To repeat an earlier comment, this scheme encourages a centralization of trust into a private key managed by processor manufacturers. You might say that by integrating SGX mechanisms into your security model, you create a set of 'feudal lords' [1] who can wield their power over you.
A manufacturer may 'legitimately' establish an enclave in your most trusted hardware which you may not audit or even measure. And if that security model becomes commonplace, for example when only allowing Widevine DRM inside SGX, you eventually cannot use your self-chosen hardware, but will have to pick a feudal lord from a limited set of 'ecosystem choices'.
I still think it's an interesting approach. If you want to be more efficient and less wasteful than Bitcoin, at some point trust has to come into play. And reducing your trust to the manufacturers of secure enclaves (whose products can also be audited to a degree) is surely an improvement still, even if it doesn't have the radical threat model of conventional cryptocurrencies (which inevitably run into scaling problems because it mostly requires proof-of-work).
Also, the article mentions the de facto centralization of trust in the current cryptocurrency ecosystem - so pragmatically, it's not much better there. From centralized exchanges, to centralized mining cartels, what does something like Bitcoin have left to offer?
Bitcoin uses proof-of-work for its consensus system, but not all cryptocurrencies do. Bitcoin is a technological wonder, but it's ultimately not as advanced as its younger brethren.
The Stellar Consensus Protocol, which MobileCoin say they're using, uses something more akin to a web of trust rather than proof-of-work. You do not need the SGX to get rid of proof-of-work.
I read that like: "a stone wheel ? man it's not revolutionary at all. It's heavy. And hard to make. It's not practical and currently unusable for real purposes."
Said by a guy you just witness the historical invention of the wheel.
The wheel was, in fact, one of the first instances of a centralized structure replacing an inefficieint distributed structure.
The central "hub" of a wheel bears the load and the "edge condition" is the substantially reduced "rolling friction".
This is in contrast to ye old "distributed load" way of a zillion poor slaves pulling a load.
So as far as the "wheel" goes, VISA is a chariot, and Bitcoin is an army of slaves pulling a wheel-less load.
And in fact, the "facts", prove this. Almost 400 KWh per transaction, and that at the feeble rate of 7 tx/sec.
That is your "technological wonder".
point 2:
"Technological wonder[s]" of this time -- now -- are Machine Learning, CRISPR, etc. These are the "inventions" to pay attention to, not a thinly disguised play by private wealth to finally fully take out the national governments from the monetary system loop.
That CJW -- Crypto Justice Warriors -- like you fail to see this is the actual "wonder".
I couldn't not read your post without hearing your every word dripping with seething anger and disappointment. While your post contains information that has lots of merit, I can't help but see the person that typed this reply as a Big Money VP or someone that's either lost a bunch of money "investing" in crypto, or really fucking pissed they didn't hold onto their Bitcoin. But just to preemptively defuse a reply, here's a funny story: I started mining Bitcoin really early, back when CPU mining was the only thing to do. I ended up selling them (a couple thousand) in January of 2012 to put the down payment on my car.
Nothing revolutionary about distributed consensus. It was the 2008 financial crisis that brought the anti-banking crowd into frenzy, seeing all sorts of claimed benefits in using this sort of thing for money. They would have been goldbugs or tulip collectors under other circumstances.
Or do you mean the revolutionary scamming techniques never seen before? /s
One that was resistant to sybil attacks? Bitcoin was the first system to do that as far as I know.
Before bitcoin you would be unable to create a virtual currency without a central authority. Satoshi's algorithm was a new invention in 2009, although it's parts - like proof of Work - were invented in 1990s.
Bitcoin and other crypto coins are a neat idea until their underlying cryptographic primitives are broken. Then they will immediately loose all of their value. Every cryptosystem of the past has been broken at some time.
> and given enough time, all ciphers can and will be broken
Not all ciphers... 3DES and GOST have no practical breaks after 40 years of cryptanalysis (all attacks have > 2^100 time or memory complexity)
Any secure modern 256 bit symmetric primitive is likely safe from large quantum computers.
What will continue to be be broken are encryption protocols and systems that misuse modern secure 256-bit primitives. So we will continue to see things like the BEAST attack because non-cryptographers continue to invent their own encryption protocols with alarming frequency.
It's far from ideal though. I think it's actually worse than using banks from a centralization point of view, because you can typically choose between multiple banks.
In this case you only have one single point of failure: Intel. If that breaks, what then?
From a pure efficiency/centralization perspective, there are likely better cryptocurrencies out there. I think Ethereum's sharding network is interesting, too, and it seems to maintain a high-degree of decentralization, but I don't know how easy it will be to implement:
> If you want to be more efficient and less wasteful than Bitcoin, at some point trust has to come into play.
In that case, one might as well go with any of the permissioned blockchains (such as Interplanetary database where the nodes are run by reputed non-profits for a minimal fee).
> From centralized exchanges, to centralized mining cartels, what does something like Bitcoin have left to offer?
I'd say you're being overdramatic here. Mining is still decentralised and if there are any mining cartels, they haven't abused their position yet. It's still possible to buy, sell and spend Bitcoin peer to peer as well.
I think part of the reason Segwit2x failed is that, ultimately, mining wasn't as centralized as everyone assumed. Its proponents had the backing of the major mining pools who controlled the vast majority of the mining power - or so they thought - but it turned out enough of the actual miners had views too and were happy to switch pools to express them that it suddenly looked a lot more precarious than expected.
