Topic: Threat Model for Colored Coins (Read 1514 times)

sr. member
Activity: 280
Merit: 257
bluemeanie
November 23, 2013, 01:08:21 PM
#18
Why Not Color Coins? problems, limitations, and criticisms of the Bitcoin Color Coins architecture

http://www.altchain.org/?q=content/why-not-color-coins-problems-limitations-and-criticisms-bitcoin-color-coins-architecture
sr. member
Activity: 280
Merit: 257
bluemeanie
November 14, 2013, 02:31:43 PM
#17
To understand what Confidence Chains means you have to revisit some of the initial design goals of Bitcoin.  Bitcoin was meant to be a currency without backing and without ownership.  Color Coins and other related technologies have a different purpose: digital vouchers(although Confidence Chains does much more than that).  Thus, you've removed ZERO TRUST.  You must trust the backer.  The idea of leaving in Proof Of Work anyway is just meaningless really and reflects a lack of vision as to why it was there in the first place.  The core oversight is that the block chain is a free database that anyone can insert information for any purpose.  You'll find this assumption is a standard amongst the Color Coin people.  It is here that Color Coins breaks down.  We saw this unfold with the COIN_DUST issue.

Trusting the issuer is a plausible trade off and others have worked with that assumption.

But there remain advantages for mining/blockchain validation based security.


 I appreciate the comments, and I address the individual points below but before I do, consider the advantages of this architecture.

 * No mining
 * No expensive hardware.
 * No excessive network usage.
 * No mining pools.
 * No ASIC manufacturers.
 * Instant Confirmations.
 * No thorny security issues that are often intractable and unmanageable.

   the general point is though, that ultimately value must rest in its redeemability for something.  Even if this is a complex financial derivative that is a financial function of a financial function denominated in a currency that is itself a complex of financial functions.  Ultimately you need to exchange it for something.  Even if this exchange isn't something that is eg. edible or physical, it still has some kind of legal value outside the system.  This reliance is implicit in all financial systems.  And if you don't trust the issuer, why would you want to trade in their issued vouchers?

Consider:

- if you want the issuer to be offline (it could be dangerous to have a key online that can create value on whim if it is hacked the system may break down).

- more advanced/2nd gen types of features where the bearer shares are the shares, not a representation for shares in some external authoritative ledger or issuer escrow broker account: there may be a digital prospectus where the issuer is issuing 10,000 shares for their A-round of financing.  The prospectus says they need approval from 25% of share holders to issue a second round or to do a share buy-back.  So the network validates shares, and all peers reject any shares created in violation of the company prospectus a priori.


  You can certainly do complex things such as this in Confidence Chains.

- mostly when one is talking about shares, there is no redemption (outside of a company voted share buy-back) - there are just buys and sells on a market setting the price.  If you want to redeem the value of your share you sell it.

  Sell it for what?  another share that has an implicit value, because that share is exchangeable for something else with implicit value.  Remember Bitcoin wasn't worth anything until someone bought a pizza with it.  So ultimately you must have at least ONE person willing to redeem the digital vouchers for something in the real world.  That could be peanuts, USD, Turkish Lira, Gold Coins, etc.  In most environments though there will be MANY issuers who have such implicit promises and what Confidence Chains gives you is a very quickly assembled ledger that all those issuers agree on.  Consensus is the key word here.  I've abandoned Bitcoin's idea of a global ledger, and this bought me some very attractive performance and architecture features (as well as simplicity).

  Granted there are issues in hosting eg. trades and supporting some sense of non-bias.  I'm not sure how a PoW system can give you that.

 "you can't eat money."

- smart contracts depend on final settlement.  If the settlement is not final, then undo requests will be made by users in dispute.  If your system is based on consensus the court will hit your transaction server/issuer with a demand to undo consensus.  Once this happens people will realize the contracts are not smart, and incur the same posthoc dispute costs at the transaction layer as credit cards etc.

you can also do this kind of complex logic chaining and then the remarketing of the risk implicit in those agreements.  Confidence Chains can support the same exact Transaction formats that Bitcoin does if you really want it.

btw- not sure if you saw Peer-To-Peer Bond Auction  http://goo.gl/LVU7A5

thanks for your comments, -bm
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
November 14, 2013, 01:58:54 PM
#16
To understand what Confidence Chains means you have to revisit some of the initial design goals of Bitcoin.  Bitcoin was meant to be a currency without backing and without ownership.  Color Coins and other related technologies have a different purpose: digital vouchers(although Confidence Chains does much more than that).  Thus, you've removed ZERO TRUST.  You must trust the backer.  The idea of leaving in Proof Of Work anyway is just meaningless really and reflects a lack of vision as to why it was there in the first place.  The core oversight is that the block chain is a free database that anyone can insert information for any purpose.  You'll find this assumption is a standard amongst the Color Coin people.  It is here that Color Coins breaks down.  We saw this unfold with the COIN_DUST issue.

Trusting the issuer is a plausible trade off and others have worked with that assumption.

But there remain advantages for mining/blockchain validation based security. 

Consider:

- if you want the issuer to be offline (it could be dangerous to have a key online that can create value on whim if it is hacked the system may break down).

- more advanced/2nd gen types of features where the bearer shares are the shares, not a representation for shares in some external authoritative ledger or issuer escrow broker account: there may be a digital prospectus where the issuer is issuing 10,000 shares for their A-round of financing.  The prospectus says they need approval from 25% of share holders to issue a second round or to do a share buy-back.  So the network validates shares, and all peers reject any shares created in violation of the company prospectus a priori.

- mostly when one is talking about shares, there is no redemption (outside of a company voted share buy-back) - there are just buys and sells on a market setting the price.  If you want to redeem the value of your share you sell it.

- smart contracts depend on final settlement.  If the settlement is not final, then undo requests will be made by users in dispute.  If your system is based on consensus the court will hit your transaction server/issuer with a demand to undo consensus.  Once this happens people will realize the contracts are not smart, and incur the same posthoc dispute costs at the transaction layer as credit cards etc.

- I am not saying disputes can't or shouldn't be resolved: the point is the parties go to an arbitrator or court and allocation of blame is made, and the parties settle financially.  Not by undoing a transaction.  You no more want transactions to be undone than a $100 US bill in your pocket fail one day because 20 transactions ago someone stole it from a convenience store.  Bearer assets based on smart contracts flow onwards into dependent transactions eg as part of a structured product, a swap etc.  They must not be undoable or the utility of smart-contracts is damaged.

Adam
sr. member
Activity: 280
Merit: 257
bluemeanie
November 12, 2013, 12:57:34 PM
#15

 
thanks for the input.  I will post a few progress milestones to here when it is relevant.  The http://www.altchain.org site is coming very soon.

Thank you too - your response was very clear.

If I understand correctly, your fundamental point is that if somebody/thing is going to assert equivalence between a "blockchain asset" and a real-world asset then a legal entity, ultimately needs to stand behind this assertion as there needs to be *something* that will act as the bridge to the real world. And if you have an identifiable entity as part of the system then some of the constraints that drove the original designs of bitcoin et al can be questioned, right?

that is a very lucid way to phrase it actually.  Seems like you're treading on a few of the logical paths I took while I was coming up with this. It's sufficiently far enough from Bitcoin that it does take some effort to understand the what/why/how of it.  A good portion of the people here are just interested in making money mining, so I've excluded them as people to talk to.  Also, it does not require any legal support.  People can issue assets (and other things) reliably without involving any traditional legal system.  Cryptography does all the work here.

Consider this, you mentioned earlier something along the lines of- how do we stop people from just having their own identity weights?  I do allude to this in the paper, the part about 'idiot nodes'.  So you're individually free to reassess credibility values in the system, but ultimately, the issuers need to honor the ledger for you to get reimbursed.  Therefore if you choose to be an 'idiot' then you risk alienation from your implicit contract with the issuer, and also alienation from the community of people transacting in the assets. [2]  Why are you in a marketplace if you don't like anyone?  Remember the chains build on top of each other, and to have some kind of radical choice of identity weights will just exclude you from opportunities to build blocks on the chain.  It's effectively impossible to drastically diverge from the consensual layout of identity weights(small differences won't have major results). [3]  This is a technology that allows people to easily and automatically generate a consensual distributed financial ledger(it can do many things, not just exchanges- I explain how to do a distributed auction as well).



Your chain (no pun intended) of reasoning then becomes: "if we're going to have one trusted entity in the system, why not generalise the concept to one where *any* entity can be assigned some notion of trust and see where that takes us" I think.   Which I think is a great insight.

I'm still unconvinced that it *would* generalise in the real-world, however.  

For example, I'm not yet seeing the circumstances under which I would assign non-zero trust values to any entity other than the issuer of an asset unless I had some other out-of-band information about them from which I could make a determination about their trustworthiness (e.g. if they were a well-known and trusted brand, say?).

This also seems to be problematic for the Bitcoin crowd.  We assign trust to entities all the time.  Mt Gox has a pile of my money and they can easily take off with it.  The advantage CChains gives you is that I can create a congress of trust.  It's far more reliable than trusting one particular entity.  For instance would you rather deal with Saudi Arabia(a monarchy) or France(a democratic republic)? [1]  It would be fairly easy to organize as little as 5 nodes into something that is virtually bulletproof.  Imagine you had a ledger that is mathematically proven to be agreed upon by 100 parties in 30 countries with varying shades of background and character?  And this ledger is FAST, we can assemble this consensus practically instantly.  That's the power of Confidence Chains.

The system also addresses Bitcoin's technical shortcomings.  A great paper on why the underlying assumptions of Bitcoin are problematic: http://www.links.org/files/decentralised-currencies.pdf

Laurie points out for instance that Bitcoin relies on checkpoints.  Who makes the checkpoints?  Bitcoin is not exactly as decentralized as they make it out to be, and some of the 'solutions' to the problems they face are really removing the initial intent of the system.  Most people involved at this point don't really care, they're just interested in latching onto the inertia of the movement.  They're not necessarily concerned that the movement is moving in a completely opposite direction than originally intended.

Keep in mind that once we have factored out Proof Of Work, there is no mining, there is no need for expensive machinery to run the system.  You can host 50,000+ txs a day(what Bitcoin does) with simple commodity hardware.  You can probably host several thousand transactions a minute.  Thus the technology brings money back into the hands of the average person.  Naturally the big boys, who sell hardware and such are not interested in such things.  Also the performance is much much better, you get virtually instantaneous response times.  There is no block hashing, nonces, etc.

If all I have to observe is their behaviour inside the system, then I don't understand the economic analysis / game-theoretic story that means they wouldn't easily be able to "build up" trust for some period of time before mounting a catastrophic attack.   Perhaps the situation would be no worse than one in a "colored coin on bitcoin" world, where the attacks I discussed at the start of the thread could potentially occur - but I don't know.

It does not have the same set of risks as Bitcoin as there are no 'unbounded consensus' problems(sic. Ben Laurie).  The 'inputs' in the system are your trust layout.

The risks for Color Coins are going to be a capacity/performance breakdown.  They don't pose any serious additional security problems and generally it does not affect the 51% attack issue.  Putting color coins on an altchain is just pointless because if you had an altchain you can redesign the tx format to support 'colors' directly without the need for this complex coloring schema.

Disclosure: I've not yet had chance to read the other papers... so if you discuss these issues there (or elsewhere), please just tell me to RFTM.

Richard

the other papers describe how to make a Distributed Exchange and how to make a Distributed Bond Auction.  There are few parties here and there claiming they can make a Distributed Exchange, however I'm the only one I know of that has described exactly how to do it in detail.  One other camp claims to have it, but their claims are dubious to say the least.  This project, which is currently posted all over the place here, is just kicking up dust trying to bring in investment money.  If you have the time to closely follow their claims it's fairly easy to see what they're up to.

Richard, much appreciate your comments here.  danke schon!  -bm






[1]  who would you buy bonds from?  Hint: countries like Saudi Arabia don't have the same sovereign debt system that democratic republics have because they are nowhere near as credible and reliable.

[2] and this tactic would be very short lived.  If you chose for instance to ignore half the identity nodes because you felt they are untrustworthy, the confidence of your own private chain would be minuscule compared to the dominant chain.  Then what?  you could present this private 'idiot' chain to an issuer and claim you have an account balance.  Your records might line up with the dominant records, and they may honor it.  But the problem is you lose the ability to transact with all the people who are 'getting along'.  This is basically how the algorithm fosters participation.  If you don't 'get with the program' you are left out.  If you don't like the program, maybe you can find an alternate chain to trade in.  Remember though that in NO SITUATIONS can account transfers or the initiation of any financial instruments be falsified.  The nodes do not have the ability to forge personal signatures.

[3] btw- most of these details are shielded from the average user.  These things are only going to come into play when people start breaking open the system and trying to exploit it.  The average person will see a very performant, publicly credible, feature rich exchange/financial service that does not appear to be branded by any one particular entity.  Hackers will see the things I describe, and then they will discover that they cannot break the system.
member
Activity: 74
Merit: 14
November 12, 2013, 06:39:21 AM
#14

 
thanks for the input.  I will post a few progress milestones to here when it is relevant.  The http://www.altchain.org site is coming very soon.

Thank you too - your response was very clear.

If I understand correctly, your fundamental point is that if somebody/thing is going to assert equivalence between a "blockchain asset" and a real-world asset then a legal entity, ultimately needs to stand behind this assertion as there needs to be *something* that will act as the bridge to the real world. And if you have an identifiable entity as part of the system then some of the constraints that drove the original designs of bitcoin et al can be questioned, right?

Your chain (no pun intended) of reasoning then becomes: "if we're going to have one trusted entity in the system, why not generalise the concept to one where *any* entity can be assigned some notion of trust and see where that takes us" I think.   Which I think is a great insight.

I'm still unconvinced that it *would* generalise in the real-world, however.   

For example, I'm not yet seeing the circumstances under which I would assign non-zero trust values to any entity other than the issuer of an asset unless I had some other out-of-band information about them from which I could make a determination about their trustworthiness (e.g. if they were a well-known and trusted brand, say?).

If all I have to observe is their behaviour inside the system, then I don't understand the economic analysis / game-theoretic story that means they wouldn't easily be able to "build up" trust for some period of time before mounting a catastrophic attack.   Perhaps the situation would be no worse than one in a "colored coin on bitcoin" world, where the attacks I discussed at the start of the thread could potentially occur - but I don't know.

Disclosure: I've not yet had chance to read the other papers... so if you discuss these issues there (or elsewhere), please just tell me to RFTM.

Richard

sr. member
Activity: 280
Merit: 257
bluemeanie
November 11, 2013, 05:14:29 PM
#13

Am I missing something?  Is this something that one would expect to be covered in the legal agreements that "link" a real-world asset to a particular set of colored coins? Something else?


you're not missing anything, Color Coins[1] are going to be a nightmare in practice.  They seriously distort the economics of mining.

...

It's these very problems, and a few other revelations that led to my development of Confidence Chains.

Confidence Chains has none of these problems.  It doesn't use mining at all.


[1] and presumably Mastercoins

Thanks for the comments - I'll take a deeper look at confidence chains.  When I first read about them, I must admit I was unconvinced.  In particular, your paper (link below so you know which one I'm talking about) lacked any analysis of the potential attacks and didn't give me much insight into how the confidence values for nodes would be set (and evolve) over time.  e.g. what happens if different nodes assign different values to the confidence they have in other nodes?  Surely everybody would have a different view as to which the most confident chain was?

that is a good point and it's very possible to have this kind of configuration.  Each node might have different perspectives on which nodes are more important.  Just like in real life.  One member of a social group might favor the statements of certain people.  There's no centralized document that says this particular person is more credible than another.  This does not affect the basic operation of the algorithm though.  Not only can nodes have different views on who is important, they can actually employ different strategies for building chains, and these strategies can exploit various aspects of the financial ledger, ultimately though consensus is the thing on which a ledger is accepted.  With complex financial instruments there is quite a bit of interpretation involved.


No doubt these issues have already been discussed (probably on here somewhere) but my sense is that if you're going to throw out the proof of work system (and I see why it could be attractive for some scenarios), there probably needs to be a reasonably rigorous analysis of how the system could be gamed, etc.


that's certainly fair to say.  To understand what Confidence Chains means you have to revisit some of the initial design goals of Bitcoin.  Bitcoin was meant to be a currency without backing and without ownership.  Color Coins and other related technologies have a different purpose: digital vouchers(although Confidence Chains does much more than that).  Thus, you've removed ZERO TRUST.  You must trust the backer.  The idea of leaving in Proof Of Work anyway is just meaningless really and reflects a lack of vision as to why it was there in the first place.  The core oversight is that the block chain is a free database that anyone can insert information for any purpose.  You'll find this assumption is a standard amongst the Color Coin people.  It is here that Color Coins breaks down.  We saw this unfold with the COIN_DUST issue.

Confidence Chains does not have any of the security problems of Bitcoin.  Initially the system supports a STATIC distribution, as in the nodes are predetermined.  There are other possibilities which have not been conceptually explored at this point.  The first basic app will be a Distributed Exchange which offers some really great value to the sorts of people who come here to this list.  Keep in mind people are interested in Confidence Chains who don't have anything to do with Bitcoin.  Wouldn't you rather trade bitcoin on an exchange that cannot be biased by any individual participant or owner?  the exchange has no owner, and that's the key difference.



There are two more whitepapers posted to this forum showing some other applications of Confidence Chains.  There will be more publications in the future.  One of the advantages to CCs is that the architecture is very flexible.  I'm a very conceptual high-forehead kind of person so I think the strength of this is how many different things you can do with it.  I'm not going for low-hanging fruit at this point.  People can easily work in their own ideas and financial instruments, build wealth and capital without much knowledge.  The code base will be relatively simple.
 
thanks for the input.  I will post a few progress milestones to here when it is relevant.  The http://www.altchain.org site is coming very soon.
member
Activity: 74
Merit: 14
November 11, 2013, 04:12:17 PM
#12

Am I missing something?  Is this something that one would expect to be covered in the legal agreements that "link" a real-world asset to a particular set of colored coins? Something else?


you're not missing anything, Color Coins[1] are going to be a nightmare in practice.  They seriously distort the economics of mining.

...

It's these very problems, and a few other revelations that led to my development of Confidence Chains.

Confidence Chains has none of these problems.  It doesn't use mining at all.


[1] and presumably Mastercoins

Thanks for the comments - I'll take a deeper look at confidence chains.  When I first read about them, I must admit I was unconvinced.  In particular, your paper (link below so you know which one I'm talking about) lacked any analysis of the potential attacks and didn't give me much insight into how the confidence values for nodes would be set (and evolve) over time.  e.g. what happens if different nodes assign different values to the confidence they have in other nodes?  Surely everybody would have a different view as to which the most confident chain was?

No doubt these issues have already been discussed (probably on here somewhere) but my sense is that if you're going to throw out the proof of work system (and I see why it could be attractive for some scenarios), there probably needs to be a reasonably rigorous analysis of how the system could be gamed, etc.

Very interesting concept, in any case.

https://docs.google.com/viewer?a=v&pid=forums&srcid=MDg1Nzc2MjYxNDE2NDcyMjk2NDcBMDQ4MDMyNzQyMDY2MjExMDkyNzEBNU81RURra1djcHdKATQBAXYy
sr. member
Activity: 280
Merit: 257
bluemeanie
November 11, 2013, 12:56:26 PM
#11
The problem is colored coins exist only on the blockchain, if the blockchain is 51% attacked, it cannot be used as a reliable proof of anything anymore, then the colored coin would lose its value as well.

I don't think Color Coins increase the risk of a 51% attack.  It poses the same risk with or without color coins.

the problem is that the transaction values no longer scale to the input of the miners.  A very small BTC transaction could carry millions of dollars in trade value.  Thus a miner could hold that transaction hostage or a number of different things.  It's already been discussed at length on the BitcoinX list, but as things go here anything important is virtually ignored in favor of pump and dump schemes and WHO IS TEH SATOSHI? threads.

the idea works as far as the initial whitepaper takes it.  The initial whitepaper does not discuss the issues regarding mining economics brought up by myself on the BitcoinX list.  It's a failed architecture in my view.
sr. member
Activity: 280
Merit: 257
bluemeanie
November 11, 2013, 12:50:56 PM
#10
A colored coin is a contract. If the coin issuer refuses to acknowledge the stolen colored coins, those coins are worth nothing


you've removed ZERO TRUST.

why then would you want Proof of Work?  It's a complete waste, but not many have the vision to see that.  Most on here have highly specialized knowledge/experience specifically for Bitcoin.
sr. member
Activity: 280
Merit: 257
bluemeanie
November 11, 2013, 12:49:16 PM
#9

Am I missing something?  Is this something that one would expect to be covered in the legal agreements that "link" a real-world asset to a particular set of colored coins? Something else?


you're not missing anything, Color Coins[1] are going to be a nightmare in practice.  They seriously distort the economics of mining.  I raised this many times on the BitcoinX list, but the main protagonist/troll on there 1st: refused to acknowledge the problem 2nd: acknowledged it but didn't fix it.  He spends months doing precisely NOTHING but sounding off and trying to look important (but not succeeding).  This is probably why it seems the only project in that neighborhood with investment money did not include him.

It's these very problems, and a few other revelations that led to my development of Confidence Chains.

Confidence Chains has none of these problems.  It doesn't use mining at all.


[1] and presumably Mastercoins
legendary
Activity: 1036
Merit: 1000
November 11, 2013, 12:41:01 PM
#8
Sure... it would be obvious (to anybody who looked) that the new chain represented a double-spend attack --- but who has the incentive to care?  The writer of the colored coin contract MAY care.... and whoever was scammed out of the coin certainly does.  But is it a 100% certainty that a double-spend of a few satoshis would provoke a major response from anybody else? 

It would seem that everyone who has bitcoins would care: even a few satoshis double spent are a deviation from the core idea of Bitcoin as an unimpeachable public ledger.
hero member
Activity: 784
Merit: 1000
May 31, 2013, 10:45:24 PM
#7
The problem is colored coins exist only on the blockchain, if the blockchain is 51% attacked, it cannot be used as a reliable proof of anything anymore, then the colored coin would lose its value as well.
legendary
Activity: 1792
Merit: 1111
May 31, 2013, 10:05:55 PM
#6
A colored coin is a contract. If the coin issuer refuses to acknowledge the stolen colored coins, those coins are worth nothing

Yes: but you're assuming it is possible to tell that they are stolen - and this is my point.


You mention a 51% attack, and it is very to prove it.
legendary
Activity: 1246
Merit: 1010
May 30, 2013, 09:08:11 PM
#5
A colored coin is a contract. If the coin issuer refuses to acknowledge the stolen colored coins, those coins are worth nothing

Sure... it would be obvious (to anybody who looked) that the new chain represented a double-spend attack --- but who has the incentive to care?  The writer of the colored coin contract MAY care.... and whoever was scammed out of the coin certainly does.  But is it a 100% certainty that a double-spend of a few satoshis would provoke a major response from anybody else? 

I see this as primarily a problem for those working on colored coins to worry about (if indeed it's a real problem) and perhaps it can be addressed through appropriate contract wording....  but is it not also a risk to the core bitcoin network too?   i.e. the existence of colored coins would change the economic incentives acting on participants in the network - and any analysis that only looks at the underlying BTC value would miss this.

For the vast majority of backing commodities the act of redeeming colored coins (i.e. destroying them and receiving their value) could easily require significant confirmations -- say 50+.  After all, backed coins already require that you trust the issuer.  So you can send them your coins overnight and trust them enough to get the commodity in the AM.

member
Activity: 74
Merit: 14
May 30, 2013, 12:42:04 PM
#4
A colored coin is a contract. If the coin issuer refuses to acknowledge the stolen colored coins, those coins are worth nothing

Yes: but you're assuming it is possible to tell that they are stolen - and this is my point.

Today, the rule is basically that the longest blockchain wins (or, rather, the hardest blockchain).  It is customary to wait for a transaction to be so many blocks deep before treating it as "confirmed" and one could imagine contracts underpinning colored coins to be written on this basis.  e.g. "title to the physical asset will be granted when the Bitcoin transaction returning the associated colored coins to the issuer are ten blocks deep in the longest/hardest chain" - or whatever.

Now, today, somebody contemplating a 51% attack to steal Bitcoins would be pretty obvious: when their new chain, containing the double spend, starts to catch up with the "real" chain, it would be obvious to anybody that a double-spend attack was underway: there would be conflicting transactions in each chain, each spending a significant number of the same coins (it has to be a significant number or else why bother?).   This would surely provoke a response (somehow) from the honest participants in the network.... since failure to resolve it would undermine the system.    For this reason (and the reality that anybody with the compute power to do this would probably benefit more from using it to play by the rules), such an attack is probably unlikely.

However, the situation is far more subtle with colored coins.  And this is because a colored coin that has high value by virtue of its color appears just like any other coin to the other participants in the network, for whom its BTC value is the only metric of interest.  So it is conceivable that - from the Bitcoin perspective - that a colored coin double spend transaction would be for a trivial amount in BTC --- maybe even just a few satoshis. 

Sure... it would be obvious (to anybody who looked) that the new chain represented a double-spend attack --- but who has the incentive to care?  The writer of the colored coin contract MAY care.... and whoever was scammed out of the coin certainly does.  But is it a 100% certainty that a double-spend of a few satoshis would provoke a major response from anybody else? 

I see this as primarily a problem for those working on colored coins to worry about (if indeed it's a real problem) and perhaps it can be addressed through appropriate contract wording....  but is it not also a risk to the core bitcoin network too?   i.e. the existence of colored coins would change the economic incentives acting on participants in the network - and any analysis that only looks at the underlying BTC value would miss this.
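The monitoring gap raised in the post above, as an added example that is not part of the thread: a check that compares two competing branches for conflicting spends, then shows a BTC-value threshold missing a colored-coin double spend that an issuer-side watchlist catches. The branch representation, outpoint ids, transaction names and amounts are constructed for illustration.

```python
# Constructed sample data, not real chain data. A branch is the list of blocks
# after the fork point, oldest first; a block is a list of transactions.
COLORED = ("c0ffee", 0)   # outpoint carrying the colored coin (hypothetical id)
PLAIN = ("beef01", 1)     # ordinary high-value outpoint (hypothetical id)

HONEST = [
    [{"txid": "sale", "spends": [COLORED], "sat": 1000},
     {"txid": "pay1", "spends": [PLAIN], "sat": 500_000_000}],
    [], [],
]
RIVAL = [
    [{"txid": "back-to-self", "spends": [COLORED], "sat": 1000}],
    [{"txid": "pay1", "spends": [PLAIN], "sat": 500_000_000}],
    [], [],
]

def index_spends(branch):
    """Map outpoint -> (txid, satoshis, confirmations) for one branch."""
    spends = {}
    for height, block in enumerate(branch):
        for tx in block:
            for outpoint in tx["spends"]:
                spends[outpoint] = (tx["txid"], tx["sat"], len(branch) - height)
    return spends

def find_conflicts(branch_a, branch_b):
    """Outpoints spent by different transactions in the two branches."""
    a, b = index_spends(branch_a), index_spends(branch_b)
    return [
        {"outpoint": op, "a": a[op], "b": b[op], "sat": max(a[op][1], b[op][1])}
        for op in sorted(a.keys() & b.keys())
        if a[op][0] != b[op][0]
    ]

def alerts_by_value(conflicts, min_sat):
    """Monitor that only cares about the BTC amount at stake."""
    return [c for c in conflicts if c["sat"] >= min_sat]

def alerts_by_watchlist(conflicts, watched):
    """Issuer-side monitor keyed on colored outpoints, whatever their BTC value."""
    return [c for c in conflicts if c["outpoint"] in watched]
```

The `a` and `b` tuples carry the confirmation count in each branch, so an issuer can compare them against whatever depth its contract names before granting title.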
legendary
Activity: 1792
Merit: 1111
May 30, 2013, 08:36:47 AM
#3
A colored coin is a contract. If the coin issuer refuses to acknowledge the stolen colored coins, those coins are worth nothing.
hero member
Activity: 504
Merit: 500
May 30, 2013, 08:17:21 AM
#2
The threat of a 51% attack is a flaw of the system. It can be "enforced" in code... but it is not. We use trust, and "let it work itself out"...

Equally so is the reverse of a 51% attack, and that is a coin-eater that hunts down and destroys wallets, hurting those who do not have a paper-wallet. Thus, driving up the value, as opposed to driving it down in a 51% attack. (Although, if a 51% attack is found, it can be reversed, as the transactions become nullified, you simply find that your incorrect balance is no longer there... it just vanishes, as the "new block-chain" with the "undelivered fake coins", enters your wallet... Thus, invalidating your previous balance that you thought you had. But destroyed wallets can not realistically be "restored", unless you happen to find the wallet in its original form. It can not be "created" just off the info you have of a prior wallet, due to the fact that "new addresses" do not come from the wallet itself, they are requested from the network, which is sooo wrong, on sooo many levels. Because the network does not track the addresses you requested in a block. Thus, any money sent to those "have no clue what the system gave me" addresses, will never be recoverable.)

What is to be expected to "be covered in legal agreements"... is that you "register with your country's federal monetary regulatory board, as a minter." Also, purchase the appropriate insurance legally required for losses that protect YOU as a minter/banker, in the event of frauds and theft, and offers protections to your customers (The mint holders). Also reporting and complying with laundering laws and tax laws, reporting any/all income, all "non-transfer" exchanges, and various other things... Deposits of $10,000 or more in value, clients identities and records of all transactions and associated fees... A "non-owned" account resembling a "portion of handled currency", that you can never touch, used to "pay your mint-holders", at the time of a withdrawal only. (Thus, can not be, "lent-out".)

What actually gives it "value", at that point, is the government. They tell YOU what you have to accept, and what you have to give them, and what it is worth. You just become a federal pawn, limited to convincing others that they should give you funds, which will be lent to others, who you HOPE will pay you back. Also having the appropriate collections agents and methods in place to reject those "high-risk" borrowers... which requires you to use credit reports and pay for background checks, and various other P.I. and enforcement crap.

Minimum-wage is the base for all value. However, that is screwed-up when the governments raise the value of minimum-wage, thus, devaluing the currency as a whole. Unprepared food comes next, as that is the next largest untaxable physical thing of actual value. (Labor is virtual, like credit.) After that, comes material-taxable-assets... Shit that can be taken away from you, to pay debts... which is also devalued to a fraction of actual repayment value, thus, nearly the least valuable. The least valuable foundation of currency is "hope". If you don't believe in the note/government/system/values-set-by-them... then there is zero value. That is why they/we spend so much effort trying to get everyone to believe things have value, that they want them, that they need them. Because we are holding them. Those who hold the most, tend to push the hardest belief. (Hold the most debt/currency.)
member
Activity: 74
Merit: 14
May 30, 2013, 07:11:30 AM
#1
(Sorry if this is the wrong forum)

One of the most interesting topics I learned about at the Bitcoin 2013 conference was the idea of Colored Coins.  However, I'm unable to convince myself that implementing them on top of Bitcoin would have the same security characteristics that exist for Bitcoin itself.

In particular, what is the chain of reasoning that demonstrates that the set of incentives that protect Bitcoin from an economically-motivated 51% attack also apply when certain Bitcoins are colored?

More precisely, here is what I have in mind:

* For Bitcoin itself, an economically rational actor has little incentive to perform a 51% attack to steal Bitcoins (by double-spending, say) since undermining the integrity of the network would reduce/destroy the value of the very coins the attacker was seeking to steal.  Thus, the only actors one would expect to engage in a 51% attack would be those with a non-economic motive (governments, perhaps).  Perhaps another way of saying it is that the possessor of huge amounts of compute power has more to gain by participating in the system than by seeking to thwart it.

* However, if one now turns attention to colored coins, the incentives change.  These are coins with some connection to the "real world": possessing one might entitle the possessor to income from shares or title to a physical asset, etc, etc.  As such, the value of the assets represented by colored coins could be orders of magnitude greater than the value of the underlying Bitcoins themselves.   Therefore, an economically-rational attacker set on stealing real-world assets may no longer care about the value of Bitcoins (or a subsequent failure of the system) since their eyes are on a different goal.

* So... if there were ever a colored Bitcoin that was worth vastly more than the underlying Bitcoin that "carried" its color, why would an attacker not, say, acquire the colored coins for fiat, sell them to somebody else for fiat and then, once the fiat was safely received, mount a 51% attack to reverse the "sale"?   The end-result would be that the attacker had both the original fiat *and* a blockchain that recorded them as the owner of the asset.  If the (BTC) value of the double-spent Bitcoins was low (imagine 1 colored Satoshi that represents one million Apple Shares), one could imagine a scenario where the core Bitcoin network shrugged off the issue as an aberration and the attacker was now recorded as the rightful owner of a stolen asset.  Equally, one could imagine that this fatally undermines the Bitcoin system yet the attacker still potentially has title to the asset.

* Of course, the 51% attack is just an example - the wider point I'm trying to make is that it is not immediately obvious that the economic incentives that help protect Bitcoin from various attacks are still effective in the presence of highly valuable colored coins.

Am I missing something?  Is this something that one would expect to be covered in the legal agreements that "link" a real-world asset to a particular set of colored coins? Something else?