Topic: MasterCoin: New Protocol Layer Starting From “The Exodus Address” - page 99. (Read 448462 times)

Thanks Jeff, this is very helpful to know


Paid or not Peter this is extremely helpful, thank you (though it will take multiple readings for me to even remotely try to understand it all!). 

JR, without wanting to be badgering I feel this is the most critical issue for mastercoin right now.  How we store data in the blockchain is fundamental and should be locked away as early as possible (and ideally written into the spec).  As you made that the number one goal of the first coding contest I'm guessing you feel the same   Tachikoma's work is great but perhaps we could refine it somewhat - in development we're spitting out invalid ECDSA points in multi-sigs some of the time and as Jeff has raised above, pubkey checking is on the way regardless of mastercoin.

As I've mentioned before I view the miners as our critical issue and if some of the major pools are doing things like looking for obvious compressable/text data as Peter notes, perhaps some further investigation into steganography (an apt analogy I think) would be in order - obfuscating the data we're storing in the pubkey (IMO) seems quite achievable and spotting our padding ("000000000" etc) isn't going to be hard.

Thoughts?

Once the project is mature, someone just has to clone it and people can have all the features of Mastercoin without having to purchase expensive Mastercoins. It would be a cheaper alternative. That's what I'm getting at. It's not like the BTC vs LTC wars. A competitor immediately has the same security. It's not exactly a whole new crypto-currency like the originals. You are essentially betting on people being loyal to Mastercoin. And why would someone who is about to do an IPO care? Offer shares on the original Mastercoin or use the cheaper alt-mastercoin where the fees are pretty much as cheap as BTC transactions will allow? They should be loyal to a certain software package or website? If a company decides to use the alt-mastercoin, they just direct the investors to another download site so they can begin right away. This alt-mastercoin would probably even have compatibility to manage old mastercoin transactions as well. Wouldn't users flock to the package that manages both? And wouldn't businesses and users use the one that's cheapest?

The more expensive Mastercoin gets the more there is an incentive for a cheaper alternative. This cheaper alternative would be best to wait until Mastercoin is mature. After people have invested time and money. It would totally destroy investors who are heavily invested in Mastercoin as an investment as apposed to an actual tool for trade. That's what worries me. People promising wealth on a tool. That's what it is. It's moving BTC around. The BTC is here to stay. The tools on top will change.


Colored coins are built into the blockchain! Just like Mastercoin.


Exact same thing can be done with colored coins. Just define the new currency as 1 satoshi = 100 units new currency residing in address x. Define that no new BTC sent to that address are valid. All completely done without Mastercoin.

Miners are a HUGE form of momentum. That's what keeps us on BTC. If we could invent a currency with the same security as BTC instantly, BTC would be threatened. With mastercoin or colored coins that scenario is not only possible but likely. That's why a huge valuation for mastercoins makes no sense.

You're on the right track, although be warned that the assumption that modifying a single byte until the X point is on the ECDSA curve is always possible may be invalid; my understanding is that there's no upper-bound known on the gaps between valid points on the curve. Having said that, a decent assumption is, as you've already figured out, they are randomly distributed and about half of all randomly chosen 256-bit integers are valid X points.

Stepping back for a moment, keep in mind that censorship isn't as simple as just "block invalid X points" - censoring any data that looks like it isn't random is quite possible too. I've been told that some pools are already implementing this with rules that block transactions where the data encoded in them is too "compressible" or has too many ASCII characters. What you need to be doing, at minimum, is encrypting the data you are embedding too. As I suggested in the Bitmsg thread a good way to do this is to use a cipher, taking the first CTxIn's prevout.hash + prevout.n + nSequence + nLockTime, hashing all them together to create an initialization vector, and then using that IV with some type of cipher. The resulting encrypted data is just as likely as passing randomness tests as any other pubkey, and doing so doesn't have any real performance impact. (encryption is fast!) Of course, for Mastercoin, this isn't really encryption as encryption, more encryption for the purpose of steganography, but for that purpose it's still effective.

