Topic: Virtual currency without block chain (Read 1912 times)

You can't replace transactions. The unique ID for a coin makes it stored as a single value. By messing up I mean that an attacker can put wrong information into the DHT or delete information. If the attacker manages to delete a coin and then tries to put it in again with another owner then the digital signature would have to be cracked for that to be a successful attack.

I see what you mean now. There is no complete history for the transactions so an attacker can simply make up a transaction and sign it correctly. Yes, then messing up the DHT can lead to double spend.

If you can "mess up" the DHT then you can double spend.  For example, send some coins to an exchange, trade them for btc, then scrub the transaction from the dht (perhaps via Sybil attack) and send the same coins off to some second exchange and sell them again.  Having the coins identified and signed doesn't really help the first exchange.

Hmm... Wait a minute. If a central authority like the U.S. government issued the coins AND run the transaction servers as a public serve then they could use digital signatures even for the nodes in the network with an ordinary distributed hash table implentation. They could issue a bunch of 10 cent, $1, $10, $100, ... and so on coins. Very efficiently and to a small public service cost. The wallets can be digitally signed with a national ID system (a potential Orwellian danger perhaps but anyway) and that would eliminate the need for messy cold storage with paper wallets and all that cumbersome management. That's something for Obama to look into.

The double spending problem is completely eliminated by having unique coin IDs and using digital signatures. The worst attack nodes could do would be to mess up the distributed hash table. Admittedly, that has to be solved too but the double spending and counterfeit problems are solved in this way without the need for a block chain.

No, the idea is to have the system without a block chain to be trustless once the coins are in circulation. The central authority would be a government or something like that. For example the U.S. government could issue the virtual currency with the same value as the USD. And then those coins would be like digital peer-to-peer cash with very fast transaction times. And the transactions can have zero transaction fees with servers run by the government as a public service. So it would be a limited use case but it could be used in competition with existing cryptocurrencies.

Another of the key realizations to be had is that security can't actually be made to happen any faster.  (Despite what most alts would have you believe.)  There is no such thing as a secure "0-confirmation transaction" or "instant send" because it eliminates the very thing that creates security over the transaction, that being the passing of time.

It is easy for us to forget that Bitcoin is not really, at heart, a system of money.  It is a system of measuring the time passed since "some event" was logged by the network.  It is designed to measure a probabilistic hour in ten minute average increments.

Let's look at two hypothetical networks.  Network A is like BTC, with 10 minute blocks and 6 confirmations recommended for maximum security.  Network B is a "fast coin" with one minute blocks and 10 confirms.

Let's say both networks have exactly the same average hash-rate, the same number of identical processors hashing on each.  The precise number chosen doesn't matter for the thought experiment, as long as the networks are physically equivalent.

I receive a coin on network A and a coin on network B.  Then an hour passes.  Which coin is more secured?

The answer is, of course, neither.  They both have exactly the same amount of security behind them.  The same amount of work was put behind both by now, that being whatever the network can provide in one hour.  No more, no less, regardless of the block interval or "suggested" confirms

Satoshi et al advised 6 blocks of 10 minutes.  One hour.  Regardless of your alt-coin parameters you can't get this much security by any means that doesn't involve waiting, on average, one hour.  You just simply can't magic the network into being able to add  "an average hours' worth of security" in anything less than one hour.

The only amount of security that you can get from 0 time passing is none at all.

So just Ripple. Minted by a central authority, maintained by a few trusted nodes of their own. Changing their marketcap whenever they feel like it.

One of the key realizations to be had is that these are essentially the same concern.


Also (arguably) undesirable, for many good reasons.

We are talking of orders higher bloat, and that will increase with more transactions. In effect we are talking of a system where each transaction is a block. Its nearly instantaneous as the block is created whenever it transacts, but the size will be huge.

Bloat can be dealt with since disk space and communication speed follow an exponential progress similar to Moore's law. But what about transaction speeds? Paying for a coffee at Starbucks should only take a few seconds at most. 0-confirmation transactions or payment channels can solve that problem for coins with a block chain. It would be better though if the real transactions would be fast.

Blockless blockchain is possible, but locks are necessary to reduce transaction size. If that was not there, each transaction will take all the data with it and it will be bloated soon.

