Obyte: Totally new consensus algorithm + private untraceable payments - page 958.

coinhugger

hero member

Activity: 728

Merit: 500

Quote from: tonych on January 12, 2017, 05:46:07 AM

Quote from: Come-from-Beyond on January 12, 2017, 03:31:29 AM

Quote from: tonych on January 11, 2017, 05:36:46 PM

Quote from: Come-from-Beyond on January 11, 2017, 09:50:50 AM

This explains why there is no a protection against an eclipse attack, which can be conducted if a naive peer discovery is used (which is the case of Byteball, I noticed this trying to recover byteballs of my friend). In IOTA necessity to talk to people is an anti-Sybil measure. Poor SatoNatomato doesn't understand all these nuances, I suggest to forgive his childishness.

For the record, peer discovery is irrelevant to consensus in Byteball. Even if Sybiled, a node cannot select a wrong branch, by design. The worst that can happen to a node while it is Sybiled, is that the node will stay stuck at some old point on the DAG, as if it were offline. CfB if you want to reply, IOTA thread is not the best place for in-depth discussion of Byteball, post to https://bitcointalksearch.org/topic/obyte-totally-new-consensus-algorithm-private-untraceable-payments-1608859.

This is an attack that came to my mind while I was reading the source code trying to get what "device ID" was for:

The whitepaper says:

Quote

There is no partial order between them. In this case, we accept both. We establish a total order between the units later on, when they are buried deep enough under newer units (see below how we do it). The one that appears earlier on the total order is deemed valid, while the other is deemed invalid.

Quote

In normal use, people mostly link their new units to slightly less recent units, meaning that the DAG grows only in one direction.

The former allows to trick a user into believing that he received coins (if we can censor the traffic). The latter allows to make the others extend a branch we need (if we can (to some extent) censor the global traffic).

Imagine that I have poisoned the network and 90% of the nodes (not physical machines, just IPs) are controlled by me. What stops me from scamming a merchant in such way:

1. Issue a payment to the merchant and a payment to myself with "no partial order between them"
2. Make the others to prioritize the payment to myself (the branch with the payment to merchants will be extend too and this is the only transactions the merchant will see)
3. Get the purchased item delivered
4. Stop the attack, my payment is already considered as a part of the main chain, let the merchant to see that his payment is not.

If the user waits that the transaction is final, he cannot be defrauded.
In your example, you isolate the merchant from the real network and feed him with a fake branch. The merchant will accept your units and add them to his version of the DAG, but since there are no witness-authored units on your branch, it will not move the stability point forward and your double-spent payment will stay unconfirmed for as long as your attack continues. Number of nodes is totally irrelevant, it is the presence of witnesses what makes a branch real.

@Tonych, thanks for clearing that up. Nothing to worry about then. Keep up the good work!

tonych

legendary

Activity: 965

Merit: 1033

Quote from: Come-from-Beyond on January 12, 2017, 03:31:29 AM

Quote from: tonych on January 11, 2017, 05:36:46 PM

Quote from: Come-from-Beyond on January 11, 2017, 09:50:50 AM

This explains why there is no a protection against an eclipse attack, which can be conducted if a naive peer discovery is used (which is the case of Byteball, I noticed this trying to recover byteballs of my friend). In IOTA necessity to talk to people is an anti-Sybil measure. Poor SatoNatomato doesn't understand all these nuances, I suggest to forgive his childishness.

For the record, peer discovery is irrelevant to consensus in Byteball. Even if Sybiled, a node cannot select a wrong branch, by design. The worst that can happen to a node while it is Sybiled, is that the node will stay stuck at some old point on the DAG, as if it were offline. CfB if you want to reply, IOTA thread is not the best place for in-depth discussion of Byteball, post to https://bitcointalksearch.org/topic/obyte-totally-new-consensus-algorithm-private-untraceable-payments-1608859.

