This post aims to explain what mana is, since this Coordicide feature is essential for the IOTA consensus model to work correctly once the Coordinator is turned off. Keep in mind that most of the concepts reviewed here are the product of work in progress, so even though they are part of the Coordicide whitepaper they only reflect the current state of research.

If you didn’t read “A simple explanation of how the IOTA Foundation will decentralize its consensus mechanism” it might be a good idea to spend a few minutes on it as it explains some of the concepts referenced in this post.

Mana is a mechanism designed to deal with Sybil attacks and guarantee that the consensus outcome reflects the right decisions when voting on two conflicting transactions. Next, we will try to explain what Sybil attacks are and some of the systems that exist to deal with them.

Understanding Sybil attacks

One of the best-known security issues in peer-to-peer (P2P) networks, in which peers communicate to exchange information and arrive at decisions, is the creation of fake identities to manipulate the outcome of the decision-making process.

This attack vector is known as a Sybil attack, following the subject of the book “Sybil” (1973, Flora Rheta Schreiber), a case study of a woman diagnosed with dissociative identity disorder.

On P2P networks that allow the creation of identities without much effort, attackers can introduce multiple identities that will be seen as honest participants from the perspective of existing peers. Once these fake identities have been introduced, they can be used to manipulate the process of arriving at a consensus on whatever data the network transacts.

Figure: An example of a Sybil attack. Notice how the green node is almost fully eclipsed by the Sybil nodes.

Sybil attacks can be used as stepping stones to other attacks such as Eclipse attacks, where malicious actors manage to isolate a node’s communication with honest nodes, blocking peer information and altering its vision of the network.

Some mechanisms to deal with Sybil attacks

On P2P networks, Sybil attacks are overcome by having participants do some task that demonstrates their honesty as peers (Proof of Work) or by checking the possession of a certain finite, scarce resource (Proof of Stake, Proof of Scarcity) before a new identity can be introduced.

This way, forging identities has a cost that is usually too high compared to what someone could gain from such an attack. In Bitcoin, for instance, the computational power needed to forge identities and influence consensus to attack the network costs far more than what an attacker could obtain by doing so.

Let’s briefly review some of the methods used on P2P networks to protect against Sybil attacks.

Proof of Work (PoW)

With PoW, P2P networks get some protection from Sybil or spam attacks by requiring the completion of a task that involves computational power. PoW is used by Bitcoin and other mined coins. Because it requires a lot of computational power and IOTA caters to the needs of the Internet of Things, this system is not suitable as a protection mechanism.

Proof of Stake (PoS)

In PoS systems, consensus relies on a committee of nodes that are selected based on the amount of tokens they own (stake). Voting is in the hands of a few participants that lock their staked funds as collateral while each participant assists in arriving at a consensus. Proof of Stake makes it possible to achieve consensus without mining (PoW), but the node operators' work requires some sort of incentive, so PoS-based systems will commonly have some sort of fees.

Proof of Resource (PoR)

Like Proof of Stake, PoR relies on some scarce resource that network participants need to have in order to prove their honesty. This resource can be anything that takes some sort of effort to obtain: PoR can be computational work such as in PoW, or staking of a finite resource gained by doing tasks that are aligned with operating the network. Some examples of this could be PoMemory or PoDiskSpace.

The mana system

We can think of mana as a reputation token parallel to the IOTA token, generated by addresses at a rate proportional to the stake they hold. In this form it is known as pending mana, and it is pledged to nodes, becoming mana, in value transactions.

When a given amount of iota tokens is transferred from one address to another, a node selected by the issuer is pledged with mana, gaining “trust”. The amount of mana this node will get is proportional to the amount of iota tokens sent in the transaction.

Mana aims to grant nodes participating in the network with a ranking/reputation that will allow us to distinguish honest working nodes that have a validated history from new nodes (identities) that just joined.

It is important to clarify that mana can be pledged to the node being used to issue an IOTA token transaction, but it can also be pledged to other nodes. This way new nodes can get a reputation to work in the network (something useful when dealing with IoT nodes that would benefit from having some mana).

“The principles of a mana system is that one should get or have more mana the more one contributes to the network. Contribution is naturally associated to how much stake one holds, but although having tokens helps the network, one should not be able to “mine” an unrestrained amount of mana by simply holding some quantity of tokens for a large amount of time, or by frequently sending tokens around.” Coordicide Whitepaper

But, how does mana protect the network from identity forgery and Sybil attacks? It’s simple: most aspects of the new protocol (voting, peering, rate control) will prioritize nodes with high mana over nodes that cannot prove their honest work on the network. So, even if an attacker manages to create 100 fake identities, his “opinion” will not be taken into account as his reputation (mana) will put him behind all the honest nodes working on the network for a while.

The amount of mana held by each node will be available in the public ledger (Tangle) as its mana state. This will allow us to take into account mana when randomly selecting nodes to query about conflicting transactions. Therefore, on the Fast Probabilistic Consensus voting rounds, nodes will select other nodes to request their opinion in a random fashion biased by how much mana they have.
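The effect of biasing the query selection by mana can be checked with a small simulation. This is an added example, not code from the IOTA project or the whitepaper: the network (20 established nodes, 100 fresh identities), the mana values, the quorum size of 10 and sampling with replacement are all constructed assumptions.

```python
import random

def sybil_share(mana, sybils, by_mana=True):
    """Expected fraction of vote queries that land on Sybil identities."""
    if not by_mana:                       # naive: every identity counts equally
        return len(sybils) / len(mana)
    total = sum(mana.values())
    if total <= 0:
        raise ValueError("no mana in the network, weighting is undefined")
    return sum(mana[n] for n in sybils) / total

def sample_quorum(mana, k, rng, by_mana=True):
    """Pick k nodes to query (with replacement), optionally biased by mana."""
    nodes = list(mana)
    weights = [mana[n] if by_mana else 1 for n in nodes]
    return rng.choices(nodes, weights=weights, k=k)

def captured_rate(mana, sybils, k=10, rounds=2000, by_mana=True, seed=1):
    """Fraction of rounds in which Sybils answer more than half the queries."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(rounds):
        quorum = sample_quorum(mana, k, rng, by_mana)
        if sum(n in sybils for n in quorum) > k / 2:
            hits += 1
    return hits / rounds

# Constructed network: 20 established nodes and 100 freshly created identities.
HONEST = {f"honest-{i}": 5000 for i in range(20)}   # assumed mana per node
SYBILS = {f"sybil-{i}": 10 for i in range(100)}     # assumed mana per identity
MANA = {**HONEST, **SYBILS}

if __name__ == "__main__":
    for by_mana in (False, True):
        label = "mana-weighted" if by_mana else "uniform"
        share = sybil_share(MANA, SYBILS, by_mana)
        rate = captured_rate(MANA, SYBILS, by_mana=by_mana)
        print(f"{label:14s} sybil share={share:.4f} captured quorums={rate:.3f}")
```

With uniform selection the 100 identities make up about 83% of the queried nodes; weighted by mana they account for about 1% because together they hold about 1% of the mana.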

According to the Coordicide whitepaper, the mana system introduces these concepts:

Pending mana. Addresses generate pending mana at a rate proportional to the stake they hold.

Mana. When funds (i.e., IOTA tokens) are spent from an address, the pending mana that has been generated by this address is converted to mana and pledged to a node. Pending mana is now generated by the funds on the receiver’s address.

Decay. Both mana and pending mana decay at a rate proportional to its value, hence keeping mana from growing unrestrained over time.

The mana lifecycle starts with the existence of pending mana on every funded address, proportional to its balance. Say that address A sends 10 Miotas to address B. The full node chosen by the issuer in this operation will then get a proportional amount of mana pledged. This way nodes will stake mana over time as they work for the network, but they will continuously lose some mana given the decay mechanism. Notice that pending mana does not decay over time (as mana does), but addresses accumulating pending mana will decrease their rate of generation in order to avoid reaching a certain limit set by the protocol.
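The lifecycle above can be made concrete with a small model. This is an added example, not the whitepaper's equations or IOTA code: it assumes pending mana follows dp/dt = GEN_RATE*stake - DECAY*p (generation that slows as a limit is approached), pledged mana follows dm/dt = -DECAY*m, and the two constants are invented for illustration.

```python
import math

# Assumed constants for illustration; the page gives no numeric values.
GEN_RATE = 1.0   # pending mana generated per Miota per time unit
DECAY = 0.1      # proportional decay rate applied to mana and pending mana

def cap(stake):
    """Level that mana derived from `stake` approaches but never exceeds."""
    return stake * GEN_RATE / DECAY

def pending_after(stake, dt, start=0.0):
    """Solve dp/dt = GEN_RATE*stake - DECAY*p over dt, from p(0) = start."""
    return cap(stake) + (start - cap(stake)) * math.exp(-DECAY * dt)

def mana_after(mana, dt):
    """Solve dm/dt = -DECAY*m over dt: pledged mana only decays."""
    return mana * math.exp(-DECAY * dt)

def pledged_mana(stake, total_time, transfers):
    """Mana on one node after `stake` is moved `transfers` times, evenly
    spaced over total_time, each transfer pledging to that same node."""
    dt = total_time / transfers
    node_mana = 0.0
    for _ in range(transfers):
        node_mana = mana_after(node_mana, dt)    # mana already pledged decays
        node_mana += pending_after(stake, dt)    # spending converts pending mana
        # the receiving address starts again from zero pending mana
    return node_mana

if __name__ == "__main__":
    stake = 10  # Miota, as in the A -> B example above
    for n in (1, 10, 100):
        print(n, "transfers:", round(pledged_mana(stake, 50, n), 3))
    print("cap:", cap(stake))
    print("hold 10x longer:", round(pledged_mana(stake, 500, 1), 3))
```

Under these assumed dynamics, splitting the same period into 1, 10 or 100 transfers yields the same pledged mana, and holding ten times longer only approaches the cap, which is the property the whitepaper quote asks for.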

Mana: a key feature

Mana is a key feature in the post-Coordinator era. It helps to deal with Sybil attacks in many scenarios related to neighboring, voting and rate control. IOTA's future consensus model will be one in which conflicts between transactions (i.e., two transactions spending the same funds) will be resolved by nodes' votes.

This means that if address A sends to address B its whole balance twice, the network nodes will have to examine these transactions to determine which one is the valid one. This will be done considering the time in which both transactions were made, in favor of the oldest one; here we should note that nodes with high mana will be preferred by other nodes while selecting which ones to query.

According to the recently published Coordicide videos series, mana will be used by most of the modules involved in the new consensus mechanism. Let’s review how this reflects on each case.

Rate Control: as a Sybil control mechanism to prevent spam. The more mana you have the more of your messages/transactions will be broadcast/read/processed.

FPC voting: prevent attacks in voting. The more mana you have the more your opinions will be taken into account.

Auto-peering: prevent Eclipse attacks. Your neighbors/peers have a similar amount of mana as you.

As we can see, mana is central to the proposed consensus model, forming a reputation mechanism that impacts multiple aspects involved in this new protocol logic.

Additional notes on mana

Even though mana is fundamental in how IOTA will work, the modular design of the solutions proposed on Coordicide allows IF to introduce changes or even migrate to a different system such as Proof of Stake if anything goes wrong.

The idea behind mana is crystal clear: form a sort of system that recognizes the network participants doing a good job and prefer them over other nodes on every decision the protocol takes.

Something that might be considered is that nodes doing massive work in the network (exchange nodes, for instance) are expected to get a very high amount of mana once the protocol is rolled out on the mainnet and, therefore, they could have a lot of power over the decision-making process.

Regarding this, we should point out that having high mana does not force nodes to query those mega-mana nodes. Any node operator can decide to exclude certain nodes, despite their mana, from its node list. In fact, they are expected to do so in case of bad behavior from mega-mana nodes.

When we say that mana is objective we refer to this condition: a node with high mana can start misbehaving on the network and, although this won’t alter its mana, other nodes will start ignoring it.

Conclusions

Sybil attacks are a well-known attack vector on P2P networks and, since the IOTA Research team seeks a way to get rid of the Coordinator, some mechanism to deal with these attacks is of the utmost importance.

Mana may not be the only protection mechanism the new IOTA protocol deploys to protect its network. We think that a few other systems have been considered such as Proof of Age (evaluation of the time a node has been working on the network), Proof of Consistency (check whether a node has voted the last N rounds according to the consensus finality results or preferred an invalid transaction), etcetera. Our impression is that the IOTA Research team does not rule out any other mechanisms to aid in protecting the network but at the same time it is fully aware of how every new protective system may introduce attack scenarios.

We do not know for sure what will prove to be best on the simulations and on Chrysalis. For now, mana seems to be a very reasonable system to deal with Sybil attacks at many levels and simulations for FPC biased by mana look promising. We look forward to seeing how it does in the real world.

___________________

Many thanks to Eric Hop for debating ideas, Herbert Bossaerts for perfecting my written English and to the IOTA Research team for their feedback.