Geert Lovink on Thu, 18 Dec 2014 15:47:49 +0100 (CET)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> One Chain to Rule Them All by Eduard de Jong


One Chain to Rule Them All
by Eduard de Jong

Original on the INC/MoneyLab website: http://networkcultures.org/moneylab/2014/12/16/one-chain-to-rule-them-all/.

See also: http://networkcultures.org/moneylab/2014/03/23/edward-de-jong-towards-an-open-e-currency-system/.

(the upcoming INC MoneyLab Reader (out in February 2015) contains a long
interview with the former DigiCash employee Eduard de Jong)

In the wake of the Bitcoin phenomenon, the term ?block chain,? which
describes a critical, technical aspect of the Bitcoin payment system, is
presented by Bitcoin adherents as a technical innovation on par with the
invention of the transistor, accrediting it with a similar scope of
fundamental change in society. This short write-up attempts to demystify
some of the mythical thinking around block chains.

The technological advances that have led to the block chain stem from
two different approaches in the 1980s for repeatedly applying a
cryptographic hash function.[1] The first approach came from Ralph
Merkle,[2] who used the hash function to construct a binary ?tree? of
hashes with each of the ?leaves? of the hashes used as a one-time-only
key to create a special kind of public key signature. The tree is build
by hashing each pair of leaves together and by continually pairing the
results of this until a single hash value is obtained. The final, single
hash value, called the ?root? of the Merkle tree, is?indirectly?a hash
over all the data in the leaves.

The second approach came from Leslie Lamport.[3] He created a way to
generate one-time passwords to secure computer logins over an insecure
network. It all starts with computing a series of hash functions,
starting from a random number and subsequently using the previous
function?s output as a starting point. The original random number is
then stored as the master password, and the list of hash values is given
to the user. The result of the last hash computation serves as the first
one-time password. The next time a password is needed the input value in
the last computation is used. Subsequently, each of the inputs to a hash
computation in the chain is used as a new one-time password, until the
last computation, when the master password is reached. At this time a
new master password is generated and a new hash chain calculated. Its
values are sent to the user as a new sequence of one-time passwords. The
sequence of one-time passwords is called a ?Lamport-chain,? or simply a
?hash chain.?

A Bitcoin block chain can be seen as a combination of a Merkle-tree with
a Lamport-chain: each one-way computation uses the result of the
previous computation as input in order to make a chain (Lamport), and
uses an additional hash value as input (Merkle) to add new data.

Chains, or trees, of hash functions have been used in different
proposals for the implementations of electronic money. For example,
e-Cash, the electronic money implemented by DigiCash, uses a specially
constructed tree of hash values to encode the value of a money transfer
protected by a digital signature over the root of the tree. Ted
Pederson,[4] working with DigiCash in the European Cafe project,
describes the use of a single chain as being similar to the
Lamport-chain passwords in the way it reveals a preimage with the
payment of small amounts.

This posting provides the theoretical basis for analysing the security
of payments protected by a one-way chain. Stanford,[5] together with the
present author, suggests a practical implementation for electronic cash
whereby each preimage in a hash chain is used as a payment of a unit
value. In this electronic cash system unit values are specified by the
merchant, while the security is provided by the hash chain. This also
protects the moneys received, which are cryptographically bound to the
merchant, as well as the process of redemption.[6] In 2000, a hash chain
was proposed to securely record the progression of operations. In the
same year, this author[7] filed a patent for the use of a chain of
one-way functions to protect both communication with a smart card and
the operations inside it. The hash chain was built by a sequence of
hashes: the first hash sending input data to a smart card; the second
hash, which was computed from the first, was changed in the card memory,
and the third hash was created over the memory record and any output
data. The chain could be extended to include any number of subsequent
interactions with the smartcard.