This is an attack that came to my mind while I was reading the source code trying to get what "device ID" was for:

The whitepaper says:

Quote

There is no partial order between them. In this case, we accept both. We establish a total order between the units later on, when they are buried deep enough under newer units (see below how we do it). The one that appears earlier on the total order is deemed valid, while the other is deemed invalid.

Quote

In normal use, people mostly link their new units to slightly less recent units, meaning that the DAG grows only in one direction.

The former allows to trick a user into believing that he received coins (if we can censor the traffic). The latter allows to make the others extend a branch we need (if we can (to some extent) censor the global traffic).

Imagine that I have poisoned the network and 90% of the nodes (not physical machines, just IPs) are controlled by me. What stops me from scamming a merchant in such way:

1. Issue a payment to the merchant and a payment to myself with "no partial order between them"
2. Make the others to prioritize the payment to myself (the branch with the payment to merchants will be extend too and this is the only transactions the merchant will see)
3. Get the purchased item delivered
4. Stop the attack, my payment is already considered as a part of the main chain, let the merchant to see that his payment is not.

If the user waits that the transaction is final, he cannot be defrauded.
In your example, you isolate the merchant from the real network and feed him with a fake branch. The merchant will accept your units and add them to his version of the DAG, but since there are no witness-authored units on your branch, it will not move the stability point forward and your double-spent payment will stay unconfirmed for as long as your attack continues. Number of nodes is totally irrelevant, it is the presence of witnesses what makes a branch real.

SatoNatomato

sr. member

Activity: 378

Merit: 250

Quote from: coinhugger on January 12, 2017, 05:00:25 AM

Quote from: Come-from-Beyond on January 12, 2017, 03:31:29 AM

Quote from: tonych on January 11, 2017, 05:36:46 PM

Quote from: Come-from-Beyond on January 11, 2017, 09:50:50 AM

This explains why there is no a protection against an eclipse attack, which can be conducted if a naive peer discovery is used (which is the case of Byteball, I noticed this trying to recover byteballs of my friend). In IOTA necessity to talk to people is an anti-Sybil measure. Poor SatoNatomato doesn't understand all these nuances, I suggest to forgive his childishness.

For the record, peer discovery is irrelevant to consensus in Byteball. Even if Sybiled, a node cannot select a wrong branch, by design. The worst that can happen to a node while it is Sybiled, is that the node will stay stuck at some old point on the DAG, as if it were offline. CfB if you want to reply, IOTA thread is not the best place for in-depth discussion of Byteball, post to https://bitcointalksearch.org/topic/obyte-totally-new-consensus-algorithm-private-untraceable-payments-1608859.

This is an attack that came to my mind while I was reading the source code trying to get what "device ID" was for:

The whitepaper says:

Quote

There is no partial order between them. In this case, we accept both. We establish a total order between the units later on, when they are buried deep enough under newer units (see below how we do it). The one that appears earlier on the total order is deemed valid, while the other is deemed invalid.

Quote

In normal use, people mostly link their new units to slightly less recent units, meaning that the DAG grows only in one direction.

The former allows to trick a user into believing that he received coins (if we can censor the traffic). The latter allows to make the others extend a branch we need (if we can (to some extent) censor the global traffic).

Imagine that I have poisoned the network and 90% of the nodes (not physical machines, just IPs) are controlled by me. What stops me from scamming a merchant in such way:

1. Issue a payment to the merchant and a payment to myself with "no partial order between them"
2. Make the others to prioritize the payment to myself (the branch with the payment to merchants will be extend too and this is the only transactions the merchant will see)
3. Get the purchased item delivered
4. Stop the attack, my payment is already considered as a part of the main chain, let the merchant to see that his payment is not.

This is a scary thought. I hope the developer can mitigate this potential vulnerability if the above-mentioned procedure really works.

Its bull and FUD, which CFB would have known if he actually read the whitepaper.

