Robert Sams writes me about Ethereum

by on February 1, 2014 at 12:05 am in Web/Tech | Permalink

…wanted to draw your attention to http://ethereum.org/. Their testnet has just been released tonight. This is NOT another alt-coin, but something much more interesting.

It’s a blockchain with hash-based proof-of-work, similar to Bitcoin, and it has a currency at its core called “ether”. But what makes this interesting is that it includes a Turing-complete scripting language that implements a new entity, a programmable *contract* which, like addresses, can generate and receive transactions.

From their whitepaper (http://ethereum.org/ethereum.html): “A contract is essentially an automated agent that lives on the Ethereum network, has an Ethereum address and balance, and can send and receive transactions. A contract is “activated” every time someone sends a transaction to it, at which point it runs its code, perhaps modifying its internal state or even sending some transactions, and then shuts down.” So the network doesn’t just compute meaningless hashes, it is a distributed computer automating any type of financial exchange expressible in its scripting language.

In theory, all manner of things can be implemented on the network: sophisticated escrow arrangements, securities, CFD’s, order books, games of chance. And being Turing-complete, there will be many things possible that are not currently anticipated or even conceived.

The creators use an internet analogy. As a protocol, Bitcoin is like SMTP, good for doing one thing well (transferring Bitcoin from A to B). Ethereum is like TCP/IP, a generic, low-level platform on top of which other high-level protocols can be built. The internet of finance, as it were.

Haven’t had a chance to look into the code yet. It will be awhile before we know whether the thing is robust. I predict lots of teething problems. I’m just guessing here, but the biggest question mark is whether the security of the network can withstand malicious or buggy code (Bitcoin’s simple scripting language is deliberately not Turing-complete for this reason). Creators of contracts must fund them with tx fees which, as far as I can tell, are proportional to the complexity of the program. So they’re taking an economic approach to solving that problem.

You can read about Ethereum on Twitter here.  Here is Wired on Ethereum.  By the way, it seems Goldman Sachs may be involved.  By the way, here is Sams on cryptonomics.

Ray Lopez February 1, 2014 at 12:57 am

Note that this new scheme requires a ‘central computer’ unlike the distributed computer of Bitcoin. Also, why is Bitcoin not Turning-complete? Is it because in theory factoring the blockchain from a prime number(s) is not in theory completely guaranteed?

Peter Gerdes February 1, 2014 at 2:16 am

I think the problem is more that bitcoin doesn’t allow you to prove that you have a certain amount of money in reserve. Also, it provides no mechanism for proving that a given scripting agent running somewhere on the internet is really running a given piece of code and that code won’t be modified in the future.

Using a formal scripting language for contracts is only appealing if you can cryptographically guarantee that the terms of the contract are carried out. With bitcoin you can’t verify any scripting agent actually controls sufficient currency to make appropriate payments if required.* Also, you certainly can’t cryptographically guarantee that payments out of a given account will only be made if a certain piece of code directs that they be made.

I don’t see any mention of a central computer in this scheme. Just the opposite! It simply requires that contracts be published publicly and that honest clients only produce successor blocks along paths where all contracts are correctly computed and payouts registered. So people put up money to pay for the execution of a contract and anyone completing a block executing a number of instructions of that contract can claim that execution payment as a mining fee. Since honest clients always check that prior entries in the block chain that contain the hash of script state are associated with the correct evaluation of n instructions from the indicated script only correct execution and assignment of it’s value get incorporated into the dominant chain.

*)I suppose if you both trusted some third party to run exactly the script provided you could use hashes to both commit to particular numbers without revealing them to the other party and have the script compute it’s private key from the sum of those numbers (mod n) ensuring that neither of you know the private key. Then, you could both transfer the appropriate dollar amounts to the script which is programed to cancel the transaction if both transfers don’t appear in the block chain (at least k elements longer than any other branch) within some time limit.

gwern February 1, 2014 at 3:34 pm

> I think the problem is more that bitcoin doesn’t allow you to prove that you have a certain amount of money in reserve.

