I Threw Away $7.6 Million In Bitcoin Five years ago, I threw away a hard drive. An utterly generic 250GB portable hard drive, already a few years old, with a duo of dings and scrapes in its shell and with the beginnings of an audible click that would have eventually killed it. It had a […]
bitcoin and blockchain
By Eliezer Kanal
Technical Manager, Cyber Security Foundations
Blockchain technology was conceived a little over ten years ago. In that brief time, it went from being the foundation for a relatively unknown alternative currency to being the “next big thing” in computing, with industries from banking to insurance to defense to government investing billions of dollars in blockchain research and development. This blog post, the very first of two posts about the SEI’s exploration of DoD applications for blockchain, provides an introduction to this rapidly emerging technology.
At its most basic, a blockchain is simply a distributed ledger that tracks transactions among parties. What makes it interesting are its fundamental properties, which apply to every single transaction:
- All parties agree that the transaction occurred
- All parties agree on the identities of the individuals participating in the transaction
- All parties agree on the time of the transaction
- The details of the transaction are effortless to review and not subject to dispute
- Evidence of the transaction persists, unchangeable, over time
This combination of properties results in a system that, by design, timestamps and records all transactions in a secure and permanent manner, and is lightly auditable in the future. In addition to the above, due to its distributed nature, the system is very resilient to downtime. All these properties combined makes an appealing system for a broad diversity of applications, and indeed explains much of the interest in the technology.
Before describing blockchains in general terms, I’ll describe one of the simplest and best-known implementations in use today: the cryptocurrency Bitcoin. The blockchain in Bitcoin literally acts a ledger; it keeps track of the balances for all users and updates them as money switches palms.
The Bitcoin application permits for two types of users, whom we will refer to as participants and miners. Participants are individuals who want to use Bitcoin as a currency, sending and receiving Bitcoins in exchange for goods and services. These users apply the Bitcoin software to create a “wallet” from which they can send and receive Bitcoins to other participants. The transactions–literally just a message sent to the Bitcoin network broadcasting that this user gave a specific number of Bitcoins to that user–indicate to users that the ledger should be updated.
The role of the miner is to cement these transactions in time through a process called mining. Mining involves solving a hard mathematical puzzle to create blocks, grouped sets of transactions that have been verified to be valid. A good overview for this process shows up here, and a brief description goes after. The miner selects a random group of unverified transactions that have been generated by users, as well as the solution to the preceding block. The miner’s computer will then do some math that involves searching for a random number to solve the puzzle. When a miner finds a solution, the miner conveys it to all other miners, who quickly verify the response and agree that it is correct. At this point, all the transactions that were included in that block are now cemented in time, and the miners begin working on a fresh set of transactions, linking it to the freshly minted block, and begin mining again. This mechanism links each fresh puzzle lump indelibly to the previous lump, and the chain proceeds for each fresh transaction set added to the chain. As a result, every time a fresh puzzle chunk is added, the transactions are cemented in time and their validity is verified by their connection to the preceding chunk in the chain: evidence of what transaction occurred, who was involved, and when it occurred.
In this environment, it is unlikely to pretend that a transaction took place if it did not. All parties involved are able to look at the transaction history and see that such a transaction never occurred. If a party attempts to add a fraudulent transaction, the reaction to the puzzle will be different from the correct response, because the next puzzle chunk can be linked only to the actual verified transaction; only the true transaction will be linked to the next puzzle lump. If a malicious actor attempts to insert a fresh block in the chain, other miners will compare the fake block to their own copy of the blockchain and quickly recognize that the fresh block is fake.
While Bitcoin is a plain implementation of a blockchain, it was the very first real-world application of the technology. A message sent in Bitcoin is, literally, of the form, “give five of my Bitcoins to that person.” The Bitcoin blockchain is simply a big, distributed ledger, and the messages sent back and forward are identical to someone handing some cash to a friend. Exchanging Bitcoins by means of exchanging messages is what permits the exchange of money inbetween two parties.
Why Is Interest in Blockchain Exploding?
While blockchain has gained significant popularity due to its role in cryptocurrency (e.g., Bitcoin, Ethereum, etc.), industries as disparate as real estate, healthcare, insurance, systems of records, and even sports ticket sales may be disrupted by blockchain. Fifty financial institutions have committed resources to blockchain-related research, dozens of healthcare companies have voiced interest in blockchain-based technologies, and consulting companies across the globe are helping their clients understand the promise that blockchain can hold for them.
This interest in blockchain technology stems from its four fundamental properties, all of which are very attractive in many industries. Blockchain is
- Collective–Traditional databases are stored on a single server, which acts as a single point of failure. Additionally, if the server gets overcharged, users can’t query it for data in a timely manner. In the case of blockchain, numerous copies of the data are stored at many points via the network of participants, with participants each having a total copy of the entire ledger. As a result, the system more resilient to attack and disruption.
- Authenticated–Every transaction on a blockchain is associated with an identity. This enables semitransparent audit trails, the capability to require specific types of content based on the user, and transaction authorization based on permissions.
- Auditable–The entire history of the blockchain is stored on numerous knots and is lightly viewable by an auditor, thus creating a very semi-transparent system.