You can either audit something fully or not at all. Your secure enclaves cannot be audited, it would be a pointless task, if you find nothing it just means it could be in the area you cannot audit. if you do find something then it almost guarantees that something else exists in the secure enclaves.
> I still think it's an interesting approach. If you want to be more efficient and less wasteful than Bitcoin, at some point trust has to come into play
Did you read about Ethereum's Casper and proof of stake? Or dpos - implemented in Eos et all?
Yes, the features of the SGX means that we can no longer even see what are computer is doing.
> This means that the ledger is "public" and distributed to all MobileCoin nodes, but will also simultaneously never be accessible or viewable by humans (even the operators of the MobileCoin nodes) so long as SGX and the MobileCoin software
remains secure.
It seems unlikely to me that these two things things will remain the case.
> A client can perform remote attestation to its MobileCoin node before transmitting its keys into the remote enclave along with a short recovery PIN.
And it seems if SGX gets popped the whole thing comes crumbling down.
Moxie has made it pretty clear through the way Signal operates than Moxie's worldview is one where our feudal lords know better than mere serfs can ever hope to. I'm not at all surprised that yet again trust roots are taken out of the hands of end users.
Seems unnecessarily adversarial of you. I think Moxie has justified his standpoint relatively convincingly, even if you may not agree with it.
And to some degree, the success of Signal, or Signal's protocol as implemented widely used services in WhatsApp, supports his approach. If cypherpunk-purists had their way, encryption would still only be a thing exclusively used by a slim minority of nerds who are capable of managing PGP and all the complications that come with its fragile nature.
What success of Signal? I use To in Android for texting but only a small percentage of my contacts are even using it.
However I'm not really convinced Signal is all that secure in the Android ecosystem, and I trust Open Whisper Systems even less than bigger tech companies to not fold under pressure.
What I don't understand is why such a person resorts to a nickname, but does use a picture. The US government knows the real name of people like ioerror and moxie marlinspike. It seems pointless to consistently hide the real name to the public.
If your pseudonym carries more klout, and you have even more people in your social life knowing you by the pseudonym, it kind of becomes your 'real' name. Not any different from other persona names like Marilyn Manson, or Marilyn Monroe.
I used to use my online name enough that people were confused when they heard my legal name. Eventually, I decided to change my legal name to save the hassle of having a legal name that nobody actually knew me by, but that's easy in my country (doesn't involve courts or lawyers) and a pain in the ass in most other places.
Your argument would be stronger if you didn’t resort to epithets.
Bitcoin was designed to be as decentralised as possible. It turns out this has serious downsides and it’s difficult to pursue the sort of financial revolution it aspires to without social revolution.
This currency chooses different trade-offs which the creators believe will make it more popular because most people don’t need or want trustless transactions. People delegate power for finance, politics and computing not because they are stupid or serfs but because they are willing to sacrifice some autonomy for the speed, ease of use and enforceable contracts which come with a central authority.
If you (re)read the blog post I'm referring to, you'll find that your concerns are very much addressed.
I actually chose to refer to 'feudal security' as coined by Schneier (at least in the context of computer security), because it is such a compelling and balanced approach to the exact same trade-offs you're describing.
The argument would be stronger in the sense that it would be more persuasive. Which if your goal is to convince people is a highly relevant metric of strength to use.
As disappointing as it might be pure logic is rarely enough in the real world.
That was my first impression as well. That being said, I have a lot of respect for Moxie and his work, so i'd like to give him the benefit of the doubt and am curious to see his response to this point.
> "Nobody actually transacts in cryptocurrency," Goldbard says. "So making something that people can actually use is our first goal. And then we want to find additional ways that people can implement it over time. But initially all we want is to make it so people can actually complete transactions."
On reason, in the U.S. at least, is that you're supposed to pay capital gains on every little bit you spend. There's a bill in Congress right now to exclude crypto transactions under $600 from capital gains, which would be a big help.
Even if you do want to hold long term, you could just replenish what you spend along the way, if it weren't a tax reporting nightmare.
There are a lot of ways of defining what a currency is or is not. Taxing gains on it is one way. Another way is having an official body say so, which has happened in several US court cases.
You still have to record them.
Also don’t forget that if you have an ISA, other savings and investments that allowance isn’t that big.
As an individual if you mine you have to record the value as it was at the time of mining if you buy you record it at the time of purchase and you pay capital gains if you exchange the crypto for fiat currency or goods or services directly on the difference between the values.
It gets more complicated since you can’t select an individual currency unit form your wallet but atm you are allowed to use creative accounting for that.
The fact that you have an allowance doesn’t mean it’s not taxed and if you have any substantial amount you’ll blow throgh that allowance pretty darn fast.
You only record them if you otherwise self assessment for tax. If you do t eve self assessment you do not claim if the gain is below £11k unless the total sale is in excess of £45k
This is correct, gains in ISAs are tax free and have no impact on cgt allowance. So if cryptocurrencies were a good investment an ISA would be an excellent place to hold them and convert gains to currency you can spend, but I don’t think any isa providers support them.
No, you don’t ever pay cgt on gains in an isa, that’s the whole point of them. So if you could hold bitcoin (at the moment only an etf is possible), there are no taxes on gains.
