
Ethereum: A Turing-Complete Cryptocurrency - gottagetmac
http://ethereum.org/ethereum.html
======
gatehouse
Trying to figure out a couple things (from pastebin link):

1\. What protection against non-halting?

contracts are "funded" upon creation, and by those who issue transactions to
the contract. if there are specific fees required by the contract to perform
an action, it must be enforced by the contract itself. the cost of computation
will eventually exhaust the contract's funding it fails.

2\. what are the long-term economics? (i.e. is coin supply unlimited or
limited and at what rate of decay)

    
    
        line 90

\- planned fundraising period with issuance of 10000 ether per BTC contributed

\- other coins will be issued so the initial money supply is 15000 times the
contributed BTC amount, with 0.25x (i.e. 16.67%) to the founders, same amount
to fund the Etherium organization. Division of BTC not specified.

\- the mining reward will be 1/3 of the initial supply, per year, perpetually
(i.e. 1/2 the contributor's reward.) So the money supply increases linearly.

3\. if a person's only goal was to use the blockchain to store data, what
would be cost per byte, and is there a max rate?

    
    
        line 385 to 399
    

\- A contract is "funded" when it is created, and the computation performed by
the contract consumes the funds.

\- storage of a "data item" in contract memory costs 100 _x_ where _x_ =
floor(10^21 / floor(difficulty ^ 0.5))

\- don't see the limit/cost of data items bound to transactions as per
transaction definition on line 133

anyway it takes courage to name a currency after a drug like ether.

~~~
Geee
I don't think anyone associates ether with a drug first.

From Thesaurus: "ether - the fifth and highest element after air and earth and
fire and water; was believed to be the substance composing all heavenly
bodies"

~~~
eigenrick
"There is nothing in the world more helpless and irresponsible and depraved
than a man in the depths of an ethereum binge."

    
    
          Appologies to Hunter S. Thompson

------
waterlesscloud
The page doesn't say who is behind it, but the wiki is edited by user
"vbuterin".

So maybe it's Vitalik Buterin, one of the more interesting cryptocurrency
thinkers out there. Hmm.

[http://about.me/vitalik_buterin](http://about.me/vitalik_buterin)

~~~
bendoernberg
This is indeed Vitalik's project, you can read the whitepaper on his website:
[http://vitalik.ca/ethereum.html](http://vitalik.ca/ethereum.html)

------
amluto
I don't know if the Etherium people are looking for comments, but here are a
few.

I think that Dagger has serious issues. First, the spec is buggy: the text
says that eight bottom-level nodes are hashed together, but the pseudocode
only uses four. Second, it does _not_ require 512MB per thread; it requires
512MB of write-once, read-many-times memory, shared by all threads; this
property seems to be asking for a rather large ASIC (or a smaller ASIC backed
by some multi-port SRAM) to have a huge advantage.

Also, what's up with the choice of secp256k1? It's at least less likely to be
backdoored by evil choice of parameters than, say, P-256, but there are many
better choices out there (e.g. curve25519 or some of its larger variants).
Those better variants have the big advantage (especially in this application)
of having faster verification operations.

(The fastest-to-verify option would probably be plain ol' RSA, but signatures
are rather large.)

------
benhamner
Text content: [http://pastebin.com/NCGRv74u](http://pastebin.com/NCGRv74u)

(Saw comments that the site went down and still had it loaded on my machine)

~~~
fragsworth
I'm still trying to understand how the whole system works. It appears to be
groundbreaking but I'm not really sure. The last sentence in the document
should catch your interest:

"As a result, we have a cryptocurrency protocol whose codebase is very small,
and yet which can do anything that any cryptocurrency will ever be able to
do."

~~~
redler
Unless one considers the lack of Turing-completeness to be a feature (as
Bitcoin apparently does, pointed out in a few other comments here).

~~~
phreeza
it mentions the ability to create subcurrencies, so probably you could create
a subcurrency that isn't Turing complete?

