Satoshi Nakamoto’s seminal paper “Bitcoin: A Peer-to-Peer Electronic Cash System,” published in 2009, which took cues from “How to Time-Stamp a Digital Document,” published by Stuart Haber and W. Scott Stornetta in 1991, sparked a feeding frenzy of accolades for blockchains which inscribed an urban legend about trusted public decentralized blockchains, a historical departure from the mediation of brokers and third parties. The first paper sought to create trust in digital currencies by solving the decades-old “double spend” problem associated with digital currencies with applied cryptography and the second by preventing the tampering of digital documents with time stamping.
The information, documents, transactions or digital coins are mathematically protected with hard-to-crack hash functions that create a block and interconnect it to previously created blocks. To validate the new chain of blocks, it is then broadcasted and shared, to a distributed network of computers, to collectively agree about the authenticity of the transactions, using additional mathematics of a consensus algorithm. The entire cryptographic proof of transactions is stored as an immutable record on a distributed and shared ledger, or the blockchain. “In effect, this is triple entry accounting which includes the two entries of the transacting parties and a third record for the public, registered on a public distributed ledger, which cannot be tampered with,” Ricardo Diaz, the Charlotte, North Carolina-based founder of Blockchain CLT and management consultant for commercialization of enterprise blockchains, told us.
Rising from the trough of disillusionment, the myths around public centralized blockchains have been reexamined and we will now assess the controversy. (Blockchain is being used for much more than just cryptocurrency. Learn more in Why Data Scientists Are Falling in Love with Blockchain Technology.)
Myth #1: Private permissioned blockchains cannot be secure.
Private permissioned blockchains are a contradiction in terms and public blockchains are the only secure and viable option. Public blockchains gain trust by consensus, which is not possible when private blockchains need permission for a small group of people.
In actual implementations, centrally controlled private or federated permissioned blockchains, albeit distributed, are common. Federated blockchains focus on specific verticals such as R3 Corda for banks, EWF for energy and B3i for insurance companies. The motivation to keep a blockchain private is confidentiality and certainty of regulatory compliance as in banking, unique needs such as in renewable energy where small producers need to connect with consumers, or the fear of cost overruns or underwhelming performance of unproven technologies as in insurance.
The jury is still out whether private blockchains will last beyond their pilot programs. TradeLens is one private blockchain which IBM created with Maersk, the largest container company in the world. According to press reports, the project has gotten off to a slow start as other carriers, which could be potential partners, have expressed skepticism about the benefits they will realize from joining.
Steve Wilson, VP and Principal Analyst at Constellation Research, cautioned against a rush to judgment. “IBM is moving slowly because it is bringing together a group of partners who have not worked together before. They are also transitioning from a world where trades were mediated by brokers to an unfamiliar world of direct trading. The trade documentation is convoluted, and IBM is trying to avoid errors,” he told us.
Fundamentally, Wilson does not see a well-defined use case for public blockchains. “Public blockchains overlook the plain fact that any business solution is inseparable from people and processes. The double spend problem does not exist when transactions in physical worlds are tracked at each stage,” he concluded.
By contrast, private blockchains, such as Corda in financial services, are solving real problems. “The supervision of private blockchains by credible stewards narrows down the problem of trust. Private blockchain realize efficiency gains from a common and secure distributed ledger which takes advantage of the cryptography, time-stamping, and smart contracts which were prototyped in public blockchains,” Wilson explained.
Myth #2: Hybrid blockchains are an incompatible mix of private and public.
Public, permissionless decentralized blockchains and private centrally controlled permissioned blockchains are mutually exclusive. They seek to create a trustworthy environment for transactions in entirely different ways which are not compatible. It is not possible to have a combination of the private and the public in a single secure chain.
Hybrid combinations emerge as the market matures and dispel the skepticism about the early forms of new technologies. Just like the precursors to the internet were intranets and extranets which evolved into the internet with sites searchable with browsers; the cloud followed a similar path and hybrid clouds are widely accepted these days.
In the crypto community, there are two camps: the public, permissionless blockchains and private, permissioned blockchain. According to Diaz:
The private blockchain side has historically presumed to require miners and a cryptocurrency financial incentive to validate the blockchain was unnecessary. Today, new blockchain projects support private and public distributed ledger technologies. Ternio.io, an enterprise blockchain platform, leverages Hyperledger Fabric (a permissioned blockchain technology) AND Stellar (a permissionless blockchain). Veridium.io, a carbon credit marketplace blockchain project, also has a similar DLT architecture.
Diaz also noted:
Jaime Dimon, CEO of JPMC, who dismissed bitcoin as a fraud, has not only invested in building a popular, secure, private blockchain called Quorum, but also introduced an enterprise stablecoin (a type of cryptocurrency token) called the JPM Coin. It was built using the Ethereum blockchain code base, a public blockchain protocol, and the privacy technology from ZCash, another public but more secure blockchain protocol. Security on Quorum is reinforced by secure enclave technology which is hardware-based encryption.