Worth noting e.g. if you receive stock under US company schemes and sell even if you have already been taxed on the gain versus FMV as income. You can be in a circumstance where the taxable gain is under the threshold but disposals are high.
This is secondary to there being no benefit to the average user for transacting in crypto vs Visa. What incentive is there for an end user to use even a hypothetically optimal crypto system? Then is that incentive sufficient to overcome network effects?
The appropriate and interesting applications of crypto seem to be totally leaving p2p cash behind - it just doesn't seem like a good fit.
You're mixing cost and price. Let's say the cost of a Visa transaction is 0.1% and the price is 2.5% while the cost and price of a MobileCoin transaction are 0.2%. It costs more but it's still cheaper for merchants.
Cash is cheaper for merchants, but people have only continued to use credit cards more. Further, if crypto becomes attractive from a cost perspective Visa will just be forced to bring down fees and stay competitive. It's pretty near impossible to imagine crypto with costs less than Visa's database.
There's a shop near me that has had its card payments out of commission for about a week. They are having to bring in staff for additional hours due to the fact that the transactions typically take longer and you have the cash to handle at end of day. I doubt it's a negligible additional cost.
Credit cards are more convenient than cash. If crypto can be equally convenient (which I think it can -- see venmo), I imagine people will use it. Are the savings of centralization really enough that Visa will be able to stay competitive and profitable?
I don't doubt Visa will continue to be used, but I imagine it will be for fraud protection rather than cost.
That's really only useful to a small number of users, relative to the overall size of the economy, and many of them are doing things that aren't legal. Not a market I'd probably target if I was going for mass adoption.
Because it defeats the point. There is no "coin" that will exponentially appreciate in value, making you a billionaire. There is also no centralisation, so you cannot be the owner of the payment system in the same way that Paypal or Visa are.
At best you can be the Linus Torvalds of your payment system non-profit. Which would be a good gig in itself. But that comes with lots of hard work, not the easy riches that you can do from some hype-pump-dump scam in less than 6 months.
To build on this comment, the purpose of a currency is to facilitate the transaction of value, not to store value.
If an instrument stores value, it's an asset, not currency. One can of course transact business with assets, but it's a lot more complicated because you have to agree to a valuation. And without a currency, how do you measure that?
Plus, the incentives for assets and currencies are opposed. Currency exists to be spent, but if an asset is appreciating, you'll want to hold it, not trade it.
Bitcoin was advertised as a currency but it's acting like an asset. (And it's regulated like an asset.)
If you create a new class of asset, you can buy in early, hold on, and get rich on appreciation.
But if you invent a new currency? It's like inventing the inch. Even if everyone uses it, that doesn't give you any more length of your own.
> "Nobody actually transacts in cryptocurrency," Goldbard says. "So making something that people can actually use is our first goal. And then we want to find additional ways that people can implement it over time. But initially all we want is to make it so people can actually complete transactions."
This is being solved by Shapeshift.io and XMR.to. I transact in cryptocurrency all the time using these intermediary services with BTC as the usual medium of exchange. It's opened my skeptical eyes about the future of how things will work.
>https://xmr.to/ looks waaaay too complicated for the average person to use, which is a nonstarter for the average person.
OK, that's fine, but services like that could - and will - get much friendlier. I'm just rebutting the quote which is the blanket "no one transacts in cryptocurrency" which is certainly not true for me, even though I felt that way just 2 months ago. Now that I am an active miner of various currencies, I find myself using it quite frequently for random goods/services, even though the plan was really just to convert it quickly into USD fiat to continue reinvesting into the mining operations or to pocket it.
I'm not sure if you're trying to imply that Lightning Network is vaporware, but there are currently three implementations that pass the integration tests:
That's possible, but the commenter above you isn't talking about that. He is talking about the fact that it is yet to launch and solve all of the problems it purports to.
It's the best possible fix, one that isn't implemented yet! There's toy-level alpha implementations, with the most naive possible path-finding algorithm that will literally scale to tens of nodes.
I wonder where the code for MobileCoin is, or when it will get open-sourced.
All GitHub yields currently is this clearly non-affiliated project: https://github.com/mobilecoind/mobilecoin.
I'm not sure I understand correctly, but from what I got, Stellar is a distributed ledger, but not a currency. There are no coins as such. But the upside is that the consensus is reached without a taxing algorithm.
Everyone can run a node, but the whole system is not itself decentralised, because you need "anchors", which are banks or payment processors, to get your money in and out of the system.
So then, what is the point of the decentralised ledger? GNU Taler seems like a more simple solution.
>>Stellar is a distributed ledger, but not a currency. There are no coins as such.
From the Stellar FAQ[1]: "Lumens are the native asset of the Stellar network.
Native means that lumens are built into the network. Asset is how the network refers to an item of value that is stored on the ledger.
One lumen is a unit of digital currency, like a bitcoin.
While you can’t hold a lumen in your hand, they are essential to the Stellar network—they contribute to the ability to move money around the world and to conduct transactions between different currencies quickly and securely."
Stellar is a distributed ledger that has a native currency to make payments easier.
After reading up on Taler, it sounds like a very similar idea to Stellar, but Stellar removes some of the need for trusted authorities.
From the Taler overview: "The system requires an external auditor, such as a government-appointed financial regulatory body, to frequently verify the exchange's databases and check that its bank balance matches the total value of the remaining coins in circulation."
