Revisiting the blockchain
The buzz around blockchain technology is louder than ever. Blockchains are no longer limited to the financial world – they have been linked to potential applications within areas such as identity and security, the property market, and the sharing economy. As the list of conceivable use cases grows, let’s take a moment to revisit some basic facts and limitations of blockchain technology.
In this blog post I will compare permissionless blockchains (like Bitcoin) with so-called ‘permissioned’ blockchains that also pop up in discussions about uses for blockchain technology. Let’s start with the famous Bitcoin. Nobody seems to know the real reason why the mysterious Satoshi Nakamoto invented and deployed Bitcoin, but it is safe to say that it is one of the largest financial experiments the world has seen so far with around 10 billion dollars in market capitalization to date.
A clue to Bitcoin’s raison d'être can be found in the very first sentence of the abstract of his 2008 paper Bitcoin: A Peer-to-Peer Electronic Cash System, in which he introduces Bitcoin as a “purely peer-to-peer version of electronic cash”. This, to me, says it all, as Bitcoin consists of three important parts:
- A transaction system for storing and transferring assets between users
- A peer-to-peer network that makes the system robust
- A transaction history, called a ledger, and an algorithm for reaching consensus on what is included in the ledger as it grows
For those of you less familiar with financial terminology, a ‘ledger’ is a tool designed to keep track of your transactions and accounts. In the case of Bitcoin, the ledger is implemented using a blockchain. I will use the terms ledger and blockchain interchangeably to denote the instrument that records the transactions. In order to understand some of the properties of blockchain technology, we will look at the requirements for a ledger for cash handling, and in particular at Bitcoin’s ledger.
Three properties of cash
So, what is it that characterizes handling cash, and what is Bitcoin trying to mimic? Here we’ll look at three main properties (adapted and modified from Richard Brown’s blog):
- Cash is an asset you hold. There is no way for anyone to take away your money unless they rob you of it. And governments and banks cannot devalue your cash without affecting everybody else too.
- It is intrinsically a peer-to-peer instrument. There is no need for trusted third party (TTP) involvement for me to give you some cash, assuming we are in geographical proximity. Note that a TTP (the central bank) is needed to give the metal coins and paper notes a value, but a TTP does not need to be involved in the transaction per se.
- There is also no way a central authority can stop me from giving you cash. The distribution of cash is non-discriminatory.
These three properties together are called ‘censorship resistance’, and Bitcoin is more or less designed to meet these goals. Take for example the first property: it is addressed by using public/private key pairs to control the assets. The third property means that there cannot be a central, identifiable issuer of money, because such an issuer could act in a discriminatory way and favor some participants over others. Hence the currency must be created automatically by the system. In Bitcoin’s case, it is created on the blockchain as part of the mining process.
The third property also implies that the users of an electronic cash system cannot be identifiable, since otherwise the validators could choose to block certain users’ transactions, which would violate the third property. We can also see that the non-discrimination goal makes it natural to avoid a central validator and to treat each participant in the network equally. Hence, it must be permitted (and encouraged) for each anonymous participant to act as a validator and to keep and maintain their own complete copy of the ledger.
Now, in order for the transactional system to work, there must be a way of reaching consensus about the order of transactions, to prevent double-spending of assets. The FLP theorem tells us that in general we cannot reach consensus in an asynchronous network with faulty (malicious) nodes, but Bitcoin weakens the consensus rules to something that could be described as asymptotic consensus. There could be a fork in the chain a few blocks back, producing two branches of similar length, but eventually one of them will supersede the other and become the dominant chain. So much work (energy) is invested in the history of the chain that it becomes infeasible for anyone to alter the chain a few blocks back and grow that branch longer than the “correct” one unless they control the majority of the compute power. Because of this weakened variant of consensus, it is recommended to wait for at least six blocks (about an hour) before regarding a transaction as final. The Proof-of-Work (PoW) algorithm works both as a consensus mechanism and as a guarantee of immutability. Consensus about which block should extend the chain is simply reached by saying that whoever is fastest in solving the PoW puzzle gets to decide the next block.
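To make the mechanics above concrete, here is a toy proof-of-work chain written for this post (it is an added example, not code from the original article or from any real Bitcoin implementation). It assumes a constructed, very low difficulty of 12 leading zero bits, a constant difficulty so that accumulated work is simply blocks times 2^bits, and string transactions; the names Block, mine, validate_chain, choose_chain, confirmations and tamper are all invented here. It shows the three points the paragraph makes: the hash of each block commits to the previous one, so changing one transaction invalidates every later block unless all of them are re-mined; the fork choice rule picks the branch with the most accumulated work; and “confirmations” is just the number of blocks mined on top of the one you care about.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List

# Constructed toy parameters: a real network uses a far higher difficulty.
DIFFICULTY_BITS = 12          # leading zero bits a block hash must have
GENESIS_PREV = "0" * 64       # previous-hash field of the first block


@dataclass
class Block:
    prev_hash: str
    txs: List[str]
    nonce: int = 0

    def header(self) -> bytes:
        # Canonical serialisation so every node hashes identical bytes.
        return json.dumps(
            {"prev": self.prev_hash, "txs": self.txs, "nonce": self.nonce},
            sort_keys=True,
        ).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header()).hexdigest()


def meets_target(block_hash: str, bits: int = DIFFICULTY_BITS) -> bool:
    # A hash "solves" the puzzle when its top `bits` bits are all zero.
    return int(block_hash, 16) >> (256 - bits) == 0


def mine(prev_hash: str, txs: List[str], bits: int = DIFFICULTY_BITS) -> Block:
    # Brute-force the nonce; the expected number of attempts is 2**bits.
    block = Block(prev_hash, list(txs))
    while not meets_target(block.hash(), bits):
        block.nonce += 1
    return block


def validate_chain(chain: List[Block], bits: int = DIFFICULTY_BITS) -> bool:
    # Every block must link to its predecessor's hash and carry valid PoW.
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or not meets_target(block.hash(), bits):
            return False
        prev = block.hash()
    return True


def accumulated_work(chain: List[Block], bits: int = DIFFICULTY_BITS) -> int:
    # With constant difficulty, expected work is 2**bits per block.
    return len(chain) * (1 << bits)


def choose_chain(a: List[Block], b: List[Block]) -> List[Block]:
    # Fork choice: an invalid branch loses outright; otherwise the branch
    # with the most accumulated work wins, and `a` (first seen) wins ties.
    if not validate_chain(a):
        return b
    if not validate_chain(b):
        return a
    return b if accumulated_work(b) > accumulated_work(a) else a


def confirmations(chain: List[Block], index: int) -> int:
    # Blocks mined on top of block `index` (six is the usual finality rule).
    return len(chain) - 1 - index


def tamper(chain: List[Block], index: int, new_txs: List[str]) -> List[Block]:
    # Rewrite one block's transactions without re-mining anything. Its hash
    # changes, so the next block's prev_hash no longer matches: validation
    # fails from `index` onward, and an alternative history would need every
    # block from `index` to the tip re-mined.
    forged = list(chain)
    forged[index] = replace(chain[index], txs=list(new_txs))
    return forged


def build_chain(tx_batches: List[List[str]]) -> List[Block]:
    # Mine one block per batch of (constructed) transactions, in order.
    chain: List[Block] = []
    for txs in tx_batches:
        prev = chain[-1].hash() if chain else GENESIS_PREV
        chain.append(mine(prev, txs))
    return chain


if __name__ == "__main__":
    honest = build_chain([["coinbase->alice 50"], ["alice->bob 10"],
                          ["bob->carol 5"], ["carol->dave 1"]])
    print("honest chain valid:", validate_chain(honest))
    print("confirmations of block 1:", confirmations(honest, 1))
    print("tampered chain valid:", validate_chain(tamper(honest, 1, ["alice->mallory 50"])))
```

Mining is deterministic here (the nonce always starts at zero), so the same batches always give the same chain, which makes the behaviour easy to check. Raising DIFFICULTY_BITS shows why waiting for confirmations matters: each extra block on top of a transaction is another 2^bits of expected work that any alternative history would have to redo.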
Other consensus algorithms have been proposed for blockchains similar to Bitcoin, for example the Proof-of-Stake (PoS) class of algorithms. PoS builds on the notion that only those holding assets in the system may participate in the consensus process that grows the chain. Simplified, it works as follows. Users who want to participate in the consensus protocol must have assets (coins) on the chain. They lock their assets by cryptographic means for a period of time and thus have “a stake” in progressing the chain, in order to be able to unlock their assets again. An algorithm chooses which of the participants are selected to sign the next block. A majority of the selected participants then need to sign off on the new block, and it is added to the ledger. After some time, their assets are unlocked. Since the selection is random, it is argued that the probability of participants teaming up in a collusion is very low, and they hold power only for a short period of time, so they cannot cause much mayhem.
This has been criticized by some as fundamentally flawed. For example, Andrew Poelstra writes in the paper Distributed Consensus from Proof of Stake is Impossible:
“Suppose that at some early point in consensus time, a single person has the ability to extend history. (For example, they have control over every key which a new block is required to be signed by.) This may have happened organically, if this person’s keys were chosen randomly by the stake-choosing algorithm, but it could also happen if this person tracks down the other keyholders and buys their keys. This may happen much later in consensus time (and real time), so there is no reason to believe these keyholders are still incentivized to keep their keys secret. Alternately, they may have revealed the keys through some honest mistake, the chances of which increase as time passes, backups are lost, etc.
Now, we have a consensus history and an attacker who is able to fork it at some early time. To actually replace the entire consensus history, he needs to produce an alternate history, starting from his fork, which is longer than the existing history. But every block needs a new random selection of signers, so is this possible? The answer is absolutely yes: we have been using this word “random”, but in fact we have required consensus on the set of signers (otherwise forks would trivially happen), so even a random selection must be seeded from past consensus history. Therefore, an attacker with enough past signing keys can modify the history he has direct control over, causing future signer selections to always happen in his favour. (It is likely he needs to “grind” through many choices of block before he finds one which lets him keep control of the signer selection. In effect, he has replaced proof-of-stake with proof-of-work, but a centralized one.)”
Poelstra goes even further and states that he believes it is impossible to reach consensus in a given space without consuming resources in that space. In our case, as we live on planet Earth, we need to produce entropy in the real world in order to reach consensus. In this thermodynamic view, you (locally) decrease entropy when you reach consensus among a number of participants, hence you need to increase entropy somewhere else in the system. This is done by consuming energy in CPU cycles. If Poelstra’s hypothesis turns out to be true, a global economy based on virtual coins will be hard to achieve when environmental aspects are considered. The total power consumed by the Bitcoin miners today is greater than the total power consumed by the Republic of Ireland.
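The simplified PoS procedure described above, and the property Poelstra’s argument rests on (that the “random” signer selection must be seeded from already-agreed history so that every node computes the same committee), can be shown in a few lines. This is an added example written for this post, not code from the article or from any real PoS system. It assumes a constructed stake table, a committee of three signers drawn stake-weighted from the latest block hash, and a simple majority rule for accepting a block; the names select_committee, seed_from_history and block_accepted are invented here.

```python
import hashlib
from typing import Dict, List

# Constructed stake table: participant -> coins locked for staking.
STAKES: Dict[str, int] = {"alice": 40, "bob": 30, "carol": 20, "dave": 10}
COMMITTEE_SIZE = 3


def seed_from_history(chain_hashes: List[str]) -> int:
    # The selection must be reproducible by every node, so it is seeded from
    # the already-agreed history (here: the latest block hash). That is exactly
    # why anyone holding the chain can recompute who the next signers are.
    last = chain_hashes[-1] if chain_hashes else "0" * 64
    return int(hashlib.sha256(last.encode()).hexdigest(), 16)


def select_committee(chain_hashes: List[str], stakes: Dict[str, int],
                     size: int = COMMITTEE_SIZE) -> List[str]:
    # Stake-weighted sampling without replacement, driven only by the seed.
    seed = seed_from_history(chain_hashes)
    remaining = dict(stakes)
    chosen: List[str] = []
    for round_no in range(min(size, len(remaining))):
        total = sum(remaining.values())
        r = int(hashlib.sha256(f"{seed}:{round_no}".encode()).hexdigest(), 16) % total
        for name in sorted(remaining):      # fixed order: iteration order is part of consensus
            r -= remaining[name]
            if r < 0:
                chosen.append(name)
                del remaining[name]
                break
    return chosen


def block_accepted(committee: List[str], signers: List[str]) -> bool:
    # A block is added only when a majority of the selected committee signed
    # it; signatures from participants outside the committee do not count.
    valid = {s for s in signers if s in committee}
    return len(valid) * 2 > len(committee)


if __name__ == "__main__":
    history = ["ab" * 32]                  # constructed hash of the latest block
    committee = select_committee(history, STAKES)
    print("committee for next block:", committee)
    print("accepted with 2 of 3 signatures:", block_accepted(committee, committee[:2]))
    print("accepted with 1 of 3 signatures:", block_accepted(committee, committee[:1]))
```

Two nodes with the same history always derive the same committee, which is what makes agreement possible; the flip side, which Poelstra's quoted passage spells out, is that the seed is a function of blocks someone already controlled, not of fresh randomness.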
Permissionless or permissioned ledgers?
At a recent workshop I attended, one potential application proposed by the industry representatives was to keep production and product audit trails in a blockchain, to be able to trace the components and services of a product. Take for example a car. They would like to register all the components of the car in a blockchain, and whenever the car is serviced or some parts are exchanged, it is recorded in the ledger who did the service and what the new part is. It would be like having a complete list of components for each car on the market. When you go to the used car sales lot, you can query the ledger about the car you are interested in and get a complete history of ownership and services.
Can we use a Bitcoin-like ledger to achieve this? More generally, can a cash-oriented blockchain be used? I believe that the answer in general is no. Since the users of such a blockchain must be anonymous, there is no way to tie a user’s actions on the blockchain to actions in the real world. In fact, there is no way a user can put trustworthy information about the real world on the chain, so applications such as identity management cannot be supported in these types of chains. This type of blockchain is normally called a permissionless blockchain: you don’t need permission to submit transactions and you don’t need to be validated to participate in growing the chain. In order to achieve what we want here, we need to authenticate the users of the blockchain. This is called a permissioned blockchain. In the permissioned blockchain implementations we see today, it is the validators that receive the transactions from the users, and to be able to authenticate a user on behalf of the blockchain, the validator itself needs to be trusted and authenticated. So in essence all users of the blockchain must be identifiable.
Only permissioned blockchains can track and operate on real world assets.
Several very interesting things happen when we go from anonymity to identification of users. Firstly, there is no need to run the expensive PoW algorithm to reach consensus. Since all validators are known, we can adopt much lighter schemes such as the Practical Byzantine Fault Tolerance (PBFT) algorithm or some two-phase commit scheme. Secondly, there is no purpose in having coins generated in the blockchain. The mining of coins is the incentive in a permissionless blockchain that makes the miners perform the work. If we have simpler (in terms of energy consumption) consensus algorithms, we don’t need to reward the miners. In fact, the miners probably have some real-world incentive to operate the blockchain. In the car example, it would be reasonable to think that car manufacturers all over the world operate this blockchain in order to get better audit trails of cars, or perhaps that each car manufacturer runs their own blockchain, tracking only a specific brand.
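The car audit trail from the workshop and the lighter, signature-based consensus that known validators make possible can be put together in one small example. This is an added example written for this post, not code from the article or from any permissioned-ledger product. It assumes a constructed registry of four identified validators (manufacturers, a garage network and an auditor), the BFT-style rule that a block needs 2f+1 = 3 signatures out of n = 3f+1 = 4 validators with f = 1, and that every record is attested by a registered validator who authenticated the user on the ledger’s behalf; an HMAC with a per-validator secret stands in for a real digital signature, which is a simplification (a production registry would hold public keys only). The names try_commit, verify_chain, history and collect_signatures are invented here. Note that there is no mining and no on-chain coin: the validators are paid off-chain by their interest in the audit trail.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed registry of identified validators. HMAC with a shared secret
# stands in for a real signature scheme in this toy; a production registry
# would hold only public keys and validators would sign with private keys.
VALIDATOR_KEYS: Dict[str, bytes] = {
    "acme-motors": b"acme-secret-constructed",
    "bolt-cars": b"bolt-secret-constructed",
    "garage-network": b"garage-secret-constructed",
    "dealer-auditors": b"dealer-secret-constructed",
}
FAULTY_TOLERATED = 1                  # f: validators allowed to misbehave
QUORUM = 2 * FAULTY_TOLERATED + 1     # 2f+1 signatures out of n = 3f+1
GENESIS_PREV = "0" * 64


def block_digest(prev_hash: str, records: List[dict]) -> str:
    # Canonical hash of what the validators are asked to sign.
    payload = json.dumps({"prev": prev_hash, "records": records}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def sign(validator: str, digest: str) -> str:
    return hmac.new(VALIDATOR_KEYS[validator], digest.encode(), hashlib.sha256).hexdigest()


def signature_valid(validator: str, digest: str, sig: str) -> bool:
    # Unknown identities never count: that is the "permissioned" property.
    if validator not in VALIDATOR_KEYS:
        return False
    return hmac.compare_digest(sign(validator, digest), sig)


def collect_signatures(prev_hash: str, records: List[dict], signers: List[str]) -> Dict[str, str]:
    # Each listed (registered) validator signs the proposed block.
    digest = block_digest(prev_hash, records)
    return {v: sign(v, digest) for v in signers}


def try_commit(chain: List[dict], records: List[dict], signatures: Dict[str, str]) -> Tuple[bool, str]:
    # Append a block only if every record is attested by a registered validator
    # and at least QUORUM distinct registered validators signed the digest.
    for rec in records:
        if rec.get("attested_by") not in VALIDATOR_KEYS:
            return False, "record attested by unregistered identity"
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    digest = block_digest(prev, records)
    valid = {v for v, s in signatures.items() if signature_valid(v, digest, s)}
    if len(valid) < QUORUM:
        return False, f"{len(valid)} valid signatures, need {QUORUM}"
    chain.append({"prev": prev, "records": records, "hash": digest,
                  "signatures": {v: signatures[v] for v in valid}})
    return True, "committed"


def verify_chain(chain: List[dict]) -> bool:
    # Re-check links, digests and quorum for the whole ledger: the integrity
    # check a reader of the audit trail runs before trusting it.
    prev = GENESIS_PREV
    for block in chain:
        digest = block_digest(prev, block["records"])
        if block["prev"] != prev or block["hash"] != digest:
            return False
        valid = [v for v, s in block["signatures"].items() if signature_valid(v, digest, s)]
        if len(valid) < QUORUM:
            return False
        prev = digest
    return True


def history(chain: List[dict], vin: str) -> List[dict]:
    # The used-car-lot query: every recorded event for one vehicle, in order.
    return [rec for block in chain for rec in block["records"] if rec["vin"] == vin]


if __name__ == "__main__":
    ledger: List[dict] = []
    vin = "VIN-CONSTRUCTED-0001"
    build = [{"vin": vin, "event": "manufactured", "part": "chassis-42", "attested_by": "acme-motors"}]
    print(try_commit(ledger, build, collect_signatures(GENESIS_PREV, build,
                     ["acme-motors", "bolt-cars", "dealer-auditors"])))
    service = [{"vin": vin, "event": "brake pads replaced", "part": "bp-7", "attested_by": "garage-network"}]
    print(try_commit(ledger, service, collect_signatures(ledger[-1]["hash"], service, ["garage-network"])))
    print(history(ledger, vin))
```

The quorum rule does the work that PoW does in the permissionless case: a block with too few registered signatures is simply refused, and because every signer is identifiable, a validator that signs a bad record can be held to account off-chain, which is the accountability point made later in the post.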
Permissionless blockchains and electronic cash appear to be closely linked. We have seen that operating a virtual cash system requires a permissionless blockchain. The opposite also seems true: if we have a permissionless blockchain, there needs to be some incentive for the validators/miners, and the only thing that can be controlled is on-chain assets. Hence, to operate a permissionless blockchain we need some form of virtual currency living on the chain.
To operate a permissionless blockchain, there needs to be an on-chain currency to incentivize the mining process. And to operate an electronic cash system, a permissionless blockchain is needed.
Another aspect of permissionless vs permissioned blockchains is the legal status of transactions on the blockchain. We have stated that permissionless blockchains can only handle on-chain assets. This also comes down to the fact that if all users are anonymous, there is no way to enforce actions on the chain in the real world: there is no one to hold accountable. The only way we have to enforce actions is by cryptography, and that can only be applied to assets living on the chain. Permissioned blockchains, on the other hand, have identifiable users, and they can be held accountable by law. This makes it possible to track and trade off-chain assets with the same protection as in the real world. If someone behaves maliciously, we can take that person or organization to court and resolve the issue.
Permissioned blockchain versus distributed database
First of all, I don’t think a blockchain is comparable to a database in the normal sense. A blockchain is more of a write-once/read-many (WORM) type of storage, possibly with integrity protection depending on how the new blocks in the chain are created and how the consensus algorithm works. For a PoW type we have seemingly strong integrity protection after 15-20 blocks or so. But even that is not totally immutable. The hard fork of the Ethereum chain in June 2016 proved that. The short story is that a lot of investments in a smart contract were stolen because of a bug in the scripting language, and the question was whether to roll the chain back to before the attack and fork it, creating an alternate future in which the bug was fixed and the money was still in the right place. The Ethereum consortium chose this path, and now there are two Ethereum chains: one “official” chain backed by the consortium, and one called “classic” in which the stolen money is still under the control of the attacker(s).
I think that most people in the blockchain business consider permissioned blockchains a way of implementing a WORM distributed database. And as always with different implementations, you get benefits and disadvantages. The benefits most often listed include less administration and less required trust in administrators, better cost efficiency, and increased robustness. The disadvantages are less confidentiality, worse performance, and the fact that blockchain technology is less tested in production systems.
Yet, there are certainly areas where a permissioned blockchain is a better choice. A lot of activity has recently been seen in the financial and banking sector, trying to implement permissioned blockchains. I think that this mainly happens for two reasons. Firstly, banks are intrigued by Bitcoin and virtual currencies. It is still unclear whether this is just curiosity and a large-scale experiment, or whether it will fundamentally disrupt the monetary system. Faced with this uncertainty, they believe it is better to join the game and try to be part of it instead of being left behind.
The second reason is that the financial sector utilizes a vast number of databases that need to interoperate with each other. This costs a great deal of money in maintenance, and they look to blockchain technologies to replace legacy systems and at the same time make them more interoperable.
Either way, blockchain technology is evolving fast, and it will be interesting to follow the potential applications and use cases.