MobileCoin: A New Cryptocurrency from Moxie Marlinspike (wired.com)
429 points by golangnews on Dec 15, 2017 | 247 comments

To repeat an earlier comment, this scheme encourages a centralization of trust into a private key managed by processor manufacturers. You might say that by integrating SGX mechanisms into your security model, you create a set of 'feudal lords' [1] who can wield their power over you.

A manufacturer may 'legitimately' establish an enclave in your most trusted hardware which you may not audit or even measure. And if that security model becomes commonplace, for example when only allowing Widevine DRM inside SGX, you eventually cannot use your self-chosen hardware, but will have to pick a feudal lord from a limited set of 'ecosystem choices'.

[1] https://www.schneier.com/blog/archives/2013/06/more_on_feuda...

I still think it's an interesting approach. If you want to be more efficient and less wasteful than Bitcoin, at some point trust has to come into play. And reducing your trust to the manufacturers of secure enclaves (whose products can also be audited to a degree) is surely an improvement still, even if it doesn't have the radical threat model of conventional cryptocurrencies (which inevitably run into scaling problems because they mostly rely on proof-of-work).

Also, the article mentions the de facto centralization of trust in the current cryptocurrency ecosystem - so pragmatically, it's not much better there. From centralized exchanges, to centralized mining cartels, what does something like Bitcoin have left to offer?

Bitcoin uses proof-of-work for its consensus system, but not all cryptocurrencies do. Bitcoin is a technological wonder, but it's ultimately not as advanced as its younger brethren.

The Stellar Consensus Protocol, which MobileCoin say they're using, uses something more akin to a web of trust rather than proof-of-work. You do not need SGX to get rid of proof-of-work.

> Bitcoin is a technological wonder

Oh, dear lord.

> ultimately not as advanced as its younger brethren.

These must then be simply out of this world. Superwonder technologies. Double digit transactions per second!! /$

The hype around this piece of software is getting out of hand.

I read that like: "A stone wheel? Man, it's not revolutionary at all. It's heavy. And hard to make. It's not practical and currently unusable for real purposes."

Said by a guy who just witnessed the historical invention of the wheel.

point 1:

The wheel was, in fact, one of the first instances of a centralized structure replacing an inefficient distributed structure.

The central "hub" of a wheel bears the load and the "edge condition" is the substantially reduced "rolling friction".

This is in contrast to ye old "distributed load" way of a zillion poor slaves pulling a load.

So as far as the "wheel" goes, VISA is a chariot, and Bitcoin is an army of slaves pulling a wheel-less load.

And in fact, the "facts" prove this. Almost 400 kWh per transaction, and that at the feeble rate of 7 tx/sec.

That is your "technological wonder".

point 2:

"Technological wonder[s]" of this time -- now -- are Machine Learning, CRISPR, etc. These are the "inventions" to pay attention to, not a thinly disguised play by private wealth to finally fully take out the national governments from the monetary system loop.

That CJW -- Crypto Justice Warriors -- like you fail to see this is the actual "wonder".

I couldn't read your post without hearing your every word dripping with seething anger and disappointment. While your post contains information that has lots of merit, I can't help but see the person that typed this reply as a Big Money VP or someone that's either lost a bunch of money "investing" in crypto, or really fucking pissed they didn't hold onto their Bitcoin. But just to preemptively defuse a reply, here's a funny story: I started mining Bitcoin really early, back when CPU mining was the only thing to do. I ended up selling them (a couple thousand) in January of 2012 to put the down payment on my car.

Just witnessed? I knew about bitcoin long before you did. I assure you of that.

About the wheel. Rolling friction is less than sliding friction... Regrettably that point is probably over your head.

+1 for your ad hom.

Perhaps you do not understand its revolutionary aspects.

Nothing revolutionary about distributed consensus. It was the 2008 financial crisis that brought the anti-banking crowd into frenzy, seeing all sorts of claimed benefits in using this sort of thing for money. They would have been goldbugs or tulip collectors under other circumstances.

Or do you mean the revolutionary scamming techniques never seen before? /s

Trustless Byzantine fault tolerant decentralized consensus as long as < 50% of participants are not acting in concert. That _is_ revolutionary.

Not consensus, probabilistic consensus. And not 50% of participants, 50% of computing power. Those are critical distinctions.

Exactly. Consensus by brute force. It is a curiously anti-democratic design.

But distinctions that make it no less revolutionary.

Probabilistic consensus was not known before bitcoin? Somehow I highly doubt it.

One that was resistant to sybil attacks? Bitcoin was the first system to do that as far as I know.

Before bitcoin you would be unable to create a virtual currency without a central authority. Satoshi's algorithm was a new invention in 2009, although its parts - like proof of work - were invented in the 1990s.

Probabilistic, byzantine fault tolerant consensus was absolutely not known before Bitcoin.

Bitcoin and other crypto coins are a neat idea until their underlying cryptographic primitives are broken. Then they will immediately lose all of their value. Every cryptosystem of the past has been broken at some time.

Bitcoin has problems but I really don’t think that is one of them https://www.quora.com/Has-the-Bitcoin-blockchain-itself-ever...

Indeed. The coin is only as strong as its cryptography, and given enough time, all ciphers can and will be broken.

Until that happens, there's still money to be made!

> and given enough time, all ciphers can and will be broken

Not all ciphers... 3DES and GOST have no practical breaks after 40 years of cryptanalysis (all attacks have > 2^100 time or memory complexity)

Any secure modern 256 bit symmetric primitive is likely safe from large quantum computers.

What will continue to be broken are encryption protocols and systems that misuse modern secure 256-bit primitives. So we will continue to see things like the BEAST attack because non-cryptographers continue to invent their own encryption protocols with alarming frequency.

It's far from ideal though. I think it's actually worse than using banks from a centralization point of view, because you can typically choose between multiple banks.

In this case you only have one single point of failure: Intel. If that breaks, what then?

From a pure efficiency/centralization perspective, there are likely better cryptocurrencies out there. I think Ethereum's sharding network is interesting, too, and it seems to maintain a high-degree of decentralization, but I don't know how easy it will be to implement:


> If you want to be more efficient and less wasteful than Bitcoin, at some point trust has to come into play.

In that case, one might as well go with any of the permissioned blockchains (such as Interplanetary database where the nodes are run by reputed non-profits for a minimal fee).

> From centralized exchanges, to centralized mining cartels, what does something like Bitcoin have left to offer?

I'd say you're being overdramatic here. Mining is still decentralised and if there are any mining cartels, they haven't abused their position yet. It's still possible to buy, sell and spend Bitcoin peer to peer as well.

> I'd say you're being overdramatic here. Mining is still decentralised

Controlled by a handful of people is absolutely not decentralized.

They have abused their power. Ghash double spends. Segwit blocked for a year. Bitcoin cash proxy support.

I think part of the reason Segwit2x failed is that, ultimately, mining wasn't as centralized as everyone assumed. Its proponents had the backing of the major mining pools who controlled the vast majority of the mining power - or so they thought - but it turned out enough of the actual miners had views too and were happy to switch pools to express them that it suddenly looked a lot more precarious than expected.

> Mining is still decentralised

Wait what, no.

You can either audit something fully or not at all. Your secure enclaves cannot be audited; it would be a pointless task: if you find nothing it just means it could be in the area you cannot audit. If you do find something then it almost guarantees that something else exists in the secure enclaves.

> I still think it's an interesting approach. If you want to be more efficient and less wasteful than Bitcoin, at some point trust has to come into play

Did you read about Ethereum's Casper and proof of stake? Or DPoS - implemented in EOS et al.?

Yes, the features of SGX mean that we can no longer even see what our computer is doing.

> This means that the ledger is "public" and distributed to all MobileCoin nodes, but will also simultaneously never be accessible or viewable by humans (even the operators of the MobileCoin nodes) so long as SGX and the MobileCoin software remains secure.

It seems unlikely to me that these two things will remain the case.

> A client can perform remote attestation to its MobileCoin node before transmitting its keys into the remote enclave along with a short recovery PIN.

And it seems if SGX gets popped the whole thing comes crumbling down.

Quotes from https://www.mobilecoin.com/whitepaper-en.pdf

Moxie has made it pretty clear through the way Signal operates that Moxie's worldview is one where our feudal lords know better than mere serfs can ever hope to. I'm not at all surprised that yet again trust roots are taken out of the hands of end users.

Seems unnecessarily adversarial of you. I think Moxie has justified his standpoint relatively convincingly, even if you may not agree with it.

And to some degree, the success of Signal, or Signal's protocol as implemented in widely used services such as WhatsApp, supports his approach. If cypherpunk purists had their way, encryption would still only be a thing exclusively used by a slim minority of nerds who are capable of managing PGP and all the complications that come with its fragile nature.

What success of Signal? I use it on Android for texting but only a small percentage of my contacts are even using it.

However I'm not really convinced Signal is all that secure in the Android ecosystem, and I trust Open Whisper Systems even less than bigger tech companies to not fold under pressure.

What I don't understand is why such a person resorts to a nickname, but does use a picture. The US government knows the real name of people like ioerror and moxie marlinspike. It seems pointless to consistently hide the real name to the public.

If your pseudonym carries more clout, and you have even more people in your social life knowing you by the pseudonym, it kind of becomes your 'real' name. Not any different from other persona names like Marilyn Manson, or Marilyn Monroe.

I used to use my online name enough that people were confused when they heard my legal name. Eventually, I decided to change my legal name to save the hassle of having a legal name that nobody actually knew me by, but that's easy in my country (doesn't involve courts or lawyers) and a pain in the ass in most other places.

Nice to meet you, Mr. Vertex Four.

Your argument would be stronger if you didn’t resort to epithets.

Bitcoin was designed to be as decentralised as possible. It turns out this has serious downsides and it’s difficult to pursue the sort of financial revolution it aspires to without social revolution.

This currency chooses different trade-offs which the creators believe will make it more popular because most people don’t need or want trustless transactions. People delegate power for finance, politics and computing not because they are stupid or serfs but because they are willing to sacrifice some autonomy for the speed, ease of use and enforceable contracts which come with a central authority.

If you (re)read the blog post I'm referring to, you'll find that your concerns are very much addressed.

I actually chose to refer to 'feudal security' as coined by Schneier (at least in the context of computer security), because it is such a compelling and balanced approach to the exact same trade-offs you're describing.

> Your argument would be stronger if you didn’t resort to epithets.

No, an argument is strong or weak regardless of whether you like the words used to express it.

The argument would be stronger in the sense that it would be more persuasive. Which if your goal is to convince people is a highly relevant metric of strength to use.

As disappointing as it might be pure logic is rarely enough in the real world.

You state the obvious. The point is to encourage rational thinking and discourage emotional reaction. One person at a time.

That was my first impression as well. That being said, I have a lot of respect for Moxie and his work, so I'd like to give him the benefit of the doubt and am curious to see his response to this point.

> "Nobody actually transacts in cryptocurrency," Goldbard says. "So making something that people can actually use is our first goal. And then we want to find additional ways that people can implement it over time. But initially all we want is to make it so people can actually complete transactions."

Amen. Too few projects have this focus.

One reason, in the U.S. at least, is that you're supposed to pay capital gains on every little bit you spend. There's a bill in Congress right now to exclude crypto transactions under $600 from capital gains, which would be a big help.

Even if you do want to hold long term, you could just replenish what you spend along the way, if it weren't a tax reporting nightmare.

You also do so in the UK and virtually every other country I can think of.

In the U.S. there's already a small-purchase exclusion for foreign currencies.

Bitcoin is not a currency for tax purposes in the USA.

Right, which is why you can't exclude small transactions now. The bill I mentioned has been introduced to fix that.

Certain states now require you to report bitcoin gains... so actually it is.

All states require you to pay capital gains tax on Apple stock...it must be a currency then

There are a lot of ways of defining what a currency is or is not. Taxing gains on it is one way. Another way is having an official body say so, which has happened in several US court cases.

Nope. You only have to report capital gains in excess of your annual allowance, which is £11,300 at the moment.

You still have to record them. Also don’t forget that if you have an ISA, other savings and investments that allowance isn’t that big.

As an individual, if you mine you have to record the value as it was at the time of mining; if you buy, you record it at the time of purchase, and you pay capital gains if you exchange the crypto for fiat currency or goods or services directly, on the difference between the values. It gets more complicated since you can't select an individual currency unit from your wallet, but at the moment you are allowed to use creative accounting for that.

The fact that you have an allowance doesn't mean it's not taxed, and if you have any substantial amount you'll blow through that allowance pretty darn fast.

You only record them if you otherwise do self-assessment for tax. If you don't even do self-assessment you do not claim if the gain is below £11k, unless the total sale is in excess of £45k.

I don’t believe any assets held in an ISA have any bearing at all on your capital gains allowance.

This is correct, gains in ISAs are tax free and have no impact on the CGT allowance. So if cryptocurrencies were a good investment an ISA would be an excellent place to hold them and convert gains to currency you can spend, but I don't think any ISA providers support them.

They don’t have impact unless you sell or cash out.

The same goes for many other assets you pay cgt only when the profit is realized.

No, you don't ever pay CGT on gains in an ISA, that's the whole point of them. So if you could hold bitcoin (at the moment only an ETF is possible), there are no taxes on gains.


Which is a particularly useful case for Bitcoin ETFs

Not wishing to be overly pedantic, but you have to report in any of the following circumstances:

* Capital gains in excess of £11,300
* Disposals (sales) in excess of £45,200
* Losses that you wish to claim


Worth noting e.g. if you receive stock under US company schemes and sell even if you have already been taxed on the gain versus FMV as income. You can be in a circumstance where the taxable gain is under the threshold but disposals are high.

The limit is $10k of cost basis in Australia. No CGT for anything less.

Is that based on a yearly tax allowance which means it’s tied to other investments or is this for an individual transaction?

Do you have link to the proposed text for this bill?

This is secondary to there being no benefit to the average user for transacting in crypto vs Visa. What incentive is there for an end user to use even a hypothetically optimal crypto system? Then is that incentive sufficient to overcome network effects?

The appropriate and interesting applications of crypto seem to be totally leaving p2p cash behind - it just doesn't seem like a good fit.

The hypothetically optimal crypto system would be cheaper for merchants, correct? So it would have wider adoption than Visa, at the very least.

I do agree that crypto keeps drifting away from p2p cash ... that's a good observation. But I hope people keep shooting at that target.

> The hypothetically optimal crypto system would be cheaper for merchants

Incorrect. Decentralization is always more expensive and slower than a centralized system (both hypothetically optimal) due to the extra sync cost.

You're mixing cost and price. Let's say the cost of a Visa transaction is 0.1% and the price is 2.5% while the cost and price of a MobileCoin transaction are 0.2%. It costs more but it's still cheaper for merchants.

Cash is cheaper for merchants, but people have only continued to use credit cards more. Further, if crypto becomes attractive from a cost perspective Visa will just be forced to bring down fees and stay competitive. It's pretty near impossible to imagine crypto with costs less than Visa's database.

Cash isn't necessarily cheaper for merchants once you account for handling, security, and theft.

There's a shop near me that has had its card payments out of commission for about a week. They are having to bring in staff for additional hours due to the fact that the transactions typically take longer and you have the cash to handle at end of day. I doubt it's a negligible additional cost.

Credit cards are more convenient than cash. If crypto can be equally convenient (which I think it can -- see venmo), I imagine people will use it. Are the savings of centralization really enough that Visa will be able to stay competitive and profitable?

I don't doubt Visa will continue to be used, but I imagine it will be for fraud protection rather than cost.

A wire transfer fee to China would cost me ~$45. Sending it in bitcoin would cost ~$17.

While you take on a huge amount of risk. Congratulations on "saving" that $28.

Not to mention since you can't really spend bitcoins you'll have to pay more for conversions to national currencies on both ends.

This is a great example of where crypto would be useful. But it's not the same as paying for pizza.

Actually, even less than that. To get an avg sized txn sent within the next 14 hours it would cost:

226 * 100 * 0.0000001 * $17761 = $4.01


How much was the exchange difference?

No idea. I just went into the bank and said I needed to send money to China.

What's the benefit of using email over equivalent closed systems?

Pseudonymity/anonymity, for one. You can freely transact across borders, for another.

That's really only useful to a small number of users, relative to the overall size of the economy, and many of them are doing things that aren't legal. Not a market I'd probably target if I was going for mass adoption.

Anonymity is something people give up without knowing. If all cryptos opted for default privacy, things would have been different.

With bitcoin, a merchant you make payments to can potentially find your wealth, or another can deny a transaction to you because you donated somewhere.

These are not doomsday scenarios, this happens today and will happen more if we do not choose privacy.

Gambling and porn are both quite popular.

For me, it is privacy. Cash is too cumbersome to deal with, that is probably the only reason i use credit cards.

Because you can't get rich building it and you can't get rich hodling it and the press won't create much buzz.

Why can't you get rich building it?

I doubt one would get rich as Bitcoin creators, but one could still make a killing ....

Edit: And this stands to reason. We're relatively later in the game, and so new contributions are less fundamental by definition.

> Why can't you get rich building it?

Because it defeats the point. There is no "coin" that will exponentially appreciate in value, making you a billionaire. There is also no centralisation, so you cannot be the owner of the payment system in the same way that Paypal or Visa are.

At best you can be the Linus Torvalds of your payment system non-profit. Which would be a good gig in itself. But that comes with lots of hard work, not the easy riches that you can do from some hype-pump-dump scam in less than 6 months.

To build on this comment, the purpose of a currency is to facilitate the transaction of value, not to store value.

If an instrument stores value, it's an asset, not currency. One can of course transact business with assets, but it's a lot more complicated because you have to agree to a valuation. And without a currency, how do you measure that?

Plus, the incentives for assets and currencies are opposed. Currency exists to be spent, but if an asset is appreciating, you'll want to hold it, not trade it.

Bitcoin was advertised as a currency but it's acting like an asset. (And it's regulated like an asset.)

If you create a new class of asset, you can buy in early, hold on, and get rich on appreciation.

But if you invent a new currency? It's like inventing the inch. Even if everyone uses it, that doesn't give you any more length of your own.

> "Nobody actually transacts in cryptocurrency," Goldbard says. "So making something that people can actually use is our first goal. And then we want to find additional ways that people can implement it over time. But initially all we want is to make it so people can actually complete transactions."

This is being solved by Shapeshift.io and XMR.to. I transact in cryptocurrency all the time using these intermediary services with BTC as the usual medium of exchange. It's opened my skeptical eyes about the future of how things will work.

https://xmr.to/ looks waaaay too complicated for the average person to use, which is a nonstarter for the average person.

And it still processes a Bitcoin transaction, correct? So it will be no faster than Bitcoin?

>https://xmr.to/ looks waaaay too complicated for the average person to use, which is a nonstarter for the average person.

OK, that's fine, but services like that could - and will - get much friendlier. I'm just rebutting the quote which is the blanket "no one transacts in cryptocurrency" which is certainly not true for me, even though I felt that way just 2 months ago. Now that I am an active miner of various currencies, I find myself using it quite frequently for random goods/services, even though the plan was really just to convert it quickly into USD fiat to continue reinvesting into the mining operations or to pocket it.

Fair point. I think "no one" here is a rhetorical exaggeration meaning "not very many," which might resolve our disagreement ...

Doesn't lightning network fix this problem?

Tell us all about all the problems Lightning Network fixes once it is actually implemented.

I'm not sure if you're trying to imply that Lightning Network is vaporware, but there are currently three implementations that pass the integration tests:

https://github.com/lightningnetwork/lnd
https://github.com/ElementsProject/lightning
https://github.com/ACINQ/eclair
https://cdecker.github.io/lightning-integration/

Oh, please. You and the other replier knew what I meant by "implemented."

"Code written and passing integration tests" seems like a pretty typical definition to me..?

By that definition I've implemented a search engine, several video games and many other projects that never launched.

Lightning Network has not launched, in the sense of, it is not being used by the community it was designed for. And it never will.

Not vaporware but vaporidea. They never solved the incentive model to open channels, so it is more like real software no one will touch.

What's the problem with the channel-opening incentives? I'm out of that loop, I'm afraid.

Ah, thanks Egor, I hadn't seen that.

Not only has the Lightning Network been implemented across three codebases, version 1 release candidate was released a week and a half ago:


Doesn't Litecoin already use Lightning Network?

Doesn't solve usability, but it solves the slow transaction speeds.

Note: transaction speed is a component of usability

That's possible, but the commenter above you isn't talking about that. He is talking about the fact that it is yet to launch and solve all of the problems it purports to.

It's the best possible fix, one that isn't implemented yet! There's toy-level alpha implementations, with the most naive possible path-finding algorithm that will literally scale to tens of nodes.

Using Stellar’s Federated Byzantine Agreement as a basis for consensus is a solid foundation.

David Mazières’ paper[0] displays strong insights and proofs into the structure of byzantine systems with open membership.

[0]: https://www.stellar.org/papers/stellar-consensus-protocol.pd...
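The Federated Byzantine Agreement idea from the paper above, as an added example that is not code from the page, from Stellar, or from MobileCoin. In SCP each node publishes its own quorum slices (sets of nodes, itself included, whose agreement it accepts), a quorum is a set in which every member has a slice inside the set, and safety depends on every pair of quorums sharing at least one node (quorum intersection). The node names and slices below are constructed; the second configuration shows the failure mode where two trust cliques never intersect, which is the "pick a good set of trusted nodes" caveat raised elsewhere in this thread.

```python
"""Quorum slices, quorums and quorum intersection (Stellar-style FBA).

Added example, not Stellar or MobileCoin code. Slice data is constructed.
"""
from itertools import combinations

# Constructed configuration: A, B, C trust any one peer among themselves;
# D only accepts what A and B jointly agree on.
SLICES_OK = {
    "A": [{"A", "B"}, {"A", "C"}],
    "B": [{"B", "A"}, {"B", "C"}],
    "C": [{"C", "A"}, {"C", "B"}],
    "D": [{"D", "A", "B"}],
}

# Constructed configuration with two disjoint trust cliques: {A,B} and {C,D}
# can each reach agreement on contradictory ledgers.
SLICES_SPLIT = {
    "A": [{"A", "B"}],
    "B": [{"A", "B"}],
    "C": [{"C", "D"}],
    "D": [{"C", "D"}],
}


def is_quorum(nodes, slices):
    """A non-empty set U is a quorum iff every v in U has a slice contained in U."""
    nodes = frozenset(nodes)
    if not nodes:
        return False
    return all(any(s <= nodes for s in slices[v]) for v in nodes)


def all_quorums(slices):
    """Enumerate every quorum by brute force (fine for a handful of nodes)."""
    names = sorted(slices)
    found = set()
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            if is_quorum(subset, slices):
                found.add(frozenset(subset))
    return found


def minimal_quorums(slices):
    """Quorums that contain no smaller quorum; these are what an attacker must split."""
    qs = all_quorums(slices)
    return {q for q in qs if not any(o < q for o in qs)}


def quorum_intersection(slices):
    """Safety condition: every pair of quorums shares at least one node."""
    qs = list(all_quorums(slices))
    return all(q1 & q2 for q1, q2 in combinations(qs, 2))


def disjoint_quorum_pair(slices):
    """Return a witness pair of non-intersecting quorums, or None if safe."""
    qs = list(all_quorums(slices))
    for q1, q2 in combinations(qs, 2):
        if not (q1 & q2):
            return q1, q2
    return None


if __name__ == "__main__":
    for label, cfg in (("ok", SLICES_OK), ("split", SLICES_SPLIT)):
        print(label, "minimal quorums:", sorted(map(sorted, minimal_quorums(cfg))))
        print(label, "quorum intersection:", quorum_intersection(cfg),
              "witness:", disjoint_quorum_pair(cfg))
```

The check is only as good as the slice data it is given: in a real deployment each node chooses its own slices, so "the network" has no single configuration to verify, which is exactly the trust decision the thread is arguing about.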

I wonder where the code for MobileCoin is, or when it will get open-sourced. All GitHub yields currently is this clearly non-affiliated project: https://github.com/mobilecoind/mobilecoin.

I'm not sure I understand correctly, but from what I got, Stellar is a distributed ledger, but not a currency. There are no coins as such. But the upside is that the consensus is reached without a taxing algorithm.

Everyone can run a node, but the whole system is not itself decentralised, because you need "anchors", which are banks or payment processors, to get your money in and out of the system.

So then, what is the point of the decentralised ledger? GNU Taler seems like a more simple solution.

>>Stellar is a distributed ledger, but not a currency. There are no coins as such.

From the Stellar FAQ[1]: "Lumens are the native asset of the Stellar network.

Native means that lumens are built into the network. Asset is how the network refers to an item of value that is stored on the ledger.

One lumen is a unit of digital currency, like a bitcoin.

While you can’t hold a lumen in your hand, they are essential to the Stellar network—they contribute to the ability to move money around the world and to conduct transactions between different currencies quickly and securely."

[1] https://www.stellar.org/lumens/

Stellar is a distributed ledger that has a native currency to make payments easier.

After reading up on Taler, it sounds like a very similar idea to Stellar, but Stellar removes some of the need for trusted authorities.

From the Taler overview: "The system requires an external auditor, such as a government-appointed financial regulatory body, to frequently verify the exchange's databases and check that its bank balance matches the total value of the remaining coins in circulation."

In Stellar, this service is provided by the ledger and the nodes that validate it.

There are other interesting features of the Stellar native currency such as providing a way to transparently convert between currencies when making a payment: https://www.stellar.org/how-it-works/stellar-basics/explaine...

you need "anchors", which are banks or payment processors, to get your money in and out of the system.

You also need exchanges for cryptocurrency[1], so why not admit it from day one and build that concept into the system?

And maybe it's possible to graft a cryptocurrency onto SCP by using consensus to choose nodes which receive freshly "mined" currency.

[1] The mythical closed-loop Bitcoin economy ain't going to happen.

Then why have a decentralized solution at all? Why not just make it like Paypal?

Anchors are not inherent to the Stellar consensus protocol - that is part of how the Stellar coin works, but the consensus protocol doesn't include that, it is just the mechanism for the various nodes coming to a consensus on the blocks.

At no time in history have I found reading and understanding crazy papers as rewarding as right now. I wish I had the balls to actually read and understand bitcoin years ago. Even if this thing becomes nothing, or this is a bubble, I don't care. The fact that there are things that rival fiat money makes me so glad that I'm alive today :)

I was looking into Ripple last night, and it uses something similar[1]: you enter a set of nodes that you trust will not collude together, and an 80% supermajority of those trusted validators propose transactions, and then an 80% supermajority of all nodes on the network accept those transactions for a new consensus.

It's a lot more efficient than Bitcoin (no proof of work, it's just another consensus protocol), but the trade off is that 1) it doesn't have all the feel-good rampant libertarianism of completely untrusted decentralized consensus of Bitcoin 2) you have to pick a good set of trusted nodes and trust them all not to collude

(Ripple has other problems that skeeve me out, but after thinking about it federated consensus isn't one of them. I think a lot of altcoins are using federation, actually...)

[1]: https://ripple.com/build/xrp-ledger-consensus-process/#the-x...

This coin uses Stellar, which is not a decentralized consensus like Bitcoin, but rather federated. It's not really surprising that it has performance advantages.

Also not sure how I feel trusting the fate of a cryptocurrency to the strength of Intel's SGX.

"MobileCoin does not rely solely on SGX for maintaining transaction privacy. Transactions are designed to employ CryptoNote one-time addresses and one-time ring signatures, so MobileCoin will still maintain transaction privacy through unlinkable addresses if an attacker is able to defeat SGX and view transactions on the network."


Other than that, i very much share your concern..

It also says that the clients transmit private keys and PINs to the SGX nodes, which presumably allow spending of their coins. Maybe it's designed in a way that they lose their money, but maintain the privacy of their previous and other transactions going through the node.

Users have to transmit the private keys to their nodes, but not the PIN. This tradeoff was taken to prevent people from losing their money by losing their phone. If the secure enclave were broken, nodes could, theoretically, be able to brute-force the private keys.

I think that in reality, there will really be just a few nodes: Signal, WhatsApp and some bots/banks/businesses. The trust system in place is ideal for this.

This is what the whitepaper says:

> At install time, Alice's client performs remote attestation with its Mobile-Coin node, establishes a secure communication channel into the remote enclave, and transmits its keypair along with its recovery PIN.

Interesting. So it has the same privacy protections as Monero, the only cryptocurrency with a track record of being untraceable so far?

I wonder if the Stellar network is "leakier" than a decentralized network would be, though.

Here's the problem with cryptonote: if I play 10 hands of poker at an online casino, with money I bought on an exchange, I have very little privacy. Anyone who can coerce or compel the casino and exchange's cooperation can get my real identity simply by looking at intersections amongst potential ancestor payments. This is because in cryptonote, each payment only has e.g. 4 potential ancestors. While each of those themselves have the same property, you can still look at intersections and deduce linkages with very high probability.

>>So it has the same privacy protections as Monero, the only cryptocurrency with a track record of being untraceable so far?

I wouldn't call Monero "untraceable" even though I am a very big fan of XMR. It takes work to put a lot of steps between you and the payee at more levels than simply the transactional one.

How do you mean? Why would you need to, if the payment is untraceable? Are you talking about what happens after you purchase something?

How is zcash's track record with regard to untraceability?

It's fantastic, but it takes a lot of memory to generate a private transaction (no mobile wallets for that!) and because private addresses are opt in, not many are being used in the wild

using a lot of memory is still better than monero's requirement that you synch a 30+GB blockchain

> "9. Bob's MobileCoin node sends Bob's client a message, which can then calculate the private key that corresponds to the generated one-time public key."

> "10. Bob has now successfully received a payment."

If I'm reading this correctly, Bob's client (e.g. mobile app) must be in contact with the node for his address to receive the payment. This is pretty different from what I think will be Mobilecoin's closest competitors (at least from a UX standpoint), Venmo, Google Wallet, etc.

DDOSing Bob's mobile device or otherwise preventing access to the node would, at least temporarily, prevent the transaction from going through. Are the funds in purgatory during that period? If that client never gets in contact with the node, does the transaction ever get reversed, allowing the sender to regain control of the funds?

There are probably a host of other repercussions I haven't thought through yet. The idea of a cryptocoin as easy to use as Venmo/Signal is definitely intriguing.

I think that in practice, every operator of a messaging app will have their own node.

There will be Signal, WhatsApp, Messenger, etc. nodes and some small nodes for businesses, bots and similar.

Yes, theoretically, if you DDoSed Signal, then Bob wouldn't be able to get the coins.

how is the need to be in contact with the node different than the need to be in contact with venmo’s servers?

It's different because regardless if your node is online or not, venmo's servers can still accept payments on your behalf, and it's presumed that taking venmo's servers offline would be considerably harder than taking yours offline.

1) Both Kin and MobileCoin have moved to Stellar as their back end this week. I haven't paid Stellar much attention before. Anyone have any good links that explain Stellar and/or discuss the technical pros/cons? Trying to avoid any shill/pump or baseless FUD.

2) Am I correct that if any vulnerability were found in the SGX, an attacker would gain access to the encrypted private keys that are stored on a server node and would just need to brute force the PIN?

Here is a link to the blog post when the Stellar Consensus Protocol was released. It includes a summary in Stellar's own words and a link to the white paper: https://www.stellar.org/blog/stellar-consensus-protocol-proo...

I don't have a good link for Stellar but it's been around for a while, and the Rust creator even worked for them for some time.

Regarding the second point, since it's on the server, wouldn't a vulnerability just mean the server operator might potentially be able to get at the keys, not any random attacker?

I've done some work with Stellar and the implementation in the whitepaper sounds very different than how Stellar currently works.

For example, users control their own private keys and they're never exposed to a node, so I'm not sure why the whitepaper mentions storing private keys in the SGX. Perhaps they're going to host wallets for a user and store all keys in the SGX?

I'll be very interested in more details about this project since it doesn't appear to use the Stellar network, only the consensus protocol.

The title here says "A new Cryptocurrency from Moxie Marlinspike."

But the article describes his involvement as "Marlinspike has been working on as a technical advisor."

Those two descriptions sound different.

That's just "meritocracy" in action. The founder of a project gets all the credit for it, and when there are multiple founders the most famous one gets all the credit.

He is not even a cofounder according to their website. They just picked out whoever is most famous.

The cryptographer is an advisor and there's no mention of any financial experience / economics experience.

I assume this is another early adopter, mining platform....

Nobody's decided to solve that rather fatal flaw.

I think this is going in the right direction. You take a bunch of tamper-proof hardware devices from different manufacturers and then model attack costs to compromise them as part of a proof-of-stake scheme. Now you can build consensus algorithms on top of them that are highly secure and scalable compared to anything that exists today.

I'm not convinced that Stellar consensus here is the right algorithm for doing this, but I think SGX is promising technology that has been somewhat overlooked in the blockchain space (not by everyone.) SGX has a lot of potential. You can use SGX as a way to expand the consensus rules of any blockchain by using it as a blackbox obfuscation construct. Everything and more that Vitalik wrote in his article about Indistinguishability Obfuscation is possible with SGX today.

Want to create a specialized oracle that only signs certain transaction formats, even on untrusted hosts? Yep - use SGX. Now you can have agents that run in a cluster that will only move assets between blockchains based on a user's prior agreements, allowing for more complex cross-blockchain smart contracts to be written in high-level languages. What about having a nice way to do transaction commitments to scale any blockchain without having GB zero-knowledge proofs? SGX again. It could be used for privacy preserving protocols... It could be used for solving data availability problems in sharding / decentralized storage systems. The list goes on.

Some of the biggest trust problems are solvable with this technology - but like others have already said - you still have to trust the hardware manufacturer. In this case, my thoughts are that you already have to trust the hardware manufacturer anyway (nobody is going to inspect every chip with an electron microscope...) My bet is that a non-trivial portion of full nodes today are already running chips with backdoors like the Intel Management Engine anyway...

The point here is that you can't fully remove trust from any system without introducing vast inefficiencies, but you can at least formalize the risks in a system and design so that a compromise is too expensive to be worthwhile, and for me I think that's where the potential lies with this tech. Cryptoeconomic systems based on tamper-proof hardware where individually a component may be compromised, but where it is simply infeasible to compromise each and every device. You build a network out of these components and you have yourself the first on-chain scalable blockchain bound by physical hardware encumberments instead of computational difficulty.

You know, it was hard enough for PayTV smart card developers to keep transistor-level reverse engineers from getting inside their chips, and all that was at stake then was $35 content subscriptions. I can't imagine how putting personal banking inside SGX will fare. Or, I acknowledge I am probably missing something. Am I?

It wasn't that hard and the stakes were much higher than that. Individual subscriptions could be much more, but the entire black market of glitching units was an industry worth many hundreds of millions of dollars.

Ultimately DirecTV was able to kill pay TV hacking by simply introducing a new generation of cards that were better protected, the P4 series iirc. Other pay TV firms invested less and were mostly undermined by just one guy (Tarnovsky) - not exactly an army of reverse engineers.

The weak points in SGX security aren't the electronics themselves. So far all attacks on it are side channel based.

Tarnovsky wasn't the only key. There was also a single-minded team of former intelligence investigators spread around the world coercing and infiltrating, on top of a smartcard dev team packed with most of Moscow's mathematics prize winners, in addition to another red team in Haifa with their own Tarnovskys. I speak from first-hand knowledge because in my younger and more naive years I used to work with them.

Still, the analogy applies because the stakes with a cryptocurrency that depends on transistor security become a much more interesting target than the, now boring++, PayTV market. It should not be assumed that any secrets will stay inside of that secure enclave, at all.

++it's boring to hack paytv because streaming, downloads and card sharing removed a large bulk share of the need

you're missing that the protections SGX offers will only be one layer of the security model

Here is a year-old paper from Imperial College and Cornell where they implemented trustless transactions using Intel SGX.

“SGX” and “trustless” aren’t two things that really go together.

This is significantly stronger and harder than what that paper suggested

In what way? I mean this (Mobile Coin) is almost the very definition of vapourware. A 4 page whitepaper, come on.

Yes, I also find this high-school-level white paper pretty weird. Also no roadmap, no GitHub, only a 3-person team.

But Moxie Marlinspike though...

I feel like the real appeal of Bitcoin is the decentralized aspect. I am not totally intrigued at the idea of having a controlled system, even if it offers complete privacy and faster transaction speed.

If it works like Stellar (which it sounds like it does), it's still a decentralized network of nodes, but each individual user isn't a node. They pick a node to work with, and that node is then connected to a set of other nodes. Anyone can run a node, but there's just not any point to it for most users.

Kinda like bitcoin thin clients?

How is that better or different from Bitcoin users trusting CoinBase?

You can't just spin up your own CoinBase if you don't trust coinbase.com. I mean, it's BitCoin, so you can run your own transactions, but you can't do any of the other stuff CoinBase does.

But with Stellar or something based on its consensus protocol, you can run your own node if you want, or more likely, a bunch of public nodes can exist and you can pick the one you trust to work with. For example, if banks decide to start working with MobileCoin, then Chase could offer a node and, as a Chase customer, you could decide to trust their node (since you already trust them to manage your money) and use that one.

> you can run your own node if you want, or more likely, a bunch of public nodes can exist and you can pick the one you trust to work with

Still not getting it. If I don't trust CoinBase, I can go to any other online wallet that manages my private keys. With some effort, I can even start one myself. If Chase is running such a wallet, I can use them.

How is a decentralized protocol not a superset of a "federated" one?

Every node in Ripple or Stellar works with the same global state. You have to trust Coinbase not to run away with your money, but your Stellar node cannot. The consensus system is more like a replacement for proof of work, ensuring that no one double spends.

Something like this could make sense for "petty cash spending"

I believe that was the intent of Stellar.

Would someone close to this project be able to explain why the node operator wouldn't have direct access to users' keys in the event of an SGX exploit? The whitepaper only briefly delves into transaction privacy protections, but not key management.

Wow. MM is really going all-in on Software Guard Extensions (secure enclave) on the server.

What does HN say? Do we trust Intel (motivation and implementation) that much?

Any remote-attestation scheme is theoretically vulnerable to attacks where the CPU manufacturer includes backdoors in the processor hardware (either deliberately, accidentally, or under compulsion from a third party).

Intel's implementation is considerably worse than that. Even if you assume the hardware itself isn't compromised, every remote attestation has to go through the "Intel Attestation Service" which has no end-to-end protection. The IAS is what actually validates the enclave's signature, and it returns a "success" or "failure" message which is signed with an Intel key. But there's absolutely no technical measure that prevents Intel from being compelled to sign a falsified response; a client would have no way of telling the difference.

This is documented by Intel [1] and I'm hardly the first to notice it [2] but people still seem to talk about SGX as if compromising it is equivalent to backdooring the CPU, which is inaccurate.

[1]: https://software.intel.com/en-us/articles/intel-software-gua...

[2]: https://www.blackhat.com/docs/us-17/thursday/us-17-Swami-SGX...

So you cannot start running any code session on the SGX at ALL without this Remote Attestation call to Intel? That seems silly, considering the SGX has two 128-bit keys on board (one known to Intel, and one known only to the SGX).

Oh, it's not quite that bad. You can run SGX code and work with encrypted data, including generating attestation messages. It's just that there's no way to verify those attestation messages yourself; you have to ask Intel to do it.

It's also worth noting that SGX can run in two modes. There's "debug mode", which provides absolutely no security because a debugger has complete access to the state of the enclave. And then there's "release mode", which requires a key that you can only obtain by signing a commercial agreement and NDA with Intel.

Why the hell would Intel require an NDA to give you the private key?

That's shady af.

It's not actually an NDA (I've signed it). You have to agree to not use SGX to make un-debuggable malware.

At the end of the day, trust is still required. For example, if you use Bitcoin, you're trusting the people that wrote the code and the libraries it linked to and the people that ran the server you downloaded it from, and you're trusting that Koblitz didn't put a backdoor into the ECC somehow. I could go on for a while here but I think this describes the basic idea. You can change the level of trust required or who you're trusting but not the mere requirement of it.

I've met some of the people working on this at Intel and I do have confidence that this isn't some conspiracy, I do think they have the intention of improving the crypto space with projects like this.

This is the best way to test SGX, there will be huge incentives to find a vulnerability of any kind (including hardware).

No, but probably worth a shot. I think AMD's Secure Encrypted Virtualization (SEV) sounded better, though. But it's a shame AMD only offers it on the EPYC server chips. They ought to make it a mainstream feature in Zen 2 chips if they want it to gain popularity and use. That said, that's probably not an obstacle for a company that plans on using server chips anyway.

In multiple verticals of the industry, there exists a clear trend of utilizing hardware security modules for cryptographic operations. Almost all mobile phones have them, cloud providers offer HSM services, and Trezor wallets generate bitcoin private keys. It makes sense to build a service that relies heavily on HSM.

Adapt or die

I am pessimistic about SGX. It's basically a DRM system that was dressed up to look like something else. Even if one trusts Intel, the entire security model hinges on Intel's ability to detect a compromised key and revoke it; that makes plenty of sense for DRM, where compromised keys are typically announced on forums etc., but why would a service operator or government agency tell anyone?

Moxie has good ideas, but SGX is a trap and he fell into it.

It does rely on SGX being unhackable. Just hard to hack.

I'm probably going to pay this a lot more attention now than I would have purely because I find Moxie really quite impressive all the way up to his patient, reasoned interactions with people around here.

MobileCoin is backed by XLM/Stellar, which is not decentralized, and so I feel I should note here that I signed up during Stripe's giveaway of Stellar Lumens years ago - and I did indeed get my wallet credited.
I was given 6000 XLM and I left it in their official wallet for years. On May 12th, 2017 I wrote them an email asking why my wallet, now converted to some newer official wallet, was empty. I did not receive a reply for 2 months, at which point I followed up and received a reply within a day, which was:

"I have investigated your account and it looks like an account merge operation occurred some time ago merging your lumens with another account. If you did not commit this action, it could be possible that someone was able to obtain your account information.

You can see the merge operation here: https://horizon.stellar.org/accounts/GD2CPSK2E3TUNC2N5NGGQJQ...

Unfortunately there is nothing we can do to retrieve your lumens at this point.

Apologies we cannot be of further help."

I have pretty damn good security of my various accounts using hardware 2FA and such, and I also transact in cryptocurrency and have wallets with far more fiat value in them than 6000 XLM had at the time ($120-150 USD if I recall), with absolutely no issue - and I hadn't even logged into their official wallet. The developers were 100% quick to blame this merge on me. I replied with a flat: "I highly doubt you are correct that it is my fault" email and it went back and forth with them asking the basic "well, did you get spearphished somehow" as if anyone even knew what XLM were or cared.

The process dragged on for a month while I bothered people in their Slack channel since email communication dropped out and they finally came back with:

"Our team has investigated and checked for multiple different types of issues and have not found anything on our end that shows any type of security compromise in our system.

Unfortunately this means at this moment I do not have a concrete answer to how your account was compromised. I’ll follow up again to check if there is anything on your end they would recommend you do."

I investigated on my own and found a number of accounts who were "hacked" and sent XLM coins to the wallet that I had merged with, all that just kind of sat there, indicating a software error on their end of a bunch of accounts that were randomly emptied. I provided all documentation to their team and spent a solid 15-20 hours doing so.

Their response to all of this bug bounty-type work?

"They have identified one potential issue in the past that affected only a small number of accounts, possibly yours. This bug was fixed once discovered back in 2014, but users who may have been vulnerable to the bug were still impacted during the upgrade process to the new network even after it was resolved.

Although we think this was the cause of what happened, we cannot be 100% sure if this was what impacted your account considering you had a strong password and none of your other accounts were compromised."

"Although we cannot recover your original lumens from your account, we’d like to award you 3000 lumens as part of our Bug Bounty Program because you have helped us in identifying a possible issue that happened in the past."

So they basically gave me half the XLM back instead of the full amount despite it being entirely their fault and them having no idea how to investigate while I exposed a serious flaw in how XLM were assigned and paid to their wallets, all while blaming me the entire time and with atrociously slow customer response times.

Forgive me if I'm not the biggest XLM/Stellar Lumens fan; their team is both terrible at support and suggests that at least their frontline investigators are technically incompetent since they couldn't figure out the merge situation before I did with simple API poking around and enumerating.

Too bad you are having this issue. But since you are airing it here on HN then my own anecdotal experience is I went through the same signup as you did. Forgot about it for three years. Found my multi-word password. Loaded it into the website. Received a message I'd been upgraded to the new system. I downloaded a stellar desktop client, transferred the coins to my desktop wallet, all problem free.

I think it is easy for nearly all of us to agree the most likely cause of your own issues is operator error. Now that the price is shooting up on these coins, it's not rational to expect STR to chase down every 6K STR giveaway grievance that they receive.

>>I think it is easy for nearly all of us to agree the most likely cause of your own issues is operator error.

Seems exceptionally unlikely given the number of upvotes I have and the work that I did tracking it down. It is very likely their fault and/or a software bug.

This has also been my experience with Stellar's support: radio silence.

You are complaining about receiving free money, but not caring about it until the price went up recently. How is this even remotely Stellar's issue?

>>You are complaining about receiving free money

Aside from the fact that this is a terrible line of argumentation ("Person A gave you $100 and then Person B later stole it out of your house, what's your problem with that?"), that is not the point of my comment at all. I suggest you read a bit more specifically in regards to service, transactional security, and the fact that the coin is federated and not decentralized.

You didn't even realise for a long time that you lost access to it. It's like me remembering that I had some BTC, but can't access them anymore and blaming Bitcoin developers for not getting rich.

Stellar not being decentralised, even though 90% of nodes are not run by the SDF, makes it somehow insecure? If you have some specific complaint about the security, point it out; instead you are just ranting on an anecdote.

>>If you have some specific complaint about the security point it out

I did, in the post. I'm not sure why you are making a big deal about the money I lost. I am certainly not. It is about the mechanism by which it happened and how they didn't take it very seriously.

EDIT: I am also not even sure to this day what the value of XLM is, and don't particularly care. I gather from your post that it has gone up. Congratulations. I think XLM's architecture and use case makes a lot of sense. I also think their developers and support team are quite poor. That is the intent of my post.

care to disclose what connection you have with Stellar -- your blind defense and smoke screening makes it seem like you have an interest in making sure bad press (legit or not) doesn't come to light.

How he got the currency has ZERO standing on the issue that he described.

Isn't SGX not so secure? [1]

Specifically this claim

"In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes."

[1] https://www.schneier.com/blog/archives/2017/03/using_intels_...

It's vulnerable to side-channel attacks, like a lot of trusted hardware. The challenge with trusted hardware is you have a much stronger threat model than a lot of previous work on side-channel attacks, in that instead of having to protect against remote or local unprivileged software attacks, you now have to guard against a local privileged attacker (e.g. a malicious OS or hypervisor), or potentially even someone with physical access. Having said that it is possible to design software in such a way as to be resistant to many side-channel attacks (albeit with a lot of effort and a performance hit) and I imagine future generations of SGX could add hardware protection against the most egregious channels. Of course if you have enough money/time it will always be possible, the question is whether an SGX based blockchain can be designed in such a way as to make it not worth the effort.

Anyone got a link to the project's website? I'd like to read an actual technical description. Anything MM is involved in is gold in my book.

Thanks, strange Google didn't bring that up.

Yea, I saw that. I think they just put the site up and it hasn't been indexed yet.

Stellar is run by a set of trusted third parties, which makes it permissioned. If it gains any sort of traction, it will undoubtedly come under the control of any number of governments, thus negating the "peer-to-peer" part of cryptocurrency, and making usage conditioned on approval from some set of intermediaries.

It's not run by "a set of trusted third parties".

It's run by SETS of trusted third parties, where each individual node specifies what set of nodes it trusts to not collude against it.

You don't need anyone's permission to run a node, but it is up to other nodes if they want to trust you.

If your set is not the same as everyone else's set, you risk being forked off. Trusted third party based schemes have a tendency toward centralization, making them less resilient than ones based on cryptoeconomic incentives. Inevitably it will mean TTP-based ledgers will be permissioned, with the TTPs acting as gatekeepers, rather than p2p.

This isn't just theoretical either. Stellar has co-authored a paper arguing for regulations against anonymous cryptocurrencies:
It's clear that it's positioning itself as a gatekeeper-based ledger that stays on the good side of regulatory agencies.
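The trusted-set supermajority rule described in the Ripple comment above, and the "forked off if your set differs" risk raised in this one, as a small simulation added here (constructed data; not Ripple, Stellar or MobileCoin code, and the validator/node names are hypothetical):

```python
"""Toy model of federated consensus as described in the thread: every node
names the validators it trusts (its 'UNL') and applies an 80% supermajority
over that set. Added illustration with constructed data, not any project's
real implementation."""

from math import ceil

THRESHOLD_PCT = 80  # supermajority quoted in the thread for Ripple's process


def accepted_by(trusted, proposals, threshold_pct=THRESHOLD_PCT):
    """Transactions proposed by at least threshold_pct of the validators in
    `trusted`. `proposals` maps validator name -> set of tx ids. Integer
    arithmetic so that exactly-80% cases are not subject to float rounding."""
    trusted = sorted(trusted)
    if not trusted:
        return frozenset()
    tally = {}
    for validator in trusted:
        for tx in proposals.get(validator, ()):
            tally[tx] = tally.get(tx, 0) + 1
    return frozenset(tx for tx, count in tally.items()
                     if count * 100 >= threshold_pct * len(trusted))


def run_round(unls, proposals, threshold_pct=THRESHOLD_PCT):
    """One round: each node adopts whatever its own trusted set agrees on.
    `unls` maps node name -> set of trusted validator names.
    Returns node name -> frozenset of accepted tx ids (its ledger view)."""
    return {node: accepted_by(unl, proposals, threshold_pct)
            for node, unl in unls.items()}


def is_forked(ledgers):
    """True when nodes end the round with different ledger views."""
    return len(set(ledgers.values())) > 1


def min_to_force(unl_size, threshold_pct=THRESHOLD_PCT):
    """Fewest colluding validators inside a UNL that can push a transaction
    through by themselves (the 'trust them not to collude' assumption)."""
    return ceil(threshold_pct * unl_size / 100)


def min_to_block(unl_size, threshold_pct=THRESHOLD_PCT):
    """Fewest validators that can keep a transaction out of the ledger by
    withholding their vote (the censorship side of the same assumption)."""
    return unl_size - min_to_force(unl_size, threshold_pct) + 1


def demo():
    """Constructed scenario. V1..V5 propose tx_a; V5..V9 propose tx_b, so the
    two validator groups overlap only at V5. node_3 is run twice: once with
    a trusted set disjoint from everyone else's (apart from V5), once with a
    set that overlaps the others in 4 of 5 validators."""
    proposals = {
        "V1": {"tx_a"}, "V2": {"tx_a"}, "V3": {"tx_a"}, "V4": {"tx_a"},
        "V5": {"tx_a", "tx_b"},  # the only validator present in both groups
        "V6": {"tx_b"}, "V7": {"tx_b"}, "V8": {"tx_b"}, "V9": {"tx_b"},
    }
    shared = {"V1", "V2", "V3", "V4", "V5"}
    disjoint = run_round({
        "node_1": shared,
        "node_2": shared,
        "node_3": {"V5", "V6", "V7", "V8", "V9"},  # barely overlaps
    }, proposals)
    overlapping = run_round({
        "node_1": shared,
        "node_2": shared,
        "node_3": {"V2", "V3", "V4", "V5", "V6"},  # 4 of 5 in common
    }, proposals)
    return {"disjoint": disjoint, "overlapping": overlapping}


if __name__ == "__main__":
    results = demo()
    for label, ledgers in results.items():
        print(f"{label}: forked={is_forked(ledgers)}")
        for node, ledger in ledgers.items():
            print(f"  {node} accepted {sorted(ledger)}")
    print(f"UNL of 5: {min_to_force(5)} colluders can force a tx, "
          f"{min_to_block(5)} can block one")
```

With the disjoint trusted set node_3 ends the round on a different ledger from the others (a fork); with 4 of 5 validators in common all three nodes agree, and in a 5-validator set 4 colluders suffice to push a transaction through while 2 suffice to censor one.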

But isn't Mobilecoin just borrowing stellar's approach to consensus? And what stops anyone from setting up a full node?

A bit ironic that MobileCoin is targeting x86_64 and SGX, seeing that the vast majority of mobile devices run ARM. I wonder how easy this would be to port to ARM TrustZone?

ARM Trustzone doesn't do anything related to remote attestation, which I'm guessing this thing is all about (even if the article doesn't seem to mention it). So I'll claim it is impossible.

Edit: You could still check the signatures signed by the trusted Intel CPUs on your ARM device of course, but any mining would have to happen on a SGX-enabled Intel CPU. (Or anything else with Intel's private key.)

> The currency is designed to utilize an Intel processor component known as Software Guard Extensions, or a "secure enclave."

Binding yourself to an implementation like this seems like mega big centralization. There are several decentralized coins that could solve some of these same problems.

I'm not sure using Stellar is wise, as the majority is owned by a small group of people, much smaller than Bitcoin, which creates a conflict of interest and is not future SEC-proof.

On a side rant: So...many...coins...I too have something called BrowserCoin.com but still haven't figured out what problems to solve. Too many people just go implement a pseudo-academic blockchain tech with fancy dials without vetting the problem....virtually zero adoption other than from pumpers and owner...that is something I'd like to avoid altogether, for once some cryptocurrency-based business that delivers and benefits people who don't need expensive rigs to mine or jack resources (browser-based blockchains etc).

I don't know you, but... I have an idea for BrowserCoin.com -- a marketplace for ads where users are paid to try a product. They receive a coin payment when they use a product for a certain period of time. Don't bother decentralizing -- keep tabs on who is paid, to avoid bots stealing payments with fake usage. Let me know if you like that, my email is in my profile.

AFAIK, they are using Stellar Consensus Protocol, not Stellar itself. Nobody uses MobileCoin yet.

Exactly how I feel.