In Stellar, this service is provided by the ledger and the nodes that validate it.
Anchors are not inherent to the Stellar consensus protocol - that is part of how the Stellar coin works, but the consensus protocol doesn't include that, it is just the mechanism for the various nodes coming to a consensus on the blocks.
In no time in history do I find so rewarding reading and understanding crazy papers like right now. I wish I had the balls to actually read and understand the bitcoin years ago.
Even if this thing becomes nothing, this is a bubble, I don't care. The fact that there are things that rival fiat money makes me so glad that I'm alive today :)
I was looking into Ripple last night, and it uses something similar[1]: you enter a set of nodes that you trust will not collude together, and an 80% supermajority of those trusted validators propose transactions, and then an 80% supermajority of all nodes on the network accept those transactions for a new consensus.
It's a lot more efficient than Bitcoin (no proof of work, it's just another consensus protocol), but the trade off is that 1) it doesn't have all the feel-good rampant libertarianism of completely untrusted decentralized consensus of Bitcoin 2) you have to pick a good set of trusted nodes and trust them all not to collude
(Ripple has other problems that skeeve me out, but after thinking about it federated consensus isn't one of them. I think a lot of altcoins are using federation, actually...)
This coin uses Stellar, which is not a decentralized consensus like Bitcoin, but rather federated. It's not really surprising that it has performance advantages.
Also not sure how I feel trusting the fate of a cryptocurrency to the strength of Intel's SGX.
"MobileCoin does not rely solely on SGX for maintaining transaction privacy. Transactions are designed to employ CryptoNote1 one-time addresses and onetime ring signatures, so MobileCoin will still maintain transaction privacy through unlinkable addresses if an attacker is able to defeat SGX and view transactions on the network."
It also says that the clients transmit private keys and PINs to the SGX nodes, which presumably allow spending of their coins. Maybe it's designed in a way that they lose their money, but maintain the privacy of their previous and other transactions going through the node.
Users have to transmit the private keys to their nodes, but not the PIN. This tradeoff was taken to prevent people from losing their money by losing their phone. If the secure enclave were broken, nodes could, theoretically, be able to brute-force the private keys.
I think that in reality, there will really be just a few nodes: Signal, WhatsApp and some bots/banks/businesses. The trust system in place is ideal for this.
> At install time, Alice's client performs remote attestation with its Mobile-Coin node, establishes a secure communication channel into the remote enclave, and transmits its keypair along with its recovery PIN.
Here's the problem with cryptonote: if I play 10 hands of poker at an online casino, with money I bought on an exchange, I have very little privacy. Anyone who can coerce or compel the casino and exchange's cooperation can get my real identity simply by looking at intersections amongst potential ancestor payments. This is because in cryptonote, each payment only has e.g. 4 potential ancestors. While each of those themselves have the same property, you can still look at intersections and deduce linkages with very high probability.
>>So it has the same privacy protections as Monero, the only cryptocurrency with a track record of being untraceable so far?
I wouldn't call Monero "untraceable" even though I am a very big fan of XMR. It takes work to put a lot of steps between you and the payee at more levels than simply the transactional one.
It's fantastic, but it takes a lot of memory to generate a private transaction (no mobile wallets for that!) and because private addresses are opt in, not many are being used in the wild
> "9. Bob's MobileCoin node sends Bob's client a message, which can then calculate the private key that corresponds to the generated one-time public key."
>" 10. Bob has now successfully received a payment."
If I'm reading this correctly, Bob's client (e.g. mobile app) must be in contact with the node for his address to receive the payment. This is pretty different from what I think will be Mobilecoin's closest competitors (at least from a UX standpoint), Venmo, Google Wallet, etc.
DDOSing Bob's mobile device or otherwise preventing access to the node would, at least temporarily, prevent the transaction from going through. Are the funds in purgatory during that period? If that client never gets in contact with the node, does the transaction ever get reversed, allowing the sender to regain control of the funds?
There are probably a host of other repercussions I haven't thought through yet. The idea of a cryptocoin as easy to use as Venmo/Signal is definitely intriguing.
It's different because regardless if your node is online or not, venmo's servers can still accept payments on your behalf, and it's presumed that taking venmo's servers offline would be considerably harder than taking yours offline.
1) Both Kin and MobileCoin have moved to Stellar as their back end this week. I haven't paid Stellar much attention before. Anyone have any good links that explains Stellar and/or discusses the technical pros/cons? Trying to avoid any shill/pump or baseless FUD.
2) Am I correct that if any vulnerability were found in the SGX, an attacker would gain access to the encrypted private keys that are stored on a server node and would just need to brute force the PIN?
I don't have a good link for Stellar but it's been around for a while, and the Rust creator even worked for them for some time.
Regarding the second point, since it's on the server, wouldn't a vulnerability just mean the server operator might potentially be able to get at the keys, not any random attacker?
I've done some work with Stellar and the implementation in the whitepaper sounds very different than how Stellar currently works.
For example, users control their own private keys and they're never exposed to a node, so I'm not sure why the whitepaper mentions storing private keys in the SGX. Perhaps they're going to host wallets for a user and store all keys in the SGX?
I'll be very interested in more details about this project since it doesn't appear to use the Stellar network, only the consensus protocol.
That's just "meritocracy" in action. The founder of a project gets all the credit for it, and when there are multiple founders the most famous one gets all the credit.