Quorum is not a hybrid blockchain that has public and private blockchains working together, but it incorporates the code from public blockchains and cryptocurrencies that are normally integral to public blockchains. It creates a fork on Ethereum to create a private blockchain. There are other hybrid blockchains in which private and public blockchains play complementary roles.
Hybrid blockchains have a compelling value that is driving skeptical enterprise clients to progress from private blockchains to hybrid ones that incorporate public blockchains and token economics on an as-needed basis. The bridges between the private and the public chains in the hybrid blockchain ensure that the security is not compromised, and intruders are disincentivized by requiring them to pay to cross the bridge.
Hybrid crypto networks of the future will be more secure than anything the internet, Web 2.0, has today. Diaz explained:
Crypto mesh networks that are supported by crypto routers, like the wireless router in your home, will only process transactions that are cryptographically secured not only with blockchain technology but also true crypto economics. Imagine a crypto router or device that requires a small amount of cryptocurrency to process a transaction like an email between two parties. This one key difference will drastically impact hackers across the planet who are used to freely hacking computers and networking them together to launch a massive denial of service attack on some business. On the Decentralized Web, Web 3.0, the hacker would have to pay upfront for his/her bot army to launch the same attack. That is token economics crushing a major cybersecurity issue.
Myth #3: Data is immutable in any circumstance.
A cornerstone of public blockchains is the immutability of the pool of the data for all transactions that it stores.
The reality is that public blockchains have been compromised either by an accumulated majority, also known as a “51% attack” of the mining power by leasing equipment rather than purchasing it, and profit from their attacks or by bad code in poorly written smart contracts.
Rogue governments are another cybersecurity risk. “Private individuals respond to incentives for keeping the data honest. My worry is governments who have other non-economic objectives immune to financial incentives,” David Yermack, Professor of Finance at the Stern Business School in New York University, surmised.
Public blockchains have to come to grips with the fact that human error is possible despite all the vetting — it happens in any human endeavor. Immutability breaks when corrections are made. Ethereum was split into Ethereum Classic and Ethereum following the DAO attack which exploited a vulnerability in a wallet built on the platform.
“The Bitcoin blockchain network has never been hacked. The Ethereum blockchain has suffered attacks but the majority of them can be attributed to bad code in smart contracts. Over the last two years, an entirely new cybersecurity sector has emerged for the auditing of smart contract code to mitigate the common risks of the past,” Diaz told us. Auditing of software associated with blockchains, including smart contracts, helps to plug the vulnerabilities in supporting software that exposes blockchains to cybersecurity risks. (For more on blockchain security, see Can the Blockchain Be Hacked?)
Myth #4: Private keys are always secure in the wallets of their owners.
Blockchains rely on public key infrastructure (PKI) technology for security, which includes a private key to identify individuals. These private keys are protected by cryptography and their codes are not known to anyone except their owners.
The reality is that in 2018 over $1 billion in cryptocurrency was stolen.
The myth about the privacy and security of private keys rests on the assumption that they cannot be hacked. Dr. Mordechai Guri of the Ben-Gurion University in Israel demonstrated how to steal private keys when they are transferred from a safe location, unconnected with any network, to a mobile device for usage. The security vulnerability is in the networks and associated processes.
“Today there are many best practices and technologies that reduce the risk of this perceived weakness in basic cryptography to protect private keys. Hardware wallets, paper wallets, cold wallets and multi-signature (multi-sig) enabled wallets all significantly reduce this risk of a compromised private key,” Diaz informed us.
Myth #5: Two-factor authentication keeps hot wallets secure.
My private keys are safe on a crypto exchange like Coinbase or Gemini. The added security of two-factor authentication (2FA) these sites provide in their hot wallets can’t fail.
A crypto hot wallet cybersecurity hack that is becoming more and more common is called SIM hijacking, which subverts two-factor authentication. Panda Security explains how hackers receive verification passcodes by activating your number on a SIM card in their possession. This is usually effective when someone wants to reset your password or already knows your password and wants to go through the two-step verification process.
“If you must purchase cryptocurrency through a decentralized or centralized crypto exchange, leverage a third-party 2FA service like Google Authenticator or Microsoft Authenticator, NOT SMS 2FA,” Diaz advised.
Distributed ledger technologies and blockchain technologies are evolving, and the current perceptions about their risk are more muted as new innovations emerge to solve their inadequacies. Although it is still early days for the crypto industry, when Web 3.0 and decentralized computing become more mainstream, we will live in a world that will put more trust in math and less in humans.