Questions about DHT, cryptography, and security

XMSS
https://tools.ietf.org/html/rfc8391

First… Sorry for the delay @Sol… I haven’t been on top of these forums lately. It looks like @pauldaoust has answered most of them.

But I want to respond to something Paul said above:

I’m not sure why a “majority” has any application here – there’s no useful majority attack on Holochain apps such as HoloFuel. It only takes a single honest node to detect a problem and warrant a cheater. Technically (not necessarily easily), anyone could hack their own node to run a different variant of HoloFuel dna, but as soon as they do anything which honest/normal/vanilla nodes won’t validate (such as skip paying transaction fees), they’ll be warranted and have forked themselves into a space where no honest nodes (including Holo and Reserve Accounts) will transact with them.

So while they could theoretically do this to their device, they would no longer be able to receive hosting payments, or redeem HoloFuel via reserves, or transact with anyone who wants to also be able to transact with honest nodes (such as whatever kinds of exchanges emerge). And once a host’s key is warranted, we’ll have to stop the other hosting apps from interacting with them, because their device is compromised, so they can’t continue to be considered “hosts” at all.

So your idea that a majority of “hosts” could run a version of HoloFuel that doesn’t involve tx fees doesn’t really fly. When someone commits fraud in HoloFuel, they cease being a host too.

People could create a different currency app that doesn’t have transaction fees, but it wouldn’t be HoloFuel. And they’d need to make sure their security model is up to the task for their use case, so they probably can’t just clone HoloFuel and then gut it of parts of its structural integrity/security (such as KYC, tx size caps, and fees). I mean… they could do that, but the currency wouldn’t be secure, so most wouldn’t want to use their insecure currency.

2 Likes

As though KYC, tx size caps, and fees do make a currency secured! LMAO! Haven’t heard anything as funny as that for years!

Why don’t you (Holo) just stop calling your hosts as your customers; you should rather call them your team (much as AWS calls its data-centers as “ITS OWN DATA-CENTERS”, not its customers of course). The only difference between you and AWS being that you’re too flexible in hiring hosts, unlike AWS which doesn’t let the everyday people run their servers from their garage! Moreover, Holo-fuel should rather be advertised as a private-currency (https://en.wikipedia.org/wiki/Private_currency), backed by Arthur Brock and the team’s reputation for being trustful enough to do big business with, backed by the hope that it will buy its beholders some hosting-power, nothing more! Period!
Trust me, you’d save yourself much of the scrutiny this way…

Every technology platform has different attack surfaces that can be leveraged to cause problems. KYC and Tx size limits have nothing to do with HoloFuel’s cryptographic security. Holochain already provides that just fine.

However, all Holochain apps should have strategies for dealing with Sybil attacks. KYC is one part of HoloFuel’s strategy for addressing Sybils. It makes it very difficult to manufacture many fake accounts, certainly blocking the ability to spawn millions of accounts to try to dominate validation on the network.

Another aspect of security is how strict your validation requirements are for your currency’s use case. In the case of HoloFuel (which needs to be optimized for high volumes of micro-transactions), we cannot invest massive amounts of computing power into the validation of each transaction. Otherwise, the cost of validation overshoots the size of the transaction you’re validating.

This is where having transaction size caps comes in. Splitting a large transaction into a number of small ones means that each transaction and its corresponding headers published by spender and receiver will go to 3 different neighborhoods of validators based on the hash of the Tx and headers. You might be able to pre-image a single large transaction to temporarily get away with sending it to neighborhoods of colluding validators, but there’s no way to do that for so many small transactions. (This kind of high-value / low-validation attack even has a particular name: a Finney Attack, and all cryptocurrencies have to address this issue.)

More specifically, there’s the fundamental cost equation: If you have to spend more to rip off the system (on computing power for pre-image hashes and bribes for trying to get enough nodes through KYC to control neighborhoods of validators) than you can gain from your attack (because of the size limit), then the attack is a net loss and not worth the doing.

Because we are making certain trade-offs in deciding to keep HoloFuel validation fast, light, and efficient, KYC and size limits factor into changing the available attack surfaces.

5 Likes

Have we ever claimed HoloFuel is something other than a Private Currency? These are exactly the examples and metaphors we use (like photo-credits on a stock photo site, or Ticketmaster event tickets).

This is our stance with the regulators as well.

But derivative markets still emerge for private currencies that can be exchanged under the control of the holder – think of ticket scalpers, stamp collectors, frequent flier mile programs.

Have you ever heard anyone from Holo or Holochain claim that HoloFuel is supposed to be some kind of global currency?

Well then be ready for strict regulations by the world governments, censorships (about what ‘happs’ can be hosted on the Holo-network), and hell maybe even taxes (on Holo’s petty little 1%)! Look what happened with XRP, for instance…

It’s delighting to see that you’re transparent about Holo’s potential flaws (of which there are many: mostly being the same regulatory-limitations that the mainstream cloud-providers face); and having Holo’s best interests at heart, it genuinely concerns me knowing that audits and regulations do stifle potential growth over the long run. Private-currencies currently bear the risk of plunging to non-existence almost any-day from its issuance (especially in the centrally-controlled state-dictated societies that the majority of the world lives in at the time being). That being said, such a risk is worth taking only for businesses that have a physical presence in the jurisdictions within which it operates (think of Walmart, for example), but should strictly be avoided by the decentralized hosting platform that Holo is (if possible to avoid, that is to say).

Holochain (as opposed to Holo) should and indeed will be the de-facto choice of conservatives concerned about the concerns pointed above (not to mention the privacy-concerns a Holo user would have regarding his/her private unencrypted data being in someone else’s custody); therefore it should seem paradoxical that an informed user who resolves to only use peer-to-peer Holochain apps would want to do so via Holo which only removes the two selling-points that Holochain adds, those being data-sovereignty and wider-options (i.e., the ability to consume apps that are not necessarily approved-of by the cloud providers to be deemed adequate to be hosted on their servers; though I’m not entirely sure whether the Holo resolver gets to see the DNA that the Holo-user wishes to be hosted for himself, so further clarification is welcomed on this concern). Hence it seems reasonable to conclude that the customers that Holo as a business is targeting to serve actually don’t exist in the real-world; the only two customer-classes being the informed user, who chooses Holochain, and the uninformed user, who chooses cloud-provided services! Does that mean that Holo as a business is doomed (so being Holofuel as the early investor’s compensation)? Or am I missing something?

good discussion between @artbrock and @The-A-Man

Basically, have you consulted any legal experts and any censorship or shutdown implication to holo fuel which ultimately is used as a currency for a distributed hosting network but managed by a centralised company?

1 Like

@artbrock I have asked this question before, I think, on AMA. But would like your formal reply on this.

HOT (in future, holo fuel) current market cap is 155m. and we have at least 100 holders with at least 100k usd worth of HOT. In future, holo fuel may also be listed on exchanges.

What if we have holders who want to transfer big value holo fuel to exchanges? or direct transfer between agents?

How does holo fuel DNA handle big value holo fuel tx then? I don’t think it is practical to split a 100k usd holo fuel to 10s/100s of thousands or millions of micro txs, let alone a tx that could involve millions in usd value (like is trivially done in eth or btc network on a daily basis).

Look forward to your ans. Thanks!

I would also like this question answered

For sake of staying on the subject of security, would you mind making a topic out of this?

I’m excited for the light-weight benefits of Holochain :)

@artbrock I am interested in connecting Biometric services to be required for authorization. Who should I talk to / where can I find information? Thanks!

@artbrock would you be able to advise? Still waiting…

@artbrock Do advise on this. Look forward… hope I don’t need to wait too long. Thanks!

@pauldaoust could you advise on my questions above. Or could you get @artbrock to reply to me?

There’s a handful of things here to address:

Transactions in ETH or BTC take the same amount of computing power no matter their size. This actually means every transaction uses A LOT of power – approximately 681.59 kWh which is over 23 days of electricity for an average American household to do a single BTC transaction. (See link for current data on BTC / ETH energy usage data.)

I’m targeting to be well under 0.1 kWh per HoloFuel transaction and having it be complete in more like 10 seconds rather than 10 minutes. However, this reduced validation workload means that a temporarily effective attack on a single HoloFuel transaction is much cheaper to attempt (even if you’ll eventually get caught). So we need to make sure the cost of attacking the network (producing node addresses near a pre-imaged hash, KYCing those accounts, and providing the compute power) always costs significantly more than you can earn from performing the attack.

This is the main reason to have a Tx size limit on HoloFuel.

So if you want HoloFuel to make a million dollar transaction secure, you’re gonna have to break it into a lot of transactions closer to $100 to ensure that the cost of an attack on a transaction is higher than the transaction value. Doing this many transactions actually costs the network more computing power than a single small transaction costs, and therefore it should cost more than a single small transaction costs… which is why a flat 1% still makes sense.

That being said, we will probably provide a UI for larger transactions which automatically breaks them down into the smaller ones. But even that may have a size limit (maybe closer to $10,000 ?) so that it doesn’t lock both parties’ chains for too long.

Put simply, HoloFuel is not optimized for being a speculation tool for multi-million dollar transactions. It is optimized for high volumes of small transactions. We’ll probably have many other currencies to fill different needs in the Holochain ecosystem, and ways to move between them, so if there’s a need for this kind of currency, someone (maybe not us) will make it.

1 Like
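
The cost argument in the two posts above (the "fundamental cost equation" and the reason for the Tx size limit), worked through as a toy model. This is an added example, not code from Holo or from any poster in this thread; the 3 published items come from the thread, while the colluding fraction, per-attempt cost, KYC cost and the independent-hash assumption are constructed for illustration.

```python
from fractions import Fraction

# Toy model with constructed figures; not Holo's parameters or code.
PUBLISHED_ITEMS = 3  # the tx plus spender and receiver headers, per the thread

def expected_grind_attempts(f):
    """Expected tries until all 3 items hash into colluding neighborhoods.

    Assumes independent uniform hashes, so one try succeeds with probability
    f**3, where f is the fraction of neighborhoods the attacker controls.
    """
    f = Fraction(f)
    if not 0 < f <= 1:
        raise ValueError("f must be in (0, 1]")
    return 1 / f ** PUBLISHED_ITEMS

def max_safe_cap(f, cost_per_attempt):
    """Tx value at which faking one transaction stops being a net loss."""
    return expected_grind_attempts(f) * cost_per_attempt

def split_transfer(amount, cap):
    """Break a transfer into sub-transactions no larger than cap."""
    if amount <= 0 or cap <= 0:
        raise ValueError("amount and cap must be positive")
    full, rest = divmod(amount, cap)
    return [cap] * full + ([rest] if rest else [])

def attacker_net(amount, cap, f, cost_per_attempt, kyc_total):
    """Attacker's profit from faking a whole transfer (negative = net loss).

    cap=None models a currency with no size limit: one big tx, one grind.
    kyc_total is the one-off cost of the Sybil accounts, lost once warranted.
    """
    chunks = split_transfer(amount, cap) if cap else [amount]
    per_tx = expected_grind_attempts(f) * cost_per_attempt
    return sum(chunks) - len(chunks) * per_tx - kyc_total

if __name__ == "__main__":
    f, attempt_cost, kyc = Fraction(1, 10), Fraction(1, 2), 2000  # constructed
    print("safe cap ($):", max_safe_cap(f, attempt_cost))
    for cap in (None, 10_000, 100):
        print("cap", cap, "-> attacker net ($):",
              attacker_net(100_000, cap, f, attempt_cost, kyc))
```

With these constructed figures the per-transaction attack cost is $500, so a $100 cap turns the attack into a loss at any total, while no cap or a $10,000 cap leaves it profitable.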

@art Hmmm… the top 50 holo accounts have hot value of at least 300k usd. If holo fuel is going to be listed on an exchange for trading, surely you have to expect transfer to/fro of 5/6 figures or even more.

Then how do u handle larger holo fuel txs transfer to/withdrawal from exchange? Your answer makes me feel you didn’t think enough of this problem.

Let’s say there is a transfer of holo fuel to/out of exchange of 100k usd (this is really not a big sum at all in current market conditions), how many sub-transactions are needed to make up a 100k tx?

10 sub-tx of 10k usd to make up 100k usd tx? How long will it take to “finalize” 10 holo fuel tx of 10k? Have you thought this through? This is a real scenario you should expect if holo fuel is to list on any exchange.

If there is a 300k usd tx, there will be 30 sub-txs of 10k?
I feel you have to think of a way to handle larger txs without compromising security and UX. I feel it is a glaring hole on the way holo fuel works.

1% on 300k is the same as 1% on 300 tx’s of 1k

just it depends on the settings, eventually most everything will be customizable

this would depend on a variety of factors… DHT redundancy, node liveness, propagation methods, etc

all of your concerns can easily be addressed by designing your own current-see and writing the DNA for associated Happ. remember that Holofuel is only one of many to be implemented

@Sol said: the top 50 holo accounts have hot value of at least 300k usd.

You are referring to the top 50 HOT accounts… not HoloFuel accounts. And they can transact at whatever the gas costs of ERC20 transactions are (currently pretty high). And most of those are exchanges who will probably not be swapping into HoloFuel themselves, but continuing to operate HOT exchanges for a long time to come.

You do not need to immediately swap into HoloFuel when we launch. In fact, I expect we will keep HOT running as a main interface with crypto markets for quite a while. [Although, we’ll certainly want to close it down before we’ve completely replaced Ethereum and all the rest of inefficient blockchain tech with more efficient Holochain counterparts. :) But that might take a few years.]

If holo fuel is going to be listed on an exchange for trading,

Personally, I’m in no rush to get HoloFuel on an exchange and don’t want to allow that during our 1:1 swap pricing window anyway because it would create confusing dual pricing between HOT and HoloFuel.

… but more about exchanges in the next one …

how do u handle larger holo fuel txs transfer to/withdrawal from exchange?

Exchanges are going to need to do some special work to operate HoloFuel in their existing business models. What I mean by this, is that exchanges rely on controlling the keys to your crypto wallet to ensure the ability to complete both sides of a trade in different currencies. They can’t do that with a proper HoloFuel account.

Part of our Cryptographic Autonomy License (CAL) specifies that end-users must control their own cryptographic keys. So if you transfer HoloFuel into your account on an exchange, you’re really going to need to be transferring to the exchange’s HoloFuel account, with an earmark identifying it as belonging to you in a sub-section of their account. Therefore movements between those sub-accounts are not actually HoloFuel transfers at all and can be managed by whatever means the exchange uses for tracking their internal sub-accounts (even centralized ones are possible).

This isn’t really all that different than how things currently work, which is why, for example, Binance, Paribu, HotBit, and IDEX are some of the largest HOT holders – because of people’s balances in exchanges.

Your answer makes me feel you didn’t think enough of this problem.

Because you don’t like my answer doesn’t mean I haven’t thought it through. More importantly, it isn’t really something that is optional any more than physics is optional. You sound like I’m trying to inconvenience speculators out of some personal dislike of them. That is not why HoloFuel works this way.

We can’t compromise HoloFuel’s security model without compromising its security. So as someone who expects to be holding a bunch of HoloFuel, you should appreciate that I’m unwilling to sacrifice its security to please a sub-group of users.

If there is a 300k usd tx, there will be 30 sub-txs of 10k?
I feel you have to think of a way to handle larger txs without compromising security and UX.

There is a way to enable a large transaction, but there’s other groups who will hate this answer as much as you might like it. Replace automated validation with human review.

We could remove the Tx size limits for any transactions with the Holo Org account (coming or going). It’s literally Holo’s BUSINESS to enforce the security of HoloFuel (if we’re crooked, y’all are already screwed) so we could have a human approve the transaction (and potentially require some kind of multi-sig for large transactions so that a single key being compromised doesn’t enable large transactions).

Also, if sending from the Holo Org account doesn’t have to pay tx fees (which would be kinda dumb because we’re just paying ourselves) then it doesn’t introduce any additional cost to relay through this account.

The anarcho-libertarians who think everything crypto should absolutely not rely on any human intervention will hate this. But it’s a way to keep automated validation secure, by requiring human validation for large transfers.

4 Likes