Using the hash chain in this way, with each new hash value in the chain
adding a hash over additional input data, is a very secure way to record
events. It establishes a time line in which earlier events are being
included in the chain of later event. An example of such an event is the
secure version control of documents like business contracts or a set of
program files. Git is such a software code version control system that
uses a hash chain. By binding the present with the past, a hash chain
can provide non-repudiation[8] for any transaction that has been
recorded in the chain, as long as the most recently computed hash value
is known, or available, to all parties involved in the transaction.
Storing the hash value in a smartcard is one way of making it available
for non-repudiation.

As we have seen, the Bitcoin block chain follows a well-established
tradition in securing data. The use of a hash chain for securing
financial data in Bitcoin, however, differs from the cases mentioned
above. In the earlier systems the hash values are used to represent a
unit value of electronic cash that is securely transferred from payer to
payee. The hash value  is the equivalent of a physical coin. Bitcoin, on
the other hand, is a ledger system in which, as at all present-day
financial institutions, a central database keeps records of the amount
of money a user has to spend. In Bitcoin, the central database is
implemented in a distributed fashion and each processor in the
distributed systems maintains a copy of the full database. After
performing an update of the database, consolidating one or more
transactions, a processor computes the next hash in a hash chain with
the data used in the update. The newly computed hash value is used to
securely synchronise the database copies between all the distributed
processors. The hash value acts as a synchronisation token sent to all
distributed processors by the one consolidating processor that computed
it. Each distributed processor already knows the previous hash value and
has also received all new data incorporated in the new hash value. For
Bitcoin, the new data is a set of all the hash values, each computed
over the details of a transaction that a user has made. The
synchronisation token is computed as a hash value over data that is
known to every processor. Each of the processors can verify that the
synchronisation token is valid by recomputing the hash function.

Synchronisation between processors is essential for a distributed
(database) system to work correctly. The second aspect of the
implementation of a distributed system is coordination between the
processors, i.e. determining which processor does what. For a ledger
system like that of Bitcoin, coordination determines which processor has
the lead in updating the database. In the Bitcoin system,  coordination
of processors can be compared to the throwing of a dice: the processor
with the highest number of eyes wins and is the only one to update the
database. In fact, Bitcoin uses a very clever trick to simultaneously
update the database and randomly select which processor is the one that
will generate the synchronisation token.

In Bitcoin, this combined operation of throwing die, consolidating the
database, and computing the synchronisation token is called ?mining,?
the distributed processor a ?miner,? and the synchronisation token a
?blockchain.? The normal computation of a hash function in a computer
would roughly take the same amount of time in each processor, which is
typically much shorter than the time needed to communicate a message to
all distributed processors. However, this process is too fast to be used
to compute a synchronisation token and so the computation of the hash
chain in Bitcoin is done differently. The block chain is computed by
repeatedly computing the hash function from transaction data and
additional random input until the resulting hash value has a particular
form.  On average the computation of the block chain takes about 10
minutes. Block chain computations are effectively synchronised; each
processor starts its  computations after receiving a synchronising block
chain and uses all transactions submitted by the users since the
computation of the received blockchain started. The first processor to
find a hash value with the correct form to be a block chain has obtained
the next synchronisation token and broadcasts this value to all other
processors. They then synchronise the database and restart their
computing to get the next hash in the chain. The block chain beauty is
that the computation used to randomly pick the lead processor amongst
the set of distributed processors is the very same computation used to
consolidate the database and in the creation of the synchronisation
token.

The process of the computation of a block chain from a consolidating and
synchronising function could be used for any distributed implementation
of a shared database. However, it is one that uses a lot of energy as
each of the processors is actively computing the next hash value in the
chain for 10 minutes each time, while applying all its processing power.
All energy spent by all these processors, bar that of the ?lucky? one,
is wasted. Even without considering the environmental consequences of
wasting energy, it seems hard to scale such a distributed system to a
very large size, especially if used commercially. However, there is a
body theoretical and practical knowledge on the implementation of
distributed systems and cheaper techniques do exist. As the Bitcoin
system is supported by a community of miners that are seemingly
primarily motivated by ideals and ideology, considerations of
environmental and commercial effects may be irrelevant, in particular at
the current size of the system.