This is what witnesses are for, the payment is not Finaluzed as Confirmed unless a witness sees it, which in the scenario doesnt happen. Its the same dumb attack as sending a goods after no confirmations in bitcoin.

tonych

legendary

Activity: 965

Merit: 1033

Quote from: drays on January 11, 2017, 09:04:57 PM

Quote from: CryptKeeper on January 11, 2017, 09:01:40 PM

Quote from: drays on January 11, 2017, 08:54:30 PM

Sorry if this sounds lame (I admit I didn't read the whole whitepaper Grin

), but is there any way to see in ~~block~~ explorer or anywhere else, the date/time when a transaction is actually made!? Huh

Look in the wallet at the "History" tab, then click on a tx to see the details.

Ok, thanks. But I meant the transactions made by others (not from/to my wallet)

Is there any way to see the timestamps on them?

There are no timestamps in Byteball protocol, they are just not needed. That's why there are no reliable timestamps. The ones you see in History tab are the times and dates when your wallet first learnt about the transaction (or, if you are on light wallet, when the light vendor first learnt about the tx).

coinhugger

hero member

Activity: 728

Merit: 500

Quote from: Come-from-Beyond on January 12, 2017, 03:31:29 AM

Quote from: tonych on January 11, 2017, 05:36:46 PM

Quote from: Come-from-Beyond on January 11, 2017, 09:50:50 AM

This explains why there is no a protection against an eclipse attack, which can be conducted if a naive peer discovery is used (which is the case of Byteball, I noticed this trying to recover byteballs of my friend). In IOTA necessity to talk to people is an anti-Sybil measure. Poor SatoNatomato doesn't understand all these nuances, I suggest to forgive his childishness.

For the record, peer discovery is irrelevant to consensus in Byteball. Even if Sybiled, a node cannot select a wrong branch, by design. The worst that can happen to a node while it is Sybiled, is that the node will stay stuck at some old point on the DAG, as if it were offline. CfB if you want to reply, IOTA thread is not the best place for in-depth discussion of Byteball, post to https://bitcointalksearch.org/topic/obyte-totally-new-consensus-algorithm-private-untraceable-payments-1608859.

This is an attack that came to my mind while I was reading the source code trying to get what "device ID" was for:

The whitepaper says:

Quote

There is no partial order between them. In this case, we accept both. We establish a total order between the units later on, when they are buried deep enough under newer units (see below how we do it). The one that appears earlier on the total order is deemed valid, while the other is deemed invalid.

Quote

In normal use, people mostly link their new units to slightly less recent units, meaning that the DAG grows only in one direction.

The former allows to trick a user into believing that he received coins (if we can censor the traffic). The latter allows to make the others extend a branch we need (if we can (to some extent) censor the global traffic).

Imagine that I have poisoned the network and 90% of the nodes (not physical machines, just IPs) are controlled by me. What stops me from scamming a merchant in such way:

1. Issue a payment to the merchant and a payment to myself with "no partial order between them"
2. Make the others to prioritize the payment to myself (the branch with the payment to merchants will be extend too and this is the only transactions the merchant will see)
3. Get the purchased item delivered
4. Stop the attack, my payment is already considered as a part of the main chain, let the merchant to see that his payment is not.

This is a scary thought. I hope the developer can mitigate this potential vulnerability if the above-mentioned procedure really works.

kaicrypzen

hero member

Activity: 1344

Merit: 656

Quote from: galaxy on January 11, 2017, 08:08:15 PM

Is there a trading thread?

Yes there is: https://bitcointalksearch.org/topic/byteballs-buying-selling-trading-1728405. You can also trade on Slack: https://byteball.slack.com, check the channels #trading, #book, #auctionroom and #trading_blackbyte.

