This is the first of a multi-part blog series which explains our current plans for removing the Coordinator from the IOTA network, a major milestone towards decentralization.
We are excited to open up the discussion about the next steps for IOTA, and in particular how the Coordinator can safely be removed. We have nicknamed this step “Coordicide”.
We would like to start the series by revisiting the early days of the network. This context is helpful for understanding the overall network design, and why we believe the path to Coordicide is the natural next step in the evolution of IOTA.
IOTA’s security, as presented in the white paper, is based on an assumption that the rate of honest transactions is much larger than that of an attacker’s transactions. There are several ways to meet this basic security assumption, and the mechanisms used in the network today differ from our plans for the future. The current network relies on Proof of Work as its primary security mechanism. This implies that if an attacker controls the majority of hashing power in the network they can also control the direction of consensus. In particular, such an attacker would be able to double spend and split the network, which is bad for obvious reasons.
Given this reality, we have had to employ a safety mechanism to protect users’ funds during this early period. Similar mechanisms have been used in more or less every public DLT, to protect networks in their initial stages. This was certainly the case for Bitcoin, which had hard-coded built-in checkpoints to protect selected blocks from being reversed, as well as an alerts system which was basically a way for Satoshi to shut down the network.
While the term Coordinator (Coo, rhymes with dough) became loaded over time, its purpose and function are very simple. The coordinator exists to prevent double spends, while the network does not contain enough hashing power to be intrinsically secure.
The Coordinator works as follows:
Periodically, Coo (which is run by the IOTA Foundation) issues a normal signed transaction. These transactions are called milestones. IOTA’s definition of consensus is then very straightforward: a transaction is confirmed if and only if it is referenced (either directly or indirectly) by a milestone. It is Coo’s job to make sure a milestone does not contradict its predecessors. If Coo issues an invalid milestone, by referencing transactions which double spend or access non-existent funds, the rest of the nodes in the network will not accept it. This means that even if Coo messes up, no funds are lost and no transactions are reversed.
Note that this is in no way meant to be secret or mysterious, and has been actively communicated since the very beginning (for example here, here, here & here). It does not give the IOTA Foundation the power to change history and does not imply that the Foundation can take users’ funds. In that sense, IOTA is already decentralized.
There are several reasons why it is undesirable for Coo to stay around forever:
- In theory, it allows the Foundation to choose which transactions receive priority.
- In theory, it allows the Foundation to freeze funds, by having milestones ignore transactions that spend them.
- It is a single point of attack: if for some reason Coo stops working or is taken over, confirmations in the network would halt.
- Coo has so far been a limiting factor for the scalability of the network.
While these reasons are valid and important, they do not justify removing Coo prematurely and putting users’ funds at risk. Indeed the purpose of the Coordicide project is to make sure that doesn’t happen, and ensure we understand and communicate what we are doing before taking any action.
The current reliance on Proof of Work and the Coo has allowed the network to get off the ground, enabling a much deeper knowledge of the behavior of the Tangle under various conditions. However, Proof of Work is not a viable long-term solution to network security, and also presents scaling limitations. Accordingly, IOTA is presented with the same challenges as every other DLT with regard to security and scaling. Therefore, our vision for coordicide relies heavily on alternate security mechanisms. Our research and plans around these mechanisms are discussed in the third post in this series.
The short answer is that the Coordinator can and will be removed when our research team is satisfied that we understand the coordinator-free Tangle sufficiently.
Through the rest of this blog series we will elucidate the various avenues that our researchers are currently exploring, from proof-of-work, optimizations to the tip-selection, reputation systems and more. We have made good progress, and we are proud to share openly the state of our research and plans for moving IOTA to the next stage of life: a Coordinator-free Tangle.