Tuesday, March 6, 2018

Techno-hype part 2.5

Last November I wrote Techno-hype part 2 on cryptocurrencies and blockchains, reviewing David Gerard's excellent book Attack of the 50 Foot Blockchain: Bitcoin, Blockchain, Ethereum & Smart Contracts. A lot has happened since, so it's time for an update. Below the fold, I look at three examples of how far these technologies are from being "ready for prime time":
  • The Lightning Network, which is supposed to allow Bitcoin to scale to billions of transactions.
  • IOTA, which is supposed to be a blockchain capable of supporting the Internet of Things.
  • Ethereum, which is supposed to be the infrastructure for "smart contracts".

Lightning Network

Satoshi Nakamoto's release note for Bitcoin 0.1 critiques conventional currency:
The root problem with conventional currency is all the trust that's required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust. Banks must be trusted to hold our money and transfer it electronically, but they lend it out in waves of credit bubbles with barely a fraction in reserve. We have to trust them with our privacy, trust them not to let identity thieves drain our accounts. Their massive overhead costs make micropayments impossible.
David Gerard sums up the failure of Bitcoin:
Bitcoin failed at every one of Nakamoto's aspirations here. The price is ridiculously volatile and has had multiple bubbles; the unregulated exchanges (with no central bank backing) front-run their customers, paint the tape to manipulate the price, and are hacked or just steal their users' funds; and transaction fees and the unreliability of transactions make micropayments completely unfeasible.
After Bitcoin's "governance" mechanisms failed to address even the most pressing of these, the cost and unreliability of transactions, the Lightning Network (LN) was proposed. It is a layer on top of the Bitcoin network whose goal is to move most transactions off the Bitcoin blockchain, and thus presumably to make them cheaper and faster.

In February Timothy B. Lee at Ars Technica posted Bitcoin has a huge scaling problem—Lightning could be the solution. It starts:
Lightning payments are expected to be faster, cheaper, and more private than conventional bitcoin payments. Proponents see Lightning as a new, second layer in the bitcoin software stack. They hope Lightning will expand the appeal of bitcoin in much the same way the Web helped the Internet go mainstream.

The key ideas behind Lightning were proposed by Joseph Poon and Thaddeus Dryja in a 2015 white paper, but it's taken three years to translate the proposal into fully working code. Today, three different companies—San Francisco startups Blockstream and Lightning Labs and Paris startup ACINQ—are working on parallel implementations of the Lightning technology stack. The trio released version 1.0 of the Lightning specification in December, and the companies are now racing to get their software ready for use by the general public.
The basic idea is that any two Bitcoin users, say Alice and Bob, can use the Bitcoin blockchain to set up a payment channel endowed with an amount of Bitcoin from each of them. Messages on the channel can move some of the endowment from Alice to Bob or vice versa without affecting the total endowment as represented on the Bitcoin blockchain. If Alice wants to pay Carol, but doesn't have a channel to Carol, she can send some of her endowment to Bob in the channel she has to him, and hope that Bob has a channel to Carol. If he does, he sends the same amount of his endowment in that channel to Carol. If he doesn't, he can try sending it on one of his other channels in the hope that it will eventually get to Carol.

So the LN needs to do routing. Advocates use the analogy of Internet routing via the Border Gateway Protocol (BGP), to assert that it will work, but there are two problems with this analogy:
  • BGP works in the Internet backbone only because, or rather when, it is a cooperative, high-trust environment. Malign or careless BGP gateways can divert or stop traffic. Incidents of this kind occur frequently, as for example when a Pakistani ISP took down YouTube worldwide. Recovering from them takes cooperation among the gateway operators. The LN needs to operate in an adversarial, low-trust environment. Enhancing BGP security turned out to be a very hard problem. The Bitcoin network suffers BGP hijacks frequently:
    Based on statistical data, researchers say they’ve found that around 100 Bitcoin nodes are the victims of BGP hijacks each month, with the largest number of BGP hijacks happening in November 2015, when 8% of the entire Bitcoin nodes (447 at the time) were the victims of such incidents.
    The Bitcoin network's routing operates in an adversarial environment, so the BGP analogy isn't valid.
  • A transaction can only traverse a channel in the LN if the source end currently has an endowment at least as big as the transaction value. In traversing the channel the transaction decrements the source end's endowment and increments the destination end's endowment. By doing so it decreases the channel's ability to transmit transactions in the same direction, and increases the channel's ability to transmit transactions in the reverse direction. Thus routing in LN is a far more dynamic (read difficult) problem than in the Internet.
Many people have pointed out the difficulty of routing in LN, for example Frances Coppola and Rick Falkvinge. In fact, the routing problem in LN is so hard that the developers have punted on it. The current LN RFC states:
The route is constructed by the origin node, which knows the public keys of each intermediate node and of the final node. Knowing each node's public key allows the origin node to create a shared secret (using ECDH) for each intermediate node and for the final node. The shared secret is then used to generate a pseudo-random stream of bytes (which is used to obfuscate the packet) and a number of keys (which are used to encrypt the payload and compute the HMACs). The HMACs are then in turn used to ensure the integrity of the packet at each hop.
In other words, the LN uses source routing: the sender needs to know not merely a complete path of nodes to the intended recipient but, since a hop fails if the channel's source end lacks the balance to forward the payment, effectively the current liquidity of each channel along the path. The gossip layer announces only each channel's total capacity, not how that capacity is currently split between its two ends. To say "this does not scale" in a scaled-up, decentralized network is an epic understatement. It can work only if all users have channels to one or more of a small number of large "payment hubs" which each have channels to all the other "payment hubs" with large endowments in each channel. A more suitable name for these hubs is "banks". In that case the sender needs to know the public keys for their bank, the recipient's bank, and the recipient. Sounds a lot like the current banking system, doesn't it?
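
The channel mechanics and the routing constraint described above, as an added example (this is not code from any Lightning implementation or from the Lightning RFC). It models only what the text describes: a channel's endowment is fixed when it is opened and split into two directional balances, a payment can cross a hop only if the source end currently holds what must be forwarded, each crossing shifts balance from one end to the other, and fees are charged per hop. The node names, amounts and fees are made up for the illustration.

```python
"""Toy model of Lightning-style source routing over liquidity-constrained
payment channels (added example; not code from any Lightning implementation).
"""
import heapq
from collections import defaultdict


class ChannelGraph:
    def __init__(self):
        self.balance = {}      # balance[(a, b)]: what a can currently send towards b
        self.fee = {}          # fee[(a, b)]: flat fee a keeps for forwarding over (a, b)
        self.neighbours = defaultdict(set)

    def open_channel(self, a, b, a_funds, b_funds, fee_a=1, fee_b=1):
        """The funding transaction fixes both endowments on the base chain."""
        self.balance[(a, b)], self.balance[(b, a)] = a_funds, b_funds
        self.fee[(a, b)], self.fee[(b, a)] = fee_a, fee_b
        self.neighbours[a].add(b)
        self.neighbours[b].add(a)

    def capacity(self, a, b):
        """Total endowment, the figure visible from the base chain and gossip;
        it does not change while the channel is open."""
        return self.balance[(a, b)] + self.balance[(b, a)]

    def find_route(self, src, dst, amount):
        """The origin node computes the whole path. Dijkstra backwards from dst
        on the amount that must arrive at each node: hop (p, n) is usable only
        if p's current balance towards n covers that amount. Returns
        (path, amounts) with amounts[i] crossing hop i, or None."""
        needed = {dst: amount}
        next_hop = {}
        frontier = [(amount, dst)]
        while frontier:
            need_n, n = heapq.heappop(frontier)
            if need_n > needed[n]:
                continue
            if n == src:
                path = [src]
                while path[-1] != dst:
                    path.append(next_hop[path[-1]])
                return path, [needed[x] for x in path[1:]]
            for p in self.neighbours[n]:
                if self.balance[(p, n)] < need_n:
                    continue     # balance, not capacity, decides
                # p forwards need_n over (p, n) and keeps its fee; the sender
                # charges itself nothing.
                need_p = need_n + (0 if p == src else self.fee[(p, n)])
                if need_p < needed.get(p, float("inf")):
                    needed[p] = need_p
                    next_hop[p] = n
                    heapq.heappush(frontier, (need_p, p))
        return None

    def pay(self, src, dst, amount):
        """Settle a payment along the computed route: every hop moves the
        forwarded amount from the source end to the destination end, so the
        channel can carry less in this direction and more in the reverse one.
        Returns (path, amounts) or None when no route has the liquidity."""
        route = self.find_route(src, dst, amount)
        if route is None:
            return None
        path, amounts = route
        for (p, n), crossing in zip(zip(path, path[1:]), amounts):
            self.balance[(p, n)] -= crossing
            self.balance[(n, p)] += crossing
        return route


def demo():
    g = ChannelGraph()
    g.open_channel("alice", "bob", 50, 0)
    g.open_channel("bob", "carol", 30, 30)
    g.open_channel("alice", "dave", 20, 20)
    g.open_channel("dave", "carol", 30, 0)
    first = g.pay("alice", "carol", 25)    # via bob: alice sends 26, bob forwards 25
    second = g.pay("alice", "carol", 25)   # None: bob->carol has 5 left, alice->dave only 20
    caps = (g.capacity("alice", "bob"), g.capacity("alice", "dave"))  # still (50, 40)
    back = g.pay("carol", "alice", 25)     # the reverse direction now has liquidity
    third = g.pay("alice", "carol", 25)    # and the forward direction works again
    return first, second, caps, back, third


if __name__ == "__main__":
    for label, result in zip(("first", "second", "capacities", "back", "third"), demo()):
        print(label, result)
```

The second payment fails even though every channel's capacity, the only figure the gossip layer publishes, is larger than the payment: Bob's end of the Bob-Carol channel has been drained by the first payment and Alice's end of the Alice-Dave channel was never large enough. Only a payment in the opposite direction restores the route, which is why an origin node that sees capacities but not balances cannot know in advance whether its route will work.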

Timothy B. Lee points out the likelihood of centralization:
One of the biggest debates about Lightning is what structure the mature Lightning network will have. Advocates envision a decentralized global network with many small and medium-sized entities helping to shuttle bitcoins around.

Critics predict that the mature Lightning network will have a simpler topology: that it will be dominated by a few big providers that become "hubs" for Lightning payments. They expect that most users will be customers of a single hub, and that most payments will only pass through one or two intermediaries. In other words, the mature Lightning payment industry might wind up looking a lot like the conventional banking system.
But for a financial rather than technical reason:
Matthew Green, a computer scientist at Johns Hopkins University, argues that this is partly a consequence of the issue we pointed out in the previous section: running a Lightning node is risky. As a result, intermediaries will demand significant payment to help people transfer money.

Lightning fees are per-hop, so shorter payment chains will require smaller fees than longer ones. Green argues that this means hubs with many connections will have an advantage over hubs with smaller numbers of connections. Over time, he predicts, the Lightning network will become more and more concentrated.
Once again, Economies of Scale in Peer-to-Peer Networks turns out to have been prophetic, and the P2P network will evolve to be effectively centralized.

IOTA

IOTA is based on a really interesting idea. Instead of building a linear chain of blocks of transactions, in which a block validates every preceding block and thus every preceding transaction, each IOTA transaction validates two randomly selected preceding transactions. Thus it constructs a Directed Acyclic Graph of transactions. By doing so it eliminates the need for miners, which each have to store a copy of the entire chain. IOTA is intended for IoT devices, which have limited storage and compute resources.
Last December, Mike Orcutt at MIT Technology Review wrote A Cryptocurrency Without a Blockchain Has Been Built to Outperform Bitcoin:
Though IOTA tokens can be used like any other cryptocurrency, the protocol was designed specifically for use on connected devices, says cofounder David Sønstebø. Organizations collect huge amounts of data from these gadgets, from weather tracking systems to sensors that monitor the performance of industrial machinery (a.k.a. the Internet of things). But nearly all of that information is wasted, sitting in siloed databases and not making money for its owners, says Sønstebø.

IOTA’s system can address this in two ways, he says. First, it can assure the integrity of this data by securing it in a tamper-proof decentralized ledger. Second, it enables fee-less transactions between the owners of the data and anyone who wants to buy it—and there are plenty of companies that want to get their hands on data.
But already the previous September, Nick Johnson had written Why I find Iota deeply alarming listing four concerns:
  • Iota shows a lack of good technical judgement: because it uses balanced ternary numbers "Iota is by necessity built to run on existing hardware, which is exclusively binary, as are the communication networks it uses. As a result, all of its internal ternary notation has to be encapsulated in binary, resulting in significant storage and computational overhead."
  • Iota disregards cryptographic best-practices: "Iota’s novel choice of numeral system also requires them to reinvent basic operations such as cryptographic hashing. This violates rule 1 of cryptography: don’t roll your own crypto. The predictable result of this has already been demonstrated, with a team led by Neha Narula demonstrating a number of significant vulnerabilities in Iota’s hash function, Curl."
  • Iota is a bad actor in the open source community: "Sergey Ivancheglo, Iota’s cofounder, claims that the flaws in the Curl hash function were in fact deliberate; that they were inserted as ‘copy protection’, to prevent copycat projects, and to allow the Iota team to compromise those projects if they sprang up."
  • Iota’s integrity guarantees lack rigor: "unlike blockchain-based systems such as Ethereum and Bitcoin, the difficulty of the proof of work is not adaptive. This means that the security of the tangle directly depends on the number of transactions being processed, and that there is no way to adapt the security level to real-world conditions. Ethereum and Bitcoin gain their game-theoretical soundness from the financial reward given to miners, and the guarantees this creates that an attacker must have more hash power at their disposal than all the honest actors combined. Iota lacks such a guarantee, and I’m unaware of any robust proof that Iota is secure against these sorts of 51% attacks."
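
The DAG structure described above, and Johnson's point about the non-adaptive proof of work, as an added example (this is not IOTA's code). It uses SHA-256 rather than IOTA's ternary Curl hash, picks the two approved transactions uniformly from a short window of recent transactions (a stand-in for tip selection under network latency, not IOTA's tip-selection algorithm) and uses a tiny fixed PoW target so it runs in well under a second. It shows two things: each transaction commits to two earlier ones, so tampering with an ancestor invalidates every descendant; and because the PoW per transaction never adapts, the work sitting on top of a transaction is simply a count of later transactions, so it grows with throughput rather than with a difficulty adjustment.

```python
"""Toy hash-linked transaction DAG ("tangle") with a fixed proof-of-work
target (added example; not IOTA's code, SHA-256 instead of Curl)."""
import hashlib
import random

POW_PREFIX = "00"   # fixed target: hash must begin with 8 zero bits; never adjusted


def tx_hash(parents, payload, nonce):
    data = "|".join(parents) + "|" + payload + "|" + str(nonce)
    return hashlib.sha256(data.encode()).hexdigest()


def mine(parents, payload):
    """Search for a nonce meeting the fixed target; the expected cost is the
    same for every transaction regardless of network load."""
    nonce = 0
    while True:
        h = tx_hash(parents, payload, nonce)
        if h.startswith(POW_PREFIX):
            return {"parents": tuple(parents), "payload": payload,
                    "nonce": nonce, "hash": h}
        nonce += 1


class Tangle:
    def __init__(self, window=6, seed=1):
        self.rng = random.Random(seed)
        self.window = window
        genesis = mine([], "genesis")
        self.txs = {genesis["hash"]: genesis}
        self.order = [genesis["hash"]]          # arrival order

    def add(self, payload):
        """Approve two transactions chosen from the most recent `window`
        (a simplification of tip selection under propagation delay)."""
        recent = self.order[-self.window:]
        parents = sorted(self.rng.sample(recent, min(2, len(recent))))
        tx = mine(parents, payload)
        self.txs[tx["hash"]] = tx
        self.order.append(tx["hash"])
        return tx["hash"]

    def verify(self, h, _seen=None):
        """Valid iff the stored contents hash to h, h meets the PoW target,
        and every ancestor is valid; memoised so the DAG is walked once."""
        seen = {} if _seen is None else _seen
        if h in seen:
            return seen[h]
        tx = self.txs.get(h)
        ok = (tx is not None
              and tx_hash(tx["parents"], tx["payload"], tx["nonce"]) == h
              and h.startswith(POW_PREFIX)
              and all(self.verify(p, seen) for p in tx["parents"]))
        seen[h] = ok
        return ok

    def cumulative_weight(self, h):
        """h plus every transaction that directly or indirectly approves it.
        With a fixed PoW per transaction this count is proportional to the
        work an attacker must redo to orphan h."""
        approvers = {k: set() for k in self.txs}
        for k, tx in self.txs.items():
            for p in tx["parents"]:
                approvers[p].add(k)
        seen, stack = set(), [h]
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(approvers[cur])
        return len(seen)


def demo(later=40):
    t = Tangle()
    genesis = t.order[0]
    target = t.add("sensor reading")            # constructed payload
    for i in range(later):
        t.add("reading %d" % i)
    result = {
        "all_valid": all(t.verify(h) for h in t.order),
        "weight_genesis": t.cumulative_weight(genesis),   # later + 2
        "weight_target": t.cumulative_weight(target),     # later + 1
    }
    t.txs[target]["payload"] = "sensor reading (altered)"   # tamper with an ancestor
    result["latest_valid_after_tamper"] = t.verify(t.order[-1])   # False
    result["genesis_valid_after_tamper"] = t.verify(genesis)      # True
    return result
```

The tamper-evidence is the same hash-chaining property a blockchain has, only over two parents instead of one. The security difference is in `cumulative_weight`: in a blockchain the difficulty adjustment keeps the honest work per unit time roughly constant however busy the chain is, whereas here the work that protects a transaction after ten minutes is just however many transactions happened to arrive in those ten minutes, each carrying the same fixed PoW.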
Nicholas Weaver of UC Berkeley was scathing but brief on Twitter:
The cryptocurrency space is insane #10173: IOTA, $5B market cap, is not even a distributed system (it depends on a central arbitrator) and is written by drooling idiots who somehow think trinary math, 10kB messages, and roll-your-own crypto is a good idea. WTF?!?
Casey Rodarmor provided a list of a dozen significant problems in IOTA: The Brave Little Toaster That Couldn’t. The first was:
IOTA is fully centralized. All IOTA transactions must be approved by a server run by The IOTA Foundation called "The Coordinator".

The Coordinator exists to prevent denial-of-service attacks and double spends. The IOTA Foundation claims that at some point the coordinator can be phased out, but these claims are not credible due to the intractable nature of these issues.

Since all transactions must be approved by a single server, run by a single entity, IOTA is not decentralized. Additionally, The Coordinator is a single point of failure, and has been shut down intentionally by The IOTA Foundation to halt activity on the network.

The source code of The Coordinator has not been released, making it impossible to audit it for vulnerabilities, correctness, or fairness.
Andreas Brekken tried to install an IOTA client and use it, writing up his experience in IOTA: Cannot be used for IoT. Loss of funds may occur:
As of writing this IOTA has a market cap of $6.6 billion dollars.
The usual caveats about believing the "market cap" of a cryptocurrency apply. The saga of Andreas' tribulations is a must-read, and he concludes:
IOTA is the worst cryptocurrency I’ve reviewed so far. Installing the IOTA wallet was a pain. Receiving and sending IOTA tokens is technically challenging and time consuming. Address reuse can lead to loss of funds. There is no functional IOTA mobile wallet. There is no IOTA hardware wallet support.

But most importantly it is very clear that IOTA cannot be used on Internet-of-Things devices, the problem it markets itself as solving! How can a smart lightbulb or drone stay in sync with a “tangle” that requires vast amounts of CPU cores, RAM, and network bandwidth to stay in sync with?

Ethereum

Unlike the LN and IOTA, Ethereum has been live since mid-2015, long enough to have suffered a number of major security problems. The first was the DAO heist, leading to a hard fork, and the latest, last week, was described by Dan Goodin in Ethereum fixes serious “eclipse” flaw that could be exploited by any kid. It was an "eclipse attack":
So-called eclipse attacks work by preventing a cryptocurrency user from connecting to honest peers. Attacker-controlled peers then feed the target a manipulated version of the blockchain the entire currency community relies on to reconcile transactions and enforce contractual obligations.
It wasn't the first viable eclipse attack:
In 2015 and again in 2016, separate research teams devised eclipse attacks against Bitcoin that exploited P2P weaknesses. Both were relatively hard to pull off. The 2015 attack required a botnet or a small ISP that controlled thousands of devices, while the 2016 attack relied on the control of huge chunks of Internet addresses through a technique known as border gateway protocol hijacking. The demands made it likely that both attacks could be carried out only by sophisticated and well-resourced hackers.
But this one needed minimal resources:
We present new eclipse attacks showing that, prior to the disclosure of this work in January 2018, Ethereum's peer-to-peer network was significantly less secure than that of Bitcoin. Our eclipse attackers need only control two machines, each with only a single IP address. The attacks are off-path: the attacker controls endhosts only and does not occupy a privileged position between the victim and the rest of the Ethereum network. ... our attacks can be run by any kid with a machine and a script.
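
Why two machines can be enough, as an added example (this is not code from any Ethereum client and does not reproduce the attack in the paper quoted above). It models a generic node that fills a fixed number of outbound connection slots by sampling its peer table at random, which is the situation an eclipse attacker exploits: flood the table with attacker-controlled entries and the victim may connect to nothing else. All the numbers (slot count, table sizes, address ranges) are assumptions, and the per-address cap is shown as the generic countermeasure a practitioner would check for, not as a description of the actual fix.

```python
"""How cheap peer identities turn an eclipse attack into a numbers game
(added example; generic model, not any client's peer-selection code)."""
from math import comb


def eclipse_probability(honest, attacker, slots):
    """Probability that every one of `slots` peers drawn without replacement
    from a table of honest + attacker entries is attacker-controlled
    (hypergeometric: C(attacker, slots) / C(honest + attacker, slots))."""
    total = honest + attacker
    if slots > total:
        raise ValueError("more slots than peers")
    return comb(attacker, slots) / comb(total, slots)


def expected_attacker_slots(honest, attacker, slots):
    """Mean number of attacker-controlled connections."""
    return slots * attacker / (honest + attacker)


def admit_with_ip_cap(entries, cap):
    """Peer-table admission rule: keep at most `cap` entries per IP address,
    so an identity has to be backed by an address rather than by a cheaply
    generated node ID. `entries` is a list of (node_id, ip); returns the
    retained entries in arrival order."""
    kept, per_ip = [], {}
    for node_id, ip in entries:
        if per_ip.get(ip, 0) < cap:
            per_ip[ip] = per_ip.get(ip, 0) + 1
            kept.append((node_id, ip))
    return kept


def scenario(honest_nodes=200, attacker_ips=2, ids_per_ip=1000, slots=13, cap=1):
    """Constructed peer table: honest nodes on distinct documentation-range
    addresses, plus `attacker_ips` machines each advertising `ids_per_ip`
    node identities (the two-machine setting quoted in the text)."""
    table = [("honest-%d" % i, "198.51.100.%d" % i) for i in range(honest_nodes)]
    table += [("evil-%d-%d" % (m, j), "203.0.113.%d" % m)
              for m in range(attacker_ips) for j in range(ids_per_ip)]
    attacker_ids = attacker_ips * ids_per_ip
    kept = admit_with_ip_cap(table, cap)
    attacker_kept = sum(ip.startswith("203.0.113.") for _, ip in kept)
    return {
        "p_eclipse_by_identity": eclipse_probability(honest_nodes, attacker_ids, slots),
        "attacker_slots_by_identity": expected_attacker_slots(honest_nodes, attacker_ids, slots),
        "attacker_entries_after_cap": attacker_kept,
        "p_eclipse_with_cap": eclipse_probability(honest_nodes, attacker_kept, slots),
        "attacker_slots_with_cap": expected_attacker_slots(honest_nodes, attacker_kept, slots),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

With identities counted rather than addresses, two machines minting a thousand node IDs each have roughly a 29% chance of taking all thirteen slots on any given restart and hold almost twelve of them on average; with one table entry per address the same two machines can never fill thirteen slots, so the probability of a complete eclipse is exactly zero. The general lesson is that any P2P layer whose Sybil resistance rests on identities the attacker can generate for free has none.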
Lior Messika and Noam Levenson's Blockchain Platforms: One Chain to rule them all? is subtitled "Everyone asks: is the world ready for Blockchain? But more importantly, is Blockchain ready for us?". They:
don’t believe that today’s focus should revolve around whether or not Bitcoin will still be around a few years from now. A more intriguing question is: “how will blockchain really change the world?” And even that question fails to consider whether the blockchains we have today can actually support these world changing applications.
They are skeptical, pointing for example to:
Cryptokitties’ popularity exploded in early December and had the Ethereum network gasping for air. With a 465% increase in average transaction price between November 28 and December 12, this specific stretch of time was a definitive moment for the world of Blockchain. A limping and congested Ethereum network started to look a lot like an impossible dream in the eyes of some. Could the hype have been misplaced? Could Ethereum not be the ultimate solution for a truly decentralised world, for an “Internet 3.0”? The discussion shifted away from speculative fantasy towards whether or not Ethereum could really be a herald for the new world. ... We saw quite clearly that the platform with the most proposed theoretical application ... had no real way of implementing any of it on a large scale.
They discuss Ethereum's proposed fix, changing the basis for consensus from Ethereum's and Bitcoin's Proof of Work (PoW) to:
Proof of Stake works similarly to PoW except that instead of computers validating the network and receiving rewards equivalent to their relative computing power, PoS uses token holders. Those who hold tokens can “stake” their tokens (staking means to temporarily place the tokens in a locked smart contract — until staking is over) and in exchange, confirm transactions and receive rewards based on the relative number of tokens held. In PoW, if you operate 5% of the total computing power of the network, you can expect to get 5% of the block rewards. In PoS, if you own 5% of tokens, you can also expect to receive 5% of block rewards.
Proof of Stake sounds great:
With Ethereum, you could conceivably purchase enough computing hardware to achieve a 51% attack; even after compromising the network, you would still have all of that hardware and could potentially use it to attack other PoW platforms. With PoS, because you must stake your coins, any malicious behavior results in the loss of all staked coins. So if you bought 51% of all tokens, you would immediately lose your substantial investment. In addition, the costs of purchasing 51% of the network tokens are equal for everyone. The costs of obtaining 51% of computer power — due to discounts for mass computer purchases and countries with extremely cheap electricity — are not.
But there seem to me to be a number of problems with PoS. One of David Gerard's observations about cryptocurrencies was:
Bitcoin was substantially mined early on - early adopters have most of the coins. The design was such that early users would get vastly better rewards than later users for the same effort.
Satoshi Nakamoto mined (but has never used) nearly 5% of all the Bitcoin there will ever be, a stash now notionally worth $7.5B. The distribution of notional Bitcoin wealth is highly skewed:
a Citigroup analysis from early 2014 notes: "47 individuals hold about 30 percent, another 900 hold a further 20%, the next 10,000 about 25% and another million about 20%".
The same is likely true of Ether, the Ethereum currency which has:
11.9 million coins "premined" for the crowdsale. This accounts for approximately 13 percent of the total circulating supply.
The individuals who are defining the PoS mechanism, and defining what "malicious behavior" consists of, are all early adopters with large potential stakes they can use to dominate the PoS process. They will thus garner most of the PoS reward, which will reinforce their domination of the process.

If Bitcoin had adopted PoS in 2014, fewer than 1,000 individuals could have controlled the blockchain. As large HODLers of the currency, they would have had a strong incentive to inflate its value. It could be argued that this would be less centralized than the actual situation, in which fewer than 10 individuals controlling large mining pools dominate the Bitcoin blockchain.

Once PoS is implemented it will, of course, be the HODLers choice whether or not to stake some or all of their ETH and reap the reward. The large HODLers will be much more motivated to lock up their holdings in this way, which will increase their advantage over the small holders.
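
The two claims above, worked through as an added example (this is not code from any of the sources quoted). First, from the Citigroup holding distribution quoted earlier (47 holders with about 30% of the supply, 900 with 20%, 10,000 with 25%, a million with 20%; the remaining 5% is assumed to be spread thinly over everyone else), it computes the smallest number of holders, richest first, whose combined stake exceeds half. Second, it simulates compounding staking rewards when the fraction of holdings actually staked differs by holder size; the participation rates and the reward rate are assumptions chosen only to show the direction of the drift, and a control run with equal participation shows that the drift comes from the participation gap, not from the reward rule itself.

```python
"""Who controls a proof-of-stake chain, on the page's own distribution figures
(added example; the last tier, participation rates and reward rate are assumed).
"""
from fractions import Fraction

# (label, number of holders, share of supply); the last tier is an assumption
TIERS = [
    ("top 47", 47, Fraction(30, 100)),
    ("next 900", 900, Fraction(20, 100)),
    ("next 10,000", 10_000, Fraction(25, 100)),
    ("next million", 1_000_000, Fraction(20, 100)),
    ("everyone else", 10_000_000, Fraction(5, 100)),
]


def majority_coalition(tiers, threshold=Fraction(1, 2)):
    """Smallest number of holders, taken richest first, whose combined stake
    strictly exceeds `threshold` of the supply (exact rational arithmetic)."""
    per_holder = sorted(((share / n, n) for _, n, share in tiers), reverse=True)
    total, count = Fraction(0), 0
    for each, n in per_holder:
        if total + each * n > threshold:
            # only part of this tier is needed: k holders with total + k*each > threshold
            return count + int((threshold - total) / each) + 1
        total += each * n
        count += n
    raise ValueError("threshold never exceeded")


def simulate_staking(shares, participation, reward_rate=0.005, epochs=100):
    """Each epoch mints `reward_rate` of the supply and pays it to stakers in
    proportion to what they staked (the 5%-of-tokens-gets-5%-of-rewards rule
    quoted above, applied to staked rather than merely held tokens). Returns
    each tier's share of supply after `epochs`."""
    shares = list(shares)
    for _ in range(epochs):
        staked = [s * p for s, p in zip(shares, participation)]
        total_staked = sum(staked)
        shares = [(s + reward_rate * st / total_staked) / (1 + reward_rate)
                  for s, st in zip(shares, staked)]
    return shares


def demo():
    initial = [float(share) for _, _, share in TIERS]
    # assumed: the largest holders stake most of what they hold, the smallest barely any
    unequal = [0.9, 0.7, 0.3, 0.05, 0.05]
    final = simulate_staking(initial, unequal)
    # control: when everyone stakes the same fraction, shares do not move
    control = simulate_staking(initial, [0.5] * len(initial))
    return {
        "coalition": majority_coalition(TIERS),            # 948 holders
        "top_initial": initial[0],
        "top_final": final[0],
        "million_initial": initial[3],
        "million_final": final[3],
        "final": final,
        "equal_drift": max(abs(a - b) for a, b in zip(initial, control)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the quoted figures the 47 largest holders plus the next 900 hold exactly half, so 948 holders suffice for a majority, consistent with the "fewer than 1,000" above. The simulation shows that proportional rewards on their own are neutral (the control run leaves every share unchanged to floating-point precision); it is the difference in willingness to lock up funds that moves supply towards the top tier, epoch after epoch.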

Once again, Economies of Scale in Peer-to-Peer Networks turns out to have been prophetic, and the P2P network will evolve to be effectively centralized.


David. said...

Bram Cohen's EE380 talk Stopping grinding attacks in proofs of space at about 9:20 makes the same centralization argument against Proof of Stake as I did, plus others.

David. said...

In 'Blockchain' is meaningless, Adrianne Jeffries quotes Prof. Victoria Lemieux of UBC:

"Lemieux is also well-acquainted with misconceptions about the capabilities of blockchains. “The concept of trustworthiness — at least from an archival science perspective — goes far beyond what the blockchain can do, or even promises to do, in most cases,” she said. This idea implies that records are accurate, “which is not something typically in scope of a good number of blockchain solutions” and exaggerates their reliability, which is an “issue if you have poorly written smart contracts or novel and untested consensus algorithms.” It also exaggerates claims of authenticity, which relies on the robustness of whatever identity system is paired with the blockchain. “Finally, immutability implies permanence, and there’s no guarantee that ledger records created and kept on chain will last, even with lots of copies around, because of technological obsolescence and the fact that incentives to keep the system going may die off after a time,” she said."

The whole piece is worth reading.

David. said...

Tom Simonite at Wired writes The Decentralized Internet Is Here, With Some Glitches:

"David Pakman, a partner with venture firm Venrock, ... argues that decentralized apps will soon have more to offer. New platforms begin by trying to emulate old ones but take off when people create new services that were previously unimaginable, he says.

It's a convenient way to avoid being pinned down on just what the decentralized web will be good for. ... Finding the killer apps of the decentralized internet will take more time, people, and money than have been thrown at the problem so far."

David. said...

Blockchain Inefficiency in the Bitcoin Peers Network shows that:

"43% of the transactions are still not included in the Blockchain after 1h from the first time they were seen in the network and 20% of the transactions are still not included in the Blockchain after 30 days, revealing therefore great inefficiency in the Bitcoin system. However, we observe that most of these `forgotten' transactions have low values and in terms of transferred value the system is less inefficient with 93% of the transactions value being included into the Blockchain within 3h."

But figures 7 & 8 show that the relationship between value and speed of inclusion is not close; with some low value transactions included quickly and some high value transactions taking a long time. Note that "value" does not necessarily relate to "fee".

David. said...

"Wall Street has been much more excited about the system underpinning bitcoin than the cryptocurrency itself, but the global financial industry has not yet been able to do much with the technology known as blockchain.

Reuters has found several blockchain projects launched by major financial institutions that have been shelved, as development of the technology enters a hype-meets-reality phase." via the New York Times. The hype is wearing off.

David. said...

"In further good news for Bitcoin, Reddit isn’t taking Bitcoin for Reddit Gold, its paid membership programme, any more. Apparently this is because Coinbase are deprecating their old merchant accounts for a new system that involves the merchant holding crypto balances on Coinbase, rather than converting it straight to actual money for you." reports David Gerard. Cryptocurrency slowly but surely becoming the Roach Motel of money.

David. said...

Jemima Kelly's FUD, inglorious FUD, in Alphaville's Someone is wrong on the Internet series takes on the wrongness of the IOTA team's response to criticism. For example:

"IOTA's “troll army” - which is how its team of online disciples is often referred to as - have scared off some people enough for them not to want to speak out. Two people we asked to speak to for this story told us they didn't want to because they were worried about the consequences of doing so. One was worried about being threatened with physical harm.

Tim Swanson, founder of tech consultancy Post Oak Labs and a leading authority in the space, told us he undid a retweet of a story that was mildly critical of IOTA because he felt intimidated by Skype messages from a senior person from the IOTA team that were sent after sharing the article."

David. said...

More on the cult-like behavior of IOTA fans including an edit war over IOTA's Wikipedia page, and this:

"UCL Centre for Blockchain Technologies is no longer associated with the IOTA Foundation.
In relation to recent news report, we reaffirm our support for open security research, as a prerequisite for understanding the assurances provided by any blockchain technology. It is inappropriate for security researchers to be subject to threats of legal action for disclosing their results"

David. said...

"What the crypto bros -- and the broader tech industry -- don't seem to have grasped is that journalism is not advertising. In fact it is the exact opposite of that.

As the late William Randolph Hearst liked to say (in an adage he most likely did not coin):

Journalism is printing what someone else does not want printed: everything else in public relations. "

From Jemima Kelly's Hey crypto bros! Journalism ≠ advertising, which is a must-read take-down of pay-for-play journalism in tech and cryptocurrencies in particular.

David. said...

"[David Gerard] found out the name of the routing problem the Lightning Network has to solve, to get money from arbitrary person A to arbitrary person B across a mesh of unknown connections of varying usability (liquidity) — the Canadian Traveller Problem. Finding the best path is PSPACE-complete."

So the Lightning developers were right to punt on the routing problem (see above). But punting means the Lightning network will definitely be centralized around a small number of "banks". So what exactly is the point?