IOTA (technology)

IOTA is an open-source distributed ledger and cryptocurrency designed for the Internet of things (IoT). It uses a directed acyclic graph to store transactions on its ledger, motivated by a potentially higher scalability over blockchain based distributed ledgers. IOTA does not use miners to validate transactions, instead, nodes that issue a new transaction on the network must approve two previous transactions. Transactions can therefore be issued without fees, facilitating microtransactions. The network currently achieves consensus through a coordinator node, operated by the IOTA Foundation. As the coordinator is a single point of failure, the network is currently centralized.

IOTA has been criticized due to its unusual design, of which it is unclear whether it will work in practice. As a result, IOTA was rewritten from the ground up for a network update called Chrysalis, or IOTA 1.5, which launched on 28 April 2021. In this update, controversial decisions such as ternary encoding and quantum proof cryptography were left behind and replaced with established standards. A testnet for a follow-up update called Coordicide, or IOTA 2.0, was deployed in late 2020, with the aim of releasing a distributed network that no longer relies on the coordinator for consensus in 2021.

History
The value transfer protocol IOTA, named after the smallest letter of the Greek alphabet, was created in 2015 by David Sønstebø, Dominik Schiener, Sergey Ivancheglo, and Serguei Popov. Initial development was funded by an online public crowdsale, with the participants buying the IOTA value token with other digital currencies. Approximately 1300 BTC were raised, corresponding to approximately US$500,000 at that time, and the total token supply was distributed pro-rata over the initial investors. The IOTA network went live in 2016.

IOTA foundation
In 2017, early IOTA token investors donated 5% of the total token supply for continued development and to endow what became later became the IOTA Foundation. In 2018, the IOTA Foundation was chartered as a Stiftung in Berlin, with the goal to assist in the research and development, education and standardisation of IOTA technology. The IOTA Foundation is a board member of International Association for Trusted Blockchain Applications (INATBA), and founding member of the Trusted IoT Alliance and Mobility Open Blockchain Initiative (MOBI), to promote blockchain and distributed ledgers in regulatory approaches, the IoT ecosystem and mobility.

Following a dispute between IOTA founders David Sønstebø and Sergey Ivancheglo, Ivancheglo resigned from the board of directors on 23 June 2019. On 10 December 2020 the IOTA Foundation Board of Directors and supervisory board announced that the Foundation officially parted ways with David Sønstebø.

DCI vulnerability disclosure
On 8 September 2017, researchers Ethan Heilman from Boston University and Neha Nerula et al. from MIT's Digital Currency Initiative (DCI) reported on potential security flaws with IOTA's former Curl-P-27 hash function. The IOTA Foundation received considerable backlash in their handling of the incident. FT Alphaville reported legal posturing by an IOTA Founder against a security researcher for his involvement in the DCI report, as well as instances of aggressive language levelled against a Forbes contributor and other unnamed journalists covering the DCI report. The Center for Blockchain Technologies at the University College London severed ties with the IOTA Foundation due to legal threats against security researchers involved in the report.

Attacks
As a speculative blockchain and cryptocurrency-related technology, IOTA has been the target of phishing, scamming, and hacking attempts, which have resulted in the thefts of user tokens and extended periods of downtime. In January 2018, more than US$10 million worth of IOTA tokens were stolen from users that used a malicious online seed-creator, a password that protects their ownership of IOTA tokens. The seed-generator scam was the largest fraud in IOTA history to date, with over 85 victims. In January 2019, the UK and German law enforcement agencies arrested a 36-year-old man from Oxford, England believed to be behind the theft.

On 26 November 2019 a hacker discovered a vulnerability in a third-party payment service, provided by MoonPay, integrated in the mobile and desktop wallet managed by the IOTA Foundation. The attacker compromised over 50 IOTA seeds, resulting in the theft of approximately US$2 Million worth in IOTA tokens. After receiving reports that hackers were stealing funds from user wallets, the IOTA Foundation shut down the coordinator on 12 February 2020. This had the side-effect of effectively shutting down the entire IOTA cryptocurrency. Users at-risk were given seven days to migrate their potentially compromised seed to a new seed, until 7 March 2020. The coordinator was restarted on 10 March 2020.

IOTA 1.5 (Chrysalis) and IOTA 2.0 (Coordicide)
The IOTA network is currently centralized, a transaction on the network is considered valid if and only if it is referenced by a milestone issued by a node operated by the IOTA foundation called the coordinator. In 2019 the IOTA Foundation announced that it would like to operate the network without a coordinator in the future, using a two-stage network update, termed Chrysalis for IOTA 1.5 and Coordicide for IOTA 2.0. The Chrysalis update went live on 28 April 2021, and removed its controversial design choices such as ternary encoding and Winternitz one-time signatures, to create an enterprise-ready blockchain solution. In parallel Coordicide is currently developed, to create a distributed network that no longer relies on the coordinator for consensus. A testnet of Coordicide was deployed late 2020, with the aim of releasing a final version in 2021.

The Tangle
The Tangle is the moniker used to describe IOTAs directed acyclic graph (DAG) transaction settlement and data integrity layer. It is structured as a string of individual transactions that are interlinked to each other and stored through a network of node participants. The Tangle does not have miners validating transactions, rather, network participants are jointly responsible for transaction validation, and must confirm two transactions already submitted to the network for every one transaction they issue. Transactions can therefore be issued to the network at no cost, facilitating micropayments. To avoid spam, every transaction requires computational resources based on Proof of Work (PoW) algorithms, to find the answer to a simple cryptographic puzzle.

IOTA supports both value and data transfers. A second layer protocol provides encryption and authentication of messages, or data streams, transmitted and stored on the Tangle as zero-value transactions. Each message holds a reference to the address of a follow-up message, connecting the messages in a data stream, and providing forward secrecy. Authorised parties with the correct decryption key can therefore only follow a datastream from their point of entry. When the owner of the data stream wants to revoke access, it can change the decryption key when publishing a new message. This provides the owner granular controls over the way in which data is exchanged to authorised parties.

IOTA token
The IOTA token is a unit of value in the IOTA network. There is a fixed supply of 2,779,530,283,277,761 IOTA tokens in circulation on the IOTA network. IOTA tokens are stored in IOTA wallets protected by an 81-character seed, similar to a password. To access and spend the tokens, IOTA provides a cryptocurrency wallet. A hardware wallet can be used to keep credentials offline while facilitating transactions.

As of 8 December 2021, each IOTA token has a value of $1.17, giving the cryptocurrency a market capitalisation of $3.26bn, according to CoinMarketCap data.

Coordinator node
IOTA currently requires a majority of honest actors to prevent network attacks. However, as the concept of mining does not exist on the IOTA network, it is unlikely that this requirement will always be met. Therefore, consensus is currently obtained through referencing of transactions issued by a special node operated by the IOTA foundation, called the coordinator. The coordinator issues zero value transactions at given time intervals, called milestones. Any transaction, directly or indirectly, referenced by such a milestone is considered valid by the nodes in the network. The coordinator is an authority operated by the IOTA foundation and as such single point of failure for the IOTA network, which makes the network centralized.

Markets
IOTA is traded in megaIOTA units (1,000,000 IOTA) on digital currency exchanges such as Bitfinex, and listed under the MIOTA ticker symbol. Like other digital currencies, IOTA's token value has soared and fallen.

Fast Probabilistic Consensus (FPC)
The crux of cryptocurrencies is to stop double spends, the ability to spend the same money twice in two simultaneous transactions. Bitcoin's solution has been to use Proof of Work (PoW) making it a significant financial burden to have a minted block be rejected for a double spend. IOTA has designed a voting algorithm called Fast Probabilistic Consensus to form a consensus on double spends. Instead of starting from scratch, the IOTA Foundation started with Simple Majority Consensus where the first opinion update is defined by,

$$s_i(1) = \begin{cases}1 & \mu_i(1) \geq \tau\\0 & \text{otherwise} \end{cases} $$

Where $$s_i(\cdot)$$ is the opinion of node $$i$$ at time $$1$$. The function $$\mu_i(1)$$ is the percent of all the nodes that have the opinion $$1$$ and $$\tau \in (0.5,1] $$ is the threshold for majority, set by the implementation. After the first round, the successive opinions change at time $$t$$ to the function,

$$s_i(t+1) = \begin{cases}1 & \mu_i(t+1) > 0.5 \\0 & \mu_i(t+1) < 0.5 \\ s_i(t) & \text{otherwise}\end{cases} $$

