Hacker News new | comments | show | ask | jobs | submit login
Ethereum: A Turing-Complete Cryptocurrency (ethereum.org)
135 points by gottagetmac 1376 days ago | hide | past | web | 81 comments | favorite

Trying to figure out a couple things (from pastebin link):

1. What protection against non-halting?

contracts are "funded" upon creation, and by those who issue transactions to the contract. if there are specific fees required by the contract to perform an action, it must be enforced by the contract itself. the cost of computation will eventually exhaust the contract's funding it fails.

2. what are the long-term economics? (i.e. is coin supply unlimited or limited and at what rate of decay)

    line 90
- planned fundraising period with issuance of 10000 ether per BTC contributed

- other coins will be issued so the initial money supply is 15000 times the contributed BTC amount, with 0.25x (i.e. 16.67%) to the founders, same amount to fund the Etherium organization. Division of BTC not specified.

- the mining reward will be 1/3 of the initial supply, per year, perpetually (i.e. 1/2 the contributor's reward.) So the money supply increases linearly.

3. if a person's only goal was to use the blockchain to store data, what would be cost per byte, and is there a max rate?

    line 385 to 399
- A contract is "funded" when it is created, and the computation performed by the contract consumes the funds.

- storage of a "data item" in contract memory costs 100x where x = floor(10^21 / floor(difficulty ^ 0.5))

- don't see the limit/cost of data items bound to transactions as per transaction definition on line 133

anyway it takes courage to name a currency after a drug like ether.

I don't think anyone associates ether with a drug first.

From Thesaurus: "ether - the fifth and highest element after air and earth and fire and water; was believed to be the substance composing all heavenly bodies"

And ethernet. Kids today.

"There is nothing in the world more helpless and irresponsible and depraved than a man in the depths of an ethereum binge."

      Appologies to Hunter S. Thompson

Though another spelling of that is "aether" (I think this is more common than "ether").

Ethers are also a group of rather common organical compounds in chemistry. This is the page Wikipedia gives you when searching "Ether", as gateway allures to. Apparently, a specific compound of those (diethyl ether) can be used as a drug. Seems rather unlikely to me that people would connect the name to the drug first.

"composing all heavenly bodies"

Perfect name.

maybe it's just me and wikipedia.

And the late Hunter S. Thompson. It's the first thing I thought of too.

>> What protection against non-halting?

The transaction fee is determined based on the number of computational steps in the contract. My understanding is that, if the contract has not halted by the time the transaction fee has been "spent", then the transaction is rejected.

yeah I came to the same conclusion, except lines 327/328 confuse me a little bit, as to whether the fee goes to the miner in this case, since on 328 (regular termination) it says so explicitly, but on 327 (exhaustion) it doesn't specify.

I'm guessing that, if the transaction is rejected, then no fees are awarded -- I could be wrong though.

yeah, I'm thinking that if that is the case, it would allow you to create a "spike" contract, a highly funded contract designed to use a lot of miner resources until it inevitably fails. then you could send out transactions to this contract which would cause it to execute and fuck with all the other miners, where you just ignore it because you know it will fail. Maybe the cost for computation makes this unreasonable though, I don't really have a sense of the cost of computation .

you must be really burned out to think of a drug when you hear the word ether :D

The page doesn't say who is behind it, but the wiki is edited by user "vbuterin".

So maybe it's Vitalik Buterin, one of the more interesting cryptocurrency thinkers out there. Hmm.


This is indeed Vitalik's project, you can read the whitepaper on his website: http://vitalik.ca/ethereum.html

Also, the subreddit /r/ethereum is modded by and features a welcome post by "vbuterin".

I don't know if the Etherium people are looking for comments, but here are a few.

I think that Dagger has serious issues. First, the spec is buggy: the text says that eight bottom-level nodes are hashed together, but the pseudocode only uses four. Second, it does not require 512MB per thread; it requires 512MB of write-once, read-many-times memory, shared by all threads; this property seems to be asking for a rather large ASIC (or a smaller ASIC backed by some multi-port SRAM) to have a huge advantage.

Also, what's up with the choice of secp256k1? It's at least less likely to be backdoored by evil choice of parameters than, say, P-256, but there are many better choices out there (e.g. curve25519 or some of its larger variants). Those better variants have the big advantage (especially in this application) of having faster verification operations.

(The fastest-to-verify option would probably be plain ol' RSA, but signatures are rather large.)

