Topic: IOTA - page 748. (Read 1471689 times)

The attacker doesn't publish it untill he has enough transactions referencing the second doublespending transaction.

No a better idea. It's impossible to prove that we don't buy our own coins, if we kept some coins as premine we still could buy extra coins, so we put ourselves into the most unprofitable position to lessen advantage of our position to the max degree.

But that default doesn't seem to be the correct game theory? This is Prisoner's Dilemma game. Afaics, lower incentive to go first on including a new tip. Just noticed yesterday this research on cases where the pessimistic Nash equilibrium is claimed not to hold (but on quick glance I ponder if they have overly simplistic assumptions in their models).

Obviously if everyone defects to making their own branches (maximally broaden the tree), then no one's tips get lengthened and thus the entire system doesn't function. But is the optimum strategy the default that you assume?

Our point is that normally the left yellow tx would be referenced e.g. already by the second green tx.

Your picture is very unprobable in this case, odds that other transactions (legit ones) don't reference legit payment after the adaptation period is over are near zero.

My picture contains as low amount of transaction as possible, just to express the idea. You can imagine several more transactions of the honest network on top of the green tip, but many more red transactions above the second doublespend.

Yes, normally the left yellow tx would have been referenced by many green ones already.

Does this assume that the merchant waited for enough confirmations? Because his transaction seems to have very little confirmation.

This is still a form of premine. You can convert all of you ICO funding to coins in any scenario while paying those funds to yourself. Since you can pay yourself numerous times, and recycle the funds to pay yourself again, there is no limit to the number of coins you can buy from yourself.

Even if you require all funds to be presented up front, that doesn't prevent you from taking out a loan which you can pay back fully because you buy the coins from yourself.

Even if you limit the supply of coins and force all offers to be tendered at once and randomly choose in a publicly verifiable process, you can still stack the bids to be sure you get the % of coins you want.

If you instead have a market driven price for the ICO and a fixed supply of coins, then you can bid on your own coins driving the price higher and generating more funds while obtaining some of the coins cheaper than others who have paid you to buy your coins cheaper.

The only way around this would be to verify the identify of every purchaser and make this information public (or audited by a trusted entity), which I doubt most purchasers would agree to.

The only solution I see for this dilemma is to identify each purchaser, but do it in a convenient and non-intrusive way. That is why I have been thinking to only sell up to say $500 to each user (no investors! so as to avoid creating an illegal unregistered investment security so you all don't all end up in jail in the future) and allowing these purchases only by credit card (or verified bank account funding via Paypal to avoid chargebacks) with an auditing process that insures each name on the card is unique. I suppose you are clever enough you can pay people to let you use their credit cards (or steal them), but this is a crime and probably easy to track down (especially during any SEC investigation), so it is very risky and one would assume legit developers won't risk crime (heck they are talented, and can earn a lot of money taking programming jobs outside of crypto).

The only other way is some mining distribution, but wastes resources that could be better used to fund development.

Or you can just tell everyone honestly that all they know is how many coins they have and the total supply of coins, but they can't know how many coins you have unless all the buyers get together and tally their purchases.

This a serious dilemma. I have thought about it a lot. Has anyone else devised a better solution?

This is the scenario I'm talking about. Green filled, black edged are transactions of the honest network. Red edged - are transactions of the attacker. The doublespends are filled with yellow.
As far as I understand your algo, weight of the red tip is greater by 3 than weight of the green tip.

Valid point.

That puts undue stress on others. For instance, it no longer suffices for a merchant to see a payment confirmed by tons of PoW from followup tx.

She additionally needs to go all the way back in history to check for potential double-spends that change the status of the recent payment to "please ignore".

Anyhow, for that to happen, both double-spending tx's need to be broadcast more or less at the same time. Doesn't sound as a good idea for the attacker...

If we can provide deterministic way to order double-spends then we can include both and ignore the younger one. It's not related to Iota though, just an idea.

Yes. As mentioned somewhere above on this page (or maybe on the previous one), the (default) referencing algorithm works in such a way that it prefers tips with bigger height. So, if you're too lazy and reference some very old tx's, you take the risk that your tx won't be referenced by others.

Awesome a real project, good luck to you and will follow closely.

That is precisely how I would have answered. It is quite clear that everyone has a strong incentive to be on a correct branch, else any time down stream someone can broadcast a notice that a branch is incongruent then that branch gets abandoned.

But doesn't this mean that there is a great incentive to not include tips in your branch, because these don't yet have enough veracity to be sure they won't end up being a double-spend. In your system there is often no way to prove which of the double-spends were first, so they both are invalid.

Seems to me no one has an incentive to lengthen instead of broaden the tree. But I haven't absorbed the white paper. Did you address that?

Yes, we assume that there is a constant flow of transactions. If it's not the case (for example, tangle runs in North Korea where noone spends money during night time) then merchants should rise confirmation threshold during such hours.

So transaction security is actually reliant on the subsequent transaction volume for the overall network?
I imagine that the picture above would look quite different if the attacker simply chooses to mount his attack during a period of negligible transaction volume (thus low weight build-up on the legitimate tangle). I'm probably missing something (or a lot)...