However, the Bitcoin system is not without its commercial aspect.
Independently from the prime consolidating and synchronising functions
of the blockchain, computation is also used to add a small, fixed value
to the pool of spendable money. The newly added money is allocated to
the miner that computes the block chain. Being a miner in the Bitcoin
system is like partaking in a lottery in which the price of each lottery
ticket is the cost of computing the hashes. The purpose of the lottery
is to provide a financial incentive to acting as a miner. An interesting
consequence of this lottery aspect of mining comes from the creation of
additional value out of thin air. This forces Bitcoin to operate as a
closed financial system, using its own currency, where money creation
has no macroeconomic consequences.

The block chain does a decent job of consolidating and synchronising the
distributed database when implementing the Bitcoin ledger. However,
consolidation and synchronisation are not sufficient for the correct
operation of the ledger: it merely makes sure that all instances of the
database contain the result of all transactions in the right order. It
does not ensure that the transactions are in fact correct. A correct
transaction is one in which, for instance, the account paying money has
enough funds and the owner of the account is the person authorising the
transfer. Before a transaction can be consolidated in the database, it
has to be semantically evaluated in a process separated from updating
the database. The transaction has to perform this evaluation correctly
for the database to be correct. To summarise: there is no semantic
relationship between the creation of a block chain and the additional
data hashed into it. Hence, the blockchain does not guarantee the
security of the Bitcoin system. Security in the Bitcoin system is based
on making all transactions public while each miner semantically verifies
every transaction before adding it to the data to be hashed. This system
assumes the correct implementation of software at each miner, and that
this software has not been modified unnoticed by the miner, e.g. by a
worm. The Bitcoin system does not have a built-in mechanism to recover
from such a breach of security.

To summarise this writeup, the block chain used by the Bitcoin system is
a form of hash chain that is very suitable for distributed computation
with continually added data to be hashed where all data is collected by
each distributed hashing node. Despite a distributed implementation the
Bitcoin system is a centralised ledger of financial transactions.[9]

--- 

[1] A cryptographic hash function is a computation using a message as
input to compute another message in such a way that it is practically
not feasible to compute the input when only the output is known. The
result of computing is called a hash value or a hash, and in some cases
the input is called a ?preimage.? For a good, cryptographically strong,
hash function only brute force, that is trying all possible inputs, is
the only possible way to determine the input that goes with a given
output. For a hash function the number of bits in the output determines
the level of security, as that determines the number of brute-force
tries. The input for a hash function can have any length, for instance
in a Merkle tree it is twice the output size.

[2] R. Merkle. Secrecy, authentication and public key systems/ A
certified digital signature. Ph.D. dissertation, Dept. of Electrical
Engineering, Stanford University, 1979.

[3] L. Lamport, ?Password Authentication with Insecure Communication?,
Communications of the ACM vol. 24, no.11, pp 770-772, 1981

[4] T. Pedersen, ?Electronic payments of small amounts,? Proc. of
Security Protocols Workshop, Lecture Notes in Computer Science,
Vol.1189, Springer Verlag, pp.59? 68, 1997.

[5] C. Stanford, E. de Jong, ?System and method of cryptographically
protecting communications? patent EP0904581, filed may 24, 1996.

[6] In 2014 this so-called n-Count system for electronic money has been
deployed by Transaxiom Ltd, as LET system in Canada.

[7] E. de Jong, ?method and system of communicating devices, and devices
therefor, with protected data transfer? patent US7828218, filed July 20,
2000

[8] Non-repudiation is the impossibility to deny that an event has
happened or a more specific a contract has been signed. An electronic
signature, created using a public key system, typically provide
non-repudiation. As explained in the text a hash chain, which is much
easier to compute than an electronic signature, can also provide
non-repudiation.

[9] A central register is a precondition for a correct ledger system.


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org