While the Coordinator is a powerful protective tool, the objections to its existence are well-understood. The IOTA Foundation is eager to see the day it can be retired, and the research department of the IOTA Foundation has a dedicated “Coordicide” team for this exact purpose. We aim for a system that does not require a central Coordinator and, at the same time, does not lead to security weaknesses.
Below, we present what we believe are the necessary strategies to achieve decentralization in a timely manner, and meet the needs of IOTA’s users and stakeholders. We must remind the reader that the approaches outlined here are at various stages of their research, and the final implementation will result from further research and testing. We consider some of the security mechanisms to be more essential, while others are best viewed as potential future paths. We expect to learn a great deal as we begin to deploy a Coo-free testnet in the coming months.
The basic principle of node accountability is to classify transactions as good or bad (typical examples of bad behaviour include double-spending attempts or a very large number of re-attachments). The idea is to create a reputation system, similar to object reputation systems used for peer-to-peer file-sharing. The reputation system would be conceptually similar to page-ranking algorithms, but much simpler and adapted to the needs of the IOTA ecosystem.
We have investigated various reputation systems; the one proposed by Walsh and Sirer has been well-received in the information security community and, at least on preliminary testing, seems very promising for the needs of the Coordicide project. The Credence system for computing peer reputations is completely decentralized, and has already been applied very successfully (e.g. in the Gnutella file-sharing network) in allowing users of different file-sharing systems to make informed judgements of authenticity before downloading unknown content.
The development of a reputation system will also help to avoid a Proof-of-Work race, as there would be nothing to gain from issuing too many transactions — it would be impossible to double-spend, and spammers would be penalized.
We are investigating — both theoretically and experimentally — various algorithms aimed at finding good starting points for the MCMC random walk, and the initial outcomes are promising. We have already developed a large-scale simulation aimed at finding some observable parameters of transactions in the Tangle, and some parameters which are not so easily observable, such as exit-probability-similarity. The next steps in this direction include the application of regression analysis, performance optimizations, and investigation into other alternatives such as local modifiers.
Another candidate under consideration for Coordicide is to use what we call “Stars”, that is, nodes run by well-known public entities such as governments, corporations, or individuals with a high level of trustworthiness. These entities would issue reference transactions in much the same way that Coo issues milestones, but a user- or community-defined constellation of Stars would function as a decentralized, trustworthy reference path through the Tangle. In a way, this would be a ‘first-approximation’ reputation system. As suggested in Serguei Popov’s post on freedom: it is reasonable for one to give greater weight to transactions originating from entities one trusts. The expansion of such a system would substantially diminish the role of the proof-of-work race, and vastly restrict the attacking abilities of misbehaving users with large computational resources.
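The following sketch is an added illustration of the Stars idea above, not IOTA Foundation code or a specified protocol: it scores a transaction by the weighted share of a user-chosen constellation whose latest reference transaction approves it, directly or indirectly. The toy Tangle, the Star names, the weights and the function names are all constructed assumptions, and reference transactions are assumed to have been signature-checked already.

```python
# Added illustration; every identifier and value here is hypothetical.
# Constructed toy Tangle: transaction id -> the transactions it approves.
TANGLE = {
    "genesis": (),
    "a": ("genesis", "genesis"),
    "b": ("genesis", "genesis"),
    "c": ("a", "b"),
    "d": ("a", "a"),
    "spend1": ("c", "d"),
    "spend2": ("b", "b"),          # sits on a separate branch from spend1
    "ref_gov": ("spend1", "c"),    # reference transactions issued by Stars
    "ref_corp": ("spend1", "d"),
    "ref_uni": ("spend2", "b"),
}
# Latest reference transaction per Star (assumed already signature-verified).
REFERENCES = {"gov": "ref_gov", "corp": "ref_corp", "uni": "ref_uni"}
# One user's constellation: Star -> trust weight chosen by that user.
CONSTELLATION = {"gov": 2, "corp": 1, "uni": 1}


def approved_by(tangle, tx):
    """Return every transaction directly or indirectly approved by tx."""
    seen, stack = set(), [tx]
    while stack:
        current = stack.pop()
        for parent in tangle[current]:
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def star_confidence(tangle, constellation, references, tx):
    """Weighted share of the constellation whose reference approves tx."""
    total = sum(constellation.values())
    if total <= 0:
        raise ValueError("constellation needs a positive total weight")
    backing = 0.0
    for star, weight in constellation.items():
        ref = references.get(star)
        if ref is None or ref not in tangle:
            continue  # a Star with no known reference backs nothing
        if tx == ref or tx in approved_by(tangle, ref):
            backing += weight
    return backing / total


if __name__ == "__main__":
    for tx in ("b", "spend1", "spend2"):
        print(tx, star_confidence(TANGLE, CONSTELLATION, REFERENCES, tx))
```

Because the constellation is chosen per user, two users can assign different confidence to the same transaction; a constellation containing only `uni` scores `spend2` at 1.0 and `spend1` at 0.0.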
We should make it clear that we are not going to depart from the main feature of the IOTA Tangle ecosystem — the existence of one fundamental rule (the approval of two transactions by any new transaction) paired with the impossibility to enforce any strict tip selection algorithm. Instead, our fundamental goal is to create an IOTA ecosystem that behaves in a natural way. It can be viewed as an evolving cellular automaton that isolates and eventually eliminates the actions of the misbehaving nodes by adopting an appropriate evolutionary algorithm.
To summarise, the IOTA Foundation is working to restrict and eventually completely eliminate the role of the Coordinator. While the research challenges may seem daunting, we are confident that the outlined approaches will lead to our ultimate goal, and will drastically increase the security and reliability of the entire ecosystem.
On the Engineering side, the next big step is Coo-free IRI (mentioned in the “What’s Next” blog post). The goal of Coo-free IRI is not to replace IRI on mainnet right away. Rather, the goal is to enable local instances and global testnets of a Coo-free Tangle, so that researchers and interested community members can experiment and test their assumptions on a live network — not just a simulation.
The Coo-free IRI project requires some major code changes to IRI, as the current codebase depends on references to milestones. The random walk entry point, confidence levels (to replace “confirmation”), ledger validation, and balance calculations all need to be reworked to match the latest specifications proposed by the research team.
Once a first version of Coo-free IRI is available, we plan to launch a Coo-free Tangle on a testnet. This will allow researchers and community members ample opportunity to help test, optimize, and ensure the security of the network.
In the meantime, while the work on Coo-free IRI is still underway, we are releasing an open source version of the coordinator, which we call Compass. Note that this is not exactly the same as Coo, which runs on mainnet, but it serves some important functions, which we will discuss in more detail in the next post. Briefly: we hope that releasing Compass will encourage our community to deploy their own testnets and independently verify and evaluate the technology.