Although, this model is fragile against malicious attackers which is why the IOTA Foundation decided not to use it. Instead the IOTA Foundation decided to augment the leaderless consensus mechanism called, Random neighbors majority consensus (RMC) which is similar to SMC although, the nodes in which their opinions are queries is randomized. They took RMC then augmented it to create FPC by having the threshold of majority be a random number generated from a Decentralized Random Number Generator (dRNG). For FPC, the first sound is the same,

$$s_i(1) = \begin{cases}1 & \mu_i(1) \geq \tau\\0 & \text{otherwise} \end{cases} $$

For success rounds though,

$$s_i(t+1) = \begin{cases}1 & \mu_i(t+1) > U_t \\0 & \mu_i(t+1) < U_t \\ s_i(t) & \text{otherwise}\end{cases} $$

Where $$U_t \sim \textbf{U}(\beta,1-\beta)$$ where $$\beta \in [0,1/2]$$, is a randomized threshold for majority. Randomizing the threshold for majority makes it extremely difficult for adversaries to manipulate the consensus by either making it converge to a specific value or prolonging consensus. Note that FPC is only utilized to form consensus on a transaction during a double spend.

Ultimately, IOTA uses Fast Probabilistic Consensus for consensus and uses Proof of Work as a rate controller. Because IOTA does not use PoW for consensus, its overall network and energy per transaction is extremely small.

Applications and testbeds
Proof-of-concepts building on IOTA technology are being developed in the automotive and IoT industry by corporates as Jaguar Land Rover, STMicroelectronics and Bosch. IOTA is a participant in smart city testbeds, to establish digital identity, waste management and local trade of energy. In project Alvarium, formed under the Linux Foundation, IOTA is used as an immutable storage and validation mechanism. The privacy centered search engine Xayn uses IOTA as a trust anchor for its aggregated AI model.

On 11 February 2020, the Eclipse Foundation and IOTA Foundation jointly launched the Tangle EE (Enterprise Edition) Working Group. Tangle EE is aimed at enterprise users that can take IOTA technology and enable larger organizations to build applications on top of the project, where the Eclipse Foundation will provide a vendor-neutral governance framework.

Announcements of partners were critically received. In 2017, IOTA released the data marketplace, a pilot for a market where connected sensors or devices can store, sell or purchase data. The data marketplace was received critically by the cryptocurrency community over the extent of the involvement of the participants of the data marketplace, suggesting that "the IOTA Foundation was actively asking publications to use Microsoft’s name following the data marketplace announcement.". Izabelle Kaminska criticized a Jaguar press release: "our interpretation is that it's very unlikely Jaguar will be bringing a smart-wallet-enabled marketplace any time soon."

Criticism
IOTA promises to achieve the same benefits that blockchain-based DLTs bring - decentralization, distribution, immutability and trust - but remove the downsides of wasted resources associated with mining as well as transaction costs. However, several of the design features of IOTA are unusual, and it is unclear whether they work in practice.

The security of IOTA's consensus mechanism against double-spending attacks is unclear, as long as the network is immature. Essentially, in the IoT, with heterogeneous devices having varying levels of low computational power, sufficiently strong computational resources will render the tangle insecure. This is a problem in traditional proof-of-work blockchains as well, however, they provide a much greater degree of security through higher fault tolerance and transaction fees. At the beginning, when there is a lower number of participants and incoming transactions, a central coordinator is needed to prevent an attack on the IOTA tangle.

Critics have opposed role of the coordinator for being the single source of consensus in the IOTA network. Polychain Capital founder Olaf Carlson-Wee, says "IOTA is not decentralized, even though IOTA makes that claim, because it has a central "coordinator node" that the network needs to operate. If a regulator or a hacker shut down the coordinator node, the network would go down." This was demonstrated during the Trinity attack incident, when the IOTA foundation shutdown the coordinator to prevent further thefts. Following a discovered vulnerability in October 2017, the IOTA foundation transferred potentially compromised funds to addresses under its control, providing a process for users to later apply to the IOTA Foundation in order to reclaim their funds.

Additionally, IOTA has seen several network outages as a result of bugs in the coordinator as well as DDoS attacks. Early in the seed generator scam, a DDoS network attack distracted IOTA admins, leaving initial thefts undetected.

In 2020, the IOTA Foundation announced that it would like to operate the network without a coordinator in the future, but implementation of this is still in an early development phase.