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: tonych on January 11, 2017, 05:36:46 PM

Quote from: Come-from-Beyond on January 11, 2017, 09:50:50 AM

This explains why there is no a protection against an eclipse attack, which can be conducted if a naive peer discovery is used (which is the case of Byteball, I noticed this trying to recover byteballs of my friend). In IOTA necessity to talk to people is an anti-Sybil measure. Poor SatoNatomato doesn't understand all these nuances, I suggest to forgive his childishness.

For the record, peer discovery is irrelevant to consensus in Byteball. Even if Sybiled, a node cannot select a wrong branch, by design. The worst that can happen to a node while it is Sybiled, is that the node will stay stuck at some old point on the DAG, as if it were offline. CfB if you want to reply, IOTA thread is not the best place for in-depth discussion of Byteball, post to https://bitcointalksearch.org/topic/obyte-totally-new-consensus-algorithm-private-untraceable-payments-1608859.

This is an attack that came to my mind while I was reading the source code trying to get what "device ID" was for:

The whitepaper says:

Quote

There is no partial order between them. In this case, we accept both. We establish a total order between the units later on, when they are buried deep enough under newer units (see below how we do it). The one that appears earlier on the total order is deemed valid, while the other is deemed invalid.

Quote

In normal use, people mostly link their new units to slightly less recent units, meaning that the DAG grows only in one direction.

The former allows to trick a user into believing that he received coins (if we can censor the traffic). The latter allows to make the others extend a branch we need (if we can (to some extent) censor the global traffic).

Imagine that I have poisoned the network and 90% of the nodes (not physical machines, just IPs) are controlled by me. What stops me from scamming a merchant in such way:

1. Issue a payment to the merchant and a payment to myself with "no partial order between them"
2. Make the others to prioritize the payment to myself (the branch with the payment to merchants will be extend too and this is the only transactions the merchant will see)
3. Get the purchased item delivered
4. Stop the attack, my payment is already considered as a part of the main chain, let the merchant to see that his payment is not.

WorldCoiner

hero member

Activity: 1069

Merit: 682

Quote from: jwinterm on January 11, 2017, 11:17:37 PM

CryptKeeper, are you and how much are you getting paid to run this thread? Are there other people on "the team" getting compensated? Where's the money coming to pay people, presuming people are getting paid?

Cryptkeeper is just a nice guy and community member, that did this purely out of altruistic reasons.
To be honest, me supporting Byteball also without small financial benefit (during the distribution I have had 3.5 BTC, really not a Byteball whale at all).
But I like Tony and I’m really impressed what he was able the achieve in such a short timeframe. Especially I focus always at new technology and the DAG can be the revolution of Cryptocurrency. It's in my view really a new generation, the third one.

There is at the moment no money at the table. Just the value of the Byteball we have received through the distribution can be lifted.

Espo

newbie

Activity: 37

Merit: 0

Quote from: Dynamic Index on January 11, 2017, 11:32:29 PM

Quote from: CryptKeeper on January 11, 2017, 11:04:17 PM

Quote from: Dynamic Index on January 11, 2017, 10:47:35 PM

Okay a serious question: What's the best way to backup wallet? I wrote down restore phrase and wrote down encryption key. Do I need to backup anything else? I couldn't find a wallet.dat in application support (mac)

FYI

Quote

Byteball Backups and Recovery

Byteball uses a single extended private key for all wallets, BIP44 is used for wallet address derivation. There is a BIP39 mnemonic for backing up the wallet key, but it is not enough. Private payments and co-signers of multisig wallets are stored only in the app's data directory, which you have to back up manually:

macOS: ~/Library/Application Support/byteball
Linux: ~/.config/byteball
Windows: %LOCALAPPDATA%\byteball

Is this data encrypted? I'm about to store on secure cloud account.

No, You should ZIP/RAR the files with a strong Password.