- Tamper-proof–The cryptographic underpinnings of blockchain technology make the system resistant to tampering with historical data. No single participant can affect the data, and advances are regularly being made to ensure that the data cannot be switched once logged.
In brief, blockchain provides a distributed, authenticated messaging system that tracks all events, is tamper resistant, and maintains a history.
Such a system can be applied in a number of commercial settings. For example, within the financial industry, tracking transactions inbetween parties is one of the primary purposes of a financial clearinghouse, which acts as an intermediary inbetween parties in the transaction. Blockchain technology shows significant promise in facilitating financial transactions, eliminating the intermediary and significantly reducing costs for everyone involved. Moreover, if the currency itself can be represented by the messages being passed around (as it is in Bitcoin), then the blockchain becomes more than just a method for signifying transactions; it becomes the currency itself.
Healthcare is awash with transactions that would benefit from inherently authenticated and tamper-proof messages, from prescriptions to procedure orders to medical records themselves. Two healthcare providers providing services to the same patient often need to share data about a patient, and this sharing still often takes place by means of the telephone or U.S. mail. Such transactions are insecure, slow, and unreliable. Some healthcare providers build an application program interface (API) that permits queries from authorized outer parties, which is an improvement over telephone or mail, but the information remains managed by the healthcare provider who generated it.
With blockchain, health records would be possessed by the patient, and the patient would provide permission to any healthcare providers needing access to the records. Health records could then be distributed: every participant would store a utter copy of the entire encrypted data set. Rather than querying a remote server, healthcare providers would simply pull needed data from the chain. Should the patient begin watching a fresh doctor, he or she would simply give the fresh doctor the adequate permissions, and the doctor would then have access the patient’s medical data. This could be customized as much as is needed; there are some types of data which only specific doctors should see–a radiologist reading an x-ray of a violated wrists doesn’t need to see psychiatric history, for example–and blockchain can lightly support this type of granularity. Further reading on blockchain in healthcare can be found here, and an example implementation of a medical health record system using blockchain technology can be found here.
Real estate could also benefit from having records of ownership stored in a distributed, digital ledger that could be lightly accessed rather than stored in a single database administered by a county or region. Local ownership of records is complicated by variance in regulations for property ownership, record keeping, contracts, etc. With blockchain, both buyers and sellers would have a finish record of information about a property and could transfer data and assign ownership of that data more lightly and securely than is presently possible. Further reading on blockchain in real estate can be found here.
What are the Risks?
Blockchain shows tremendous potential, but is still slightly out of its infancy. Initial experiments with creating businesses built using blockchain technology have been mixed, with many failures. The largest public failure was the hack of The DAO, a blockchain-based venture capital fund that lost more than $50 million due to a poorly designed blockchain program, called a “clever contract.” A more latest hack lost more than $30 million due to a critical flaw in another “brainy contract” that managed the Parity multi-signature wallet on the Ethereum network. Other ventures have had difficulty getting began or are still in stealth startup mode, working on overcoming limitations in the technology.
The largest problem with current blockchain implementations is that it requires an enormous number of users acting as miners to function. Mining requires computers to run many millions of calculations per 2nd, thereby consuming a significant amount of electro-therapy, which costs money. While this may be an acceptable cost in the case of Bitcoin for hobbyist users, large businesses will not want their machines running at utter speed simply because the blockchain software needs numbers to run. This otherwise-purposeless tens unit expense is a significant hindrance so far to adoption. While there are alternative approaches to mining, these are presently academic exercises, and none have been implemented in any large-scale blockchain.
A 2nd impediment to the adoption of blockchain in a well-established industry, as with any fresh technology, is simply the inertia of existing solutions. Any blockchain-based solution for any sector would require major infrastructure switches and wide-scale user adoption. Particularly in the case of blockchain, where a technology went from non-existent to worldwide buzzword in two years, more conservative companies will need to see a number of successful use cases before even thinking about adopting this fresh technology.
With all that in mind, many businesses recognize the potential of blockchain and are working hard to make the transition effortless. IBM specifically has invested significant resources into the Hyperledger Platform and has released significant documentation and tooling for developing blockchain-based applications.
Why Is the SEI Investigating Blockchain?
The defense sector has identified a number of potential use cases for blockchain technology. The Department of Homeland Security (DHS) recently distributed $400,000 to four blockchain companies to investigate the use of blockchain in identity management and privacy protection. DARPA recently initiated a program researching the applicability of blockchain technology to secure, resilient messaging. The Office of the Assistant Secretary of Defense for Readiness also recently put out a Broad Agency Announcement (BAA) that included research into the applicability of blockchain technology to training and readiness programs.
At the SEI, we have also been investigating the use of blockchain technology within the DoD. Taking advantage of our deep understanding of software engineering principles, our current concentrate has been on ensuring that the blockchain application-development process doesn’t expose applications and users to unnecessary risk. Unluckily, as with any fresh technology, early adopters have helped expose a number of significant design flaws with existing blockchain implementations. Our team is focused on developing a “secure by design” language that can be used for blockchain application development. By creating a language that specifically makes certain types of bugs unlikely to create, we aim to significantly reduce the risk inherent in the adoption of blockchain technology. We will describe this work in greater detail in a forthcoming blog post.