It’s one of these things that if people say it often enough it starts to sound like something that could work,
I'm sure you've all read the supernova of hype surrounding cryptocurrencies and blockchain, the miracle new technology that is the Solution to Everything™. Almost everything positive you have read about it is paid advertising, and should be completely ignored. So why should you believe what I'm about to tell you? Two reasons. The first is that no-one is paying me and I have no investments in cryptocurrencies or blockchain companies.
Bitcoin's Academic Pedigree,
Arvind Narayanan and Jeremy Clark
The second is that more than fifteen years ago, nearly five years before Satoshi Nakamoto published the Bitcoin protocol (a cryptocurrency based on a decentralized consensus mechanism using proof-of-work), my co-authors and I won the "best paper" award at the prestigious SOSP workshop for a decentralized consensus mechanism using proof-of-work. It is the protocol underlying the LOCKSS system. The originality of our work didn't lie in decentralization, distributed consensus, or proof-of-work. All of these were part of the nearly three decades of research and implementation leading up to the Bitcoin protocol, as described by Arvind Narayanan and Jeremy Clark in Bitcoin's Academic Pedigree. Our work was original only in its application of these techniques to statistical fault tolerance; Nakamoto's only in its application of them to preventing double-spending in cryptocurrencies.
We're going to walk through the design of a system to perform some function, say monetary transactions, storing files, recording reviewers' contributions to academic communication, verifying archival content, whatever. Being of a naturally suspicious turn of mind, you don't want to trust any single central entity, but instead want a decentralized system. You place your trust in the consensus of a large number of entities, which will in effect vote on the state transitions of your system (the transactions, reviews, archival content, ...). You hope the good entities will out-vote the bad entities. In the jargon, the system is trustless (a misnomer).
Techniques using multiple voters to maintain the state of a system in the presence of unreliable and malign voters were first published in The Byzantine Generals Problem by Lamport et al in 1982. Alas, Byzantine Fault Tolerance (BFT) requires a central authority to authorize entities to take part. In the blockchain jargon, it is permissioned. You would rather let anyone interested take part, a permissionless system with no central control.
In the case of blockchain protocols, the mathematical and economic reasoning behind the safety of the consensus often relies crucially on the uncoordinated choice model, or the assumption that the game consists of many small actors that make decisions independently.
The Meaning of Decentralization,
Vitalik Buterin, co-founder of Ethereum
The security of your permissionless system depends upon the assumption of uncoordinated choice, the idea that each voter acts independently upon its own view of the system's state.
If anyone can take part, your system is vulnerable to Sybil attacks, in which an attacker creates many apparently independent voters who are actually under his sole control. If creating and maintaining a voter is free, anyone can win any vote they choose simply by creating enough Sybil voters.
From a computer security perspective, the key thing to note ... is that the security of the blockchain is linear in the amount of expenditure on mining power, ... In contrast, in many other contexts investments in computer security yield convex returns (e.g., traditional uses of cryptography) ... analogously to how a lock on a door increases the security of a house by more than the cost of the lock.
The Economic Limits of Bitcoin and the Blockchain,
Eric Budish, Booth School, University of Chicago
So creating and maintaining a voter has to be expensive. Permissionless systems can defend against Sybil attacks by requiring a vote to be accompanied by a proof of the expenditure of some resource. This is where proof-of-work comes in; a concept originated by Cynthia Dwork and Moni Naor in 1992. To vote in a proof-of-work blockchain such as Bitcoin's or Ethereum's requires computing very many otherwise useless hashes. The idea is that the good voters will spend more, compute more useless hashes, than the bad voters.
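To make the Sybil argument concrete, here is an added example (not code from the post; voter names and the difficulty are constructed): a vote is counted only if it carries a hash-puzzle solution, so identities created for free count for nothing, and the number of countable votes a participant can cast is bounded by the hashes it computes.

```python
import hashlib
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed parameter: about 2**16 hashes per vote keeps the demo fast.
DIFFICULTY_BITS = 16

Vote = Tuple[bytes, bytes, int]  # (voter pseudonym, choice, nonce)


def _digest(voter: bytes, choice: bytes, nonce: int) -> bytes:
    return hashlib.sha256(voter + b"|" + choice + b"|" + nonce.to_bytes(8, "big")).digest()


def leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def verify(vote: Vote, bits: int = DIFFICULTY_BITS) -> bool:
    """Checking a proof costs one hash; producing one costs ~2**bits hashes."""
    voter, choice, nonce = vote
    return leading_zero_bits(_digest(voter, choice, nonce)) >= bits


def solve(voter: bytes, choice: bytes, bits: int = DIFFICULTY_BITS,
          hash_budget: Optional[int] = None) -> Optional[int]:
    """Try nonces until the digest has `bits` leading zeros (the 'otherwise useless'
    work). Returns None if the budget of hashes runs out first."""
    nonce = 0
    while hash_budget is None or nonce < hash_budget:
        if leading_zero_bits(_digest(voter, choice, nonce)) >= bits:
            return nonce
        nonce += 1
    return None


def votes_for_budget(prefix: bytes, choice: bytes, hash_budget: int,
                     bits: int = DIFFICULTY_BITS) -> List[Vote]:
    """How many countable votes a participant gets from a fixed number of hashes.
    Identities (prefix + counter) are free to mint; only the work is scarce, so the
    result grows linearly with the budget, not with the number of identities."""
    votes, spent, i = [], 0, 0
    while spent < hash_budget:
        voter = prefix + str(i).encode()
        nonce = solve(voter, choice, bits, hash_budget - spent)
        if nonce is None:
            break  # budget exhausted mid-search: those hashes bought nothing
        spent += nonce + 1
        votes.append((voter, choice, nonce))
        i += 1
    return votes


def tally(votes: Iterable[Vote], bits: int = DIFFICULTY_BITS) -> Counter:
    """One count per distinct valid proof; identities that did no work are ignored."""
    counts, seen = Counter(), set()
    for vote in votes:
        if vote in seen:
            continue  # replaying the same proof does not buy a second vote
        seen.add(vote)
        if verify(vote, bits):
            counts[vote[1]] += 1
    return counts


if __name__ == "__main__":
    honest = [(name, b"accept", solve(name, b"accept")) for name in (b"alice", b"bob", b"carol")]
    # 50 constructed sock-puppet identities that did no work (nonce 0).
    sybils = [(b"sock-puppet-%d" % i, b"reject", 0) for i in range(50)]
    print(tally(honest + sybils))  # the workless votes are not counted
    attacker = votes_for_budget(b"attacker-", b"reject", hash_budget=2 * 2 ** DIFFICULTY_BITS)
    print(len(attacker), "attacker votes from roughly two votes' worth of hashing")
```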
|The blockchain trilemma|
The economics of blockchains,
Markus K Brunnermeier & Joseph Abadi, Princeton
Brunnermeier and Abadi's Blockchain Trilemma shows that a blockchain has to choose at most two of the following three attributes:
Your system needs names for the parties to these transactions. There is no central authority handing out names, so the parties need to name themselves. As proposed by David Chaum in 1981 they can do so by generating a public-private key pair, and using the public key as the name for the source or sink of each transaction.
This was not because our Bitcoin was stolen from a honeypot, rather the graduate student who created the wallet maintained a copy and his account was compromised. If security experts can't safely keep cryptocurrencies on an Internet-connected computer, nobody can. If Bitcoin is the "Internet of money," what does it say that it cannot be safely stored on an Internet-connected computer?
Risks of Cryptocurrencies,
Nicholas Weaver, U.C. Berkeley
In practice this is implemented in wallet software, which stores one or more key pairs for use in transactions. The public half of the pair is a pseudonym. Unmasking the person behind the pseudonym turns out to be fairly easy in practice.
The security of the system depends upon the user and the software keeping the private key secret. This can be difficult, as Nicholas Weaver's computer security group at Berkeley discovered when their wallet was compromised and their Bitcoins were stolen.
|Bitcoin "price" history|
Who is on the other side of those trades? The answer has to be speculators, betting that the "price" of the cryptocurrency will increase. Thus a second essential part of your system is a general belief in the inevitable rise in "price" of the coins by which the miners are rewarded. If miners believe that the "price" will go down, they will sell their rewards immediately, a self-fulfilling prophecy. Permissionless blockchains require an inflow of speculative funds at an average rate greater than the current rate of mining rewards if the "price" is not to collapse. To maintain Bitcoin's price at $4K requires an inflow of $300K/hour.
|Ethereum pools 04/06/18|
The Meaning of Decentralization,
In order to spend enough to be secure, say $300K/hour, you need a lot of miners. It turns out that a third essential part of your system is a small number of “mining pools”. As of last August Bitcoin had the equivalent of around 3M Antminer S9s, and a block time of 10 minutes. Each S9, costing maybe $1K, could expect a reward about once every 60 years. It will be obsolete in about a year, so only 1 in 60 will ever earn anything.
To smooth out their income, miners join pools, contributing their mining power and receiving the corresponding fraction of the rewards earned by the pool. These pools have strong economies of scale, so successful cryptocurrencies end up with a majority of their mining power in 3-4 pools. Each of the big pools can expect a reward every hour or so. These blockchains aren’t decentralized, but centralized around a few large pools.
At multiple times in 2014 one mining pool controlled more than 51% of the Bitcoin mining power. At almost all times since, 3-4 pools have controlled the majority of the Bitcoin mining power. Currently two of them are controlled by Bitmain, the dominant supplier of mining ASICs. With the advent of mining-as-a-service, 51% attacks have become endemic among the smaller alt-coins.
The security of a blockchain depends upon the assumption that these few pools are not conspiring together outside the blockchain; an assumption that is impossible to verify in the real world (and by Murphy's Law is therefore false). Similar off-chain collusion among cryptocurrency traders allows for extremely profitable pump-and-dump schemes.
Since then there have been other catastrophic bugs in these smart contracts, the biggest one in the Parity Ethereum wallet software ... The first bug enabled the mass theft from "multisignature" wallets, which supposedly required multiple independent cryptographic signatures on transfers as a way to prevent theft. Fortunately, that bug caused limited damage because a good thief stole most of the money and then returned it to the victims. Yet, the good news was limited as a subsequent bug rendered all of the new multisignature wallets permanently inaccessible, effectively destroying some $150M in notional value. This buggy code was largely written by Gavin Wood, the creator of the Solidity programming language and one of the founders of Ethereum. Again, we have a situation where even an expert's efforts fell short.
Risks of Cryptocurrencies,
Nicholas Weaver, U.C. Berkeley
In practice the security of a blockchain depends not merely on the security of the protocol itself, but on the security of the core software and the wallets and exchanges used to store and trade its cryptocurrency. This ancillary software has bugs, such as last September's major vulnerability in Bitcoin Core, the Parity Wallet fiasco, the routine heists using vulnerabilities in exchange software, and the wallet that was sending users' pass-phrases to the Google spell-checker over HTTP. Who doesn't need their pass-phrase spell-checked?
Recent game-theoretic analysis suggests that there are strong economic limits to the security of cryptocurrency-based blockchains. For safety, the total value of transactions in a block needs to be less than the value of the block reward.
Your system needs an append-only data structure to which records of the transactions, files, reviews, archival content, whatever are appended. It would be bad if the miners could vote to re-write history, undoing these records. In the jargon, the system needs to be immutable (another misnomer).
|Merkle Tree (source)|
The blockchain is mutable; it is just rather hard to mutate without being detected, because of the Merkle tree's hashes, and easy to recover, because there are Lots Of Copies Keeping Stuff Safe. But this is a double-edged sword. Immutability makes systems incompatible with the GDPR, and immutable systems to which anyone can post information will be suppressed by governments.
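An added example, not the post's own code, of why rewriting history is hard to do undetected: each block commits to its records through a Merkle root and to the previous block through its header hash, so an audit against a retained copy shows exactly where a rewrite breaks the hashes (record contents are constructed).

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf(record: bytes) -> bytes:
    return sha256(b"\x00" + record)  # domain-separated from interior nodes


def _node(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def merkle_root(records: List[bytes]) -> bytes:
    """Binary Merkle tree; an odd level duplicates its last node (as Bitcoin does)."""
    if not records:
        return sha256(b"")
    level = [_leaf(r) for r in records]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(records: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says whether the sibling is on the right.
    A proof lets a client check one record against the root without the whole block."""
    level = [_leaf(r) for r in records]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_proof(record: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = _leaf(record)
    for sibling, sibling_on_right in proof:
        h = _node(h, sibling) if sibling_on_right else _node(sibling, h)
    return h == root


@dataclass
class Block:
    prev_hash: bytes
    records: List[bytes]
    root: bytes = field(init=False)

    def __post_init__(self):
        self.root = merkle_root(self.records)  # what the block committed to when mined

    def header_hash(self) -> bytes:
        return sha256(self.prev_hash + self.root)


def build_chain(batches: List[List[bytes]]) -> List[Block]:
    chain, prev = [], sha256(b"genesis")
    for batch in batches:
        block = Block(prev, list(batch))
        chain.append(block)
        prev = block.header_hash()
    return chain


def audit(chain: List[Block]) -> List[int]:
    """Indices of blocks whose committed root no longer matches their records, or
    whose prev_hash no longer matches the block before them."""
    bad, prev = [], sha256(b"genesis")
    for i, block in enumerate(chain):
        if block.root != merkle_root(block.records) or block.prev_hash != prev:
            bad.append(i)
        prev = block.header_hash()
    return bad


if __name__ == "__main__":
    chain = build_chain([[b"alice->bob 5"], [b"bob->carol 2", b"carol->dave 1"], [b"dave->erin 1"]])
    chain[1].records[0] = b"bob->mallory 2"        # rewrite a record in block 1
    print(audit(chain))                            # [1]: root no longer matches
    chain[1].root = merkle_root(chain[1].records)  # recomputing the root only moves
    print(audit(chain))                            # the break to block 2's prev_hash
```

Hiding the rewrite means re-linking every later block, and the other copies of the chain still carry the original hashes.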
A user of your system wanting to perform a transaction, store a file, record a review, whatever, needs to persuade miners to include their transaction in a block. Miners are coin-operated; you need to pay them to do so. How much do you need to pay them? That question reveals another economic problem, fixed supply and variable demand, which equals variable "price". Each block is in effect a blind auction among the pending transactions.
|BTC transaction fees|
How Crypto-Kitties Disrupted the Ethereum Network,
Open Trading Network
So let's talk about CryptoKitties, a game that brought the Ethereum blockchain to its knees despite the bold claims that it could handle unlimited decentralized applications. How many users did it take to cripple the network? It was far fewer than non-blockchain apps can handle with ease; CryptoKitties peaked at about 14K users. NeoPets, a similar centralized game, peaked at about 2,500 times as many.
CryptoKitties' average "price" per transaction spiked 465% between November 28 and December 12 as the game got popular, a major reason why it stopped being popular. The same phenomenon happened during Bitcoin's price spike around the same time. Cryptocurrency transactions are affordable only if no-one wants to transact; when everyone does they immediately become unaffordable. If, over time, running a node continues to be expensive enough to preserve security, fees for inclusion in a block must increase because rewards for mining blocks are set to decrease.
Risks of Cryptocurrencies,
Nicholas Weaver, U.C. Berkeley
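The blind auction for block space described above, as an added example that is not the post's own code: a miner fills a fixed-capacity block by fee rate, and the marginal (clearing) fee rate is computed for constructed demand drawn from one willingness-to-pay distribution at different user counts, so the same bidders face a different "price" depending only on how many others want in.

```python
import random
from dataclasses import dataclass
from typing import List

# Constructed parameters: a block holds 1,000,000 weight units; a plain payment weighs 250.
BLOCK_CAPACITY = 1_000_000
TX_SIZE = 250


@dataclass(frozen=True)
class Tx:
    txid: int
    size: int   # weight units consumed in the block
    fee: int    # satoshis offered to the miner

    @property
    def fee_rate(self) -> float:
        return self.fee / self.size


def select_block(mempool: List[Tx], capacity: int = BLOCK_CAPACITY) -> List[Tx]:
    """Greedy fill by fee rate: a profit-maximising miner takes the best-paying
    transactions first; whatever does not fit waits for a later block."""
    chosen, used = [], 0
    for tx in sorted(mempool, key=lambda t: t.fee_rate, reverse=True):
        if used + tx.size <= capacity:
            chosen.append(tx)
            used += tx.size
    return chosen


def clearing_fee_rate(mempool: List[Tx], capacity: int = BLOCK_CAPACITY) -> float:
    """Fee rate of the cheapest transaction that still got in. If another standard
    transaction would have fitted, nobody was outbid and the marginal price is 0."""
    chosen = select_block(mempool, capacity)
    if sum(t.size for t in chosen) + TX_SIZE <= capacity:
        return 0.0
    return min(t.fee_rate for t in chosen)


def constructed_demand(n_users: int, seed: int) -> List[Tx]:
    """n users bidding once, each with the same (constructed, lognormal) willingness
    to pay. Demand varies with n; the block's capacity does not."""
    rng = random.Random(seed)
    return [Tx(i, TX_SIZE, int(rng.lognormvariate(3.0, 1.0))) for i in range(n_users)]


def demand_sweep(user_counts: List[int], seed: int = 1) -> List[float]:
    """Clearing fee rate for each level of demand, same bidder distribution throughout."""
    return [clearing_fee_rate(constructed_demand(n, seed + i)) for i, n in enumerate(user_counts)]


if __name__ == "__main__":
    for n, rate in zip([2000, 4000, 8000, 40000], demand_sweep([2000, 4000, 8000, 40000])):
        print(f"{n:6d} users wanting in -> marginal fee {rate:.3f} sat/weight")
```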
"Smart contracts" are programs, and programs have bugs. Some of the bugs are exploitable vulnerabilities. Research has shown that the rate at which vulnerabilities in programs are discovered increases with the age of the program. The problems caused by making vulnerable software immutable were revealed by the first major "smart contract". The Decentralized Autonomous Organization (The DAO) was released on 30th April 2016, but on 27th May 2016 Dino Mark, Vlad Zamfir, and Emin Gün Sirer posted A Call for a Temporary Moratorium on The DAO, pointing out some of its vulnerabilities; it was ignored. Three weeks later, when The DAO contained about 10% of all the Ether in circulation, a combination of these vulnerabilities was used to steal its contents.
The loot was restored by a "hard fork", the blockchain's version of mutability. Since then it has become the norm for "smart contract" authors to make them "upgradeable", so that bugs can be fixed. "Upgradeable" is another way of saying "immutable in name only".
Permissionless systems trust:
- The core developers of the blockchain software not to write bugs.
- The developers of your wallet software not to write bugs.
- The developers of the exchanges not to write bugs.
- The operators of the exchanges not to manipulate the markets or to commit fraud.
- The developers of your upgradeable "smart contracts" not to write bugs.
- The owners of the smart contracts to keep their secret key secret.
- The owners of the upgradeable smart contracts to avoid losing their secret key.
- The owners and operators of the dominant mining pools not to collude.
- The speculators to provide the funds needed to keep the “price” going up.
- Users' ability to keep their secret key secret.
- Users’ ability to avoid losing their secret key.
- Other users not to transact when you want to.
So, this is the list of people your permissionless system has to trust if it is going to work as advertised over the long term.
You started out to build a trustless, decentralized system but you have ended up with:
- A trustless system that trusts a lot of people you have every reason not to trust.
- A decentralized system that is centralized around a few large mining pools that you have no way of knowing aren’t conspiring together.
- An immutable system that either has bugs you cannot fix, or is not immutable.
- A system whose security depends on it being expensive to run, and which is thus dependent upon a continuing inflow of funds from speculators.
- A system whose coins are convertible into large amounts of "fiat currency" via irreversible pseudonymous transactions, which is thus an irresistible target for crime.
Maybe it is time for a re-think.
Suppose you give up on the idea that anyone can take part and accept that you have to trust a central authority to decide who can and who can’t vote. You will have a permissioned system.
The first thing that happens is that it is no longer possible to mount a Sybil attack, so there is no reason running a node need be expensive. You can use BFT to establish consensus, as IBM’s Hyperledger, the canonical permissioned blockchain system does. You need many fewer nodes in the network, and running a node just got way cheaper. Overall, the aggregated cost of the system got orders of magnitude cheaper.
Now that there is a central authority, it can collect “fiat currency” for network services and use it to pay the nodes. No need for cryptocurrency, exchanges, pools, speculators, or wallets, so much less temptation for bad behavior.
Permissioned systems trust:
- The central authority.
- The software developers.
- The owners and operators of the nodes.
- The secrecy of a few private keys.
This is now the list of entities you trust. Trusting a central authority to determine the voter roll has eliminated the need to trust a whole lot of other entities. The permissioned system is more trustless and, since there is no need for pools, the network is more decentralized despite having fewer nodes.
Decentralization in Bitcoin and Ethereum Networks,
Adem Efe Gencer, Soumya Basu, Ittay Eyal, Robbert van Renesse and Emin Gün Sirer
How many nodes does your permissioned blockchain need? The rule for BFT is that 3f + 1 nodes can survive f simultaneous failures. That's an awful lot fewer than you need for a permissionless proof-of-work blockchain. What you get from BFT is a system that, unless it encounters more than f simultaneous failures, remains available and operating normally.
The problem with BFT is that if it encounters more than f simultaneous failures, the state of the system is irrecoverable. If you want a system that can be relied upon for the long term you need a way to recover from disaster. Successful permissionless blockchains have Lots Of Copies Keeping Stuff Safe, so recovering from a disaster that doesn't affect all of them is manageable.
I've shown that, whatever consensus mechanism they use, permissionless blockchains are not sustainable for very fundamental economic reasons. These include the need for speculative inflows and mining pools, security linear in cost, economies of scale, and fixed supply vs. variable demand. Proof-of-work blockchains are also environmentally unsustainable. The top 5 cryptocurrencies are estimated to use as much energy as The Netherlands. This isn't to take away from Nakamoto's ingenuity; proof-of-work is the only consensus system shown to work well for permissionless blockchains. The consensus mechanism works, but energy consumption and emergent behaviors at higher levels of the system make it unsustainable.
|Blockchain buzzwords in S&P500 presentations|
Still new to NYC, but I met this really cool girl. Energy sector analyst or some such. Four dates in, she uncovers my love for BitCoin.
You wrote, "You can use BFT to establish consensus, as IBM’s Hyperledger, the canonical permissioned blockchain system does."
I assume you mean Hyperledger Fabric (HF), since that is the Hyperledger project most closely associated with IBM. (All Hyperledger projects are under the umbrella of the Linux Foundation, not IBM, but HF did begin its life inside IBM.)
In any case, HF is not yet BFT, although an option to support that is in the roadmap. HF supports a plugin "ordering service," but there is no working/maintained BFT ordering service for HF. If you want to follow the HF progress on a BFT ordering service, see issue FAB-33 in their JIRA: https://jira.hyperledger.org/browse/FAB-33
Disclosure: I am, or was, associated with BigchainDB, which uses Tendermint, a third-party blockchain system that is BFT. Hyperledger Burrow also uses Tendermint.
Thanks for the correction!
The headline writers at Vulture Central were on form with John Oates' Blockchain is a lot like teen sex: Everybody talks about it, no one has a clue how to do it. Oates looked at the latest from the credulous "analysts" at Gartner, who found that:
"According to a survey of supply chain specialists carried out by Gartner, nine out of 10 blockchain-based projects will have come unstuck by 2023. Only 9 per cent of companies have actually spent money on blockchain projects and just 19 per cent said it was a very important technology for their business.
Alex Pradhan, senior principal research analyst at Gartner, said: "Supply chain blockchain projects have mostly focused on verifying authenticity, improving traceability and visibility, and improving transactional trust. However, most have remained pilot projects due to a combination of technology immaturity, lack of standards, overly ambitious scope and a misunderstanding of how blockchain could, or should, actually help the supply chain. Inevitably, this is causing the market to experience blockchain fatigue."
Despite this, they remained optimistic about blockchains:
"Gartner predicted that at least one cryptocurrency-funded, non-mainstream political party will win a national election by 2023 and that countries will begin to use cryptocurrencies over their own legal tender to counter hyperinflation. Mmkay.
It even forecast that: "By 2025, a public blockchain will provide a core interoperable foundation for global, decentralised identity management."
Jeffrey Lee Funk's Big Tech leapt on the blockchain bandwagon but its applications are stuck in cryptocurrency is appropriately skeptical:
"Blockchain remains a far cry from the grandiose projections of Gartner and other consultants. The benefits will likely depend on the number of companies that participate in blockchain projects in, for example, finance or supply chain management, and it may take decades for many to become involved."
The security of your blockchain depends not just on the security of the node you run, but on the security of all the other nodes in the network. One big problem for permissionless blockchains is that there is no mechanism for enforcing good behavior among the nodes. Catalin Cimpanu's A large chunk of Ethereum clients remain unpatched illustrates this problem:
"security researchers from SRLabs revealed that a large chunk of the Ethereum client software that runs on Ethereum nodes has not yet received a patch for a critical security flaw the company discovered earlier this year.
"According to our collected data, only two thirds of nodes have been patched so far," said Karsten Nohl, one of the researchers."
The reason is that:
""The Parity Ethereum has an automated update process - but it suffers from high complexity and some updates are left out," Nohl said.
Parity clients that have been configured incorrectly will not receive automatic updates, even if node maintainers believe they are. Any Parity client that doesn't synchronize with the main Ethereum blockchain, or is not available from all nodes, will not receive updates.
On the other hand, Geth lacks an automatic update system altogether, making node patching a manual process that requires the operator to keep an eye out for patches and apply them manually when they're available.
All of these issues put all Ethereum users at risk, and not just the nodes running unpatched versions. The number of unpatched nodes may not be enough to carry out a direct 51% attack, but these vulnerable nodes can be crashed to reduce the cost of a 51% attack on Ethereum, currently estimated at around $120,000 per hour."
Why is there reluctance to update nodes?
"The bad news is that these problems are not unique to Ethereum and its node client software.
"Patch problems are widespread among blockchain clients," Nohl told ZDNet. "The patch gap signals a deep-rooted mistrust in central authority, including any such authority that can automatically update software on your computer."
"The blockchain patch gap is more critical for clients that process more complex protocols, in particular smart contracts, since these protocols typically create more surface for bugs that need to be patched."
If you trust a central authority to update your software, what is the point of a permissionless blockchain?
Dan Goodin's Website for storing digital currencies hosted code with a sneaky backdoor describes yet another software supply chain attack in the cryptocurrency space:
"A website that bills itself as providing a safer way to store Bitcoin and other digital currencies has been using a coding sleight of hand to generate private keys that are suspiciously trivial for the operators to guess, leaving all funds stored in the wallets open to theft, researchers with a different service said on Friday."
Amy Castor has more on the Bitfinex/Tether trainwreck. The mystery 26% of the backing keeping USDT stable at $1 included, wait for it, BTC!:
"The Block got hold of a court transcript from the Bitfinex court hearing on May 16. “Tether actually did invest in instruments beyond cash and cash equivalents, including bitcoin,” a lawyer for Bitfinex told the court.
Wait, what? Bitcoin? Tether invested in bitcoin?
The entire purpose of tether is to be a stable asset that traders can use to escape market volatility. Yet, Tether is taking its reserves—money that it was supposed to keep an eye on, so that tethers always remained fully backed—and investing it in a highly volatile asset. What if bitcoin crashes? What then of the stablecoin?
We learn something new about Tether everyday, it seems. According to CoinMarketCap, every 24 hours, the entire $3 billion supply of tethers changes hands 7.5 times, but not really, because most of that volume is fake.
The Block analyst Larry Cermak posted a graph of exchanges that trade tether, and some of the ones with the highest volume are obscure platforms nobody has heard of. “If I were to make an educated guess, at any given time, only a maximum of 15% of the total Tether volume is real,” he tweeted. In other words, it is all wash trading, i.e., trading bots simultaneously buying and selling tether to create the appearance of frenetic activity."
Izabella Kaminska's Blockchain officially confirmed as slower and more expensive reports on the Bundesbank's experimental blockchain implementation:
"The experiment, launched by the Bundesbank together with Deutsche Boerse in 2016, concluded late last year that the prototype “in principle fulfilled all basic regulatory features for financial transactions.” Yet while advocates of distributed ledger technology say it has the potential to be cheaper and faster than current settlement mechanisms, Jens Weidmann said the Bundesbank project did not bear those out.
“The blockchain solutions did not fare better in every way: the process took a bit longer and resulted in relatively high computational costs,” Weidmann said in Frankfurt on Wednesday. “Similar experiences have been made elsewhere in the financial sector. Despite numerous tests of blockchain-based prototypes, a real breakthrough in application is missing so far.”"
Kaminska illustrates this conclusion with a series of quotes from previous Alphaville posts starting 4 years ago with:
"For one, we’re not convinced blockchain can ever be successfully delinked from a coupon or token pay-off component without compromising the security of the system. Second, we’re not convinced the economics of blockchain work out for anything but a few high-intensity use cases. Third, blockchain is always going to be more expensive than a central clearer because a multiple of agents have to do the processing job rather than just one, which makes it a premium clearing service — especially if delinked from an equity coupon — not a cheaper one."
Catalin Cimpanu reports that a Wave of SIM swapping attacks hit US cryptocurrency users:
"Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week, ZDNet has learned, in what appears to be a coordinated wave of attacks.
SIM swapping, also known as SIM jacking, is a type of ATO (account take over) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfer a victim's phone number to their own SIM card.
The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts."
NiceHash is a mining-as-a-service marketplace (from which $64M in customers' cryptocurrency was stolen in December 2017). David Gerard reports that:
"The founder of NiceHash, Matjaž Škorjanc, has been indicted by the US for his past exploits on hacking forum Darkode."
Izabella Kaminska has two posts about Bitcoin transaction fees, which have started to rise again. In Here’s how much Izzy paid to move $19.1 worth of Bitcoin she recounts her adventures trying to move a small amount of BTC from one wallet to another:
"First, it took over an hour to figure out how to gain access to the wallet — the service, it turns out, had migrated to an entirely new app since Alphaville last used it in 2017.
Second, even a standby team of bitcoin aficionados were unable to virtually guide me through the process of figuring out how to initiate a transaction without having to cough up a $5 or so default fee, which is what this particular service was demanding time and time again from me.
In the end, the system beat me. The transaction processed for a fee of 109773 satoshis, approximately $3.1 in dollar terms on the day, which our aficionado friends claimed was unreasonable and probably preventable had anyone other than a tech ignoramus attempted it.
While this is a fair comment, we would argue this reporter represents the rule rather than the exception in society meaning we're not the first to have made this mistake.
Until the crypto geeks understand that, this technology is going nowhere quick in retail payments."
The post starts:
"Something cryptocurrency supporters don't admit to enough — mostly to their own detriment — is just how user unfriendly most of their services are."
And, after discussing Visa's "blockchain-enabled" but centralized product B2B Connect, ends with:
"Something the core finance community clearly doesn't admit to enough — mostly to their own detriment — is just how user friendly their services already are and the degree they don't need to be upgraded with systems that pretend to be decentralised when really they're not, purely for the sake of PR traction with a public that doesn't care either way."
In SegWit and the bitcoin transaction fee conspiracy theory she discusses Craig Wright's theory that transaction fees are manipulated, as the "price" is. His idea is that after the Silk Road busts, the dark markets started to develop the Lightning Network, to provide peer-to-peer transactions off-chain, without logs. But this required the SegWit fix, which had the byproduct of freeing up space in the block. The spike in transaction fees was created to motivate SegWit adoption.
I shouldn't need to warn you not to take anything Craig Wright says at face value.