Text content: http://pastebin.com/NCGRv74u

(Saw comments that the site went down and still had it loaded on my machine)

I'm still trying to understand how the whole system works. It appears to be groundbreaking but I'm not really sure. The last sentence in the document should catch your interest:

"As a result, we have a cryptocurrency protocol whose codebase is very small, and yet which can do anything that any cryptocurrency will ever be able to do."

Unless one considers the lack of Turing-completeness to be a feature (as Bitcoin apparently does, pointed out in a few other comments here).

it mentions the ability to create subcurrencies, so probably you could create a subcurrency that isn't Turing complete?

Denomination is a wei. Weis are tied to compute jobs, basically. It's a distributed computing network/server with built-in trust. Holy shit.

The site is down for many hours. The cached version: http://webcache.googleusercontent.com/search?q=cache:http://...

Is there a dedicated forum or mailing list for further discussion?

I think the clever idea here (IMO) are the fees. An argument against implementing a Turing complete language inside Bitcoin or an Altcoin might be that it's hard to determine when execution should end. The fees allow arbitrarily complex constructs without any hard cap, while preventing abuse.

Except it pays the wrong people. In Bitcoin, at least, miners are kept honest by other people running nodes that limit what miners can do. In this protocol the validation would become very expensive but only the miners are paid. This sounds like trouble.

Don't all the miners have to run the entire program, so they are validating each other?

No, the mine pool operator has to, but no more than once to cover every miner in his pool. To draw a comparison to bitcoin, there might only be a dozen or so pool entities which receive nearly all of the subsidy and transaction fees, but thousands of non-mining full nodes.

Maybe, but not the way its implemented here. The fee needs to go to all the nodes which perform the validation, not to the miners.

They must run their webservers on top of their Turing-Complete cryptocurrency... their site seems to be down.

My first thought was why would one want their currency to be Turing-complete? It's actually a cool concept though. Being able to have your money make decisions opens all kinds of possibilities.

This allows for the implementation of a completely distributed trading platform.

No it doesn't. Or rather— it's not necessary or sufficient: you can already trade distributed cryptocoins, and no amount of cryptocoin magic can completely distribute USD or other non-cryptocoin assets because their differential counterparty risk makes every promise different.

You need a central agency ATM for trading coin. Those guys have to run wallets and do the transactions in non-trusted space. This skips that.

> 6) A full-scale on-chain stock market. Prediction markets are also easy to implement as a trivial consequence."

Line 283 of http://pastebin.com/NCGRv74u

My understanding was that a balance based model opened up some pretty serious security problems, which is why bitcoin didn't use it. I'm dubious of a new coin as complex as this.

This is a very cool idea. I think it may have some critical flaws, but even the fact that people are thinking of stuff like this is so cool. Very singularitarian.

Site is down. How do they manage to go down with probably static content, I have no idea.

Hmm. Maybe he took it down? Here's a story about him:


With the availability of free CDNs (CloudFlare setup is 30 seconds max) I'm not sure why static sites have issues with bandwidth these days...

cloudflare do not cache html/php/etc stuff and as a result all these request still going to the hosting server, sometimes killing it.

I don't understand who does all the turing complete contract computation. Presumably the miners, but they're paid to do some useless proof-of-work work, not the turning complete computation of the contract.

The fee goes to the miner who happens to find the containing block, yes. But not to the thousands of validating nodes integral to the network. And over time fees are given proportional to hashpower... which doesn't make any kind of sense. The incentives are all messed up.

There aren't thousands of validating nodes. All nodes are computing on jobs in the system. The incentive is you get paid for processing code for someone. It's a trusted cloud framework with payment built in. The Dagger page is down. That'll have the detail on the rewards details for compute.

It's a distributed block chain right? And each fully validating node needs to validate each of the scripts, right? So every full node on the network is replicating every single computation. But only the miners are getting paid.

Do you have the text for the dagger page?

Dagger appears to be inferior to the Cuckoo Cycle proof of work system I recently developed; see https://github.com/tromp/cuckoo

Cuckoo Cycle is a new proof of work system with the following features

1) proofs take the form of a length 42 cycle in the Cuckoo graph, so that verification only requires computing 42 hashes.

2) the graph size (number of nodes) can scale from 1x2^10 to 7x2^29 with 4 bytes needed per node, so memory use scales from 4KB to 14GB

3) running time is roughly linear in memory, at under 1s/4MB

4) there is no time-memory trade-off, and memory access patterns are the worst possible, making the algorithm constrained by memory latency

5) it has a natural notion of difficulty, namely the number of edges in the graph; above about 60% of size, a 42-cycle is almost guaranteed, but below 50% the probability starts to fall sharply

What creates that upper limit of 7x2^29?

the naming convention that allows it to be named cuckoo729.

the program could be rewritten not to use bit 31 as a flag, and then you could use as many as 2^32-1 nodes, but that's not neatly expressible as MULT*2^SHIFT with few digits.