I think this is going in the right direction. You take a bunch of tamper-proof hardware devices from different manufacturers and then model attack costs to compromise them as part of a proof-of-stake scheme. Now you can build consensus algorithms on top of them that are highly secure and scalable compared to anything that exists today.
I'm not convinced that Stellar consensus here is the right algorithm for doing this, but I think SGX is promising technology that has been somewhat overlooked in the blockchain space (not by everyone.) SGX has a lot of potential. You can use SGX as a way to expand the consensus rules of any blockchain by using it as a blackbox obfuscation construct. Everything and more that Vitalik wrote in his article about Indistinguishability Obfuscation is possible with SGX today.
Want to create a specialized oracle that only signs certain transaction formats, even on untrusted hosts? Yep - use SGX. Now you can have agents that run in a cluster that will only move assets between blockchains based on a user's prior agreements, allowing for more complex cross-blockchain smart contracts to be written in high-level languages. What about having a nice way to do transaction commitments to scale any blockchain without having GB zero-knowledge proofs? SGX again. It could be used for privacy preserving protocols... It could be used for solving data availability problems in sharding / decentralized storage systems. The list goes on.
Some of the biggest trust problems are solvable with this technology - but like others have already said - you still have to trust the hardware manufacturer. In this case, my thoughts are that you already have to trust the hardware manufacturer anyway (nobody is going to inspect every chip with an electron microscope...) My bet is that a non-trivial portion of full nodes today are already running chips with backdoors like the Intel Management Engine anyway...
The point here is that you can't fully remove trust from any system without introducing vast inefficiencies, but you can at least formalize the risks in a system and design so that a compromise is too expensive to be worthwhile, and for me I think that's where the potential lies with this tech. Cryptoeconomic systems based on tamper-proof hardware where individually a component may be compromised, but where it is simply infeasible to compromise each and every device. You build a network out of these components and you have yourself the first on-chain scalable blockchain bound by physical hardware encumberments instead of computational difficulty.
You know it was hard enough for PayTV smart card developers to keep transistor level reverse engineers from getting inside their chips, and all that was at stake then was $35 content subscriptions. I can't imagine how putting personal banking inside SGX will fare. Or, I acknowledge I am probably missing something. Am i?
It wasn't that hard and the stakes were much higher than that. Individual subscriptions could be much more, but the entire black market of glitching units was an industry worth many hundreds of millions of dollars.
Ultimately DirecTV was able to kill pay TV hacking by simply introducing a new generation of cards that were better protected, the P4 series iirc. Other pay TV firms invested less and were mostly undermined by just one guy (Tarnovsky) - not exactly an army of reverse engineers.
The weak points in SGX security aren't the electronics themselves. So far all attacks on it are side channel based.
Tarnovsky wasn't the only key. There was also a single minded team of former intelligence investigators spread around the world coercing and infiltrating, on top of a smartcard dev team packed with most of moscows mathematics prize winners, in addition to another red team in haifa with their own tarnovsky's. I speak from first hand knowledge because in my younger and more naive years I used to worked with them.
Still, the analogy applies because the stakes with a cryptocurrency that depends on transistor security become a much more interesting target then the, now boring++, paytv market. It should not be assumed that any secrets will stay inside of that secure enclave, at all.
++it's boring to hack paytv because streaming, downloads and card sharing removed a large bulk share of the need
I feel like the real appeal of Bitcoin is the decentralized aspect. I am not totally intrigued at the idea of having a controlled system, even if it offers complete privacy and faster transaction speed.
If it works like Stellar (which it sounds like it does), it's still a decentralized network of nodes, but each individual user isn't a node. They pick a node to work with, and that node is then connected to a set of other nodes. Anyone can run a node, but there's just not any point to it for most users.
You can't just spin up your own CoinBase if you don't trust coinbase.com. I mean, it's BitCoin, so you can run your own transactions, but you can't do any of the other stuff CoinBase does.
But with Stellar or something based on its consensus protocol, you can run your own node if you want, or more likely, a bunch of public nodes can exist and you can pick the one you trust to work with. For example, if banks decide to start working with MobileCoin, then Chase could offer a node and, as a Chase customer, you could decide to trust their node (since you already trust them to manage your money) and use that one.
> you can run your own node if you want, or more likely, a bunch of public nodes can exist and you can pick the one you trust to work with
Still not getting it. If I don't trust CoinBase, I can go to any other online wallet that manages my private keys. With some effort, I can even start one myself. If Chase is running such a wallet, I can use them.
How is a decentralized protocol not a superset of a "federated" one?
Every node in Ripple or Stellar works with the same global state. You have to trust Coinbase not to run away with your money, but your Stellar node cannot. The consensus system is more like a replacement for proof of work, ensuring that no one double spends.
Would someone close to this project be able to explain why the node operator wouldn't have direct access to user's keys in the event of an SGX exploit? The whitepaper only briefly delves into transaction privacy protections, but not key management.
Any remote-attestation scheme is theoretically vulnerable to attacks where the CPU manufacturer includes backdoors in the processor hardware (either deliberately, accidentally, or under compulsion from a third party).
Intel's implementation is considerably worse than that. Even if you assume the hardware itself isn't compromised, every remote attestation has to go through the "Intel Attestation Service" which has no end-to-end protection. The IAS is what actually validates the enclave's signature, and it returns a "success" or "failure" message which is signed with an Intel key. But there's absolutely no technical measure that prevents Intel from being compelled to sign a falsified response; a client would have no way of telling the difference.
