Trying to figure out a couple things (from pastebin link):
1. What protection against non-halting?
contracts are "funded" upon creation, and by those who issue transactions to the contract. if there are specific fees required by the contract to perform an action, it must be enforced by the contract itself. the cost of computation will eventually exhaust the contract's funding and it fails.
2. what are the long-term economics? (i.e. is coin supply unlimited or limited and at what rate of decay)
line 90
- planned fundraising period with issuance of 10000 ether per BTC contributed
- other coins will be issued so the initial money supply is 15000 times the contributed BTC amount, with 0.25x (i.e. 16.67%) to the founders, same amount to fund the Ethereum organization. Division of BTC not specified.
- the mining reward will be 1/3 of the initial supply, per year, perpetually (i.e. 1/2 the contributor's reward.) So the money supply increases linearly.
3. if a person's only goal was to use the blockchain to store data, what would be cost per byte, and is there a max rate?
line 385 to 399
- A contract is "funded" when it is created, and the computation performed by the contract consumes the funds.
- storage of a "data item" in contract memory costs 100x where x = floor(10^21 / floor(difficulty ^ 0.5))
- don't see the limit/cost of data items bound to transactions as per transaction definition on line 133
anyway it takes courage to name a currency after a drug like ether.
I don't think anyone associates ether with a drug first.
From Thesaurus: "ether - the fifth and highest element after air and earth and fire and water; was believed to be the substance composing all heavenly bodies"
Though another spelling of that is "aether" (I think this is more common than "ether").
Ethers are also a group of rather common organic compounds in chemistry. This is the page Wikipedia gives you when searching "Ether", as gateway alludes to. Apparently, a specific compound of those (diethyl ether) can be used as a drug. Seems rather unlikely to me that people would connect the name to the drug first.
The transaction fee is determined based on the number of computational steps in the contract. My understanding is that, if the contract has not halted by the time the transaction fee has been "spent", then the transaction is rejected.
yeah I came to the same conclusion, except lines 327/328 confuse me a little bit, as to whether the fee goes to the miner in this case, since on 328 (regular termination) it says so explicitly, but on 327 (exhaustion) it doesn't specify.
yeah, I'm thinking that if that is the case, it would allow you to create a "spike" contract, a highly funded contract designed to use a lot of miner resources until it inevitably fails. then you could send out transactions to this contract which would cause it to execute and fuck with all the other miners, where you just ignore it because you know it will fail. Maybe the cost for computation makes this unreasonable though, I don't really have a sense of the cost of computation.
I don't know if the Ethereum people are looking for comments, but here are a few.
I think that Dagger has serious issues. First, the spec is buggy: the text says that eight bottom-level nodes are hashed together, but the pseudocode only uses four. Second, it does not require 512MB per thread; it requires 512MB of write-once, read-many-times memory, shared by all threads; this property seems to be asking for a rather large ASIC (or a smaller ASIC backed by some multi-port SRAM) to have a huge advantage.
Also, what's up with the choice of secp256k1? It's at least less likely to be backdoored by evil choice of parameters than, say, P-256, but there are many better choices out there (e.g. curve25519 or some of its larger variants). Those better variants have the big advantage (especially in this application) of having faster verification operations.
(The fastest-to-verify option would probably be plain ol' RSA, but signatures are rather large.)
I'm still trying to understand how the whole system works. It appears to be groundbreaking but I'm not really sure. The last sentence in the document should catch your interest:
"As a result, we have a cryptocurrency protocol whose codebase is very small, and yet which can do anything that any cryptocurrency will ever be able to do."
This is a very cool idea. I think it may have some critical flaws, but even the fact that people are thinking of stuff like this is so cool. Very singularitarian.
I think the clever idea here (IMO) is the fees. An argument against implementing a Turing complete language inside Bitcoin or an Altcoin might be that it's hard to determine when execution should end. The fees allow arbitrarily complex constructs without any hard cap, while preventing abuse.
Except it pays the wrong people. In Bitcoin, at least, miners are kept honest by other people running nodes that limit what miners can do. In this protocol the validation would become very expensive but only the miners are paid. This sounds like trouble.
No, the mine pool operator has to, but no more than once to cover every miner in his pool. To draw a comparison to bitcoin, there might only be a dozen or so pool entities which receive nearly all of the subsidy and transaction fees, but thousands of non-mining full nodes.
My first thought was why would one want their currency to be Turing-complete? It's actually a cool concept though. Being able to have your money make decisions opens all kinds of possibilities.
No it doesn't. Or rather— it's not necessary or sufficient: you can already trade distributed cryptocoins, and no amount of cryptocoin magic can completely distribute USD or other non-cryptocoin assets because their differential counterparty risk makes every promise different.
My understanding was that a balance based model opened up some pretty serious security problems, which is why bitcoin didn't use it. I'm dubious of a new coin as complex as this.
I don't understand who does all the Turing-complete contract computation. Presumably the miners, but they're paid to do some useless proof-of-work work, not the Turing-complete computation of the contract.
The fee goes to the miner who happens to find the containing block, yes. But not to the thousands of validating nodes integral to the network. And over time fees are given proportional to hashpower... which doesn't make any kind of sense. The incentives are all messed up.
There aren't thousands of validating nodes. All nodes are computing on jobs in the system. The incentive is you get paid for processing code for someone. It's a trusted cloud framework with payment built in. The Dagger page is down. That'll have the detail on the rewards details for compute.
It's a distributed block chain right? And each fully validating node needs to validate each of the scripts, right? So every full node on the network is replicating every single computation. But only the miners are getting paid.
Dagger appears to be inferior to the Cuckoo Cycle proof of work system I recently developed; see https://github.com/tromp/cuckoo
Cuckoo Cycle is a new proof of work system with the following features
1) proofs take the form of a length 42 cycle in the Cuckoo graph, so that verification only requires computing 42 hashes.
2) the graph size (number of nodes) can scale from 1x2^10 to 7x2^29 with 4 bytes needed per node, so memory use scales from 4KB to 14GB
3) running time is roughly linear in memory, at under 1s/4MB
4) there is no time-memory trade-off, and memory access patterns are the worst possible, making the algorithm constrained by memory latency
5) it has a natural notion of difficulty, namely the number of edges in the graph; above about 60% of size, a 42-cycle is almost guaranteed, but below 50% the probability starts to fall sharply
the naming convention that allows it to be named cuckoo729.
the program could be rewritten not to use bit 31 as a flag,
and then you could use as many as 2^32-1 nodes, but that's
not neatly expressible as MULT*2^SHIFT with few digits.
The dagger page is cached by google here. Note that this is from 29 Dec and has probably been significantly updated since. But here it is for what it's worth:
I don't see anything regarding compute rewards here. It's all about the mining PoW. If all nodes are validating the Turing-complete scripts, and only the miners are getting paid, how does that work? What am I missing?
I would rather see an actual, functional product take off (even without miners). The resistance to Ripple just enables an endless series of me-too fundraisers.
The ethereum proposal is the most technical yet. Hopefully it sets a new minimum bar in the market for crowd-funded vaporware (I'm highly skeptical of them all).
I'm most curious about cryptocurrency algorithms that can be optimally run on FPGAs, but not ASICs or GPUs. Is there anything along those lines floating around already?
For what reason are you interested in that? Any such algorithm would have to make use of the re-programmability of FPGAs, since a static FPGA layout can always be turned into an ASIC...
My interest really has nothing to do with cryptocurrency, but I've been reading about dynamic method migration[0] and modular reconfigurability[1] for a long time. I can see how some of my professional work could benefit from 'adaptive computing'[2] trends as well. The algorithm I have in mind would simply be geared towards hardware that I want to own already.
Precisely. I would expect that the algorithm itself would change over time, with modifications based partially on the state of the network.
Edit: maybe the modification strategy could provide some 'proof-of-steak' protections, without burdening the system with excessive early adopter advantages.
Nothing wrong with ASICs at all, but I would prefer to invest in general purpose infrastructure. It seems like a system favoring FPGAs wouldn't be as attractive to botnet owners either.
I don't really see any reason why it couldn't be Turing complete, as long as it was completely deterministic (no "rand()" etc) and the specification included a maximum number of operations (which Bitcoin's Script already does)
What am I missing? Is the idea that without loops the transaction size can be used to estimate the computation required without actually performing it, and thus the appropriately sized transaction fee required?
Nakamoto designed script to be non-Turing complete from the very beginning (it was mentioned in his white paper). I suspect it was for security reasons. You don't want arbitrary complex code running on miners' machines. At the very least, it could obstruct the system.
Script is not mentioned at all in the Bitcoin white paper. Perhaps you are thinking of a comment he made elsewhere.
Bear in mind that in the Bitcoin design it's not just miners who have to run scripts, it's all nodes, yet fees accrue only to the miners. Bitcoin does use fees to try and make computationally expensive transactions financially expensive as well, but that's just a basic antiflood mechanism, the fees don't actually get collected by those doing the work.
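The fee-per-step halting protection discussed in this thread, as an added example that is not part of any post above and is not taken from the Ethereum draft. The toy opcodes, the flat per-step fee, and the choice to discard storage writes when funding runs out are all assumptions made for illustration.

```python
# Added illustration (constructed toy VM; opcodes and fee are assumptions,
# not the Ethereum draft's instruction set or fee schedule).
STEP_FEE = 1  # assumed flat fee charged per executed instruction


def run_metered(program, balance, storage=None, step_fee=STEP_FEE):
    """Run `program`, charging `step_fee` before every instruction.

    Returns (status, remaining_balance, storage, steps_executed).
    Storage writes are buffered and committed only on a clean halt, so a
    run that exhausts its funding leaves contract storage untouched.
    """
    committed = dict(storage or {})
    working = dict(committed)
    stack, pc, steps = [], 0, 0
    while pc < len(program):
        if balance < step_fee:          # funding spent: stop, discard writes
            return "exhausted", balance, committed, steps
        balance -= step_fee
        steps += 1
        op, *args = program[pc]
        pc += 1
        if op == "PUSH":
            stack.append(args[0])
        elif op == "ADD":
            right, left = stack.pop(), stack.pop()
            stack.append(left + right)
        elif op == "SSTORE":            # write top of stack to a storage key
            working[args[0]] = stack.pop()
        elif op == "JMP":               # unconditional jump enables loops
            pc = args[0]
        elif op == "STOP":
            break
        else:
            raise ValueError(f"unknown opcode {op!r}")
    return "halted", balance, working, steps


# Constructed sample programs.
ADD_AND_STORE = [("PUSH", 2), ("PUSH", 3), ("ADD",), ("SSTORE", "sum"), ("STOP",)]
INFINITE_LOOP = [("PUSH", 1), ("SSTORE", "x"), ("JMP", 0)]

if __name__ == "__main__":
    print(run_metered(ADD_AND_STORE, balance=10))
    print(run_metered(INFINITE_LOOP, balance=10))
    print(run_metered(ADD_AND_STORE, balance=4))
```

The loop never reaches a halting instruction, yet execution is bounded by the funding: total work can never exceed `balance / step_fee` steps.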