The dagger page is cached by google here. Note that this is from 29 Dec and has probably been significantly updated since. But here it is for what it's worth:


I don't see anything regarding compute rewards here. It's all about the mining PoW. If all nodes are validating the Turing-complete scripts, and only the miners are getting paid, how does that work? What am I missing?

Hey, I like your assessment ability. Contact me at jkwon.work@gmail.com, I have an idea I want to share with you.

Are you the same guy who called the bitcoin peak perfectly in April on irc?

yes. :)

BTW, also contact me if you want help investing in alt-coins. I'm going to start an alt-coin hedge fund.

altcoin index fund? that would never work!

I have a personal troll!

Ripple is also working on the same thing and is supposedly releasing them "soon": https://ripple.com/wiki/Contracts

Unfortunately, Ripple is a worst-case example of pre-mining. I would really hate to see it take off.

I would rather see an actual, functional product take off (even without miners). The resistance to Ripple just enables an endless series of me-too fundraisers.

The ethereum proposal is the most technical yet. Hopefully it sets a new minimum bar in the market for crowd-funded vaporware (I'm highly skeptical of them all).

Fair enough, although their technology can be appreciated separately from the pre-mine. Anyone can fork it and do a purely mined version.

I'm most curious about cryptocurrency algorithms that can be optimally run on FPGAs, but not ASICs or GPUs. Is there anything along those lines floating around already?

For what reason are you interested in that? Any such algorithm would have to make use of the re-programmability of FPGAs, since a static FPGA layout can always be turned into an ASIC...

My interest really has nothing to do with cryptocurrency, but I've been reading about dynamic method migration[0] and modular reconfigurability[1] for a long time. I can see how some of my professional work could benefit from 'adaptive computing'[2] trends as well. The algorithm I have in mind would simply be geared towards hardware that I want to own already.

[0] http://dx.doi.org/10.1109/IPDPS.2004.1303105

[1] http://www.doc.ic.ac.uk/~tbecker/papers/iee06.pdf

[2] http://www.cray.com/Assets/PDF/about/IDC-AdaptiveSC.pdf

I think any chip image that you put on an FPGA will run faster if you turn it into an ASIC. Are you thinking self modifying code?

Precisely. I would expect that the algorithm itself would change over time, with modifications based partially on the state of the network.

Edit: maybe the modification strategy could provide some 'proof-of-steak' protections, without burdening the system with excessive early adopter advantages.

What's so wrong with ASICs? Litecoin don't have them, and now they are plagued by a botnet who mines on infected PCs.

Nothing wrong with ASICs at all, but I would prefer to invest in general purpose infrastructure. It seems like a system favoring FPGAs wouldn't be as attractive to botnet owners either.

Does this mean that arbitrary software can be run in "trusted" way? So that everyone knows for sure what software is being run?

For the record: Qixcoin.com was the first coin to propose a Touring complete system. It shares 95% of Etherum design.

The site is down for me.

How do I mine them?

That's what I'm wondering too. There isn't even a release date

Note that Bitcoin is purposefully not turing complete. http://bitcoin.stackexchange.com/questions/17258/turing-comp...

I don't really see any reason why it couldn't be Turing complete, as long as it was completely deterministic (no "rand()" etc) and the specification included a maximum number of operations (which Bitcoin's Script already does)

What am I missing? Is the idea that without loops the transaction size can be used to estimate the computation required without actually performing it, and thus the appropriately sized transaction fee required?

Nakamoto designed script to be non-Turing complete from the very beginning (it was mentioned in his white paper). I suspect it was for security reasons. You don't want arbitrary complex code running on miners machine. At the very least, it could obstruct the system.

Script is not mentioned at all in the Bitcoin white paper. Perhaps you are thinking of a comment he made elsewhere.

Bear in mind that in the Bitcoin design it's not just miners who have to run scripts, it's all nodes, yet fees accrue only to the miners. Bitcoin does use fees to try and make computationally expensive transactions financially expensive as well, but that's just a basic antiflood mechanism, the fees don't actually get collected by those doing the work.

Wow indeed it is not mentioned. I was sure I had read about it there. I was wrong. My bad.

First paragraph:

>It is purposefully not Turing-complete, with no loops.

The currency has been hacked.

Because the site is down?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact