Iota is a cryptocurrency, but unlike just about every other cryptocurrency, it's not built on a blockchain. Aiming to design a distributed ledger that's low-cost and scalable enough for the internet of things (IoT), the project's developers have started from scratch and built a new sort of structure they call the "tangle."
The tangle is not the first attempt to find a radically different way of achieving distributed consensus, but following iota's stint in early December as the world's fourth-most valuable cryptocurrency, it's become one of the most prominent blockchain alternatives.
Iota's proposed application, IoT, could benefit enormously from a network able to complete high volumes of minute transactions. Making that network trustless and distributed, as iota aims to do, could open up new economic possibilities. A smart device could "pay its assembly, its maintenance, its energy and also for its liability insurance by giving data, computing power, storage or physical services to other machines," write Carsten Stöcker and Kerstin Eichmann of innogy SE in a post on iota’s blog.
Before iota can make "economically independent machines" happen, though, the project has to confront a number of obstacles: achieving full decentralization, establishing trust in newly invented cryptography, and ensuring that resource-constrained IoT devices can support the network. Several of the iota team's decisions have drawn criticism, and their responses to that criticism haven't always inspired confidence.
But while the only tangle around today is iota's, there is nothing that necessarily limits the tangle to that one implementation or even to IoT. Bitcoin's architecture has been repurposed thousands of times with every application and capability imaginable in mind (not that very many of these attempts have succeeded yet). Iota could turn out to be revolutionary or a footnote; either way, the tangle has the potential to transform a number of industries in need of fast, efficient, trustless systems: digital ad sales, for example.
If it works, that is.
What is the tangle? How is it being implemented in iota? Could it expand beyond that project? And does it really represent—as Serguei Popov wrote in the tangle white paper—blockchain's "next evolutionary step"?
The tangle is what is known as a directed acyclic graph (DAG): a data structure that moves in one direction without looping back onto itself. Like the blockchain, the tangle is a distributed ledger, in which a network of independent accounts perform transactions among themselves, reaching consensus about who owns what without depending on a centralized authority.
That's about where the similarities between tangle and blockchain end. Picture a blockchain: a single string of consecutive blocks, each bolted on top of the last, each containing a set of transactions. The tangle looks rather different. The image below is taken from the white paper:
The tangle. Source: Popov. (Here's another way of visualizing it.)
Time passes from left to right in this graph. Each box represents a transaction issued by a device (or "node") on the network. In proof-of-work blockchains like bitcoin's and ethereum's, Popov writes, there are "two distinct types of participants in the system, those who issue transactions, and those who approve transactions"; in the tangle, every device works to maintain the ledger. Every node is also a kind of miner.
Here’s the process: every time a node wants to transfer some value, it must validate two previous transactions, which the arrows in the image above show. This validation requires a small amount of proof of work in order to secure the network, meaning that transactions are not strictly free. Since there is no distinct group of miners that must be compensated, though, there are no fees. The white paper argues that this no-fee structure enables the kind of microtransactions that would be impossible with bitcoin.
As a tangle transaction receives approvals, and the transactions approving it receive approvals in turn, the "cumulative weight" of that transaction builds up. Similar to confirmations for a bitcoin transaction, higher cumulative weights indicate more reliably immutable transactions. The gray boxes at the far right of the diagram, representing recent transactions that have received no validations, are called "tips."
Consensus without blocks
Since transactions are not being shared all at once as blocks, divergences are more prone to happen on the tangle than the blockchain. "It is important to note that the iota network is asynchronous," Popov writes. "In general, nodes do not necessarily see the same set of transactions. It should also be noted that the tangle may contain conflicting transactions."
Eventually, some conflicting transactions are "orphaned"—not completed—while others stand. The tangle relies on incentives to reach consensus about these transactions' fate. As the white paper points out, "if a node issues a new transaction that approves conflicting transactions, then it risks that other nodes will not approve its new transaction, which will fall into oblivion."
In order to find transactions to approve that are unlikely to lead its own transaction to be orphaned, a node runs a "tip selection algorithm." Iota's tangle doesn't mandate any algorithm in particular, but the white paper makes the case for the Markov Chain Monte Carlo (MCMC) variety.
Popov's MCMC algorithm would place at least two "random walkers" somewhere back on the tangle: not at the beginning (that would take too long), but not too recently (the quality of the selection would suffer). These move chronologically along the paths defined by validations, favoring paths linking transactions of similar cumulative weight. Say that transaction x (cumulative weight = 20) was approved by transaction y (= 19) and transaction z (= 3). The walker has a much higher probability of moving from x to y.
The rationale is that "lazy" nodes—ones that rarely issue transactions and therefore rarely validate others' transactions—will be at a disadvantage. Punishing lazy nodes is useful not just because it cuts down on freeriders, but because lazy nodes pose a risk for double-spend attacks: the white paper describes several such attacks and the ways an MCMC could be used to defend against them.
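The cumulative weights, tips and weighted random walk described above can be reproduced on a toy graph. The following is an added example, not code from iota or the white paper: the sample tangle, the function names and the value of `alpha` are assumptions, every transaction is given an own weight of 1, and the exponential step rule follows the form given in the tangle white paper.

```python
import math
import random

# Constructed sample tangle (not real iota data): tx -> the two transactions it approves.
APPROVES = {
    "genesis": [], "a": ["genesis", "genesis"], "b": ["genesis", "a"],
    "c": ["a", "b"], "d": ["b", "c"], "e": ["c", "d"],
    "f": ["a", "b"],  # late transaction that only approves old ones
}

def approvers(tangle):
    """Invert the edges: tx -> set of transactions that directly approve it."""
    inv = {tx: set() for tx in tangle}
    for tx, parents in tangle.items():
        for p in parents:
            inv[p].add(tx)
    return inv

def cumulative_weight(tangle, tx):
    """Own weight (assumed 1) plus 1 per direct or indirect approver."""
    inv, seen, stack = approvers(tangle), set(), [tx]
    while stack:
        for child in inv[stack.pop()] - seen:
            seen.add(child)
            stack.append(child)
    return 1 + len(seen)

def tips(tangle):
    """Transactions that have received no approvals yet."""
    inv = approvers(tangle)
    return sorted(tx for tx in tangle if not inv[tx])

def step_probabilities(weights, current, candidates, alpha):
    """P(current -> y) proportional to exp(-alpha * (H_current - H_y))."""
    scores = {y: math.exp(-alpha * (weights[current] - weights[y])) for y in candidates}
    total = sum(scores.values())
    return {y: s / total for y, s in scores.items()}

def walk(tangle, start, alpha, rng):
    """Move from start toward the tips, one approver at a time, until a tip is reached."""
    inv = approvers(tangle)
    weights = {tx: cumulative_weight(tangle, tx) for tx in tangle}
    current = start
    while inv[current]:
        cands = sorted(inv[current])
        probs = step_probabilities(weights, current, cands, alpha)
        current = rng.choices(cands, weights=[probs[c] for c in cands])[0]
    return current
```

With the article's numbers (x = 20, y = 19, z = 3), `step_probabilities` puts nearly all of the probability on y, and on the sample graph a walker started at `genesis` almost always ends on tip `e` rather than on `f`, which is how the walk leaves late approvals of old transactions unselected.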
What the white paper doesn't mention
Popov states point-blank, "the concrete implementation of the iota protocol is not discussed" in the tangle white paper (there is no iota white paper). The IOTA Foundation has built a working tangle—the only one—but there is a gulf between the ideal of the tangle and the reality of iota. The developers face a number of challenges in getting their technology ready for the IoT, and some of their decisions have attracted strong criticism.
Storage is an immediate concern for tiny, resource-constrained IoT devices. The white paper doesn't address this issue, but lightbulbs and toasters clearly aren't able to store the entire tangle the way full nodes store the entire 153 GB bitcoin blockchain or 338 GB ethereum blockchain.
Iota's development roadmap, published in March 2017, describes solutions including automated snapshotting—similar in principle to pruning—and a swarm client, which would allow devices to shard and collectively store the database.
In September, a team led by Neha Narula of the MIT Media Lab pointed out a flaw in the "curl," a cryptographic hash function developed in-house by the iota team.
The impetus for designing the curl is the threat of quantum attacks, but "rolling your own crypto" is a gamble, and it appears to have backfired. Iota co-founder Sergey Ivancheglo, aka Come-from-Beyond, justified the flaw Narula's team identified as a "copy-protection mechanism" that would allow iota "to easily attack scam-driven copycats." Ethereum developer Nick Johnson described it as "booby trapping the code."
If a party controls more than a third of the tangle's hashing power, the network is insecure. Bitcoin and ethereum are generally considered secure as long as a single party does not control a majority of the network. In other words, while blockchains are vulnerable to 51% attacks, the tangle is vulnerable to a 34% attack.
Iota's implementation does attempt to mitigate this vulnerability, however, by amassing hash power itself. The IOTA Foundation runs what it calls a "coordinator" node; Eric Wall, an engineer at Cinnober Financial Technology, argues that this decision makes iota "centralized." Joi Ito, the director of MIT's Digital Currency Initiative, wrote that the coordinator represents "a single point of failure." In response to Wall, iota founder David Sønstebø called the coordinator "temporary training wheels" to protect against 34% attacks. (The IOTA Foundation has also responded to Ito.)
The next blockchain?
Tangle may be the "next evolutionary step" of blockchain, as Popov argues, but it does not appear to have achieved that through its only implementation so far. Justifiable concerns about iota's degree of decentralization and security have held the tangle back.
If it is a serious competitor or even successor to the blockchain, tangle should demonstrate the blockchain's versatility and be adapted to other projects, in other industries, with other applications. Bitcoin has not been the blockchain's only application for some time. I asked Popov if the tangle could follow the same trajectory and become independent of iota. "Yes," he told me via email, "the Tangle is just a math model, it can be applied everywhere it suits."
Not everyone is sure about the tangle itself, though. Wall told me via private message, "I'm a long-term skeptic that per-transaction user-generated PoW"—proof of work—"will ever be enough to secure a cryptocurrency." He added that the tangle as described in the white paper "will probably rely on centralized elements for a very long time."
Hypothetically, he said, "you could have a DAG with transaction fees and mining incentives," but then you might as well use a blockchain. Or you could have a proof-of-stake DAG, but that tests the boundaries of what the term "tangle" encompasses.
In his email, Popov stressed that "the full potential of the IOTA itself is largely underestimated - there are so many things being quietly developed now…" He may be right, and iota may transform how devices interact and what they are capable of. That shouldn't prevent other tangle projects from getting underway.
Then again, perhaps Wall has a point. The basic principle behind the tangle—that users validate each other's transactions using proof of work—may always be either too centralized or too insecure. We'll know once more people try it.