------
alptrv
The site is down for many hours. The cached version:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://ethereum.org/ethereum.html)

------
jaekwon
Is there a dedicated forum or mailing list for further discussion?

~~~
nadaviv
[http://www.reddit.com/r/ethereum/](http://www.reddit.com/r/ethereum/)

------
pipeep
I think the clever idea here (IMO) are the fees. An argument against
implementing a Turing complete language inside Bitcoin or an Altcoin might be
that it's hard to determine when execution should end. The fees allow
arbitrarily complex constructs without any hard cap, while preventing abuse.

~~~
nullc
Except it pays the wrong people. In Bitcoin, at least, miners are kept honest
by other people running nodes that limit what miners can do. In this protocol
the validation would become very expensive but only the miners are paid. This
sounds like trouble.

~~~
fragsworth
Don't all the miners have to run the entire program, so they are validating
each other?

~~~
maaku
No, the mine pool operator has to, but no more than once to cover every miner
in his pool. To draw a comparison to bitcoin, there might only be a dozen or
so pool entities which receive nearly all of the subsidy and transaction fees,
but thousands of non-mining full nodes.

------
tsmyrnios
They must run their webservers on top of their Turing-Complete
cryptocurrency... their site seems to be down.

------
cornellwright
My first thought was why would one want their currency to be Turing-complete?
It's actually a cool concept though. Being able to have your money make
decisions opens all kinds of possibilities.

~~~
kordless
This allows for the implementation of a completely distributed trading
platform.

~~~
nullc
No it doesn't. Or rather— it's not necessary or sufficient: you can already
trade distributed cryptocoins, and no amount of cryptocoin magic can
completely distribute USD or other non-cryptocoin assets because their
differential counterparty risk makes every promise different.

~~~
kordless
You need a central agency ATM for trading coin. Those guys have to run wallets
and do the transactions in non-trusted space. This skips that.

~~~
kordless
> 6) A full-scale on-chain stock market. Prediction markets are also easy to
> implement as a trivial consequence."

Line 283 of [http://pastebin.com/NCGRv74u](http://pastebin.com/NCGRv74u)

------
nazgulnarsil
My understanding was that a balance based model opened up some pretty serious
security problems, which is why bitcoin didn't use it. I'm dubious of a new
coin as complex as this.

------
wyager
This is a very cool idea. I think it may have some critical flaws, but even
the fact that people are thinking of stuff like this is so cool. Very
singularitarian.

------
aabalkan
Site is down. How do they manage to go down with probably static content, I
have no idea.

~~~
brotchie
With the availability of free CDNs (CloudFlare setup is 30 seconds max) I'm
not sure why static sites have issues with bandwidth these days...

~~~
hippich
cloudflare do not cache html/php/etc stuff and as a result all these request
still going to the hosting server, sometimes killing it.

------
jaekwon
I don't understand _who_ does all the turing complete contract computation.
Presumably the miners, but they're paid to do some useless proof-of-work work,
not the turning complete computation of the contract.

~~~
maaku
The fee goes to the miner who happens to find the containing block, yes. But
not to the thousands of validating nodes integral to the network. And over
time fees are given proportional to hashpower... which doesn't make any kind
of sense. The incentives are all messed up.

~~~
kordless
There aren't thousands of validating nodes. All nodes are computing on jobs in
the system. The incentive is you get paid for processing code for someone.
It's a trusted cloud framework with payment built in. The Dagger page is down.
That'll have the detail on the rewards details for compute.

~~~
jaekwon
Do you have the text for the dagger page?

~~~
tromp
Dagger appears to be inferior to the Cuckoo Cycle proof of work system I
recently developed; see
[https://github.com/tromp/cuckoo](https://github.com/tromp/cuckoo)

Cuckoo Cycle is a new proof of work system with the following features

1) proofs take the form of a length 42 cycle in the Cuckoo graph, so that
verification only requires computing 42 hashes.

2) the graph size (number of nodes) can scale from 1x2^10 to 7x2^29 with 4
bytes needed per node, so memory use scales from 4KB to 14GB

3) running time is roughly linear in memory, at under 1s/4MB

4) there is no time-memory trade-off, and memory access patterns are the worst
possible, making the algorithm constrained by memory latency

5) it has a natural notion of difficulty, namely the number of edges in the
graph; above about 60% of size, a 42-cycle is almost guaranteed, but below 50%
the probability starts to fall sharply

~~~
nazgulnarsil
What creates that upper limit of 7x2^29?

