://cybercrypt.dk/company/)

Also, the article you cited is incorrect in its assessment that a
vulnerability was found. They assumed the ability to generate collisions was a
vulnerability instead of a design choice. The security of Iota's current
signature scheme relies on one-wayness of the hash function, which was not
broken by the MIT team. In addition, the collisions would not result in
compromised funds as they state, since forging a signature would require
malicious software be downloaded by a user.

> Sure, sponge construction, while new, has been studied due to Keccak. But you
> should've used keccak, instead of creating a new one (as they're doing now).

Keccak is not lightweight and therefore not a viable end solution. The network
works much better with Curl-P. I will agree that it probably would've been
better to just use Keccak initially till their hash function was vetted by a
group like CYBERCRYPT if only to avoid the backlash from implementing a custom
function. Hindsight is 20/20 though, and I imagine they were probably just
keen on testing the tangle (which is much more unknown tech) in a state closer
to its end implementation.

> You know what, I'm not a cryptographer, so I'll quote what a real
> cryptographer - Bruce Schneier has to say about that. “In 2017, leaving your
> crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake.
> It says that no one of any calibre analyzed their system, and that the odds
> that their fix makes the system secure is low,” What do you have to say to
> this?

This is not a valid argument. It is an appeal to authority. Besides, Bruce is
commenting based on the original incorrect analysis by MIT.

> Arbitrary year requirement seems frivolous, because you don't see the
> cryptographers who work hard quietly till they have an attack ready. It is
> to give time for them. Take a look at previous competitions, where attacks
> surface many years after first publication.

This is true. But it is also true for all hash functions including current
well vetted ones. Better mathematical models are produced all the time. This
kind of research coupled with AI will likely make a lot of current hash
functions vulnerable. What is the fix then? Most likely in the short term it
will be quickly swapping to alternative hash functions, which the Iota team
did quite easily (since they were prepared for the scenario). This seems like
much better prep for the future to me than assuming Keccak or another hash
function is forever golden.

------
csomar
Putting aside all their misadventures with crypto and other bugs (it's crypto
after all), they don't have a functioning currency or network.

The Tangle is an idea that has no theoretical solution yet.

What I did understand is the following: A user that makes a transaction picks
two txs (from the unspent pool) and sends his transaction. Then another user
picks it with another one and sends his. And so on and so forth. But who gets
to decide which tree to follow?

This is exactly what mining is for: It is election based on mining capacity
(or hash rate burn rate). The one who burns more hash rate gets elected to
publish the next blockchain.

Not that mining can't get centralized, it is. But there is a difference:
Mining is democratic. The nodes elect based on it. That's not the same with
the coordinator in IOTA. It is run by the creator of the cryptocurrency.

Edit: Thinking about it now, is it ever possible to achieve this without
"burning" something? (I mean equal consensus election without a non-free
criterion). Doesn't this somehow conflict with the physical law of conservation
of energy?

Now let me get to the important part: It's a premine. It has a nice façade and
polished website. That's all you need to know.

This is going to end in tears for lots of people fomoing right now. (or later
if this still ramps up)

~~~
lojack
To be fair, there are times in bitcoin when two hashes are found
consecutively. In this case, who decides which one is the correct hash? The
answer is that the network enters a contentious state and the miners compete
over the correct hash until a new one is found ad infinitum. The chances of
there being multiple competing chains become virtually zero as time goes on.

The same thing happens with IOTA, except the mining happens on the node
sending the transaction (and confirming two others). Competing transactions
can happen, and are propagated through the network, but eventually a consensus
is reached. I’m only familiar with IOTA in passing, but the biggest flaw I see
is of a malicious actor flooding the network with transactions to themselves.
I believe the theory is that once the network is big enough this will
economically not be feasible, but until then they have the master node.
Whether or not this will end up working out, I’m not sure.

Happy to be corrected for any of this. I’m not super familiar with IOTA, this
is just my understanding of it.

~~~
csomar
The contentious state in bitcoin is a network fork. Fork A and Fork B. Both
have equal chances. It is the next winning miner that decides which fork will
be elected. So the responsibility is just pushed to the next guy.

That's not the same with IOTA. Who gets to decide which fork is better? Based
on what? Number of txs? That wouldn't work and I think it is obvious why.

~~~
lojack
The network fork is exactly what I described.

With IOTA, it operates in a similar fashion. The winning chain is the one with
the most successful hashes discovered. Just like bitcoin, except instead of a
winning chain happening after ~2 hashes, it happens after hundreds(?) of
hashes.

~~~
csomar
How do you reach a consensus and certainty though? What if there is low
activity, few transactions; and then comes a big guy who was burning hash to
generate txs and take over the chain?

~~~
lojack
> How do you reach a consensus and certainty though?

I feel like we're going in circles. In both Bitcoin and Iota, we never reach
an absolute certainty. In Bitcoin we reach a point where it's infeasible for
transactions to ever be overwritten. For high value transactions this is
generally around 5 or 6 confirmations. I don't know the exact number people
use with Iota, but I remember hearing it was some percentage of confirmations
within the tangle.

> What if there is low activity, few transactions; and then comes a big guy
> who was burning hash to generate txs and take over the chain?

That's the big flaw I pointed out in my original comment, that I suspect may
exist.

~~~
csomar
> In both Bitcoin and Iota, we never reach an absolute certainty.

That's not correct. You are only uncertain in bitcoin when there are two equal
(hash wise) blocks. This happens very rarely. That's not the case in IOTA
since it does happen all the time and I'm guessing somebody could calculate
txs to make it happen on purpose.

~~~
lojack
> This happens very rarely

Not true. Orphaned blocks happen all the time.
https://blockchain.info/orphaned-blocks

> You are only uncertain in bitcoin when there are two equal (hash wise)
> blocks.

Not true. It's possible to see the longest chain and not know about another
chain that is of equal length. Nodes won't propagate chains that are of equal
length to their current chain, so this is actually probably a somewhat common
scenario. There have also been a number of orphaned blocks of length 2, 3, and
4. That means it's totally possible (not likely, but not outside the realm of
possibilities) for a node to be working on a chain and have never seen the
correct previous block.
https://bitcoin.stackexchange.com/questions/3343/what-is-the-longest-blockchain-fork-that-has-been-orphaned-to-date

This is all exactly why many nodes don't accept transactions until there are 6
confirmations -- statistically, we shouldn't ever get to an orphan chain of
length 6 even though it's technically possible (outside of bugs).

FWIW, I'm not arguing that IOTA is any more or less secure than Bitcoin.

------
knocte
IOTA is kind of a joke IMHO:

* They have this thing called the "coordinator" which is a master-node run by them, which is a single point of failure. The codebase that this node runs is proprietary software. They claim there will be no need for this masternode in the long run but they never say any ETA about when to remove it (which hints that removing it may always expose the security flaws of their network). This means it's Proof of Authority instead of Proof of Work, therefore, not decentralized.

* It's 100% premined, which smells as scammy as Ripple. It's not a coin, it's an entity handing you gift vouchers with their name on it.

* I've heard they rolled their own crypto. Yes, let that sink. Haven't verified this myself though.

* There's no way for new nodes joining the network to recover the full history of the transactions (an IOTA speaker told me there are some public FTP servers or something where you can get a copy...). So yeah, it's an "append and forget" blockchain, lol.

Be prepared for a big (& deserved) crash.

~~~
jp_rider
It appears their own crypto was already vulnerable. A friend pointed me to
this article:

https://www.forbes.com/sites/amycastor/2017/09/07/mit-and-bu-researchers-uncover-critical-security-flaw-in-2b-cryptocurrency-iota/

He was also concerned that there's no security proof in the whitepaper. To me,
it seems like you could feasibly launch an attack with less than a majority of
the computing resources.

~~~
Buttes
My understanding is you only need 33% of the hash power _at any given time_.
Since PoW is only done as part of sending transactions, it probably takes less
hash power than you'd think to cause problems.

~~~
EGreg
Why does everyone repeat that Byzantine consensus requires maximum 33% of
participants to be dishonest?

If messages cannot be forged, then a consensus could make positive progress
with even 99% of participants being dishonest.

~~~
Buttes
>Why does everyone repeat that Byzantine consensus requires maximum 33% of
participants to be dishonest?

Not 33% of participants, 33% of the hash power, could just be one participant
with a pile of GPUs or ASICs or "JINN" chips lol. That's the claim made by the
IOTA author, anyway.

Right now it wouldn't surprise me if someone could amass 90+% of IOTA hash
power anyway.

>If messages cannot be forged

Tbh this is not even a given with IOTA.

~~~
EGreg
Okay but it was more of a general question. I see Hashgraph and others always
saying that they need 33% of participants to be honest. But with unforgeable
message signatures that limitation doesn't apply.

~~~
pas
Virtual Voting in hashgraph requires a 2/3 agreement.

Of course PoW provides some protection against sybil attacks, but the reality
is that with enough hashpower the network can be overtaken. (Hence why
HashGraph is a closed network.)

~~~
EGreg
What does POW have to do with Hashgraph? It doesn't use POW.

~~~
pas
oops right, I mixed up IOTA with HashGraph.

------
_throwaway28475
I read through the IOTA whitepaper a while ago, and while I find the general
idea of a DAG-based approach interesting I wasn't able to understand their
trust concept or even basic implementation details of their consensus
algorithms (which are not detailed in the paper).

As an example, one of their core claims is that it's possible to do offline
transactions on a tangle (=DAG) that is isolated from the main tangle and that
can be merged later. What I didn't understand is how they resolve the double
spending problem with this: If two devices create valid transactions on two
independent subtangles and the system tries to reconcile these tangles into
the main tangle afterwards, how do they determine which transaction is valid?

Also, I could never get my head around the idea of a decentralized IoT data
marketplace. I mean, it really sounds catchy but when you start thinking about
possible applications it's actually quite hard to come up with something that
seems both interesting and doable.

Finally, no one seems to think about the privacy implications of having IoT
data (which often is person-related or person-relatable and therefore under
the protection of the GDPR) on a decentralized system where you basically lose
control over the data the moment you upload it. From a data protection
perspective this is an absolute nightmare.

~~~
lewi

> If two devices create valid transactions on two independent subtangles and the system tries to reconcile these tangles into the main tangle afterwards, how do they determine which transaction is valid?

The subtangle with the highest weight.

> when you start thinking about possible applications it's actually quite hard to come up with something that seems both interesting and doable.

I can think of a number of niche examples that would benefit from both data
security and a value settlement layer.

> no one seems to think about the privacy implications of having IoT data

This is constantly being thought about. GDPR compliance is quite a tricky one,
then you have Japan which even classifies the hash of personal data as
controlled. This doesn't mean it's being left behind.

~~~
phire
_> The subtangle with the highest weight._

Which is not an acceptable answer, at least from the perspective of an offline
node accepting payment. People will exploit it by paying an offline vendor,
taking the goods then rushing online to create a doublespend which reverts the
transaction.

So offline vendors will never accept it as payment, and the entire feature is
useless.

~~~
lojack
Who said anything about offline nodes accepting payments? I wouldn’t expect
transactions to even be remotely possible offline.

~~~
ThePhysicist
In my understanding, the ability to make transactions on a sub-tangle while
not connected to the main network is sold as one of the main advantages by the
IOTA creators.

------
DalasNoin
After a security vulnerability in a self-made hash function of iota was
discovered, they claimed that it had been included to stop people from copying
iota. While I don't believe them, it does show something about the personality
and professionality of the people behind iota.

https://gist.github.com/Come-from-Beyond/a84ab8615aac13a4543c786f9e35b84a

~~~
minxomat
I was asked by the IOTA team to work on GPU acceleration for "their" ""hash""
algorithm. Not only was there no documentation or even comments for that
matter, everyone has been less than helpful. They also insulted part of their
contributors as "too autistic to write documentation".

Finally, they wanted to pay me in IOTA, which was the point I walked away.

I'm sure there's more going on there, but I wouldn't want to know. I'm not
touching this cc with a 10 foot pole.

------
wyldfire
Bruce Schneier had this to say about IOTA:

> In 2017, leaving your crypto algorithm vulnerable to differential
> cryptanalysis is a rookie mistake. It says that no one of any calibre
> analyzed their system, and that the odds that their fix makes the system
> secure is low

------
albertgoeswoof
I've reviewed the IOTA paper and some docs on it. It seems too good to be
true, if it works it's much better (faster, free) than block chain
cryptocurrencies with no downsides. I am surprised that no one else has come
up with this approach so far, why is that?

The only downside it's not currently decentralized, and requires a "conductor"
to run securely, which will be removed in the future, apparently. The other
criticisms are at the first implementation (rolling own crypto), which is an
error that impacts confidence in the team but not the currency / concept.

~~~
tfha
It is too good to be true. And it's not true. You will not be able to find any
major bitcoin devs saying anything encouraging about iota. Nor
tangle/braid/dag researchers. Nor ethereum devs. Nor respected academics.

Why? Because everyone serious who has taken time to look at the paper has
realized it's not a valuable project, and makes plenty of claims it can't back
up.

~~~
carolita
And WHY would that be that no Bitcoin dev says good things about another
crypto? Hmm, no conflict of interest at all.

------
nadam
IOTA fans say that IOTA is scalable and capable of microtransactions. They
often say that it gets faster and faster as there are more transactions, which
seems to be incredible bullshit to me. I started to read the whitepaper, but
I just don't understand how it is scalable. The whitepaper goes into details
about how the transaction DAG is maintained, but absolutely basic things seem
to be missing: Are nodes all full nodes? Is the history stored on all nodes?
Is account state stored on all nodes? There is another project which is
designed specifically to be extremely scalable, called EOS
(https://github.com/EOSIO/Documentation/blob/master/TechnicalWhitePaper.md).
Reading its whitepaper I understood how EOS is scalable pretty clearly. I
cannot understand the IOTA whitepaper at all. At least not how it is scalable.
Currently IOTA seems to me a project that wants to impress people with good-
sounding concepts like DAG, ternary number system, etc... but does not seem to
be good engineering to me. Or at least its whitepaper is extremely poorly
written and missing critical information IMHO.

~~~
tfha
EOS has made security compromises though. If you aren't validating every
transaction on the network yourself you have no way to be certain that the
money you are being paid is legitimate

~~~
nadam
Token holders vote for 21 block producers. Pretty much all of these block
producers have to be controlled by the same malicious party so that an invalid
transaction could go through unnoticed. (In fact I think even more than 21
nodes will track the network, as runners-up are rewarded also to some extent.)
Malicious block producers, when noticed, are voted out of the system by token
holders probably forever. Unlike in case of most other currencies, block
producers will be actual respectable 'real world' people (but the physical
location of their servers will be unknown).

In fact one can say that in case of POW if an entity can get cheaper
electricity than others, it can happen the mining is unprofitable for everyone
except this entity, so the system can become centralized simply by fierce
competition to mine efficiently. I am not saying that I know for sure which
will be the more secure method in the future: I have diversified my
investments into DPOS and POW based currencies (BTC, DASH, EOS)

------
the_esq
Rumblings of pump and dump, up 100% per day for a week, more than 70% of
volume on bitfinex, hmmm.

~~~
lewi
This article has incorrect figures:
[https://coinmarketcap.com/currencies/iota/#markets](https://coinmarketcap.com/currencies/iota/#markets)

------
EGreg
I like that IOTA is taking a non-blockchain approach. Many people might also
be inspired by that.

I recently wrote a paper on eliminating double-spending _without_ relying on
global consensus. If there are any cryptographers or security researchers in
the audience, I would be interested in hearing your analysis / critique.

[https://intercoin.org/technical.pdf](https://intercoin.org/technical.pdf)

Most of it has pretty straightforward elements so the security properties can
be more or less proven, but still I want to hear what the major caveats are.

So far I just heard that it's similar to IOTA and there MAY be some attack,
but I would love to hear more specific ideas if they jump out at anyone.

[https://twitter.com/joelkatz/status/937455420465061888](https://twitter.com/joelkatz/status/937455420465061888)

------
mntmn
I've looked a bit into IOTA over the past weeks because I was trying to
understand how it actually works. I still do not fully understand how the
Tangle structure actually functions as a process and/or how it solves
scalability issues. If someone smarter than me could enlighten me on this, I
would be very thankful.

As far as I understand, one main difference between IOTA and classic
blockchains is that there are no explicit mining nodes in the system who
confirm all the transactions. Instead, if you issue a new transaction, you
have to confirm (sign) 2 prior transactions first and do a little round of
Proof-of-Work. These 2 prior transactions are called "tips" and are selected
by a random walk. I'm not sure who exactly selects the tips (can you select
the same ones over and over?) and if the correct tip selection is somehow
enforced.

There was a controversy about the homebrew "Curl-P" hash function (P
supposedly means Prototype according to the author Come-From-Beyond,
previously involved with NXT). After a bumpy responsible disclosure process,
MIT researchers Neha Narula et al published these findings:
https://github.com/mit-dci/tangled-curl/blob/master/vuln-iota.md and
an accompanying Medium post. IOTA Foundation dismissed the vulnerability as
non-practical, but switched part of their crypto to Keccak instead:
https://blog.iota.org/curl-disclosure-beyond-the-headline-1814048d08ef

So in the IOTA codebase, there is now "curl" (not to be confused with the HTTP
library), which is based on the proprietary crypto, and "kerl", which is based
on Keccak. Curl is still used for the PoW while I think kerl is now used for
other signing.

Here is a C implementation that is interesting to browse:
https://github.com/iotaledger/ccurl/tree/master/src/lib

A bit of an odd aspect of IOTA is the legacy of a ternary number system that
is used in the crypto functions. That's why you have to convert your payloads
to and from a base-27 encoding scheme ("trytes", alphabet [9A-Z]), which felt
strange for me when I wrote some proof-of-concept code trying to use the IOTA
libraries. Instead of switching to more established encoding schemes, the IOTA
team defends this choice by pointing to future mystery hardware accelerators
("Jinn" etc.) that are supposed to use this ternary system for more memory-
efficient calculation. A purported long-haul strategy that is sometimes
mentioned is the distribution of such custom processors by IOTA in the future
targeting embedded hardware. As an FPGA/Hardware developer myself, I'm
extremely skeptical about all of this voodoo and do not understand why so many
people seem not to mind it, especially the industry partners like Microsoft
and Fujitsu. It would certainly help if the IOTA foundation would disclose
more details about these mystery machines.

In summary, I find the general approach of IOTA interesting and worthwhile, but
there are some strange aspects in the software (not to mention all that
coordinator business and the full-system snapshots that lose all message data
once in a while) that I wish would be thoroughly addressed by employing more of
the KISS principle and less NIH.
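As an added example (not code from the thread or from the IOTA libraries), here is the base-27 tryte encoding described above, together with the balanced-ternary trit expansion the hash functions work on. The byte-to-tryte split (b % 27, then b // 27) is the one the IOTA client libraries use for ASCII payloads; everything else follows from the [9A-Z] alphabet.

```python
# Added example (not from the thread or the IOTA libraries): the base-27
# "tryte" encoding with alphabet [9A-Z] that the comment above describes.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def ascii_to_trytes(text: str) -> str:
    """Each byte b becomes two trytes, b % 27 then b // 27 (low digit
    first), the split the IOTA client libraries use for ASCII payloads."""
    out = []
    for ch in text:
        b = ord(ch)
        if b > 255:
            raise ValueError("only single-byte characters can be encoded")
        out.append(TRYTE_ALPHABET[b % 27] + TRYTE_ALPHABET[b // 27])
    return "".join(out)

def trytes_to_ascii(trytes: str) -> str:
    """Inverse of ascii_to_trytes; rejects odd lengths and bad characters."""
    if len(trytes) % 2:
        raise ValueError("ASCII payload trytes must come in pairs")
    chars = []
    for i in range(0, len(trytes), 2):
        lo = TRYTE_ALPHABET.index(trytes[i])      # raises on non-tryte chars
        hi = TRYTE_ALPHABET.index(trytes[i + 1])
        chars.append(chr(lo + 27 * hi))
    return "".join(chars)

def trytes_to_trits(trytes: str) -> list:
    """Balanced-ternary view used by the hash functions: tryte value in
    -13..13 ('9'=0, 'A'..'M'=1..13, 'N'..'Z'=-13..-1) -> 3 trits, LSB first."""
    trits = []
    for t in trytes:
        v = TRYTE_ALPHABET.index(t)
        if v > 13:
            v -= 27                      # N..Z are the negative values
        for _ in range(3):
            r = (v + 1) % 3 - 1          # balanced remainder in {-1, 0, 1}
            trits.append(r)
            v = (v - r) // 3
    return trits

def trits_to_trytes(trits: list) -> str:
    """Inverse of trytes_to_trits; trit count must be a multiple of 3."""
    if len(trits) % 3:
        raise ValueError("trit count must be a multiple of 3")
    out = []
    for i in range(0, len(trits), 3):
        v = trits[i] + 3 * trits[i + 1] + 9 * trits[i + 2]
        out.append(TRYTE_ALPHABET[v % 27])   # maps -13..-1 onto N..Z
    return "".join(out)
```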

~~~
Cakez0r
Any idea what this
([https://github.com/iotaledger/ccurl/blob/master/src/lib/curl...](https://github.com/iotaledger/ccurl/blob/master/src/lib/curl.c#L74))
is for in their c implementation?

------
BLanen
Skeptical of IOTA.

Built on promises that have no proof: Coordinator can be disabled, scaling.

Also, it pretends to be open-source but you can't build it yourself because
they won't release their real code out of fear of 'copying'...

I like the lack of PoW though, a foundation issuing funds at regular times
could fulfill this function without wasting a world of energy.

DISCLAIMER: rode a 50% gain wave and sold.

~~~
carolita
Only part not open source is the coordinator, which will eventually be
disclosed too when the time is right.

------
dimillian
I don't really care about all the fluff & stuff behind all those alts, I just
bought it very low at very high quantity, and sold it when it was higher. I
love cryptos, whatever the use for it. It's free money. While it lasts.

------
tanglebob
I think raiblocks is closer to solving what iota is claiming to solve.

~~~
wyldfire
raiblocks is intriguing. I normally don't care for coins that aren't trustless
but I'm curious to see where raiblocks can go.

------
runeks
I feel like sharing a curious e-mail encounter I had with IOTA founder David
Sønstebø.

After writing a blog post about the limitations of the Bitcoin blockchain,
which got some attention on HN[1], I received an e-mail from someone named David
(I didn't know who he was at the time), asking me:

> Hey Rune,

> I read your interesting article analysis of Bitcoin limitations. I was
> wondering if you have had any time to check out IOTA (www.iota.org) and the
> p2p Flash Network within it ([https://blog.iota.org/instant-feeless-flash-channels-88572d9...](https://blog.iota.org/instant-feeless-flash-channels-88572d9a4385))?

> [..]

Assuming this was just some random person asking for my opinion on IOTA, I
replied with a critique, pointing out two weaknesses I was familiar with:

> The only thing I know about IOTA is that it’s centralized, through the so-
> called Coordinator. This makes it uninteresting to me. As I understand, the
> IOTA team argues that this is just a preliminary precaution, which will
> change as the size of the network grows, but I’m skeptical of this claim. In
> any case, until it actually becomes decentralized, I don’t think I will have
> enough interest in it to learn how it works. So I think I will wait for this
> to happen before taking the time to learn about the system. Also, I know
> that the IOTA team designed their own hash function, which turned out to be
> vulnerable to collision attacks, which sounds rather amateurish to me.

He promptly replied to this critique -- which I thought I was offering someone
seeking advice on the soundness of IOTA -- informing me that

> As the founder of IOTA I can answer these questions: [...]

Proceeding with a rebuttal[2] of the weaknesses I had pointed out, even though
_he_ was the one who had asked me, despite the fact that he didn't need any
information about IOTA at all in the first place (given that he created it).

[1]
[https://news.ycombinator.com/item?id=15427662](https://news.ycombinator.com/item?id=15427662)

[2] > 1) The Coordinator is quasi-centralized, you as a programmer can easily
> opt out of it if you want, it is not enforced upon you as a user, it's simply
> a "best practice" at the moment. Tangle is made to scale, so the argument is
> indeed that the Coordinator is only now in place to prevent against the 34%
> attack that all DLTs suffer from until the network has scaled. I don't see
> anything controversial about this, it is the only way to reach a truly
> decentralized scalable ledger. It is no different from Satoshi firing up his
> first miners to get the Bitcoin network to work in the first place. The
> Coordinator will very shortly also be distributed to consist of numerous
> nodes, at which point it will be a lot more decentralized. These are all
> well-known steps towards the long-term goal. IOTA never claimed to be production
> ready, nor do we do any handwavy nonsense like Ethereum and Bitcoin core
> mantras "we'll solve it with some computer science breakthroughs in the
> future", IOTA's roadmap is very simple and straightforward.

> 2) The hash function story has been so misrepresented and blown out of
> proportion it is comical. I'll spare you the pointless drama and conflict of
> interest from the guys carrying out the hit piece and only focus on what is
> important, in short: We spoke with the Keccak team back in 2014 about
> creating a trinary sponge based hash function for the inevitable arrival of
> trinary processors (we have designed our own as well) as ANNs, photonics,
> spintronics etc. all favor trinary over binary, hence we need a trinary hash
> function that is lightweight for IoT which utilize such chips. 'Curl' was
> born. The best way to thoroughly vet a hash function (which is vital) is to
> put it out there with a big incentive to crack it. This is what we did. Even
> if someone had broken the hash function entirely (no one ever did) there was
> no threat to the network due to the precautionary steps in place, and the
> fact that we had Keccak as back up as safety precaution #10. Right now we
> are working with several world-leading cryptographers, including your fellow
> countrymen of [http://cybercrypt.dk/company/](http://cybercrypt.dk/company/)
> on further developing and optimizing Curl. This is far from amateurish, it
> is simply leading the way through genuine invention. Lightweight hash
> function development is a very active field of research.

> 3) We also invented full Proof of Stake, the first decentralized exchange,
> the first decentralized voting protocol, decentralized marketplace in 2013,
> pioneered using blockchain for ID, Supply Chain and IoT in 2014-2015. So
> while we're known to push boundaries, we have so far always been vindicated
> later on. IOTA being the first ledger to disrupt blockchain itself is a
> testament to this, but is naturally very hard to swallow for a lot of
> blockchain maximalists. However, when it comes to actual researchers the
> reception tends to be very positive, and as for companies we work with
> everyone from Cisco to Maersk to Bosch to Microsoft to IBM to Statoil, so
> outside of the niche cryptosphere the interest is mounting daily, due to the
> fact that they have concluded that they can't use blockchain due to its
> inherent scaling and fee limitations. I mention this so you realize that we
> didn't just hack some random shit together like most people do in this
> space.

> 4) [...]

------
handbanana
IOTA has an awful site, and their github isn't impressive (in terms of
commits/contributors/pulse). I don't bother with coins/tokens that have sites
that resemble scammy ICO sites, and if there's a github I can look at - I
prefer to see lots of activity/commits/a pulse.

Maybe IOTA is great. But I can't bring myself to look further into it because
of the site + github

------
granaldo
So IOTA hit about a $6.00 high today
[https://www.coingecko.com/en/price_charts/iota/usd](https://www.coingecko.com/en/price_charts/iota/usd)

and down to $3.70 and looks like it is picking up again.

Market can stay irrational for a long time

------
romanovcode
The new cryptocurrencies to me seem like the new HYIP schemes.

------
NSHippie
To the mooon, lambo.

~~~
wolfgke
Rather: Three cats and the moon:

> [https://www.coindesk.com/3-dead-cats-moon-bitcoin-market-dyn...](https://www.coindesk.com/3-dead-cats-moon-bitcoin-market-dynamics-explained/)

~~~
Double_a_92
In hindsight you can find patterns in everything.

Also those "dead cats" were just random fluctuations.

~~~
wolfgke
I know. But if there is a hype bubble, it cashes out to have a very compelling
story with which one can explain the world.

------
dbcooper
Are there any transactions on their blockchain?

~~~
lewi
None, as it doesn't have one. It uses a different DLT architecture called a
Directed Acyclic Graph (DAG), known as The Tangle.

~~~
phaemon
A blockchain is a DAG. Just one with no branches. Like, if in using Git you
never branched but only used `master` for everything: that's a blockchain.

------
ringaroundthetx
So is anyone double spending the sh*t out of this, and if so, where?

would we be able to tell?

That's the kind of post we should be seeing on Hacker News

------
yestur
E

