Blockchain is ideal in situations where settlements need to be instant and systems exceptionally efficient, and it has been proposed as a way to secure states against cyberattacks. It has recently come to be considered one of the most innovative and potentially useful technologies around. That is all well and good, but can we trust it? Is blockchain as secure as it is cracked up to be?
Technologies, and especially those as spectacular as blockchain, are not (and should not be) taken on faith. Indeed, any slip-up, any gap in the system or failure to fend off hackers will (with the help of a hysterical mass media) kill them.
Blockchain is steadily evolving. Right now, it is being tested in the field, and generating great expectations. This huge interest coming from industry and state governments is due, in part, to the promise made to the world by its authors: “We are giving you a system whose protections are unmatched.”
But, are they? The technology is very new and, as such, will experience teething problems. That must be understood. To decide whether it is truly secure – and will therefore establish itself in the mass market – we must first distance ourselves from the hype and frenzy over the exchange rates of the bitcoin and other cryptocurrencies.
Secure by nature
The security of blockchain results from the fundamental premises assumed in its development and embedded deep in its architecture. I am referring to the inviolability of transaction history, decentralization and the principle of cryptographic encryption – all of which translate to a high level of transaction security. (I have written about other aspects of blockchain many times, most recently here.)
Briefly, blockchain is a public ledger of transactions recorded in chronological order. Each transaction is entered in a chain of so-called blocks. These are created based on information encrypted in previous transactions. Anyone wishing to modify the record (perhaps to the disadvantage of others) would have to change all previous records down the entire chain, or alter all previous blocks, or at least most of their copies. But to do that, they would need the consent of the other users, as blockchain is a consensus-based system. Only after a specified majority (51% or another agreed share) of the users (measured in terms of the computational power of those mining new blocks) greenlight a modification can it be permanently entered in the register. If all goes well, it is confirmed in a “proof of work”: a set of complex calculations which result in the creation of a new block. The list of verified transactions is created through communications among the nodes (users), each of whom keeps a copy of the ledger and shares any new information with the other nodes.
It is, in effect, a giant jigsaw puzzle; you can’t put it together unless and until each successive piece fits with the ones laid down before. The pieces that do not fit are rejected, i.e., denied entry into the register. There is no ledger guardian, no transactional middleman. Everything that takes place within the ledger is beyond the reach of third parties, be they individuals or institutional intermediaries. By its very definition, this peer-to-peer technology is based on the premise of direct interaction among users.
Picture 1. In certain situations, smart contracts could expose certain information to designated agencies if predefined conditions are met. Source: McKinsey
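The mechanism described in the two paragraphs above, as an added Python sketch that is not from the original article: each block stores the SHA-256 hash of its predecessor and must carry a proof of work, so a verifying node rejects an edited block, and redoing that one block's work only moves the break to the next block. The difficulty, the block fields and the sample transactions are assumptions chosen for illustration.

```python
import hashlib
import json

DIFFICULTY = 3           # assumed toy target: hash must start with 3 hex zeros
GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(block):
    """SHA-256 of the block's canonical JSON, covering prev_hash and nonce."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def mine(index, txs, prev_hash):
    """Proof of work: try nonces until the block hash meets the target."""
    block = {"index": index, "tx": txs, "prev_hash": prev_hash, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    return block


def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        chain.append(mine(i, txs, prev))
        prev = block_hash(chain[-1])
    return chain


def first_invalid(chain):
    """Index of the first block a verifying node rejects, or None if all fit."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block)
        if block["prev_hash"] != prev or not digest.startswith("0" * DIFFICULTY):
            return block["index"]
        prev = digest
    return None


def tamper_demo():
    # Constructed sample ledger: three blocks, one transaction each.
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    intact = first_invalid(chain)
    chain[1]["tx"] = ["bob->mallory:2"]      # edit recorded history in place
    edited = first_invalid(chain)            # rejected at block 1 or 2
    chain[1] = mine(1, chain[1]["tx"], chain[1]["prev_hash"])  # redo block 1's work
    remined = first_invalid(chain)           # block 2 no longer links to block 1
    return intact, edited, remined


if __name__ == "__main__":
    print(tamper_demo())
```

To make the altered ledger pass verification, every block after the edited one would have to be mined again, and the other nodes would still hold the original copies.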
Estonia already believes
So, blockchain is a multi-level security system: records depend on history, user consensus is required, users interact directly. As a result, what was until recently a theoretical construct has now taken concrete shape and is successfully selling itself to industry, one sector after another. The technology supports cryptocurrency markets; its diverse versions are being tested by banks, fintechs, the energy industry and health care organizations. Blockchain has become synonymous with cybersecurity. Interest has also been expressed by states which see it as a possible protection against cyberattacks. Estonia, for instance, has recently resolved to adopt a system that relies on blockchain to allow its citizens to vote, file their tax returns and pay their taxes online. Experts believe the Estonian system cannot be hacked, at least without leaving an easy to follow trail that would, of course, discourage hackers.
By all indications, blockchain’s popularity is fluctuating in lockstep with the cryptocurrency market. In the popular imagination, blockchain is bitcoin and other cryptocurrencies. Reports on hack attacks on cryptocurrency exchanges, and sensational news on cryptocurrency theft, have eroded people’s confidence, making them wonder if blockchain is as secure as its advocates and promoters claim.
Even the optimism of those who trust it has been dented by reports on the capabilities of quantum computers. Once blockchain falls into unauthorized hands, quantum machines (as I have explained in greater detail here) could pose a threat to the cryptographic protections of the public key (which, after all, is the core of blockchain) by hacking it and replicating it, which would compromise the security of information exchange among users.
In a nutshell, a blockchain network user uses the so-called public key, which is generally available, to encrypt specific information before it is passed on. To decrypt such information, its recipient would use a private key: a unique, counterfeit-proof string of characters generated by an algorithm and available solely to private key holders.
The chance of generating a private key by examining the public one is virtually nil. It would take billions of years to complete such decryption. However, what an ordinary computer cannot do is within the reach of quantum machines, whose computing capacities – thanks to their freedom from binary bondage – are astonishing, and a hacker with a quantum machine could (theoretically) reproduce a public key character string.
And, even without the quantum monster…
Another threat – more pressing today than worrying about quantum machines in the hands of hackers – is the loss or theft of the private key. This usually occurs when it is stored on a computer connected to the internet. Once a key has been stolen, the rightful owner has no recourse. No transaction concluded by means of a stolen private key can be distinguished from one conducted legally.
Now, cases like this can hardly be attributed to a security flaw in the blockchain itself. The problem is user carelessness. But this gives rise to the dilemma of whether and under what circumstances one should cancel verified transactions if they are believed to result from theft. The inviolability and irreversibility of transactions is one of blockchain’s main pillars, its value proposition, if you will. Repeal or change this rule, and users could lose their confidence in the system’s impartiality.
Picture 2. Quantum computing could make conventional cryptography obsolete. Source: McKinsey
These challenges to 100% blockchain security result from its relative newness. The IT solutions, codes and protections on which it relies are only beginning to blaze new technological trails. The consensus is that distributed data is much harder to hack than data stored on a single machine. The rule requiring multiple parties to consent to changes sounds equally convincing. However, the actual practice is more complicated. This applies also to areas that seem immune to trouble, such as encryption. Much depends on the policies adopted by private blockchain network operators.
Nevertheless, I am certain that despite sensational reports on the hacking of cryptocurrency exchanges, we are witnessing the dawn of a breakthrough technology that is also incredibly secure. The changes it will bring to financial settlement and transaction markets will be as radical as the transformation the internet wrought in communications.
. . .
Steve Cheng, Matthias Daub, Axel Domeyer, and Martin Lundqvist, Using blockchain to improve data management in the public sector, McKinsey Global Institute, link, 2018.
Nolan Bauerle, What is Blockchain Technology, CoinDesk, link, 2017.
Martin Lundqvist and Peter Braad Olesen, Digitizing the delivery of government services, McKinsey Global Institute, link, 2017.
Estonian blockchain technology. What is blockchain technology and how is it related to e-Estonia, e-Estonia, link, 2017.
The CEO of D-Wave Systems, Vern Brownell, The growing potential of quantum computing, McKinsey Global Institute, link, 2016.
. . .