Once we've settled on using encryption we can then make use of it to give a very robust way of ensuring the data in question looks like valid public keys. Essentially what you want is a chained block cipher mode, but one where each PUSHDATA corresponds to one block; another equally valid version is to have a stream cipher where the cipher is re-keyed on every PUSHDATA.

Now lets say we've split our Mastercoin message into a series of PUSHDATA's, forming plaintext P_0 to P_n. We also have our steam cipher E_k for key k, where the k is well known. (could be SHA256('MasterCoin Rocks!'); it's not a secret) We compute the cipher text as C_i = E_k(P_i XOR C_{i-1}), C_0 = IV. (AKA CBC mode)

Now, what what we do is for every C_i we test if it's a valid pubkey, if not we modify P_i until it is, just like you were doing above. Given that ~50% of all X points are valid pubkeys the probability of not being able to find a valid one is 2^-256, essentially impossible, and because the IV is different for every message there's no danger of an attacker finding a specific one that doesn't work for everybody. (by finding some region where a large number of X points are invalid and constructing some kind of asset or something where trading in it is likely to result in messages hitting that case)

AES works on 128-bit blocks, while a compressed pubkey makes for a 256-bit block, so you'll have to make the iterator being modified be at the beginning rather than end of a block. You'll also need a crypto library that can save state, allowing you to back-up two blocks whenever you need to modify the iterator. That said if you put the iterator in the second block, you only need to back-up a single block, and it's rather unlikely for a 128-bit prefix to have no 128-suffixes that are valid pubkeys; you'll probably get away with it, but be warned that I'm not a cryptographer.

A more general "stuff-data-in-the-blockchain" solution would also allow for stuffing in any PUSHDATA, specifying which PUSHDATAs happened to be valid with, say, the low-order bits of the nValue in each CTxOut. In this case you'd want a rule that handles 33-byte PUSHDATA's specially, dropping the first byte and the iterator byte from the plaintext output. I've actually got code that does most of this; I might go publish it as a general purpose library for censorship-resistant embedding of data in the blockchain.

Also in case you guys aren't already aware, currently the IsStandard() rules consider any PUSHDATA from 33 bytes to 120 bytes as standard, and there is nothing checking that pubkeys are valid at all. (including the first byte that determines compressed/uncompressed) For instance my OpenTimestamps timestamper stuffed timestamps into bare CHECKMULTISIG scriptPubKeys by setting the first byte of the pubkey to zero to be sure it could never be spent.(1)

1) Note that because the IV is constructed from a one-way-function, and CBC-mode encryption is also a one-way-function, we can be sure that no attacker could ever come up with a way to get you to create a pubkey for which they knew the secret key for. In theory an XOR stream cipher mode doesn't have this guarantee.


Disclosure: Someone contacted me privately and offered to pay me to help you guys out, although they didn't realize at first how far along you guys were in understanding the problem. I assume they were a Mastercoin investor, but I don't know and they asked to remain anonymous. All the same, I hope this helps.

The important thing to note about Mastercoin is momentum. It has the momentum. It has around half a million dollars from crowd funding to provide incentives for developers to actually build it. Owning the coins is like owning stock in Mastercoin and that provides incentive for developers and anyone else to prefer it over Colored Coin.

That is the mistake of Colored Coin. Colored Coin is like GNU Hurd which was the basis for Linux but most people don't know about it because it never had the same kind of developer support, marketing, or incentives to draw people to it.

When all is said and done speculators require incentives to do things. Mastercoin is being designed to attract speculation. Colored Coin is being designed by technical programmer types but since there wont be anything to trade initially and no crowd funding, and no momentum, in my opinion it's going to be left in the dust.