I don't know but it sounds like a dangerous risk. And even if that wasn't a problem, there would still be the problem of having to rely on third party authorities. Even if only one big trusted authority was used, like VeriSign, there would be the problem of only "elite" nodes being able to operate since the big trusted authority would have monopoly on certificates and could demand obscene amounts of money for licenses. And even with healthy competition among several certificate providers they would have to charge quite a lot of money anyway since they would need to have rigorous control procedures for those who they sold licenses to. And personally I wouldn't even trust a big so-called "trusted" central authority, at least not for a system that's meant to remain robust for centuries.

There have been a few occasions when a trusted CA certificates were compromised and had to be revoked by all browsers. Would that compromise a coins security if it was dependent on CAs?

As I expected, a distributed hash table can be messed up by mischievous nodes. Kademlia is an ordinary DHT and it must be modified for security in ways like:

"The proposed KadS network is almost identical to the Kademlia network, i.e. it consists of the described RPCs and implements the same XOR metric. The major extension to the protocol is that every node is equipped with a public/private key-pair signed by a trusted CA. This extends the normal Kademlia network to a public key infrastructure (PKI) in which every communication is encrypted, every node can be trusted and only verified nodes can participate in the network." -- http://blog.philippheckel.com/2009/03/16/kads-a-secure-version-of-the-kademlia-protocol/

That's inadequate since it means trust and third party authorities. By using unique coin IDs and digital signatures for both minting and transactions, the double spend and counterfeit problems are solved, yet the problem of ensuring consistent data in the DHT remains to be solved. (The coins in my proposal are minted by a central authority but after having been minted the coins are fully decentralized and peer-to-peer.)

In my proposal each coin has a unique ID in the distributed hash table. That prevents double spending since there can only be one owner for each coin. The problem is how to ensure that the data in the DHT is consistent. Or is a DHT automatically always consistent? I guess I need to learn more about DHTs.

Yes, safecoin uses a delegated trust model, which only serves to "re-centralize" the system.  This is precisely what we would seek to avoid, for many good reasons.

Maybe we could use something that can logically assert the passage of time, independent of any one peer's notion of it, like an extract-able hash prefix collision puzzle, scaled continuously to match the resources put toward it so as to consistently keep a set pace.  Maybe we could avoid double spending by having this puzzle be directly interdependent with transaction selection, and linearly dependent on each prior instance of the puzzle.  Maybe we could reach consensus about transaction selection based on some simple rules related to management of an in-memory cache of pending transactions at each node.

Maybe there "just isn't" any alternative. Maybe any design meeting the same goals (like using some weighted modular lottery biased by account balances (PoStake) or some pre-coordinated signers' roster (PoActivity)) will actually be entirely isomorphic to what I've just described.

Maybe anything that is not isomorphic to this inherently has the wrong security assurances.

Yes, it sounds like you are well on your way to reinventing the block-chain.  Enjoy the journey, it is quite a scenic road to walk!  

Safecoin handles it in this way:

"A separate persona, the TransactionManager, is proposed to handle all the token-related transactions. A TransactionManager group will be a trusted group of nodes which are closest to any given transaction identity. ... The PUT request for safecoin is "no duplication allowed", i.e. if there is already a safecoin data having same name (first 32 bits), the new put request shall be rejected." -- http://maidsafe.net/SystemDocs/user_perspective/safecoin.html

The part "trusted group of nodes" sounds shaky. Coins using a block chain are trustless. My idea of a currency without a block chain is that it should be trustless. It could however be that "trusted group of nodes" is a trust based on cryptography or something like that. Then Safecoin is trustless too.

Ok, a distributed real-time server could be tricky to develop, but if we assume it's possible, then each 5-second block of transactions would prevent double spending since all transactions in the block are checked for double spending. How to reach consensus for what transactions should be included may be problematic although that too could perhaps be possible to solve.

It certainly could.  The block-chain *is* that distributed time server, this is the very function it serves.  (We have no other proven design for such a beast.  )


It is not so simple. Sybil could just overwhelm and warp the median, for example.


The definition of "committed" becomes very problematic, here.  This is concerning because this committal is strictly necessary as part of avoiding double spends.  Without the proof chain securing consensus over a full history you end up in some messy situations.  In any case you need "someone" to select and order transaction sequences *before* consensus is reached, and consensus has to be reached in a way that precludes re-selecting or re-ordering those transactions in the process, or after the fact, by any party.  Further, you need to do so in a way that reaches at least a "50% + 1" security threshold in order to be able to assert majority consensus, which is much more difficult than it might initially seem.  Most (arguably "all") DHT structures fall to only 1/3 collusion, in the best of cases.  Bitcoin was the first p2p network to demonstrate any security threshold above this norm.