Blockchain 103 – It’s all about Collaboration

I recently attended the Consensus conference in New York, and although I was disappointed in the “technical” level of most of the presentations (more focussed on business applications than blockchain tech) I came away with a strong feeling of “collaboration” and growing maturity of the industry.  (Minus all the ICO frenzy and crypto-speculation of course.)

For example, I learned a little bit about the state of banking in the Caribbean, and a couple of ways that blockchain-based solutions are providing real-world value today.

Due to the amount of money-laundering and lax regulation, banking in the Caribbean is under heavy scrutiny.  In fact, even when trading between the islands, payments are denominated in US dollars and have to flow through New York or Toronto.  That means that inter-island trading gets hit with currency exchange twice, and settlement takes longer.  In addition, the banks are always at risk of being “de-risked”, which means that Canadian and US banks can cut them off if they feel the risk is not commensurate with the reward.

Use of a crypto-currency is an obvious remedy for the former problem – Caribbean islands can trade with each other directly and settle with the use of Bitcoin or any other crypto-currency of choice.  However, crypto-currencies are currently very volatile and this is not amenable to trading.  Recently a solution has been developed in partnership between one bank and a vendor, whereby they use a blockchain-based secure ledger to authenticate and record their KYC (“Know Your Customer”) compliance for all their customers.  This allows them to share this information in a secure and non-repudiatable way, satisfy compliance obligations and manage and reduce the “de-risk” risk.

These are two examples where blockchain can have an immediate impact, and in a way that improves the democratization of large-scale de-centralized computing.

Blockchain technology is exploding, with hundreds if not thousands of coins and chains emerging.  However, a large portion of the industry is settling around either Ethereum or the Enterprise Ethereum Alliance as a development platform (according to my non-scientific informal survey), and there are many large organizations that are exploring solutions using Hyperledger Fabric.  There are countless other platforms available, most of which have specific differentiators, and many of which are forked originally from Ethereum or Bitcoin.

Are you considering blockchain for your business?

Collaboration is the key.  A common theme from the Consensus 2017 presenters was: focus on your key use cases, and make sure you are developing of value to the business.  The benefits of a blockchain-based solution are pretty specific (sharing of a secure, de-centralized ledger) so it’s important for the technical stakeholders and the business work together.  It’s also key, since a blockchain solution is all about “sharing”, that you work with partners from the beginning, and establish a “minimum viable ecosystem” of stakeholders when developing the initial solution.  Establishing the ecosystem of participants early will validate the business case as well as ensure that the blockchain is used for what it does best, which is consensus-based sharing of data.

A few things to consider:

  • What is the data being shared and who are the participants? What are the other possible solutions, and what additional benefits does a blockchain-based solution promise?  If the solution is not a good fit, then the blockchain might wind up acting as a poorly performing database.
  • Is the solution “open” or “closed”? e. is the solution open for anyone to join, or will it be restricted to a closed set of participants?  What is the process to “on board” new participants in the network and what roles can they play?  (BitCoin and Ethereum are both open, in that anyone can generate a set of keys for themselves and join the network, whereas Hyperledger Fabric depends on a CA to issue certificates that nodes must present when transacting.  The former is self-identifying but the latter requires a strong identity management infrastructure.)
  • What are the performance requirements? Is the solution required to support high transaction volumes and fast settlement cycles?  Or is the solution targeted at lower volumes and slower, perhaps unpredictable, settlement times?  (Bitcoin generates a block every 10 minutes “on average”, dependant on the random nature of its proof-of-work.  In contrast, Ripple has a very fast, dependable settlement cycle.  Bitcoin’s scaling issues are well known and should be a study for anyone implementing blockchain-based solutions.)
  • What are the various security aspects of the solution? Can the solution deal with a node that becomes compromised and “goes bad”?  Will the solution stay secure if it grows very big (or conversely stays very small)?  (Bitcoin’s consensus algorithms ensures that “bad” nodes are filtered out, and the proof-of-work becomes more secure as the network scales (and a “51% attack becomes less feasible).)
  • What are the incentive mechanisms in the solution? Is there more incentive to “play by the rules” than there is to “go rogue”?  (With the escalating values of Bitcoin and other crypto-currencies, there is a strong incentive to be a “good” miner and earn tokens.  For non-currency based solutions, the incentives are in line with traditional enterprise systems – support the business (“good”) or disrupt/attack the business (“bad”) and all traditional security models apply.)

If you’re building a blockchain solution (or planning to build one) do an analysis of your solution to determine the key requirements and how they map to a blockchain implementation, and review the differentiating characteristics of the available technology.  If there’s a clear fit, then you’re in the clear, however if not then stick with one of the major players.  Also check your local market to see what your peers are using.  In Canada there are major initiatives using Hyperledger Fabric, although the majority of the startups are focussing on Ethereum.

