Solution 2: Distributed saving

To prevent prefix-attacks on reusable addresses each node needs to store a different value making it impossible to find a seed with an address approved by a lot of nodes. Therefore each node only saves T random trits from the address. Which ones and in which order is decided by a node-seed.

This seed is a sequence of numbers from 1 to 243 (=3⁴), containing each of them exactly once in random order (this seed actually has way more combinations than a regular iota seed). For each number n in the sequence, the node will take trit n of the address input. This reorders the trits to a given order. Here’s an example for an example 8-trit value.

Only drew arrows for the first 4 trits to keep it clean.

We only take the first T trits of this new value, let’s call this set of trits H. This procedure results in thousands of different Hs for each address on the network, each participant saving a different part of the original address.

Independence of nodes

Each node is free in choosing if and how it uses this system as it does not affect consensus. Furthermore, every node can choose which value for T it uses. Nodes with a lot of space can use higher values of T, while Rasps could use very low ones. The value of T can also be decreased over the time if the node needs more space.

Preventing propagation of invalid tx

With low values of T, the attacker can create transactions wrongly approved by a node. He simply brute-forces until he finds a seed which has the same trit values at the positions the node remembered. Despite the transaction spends from a totally different address, the node will deem it as valid. The risk for this is 1:3^T, which isn’t low for smaller values of T.

Unless a neighbour randomly happens to have the same H (which is extremely low if T is not too small), they will reject the transaction through. As a result, the evil transaction never leaves the node it was broadcasted to. If the attacker wants his evil transaction to propagate to a new node, he therefore needs a seed that results in a correct value of H for BOTH nodes. For two nodes, we therefore have a chance of 1:(3^T)². This increases dramatically if we want to reach even more nodes, so the transaction will never get confirmed as the vast majority of the nodes won’t ever receive them.

Choosing the right value for T

Note: For all further examples I’m assuming that there are 1000 honest nodes on the network. I’m aware that this number is too small, this is assuming a worst-case scenario with less honest nodes.

Saving 27 trytes (81 trits) is way more than enough using this method. In this case, just convincing 3 nodes (in our example network) is just as hard as brute-forcing the seed (81 trits security per node * 3 nodes=243 trit security). If we decrease T to 27, getting 3 nodes on my side is as hard as double-spending a tx with sec lv. 1 (27 trits *3 nodes=81 trits security), reaching 10 nodes (1%) is again as difficult than brute-forcing the seed. Note that we cannot reach higher security than 243 trits, as the seed would be easier to crack in this case.

We can now continue to play this game. Each halving of T will allow the attacker to reach two times more nodes with the same work. T=12 (4 trytes) has shown to be a reasonable minimum. As 12 is ~2-times lower than 27, it has become fairly easy to reach .5%, but impossible to reach more than 2% of the network.

Security of a transaction in Trits as node count and T changes. An increase in 1 means a balance is 3 times harder to brute-force.

Why T can’t be too low

With this system, we need to ensure, that the transactions of attackers never confirm. If they do, we have a fork in the network as some nodes will accept the attacker’s transaction and some do not. While even for T=3 a 33% attack looks impossible, it is not too far fetched that less than 1% of the nodes are responsible for 33% of the transactions.

Finally, T=3 would only result in 27 possible outcomes for H. 3^T therefore has to be higher than the total amount of nodes so duplicate Hs don’t become a problem. This automatically excludes T<10.