~~~
tromp
the naming convention that allows it to be named cuckoo729.

the program could be rewritten not to use bit 31 as a flag, and then you could
use as many as 2^32-1 nodes, but that's not neatly expressible as MULT*2^SHIFT
with few digits.

------
hnolable
Ripple is also working on the same thing and is supposedly releasing them
"soon": [https://ripple.com/wiki/Contracts](https://ripple.com/wiki/Contracts)

~~~
fragsworth
Unfortunately, Ripple is a worst-case example of pre-mining. I would really
hate to see it take off.

~~~
kylebrown
I would rather see an actual, functional product take off (even without
miners). The resistance to Ripple just enables an endless series of me-too
fundraisers.

The ethereum proposal is the most technical yet. Hopefully it sets a new
minimum bar in the market for crowd-funded vaporware (I'm highly skeptical of
them all).

------
rch
I'm most curious about cryptocurrency algorithms that can be optimally run on
FPGAs, but not ASICs or GPUs. Is there anything along those lines floating
around already?

~~~
phreeza
For what reason are you interested in that? Any such algorithm would have to
make use of the re-programmability of FPGAs, since a static FPGA layout can
always be turned into an ASIC...

~~~
rch
My interest really has nothing to do with cryptocurrency, but I've been
reading about dynamic method migration[0] and modular reconfigurability[1] for
a long time. I can see how some of my professional work could benefit from
'adaptive computing'[2] trends as well. The algorithm I have in mind would
simply be geared towards hardware that I want to own already.

[0]
[http://dx.doi.org/10.1109/IPDPS.2004.1303105](http://dx.doi.org/10.1109/IPDPS.2004.1303105)

[1]
[http://www.doc.ic.ac.uk/~tbecker/papers/iee06.pdf](http://www.doc.ic.ac.uk/~tbecker/papers/iee06.pdf)

[2] [http://www.cray.com/Assets/PDF/about/IDC-
AdaptiveSC.pdf](http://www.cray.com/Assets/PDF/about/IDC-AdaptiveSC.pdf)

------
Geee
Does this mean that arbitrary software can be run in "trusted" way? So that
everyone knows for sure what software is being run?

------
Sergio_D_Lerner
For the record: Qixcoin.com was the first coin to propose a Touring complete
system. It shares 95% of Etherum design.

------
pmcpinto
The site is down for me.

------
chm
How do I mine them?

~~~
sdfow
That's what I'm wondering too. There isn't even a release date

------
cube_yellow
Note that Bitcoin is purposefully not turing complete.
[http://bitcoin.stackexchange.com/questions/17258/turing-
comp...](http://bitcoin.stackexchange.com/questions/17258/turing-completeness-
of-bitcoin-script)

~~~
tlrobinson
I don't really see any reason why it couldn't be Turing complete, as long as
it was completely deterministic (no "rand()" etc) and the specification
included a maximum number of operations (which Bitcoin's Script already does)

What am I missing? Is the idea that without loops the transaction size can be
used to estimate the computation required without actually performing it, and
thus the appropriately sized transaction fee required?

~~~
grondilu
Nakamoto designed script to be non-Turing complete from the very beginning (it
was mentioned in his white paper). I suspect it was for security reasons. You
don't want arbitrary complex code running on miners machine. At the very
least, it could obstruct the system.

~~~
mike_hearn
Script is not mentioned at all in the Bitcoin white paper. Perhaps you are
thinking of a comment he made elsewhere.

Bear in mind that in the Bitcoin design it's not just miners who have to run
scripts, it's all nodes, yet fees accrue only to the miners. Bitcoin does use
fees to try and make computationally expensive transactions financially
expensive as well, but that's just a basic antiflood mechanism, the fees don't
actually get collected by those doing the work.

~~~
grondilu
Wow indeed it is not mentioned. I was sure I had read about it there. I was
wrong. My bad.

------
ChristianMarks
The currency has been hacked.

~~~
fragsworth
Because the site is down?