There is a lot happening in this space, and academic researchers are taking more notice (academic research and industry is another important area of collaboration), so expect the security and architecture models to become more formalized in the near future.

And of course expect more tokens, and more and even more crazy ICO’s.

If you have any questions about blockchain, or are interested in how blockchain can work for you, please feel free to drop us line.

 

Threshold Cryptography and You

Threshold Cryptography refers to a system whereby multiple parties are required to engage in a cryptographic process, either to produce a digital signature (for example to sign a document) or to decrypt a file or a piece of data.  This can be accomplished by dividing a key into multiple “shares”, and devising a system that requires multiple shares in order to perform the cryptographic operations.  Threshold Cryptography systems are characterized as (n, t+1), where n refers to the number of shares and t+1 refers to the number of shares required to perform crypto operations.  Up to “t” shares can be compromised without affecting the security of the system.

For example in a (3, 2) system, a key is divided into 3 shares and any 2 can combine to sign or decrypt files.  A single share can be compromised without losing security.

Note that in this kind of scheme the key is not simply divided up into sections, the shares are derived using “scary math”, so if an adversary gets hold of one of the shares, it doesn’t actually reveal any information about the key.

Threshold Cryptography has a number of use cases, including:

  • Securing private keys for applications like BitCoin wallets. Private keys (which are used to unlock BitCoin transactions) can be stored across multiple devices, making the keys more difficult for hackers to steal, and improving the security of your Bitcoins.
  • Securing keys for decrypting sensitive data. Multiple shares would be required to decrypt the data, making the private key more difficult for hackers and other adversaries to obtain.
  • Providing for a multi-party signature, without having to combine multiple different private keys. The parties would use the “shares” to participate in the signatory process and the final signature would represent a single private key.
  • Social password recovery – a private key’s shares could be distributed to friends and relatives (or to a lawyer or notary) to be used to recover a lost password or key. None of the “bearers” would have enough information to act on their own (or for a hacker to exploit) however this could provide a failsafe recovery for a forgotten password or lost key.
  • Distribution of public and private keys. In fact, one of the early use cases for Threshold Cryptography was to support a distributed CA model for an ad-hoc mobile network, to improve the resilience and security of the network.  A similar model could be applied to a blockchain network (which is a similar model), and could be used to either improve the security around Hyperledger Fabric’s CA process, or to support a distributed CA for a public version of a Hyperledger Fabric network.

In all the above scenarios, if any of the “shares” were lost or compromised, new shares could be generated and distributed without having to revoke and re-generate the underlying private key.

Threshold cryptography can be used in combination with tokenization to devise a system where data can be securely shared between users without revealing the data to third-party observers or adversaries, without having to reveal or share secret keys between the end users or any intermediary systems.  Anon Solutions is currently doing research in this area, which will be discussed in a future blog post.

If you have any questions or comments, or are interested in any of the solutions discussed, please send me a note.

Tools for Securing your Data (for Developers) – Tokenization

In this and the next few blog posts I’ll talk about two useful tools that can help secure and share your data – Tokenization and Threshold Cryptography.

Tokenization refers to the process of replacing sensitive data fields with a randomly generated token value, and storing the sensitive data value in a logically separate data store.  The token value should be randomly generated, so there is no way to map back from the token to the data value without the use of the tokenization system.  (This is a different approach from encrypting the data values, where the encrypted value can potentially be reversed.)  The generated token can potentially be of the same data type and format as the original data value, allowing the capability of integrating tokenization into existing legacy systems, or using tokenization to sever sensitive data values from public cloud-based systems.

Tokenization is an alternative to encryption using strong cryptography.  The two techniques can be combined, using string encryption to secure all data and token values that are transferred between the application data store and token “vault”, as well as encrypting the actual data values within the vault.

A lot of vendors are now talking about something called “Vault-less Tokenization”, which is something like tokenization but without having to maintain a separate token repository.  (The drawbacks to a token database is that if you lose it, you lose your data!)  Vault-less Tokenization is something like encryption, where the token value is derived from the original data, plus some “secret” or some values derived from a lookup table, and then rendered in the data’s original format.  It has the advantages of tokenization, without the cost of a separate data repository.  To recover the original value, you apply the reverse of the “secret” on the token value.  It’s really not that much different than strong cryptography, the main benefit that it gives you a properly formatted token.

There are a number of properties a secure tokenization system should possess and I’ll be talking about these in a future blog post.

Another great tool in your toolkit is threshold cryptography.  This one is a bit more complicated, and I’ll be talking about it (and its applications) in my next post.  And later I’ll demonstrate where tokenization and threshold cryptography can be combined to form a secure platform for social data sharing.