Address signatures, multi-sig, and nlocktime all come to mind…

gwern February 1, 2014 at 11:03 am

> Note that this new scheme requires a ‘central computer’ unlike the distributed computer of Bitcoin.

??? No, it doesn’t. Where are you getting that from?

> Also, why is Bitcoin not Turning-complete?

Because it doesn’t include looping or recursion primitives and scripts are limited in length, anyway.

> Is it because in theory factoring the blockchain from a prime number(s) is not in theory completely guaranteed?

…do you have any idea what you are talking about at all?

Ray Lopez February 2, 2014 at 4:30 am

@gwern–lol, you clearly don’t know what you are talking about (“Because it doesn’t include looping [unlikely, as nearly every piece of code has a loop] or recursion primitives [lol, I guess he means 'primitive recursive function'? which anyways Bitcoin has] and scripts are limited in length [as opposed to an infinte length script? lol], anyway” – GIGO gibberish, to even me who codes) whereas I put my ignorance in the form of a question mark? But on the internet anybody can pretend to be a computer scientist…

Dangerman February 2, 2014 at 3:23 pm

Gwern is correct.

“Bitcoin uses a scripting system for transactions. Forth-like, Script is simple, stack-based, and processed from left to right. It is purposefully not Turing-complete, with no loops.”

https://en.bitcoin.it/wiki/Script

gwern February 6, 2014 at 5:55 pm

> unlikely, as nearly every piece of code has a loop

In a Turing-complete language, yes. Which is the point. See Dangerman’s cite.

> lol, I guess he means ‘primitive recursive function’? which anyways Bitcoin has

No, primitive recursive is a class of computability, which can be implemented iteratively or with recursion primitives; but once loops have been barred, the only alternative is recursion, and there are none.

> scripts are limited in length [as opposed to an infinte length script? lol]

As opposed to an *unbounded* program or tape, which is something you should recognize from the definition of Turing-completeness.

> But on the internet anybody can pretend to be a computer scientist…

No kidding.

Alex Godofsky February 1, 2014 at 2:03 am

Bitcoin already has a scripting language, albeit one that is not Turing-complete *by design* (so you guarantee a finite runtime for all scripts). I’m skeptical that Turing-completeness is a virtue here.

Adrian Ratnapala February 1, 2014 at 9:24 am

This is what I am thinking too. Turing complete languages are essentially terrifying, and you don’t want to be running scripts just because someone uploaded something. Javascript is bad enough.

someone February 6, 2014 at 1:50 pm

The scripts can run forever as long as they’re willing to pay for the time. Execution is not free.

Peter Gerdes February 1, 2014 at 4:50 am

While the turing completeness is nice this protocol has 2 huge problems as currently implemented.
——
First, unless the protocol is modified eventually hash collisions will occur somewhere in the chain. Unless the protocol includes some kind of nonce (which isn’t described here) which ensures that nodes can’t be duplicated at another level in the tree (say including the current height in the node definition) any such collision puts all transactions registered between the heights of the two collisions permanently at risk. Even here there is still a problem!!

Suppose you are an attacker controlling a fraction of 1/k of the total compute power. Now instead of extending the winning chain you instead pick some losing node and start generating a huge number of siblings with that node as a parent only moving on once you’ve added the maximum number of siblings that can be mentioned in one of their successors (i.e. that will still pay). After a very long time, you will eventually find k hash collisions (blocks with the same hash) between siblings. Hash collisions between non-siblings are effectively prevented by the nounce in the block definition (it must be a pure function of block height and parent + some arbitrary data if it allows for concurrent computation of siblings) so since siblings will be quite rare along the primary tree (on average this should probably be at most 3). If the protocol allows for As long as k 50% (actually a bit less b/c of efficiency gains) of computational power this is both more economically advantageous for the attackers (ignoring transaction fees) and allows for no economically viable attack. Sure, the protocol says that the payout for an uncle goes partially to the node whose uncle it is seemingly creating an incentive for defection but the public attack can simply use the same trick of refusing to help any node which doesn’t include transactions donating that percentage back and count on defection being unprofitable so long as a substantial percentage of nodes refuse to extend a defector.

