Why I find IOTA alarming (medium.com/thedrbits)
145 points by 0wing on Jan 29, 2018 | 124 comments


I feel like I'm missing one side of the story. I don't know much about IOTA but from what I learned reading articles linked on HN today IOTA:

- Uses custom "ternary" crypto which has been shown to have vulnerabilities in the past.

- Has software that doesn't include the basic function of generating wallet addresses, instead having some users rely on shady 3rd party websites and getting their coins stolen.

- Does away with much of what made other cryptocurrencies like Bitcoin work in the first place in order to remove transaction limitations.

- Except that the changes required to make this work, at least in theory, are for the most part not actually implemented yet and there appear to be a lot of doubts that it can work at all. See for instance this comment on the article: https://medium.com/@comefrombeyond/thank-you-269640e794e7 ("in the future", "temporarily", "will be using",...). Also note that many replies in this comment actually deflect the original criticism without actually addressing it. I don't even understand what that person means by "You describe the internet", and how that has anything to do with the argument of TFA.

So basically you have a highly experimental technology (even by cryptocurrency standards) which is very much unproven (even by cryptocurrency standards) and yet apparently it has a market cap of $6 billion: https://coinmarketcap.com/currencies/iota/

So what's the other side of the story? Can an IOTA enthusiast explain what's missing from this picture?


BitConnect, a literal Ponzi scheme that was repeatedly flagged to newbies as a Ponzi scheme they should avoid, had a $2.5 billion market cap last month before collapsing.

While IOTA boosters probably have a story they believe that justifies the hype in their mind, just because it’s worth $6 billion in this market doesn’t mean they necessarily have a good one.

For what it’s worth, of all the crypto people I follow that I consider smart or savvy, none of them are IOTA bulls.

Also, the IOTA founder comes off as extremely immature on twitter each time someone trashes it. Even if all the criticism is FUD, his reaction alone is enough to keep me away.


> For what it’s worth, of all the crypto people I follow that I consider smart or savvy, none of them are IOTA bulls.

Would it be possible to stop using crypto as a shorthand for cryptocurrency? It's already a term of art for the much older field of cryptography and things get confusing, especially as all the crypto(graphy) people I follow consider altcoins in general to be hype.

Not to mention it makes no sense, kryptós means "hidden" or "secret", which cryptocurrencies are not, the crypto- prefix comes solely from the underlying usage of cryptographic tools.


No. Give up. It's over. Use context clues. Not a statement on the merit of cryptocurrency or your reasoning, just a descriptivist observation.


Another possibility: folks like your parent may be able to keep fighting this fight long enough for cryptocurrency to fall off the mainstream hype radar and the smaller, more knowledgeable, community driving whatever the future steady-state of all this craziness ends up being may actually coalesce on better language (something involving "blockchain" perhaps?).

I tend to think you're right that it's time to just sigh, shake our collective head, roll our collective eyes, and give up fighting this battle, but the future I just described seems at least somewhat plausible to me.


"Crypto" is slightly easier and faster to say out loud than "blockchain". So, it's over, move on.


You didn't respond to my point at all. People talk about this stuff like everything is established and permanent now that there has been, what, a year? of mainstream interest. It's absurd. Let's re-evaluate once we've moved a ways past the "flash in a pan" point.


You are right, sorry, I didn't.

About that, I think it won't be a flash in the pan. I think it's here to stay and people won't stop talking about cryptocurrencies.


I don't care one way or the other but I don't see 'crypto' being that widespread yet.


A fifty year old not-very-tech-savvy colleague recently suggested (in jest) that we could pitch something as "crypto-nano, for maximum buzzword effect".


Hey... that could be a thing. A MEMS device, like a miniature (sorry, nano) Enigma machine.


I don't think this is half as annoying as the "hoverboard" fad which never really "hovered". And you know how that turned out. It's impossible to put the cat back in the box once it's out.


> Would it be possible to stop using crypto as a shorthand for cryptocurrency?

Too late, the language has changed whether you like it or not.

https://twitter.com/VitalikButerin/status/946630708805566464


Experienced the immaturity first hand, see https://news.ycombinator.com/item?id=15860968


We actually won't track IOTA or anything else we feel is too close to a scam on our website:

https://projectpiglet.com/

It's amazing how many scams are in the cryptocurrency space. To some extent I personally even view Ripple and all the other completely pre-mined or tokenized cryptocurrencies (i.e. 100% centralized systems) as a scam. There's no guarantee manipulation of the underlying technology isn't happening. Essentially, removing the advantage of cryptocurrencies.


Watching the crypto space has led me to realize that it's actually pretty hard to create any kind of financial system that is not mostly fraud.


Do you feel there's a way to have a proof of stake coin without meeting your standard for being a scam?


Proof of Stake algorithms so far amount to various rationalizations on giving the wealthiest users more wealth.

To explain further, PoS blockrewards are settled as lotteries to stakeholders with each staked coin being granted a lottery ticket. Due to the all or nothing nature of newly printed coins from blockrewards, the wealthiest users will not just accumulate more newly printed coins on average but the statistical odds of them accumulating more of the future supply increases with time whereas poor users are entirely disqualified from thresholds required for "staking" and earning newly minted coins.


I'm really impressed by RAIBlocks, and trying to decide what to think about it. There are no fees or printing.


RAIblocks isn't a protocol, it's someone running a centralized database that publishes the results to everyone else. Dubious.


OT: who are the crypto people you follow? And on which channels?

Twitter seems sadly popular among this crowd. Sadly because it lends itself to flamewars.


Cryptos lend themselves to flamewars, no twitter or anything else needed. You have a bunch of people who are trying to get rich quick while on average not understanding much about the underlying technology. Try to have a technical discussion on any crypto enthusiast forum and see how well it goes. In my experience it turns really ugly really quickly.

In general I give up after I get the first "you don't know what you're talking about" without any kind of actual argument behind it. Note that you find several of these in the comments of TFA:

>i find it deeply alarming everybody and their graindma has to write bad stuff about iota without beeing informed themselves enough.

>I learned a lot today, but not from this article. The comment section has some good information.

>you’re way too late for the fud party.

>Wow…another clear case of awesome journalism. Another case of the misinformed trying to mislead people with another mudslinging article.

>Just a question: does it ever occur to you to pick up the phone and may get in touch with someone who actually knows the topic at hand before writing this kind of garbage…say the IOTA…

Truly enlightening.

I love this comment too: https://medium.com/@dfalkman/i-think-this-article-sums-the-p...

>The bottom line is that IOTA is embarking on something new. Like a lot of things in crypto, it is theoretical and academic and working towards becoming practical. It is very early.

Then:

>We all rise together, so we should more encouraging of one another’s endeavors in crypto and blockchain. IMO these concerns would have been best voiced in the IOTA slack channel instead of on the interwebs for all to FUD about.

In other words: it's an experimental academic endeavor but don't criticize it publicly because it hinders my ability to pump it.


We all rise together, so we should more encouraging of one another’s endeavors in crypto and blockchain

There’s your tip-off for a scam: don’t ask questions, and be encouraging to each other, because it’s us against a skeptical world. Cults, penny stocks, Amway, and now crypto currency scams apparently: I’ve observed similar patterns in all. Not that we shouldn’t support each other in our mutual endeavors, but if that’s the only thing with any substance that you hear and money is on the line, run away.

Tip-off #2: “You don’t know what you’re talking about.” “Enlighten me.” <crickets>

Learned that one from a biodiesel nut, a suburban boy with clean fingernails trying to convince this ex-mechanic who grew up on a farm that growing food crops for fuel is energy net positive, and otherwise a good idea. Not that his heavy financial investment in a local biodiesel company would color his opinion at all.


> growing food crops for fuel is energy net positive, and otherwise a good idea.

According to Wikipedia (https://en.wikipedia.org/wiki/Ethanol_fuel_energy_balance), growing sugarcane for ethanol is 8x net energy positive.


Said biodiesel nut never once mentioned sugar cane, soybeans was the frequently suggested crop, your article is talking about ethanol and not biodiesel, and that wasn’t the point anyway.


This biodiesel nut never said "algae", "duckweed", or "synergy with aquaculture"?

Your nut isn't much of a nut.


That’s probably why he lost all of his money in that venture: just not quite nutty enough. No one’s going to jump on board for something as boring as soybeans.

OTOH, snarky or not, you bring up an interesting thought: there are probably millions of people that know (as in practical knowledge) how soybeans are grown, hence enabling millions to call “bullshit”. Had said nutter said “algae”, I would have to have taken his word until I could research further.


Here are two resources that I think are helpful:

1. Token Economy is a weekly crypto newsletter run by two crypto VCs (https://tokeneconomy.co/). I think it is extremely good at separating the signal from the noise. Highly recommend.

2. Twitter is unfortunately indeed the easiest place to follow what's going on. Naval Ravikant, the founder of AngelList, recently published a list of the people he follows in the space (https://twitter.com/naval/lists/crypto/members). It has a large overlap with my own list, but neither he nor I endorse everyone's views that are on it. But it probably includes most of the active developers, VCs and thought leaders in the space.


Oh, you meant cryptocurrencies, not the cryptography people. "Crypto" is an established abbreviation for "cryptography". Probably, to avoid confusion we should spell out both terms.


Custom crypto primitives (ciphers, hashes, etc.) are a big red flag to me unless the designers are cryptographers.

I know a fair bit about crypto. I would implement (and have implemented) higher order constructions like encrypted and authenticated protocols according to design patterns and principles put forward by competent cryptographers. I would never ever even attempt to design a cipher or a cryptographically strong hash unless I were just playing around, and would never label my work as anything other than such. Even trying to innovate on constructions (like how to combine a MAC with a cipher) would make me very nervous and I'd seek the advice of a pro.

Multiply that nervousness by ten if the system is a cryptocurrency, which has a big "hack me" sign on it with a massive cash bounty.

Actual deep cryptography such as cipher design is an area where truly extreme and very esoteric expertise is required to even get started, and where the consequences of a failure are pretty dire. Even people who can design ciphers are conservatives when they implement real secure systems, only using those ciphers that have been through years of academic cryptanalysis. This area is very different from other areas of computer science and math.


> Actual deep cryptography such as cipher design is an area where truly extreme and very esoteric expertise is required to even get started

I hear this every time cryptography is brought up. I think I get that it's hard, but people make it sound like it's the hardest thing ever. Where does this extreme complexity stem from? And what's the field of knowledge required? (Mathematics I imagine)


I think the problem is that it's tricky math, and there are so many possible subtle failure modes that make a scheme insecure (e.g., timing attacks). So in order to have a chance of making a new secure scheme, you should be an expert in cryptography (i.e., be very familiar with past schemes, why they worked, and common ways schemes fail that are non-obvious to someone without such a background).

Furthermore, given the number of subtle failure modes, a new scheme (even one designed by an expert) is likely to be insecure until shown to be secure by time and peer review (i.e., after it has been extensively attacked). Experts know this; amateurs assume that because they can't see a flaw, their new scheme is secure enough to deploy.


> I think the problem is that it's tricky math

Tricky maths and just-as-tricky implementation. And a broken implementation can obviously make the best maths worthless.


I also first thought this was some smug condescending point of view, but the more I learned about it the more I realize this shit is hard.

And it's not hard because of the mathematical theory behind it. It's because there are so many subtleties in cryptography that in order to call yourself a "cryptographer", you not only need to have understood all the mathematical theory but also have thought about and understand all the subtle edge cases. And once you do get to that point, you become super careful about making certain claims.

Unlike engineering problems where a small error can be fixed somehow through monkey patching, a subtle loophole brings down the usefulness of the entire cryptographic algorithm. So no matter how powerful your next big cryptography algorithm is, if someone finds a very very small loop hole, it's fucked, and the entire algorithm is unusable.

This is so important that the WebCrypto API even named their main API endpoint as "crypto.subtle" (instead of just using the "crypto" prefix) to warn people.

So TLDR: it's not because people don't trust the expertise of a non-cryptographer, but because people trust that an actual "professional cryptographer" is humble enough to not make claims unless they can prove it.

My impression with IOTA is that it makes a lot of mind-bending claims which no one can easily prove or disprove. And also they don't use the proven-by-time cryptographic algorithm. This makes it impossible for anyone to make a trustworthy peer review. (It doesn't help that the founder acts like an asshole so nobody wants to waste their time doing a peer review on it anyway)


It's not complexity but combinatorics. The hardness of crypto is a type of hardness not often encountered in other programming areas, or not to the same degree.

Cryptographers are modern day real world occultists and wizards. It really is an esoteric area of computational and mathematical lore that requires many years of diligent study before one can even attempt to do anything that isn't a toy.

The gods (intelligence agencies, organized crime) laugh at those who attempt to roll crypto without knowing what they're doing.

Note again that I'm talking about core primitive (cipher, hash, etc.) design. I do think that mere mortals can implement crypto, though doing so competently still requires a lot of study and respect for the difficulty of the domain. I don't repeat the "never implement crypto" mantra. Instead I prefer the modified version: "do not attempt to implement crypto unless you know how to break crypto." If you don't understand how crypto is often broken and can't name and explain a few recent examples, you should not be implementing crypto.


> I think I get that it's hard, but people make it sound like it's the hardest thing ever. Where does this extreme complexity stem from?

I believe that it stems from the fact that it's easy to get wrong, and hard to know you got it wrong. Furthermore, other than a few special cases like one-time pads, there's no known way to prove that a cipher is secure, only that it's insecure. A cipher designer, therefore, must by necessity be an expert on all the known ways to break a cipher, so as to avoid all the known traps, and defend against the yet-to-be-discovered ones.


Specifically, you will want strong experience in several subfields of maths. You will want:

* Computer science, specifically complexity theory and circuits

* Galois field theory (AKA finite field theory)

* Group theory

* Number theory

* Specialities include elliptic curves and modular forms, lattices (in the ordered/on-the-plane way, not the algebraic structures)

In general, cryptographic design and analysis is all about a guess that we have in mathematics: We think that one-way functions exist. We think that we have certain specific tools, such as the discrete logarithm problem and Feistel networks, which can be carried from one domain to another reusably, and as a result the bleeding edge of research is currently concerned with finding new domains, as quantum computers will rapidly be obsoleting our current ones.

This isn't the hardest thing ever, but you're going to have to spend a few years getting your maths up to snuff. I've personally spent over a decade and while I've done a lot of things, I've still yet to contribute usefully to the cryptographic community; I haven't accrued enough knowledge to do more than analyze basic protocols and read some classic cryptanalysis papers.

Hope this helps; everything should be Googlable or on Wikipedia.


The core of the argument is that the designer should be more skilled than the attacker, and you don't know who the attacker is going to be. So that leads to a championship mentality.

Given that DCI appears to have outsmarted the IOTA developers here, it's not a crazy attitude.


> I hear this every time cryptography is brought up. I think I get that it's hard, but people make it sound like it's the hardest thing ever.

It’s not literally the hardest thing ever, but it’s probably in that category of difficulty with a few other domains. There are several reasons why this is the case.

First, to understand cryptography well enough to safely design a novel cryptosystem requires significant knowledge of information theory, complexity theory and approximately all of undergraduate mathematics. If you’re only developing symmetric encryption cryptosystems or primitives like hash functions, you can probably stop there. If you’re developing a novel public-key cryptosystem, you will be adding on graduate-level study in number theory and algebra; in particular for advanced topics in elliptic curves, coding theory and vector spaces (lattices). Throw in game theory while you’re at it to model cryptosystems and their security proofs. You don’t need everything from every course, and it doesn’t have to happen in a strictly academic setting, but you still need to acquire that knowledge if you want to design novel systems.

Second, while a lot of “hard” fields require knowledge of very advanced topics in math, cryptography is somewhat unique in that the incentive to identify a mistake in your design is extraordinary. Designing an imperfect alternative to bcrypt or scrypt results in absolute catastrophe for real-world user privacy and monetary assets if a serious vulnerability is found after it’s widely adopted. Simply put: this is an arms race, and most software does not need to be designed to be fault-tolerant in an actively hostile environment. This elevates the design difficulty to what you could call the “military setting.”

Finally, and as a corollary to my second point, cryptography is very difficult to implement. It’s fairly easy to choose the wrong parameter when you’re implementing a cryptographic primitive from a specification, or to accidentally destroy the security of the cryptosystem in an attempt to make it a bit faster (e.g. lattice reduction). And other than that you need to defend against a battery of side channel attacks, which introduces another level of complexity.

I personally understand a lot of academic cryptography (but the more you learn the less you actually know...), and I’d say that, categorically speaking, cryptography is comparable to rocket science. I’m not claiming it’s absolutely as hard, but it shares many of the broad strokes. It’s not brain meltingly difficult in any single dimension (I find cryptography papers far easier to read than some blog posts by Terence Tao, for example), but the conceptual addition of a “safety” requirement makes everything more complex. It elevates the requisite mathematical knowledge and engineering rigor needed to design and implement a good cryptosystem.


The designer for Curl was a Genetic Algorithm.


Which is about the farthest thing possible from an expert in cryptography.


The fact that it is using balanced ternary makes it seem like the science project of young/inexperienced developers. If you're building a cryptocurrency put away your hubris and use what is tried-and-true.


From their Learning IOTA FAQ:

> What makes IOTA quantum-secure?

> IOTA uses hash-based signatures (https://www.imperialviolet.org/2013/07/18/hashsig.html) instead of elliptic curve cryptography (ECC). Not only are hash-based signatures a lot faster than ECC, but they also greatly simplify the overall protocol (signing and verification). What actually makes IOTA quantum-secure is the fact that we use Winternitz signatures. IOTA's ternary hash function is called Curl.[1]

Curl is designed by Genetic Algorithm. I wonder how they could test this? Did they 'do the math'?

[1] https://learn.iota.org/faq/what-makes-iota-quantum-secure


In the original article linked it talks about how people found a flaw in the cryptographic hash function. When it was pointed out to the founder he basically said "Yeah we knew it was not secure. We put it in there so if anyone copied our code we could undermine them."

That smells fishy to me. Whether his statement is true or not he cannot be trusted. And the fact that they are using unproven in-house cryptography again supports my view of IOTA as a science project rather that something serious and dependable.


I asked them about it. They agreed after I said it was like 'inserting fake roads into a map by cartographers'.

Seemed a bit fishy to me too.

Math project is more likely.


Hash sigs... ok

Winternitz... ok

Ternary hash function ... designed by genetic algorithm ... WUT?

Why would you design your own hash function?


Maybe 'quantum resistance':

IOTA does not use traditional asymmetrical (public-key) cryptography algorithms, which depend on not being able to efficiently compute discrete logarithms or factor numbers (which are believed to be easy on a quantum computer).

Instead, its signatures are based on the Winternitz signature scheme (slightly modified for ternary), which only depends on the impossibility of reversing hash functions (Kerl in the case of IOTA, which is a ternary version of Keccak), which is believed not to be as easy on a quantum computer as factoring a number (although any reversing of a (hash) function can be done more easily on a quantum computer than a traditional computer).

A disadvantage of the Winternitz scheme is that signatures are one-time (every signature reveals parts of your key); therefore users have to be careful not to reuse addresses that have been spent.

Source: https://iota.stackexchange.com/questions/203/how-does-iota-m...

I also found something about 'the length of the computation of the hash function' somewhere as making it more quantum resistant but can no longer find the reference.
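The Winternitz scheme the answer above describes, as an added example that is not IOTA's code or the commenter's. It is a binary simplification (SHA-256, Winternitz parameter w=16; IOTA's version is ternary and built on Kerl, so the hash, digit base and chain counts here are assumptions) showing signing, verification, the checksum that stops a holder of one signature from simply walking a chain forward, and a wallet-side guard that refuses to sign twice with the same key.

```python
"""Winternitz one-time signature (WOTS), binary simplification.

Added example, not IOTA's code. Assumptions: SHA-256 as the hash, Winternitz
parameter w = 16 (base-16 message digits); IOTA's real scheme is ternary and
built on Kerl.
"""
import hashlib
import hmac
import os

W = 16                 # each hash chain has W-1 steps; digits are 0..15
N = 32                 # bytes per secret chain start
L1 = 64                # base-16 digits in a 256-bit message digest
L2 = 3                 # checksum digits: max checksum 64*15 = 960 < 16**3
L = L1 + L2            # number of hash chains in one key


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _chain(x: bytes, steps: int) -> bytes:
    """Walk a hash chain `steps` positions forward."""
    for _ in range(steps):
        x = _h(x)
    return x


def _digits(message: bytes) -> list:
    """Base-16 digits of H(message) followed by the Winternitz checksum.

    Anyone holding a signature can walk a chain forward, i.e. raise a digit.
    The checksum sum(W-1 - d_i) shrinks whenever a message digit grows, so a
    raised digit forces a lowered checksum digit, which needs a preimage.
    """
    digits = []
    for b in _h(message):
        digits += [b >> 4, b & 0xF]
    csum = sum(W - 1 - d for d in digits)
    digits += [(csum >> (4 * (L2 - 1 - i))) & 0xF for i in range(L2)]
    return digits


def keygen(seed: bytes = None):
    """L secret chain starts from a seed; the public key hashes the chain ends."""
    seed = seed if seed is not None else os.urandom(N)
    sk = [_h(seed + i.to_bytes(2, "big")) for i in range(L)]
    pk = _h(b"".join(_chain(s, W - 1) for s in sk))
    return sk, pk


def sign(sk, message: bytes) -> list:
    """Advance chain i by digit d_i; each element reveals that chain position."""
    return [_chain(s, d) for s, d in zip(sk, _digits(message))]


def verify(pk: bytes, message: bytes, sig) -> bool:
    """Finish each chain (W-1-d_i more steps) and compare to the public key."""
    if len(sig) != L:
        return False
    ends = b"".join(_chain(s, W - 1 - d) for s, d in zip(sig, _digits(message)))
    return hmac.compare_digest(_h(ends), pk)


class OneTimeKey:
    """Wallet-side guard: a Winternitz key signs exactly once.

    A second signature on a different message reveals lower positions on some
    chains; combined, the two signatures let a third party sign further
    messages. This is the "never reuse a spent address" rule in code.
    """

    def __init__(self, seed: bytes = None):
        self.sk, self.pk = keygen(seed)
        self.used = False

    def sign(self, message: bytes) -> list:
        if self.used:
            raise RuntimeError("one-time key already used; derive a fresh address")
        self.used = True
        return sign(self.sk, message)


if __name__ == "__main__":
    key = OneTimeKey()
    sig = key.sign(b"transfer 10 to A")               # constructed sample message
    print(verify(key.pk, b"transfer 10 to A", sig))   # True
    print(verify(key.pk, b"transfer 99 to A", sig))   # False
```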


Doesn't explain using your own hash function, though. SHA-3 doesn't depend on the security of the discrete logarithm or integer factoring problems. Finding SHA-3 collisions on a quantum computer is only quadratically faster than a classical computer.


Even the double spending problem is not really resolved. Just with the current theft, there are recipes posted[1] on how to recover the stolen IOTA by basically enforcing the double spending and trying to give your spending a higher priority than the fraudulent transactions had. That means fraudulent transaction could try this themselves and just need to exploit that race condition. That means a fraud needs to somehow collect the data on pending transactions and just need to issue their own ones with the known collision problem on the hash.

[1] https://www.inowrx.de/iota-stolen-iota-stop-pending-unconfir...


You're conflating a lot of things here. Racing a fraudulent transaction to have a legitimate one confirm faster is not a double spend, like at all. Up until the moment one of the transactions confirms, no funds have changed hands. What you're also conflating is the fact that the hash collision has no influence on transacting funds in the first place. The DCI report recently released their vulnerability exploiting code which demonstrated that in order to actually use colliding transaction hashes to create fraudulent transactions, the fraudulent party would have to have access to the seed, at which point the whole thing becomes moot anyway. Adding to all this, the hashing function has long since been replaced, further compounding the moot-icity.


Isn't a race a way to delay individual transactions and essentially a DoS for targeted members of the network?


For the double spend to occur, you would need access to the seed (private key) which the victims had and are trying to outrun the attacker in the case you were describing.


>For the double spend to occur, you would need access to the seed (private key) which the victims had and are trying to outrun the attacker in the case you were describing.

So it works a bit like replace-by-fee on bitcoin? There is no mining on IOTA so what is the possible time frame? Do you have more detailed technical information on how this works? Thanks


New transactions are selected randomly to be verified. So in case the attacker's transaction is still not confirmed there is a chance to outspend him by having the private keys. I find this useful in understanding the confirmation/consensus mechanism. https://forum.iota.org/t/iota-consensus-masterclass/1193


You know how hash collisions work and why it is important to have a hashing algorithm for which it is hard to force collisions.

It is so you do not need to know the private key. So that you can forge fraudulent transactions without knowing the private key.


Still not a double spend.


The fun part is, that if you want to discuss such details (and I have much more) with an IOTA enthusiast, I get things like "I don't understand the technical details, but the founders say so you must be wrong. You are just discrediting me."

So how do you want to discuss the details when people are just convinced without having knowledge themselves?


Belief is real.


Blockchain + IOT = enough buzzwords to profit off of the greater fool theory.


Who said blockchain?


They do. "IOTA - Next Generation Blockchain" (https://iota.org/)


Also note the extremely flashy web site.


$6b market cap as of now and to think that it used to be $14b https://www.coingecko.com/en/price_charts/iota/usd was madness enough


This[1] is a recent (yesterday) interview with David Sønstebø founder of IOTA. He addresses the points you are mentioning.

[1] https://www.youtube.com/watch?v=GwhJQ67zxbg


You can read more concerns about IOTA and ternary in this thread: https://news.ycombinator.com/item?id=15980675

IOTA rebutted MIT here: https://blog.iota.org/official-iota-foundation-response-to-t...


Even the rebuttal is immature and badly thought out, much like their cryptography.

They start by implying that the MIT Media Lab isn't really MIT (what the fuck) as an ad-hominem way to dodge their criticism. Later they whine "But Zcash rolled their own crypto, why can't we?!" which shows they really don't even understand the context of what they're doing.


1) No, the whole implementation of the ledger is written in ternary. Its current hashing function is called Kerl. The vulnerability that DCI claimed existed is impossible to be used in the wild because an attacker would have to have seed level access to the wallet at which point, any attack vector becomes moot.

2) The IOTA Foundation and the community expressly warned not to trust unaffiliated sites. Saying they relied on them is just shady. Would we hang TBL for inventing email because people had their money stolen by Nigerian scammers? No, because shifting blame on the man would be even more stupid than wiring thousands of dollars to someone you don't know. Seed generation is, in this current non-feature-complete implementation, simply not a priority. Creating a seed is not hard and if you can't muck one up, nobody is forcing anyone to try and feed their greed trying to "enter at the ground floor, lambo lol!!!" using IOTA. I would wait for a wallet implementation that comes with a generator.

3) IOTA is very, very young and by far not feature complete. Hanging it out to dry because it isn't yet isn't exactly fair. Everything had to start somewhere. Though, with all that in mind, it still works rather well in my experience and it scales. It solves a lot of problems inherent with blockchain and it has a future market goal it wants to service. The rest is speculation. As always, I guess.


Why would ternary be at all a good basis for this sort of software? I could imagine some use cases at the hardware level, but in software it’s just nonsense.


Their argument for using ternary is that it is 8 times more efficient than binary and it is very important for IoT devices which need to have low energy consumption and a long life, whereas the conversion from ternary to binary would add only a 10% additional usage.

They are trying to push the ternary to see if adoption can take off. All it needs is a few thousand logic gates on any traditional chip. If it doesn’t get adopted, they said they can always go back to binary.


Ternary computation does reduce the number of operations for things like multiplication, that’s correct. But if the rest of the modern world isn’t also ternary, you actually introduce performance overhead that reduces your overall efficiency. A bit-based computation has two states, and a trit-based computation has three. Since 3 isn’t a power of 2 (or even, for that matter), you’ll have a remainder when you convert your ternary multiplication to binary.

Considering this, it doesn’t really make sense that the Iota founders made a decision to not only introduce a novel cryptocurrency system (the tangle), but to also try to push ternary adoption. That’s a monolithic amount of work from a research and business perspective, and it strains credulity that they could engage in this with a full understanding of what they’re doing. Their work is completely divorced from the rest of the academic community, which has many well-respected researchers with a vetted track record already.

Innovation usually happens in incremental steps forward, building from the (recent) work of others. Much more rarely, it manifests as a large leap forward without significant cumulative work. But it approximately never happens that a new state of the art combines several large and orthogonal leaps forward. It’s not impossible, but my outlook is strongly pessimistic.

When you combine this with the frankly odd (and potentially unethical) behavior the founders are showing - rolling their own cryptography out of ignorance or to attempt to sabotage other open source projects - it becomes extremely hard to take the work seriously.


> 8 times more efficient than binary

They're claiming this, for what operation? And similar question for the 10% usage claim.

I suspect storage will be the same when you get done packing into machine words and storing those, yes? Unless they're not using all the bits in a word...

Any independent references for ternary efficiencies for any operation?


If I understood it correctly, they're claiming that it's more efficient on native ternary hardware, and it has no advantage on binary hardware. The people behind IOTA are also connected in some fashion to the development of such a ternary computer.


Oh wow. Now that you mention this I totally remember this project from like 2015 when some people, including Come-From-Beyond, were raising money for some sort of ternary computing hardware project.

Totally forgot about it, and never put two and two together (three and three? :P) to link it to IOTA. Now that they are quite wealthy, I wonder if it will become a reality. I'm highly skeptical, but I really don't know enough to form a real opinion. Definitely one of those things that make you go 'huh?' though.


I am not sure about the 8 times efficiency and 10% argument. The founder said that in his interview yesterday. https://m.youtube.com/watch?v=GwhJQ67zxbg I just found this article about ternary and, as you said, storage needs to be in ternary too. The main reason seems to be that it is close to the value of “e”: https://www.techopedia.com/why-not-ternary-computers/2/32427


Unless you have access to physical trits, you're going to be emulating them with two bits each...


There's actually this really clever emulation you can do where you don't blindly use two bits per trit, but fractionally pack the trits into bits such that you don't end up with any wasted bits. This has the further advantage that since it produces the same inputs and outputs as binary encoding that you can use the native binary hardware on the CPU to do all your math. Because it is the native binary encoding.

One of the reasons I wouldn't trust IOTA any farther than I could personally throw the entire development team is that writing a strong cryptocurrency requires a deep understanding of mathematics, and theirs is the sort of shallow I'd expect from a high schooler. They appear to be operating under the misapprehension that numbers come with their base built into them, as if they are operating in a mathematics regime where "10 != 0xa != 012(octal) != 1010(binary)", and anyone that confused about mathematics is not someone you want designing your CSS stylesheets ("no, that's rgb(255, 255, 255), you really want #fff. Or maybe #ffffff."), let alone your cryptocurrency.


I guess I shouldn't be surprised that you can use a clever encoding to work with trits natively but "clever encodings to pack trits" seems like something of an antifeature when we're talking about anything within a mile of cryptography...


I was being sarcastic, because the optimal packing of a "trit-based number" into binary is just binary.

It is possible to sit down and work it all out on paper, and you can work out how many trits using logarithms you can pack into a given number of bits, etc etc., but all the terms will cancel and the math will tell you that you just end up with binary again. You can end up with quite the table explaining how to add "binary-encoded base-3" numbers together if you insist on holding on to the idea that base-3 numbers somehow exist separately from base-2 numbers, but in the end it'll all just cancel out. You can get some idea of what it would look like, and how silly it would be, if we trained people to add numbers together by first converting them into binary, adding them in binary, and then converting back to decimal, since that would be the same thing, just with different bases, but does capture how inconvenient it is to do math that way when your bases can't be translated via lookup table (i.e., hexadecimal <-> binary can be done mechanically on a string basis for the number, unlike 2 <-> 3 or 2 <-> 10 (thanks to the factor of 5 in the 10)). And then imagine that as we are teaching people that maneuver that we are telling them that the binary-encoded representation is the real number, and the base-10 encoding is a fake number that can't be trusted or used the same way.


5 trits fit neatly into a byte however (3^5 = 243 < 2^8)...
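The three encodings argued over in the comments above (two bits per trit, five trits per byte, and treating the whole trit string as one base-3 integer), worked out as an added illustration. This is not code from any commenter or from IOTA; it assumes unsigned trits with values 0, 1 and 2 (balanced ternary differs only by an offset of one per trit), and the scheme names and helpers are mine. It shows what the "all the terms cancel" remark means in numbers: the radix encoding approaches log2(3) bits per trit, the five-per-byte trick gets close, and two bits per trit wastes a quarter of the storage.

```python
import math
import random
from typing import Callable, Dict, List, Tuple

LOG2_3 = math.log2(3)  # about 1.585: the number of bits one trit actually carries


def pack_two_bits_per_trit(trits: List[int]) -> bytes:
    """Naive encoding: 2 bits per trit, 4 trits per byte (code point 3 is never used)."""
    out = bytearray()
    for i in range(0, len(trits), 4):
        chunk = trits[i:i + 4]
        chunk += [0] * (4 - len(chunk))      # zero-pad the final group
        b = 0
        for t in chunk:
            b = (b << 2) | t
        out.append(b)
    return bytes(out)


def unpack_two_bits_per_trit(data: bytes, n: int) -> List[int]:
    trits = [(b >> s) & 3 for b in data for s in (6, 4, 2, 0)]
    return trits[:n]


def pack_five_per_byte(trits: List[int]) -> bytes:
    """Five trits as one base-3 number 0..242 per byte (3**5 = 243 <= 256)."""
    out = bytearray()
    for i in range(0, len(trits), 5):
        chunk = trits[i:i + 5]
        chunk += [0] * (5 - len(chunk))
        v = 0
        for t in chunk:
            v = v * 3 + t
        out.append(v)
    return bytes(out)


def unpack_five_per_byte(data: bytes, n: int) -> List[int]:
    trits: List[int] = []
    for v in data:
        group = []
        for _ in range(5):
            group.append(v % 3)
            v //= 3
        trits.extend(reversed(group))
    return trits[:n]


def pack_radix(trits: List[int]) -> bytes:
    """Optimal packing: the whole trit string is one base-3 integer, written in base 2.
    This is plain binary; nothing ternary survives in the stored bytes."""
    v = 0
    for t in trits:
        v = v * 3 + t
    n_bytes = ((3 ** len(trits) - 1).bit_length() + 7) // 8
    return v.to_bytes(n_bytes, "big")


def unpack_radix(data: bytes, n: int) -> List[int]:
    v = int.from_bytes(data, "big")
    trits = [0] * n
    for i in range(n - 1, -1, -1):
        trits[i] = v % 3
        v //= 3
    return trits


Packer = Callable[[List[int]], bytes]
Unpacker = Callable[[bytes, int], List[int]]
SCHEMES: Dict[str, Tuple[Packer, Unpacker]] = {
    "two_bits": (pack_two_bits_per_trit, unpack_two_bits_per_trit),
    "five_per_byte": (pack_five_per_byte, unpack_five_per_byte),
    "radix": (pack_radix, unpack_radix),
}


def bits_per_trit(n: int) -> Dict[str, float]:
    """Storage cost of each scheme for n trits; the trit values do not affect the size."""
    trits = [0] * n
    cost = {name: len(pack(trits)) * 8 / n for name, (pack, _) in SCHEMES.items()}
    cost["theoretical_minimum"] = LOG2_3
    return cost


def sample_trits(n: int, seed: int = 7) -> List[int]:
    """Constructed test input, seeded so runs are reproducible."""
    rng = random.Random(seed)
    return [rng.randrange(3) for _ in range(n)]


def roundtrip_ok(trits: List[int]) -> bool:
    """Every scheme must decode exactly what it encoded."""
    return all(unpack(pack(trits), len(trits)) == trits for pack, unpack in SCHEMES.values())


if __name__ == "__main__":
    for name, cost in bits_per_trit(1000).items():
        print(f"{name:20s} {cost:.3f} bits/trit")
```

For 1000 trits the three schemes need 250, 200 and 199 bytes respectively; the radix form is already within a few bits of the log2(3) bound, and it is simply the binary integer that the CPU does arithmetic on anyway.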


IOTA is built for the internet of things and more specifically for sensors operating in the field. Perhaps with limited access, perhaps with long intervals between service periods. Generally, you wouldn't care about an 8 fold efficiency increase when you're hooked up onto a powerline but remote sensing equipment does.


Such devices are using ARM Cortex M0, M1, or M3 processors. Maybe even lower power Atmel stuff like in the Arduino. Such devices are connected via either expensive uplinks or slow uplinks like with LPWAN.

For all these applications IOTA is not feasible. It is not feasible because the ternary logic needs to be emulated on a processor that itself has not even enough beef to do cryptographic functions by itself. If they have cryptographic support, like e.g. the SE series from STM with a Cortex M0 as used in the Ledger Nano S, then this is optimized for standard cryptographic algorithms and not for some newly invented stuff.

Also if we talk about IoT sensor networking with LPWAN (LoRa, SigFox, ...) then bandwidth is a real issue. That means collecting transactions from others and doing PoW on that before sending off your own transaction is completely unrealistic. The remote sensor just wants to transmit its data. But that would mean the LPWAN gateway needs to be a full node doing the PoW. But LPWAN works such that everybody can listen to transaction requests, and so we are back to the collisions problem.


Great, someone else quoting 8x efficiency. Maybe you know about the claim? We understand the motivation, which keeps getting mentioned, but what I think we all want to know is:

  8x efficiency _of_what_compared_to_what_?


1. There have been no vulnerabilities in the past. Please read: https://blog.iota.org/official-iota-foundation-response-to-t...

2. If people are unable to generate a simple seed (password) on their own, how can they even begin to understand cryptocurrency or even new tech based on IoT? Still, yes it should be in the wallet and it will be added, but only for investors, I guess?!

3. Please read the following from their AMA: https://www.reddit.com/r/Iota/comments/7goul4/iota_founders_... and https://www.reddit.com/r/Iota/comments/7tltz2/live_interview...

Is their market cap justified? Is the entire crypto market cap justified? The whole idea is to invest in tech that can change the future. Who knows which party will be the winner. It's a dare to believe in something magical, like IOTA. Or put your luck into something more real like Bitcoin, for example. Alas, it's good to have doubts, but this blogpost is alarming and not IOTA.

PS: A small portion of my crypto investments are in IOTA, but never press your luck on a single coin.


1. The vulnerability existed in their active codebase and network - only AFTER the research team contacted IOTA with the working exploit did they shut the entire (centralized) network down to patch the code.

  “In 2017, leaving your crypto algorithm vulnerable to 
  differential cryptanalysis is a rookie mistake. It says 
  that no one of any calibre analyzed their system, and that 
  the odds that their fix makes the system secure is low,”

  Bruce Schneier, renowned security technologist,
  about IOTA when we shared our attack.

  We discovered a vulnerability in IOTA after reviewing 
  their code on GitHub in July. We disclosed what we found 
  to the IOTA team on July 14th, and have been in contact 
  with them since then as we discovered new issues and 
  exploits. IOTA issued a patch that addresses the 
  vulnerabilities we found on August 7th. IOTA no longer has 
  the vulnerabilities we found, they have been fixed. To 
  learn more about the details of our attack, you can view 
  the full disclosure and review our attack examples.

https://github.com/mit-dci/tangled-curl/blob/master/vuln-iot...

https://github.com/mit-dci/tangled-curl

2. If every other cryptocurrency software team can implement seed generation in their wallet software, why does IOTA refuse to?

3. Please read this comment from the CEO of IOTA, David Sønstebø on why he doesn't care if you lose money using IOTA: https://reddit.com/r/CryptoCurrency/comments/7gwl38/hello_gu...


1) In order for the attack to succeed, the attacker would have to have access to the seed at which point the entire thing becomes moot.

2) The android wallet has seed generation. So it's not a question of "refusal", more a question of priorities. Seedgen had not been a priority of the team. We can argue if it's good or bad but at the end of the day, it is what it is. Creating a seed is not hard and if you can't put in the effort, well nobody is forcing you to jump into cutting edge experimental technology in search of lambo when!!!

3) Please click "parent" on that comment in order to realize that, yes, this is not a reply to the original post of the thread but to another person unlike it was made out to be and context does matter. Who knew?


1. The attack the MIT team developed on IOTA was a way to efficiently brute force wallet key combos to forge transactions of funds.

2. Every other cryptocurrency has implemented the seed generator as it's the most basic and fundamental feature necessary for this type of software. It's so trivial to implement, it really begs the question of why the IOTA team didn't just include it in all their software releases.

3. The comment CEO David Sønstebø was directly replying to was just commenting on how confusing the software is compared to other cryptocurrency wallets:

  I know it sounds simple newb mistake, but even me I 
  probably would have made that mistake and having been 
  using crypto for a while.

  So to sum it up don't use same receive address in IOTA.
  I'll try to burn that in the back of my brain.

To add insult to injury regarding the OP who lost $30,000, it sure sounded like David was indirectly referencing that user's loss with his response to the above comment:

  "Price to pay for quantum security :) " - David Sønstebø, IOTA CEO


> 1. There have no vulnerabilities in the past.

I don't know man, the MIT Digital Currency Initiative found a pretty bad one last August:

https://medium.com/@neha/cryptographic-vulnerabilities-in-io...

>  the IOTA developers had written their own hash function, Curl, and it produced collisions (when different inputs hash to the same output). Once we developed our attack, we could find collisions using commodity hardware within just a few minutes, and forge signatures on IOTA payments. We informed the IOTA developers, they patched their system, and we wrote a vulnerability report


What’s even worse is that they claimed the flaws were deliberate, and a method of ‘copy protection’, where the flaws were somehow avoided in their full codebase but would cause any competitor that copied their open source code to suffer the flaws.

Smells like a BS excuse to me, and if true, perhaps an even bigger red flag as it strikes me as a very unethical move that is antithetical to open source ideology.


Just to be clear, for the vulnerabilities DCI found to be exploited, the victim has to practically give away their private key at which point the described attack is moot.

IOTA's developer CFB used this kind of copy protection when he developed NXT, and his entire history is littered with arguing for putting a copy protection in place. His argument for putting that in place is that any legitimate developer would review the code for vulnerabilities and kinks before implementation and only those trying to plagiarize the work would literally copy paste the code. That seems a rational argument to me and I am not entirely sure if the copy protection in IOTA’s case is deliberate or not, but they say it is and his historical work seems to be in line with that.



You should really read my first link and https://twitter.com/c___f___b/status/956445618381246464

The MIT-DCI are not credible..


I value the MIT Media Lab and its DCI group pretty highly. There is nothing about the Media Lab or the DCI in that first link of yours. [1]

So what were you trying to say?

What I did find in that first link of yours [1] is this gem though:

> The IOTA hash function, Curl-P, was designed to allow for practical collisions. The IOTA protocol’s security depends solely upon the one-wayness of the function, not its collision resistance. The rationale behind the design of Curl-P is a much more complicated question which we explain in detail.

This statement is alarming on so many levels.

[1] https://blog.iota.org/official-iota-foundation-response-to-t...

// edit: oops, I see now that it's a multipart post, so I'll have a look there.

// edit: yeah okay, nothing of substance in the other parts either.
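Why the quoted claim that "security depends solely upon the one-wayness of the function, not its collision resistance" is alarming, tied to the DCI summary earlier in the thread (collisions in the hash let signatures on payments be forged). The following is constructed teaching code, not IOTA's, DCI's or any commenter's: a deliberately crippled hash (SHA-256 cut to 16 bits) stands in for a collision-prone function, and an HMAC stands in for the signature. The hash is still one-way in the sense that no single target digest is inverted; what breaks is that a tag covers only h(msg), so any second message with the same digest verifies under the same tag. The message templates and the fixed key are my own sample values.

```python
import hashlib
import hmac
from typing import Callable, Dict, Tuple

Hash = Callable[[bytes], bytes]


def strong_hash(msg: bytes) -> bytes:
    """Full SHA-256: no practical collisions are known."""
    return hashlib.sha256(msg).digest()


def weak_hash(msg: bytes) -> bytes:
    """Toy stand-in for a collision-prone hash: SHA-256 truncated to 16 bits.
    Inverting a given digest still means guessing, but with only 65536
    possible outputs two messages sharing a digest are easy to find."""
    return hashlib.sha256(msg).digest()[:2]


def sign(key: bytes, msg: bytes, h: Hash) -> bytes:
    """Hash-then-sign; HMAC plays the role of the signature primitive.
    Only h(msg) is covered, which is the whole point of the demonstration."""
    return hmac.new(key, h(msg), "sha256").digest()


def verify(key: bytes, msg: bytes, tag: bytes, h: Hash) -> bool:
    return hmac.compare_digest(sign(key, msg, h), tag)


def find_collision(h: Hash, template_a: bytes, template_b: bytes,
                   table_size: int = 4096, limit: int = 1 << 20) -> Tuple[bytes, bytes]:
    """Find one message from each family with equal digest under h.
    Family A is what the signer is shown; family B is what the tag ends up
    covering as well. Only feasible because weak_hash is tiny."""
    table: Dict[bytes, bytes] = {}
    for i in range(table_size):
        m = template_a + str(i).encode()
        table[h(m)] = m
    for j in range(limit):
        m = template_b + str(j).encode()
        d = h(m)
        if d in table:
            return table[d], m
    raise RuntimeError("no collision within limit")


def demo() -> Dict[str, bool]:
    """Sign one message with the weak hash and check which messages the tag accepts."""
    key = b"\x01" * 32  # constructed fixed key so the run is reproducible
    benign, other = find_collision(
        weak_hash,
        b"transfer 1 unit to account A, nonce ",        # constructed sample message
        b"transfer 1000000 units to account B, nonce ",  # constructed sample message
    )
    weak_tag = sign(key, benign, weak_hash)      # signer only ever saw `benign`
    strong_tag = sign(key, benign, strong_hash)  # same message, real hash
    return {
        "messages_differ": benign != other,
        "same_weak_digest": weak_hash(benign) == weak_hash(other),
        "benign_verifies_weak": verify(key, benign, weak_tag, weak_hash),
        "other_verifies_weak": verify(key, other, weak_tag, weak_hash),
        "benign_verifies_strong": verify(key, benign, strong_tag, strong_hash),
        "other_verifies_strong": verify(key, other, strong_tag, strong_hash),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

The defensive reading is the usual one: a hash used under a signature must be collision resistant whenever the signer signs content it did not fully author (a transaction bundle assembled by someone else, for instance), and swapping in a full-width standard hash, as the thread says IOTA later did with KECCAK-384, is the fix rather than an optional upgrade.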


Part 4 explains the Curl-P part in more detail, and it doesn't inspire any confidence. They are claiming that they intentionally inserted a known bad hash function in the open source part of the code, so that any "fraudulent" clones would be useless. The closed source coordinator is claimed to avoid this problem by some way, so they claim that the IOTA network is not affected.

I'm having a very hard time believing that explanation, but even if I do, it's still something that shows bad judgement in my opinion.


0. I upvoted this response because it provides a legitimate answer to the question of "what's the other side" / "how can people possibly find IOTA a good idea." I hope others do too: it's relevant to the conversation, even if we disagree with the merits of the post.

1. Parts 1 and 2 were all fluff. Part 3 responds to the actual technical claims, and several paragraphs of fluff later, confirms the MIT claim that funds were transferred out of user accounts to an account controlled by the IOTA Foundation without user consent. (They had consent from some other network participants / the "community", and supposedly they had very good reasons for it.) I gave up by part 4, sorry.

Where I come from—which happens to be MIT, in fact—security protocols have a threat model, either stated or unstated, and a confused threat model is a legitimate criticism. One of the common unstated parts of the threat model of cryptocurrencies is that, unlike with a government-issued currency, the organization behind the currency should not be implicitly trusted and certainly should not be able to take your money for your own good. Is this part of the IOTA threat model? What exactly is required technically for this sort of transfer?


If IOTA is supposed to be something that regular people will use (either directly or indirectly through interactions with IOT devices), point #2 doesn't seem relevant.

You can use a credit card without ever having to calculate your own Luhn checksum. You can send money to a bank account without having to untangle the rat's nest that is ACH.

It makes the IOTA team's priorities look skewed when they don't have basic wallet functionality, but they have time to implement ternary math and new cryptographic primitives that aren't useful with existing hardware.


Requiring users to choose a password as a seed for their keys is a catastrophically bad vulnerability. Is that really how IOTA works?


Sort of. You have to generate a seed (like a private key) and use that to log in. The seed has to be random. Some used dice, others /dev/random.

I fully expect a wave of stolen IOTA to come from people who typed a 'random' code.
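The two seed sources the comment above mentions, dice and /dev/random, written out as an added example (not code from the commenter or from IOTA). It assumes an 81-character seed over the 27 symbols A-Z plus 9, which is my assumption rather than something the thread states, and the function names are mine. The dice path includes the rejection step needed to keep every symbol equally likely, and the last function is the kind of cheap check a wallet could run to refuse a "random" string someone typed by hand.

```python
import math
import secrets
from typing import Iterable, Optional

# Assumption (not stated anywhere in the thread): a seed is 81 symbols drawn
# from the 27-symbol alphabet A-Z plus '9'. Change these for another format.
SEED_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ9"
SEED_LENGTH = 81


def entropy_bits(length: int = SEED_LENGTH, alphabet_size: int = len(SEED_ALPHABET)) -> float:
    """Entropy of a seed whose symbols are chosen uniformly and independently."""
    return length * math.log2(alphabet_size)


def seed_from_csprng(length: int = SEED_LENGTH, alphabet: str = SEED_ALPHABET) -> str:
    """The /dev/random route: secrets.choice is uniform over the alphabet and
    backed by the OS CSPRNG; random.choice is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seed_from_dice(rolls: Iterable[int], length: int = SEED_LENGTH,
                   alphabet: str = SEED_ALPHABET) -> str:
    """The dice route. Three d6 rolls give 216 equally likely values 0..215;
    only values below 189 (= 7 * 27) are kept, so each of the 27 symbols is
    reached by exactly 7 values. Taking value % 27 over all 216 outcomes
    would favour the first symbols of the alphabet."""
    if len(alphabet) != 27:
        raise ValueError("this dice mapping is built for a 27-symbol alphabet")
    rolls = list(rolls)
    if any(r < 1 or r > 6 for r in rolls):
        raise ValueError("rolls must be 1..6")
    out = []
    pos = 0
    while len(out) < length:
        if pos + 3 > len(rolls):
            raise ValueError("not enough dice rolls for the requested length")
        a, b, c = rolls[pos:pos + 3]
        pos += 3
        value = (a - 1) * 36 + (b - 1) * 6 + (c - 1)
        if value >= 189:
            continue  # rejection sampling: about 12.5% of triples are discarded
        out.append(alphabet[value // 7])
    return "".join(out)


def weak_seed_warning(seed: str, length: int = SEED_LENGTH,
                      alphabet: str = SEED_ALPHABET) -> Optional[str]:
    """Cheap wallet-side sanity check: None for a plausible seed, otherwise a
    reason. A uniformly random 81-symbol seed over 27 symbols uses about 25
    distinct symbols and practically never repeats one six times in a row,
    so these thresholds sit far outside what chance produces."""
    if len(seed) != length:
        return f"length {len(seed)}, expected {length}"
    bad = sorted({c for c in seed if c not in alphabet})
    if bad:
        return f"symbols outside the alphabet: {''.join(bad)}"
    if len(set(seed)) < 18:
        return f"only {len(set(seed))} distinct symbols"
    run = longest = 1
    for prev, cur in zip(seed, seed[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest >= 6:
        return f"a symbol repeated {longest} times in a row"
    return None


if __name__ == "__main__":
    s = seed_from_csprng()
    print(s, weak_seed_warning(s), f"{entropy_bits():.0f} bits")
```

The heuristic check is not a substitute for generating the seed properly; it only catches the obvious hand-typed cases, which is exactly the class of seeds the comment above expects to see drained.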


I'm tempted to write a cracker for shitty seeds people come up with, but given what I've heard of the design of IOTA, I'm afraid of getting brain damage trying to understand and reimplement their algorithms.


I've thought about this too but determined that it's too black hat for me.

Also look at it yourself, don't listen to others. Everyone is trying to do price manipulation on anything remotely related to crypto.

I thought the white paper and code were really interesting and thought-provoking fwiw, regardless of the viability of the project itself.


No they used a online seed generator..


Thank you for your reply (and I don't understand the downvotes), but I can't say it really changed my view on the currency.

>1. There have no vulnerabilities in the past. Please read: https://blog.iota.org/official-iota-foundation-response-to-t....

Let's have a look then. It's in 4 parts, the first two are not about the purported vulnerability but rather complaining that the people behind the discovery didn't disclose it properly and might have a hidden agenda. Fair enough I guess, but it's odd to start with that, it would make a much better point if it came after a strong rebuttal regarding the technical aspects of the vulnerability.

Then we get to the meat of the issue in the middle of page 3:

>2. IOTA Protocol Security and Tangle Reliability

So they start by addressing the "IOTA's coordinator is a single point of failure". Their reply is that... It's true but they never pretended that it was otherwise and that it's temporary:

>IOTA node operators, understanding the importance of the Coordinator’s role in securing the network while it is still young, voluntarily suspended operations during this time.

>The purpose of the Coordinator in the infancy stage of the IOTA network has been transparently communicated throughout the history of IOTA. As the team has explained at length, the Coordinator is a temporary measure to help bootstrap the network and protect it during its infancy. Once there are enough full nodes and transactions to secure and sustain the IOTA network, the Coordinator will be permanently removed from the network. The specific reasons for this are complicated; there is a more detailed explanation on page 19 of the white paper: “...this indicates the need for additional security measures, such as checkpoints, during the early days of a tangle-based system.”

So there's a solution in whitepaper form. As far as the current state of IOTA, they have not debunked any of DCI's claims. But that's still not really the main issue, the one about the broken hash function. They sure do take their time to get there.

Next they talk about whether or not IOTA devs can mess with IOTA accounts. Honestly I don't understand the issue well enough to pass a judgement but if I understand correctly they sort of forked IOTA "ethereum-style" in order to protect the users:

>Ultimately, in order to implement the preventative measures mentioned above, a special snapshot was scheduled wherein all funds vulnerable to theft were tagged with a key reuse marker.

They also say that "Importantly, these protective measures were only possible with the direct and active support of the IOTA community". Except that since they control the coordinator, what would happen if the community hadn't agreed? Can they go their own way without coordinator? Would they have to elect a new one?

Let's skip ahead and get to the vulnerability with the hash function, the last point of the last page in this document. This line stuck out to me:

>The answer is that the Coordinator was specifically designed, in addition to other purposes, to prevent precisely such an attack.

Ah, the coordinator again. Beyond that I don't understand the issue deeply enough to judge whether or not the vulnerability is as bad as DCI said so I can't decide who's right. I do find the justification behind the weakness rather... strange though:

>In summary, Curl-P was indeed deployed in the open-source IOTA protocol code as a copy-protection mechanism to prevent bad actors cloning the protocol and using it for nefarious purposes. Once the practical collisions were uncovered, its purpose as a copy-protection mechanism was of course rendered obsolete (it only works for as long as it remains unknown) and IOTA reverted to the industry standard KECCAK-384 cryptographic function.

So... there's nothing wrong with the function, it's just some kind of protection against people cloning the protocol (why is that a problem?) but even though everything is absolutely fine they decided to replace it anyway? It seems like such a weird decision, and also a bad precedent (you shouldn't have hidden functionality in your open source peer-to-peer cryptocurrency). It reminds me of Intel's "Spectre and Meltdown are the CPU operating exactly as designed" PR stunt.


Oh man, this article reminded me I should sell what little IOTA I have, so I tried to. Here's what happened:

I launched my wallet and saw a zero balance and zero transactions. I looked around and heard from some friends that I need to convert my funds or something, because there was a "snapshot" yesterday.

I clicked the "re-attach" button and waited for a few minutes. It failed, so I did it again and again and again. After half an hour and five times or so, it succeeded and I could see my balance.

I tried to send funds, the wallet said "sending" for around ten minutes, and then it finally said "success". I waited for the funds to confirm (there were three transactions, two of which were zero for some reason), but 70 minutes later it still hadn't.

A friend told me I should "re-attach" the transaction and "promote" it. Apparently, "promoting" sends five transactions that reference yours, to confirm it. I imagine the transactions are zero-fund transactions that just spam the network to self-confirm your own one. Who confirms the confirmers?

This is absolutely insane and I can't believe this thing ever got traction. It feels like hacks upon hacks upon hacks. It doesn't even work right! Did any of the people who bought these coins try to ever use them for anything?


No offense but your comment is unintentionally humorous because you're asking all these sane questions blaming the mindless people who bought into IOTA, but you happen to be one of them as you describe yourself.

> This is absolutely insane and I can't believe this thing ever got traction.

It got traction because people--including yourself--bought into it without thinking much.

> It feels like hacks upon hacks upon hacks. It doesn't even work right! Did any of the people who bought these coins try to ever use them for anything?

Yeah, like yourself. You never actually tried to use the coins for anything until this point when you are now finally trying to "cash out".


> You never actually tried to use the coins for anything until this point when you are now finally trying to "cash out".

An alternate (and correct) interpretation is that I bought IOTA as I thought I may end up using it in my IoT projects. I didn't (probably because nobody working for IOTA actually cares about IoT), and now I want to sell them for a more useful currency.

Not everyone wants coins for speculation, but you're forgiven for thinking otherwise.


The other possibility (not just you and IOTA, but for others) is that a lot of coins have free offerings at their launch to get things off the ground. Stellar is an example.

So yeah, just because someone owns coins doesn't mean they are/were mindless speculators.


Oh, true, they did give out some coins (me included).

Yet another possibility (which is how... a friend of mine... uses coins) is buying weed from the dark web. That's a big use case right now.


I bought my first legal weed in California yesterday and it was a very interesting experience. I don't usually smoke but I wanted to see what the store was like. It was strictly cash only. They had several ATM's installed in the building. Security was tight for this reason. It's hard to process that it's now legal.


Is it completely legal now? Do you no longer even need a prescription?


It is completely legal now and I didn't need a prescription card. They asked me if I had a prescription card, for what reason I don't know, because I've never had one and they don't require it anymore. I think perhaps medical clients get discounts or special deals?


Probably asked so they don’t charge some kind tax or something...


There are explanations and reasons for everything, but it doesn't matter much if you are disappointed with your experience and want to sell. It seems to me you have run out of patience / have lost your faith that IOTA will ever get where they want to get.

To be honest, I don't think anybody's personal user experience has been much of a concern to the IOTA project up until now. The new wallets might change that, so you might want to hold on to your coins until then.

They promise to solve all of the issues that you mention:

- Automatic node selection rather than the limited amount of nodes currently listed in the wallet software.
- Automatic re-attaching and promoting transactions.
- Address re-use detection.

Automatic and distributed snapshotting of the network is also on the roadmap, this would address your zero balance issue.

But like I said, if you have run out of patience and you have your eyes on other projects that do deliver what you are looking for, then by all means...


I hope the new wallets fix everything, but, in my opinion, having to promote transactions is a terrible hack and the new wallets don't seem to fix that (they just make it automatic).

Combine that with the hand-waving of the vulnerabilities by the community, and it's not a good sign. However, I'm not really interested in speculating about the price (I've never bought more than $100ish worth of any cryptocurrency), it's just that I don't see IOTA being a useful currency for me to play with.


I have been on HN for 3 years now but I have never seen anything like this thread. There is a sheer amount of sockpuppet accounts being created to defend IOTA.


You know how people can get irrationally invested in defending gaming consoles because they’ve bought one for $500?

Imagine what it feels like when you have tens of thousands of dollars invested in something where the flamewars might actually have a real effect on whether you ten-double your investment or not.

I think it’s gonna get much uglier than this down the road.


It happens sometimes when a popular project gets criticized on HN and people make accounts to defend it. What we do in such cases is close the thread to new accounts, and we've done that here.


It's fascinating how some cryptocurrencies are starting to generally move towards centralization and away from the core principles of Bitcoin.


I just copy paste from CfB's response, in case you missed it:

Thank you. This article was useful for me, it showed what details of IOTA haven’t been highlighted yet. Below I list incorrect things from the article, if you find time it would be great if you paid more attention to them and shared your thoughts:

“IOTA has no limit on transactions and therefore, it has no limit on bandwidth requirements or disk space.” — In the future the majority of the nodes will be swarm nodes forming clusters and using Swarm Intelligence. A swarm can process more transactions than a single full node.

“This means, if you run a full IOTA node, anyone on the IOTA network can write data to your hard drive with just a small, extremely low cost proof-of-work.” — IOTA was created for the Internet-of-Things with network-bound PoW in mind, the current state of things is temporary.

“Over time, the IOTA transaction set size can grow unbounded, leaving only storage farms with the resources required to host the data.” — This is incorrect even for Bitcoin because of pruning techniques.

“My past experience working at companies that develop hardware products tells me this does not make sense in any other way but a marketing bullet.” — While this thing is likely correct I decided to list it here. IOTA team has experience working at companies developing hardware products too. Even more, I bet your smartphone contains a chip developed by one of our advisors.

“IOTA claims their Ternary-based Proof-of-Work function will work with IOT because it uses minimal power, but I contend that any power usage more significant than signing a transaction is too much because there is another alternative approach.” — As I already said, IOTA will be using network-bound PoW, which will be consuming less energy than required for a transaction signing.

“Contacting a central server run by the company that built the IOT device, announcing the need to submit a transaction at which point the centralized server will submit the transaction on the device’s behalf.” — You described the Internet, not the IoT. Please, refer to “Connectivity” section of https://iot.ieee.org/newsletter/march-2017/three-major-chall..., it explains why you are very wrong.

“In the case of IOTA the client software design intends to kick nodes off the network that do not participate enough, so being even just a passive listener is not an option.” — And again you talk about the Internet, not about the IoT. Googling for reasons of not using IP(v4/v6) should show you the mistake.

I don’t mention insignificant mistakes in your reasoning, all those seem to be caused by the lack of information about IOTA. This is an issue that the IOTA team is working on.


This is a very.. immature and amateurish response at best, purposely deceptive at worst.

OP talks about what IOTA _is_. The response is: "You are wrong because we _hope that IOTA will be different in the future_". How does this response make any sense at all?


"Swarm Intelligence" - Okay, I stopped there. Can't throw something like that out without a link or commentary.

Getting a decentralized swarm to implement transaction processing is highly non-trivial, especially when (as the OP highlights) incentives are delicate and the entire system must be extremely secure.


Especially true since parallelizing the processing of transactions is orders of magnitude easier than parallelizing STORAGE of transactions in decentralized systems - he's deflecting the criticism towards an easier problem.


... which is the opposite of what a good engineer does. A good engineer focuses first on the hardest aspects of the problem, and tends to guide discussion there.


They perform 'tip selection' using a random walk. Given the nature of the Tangle Tips as a nebulous cloud, could there be any better way?

And you can't enforce tip selection.


As simias notes in another post on this thread, most of IOTA's "response" is about things which are not there yet. "In the future", "current state of things is temporary", "IOTA will be", etc.


It's a shame this comment got parked at the bottom of the page, it just shows how the article is right; IOTA is immature technology that hopes to be better one day (maybe with all fingers crossed)



