So to be clear, you disagree with Vitalik Buterin’s assertion about 51/67% attacks?
Many people have the mentality that “if a blockchain gets 51% attacked, everything breaks, and so we need to put all our force on preventing a 51% attack from ever happening even once”. I really disagree with this style of thinking; in fact, blockchains maintain many of their guarantees even after a 51% attack, and it’s really important to preserve these guarantees.
No. An independent auditor or random cryptographic expert would likely be running the blockchain calculations as publicly designed and documented, along with blockchain code prior to the upgrade, to compare against the block results of the code recently implemented in order to verify that no unexpected discrepancies occurred (i.e., that no erroneous code was implemented). Why would an auditor trust the new code first in order to verify that same code? That makes absolutely no sense.
You then digress again onto the need for “multiple independent replica implementations” when I’m not talking about auditing for node consistency, but rather block (or state) calculation accuracy. Even replicating the entire IC won’t help you verify that the blocks are being calculated correctly if a single upgrade affecting the entire IC causes incorrect calculations (vs. the public open source design). Therefore, the calculation verification I’m referring to would not have to be done on all (or even most) nodes or subnets, since existing node consistency controls would detect if even one node discrepancy occurred and highlight it for immediate investigation.
No again. As I stated, both BTC and Ethereum are still very fault tolerant, so their entire blockchains could still be hijacked by taking over a sufficient number of nodes. In other words, blockchain security is not theoretically enough to protect them. What makes them unhackable and unstoppable is the additional control of post-facto verification assurance, which destroys (almost) any rational incentive to hijack their blockchains. I say “almost” in parentheses because the U.S. government could still have a rational incentive to hijack any blockchain that could realistically threaten the U.S. dollar (or a CBDC equivalent) as the world’s reserve currency, even if this hijacking destroys the competing blockchain’s market value instantly. BTC and ETH are clearly not a threat in this scenario for various reasons, but another cryptocurrency might be.
Yes, which is one reason why post-facto verification assurance on top of blockchain security can add significant value to blockchains like BTC. In addition, you are missing the far more important value of this internal control: it is a massive deterrent against even trying to hijack a blockchain with strong post-facto verification assurance, since it would never be profitable to do so given the public’s quick reaction time.
I realize that an obsessive focus on security (i.e., on-chain controls) is your job, and I’m actually quite glad and comforted that you are very good at that job. However, I think this focus is not allowing you to see some of the very real benefits of off-chain controls, like even a minimum level of independent verification assurance over blockchain calculations, independent audits over DFINITY’s internal controls on node and protocol upgrades (in spite of NNS approval being required), etc.
Thank you for conceding to one of my most important points on the value of post-facto verification assurance. Indeed, asset losses can accumulate and multiply far higher and far longer on a hijacked IC than on a hijacked blockchain like BTC or ETH. More important, the fact that this is “definitely” so, as you confirm, means that the motivation to hijack the IC might actually become a rational malicious objective. By contrast, it can never become a rational objective on the BTC blockchain.
I don’t. If all you have is a single, public, persisted blockchain with thousands of validators, everything he says is true. But then he proceeds to explain why, if you go through a bridge between two networks (which is not the same, but a close approximation of how subnets communicate), you can lose arbitrary amounts from a 51% attack (or 67% in the IC case) on a single network/subnet. Even if the examples he gives are Ethereum and Solana (two public blockchains with thousands of independent validators each), not “secretive” IC subnets.
You can achieve the same guarantees on the IC as on Ethereum as long as you’re happy with only having a single subnet. And commensurate costs.
What you are describing is a virtual machine (like the EVM or Wasm) for a programming language. The IC’s deterministic state machine is more like an OS managing virtual machines (individual canisters) than a glorified interpreter / JIT compiler. Not all of it is described in a specification. It could be, but it would have to be many, many thousands of pages long, because it would have to describe details such as how many messages and how many bytes can be enqueued into a stream going to an application vs. a system subnet; or which messages count versus which memory limit on which subnet type; or an exact description of how messages from various sources are prioritized when being routed; down to details such as, when using the random tape as a source of randomness, in which order the various random values are generated; and so on, and so forth.
Furthermore, because this is basically an OS that is under continuous development, such details do change from one release to the next (e.g. because someone realizes that in order to protect the NNS subnet from DoS attacks, some new rule or limit needs to be enforced in just the right place under just the right circumstances). So you couldn’t possibly use one replica version to validate the correctness of another replica version, because they would most likely diverge a couple of blocks in. For reasons that have nothing to do with calculation accuracy per se.
See above. You cannot possibly validate the behavior of a canister in isolation from its subnet (because you couldn’t even tell when it gets executed, much less what its inputs would be, or in what order). I imagine (even though I have no clue whether this is so) that Ethereum’s EVM simply executes every transaction in a block, in the same round, in the exact order that they appear in. An IC subnet inducts said messages into canister input queues (with a host of rules regarding what is considered a valid message; and a whole lot of possible outcomes for inducting each message). The canisters are then scheduled, with some messages executed in the same round, some message executions spread across multiple rounds, and some left in input queues for future rounds. Executed instructions are counted, as are dirtied memory pages and execution continues until some limit is hit. Rate limits are imposed on canisters and the subnet as a whole. If the instruction limit is not hit, messages from local canisters to local canisters are routed; in a specific order; and everything starts from the top. In the same round.
In many respects, validating the IC would be closer to validating an (admittedly fully deterministic) OS by recording and replaying keystrokes and mouse movement; than it would be to validating the correctness of an EVM instance.
I would recommend reading Vitalik’s post (linked by JaMarco above) about why Ethereum (and BTC) would be fine with virtually any amount of malicious, colluding validators. And why this does not apply across blockchains (which also includes IC subnets). It has very little to do with the presence or absence of independent validators; and very much to do with the fact that, as soon as you have a system consisting of more than one virtual machine (blockchain / network), if something is temporarily out of whack on one blockchain, it has persistent effects on the other, even if the former issue is later sorted out.
BTW, I’m by far not a security expert. I’m a lowly systems software engineer, working on the IC’s message routing. I’m simply aware of the complexity of the code that I helped write and of the fact that fully documenting its behavior so it can be reproduced identically by someone else would require insane effort. And I’ve been on call for the IC and helped put together some of the monitoring infrastructure. And listened in on many, many conversations about security, determinism and whatnot.
So, @free, what you are basically saying is that blockchain calculations on the IC are impossible to independently verify or audit, no matter what, even after the fact. In other words, “trust me, bro” is the answer the general public ultimately has to be satisfied with, even after trillions in assets might be sitting on the IC in the future. OK, then, I guess that discussion is over.
Putting this doomsday conclusion aside for a moment, that VB post does give me some comfort regarding the protection of blockchain assets, particularly this part:
“Even if 99% of the hashpower or stake wants to take away your ETH, everyone running a node would just follow the chain with the remaining 1%, because only its blocks follow the protocol rules.”
However, it would only give me corresponding comfort on the IC if I had some independent assurance that the IC protocol rules would never allow a 51% (or 67%) attacker to take away someone’s ICP (or intellectual property on the IC). Where can I get that assurance today? And where can I get it after each protocol upgrade, any one of which could violate those sacred protocol rules? Even if those cryptography rules exist on the IC too, I suspect that I won’t be able to get similar assurance from the IC, simply because the blockchain history is not persisted anywhere like it is for BTC or ETH. So if I had 1 million ICP and someone edited that state to zero a month ago, I’m not sure there would even be a sufficient audit trail to show that I ever had any ICP.
At the very least, there should be some way to create a master continuity schedule to audit the consistency of state for all neurons. For example, if my ICP drops from 1 million to zero, another neuron must go up by the same amount via a mutually signed transaction between those two neurons. An independently verifiable continuity schedule of ICP balances across all neurons should always be obtainable. Are you implying that even this is not possible without malicious actors faking balances via boundary nodes, sending fake node messages or other means?
If so, then how can anyone even disprove today (or any day in the past) that up to a majority of ICP balances in neurons are not even real? Or how can we even disprove that ICP might in fact just be one big Ponzi scheme in a black box that we are not allowed (or forever unable) to look into, while we continue to invest more and more real money into that black box? I’m struggling here to get even a basic level of point-in-time verification assurance over assets on the IC. I find this persistently troubling and increasingly frustrating, in spite of my relatively high confidence in the IC’s on-chain security over transactions.
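The continuity check proposed above, as an added example that is not from the thread or from DFINITY’s code: replay a constructed neuron transfer log from genesis, enforce that every transfer moves value from exactly one neuron to exactly one other (so total supply never changes and nothing goes negative), and compare the replay against the balance snapshots a ledger operator claims at each height. Neuron ids, balances and snapshots are all constructed for the example.

```python
"""Continuity audit over a constructed neuron ledger (example data only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    height: int
    src: str
    dst: str
    amount: int  # constructed units, not real ICP amounts


# Constructed genesis balances and transfer log.
GENESIS = {"neuron-A": 1_000_000, "neuron-B": 250_000, "neuron-C": 0}
LOG = [
    Transfer(1, "neuron-A", "neuron-B", 100_000),
    Transfer(2, "neuron-B", "neuron-C", 50_000),
    Transfer(3, "neuron-A", "neuron-C", 900_000),
]


def replay(genesis, log):
    """Replay transfers in height order; return {height: balances}.

    Raises ValueError on a malformed transfer, an overdraft, or any
    change in total supply, since a mutually signed transfer between
    two neurons can never create or destroy value.
    """
    balances = dict(genesis)
    supply = sum(balances.values())
    snapshots = {0: dict(balances)}
    for t in sorted(log, key=lambda t: t.height):
        if t.src == t.dst or t.amount <= 0:
            raise ValueError(f"malformed transfer at height {t.height}")
        if balances.get(t.src, 0) < t.amount:
            raise ValueError(f"overdraft by {t.src} at height {t.height}")
        balances[t.src] -= t.amount
        balances[t.dst] = balances.get(t.dst, 0) + t.amount
        if sum(balances.values()) != supply:
            raise ValueError(f"supply changed at height {t.height}")
        snapshots[t.height] = dict(balances)
    return snapshots


def audit(genesis, log, claimed):
    """Compare claimed per-height snapshots against the replay.

    Returns None when every claimed snapshot matches, otherwise the
    first divergence as (height, neuron, claimed, replayed).
    """
    replayed = replay(genesis, log)
    for height in sorted(claimed):
        if height not in replayed:
            return (height, None, None, None)
        for neuron in sorted(set(claimed[height]) | set(replayed[height])):
            c = claimed[height].get(neuron, 0)
            r = replayed[height].get(neuron, 0)
            if c != r:
                return (height, neuron, c, r)
    return None


# Constructed operator snapshots: an honest set, and one where
# neuron-A's balance at height 3 was edited without a matching debit.
HONEST = {
    2: {"neuron-A": 900_000, "neuron-B": 300_000, "neuron-C": 50_000},
    3: {"neuron-A": 0, "neuron-B": 300_000, "neuron-C": 950_000},
}
TAMPERED = {
    2: {"neuron-A": 900_000, "neuron-B": 300_000, "neuron-C": 50_000},
    3: {"neuron-A": 900_000, "neuron-B": 300_000, "neuron-C": 950_000},
}
```

Because the replay is driven only by the signed transfer log, an edited balance shows up as a snapshot that no sequence of transfers can reproduce, and the audit names the height and neuron where the books first stop balancing.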
There exists a full history of all NNS blocks. As well as all the replica binaries that produced and executed them, and the source code they were built from, although I believe that for the first few months we did not have reproducible replica builds.
It has not been published because it contains all of the II logins and it would be trivial to use those to map per-application principals that are supposed to keep users anonymous back to the original user principals (you’re not supposed to be able to reverse engineer a user principal from an application principal). The II canister has recently been migrated to a different subnet, hence Manu bringing up the topic of publishing subnet blockchains now.
ICP balances are kept in the ledger canister, hosted by the NNS subnet. So it is possible to replay and fully verify the full history of the NNS, since genesis (there exists an ic-replay tool that is used for this purpose, as well as for debugging or disaster recovery).
Regarding my “doomsday conclusion”, I never said it would be impossible to independently verify or audit an IC subnet. All you’d need is a machine that is at least as powerful as an IC node (64 cores, 512 GB of RAM, 6 TB of server grade SSD), since no subnet state is persisted for more than about half an hour; so you’d have to replay everything since Genesis and then keep up with the subnet. You can either use the replica binaries that were running at the time to do so; or rebuild them from source code (and closely review it); or you can analyze and fully describe the behavior of each replica version, then create clean room implementations from that.
This is what I already suggested, either done by someone in the general public or by an independent auditor with special access funded by the community. Then you said this was impossible or stupid because boundary nodes could be faked, messages from other nodes could be faked, entire subnets could be hijacked, etc., etc., etc., making any single replica node (or even replica subnet) effectively useless as a source of assurance. Even when I asked for the bare minimum verification assurance on ICP balances, this too is not possible due to reverse engineering or other concerns. Have you not been listening at all to what I’ve been saying about an NNS-approved auditor to validate blockchain information that is supposedly too sensitive to release?
At every turn, you fanatically resist any suggestion that could verify assets on the IC as being valid, which is raising all kinds of red flags in my view. Sorry, I’m not engaging in any more of this absurd tail chasing. Either provide direct access to the public to validate blockchain state or produce independent verification assurance from a third-party of blockchain state reliability on a regular basis. If you can’t do either, then sit down and stop asking the crypto industry to trust the “moon math” like they trusted SBF. I’m sorry, but after all this waffling, you are no longer credible in my view. I’m muting any further responses from you.
But some of us in the community like challenges. This “moon math” is a paradox that only the dedicated mathematicians can achieve with time. You want this to happen right now and don’t want to put hard work into doing research and figuring out the right way to do things. Of course this is not supernatural knowledge; it is something that man created, hence man would solve the math.
Seduced by “trust moon math”, when asked to prove that the math is actually being executed, Dfinity never hesitates to shift the goal posts to “uhhh, we can’t actually show you the math. Trust me bro”.
Blockchain = 1/3 cryptography + 1/3 economics + 1/3 game theory
The former leverages technology.
The latter two leverage the selfishness of human nature and the transparency of data. Without data transparency, economics and game theory cannot work on blockchain.
I think I have understood the difference between the two sides in philosophical terms. Dfinity’s representatives on this thread, @dominicwilliams and @free are Utilitarians, as engineers often are. All their arguments make sense from a Utilitarian standpoint. But Utilitarianism fails to comprehend certain basics of human nature.
This issue goes beyond just public subnets. Take the case of seed investors. Williams has often argued that they have nothing to complain about since their profits are high even at the current all time lows for the coin price. On a thread about seed investors, I gave the example of the capuchin monkey fairness experiment to show that ideas of fairness and justice have a great impact on perceptions even among animals. Seed investors are justified in feeling unfairly treated no matter the size of their profits. A Utilitarian perspective simply cannot grasp that.
We do not live our lives in Utilitarian ways. Think of the sheep trapped in a mine shaft in Wales which was saved after a huge and expensive rescue effort. From a Utilitarian perspective, it makes no sense to save a sheep at great cost while also eating sheep for dinner. The sheep at dinner is defined by a certain monetary value while the sheep in the mine shaft is defined independently of it. This seems contradictory and yet it speaks profoundly to what we are as human beings.
Crypto has a foundational ideology which involves individuals being able to verify for themselves the correctness of a blockchain. Of course, as blockchain sizes get bigger, this becomes progressively less practical, and there is progressively less Utilitarian justification for incorporating public verifiability. There is therefore good reason to walk back commitments to public verification. And there certainly exist forms of crypto fundamentalism among people like BTC maxis which take the ideology too far, as every ideology is taken too far by some factions. But equally, the crypto community would simply not exist without crypto ideology, so it is crucially important to pay some heed to that. In fact, there are Utilitarian reasons to respect it based on how widespread the belief system is within the developer, investor and customer base.
I would therefore urge the Dfinity foundation to institute some form of public verifiability for the IC blockchain, no matter the cost. The feature is essential if the foundation wants the IC to be perceived as a trustless, decentralized blockchain rather than one controlled and operated entirely by the Foundation itself.
Taking off from the Genesis metaphor, Dfinity can plan a Noah’s ark of data for the inflection point dividing the period of no public verifiability from one when the IC becomes a verifiable blockchain. Whatever data cannot be made public because it will endanger privacy can be left out, I am sure the community will understand, because individual privacy is also an element of core crypto ideology.
On a thread about seed investors, I gave the example of the capuchin monkey fairness experiment to show that ideas of fairness and justice have a great impact on perceptions even among animals. Seed investors are justified in feeling unfairly treated no matter the size of their profits.
I think it’s worth pointing out that capuchin monkeys have also been known to throw their feces and eat their young.
The clip you reference is one that I’ve played for several people. The range of reactions I’ve seen is interesting. Some feel more justified in their feelings of jealousy. Others are embarrassed for having acted like monkeys.
I do think you have a point about humanity. One thing that sets the NNS apart in my mind is how very human it actually is. A single NNS proposal can potentially wreck the system. We can set up guardrails and invoke the virtues of a “trustless” environment, but ultimately how we behave is up to us.
I am sorry you feel that way. You have my sincere apologies.
I was chasing down what I felt were inaccuracies and too high expectations in your and others’ statements (that taking over a subnet was trivial; that if a subnet was taken over, an independent audit would serve as much more than a belated notification; that the security measures of a single blockchain can be applied to a collection of blockchains and achieve the same level of security/trust/assurance). And neglected your central point, which was about producing and publishing audits of a subnet’s blockchain.
In my (somewhat flimsy) defense, I started from the assumption that merely having a continuous quorum of replicas validate a subnet would be essentially the same as auditing it. But it is true that the only output of that process is merely the current state of the subnet, not an explicit audit of exactly which blocks were validated by which replica and whether any divergence was detected in the process.
In the meantime I kept repeating to whoever would listen that I am not fundamentally opposed to either publishing or auditing subnet blockchains, but merely trying to gauge how useful the proposed solutions were likely to be for various ends. And hoping to land on a sweet spot between cost/overhead and benefit, considering the above.
My conclusion thus far (and it is merely my opinion, not something I’m trying to force on anyone) is that adding some form of public audit trail to each subnet replica would be a reasonable (and cost-effective) first step. On top of that, one can argue for or against the utility of making the NNS and/or other subnets’ blockchains fully public; or having a second class of replicas (that may or may not run a different implementation of the deterministic state machine) as subnet auditors; or rely on the replicas themselves to act as auditors; having a layer on top of that to ensure that every canister message inducted by a subnet was actually produced by some other subnet. And so on and so forth.
I for one have learned a lot from this discussion, both in terms of what properties one may expect from a network such as the IC (e.g. Vitalik’s post, linked above) and in terms of having an online conversation.
Edit: In the hope of calming down the spirits that I helped stir up, I will point out a couple more things:
I do not speak for DFINITY here. I am a team member, but that’s it. The above are my opinions. They may be wrong and other DFINITY team members will likely disagree with much or some of what I said. I wasn’t asked by anyone to state this, just thought I’d explicitly say out loud something else that I had previously assumed everyone was aware of.
DFINITY has not, should not and very likely will not turn down an NNS motion proposal requesting public subnets; public audit trails; or whatever else; as long as it is technically achievable. Whatever my or DFINITY’s position on said issue might be.
And a fanatical insider resistance against any reliable way – even off-chain and after the fact – to obtain independent audit assurance in the absence of public data transparency is a huge red flag that the economic game is already afoot.
I trust you have then told them they need not feel embarrassed, for resisting inequity is quintessentially human. The animal experiments only show it goes even deeper than just homo sapiens.
I did not tell them this, in part because I try to refrain from telling people what they need to feel or not feel. But also because I don’t agree with the premise.
Justice, I think, is a critical component of human society. I don’t understand how it can be quintessentially human, though. There are people who don’t resist inequity for a variety of reasons (generosity, greed, temperance, indifference, incapacitation). They are still human, even more so I think than the capuchin monkey.
I don’t understand why you would show many people the clip as you claim to have done, in that case, but each to their own.
If something is quintessentially human, it does not follow that it must be a behaviour visible in every single human being. Also, there are hundreds of modes of resistance, few of which rise to the level of visible rebellion. But we digress.