This is documented by Intel [1] and I'm hardly the first to notice it [2] but people still seem to talk about SGX as if compromising it is equivalent to backdooring the CPU, which is inaccurate.
So you can not start running any code session on the SGX at ALL without this Remote Attestation call to Intel? That seems silly, considering the SGX has two 128 bit keys on board (one known to Intel, and one known only to the SGX).
Oh, it's not quite that bad. You can run SGX code and work with encrypted data, including generating attestation messages. It's just that there's no way to verify those attestation messages yourself; you have to ask Intel to do it.
It's also worth noting that SGX can run in two modes. There's "debug mode", which provides absolutely no security because a debugger has complete access to the state of the enclave. And then there's "release mode", which requires a key that you can only obtain by signing a commercial agreement and NDA with Intel.
At the end of the day, trust is still required. For example, if you use Bitcoin, you're trusting the people that wrote the code and the libraries it linked to and the people that ran the server you downloaded it from, and you're trusting that Koblitz didn't put a backdoor into the ECC somehow. I could go on for a while here but I think this describes the basic idea. You can change the level of trust required or who you're trusting but not the mere requirement of it.
I've met some of the people working on this at Intel and I do have confidence that this isn't some conspiracy, I do think they have the intention of improving the crypto space with projects like this.
No, but probably worth a shot. I think AMD's Secure Encrypted Virtualization (SEV) sounded better, though. But it's a shame AMD only offers it on the EPYC server chips. they ought to make it a mainstream feature in Zen 2 chips if they want it to gain popularity and use. That said, that's probably not an obstacle for a company that plans on using server chips anyway.
In multiple verticals of the industry, there exists a clear trend of utilizing hardware security modules for cryptographic operations. Almost all mobile phones have them, cloud providers offer HSM services, and Trezor wallets generate bitcoin private keys. It makes sense to build a service that relies heavily on HSM.
I am pessimistic about SGX. It's basically a DRM system that was dressed up to look like something else. Even if one trusts Intel, the entire security model hinges on Intel's ability to detect a compromised key and revoke it; that makes plenty of sense for DRM, where compromised keys are typically announced on forums etc., but why would a service operator or government agency tell anyone?
Moxie has good ideas, but SGX is a trap and he fell into it.
I'm probably going to pay this a lot more attention now than I would have purely because I find Moxie really quite impressive all the way up to his patient, reasoned interactions with people around here.
MobileCoin is backed by XLM/Stellar, which is not decentralized, and so I feel I should note here that I signed up during Stripe's giveaway of Stellar Lumens years ago - and I did indeed get my wallet credited.
I was given 6000 XLM and I left it in their official wallet for years. On May 12th, 2017 I wrote them an email asking why my wallet, now converted to some newer official wallet, was empty. I did not receive a reply for 2 months, at which point I followed up and received a reply within a day, which was:
"I have investigated your account and it looks like an account merge operation occurred some time ago merging your lumens with another account. If you did not commit this action, it could be possible that someone was able to obtain your account information.
Unfortunately there is nothing we can do to retrieve your lumens at this point.
Apologies we cannot be of further help."
I have pretty damn good security of my various accounts using hardware 2FA and such, and I also transact in cryptocurrency and have wallets with far more fiat value in them than 6000 XLM had at the time ($120-150 USD if I recall), with absolutely no issue - and I hadn't even logged into their official wallet. The developers were 100% quick to blame this merge on me. I replied with a flat: "I highly doubt you are correct that it is my fault" email and it went back and forth with them asking the basic "well, did you get spearphished somehow" as if anyone even knew what XLM were or cared.
The process dragged on for a month while I bothered people in their Slack channel since email communication dropped out and they finally came back with:
"Our team has investigated and checked for multiple different types of issues and have not found anything on our end that shows any type of security compromise in our system.
Unfortunately this means at this moment I do not have a concrete answer to how your account was compromised. I’ll follow up again to check if there is anything on your end they would recommend you do."
I investigated on my own and found a number of accounts who were "hacked" and sent XLM coins to the wallet that I had merged with, all that just kind of sat there, indicating a software error on their end of a bunch of accounts that were randomly emptied. I provided all documentation to their team and spent a solid 15-20 hours doing so.
Their response to all of this bug bounty-type work?
"They have identified one potential issue in the past that affected only a small number of accounts, possibly yours. This bug was fixed once discovered back in 2014, but users who may have been vulnerable to the bug were still impacted during the upgrade process to the new network even after it was resolved.
Although we think this was the cause of what happened, we cannot be 100% sure if this was what impacted your account considering you had a strong password and none of your other accounts were compromised."
And:
"Although we cannot recover you original lumens from your account, we’d like to award you 3000 lumens as part of our Bug Bounty Program because you have helped us in identifying a possible issue that happened in the past."
So they basically gave me half the XLM back instead of the full amount despite it being entirely their fault and them having no idea how to investigate while I exposed a serious flaw in how XLM were assigned and paid to their wallets, all while blaming me the entire time and with atrociously slow customer response times.
Forgive me if I'm not the biggest XLM/Stellar Lumens fan; their team is both terrible at support and suggests that at least their frontline investigators are technically incompetent since they couldn't figure out the merge situation before I did with simple API poking around and enumerating.