What would you choose as a developer or investor? Would you choose Colored Coin which by design will never be as powerful as Mastercoin? Which does not have momentum? But which I suppose could produce a simple solution to solve a simple technical problem? Or would you go with the momentum? If Colored Coin can capture the momentum and actually do a good job explaining what Colored Coin is then people will use it but it still isn't going to catch on fire like Mastercoin will.

Mastercoin will allow people to make bets and that feature alone will attract a very dedicated following. For example if Mastercoin works as intended we could bet on anything from which team will win the superbowl, to whether or not difficulty will double, to whether or not AsicMiner will be able to achieve 10% of the hash rate and we'd be able to do it in a completely decentralized manner. On top of that anyone who owns Mastercoins now is going to prefer using Mastercoin over Colored Coin because their Mastercoins gain value over time while Colored Coin is at best a platform which no one really has a stake in so who would care about it if everyone were a rational actor?

I know people are not rational and there will be plenty of people who like Colored Coin for ideological reasons. I can even think of some reasons why I might prefer Colored Coin and I own Mastercoins. One reason is that Colored Coin works on altcoin blockchains and Mastercoin works only with Bitcoin. There would be no real benefit to building an alternative fork of Mastercoin on top of Bitcoin if the original Mastercoin works as it should. There will definitely be demand for Colored Coin and perhaps Bitshares and Hops, and the market is going to be big enough where all of them will succeed on different blockchains but on the Bitcoin blockchain we will see Mastercoin dominate because it's basically build into it the blockchain and you cannot really beat that. Colored Coin is not built into the blockchain and that is both it's strength and weakness.

It's a strength because for Litecoin we'd have to use Colored Coin so perhaps they can create a niche around Litecoin and other altcoins. For Bitcoin it's going to either be Mastercoin ,  Bitshares,  or both but I don't think Colored Coin will be able to compete when both Mastercoin and Bitshares have lots of cash to build with and attract speculators with interest, dividends, and other kinds of incentive mechanisms which Colored Coin lacks.

I don't even see how you could build something like Mastercoin without some kind of coin which people would have to buy with Bitcoins. How would you get people to buy something with Bitcoins? People buy Mastercoins because they can be used to create new currencies. Those new currencies require backing in the form of escrow so that the supply can be controlled.

It's not just that Mastercoins are scarce, it's that they are incredibly valuable because they can allow so many possibilities but I suppose you could do some of it with Colored Coin or with some alternative to Mastercoin but it's all about speculation and liquidity,  once Mastercoin gets established its not going to be so simple to just clone it. If it were that simple then Bitcoin would have a difficult time competing with Litecoin because Litecoins are cheaper.

I'm cross posting a question here for more visibility and further discussion. I like Mastercoins and colored coins and think they are the next frontier for crypto-currencies. I hope they both succeed. My main confusion seems to be one of value. Colored coins are essentially priced to be lowest BTC value that the network will confirm. They are just clever movements of BTC. Mastercoins on the other hand have scarcity built in from the exodus address and are traded.

Alt-mastercoins are a real possibility. Traditional alt-currencies needed miner support to thrive. The larger the miner support, the stronger the security. Coins like Mastercoins get their security for free from the BTC network. Because the project is open source anyone can alter the project and create alt-mastercoins. They don't need any miner support at all and instantly will get the same security and features.

Could an Alt-Mastercoin exist that doesn't doesn't need scarcity? One that uses a "generation address" and to enter the alt-mastercoin ecosystem you just send BTC to it? It would make using all of Mastercoin's features dirt cheap with all the advantages of a tradition Mastercoin. Almost a colored coin/mastercoin hybrid.

I'm just wondering if the scarcity is unenforceable as a more free alternative will just take away market share after all the development is done? Although the exodus address was useful for funding development, I'm skeptical it will behave like a traditional crypto-currency and grow to extreme values.

wow nice is there anything I could do to promote for you guys i've been dropping hints on the options desk!   thank you! looking good/\

Apparently, Silk Road's closure has done little to reduce the consumption of drugs.

As I understand it the reward goes to the Mastercoin Foundation and can be used for further accelerating MSC development.

Trading is economically rewarding in and of itself, if one is rational and lucky, therefore it should not require a subsidy.  Such a subsidy would reward unnecessary trading.

Reward MasterCoins
For every 10 MasterCoins sold, an additional “reward MasterCoin” will also be created, which will be
awarded to the Exodus Address slowly over the following years.

As you have said above，the Reward MasterCoins distribution is Centralized. every 10 MasterCoins sold the Reward MasterCoins will be awarded to the Exodus Address,that means  Reward MasterCoins will all be yours. Why not consider Reward the traders in a reasonable percent?

You misread. Or perhaps I was unclear.
I am not arguing for this method.  I am suggesting this reason stated for avoiding it is not a good reason.
The method may be bad for many other reasons as you rightly point out.

It was offered as an example of how msc can do better at "playing well with others" and be better accepted.  It ought not have to hide or avoid censorship.  It ought be welcomed and celebrated and invited.

I dont get it.

What you are saying is...

yes lets not conform to the standard and if people think our message is valuable enough they also will break away from the standard to accommodate us...

Why wouldn't making it "blindingly easy" to discriminate between transactions considered a feature?  If msc is a net benefit for the Bitcoin network, this feature would assist in verifying that, yes?

Not arguing for this method, just suggesting that this reason for avoiding it doesn't speak well of msc.

Some questions that may help close the distance between the forks:

If this hostile fork is treated as, well, hostile; could the bitcoin network impose a minimum charge for carrying a Msc tx that be acceptable to everyone?  Or alternatively not accept Msc transactions if it were not?  (with the cost of choice being an imposed cost to the network)

Is developing the facility to recognize Msc transactions and account for them a cost imposed on the Bitcoin network for which it is compensated to their satisfaction?  

Is that cost freely negotiated or simply imposed and the compensation chosen by msc?

Msc may be a net benefit for the Bitcoin network, but how knowable/agreeable is this at this time?

Indeed it is symbiotic at the network level.  Because while msc tx are made up of btc tx which use resources, the btc network needs more tx to build maintain a monopoly/leader position in the market which is the true goal of any economic  organism in a free market.  Thus msc by bringing tx to the btc network is exchanging one thing of value (btc network security) for another thing of value (more users, more tx).

On a side not I have notcied I the btc tx per block record that it has not increased lately.  If we can move at least some stocks over to MSC, the number of tx per block will increase dramatically and you can bet that you will be a 10x or more growth I  the price of btc.  Msc as well, but I dont understand it's capitalization dynamics enough to make an educated guess yet.

Thanks Max, I'll check it out!

PS, I enjoyed your song. Perhaps in time you'll get the chance to make a sequel, this time on Mastercoin.

J.R. (the Mastermind behind Mastercoin) posted a rough sketch of the next coding contest here: https://bitcointalksearch.org/topic/m.3358444

Hammer, are you part of the team developing Mastercoin or are you working on Colored Coins?

Do you have a link to the new contest or is it not open to the public yet?

Don't worry about the money, you'll have plenty if you hang out here for long.  But, I've got to warn you the competition is good.  You'll have to program some slick stuff if you want to take an MSC bounty.  The last contest just ended - a new is about to begin.  Mastercoin project has over $800,000 in the bank so plenty to give away. 

Hello Guys,

I've been following mastercoin since the start of September and I am fascinated by the idea of using it to convert items to smart property which can exchange stocks/bonds/real estate/ect.

Is there an opportunity for a programmer with experience in Ruby and JavaScript to get involved?

I have alot of spare time lately but not alot of money and I'm looking for a project to pour my energy and expertise into.

Looking to join the Mastercoin team,

Please feel free to PM me or comment here.

Paleus

Thanks for the explanation, that makes sense.