Signal adds a payments feature with a privacy-focused cryptocurrency

What's the consensus function you use on the mobile coin blockchain. Couldn't see if it's proof of work or proof of stake.

We use a modified version of the Stellar Consensus Protocol that we reimplemented from scratch using Rust.

https://github.com/UkoeHB/Mechanics-of-MobileCoin/blob/maste... << Page 81 is where you want to go.

Were there things that you didn't like about Stellar?

Or did you modify it to fit a different use case?

(thanks for answering questions!)

We wanted more guarantees around safety. Stellar isn't written in Rust and Rust has some very nice safety properties that we felt were valuable enough for a full-on rewrite. We also wanted to be able to hand-tune the performance of the system, and the only way we could really get to that level of control was to do it ourselves.

Finally, we wanted to perform consensus on encrypted values so that the nodes wouldn't be able to censor transactions.

How does Stellar Consensus prevent double-spends?

Imagine I have a private key to an address with 10 coins. Imagine I spend the same amount of money (10 coins) on Mars and Earth at the same time. There is a 10-lightminute gap between Mars and Earth. Assume Mars and Earth have a similar number of Stellar nodes. What happens in Stellar Consensus?

Stellar actually does nothing to prevent double-spends as it is the consensus layer and not the ledger. The ledger prevents double spends in mobilecoin by using a proof called a "key image" which is part of CryptoNote (https://bytecoin.org/old/whitepaper.pdf). Essentially, a ring signature is produced by the user which says "one of these N transactions belong to me" and the key image proves that one of the members of the set is a valid transaction without revealing which transaction was valid (and preventing future reuse of the valid input).

So essentially, this is a mashup between XMR (ring sigs) and XLM (consensus protocol)? Why not use zk-proofs?

So this does seem to use some voting mechanism instead of scarcity through PoW.

How do you prevent the sybil attack then if there is no scarcity?

I.e. what prevents an individual from spinning up 10 million nodes to get more voting power?

Stellar is essentially a liquid democracy system similar to DNS. The core proof at the heart of David Mazieres paper is that in a densely interwoven graph, any set of nodes in a quorum slice reaching consensus is graph consensus. Regarding Sybil, nodes define their own trust relationships, so membership is open but not automatic.

If you can find a way to do ZK-proofs that work in the time constraints that we have (1-3 seconds end to end transaction completion and finality), then we'll switch to them. Right now this is the only way we could get the performance we wanted.

> Regarding Sybil, nodes define their own trust relationships, so membership is open but not automatic.

Thanks for clarifying!

So you're expecting people to

- manually add peers to be able to use the network.

- manually monitor the said peers for if they do malicious transactions, and manually ban them if yes.

Right?

How is this supposed to work considering that:

- most users won't care about manually adding peers. They'll just add EVERYONE who offers to be added so they can be done with it and use the system.

- most users probably won't even understand what a malicious transaction is in the first place.

- the few who do will for sure not have the time to monitor a network which does dozens or in the future even thousands of transactions per second.

This seems just humanly impossible, there's by no means sufficient human time available to manually monitor a P2P network's content if the said content is super boring and complex.

If it were a distributed social network you could expect people to e.g. manually flag spam because using a social network implies reading the posts contained in it.

But manually reviewing money which strangers send to each other is boring as hell, who will do this?

I don't understand the "key image" cryptography, but I can't fathom how any cryptography, no matter how smart it is, could prevent the user from:

1) Creating a backup of their wallet on disk.

2) Sending their coins somewhere, but not broadcasting the transaction to the network, instead storing it in a file.

3) Restoring from the backup

4) Sending the coins to a different address = double spending them.

5) Broadcasting the transactions in a very close timespan to conduct the double-spend.

The network needs to prevent this by storing, in an non-forge-able fashion such as PoW, which transaction happened first.

How does your system guarantee that?

Is it true that it only works on Intel now?

The client trusts a list of centralized validator servers, albeit protected by SGX, to resolve conflicts. At least according to:

https://github.com/mobilecoinfoundation/mobilecoin/tree/mast...

As far as I can tell, "nodes define their own trust relationships" is true only when considering the protocol at an abstract level, or if you're building the code yourself. As a concrete end user using the Signal client, you don't actually get to define your own trust relationships; the app is just hardcoded to trust a specific list of servers, albeit somewhat protected by SGX. Please correct me if I'm wrong.

> The MobileCoin Consensus Protocol solves the Byzantine Agreement Problem by requiring each user to specify a set of peers that they trust, called a quorum. Quorums are based on the real-life trust relationships between individuals, businesses, and other organizations that compose the MobileCoin Network.

How does this solve network splits or honest disagreements?

As someone who works on ZKPs, that's very doable :)

In a Zcash-style spend circuit, the bottleneck is typically the Merkle inclusion proof, which takes say 32 hashes (assuming a limit of 2^32 note commitments). If we're comfortable with using one of the newer arithmetic hashes like Poseidon, that's about 10k constraints. Any of the modern argument systems (Groth16, Plonk, STARKs, etc.) can give proof times well under a second with a circuit of that size. If we want to optimize further, we can get proof times down to around 10-20ms (single-threaded) by using an arithmetization that's carefully tailored to our circuit's bottlenecks.

If we stick with traditional primitives like SHA-256, the circuit becomes substantially larger, but with modern techniques we can at least get proof times under a second. Happy to talk through the options if it would be useful.