Too bad you are having this issue. But since you are airing it here on HN then my own anecdotal experience is I went through the same signup as you did. Forgot about it for three years. Found my multi-word password. Loaded it into the website. Received a message I'd been upgraded to the new system. I downloaded a stellar desktop client, transferred the coins to my desktop wallet, all problem free.
I think it is easy for nearly all of us to agree the most likely cause of your own issues is operator error. Now that the price is shooting up on these coins, it's not rational to expect STR to chase down every 6K STR givaway grievance that they receive.
>>I think it is easy for nearly all of us to agree the most likely cause of your own issues is operator error.
Seems exceptionally unlikely given the number of upvotes I have and the work that I did tracking it down. It is very likely their fault and/or a software bug.
Aside from the fact that this is a terrible line of argumentation ("Person A gave you $100 and then Person B later stole it out of your house, what's your problem with that?"), that is not the point of my comment at all. I suggest you read a bit more specifically in regards to service, transactional security, and the fact that the coin is federated and not decentralized.
You didn't even realise for a long time that you lost access to it. It's like me remembering that I had some BTC, but can't access them anymore and blaming Bitcoin developers for not getting rich.
Stellar not being decentralised, even 90% of nodes are not run by the SDF, makes it somehow unsecure? If you have some specific complaint about the security point it out, instead you are just ranting on an anecdote.
>>If you have some specific complaint about the security point it out
I did, in the post. I'm not sure why you are making a big deal about the money I lost. I am certainly not. It is about the mechanism by which it happened and how they didn't take it very seriously.
EDIT: I am also not even sure to this day what the value of XLM is, and don't particularly care. I gather from your post that it has gone up. Congratulations. I think XLM's architecture and use case makes a lot of sense. I also think their developers and support team are quite poor. That is the intent of my post.
care to disclose what connection you have with Stellar -- your blind defense and smoke screening makes it seem like you have an interest in making sure bad press (legit or not) doesn't come to light.
"In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes."
It's vulnerable to side-channel attacks, like a lot of trusted hardware. The challenge with trusted hardware is you have a much stronger threat model than a lot of previous work on side-channel attacks, in that instead of having to protect against remote or local unprivileged software attacks, you now have to guard against a local privileged attacker (e.g. a malicious OS or hypervisor), or potentially even someone with physical access. Having said that it is possible to design software in such a way as to be resistant to many side-channel attacks (albeit with a lot of effort and a performance hit) and I imagine future generations of SGX could add hardware protection against the most egregious channels. Of course if you have enough money/time it will always be possible, the question is whether an SGX based blockchain can be designed in such a way as to make it not worth the effort.
Stellar is run by a set of trusted third parties, which makes it permissioned. If it gains any sort of traction, it will undoubtedly come under the control of any number of governments, thus negating the "peer-to-peer" part of cryptocurrency, and making usage conditioned on approval from some set of intermediaries.
If your set is not the same as everyone else's set, you risk being forked off. Trusted third party based schemes have a tendency toward centralization, making them less resilient than ones based on cryptoeconomic incentives. Inevitability it will mean TTP based ledgers will be permissioned, with the TTPs acting as gatekeepers, rather than p2p.
This isn't just theoretical either. Stellar has co-authored a paper arguing for regulations against anonymous cryptocurrencies:
A bit ironic that MobileCoin is targeting x86_64 and SGX seeing that the vast majority of mobile devices run ARM. I wonder how easy this would be to port to the ARM trustzone?
ARM Trustzone doesn't do anything related to remote attestation, which I'm guessing this thing is all about (even if the article doesn't seem to mention it). So I'll claim it is impossible.
Edit: You could still check the signatures signed by the trusted Intel CPUs on your ARM device of course, but any mining would have to happen on a SGX-enabled Intel CPU. (Or anything else with Intel's private key.)
> The currency is designed to utilize an Intel processor component known as Software Guard Extensions, or a "secure enclave."
Binding yourself to an implementation like this seems like mega big centralization. There's several decentralized coins that could solve some of these same problems.
So if the coin's market cap were higher than Intel's, you could buy Intel and use the SGX master keys to establish rogue nodes and take over the network.
In fact this is no better at all than if Intel were simply running the MobileCoin service as a centralized provider/bank.
Surely I'm reading this wrong. Does the whole thing depend on users trusting that the nodes run the correct software, which uses these "enclaves" to hide private data from itself?
I'm not sure what this means. Supposing I'm a node that runs the correct software as well as some incorrect software. I prove (however this works) using SGX that I'm running the correct software. You send me the data and I run it through the incorrect software.
I imagine my ignorance of SGX has something to do with this. Is there a 101 link somewhere?
As betterunix says, the way you do it is that the signed data structure proving what software you're running can contain a public key, for which the private key exists only in the enclave. So you can then encrypt secrets that are readable only in the enclave.
One approach: use attestation to prove that a public key was created inside an SGX "enclave". Encrypt the inputs using the public key, and now only the enclave can decrypt and use the inputs.
In that case, why not use a centralized ledger operated by Intel? It would certainly be more efficient, and no less trust-worthy. You even eliminate a whole bunch of side-channel attack vectors on the MobileCoin software such as memory access patterns, heat dissipation patterns, timing analysis, and failure modes such as total compromise of SGX.