Dynamic Index

member

Activity: 83

Merit: 10

Quote from: CryptKeeper on January 11, 2017, 11:04:17 PM

Quote from: Dynamic Index on January 11, 2017, 10:47:35 PM

Okay a serious question: What's the best way to backup wallet? I wrote down restore phrase and wrote down encryption key. Do I need to backup anything else? I couldn't find a wallet.dat in application support (mac)

FYI

Quote

Byteball Backups and Recovery

Byteball uses a single extended private key for all wallets, BIP44 is used for wallet address derivation. There is a BIP39 mnemonic for backing up the wallet key, but it is not enough. Private payments and co-signers of multisig wallets are stored only in the app's data directory, which you have to back up manually:

macOS: ~/Library/Application Support/byteball
Linux: ~/.config/byteball
Windows: %LOCALAPPDATA%\byteball

Is this data encrypted? I'm about to store on secure cloud account.

jwinterm

legendary

Activity: 3136

Merit: 1116

CryptKeeper, are you and how much are you getting paid to run this thread? Are there other people on "the team" getting compensated? Where's the money coming to pay people, presuming people are getting paid?

CryptKeeper

legendary

Activity: 2044

Merit: 1055

Quote from: Dynamic Index on January 11, 2017, 10:47:35 PM

Okay a serious question: What's the best way to backup wallet? I wrote down restore phrase and wrote down encryption key. Do I need to backup anything else? I couldn't find a wallet.dat in application support (mac)

FYI

Quote

Byteball Backups and Recovery

Byteball uses a single extended private key for all wallets, BIP44 is used for wallet address derivation. There is a BIP39 mnemonic for backing up the wallet key, but it is not enough. Private payments and co-signers of multisig wallets are stored only in the app's data directory, which you have to back up manually:

macOS: ~/Library/Application Support/byteball
Linux: ~/.config/byteball
Windows: %LOCALAPPDATA%\byteball

Dynamic Index

member

Activity: 83

Merit: 10

Okay a serious question: What's the best way to backup wallet? I wrote down restore phrase and wrote down encryption key. Do I need to backup anything else? I couldn't find a wallet.dat in application support (mac)

Dynamic Index

member

Activity: 83

Merit: 10

Quote from: yvv on January 11, 2017, 10:36:59 PM

Quote from: Dynamic Index on January 11, 2017, 10:09:33 PM

So before the supposed snapshot in med February, would it be more profitable to buy bytes of exchange and store in wallet (will simply storing the byte in wallet gain byte at snapchat)?

Or to link BTC address and gain byte that way

Let's assume with the same amount of bitcoin that you would be buying byte with or linking.

Just do your math bro

During next giveaway, 1BTC gives you 62.5Mb, the same amount as 625Mb gives you. So, if bytes are cheaper than 625Mb per BTC, it is better to buy bytes with BTC, otherwise sell bytes to have more BTC.

What if I were to take a bank loan out for lets say one month of $50,000 and buy 62 bitcoin. Then I wait until snapshot, verify bitcoin address, receive Mb, then sell bitcoin to pay back loan?

yvv

legendary

Activity: 1344

Merit: 1000

.

Quote from: Dynamic Index on January 11, 2017, 10:09:33 PM

So before the supposed snapshot in med February, would it be more profitable to buy bytes of exchange and store in wallet (will simply storing the byte in wallet gain byte at snapchat)?

Or to link BTC address and gain byte that way

Let's assume with the same amount of bitcoin that you would be buying byte with or linking.

Just do your math bro

During next giveaway, 1BTC gives you 62.5Mb, the same amount as 625Mb gives you. So, if bytes are cheaper than 625Mb per BTC, it is better to buy bytes with BTC, otherwise sell bytes to have more BTC.

Dynamic Index

member

Activity: 83

Merit: 10

So before the supposed snapshot in med February, would it be more profitable to buy bytes of exchange and store in wallet (will simply storing the byte in wallet gain byte at snapchat)?

Or to link BTC address and gain byte that way

Let's assume with the same amount of bitcoin that you would be buying byte with or linking.

drays

legendary

Activity: 2576

Merit: 1073