Questions about DHT, cryptography, and security

Hello! Sorry we’ve let these questions languish.

Two groups of people maintain the list. This is part of the DHT’s ‘fast push, slow heal’ strategy.

  1. On initial publish (fast push), the author spams the authority neighbourhood of the entry. This means that, if they aren’t in the authority neighbourhood themselves, they need to collect the addresses of at least R authorities from the neighbourhood. Then they contact each of them directly and collect the validation certificates. This becomes the initial ‘validation bundle’, which happens to include the mean validation time from the authorities they contacted (which may be useful for validation of future entries). After that, I’m not sure if the author just keeps the validation bundle or republishes it to all of the authorities. I think republishing isn’t necessary because…
  2. During gossiping between authorities (slow heal), they also share their own validation receipts with each other. Eventual consistency means there’s never guaranteed to be a single, authoritative list of validation receipts, especially in a DHT that’s always changing. But the important thing is that, from the perspective of each authority (and the perspective of each node requesting data from that authority), they’ve collected enough information to convince themselves that the data is indeed valid.

So to answer your question, yes the signature aggregation is updated frequently as a natural result of the DHT adapting to current conditions. Each event that causes an authority to give a new piece of data to a neighbour (either by push or by pull) causes that neighbour to produce a validation receipt, which is then gossiped to the original authority and all the other neighbours. FWIU the author won’t get those follow-up receipts, though I could be wrong!

This isn’t included in the TestFuel design, due out for release as I’m speaking, but in the future the validation rules will also say something like “if an agent has spent x amount of HoloFuel without paying x * current_txn_fee to the infrastructure provider account, subsequent transactions are invalid”. Or something like that; it may just be a simple accrual threshold. So all honest agents will do the validation for Holo, relieving us of the need to snoop into other people’s lives unduly. Yes, it is possible that the majority of hosts could decide to run a forked version of HoloFuel that doesn’t involve transaction fees, but they’re kind of killing the goose that lays the golden eggs at that point.

For making sure hosts and app providers are actually transacting, the situation is similar but different. Again, Holo doesn’t want to go snooping into others’ business, but it is a party to every HTTP request because we run the proxy/router between hosts and web users. And it does facilitate the initial introduction between host and user, because it has to know who’s hosting what hApp. I don’t think we can snoop the individual requests to see what hApp they’re for, because they pass TLS-encrypted through our router, but we do know which host it’s being routed to. Anyhow, maybe we’ll be able to run periodic fraud detection on initial host allocation and host routing based on the little we do know, combined with public service logs from each host. But I don’t see how we could build this into validation rules without it becoming pretty heavy.

[EDIT] Oh, I see your later message about Art answering your first question in the AMA. Sorry, just working from the top down! :slight_smile: Hopefully others can read this and gain some benefit from it.

This would be up to the CEX’s developers doing the integration. The way I see it, it would be automatic, managed by a script that the CEX has created and run on their server. (A Holochain DNA doesn’t care who’s talking to it – UI or script is fine, as long as it can talk HTTP, is running on the same machine as the DNA, and has the right credentials.) And yes, I imagine finality time would be longer with large-value transactions split between multiple microtransactions. But in my opinion that reflects the risk and value involved. I can’t speak for traders and whether they’d tolerate that, but HF’s main use case is of course regularly cleared, small value transactions.

HoloFuel’s DNA is currently designed to permit the initiation of multiple pending transactions at the same time. Sort of like a credit card authorize/capture, where funds are held but not withdrawn until the merchant confirms. But as Art says, there is a bottleneck in which each transaction has to be finalised sequentially. I don’t know if the final HoloFuel design will still have that feature, but I don’t think it has much of an impact on finality speed, especially in a CEX where this is likely to be handled automatically.

3 Likes
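The ‘fast push, slow heal’ receipt flow described in the post above, as an added toy model (example code, not Holochain’s implementation). Entry and agent addresses are SHA-256 digests, the authority neighbourhood is the R agents closest to the entry hash under XOR distance, a receipt’s signature is an HMAC stand-in for a real signature, and the names ValidationBundle, push, gossip_round and convinced are this example’s own.

```python
"""
Added illustration of the 'fast push, slow heal' receipt flow described
above. This is example code, not Holochain's implementation: entry and
agent addresses are SHA-256 digests, the authority neighbourhood is the R
agents closest to the entry hash under XOR distance, a receipt's
signature is an HMAC stand-in, and names such as ValidationBundle, push,
gossip_round and convinced are this example's own.
"""
import hashlib
import hmac
import statistics
from dataclasses import dataclass, field

R = 3  # assumed redundancy factor: receipts needed before an entry counts as validated


def addr(data: bytes) -> int:
    """DHT address of some bytes: its SHA-256 digest as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass
class Authority:
    name: str
    secret: bytes            # stand-in for the authority's signing key
    validate_ms: int = 5     # constructed per-authority validation latency
    held: dict = field(default_factory=dict)   # entry_hash -> set of receipts

    @property
    def address(self) -> int:
        return addr(self.name.encode())

    def validate(self, entry_hash: int, entry: bytes) -> tuple:
        """Check the entry against its claimed hash and issue a receipt."""
        if addr(entry) != entry_hash:
            raise ValueError("entry does not match its claimed hash")
        tag = hmac.new(self.secret, entry_hash.to_bytes(32, "big"), "sha256").hexdigest()
        receipt = (self.name, tag, self.validate_ms)
        self.held.setdefault(entry_hash, set()).add(receipt)
        return receipt


def neighbourhood(entry_hash: int, agents: list, r: int = R) -> list:
    """The r agents whose addresses are XOR-closest to the entry hash."""
    return sorted(agents, key=lambda a: a.address ^ entry_hash)[:r]


@dataclass
class ValidationBundle:
    entry_hash: int
    receipts: set
    mean_validation_ms: float


def push(entry: bytes, agents: list, r: int = R) -> ValidationBundle:
    """Fast push: contact R authorities directly and collect their receipts."""
    h = addr(entry)
    receipts = {a.validate(h, entry) for a in neighbourhood(h, agents, r)}
    return ValidationBundle(h, receipts, statistics.mean(rc[2] for rc in receipts))


def gossip_round(agents: list) -> None:
    """Slow heal: every agent shares the receipts it holds with its peers."""
    for a in agents:
        for b in agents:
            if a is not b:
                for h, rs in a.held.items():
                    b.held.setdefault(h, set()).update(rs)


def convinced(agent: Authority, entry_hash: int, r: int = R) -> bool:
    """An authority trusts an entry once it holds at least r distinct receipts."""
    return len(agent.held.get(entry_hash, set())) >= r


if __name__ == "__main__":
    # constructed network of eight agents and one entry
    agents = [Authority(f"agent{i}", bytes([i + 1]) * 16) for i in range(8)]
    bundle = push(b"constructed entry", agents)
    hood = neighbourhood(bundle.entry_hash, agents)
    print("receipts in bundle:", len(bundle.receipts))
    print("before gossip:", [convinced(a, bundle.entry_hash) for a in hood])
    gossip_round(hood)
    print("after gossip:", [convinced(a, bundle.entry_hash) for a in hood])
```

Right after the push, the author’s bundle already holds R receipts, but each authority holds only the one it issued; a single gossip round is what brings every authority in the neighbourhood to the same ‘convinced’ state, which is the eventual-consistency point the post makes. An authority refuses to sign an entry whose bytes do not hash to the claimed address, which is the simplest form of the validation step.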

XMSS
https://tools.ietf.org/html/rfc8391

First… Sorry for the delay @Sol… I haven’t been on top of these forums lately. It looks like @pauldaoust has answered most of them.

But I want to respond to something Paul said above:

I’m not sure why a “majority” has any application here – there’s no useful majority attack on Holochain apps such as HoloFuel. It only takes a single honest node to detect a problem and warrant a cheater. Technically (not necessarily easily), anyone could hack their own node to run a different variant of HoloFuel DNA, but as soon as they do anything which honest/normal/vanilla nodes won’t validate (such as skip paying transaction fees), they’ll be warranted and have forked themselves into a space where no honest nodes (including Holo and Reserve Accounts) will transact with them.

So while they could theoretically do this to their device, they would no longer be able to receive hosting payments, or redeem HoloFuel via reserves, or transact with anyone who wants to also be able to transact with honest nodes (such as whatever kinds of exchanges emerge). And once a host’s key is warranted, we’ll have to stop the other hosting apps from interacting with them, because their device is compromised, so they can’t continue to be considered “hosts” at all.

So your idea that a majority of “hosts” could run a version of HoloFuel that doesn’t involve tx fees doesn’t really fly. When someone commits fraud in HoloFuel, they cease being a host too.

People could create a different currency app that doesn’t have transaction fees, but it wouldn’t be HoloFuel. And they’d need to make sure their security model is up to the task for their use case, so they probably can’t just clone HoloFuel and then gut it of parts of its structural integrity/security (such as KYC, tx size caps, and fees). I mean… they could do that, but the currency wouldn’t be secure, so most wouldn’t want to use their insecure currency.

2 Likes

As though KYC, tx size caps, and fees do make a currency secured! LMAO! Haven’t heard anything as funny as that for years!

Why don’t you (Holo) just stop calling your hosts your customers; you should rather call them your team (much as AWS calls its data-centers “ITS OWN DATA-CENTERS”, not its customers, of course). The only difference between you and AWS being that you’re too flexible in hiring hosts, unlike AWS, which doesn’t let everyday people run its servers from their garage! Moreover, Holo-fuel should rather be advertised as a private currency (https://en.wikipedia.org/wiki/Private_currency), backed by Arthur Brock and the team’s reputation for being trustworthy enough to do big business with, backed by the hope that it will buy its holders some hosting power, nothing more! Period!
Trust me, you’d save yourself much of the scrutiny this way…

Every technology platform has different attack surfaces that can be leveraged to cause problems. KYC and Tx size limits have nothing to do with HoloFuel’s cryptographic security. Holochain already provides that just fine.

However, all Holochain apps should have strategies for dealing with Sybil attacks. KYC is one part of HoloFuel’s strategy for addressing Sybils. It makes it very difficult to manufacture many fake accounts, certainly blocking the ability to spawn millions of accounts to try to dominate validation on the network.

Another aspect of security is how strict your validation requirements are for your currency’s use case. In the case of HoloFuel (which needs to be optimized for high volumes of micro-transactions), we cannot invest massive amounts of computing power into the validation of each transaction. Otherwise, the cost of validation overshoots the size of the transaction you’re validating.

This is where having transaction size caps comes in. Splitting a large transaction into a number of small ones means that each transaction and its corresponding headers published by spender and receiver will go to 3 different neighborhoods of validators based on the hash of the Tx and headers. You might be able to pre-image a single large transaction to temporarily get away with sending it to neighborhoods of colluding validators, but there’s no way to do that for so many small transactions. (This kind of high-value / low-validation attack even has a particular name: a Finney Attack, and all cryptocurrencies have to address this issue.)

More specifically, there’s the fundamental cost equation: If you have to spend more to rip off the system (on computing power for pre-image hashes and bribes for trying to get enough nodes through KYC to control neighborhoods of validators) than you can gain from your attack (because of the size limit), then the attack is a net loss and not worth doing.

Because we are making certain trade-offs in deciding to keep HoloFuel validation fast, light, and efficient, KYC and size limits factor into changing the available attack surfaces.

5 Likes

Have we ever claimed HoloFuel is something other than a Private Currency? This is exactly the examples and metaphors we use (like photo-credits on a stock photo site, or ticket-master event tickets).

This is our stance with the regulators as well.

But derivative markets still emerge for private currencies that can be exchanged under the control of the holder – think of ticket scalpers, stamp collectors, frequent flier mile programs.

Have you ever heard anyone from Holo or Holochain claim that HoloFuel is supposed to be some kind of global currency?

Well then be ready for strict regulations by the world governments, censorships (about what ‘happs’ can be hosted on the Holo-network), and hell maybe even taxes (on Holo’s petty little 1%)! Look what happened with XRP, for instance…

It’s delightful to see that you’re transparent about Holo’s potential flaws (of which there are many: mostly being the same regulatory limitations that the mainstream cloud providers face); and having Holo’s best interests at heart, it genuinely concerns me knowing that audits and regulations do stifle potential growth over the long run. Private currencies currently bear the risk of plunging to non-existence almost any day from their issuance (especially in the centrally-controlled, state-dictated societies that the majority of the world lives in at the time being). That being said, such a risk is worth taking only for businesses that have a physical presence in the jurisdictions within which they operate (think of Walmart, for example), but should strictly be avoided by the decentralized hosting platform that Holo is (if possible to avoid, that is to say).

Holochain (as opposed to Holo) should and indeed will be the de-facto choice of conservatives concerned about the concerns pointed out above (not to mention the privacy concerns a Holo user would have regarding his/her private unencrypted data being in someone else’s custody); therefore it should seem paradoxical that an informed user who resolves to only use peer-to-peer Holochain apps would want to do so via Holo, which only removes the two selling points that Holochain adds, those being data sovereignty and wider options (i.e., the ability to consume apps that are not necessarily approved of by the cloud providers as adequate to be hosted on their servers; though I’m not entirely sure whether the Holo resolver gets to see the DNA that the Holo user wishes to be hosted for himself, so further clarification is welcomed on this concern). Hence it seems reasonable to conclude that the customers that Holo as a business is targeting to serve actually don’t exist in the real world; the only two customer classes being the informed user, who chooses Holochain, and the uninformed user, who chooses cloud-provided services! Does that mean that Holo as a business is doomed (and so HoloFuel as the early investor’s compensation)? Or am I missing something?

good discussion between @artbrock and @The-A-Man

Basically, have you consulted any legal experts about any censorship or shutdown implications for HoloFuel, which ultimately is used as a currency for a distributed hosting network but managed by a centralised company?

1 Like

@artbrock i have asked this question before i think on AMA. But would like your formal reply on this.

HOT (in future, holo fuel) current market cap is 155m. and we have at least 100 holders with at least 100k usd worth of HOT. In future, holo fuel may also be listed on exchanges.

What if we have holders who want to transfer big value holo fuel to exchanges? or direct transfer between agents?

How does holo fuel DNA handle big value holo fuel tx then? I don’t think it is practical to split a 100k usd holo fuel tx into 10s/100s of thousands or millions of micro txs, let alone a tx that could involve millions in usd value (like is trivially done in the eth or btc network on a daily basis).

Look forward to your answer. Thanks!

I would also like this question answered

For sake of staying on the subject of security, would you mind making a topic out of this?

I’m excited for the light-weight benefits of Holochain :slight_smile:

@artbrock I am interested in connecting Biometric services to be required for authorization. Who should I talk to / where can I find information? Thanks!

@artbrock would you be able to advise? Still waiting…

@artbrock Do advise on this. Look forward… hope I don’t need to wait too long. Thanks!

@pauldaoust could you advise on my questions above? Or could you get @artbrock to reply to me?

There’s a handful of things here to address:

Transactions in ETH or BTC take the same amount of computing power no matter their size. This actually means every transaction uses A LOT of power – approximately 681.59 kWh, which is over 23 days of electricity for an average American household, to do a single BTC transaction. (See link for current BTC / ETH energy usage data.)

I’m targeting to be well under 0.1 kWh per HoloFuel transaction and having it be complete in more like 10 seconds rather than 10 minutes. However, this reduced validation workload means that a temporarily effective attack on a single HoloFuel transaction is much cheaper to attempt (even if you’ll eventually get caught). So we need to make sure the cost of attacking the network (producing node addresses near a pre-imaged hash, KYCing those accounts, and providing the compute power) always costs significantly more than you can earn from performing the attack.

This is the main reason to have a Tx size limit on HoloFuel.

So if you want HoloFuel to make a million dollar transaction secure, you’re gonna have to break it into a lot of transactions closer to $100 to ensure that the cost of an attack on a transaction is higher than the transaction value. Doing this many transactions actually costs the network more computing power than a single small transaction costs, and therefore it should cost more than a single small transaction costs… which is why a flat 1% still makes sense.

That being said, we will probably provide a UI for larger transactions which automatically breaks them down into the smaller ones. But even that may have a size limit (maybe closer to $10,000 ?) so that it doesn’t lock both parties’ chains for too long.

Put simply, HoloFuel is not optimized for being a speculation tool for multi-million dollar transactions. It is optimized for high volumes of small transactions. We’ll probably have many other currencies to fill different needs in the Holochain ecosystem, and ways to move between them, so if there’s a need for this kind of currency, someone (maybe not us) will make it.

1 Like
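The size-cap argument made in the two posts above (splitting a large transfer into many sub-transactions that each land in a different validator neighbourhood, the flat 1% fee being unchanged by the split, and the ‘cost equation’ the cap enforces), as an added example. This is illustrative code, not HoloFuel’s DNA: TX_CAP, NEIGHBOURHOODS, the integer amount units and every function name are constructed for the example, and the neighbourhood is derived from the first byte of the transaction hash rather than any real DHT addressing scheme.

```python
"""
Added illustration, not HoloFuel's code, of the two points made above:
splitting a large transfer into sub-transactions under a size cap, and
the 'cost equation' that the cap enforces. Each sub-transaction's hash
picks the DHT neighbourhood that validates it, so a spender who could
afford to pre-image one hash into a chosen neighbourhood cannot do so for
all of them, and a flat percentage fee is the same whether a transfer is
split or not. TX_CAP, NEIGHBOURHOODS, the amount units and every function
name here are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from fractions import Fraction

TX_CAP = 10_000               # assumed per-transaction cap, in smallest currency units
FEE_RATE = Fraction(1, 100)   # the flat 1% fee discussed above
NEIGHBOURHOODS = 64           # toy DHT: address space divided into 64 neighbourhoods


@dataclass(frozen=True)
class Tx:
    spender: str
    receiver: str
    amount: int
    seq: int   # spender's chain sequence number: sub-transactions finalise in order

    def hash(self) -> bytes:
        return hashlib.sha256(
            f"{self.spender}|{self.receiver}|{self.amount}|{self.seq}".encode()
        ).digest()

    def neighbourhood(self) -> int:
        """Which neighbourhood of validators this transaction lands in."""
        return self.hash()[0] % NEIGHBOURHOODS


def split(spender: str, receiver: str, total: int,
          cap: int = TX_CAP, first_seq: int = 0) -> list:
    """Break `total` into sub-transactions no larger than `cap`."""
    if total <= 0 or cap <= 0:
        raise ValueError("amount and cap must be positive")
    txs, remaining, seq = [], total, first_seq
    while remaining > 0:
        amt = min(cap, remaining)
        txs.append(Tx(spender, receiver, amt, seq))
        remaining -= amt
        seq += 1
    return txs


def fee(amount: int, rate: Fraction = FEE_RATE) -> Fraction:
    """Flat percentage fee, kept exact so split and unsplit totals compare cleanly."""
    return Fraction(amount) * rate


def neighbourhoods_hit(txs: list) -> set:
    """Distinct validator neighbourhoods a set of transactions spreads across."""
    return {t.neighbourhood() for t in txs}


def attack_is_net_loss(max_tx_value: int, attack_cost_per_tx: int) -> bool:
    """The cost equation: attacking one transaction is pointless when
    mounting the attack costs more than the capped value it could steal."""
    return attack_cost_per_tx > max_tx_value


if __name__ == "__main__":
    txs = split("alice", "bob", 1_000_000)
    print(len(txs), "sub-transactions across",
          len(neighbourhoods_hit(txs)), "neighbourhoods")
    print("fee split:", sum(fee(t.amount) for t in txs),
          "fee unsplit:", fee(1_000_000))
    print("attack on a capped tx is a net loss:", attack_is_net_loss(TX_CAP, 12_000))
```

The single large transaction lands in exactly one neighbourhood, which is the case an attacker could try to pre-image into a colluding set of validators; the hundred sub-transactions scatter across many neighbourhoods, and the fee total is identical either way. The `seq` field is the sequential-finalisation bottleneck mentioned earlier in the thread: each sub-transaction takes the next slot on the spender’s chain.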

@art Hmmm… the top 50 holo accounts have HOT value of at least 300k usd. If holo fuel is going to be listed on an exchange for trading, surely you have to expect transfers to/fro of 5/6 figures or even more.

Then how do you handle larger holo fuel tx transfers to/withdrawals from an exchange? Your answer makes me feel you didn’t think enough about this problem.

Let’s say there is a transfer of holo fuel to/out of exchange of 100k usd (this is really not a big sum at all in current market conditions), how many sub-transactions is needed to make up a 100k tx?

10 sub-txs of 10k usd to make up a 100k usd tx? How long will it take to “finalize” 10 holo fuel txs of 10k? Have you thought this through? This is a real scenario you should expect if holo fuel is to list on any exchange.

If there is a 300k usd tx, there will be 30 sub-txs of 10k?
I feel you have to think of a way to handle larger txs without compromising security and UX. I feel it is a glaring hole on the way holo fuel works.

1% on 300k is the same as 1% on 300 tx’s of 1k

It just depends on the settings; eventually most everything will be customizable.

this would depend on a variety of factors… DHT redundancy, node liveness, propagation methods, etc

All of your concerns can easily be addressed by designing your own current-see and writing the DNA for the associated hApp. Remember that HoloFuel is only one of many to be implemented.