I don't trust Moxie ever since he argued that Signal will not be a decentralized network due to the technological complexity (just BS as Matrix, XMPP and other have shown). While I suspected that he had other plans in mind, I didn't see that coming.
Using your wide spread chat app to deploy a global payment system. Just wow. If he will pull that off, Elon Musk gets competition for the title 'Innovator of the Century'.
Great to see more cryptocurrency adopting Stellar's Consensus Protocol. Decentralisation and scalability without the environmental impact of proof of work.
Stellar is not decentralized. It is federated, meaning a number of trusted third parties act as the intermediary, and eventually, will become the gatekeepers as governments deputize them to enforce their respective laws (e.g. capital controls in China).
Like if 90% of mining power owned by 2 companies makes something more decentralised. I would argue that the Stellar Consensus Protocol is more resilient to centralisation than any proof of work one.
Manufacturing GPUs doesn't give a company control over how the buyers use the GPUs. GPUs are by market necessity general-purpose. And all of the full nodes in a decentralized cryptocurrency network like Ethereum will validate the blocks generated by the miners.
An no word about price volatility? Even if btc were scalable it is unusable for commerce. Pegging to fiat should be #1 goal of a new blockchain that wants to solve problem. All others arejust sophisticated gambling platforms.
The Request Network may beat them to it, in terms of making crypto accessible, since it aims to provide a paypal-like, currency agnostic portal for payments. But I still like the project, and will follow it closely.
While yet another cryptocurrency doesn't sound so good, I think Moxie has at least proven himself enough with Signal (in terms of being pragmatic about usability while trying to get the maximum amount of security and privacy for users) that this sounds promising.
I'm also happy to see a currency with Byzantine agreement without proof-of-work being explored. While this may not satisfy the extreme threat model of Bitcoin etc., I'm not really convinced that this is even needed at all. (Not to mention that Bitcoin has failed as a currency anyway.)
He used to federate, he said he reckons he lost a year of development in the attempt.
His argument is federation makes change difficult - and a private company can centralise the protocol (like Slack or WhatsApp) leading to a better user experience because they're not tied to getting everyone to agree to a change.
I have a few questions: (1) When can we start using this? (2) How will you acquire the currency?
I think #2 is the pain point, and I didn't see this addressed in the whitepaper. Most people talk about Bitcoin's transaction speeds, but Litecoin works incredibly well for doing transactions. The difficulty for a normal person is acquiring it. You need something like GDAX.
Stupidly bad design - storing other people's private keys in a protected memory region. This is as good as entrusting a safe with your money to a thief, thinking that the guy will be unable to open it.
Marlinspike, yet again, flops face down with his credibility as a crypto researcher.
Remember his his angry letter about silent key renegotiation hole in Facebook messenger
I'm not sure using Stellar is wise as the majority is owned by a small group of people, much smaller than Bitcoin, which creates conflict of interest and not future SEC proof.
on a side rant: So...many...coins...I too have something called BrowserCoin.com but still haven't figured out what problems to solve. Too many people just go implement a pseudo-academic blockchain tech with fancy dials without vetting the problem....virtually zero adoption other than from pumpers and owner...that is something I'd like to avoid altogether, for once some cryptocurrency based business that delivers and benefits people who don't need to expensive rigs to mine or jack resources (browser based blockchains etc).
I don't know you, but... I have an idea for BrowserCoin.com -- a marketplace for ads where users are paid to try a product. They receive a coin payment when they use a product for a certain period of time. Don't bother decentralizing -- keep tabs on who is paid, to avoid bots stealing payments with fake usage. Let me know if you like that, my email is in my profile.
https://us.teamblind.com/article/ama-round-2-i-manage-a-mult...
I think this post about managing a multi-million crypto portfolio can really relate. I think it still is difficult for the average person to understand, but this is a really great discussion going on.
Anyone have any links to read more about SGX? What's stopping someone from intercepting everything going down their and just doing the operations on their own while watching?
Essentially, the CPU has a private key. Using the corresponding public key you can send code to the CPU to execute and the CPU prevents even the OS from looking at the decrypted code. You can also check the signature of the CPU against a public Intel key to verify it is indeed an Intel CPU you are sending code to.
Ah I see. I'm seeing that you have 2 128-bit private keys on the enclave, one known to Intel and what that is not.
Can you not use the one not known to intel to do your own code signing against another client with ECDH? Why does it seem like they are pushing this "Intel Attestation" service? Wouldn't that cause Intel servers to be a single POF incase they aren't around to give a proper reply for the attestation request? (Imagine 100,000 nodes on the network all running smart contracts, or perhaps 10 years down the line they discontinue the service.)
IAS isn't technically a requirement of SGX. But if you want the ability to revoke hardware that is found to be compromised, someone needs to have that list and check against it.
I believe the plan is for IAS to be optional in future. It might already be, but then you have to implement the signature checking logic yourself. EPID is quite a complex signature scheme and you'd also need to find out from Intel which microcode/platform versions are revoked, etc. So IAS is more of a convenience than anything else.
A manufacturer may 'legitimately' establish an enclave in your most trusted hardware which you may not audit or even measure. And if that security model becomes commonplace, for example when only allowing Widevine DRM inside SGX, you eventually cannot use your self-chosen hardware, but will have to pick a feudal lord from a limited set of 'ecosystem choices'.
[1] https://www.schneier.com/blog/archives/2013/06/more_on_feuda...