Note that the attackers can start including real transactions in the nodes they produce so they don’t lose the transaction fees. Moreover, even if they can’t produce as much in transaction fees they also have the benefit of being able to roll back a proportional amount of transactions which is potentially very valuable.

This is why the original paper proposing the GHOST protocol where all nodes in the subtree above p count for determining whether p or it’s sibling is on the accepted path didn’t recommend paying for nodes off the main path. This is done here only for ‘fairness’ and even if the % was reduced it would still likely create troubling incentives. Better to abandon fairness and stick with cryptographic advantage. Heck, I think it’s a mistake to even count nodes that are produced to the side b/c it lets attackers add to their version at a faster rate than they can contribute to the public effort.

Gabriel Puliatti February 1, 2014 at 5:57 am

From the whitepaper:

The state_root is the root of a Merkle Patricia tree containing (key, value) pairs for all accounts where each address is represented as a 20-byte binary string. At the address of each account, the value stored in the Merkle Patricia tree is a string which is the RLP-serialized form of an object of the form:
[ balance, nonce, contract_root, storage_deposit ]
The nonce is the number of transactions made from the account, and is incremented every time a transaction is made. The purpose of this is to (1) make each transaction valid only once to prevent replay attacks, and (2) to make it impossible (more precisely, cryptographically infeasible) to construct a contract with the same hash as a pre-existing contract.

dead serious February 1, 2014 at 10:36 am
Stephan Tual February 1, 2014 at 11:23 am

While it makes for a great conspiracy theory, there is no Goldman Sach link. As Charles and Vitalik (two of the Founders) commented on the bitcointalk forums:

Vitalik: “We have two people on the current team who had at some point earlier worked at Goldman Sachs. That’s it.”

Charles:
“We have two people on our team who started their financial careers- as many thousands have done- at Goldman Sachs. They have both since left and started other ventures. In both cases those were hedge funds. Joe retired and moved to Jamaica to be in the music industry and came out of retirement to join us. Costa went to university of Edinburgh to study LCS’s relationship to finance for a PhD in Quantitative Finance. He is now running a hedge fund in Kyrgyzstan as well as building a full clearing house in etherscript.

We have no relationship with Goldman Sachs nor are they an investor. I wouldn’t take their money if offered. I have great respect for their knowledge of the financial industry as well as quality of talent, but no respect for their business practices or questionable conduct.”

Thank you for updating your article :)

Andrea February 3, 2014 at 10:01 am

This one is experimenting with some really dodgy economics. In my view, the glamourous (varporous?) platform won’t matter since the developers are trying to centrally plan transaction fee schedules.

http://blog.ethereum.org/2014/02/01/on-transaction-fees-market-based-solutions/

Tom Kelleher February 6, 2014 at 1:36 pm

Most of ethereum’s features are included in the protocol developed by Ripple Labs (funded with Silicon Valley VC money) including smart contracts, naming protocols and a turing complete scripting language that is fully featured and resists spam with micro fees https://ripple.com/protocol Ripple has a built-in crypto currency (XRP) as well and is currently focused on the remittance and forex markets. Ripple does not include proof of work mining which has inherent internal and external costs (speed, security, wasted energy) and should probably be regulated by the EPA at some point. Its current strategy for distributing XRP to encourage adoption is by partnering with the World Computing Grid which utilizes the Boinc network developed at UC Berkely and awarding results based XRP rewards for donating crunch time to science and health research that requires massive distributed computing (AIDs, Cancer, Organic Solar Materials). The Silicon valley startup wrapping that comes with Ripple doesn’t have the same earthy flavor as a bunch of teenage hackers inventing the next form of money in their basements, but they also have about a 2 year headstart a robust team and respected advisors (Susan Athey of Stanford GSB recently testified at the NYDFS hearings on Bitcoin http://www.youtube.com/watch?v=dSnQkadoaq0)

Computer Scientist February 6, 2014 at 5:15 pm

Ripple is centralized, no?

Comments on this entry are closed.

Previous post:

Next post: