Posted on by Human-Machine Interactionsin
By Eliezer Kanal
Technical Manager, Cyber Security Foundations
Blockchain technology was conceived a little over ten years ago. In that short time, it went from being the foundation for a relatively unknown alternative currency to being the "next big thing" in computing, with industries from banking to insurance to defense to government investing billions of dollars in blockchain research and development. This blog post, the first of two posts about the SEI's exploration of DoD applications for blockchain, provides an introduction to this rapidly emerging technology.
At its most basic, a blockchain is simply a distributed ledger that tracks transactions among parties. What makes it interesting are its fundamental properties, which apply to every single transaction:
This combination of properties results in a system that, by design, timestamps and records all transactions in a secure and permanent manner, and is easily auditable in the future. In addition to the above, due to its distributed nature, the system is highly resilient to downtime. All these properties combined makes an appealing system for a wide variety of applications, and indeed explains much of the interest in the technology.
Before describing blockchains in general terms, I'll describe one of the simplest and best-known implementations in use today: the cryptocurrency Bitcoin. The blockchain in Bitcoin literally acts a ledger; it keeps track of the balances for all users and updates them as money changes hands.
The Bitcoin application allows for two types of users, whom we will refer to as participants and miners. Participants are individuals who want to use Bitcoin as a currency, sending and receiving Bitcoins in exchange for goods and services. These users apply the Bitcoin software to create a "wallet" from which they can send and receive Bitcoins to other participants. The transactions--literally just a message sent to the Bitcoin network broadcasting that this user gave a specific number of Bitcoins to that user--indicate to users that the ledger should be updated.
The role of the miner is to cement these transactions in time through a process called mining. Mining involves solving a hard mathematical puzzle to create blocks, grouped sets of transactions that have been verified to be valid. A good overview for this process appears here, and a brief description follows. The miner selects a random group of unverified transactions that have been generated by users, as well as the solution to the preceding block. The miner's computer will then do some math that involves searching for a random number to solve the puzzle. When a miner finds a solution, the miner conveys it to all other miners, who quickly verify the answer and agree that it is correct. At this point, all the transactions that were included in that block are now cemented in time, and the miners start working on a new set of transactions, linking it to the newly minted block, and begin mining again. This mechanism links each new puzzle piece indelibly to the previous piece, and the chain continues for each new transaction set added to the chain. As a result, every time a new puzzle piece is added, the transactions are cemented in time and their validity is verified by their connection to the preceding piece in the chain: evidence of what transaction occurred, who was involved, and when it occurred.
In this environment, it is impossible to pretend that a transaction took place if it did not. All parties involved are able to look at the transaction history and see that such a transaction never occurred. If a party tries to add a fraudulent transaction, the answer to the puzzle will be different from the correct answer, because the next puzzle piece can be linked only to the actual verified transaction; only the true transaction will be linked to the next puzzle piece. If a malicious actor attempts to insert a new block in the chain, other miners will compare the fake block to their own copy of the blockchain and quickly recognize that the new block is fake.
While Bitcoin is a simple implementation of a blockchain, it was the first real-world application of the technology. A message sent in Bitcoin is, literally, of the form, "give five of my Bitcoins to that person." The Bitcoin blockchain is simply a big, distributed ledger, and the messages sent back and forth are identical to someone handing some cash to a friend. Exchanging Bitcoins by means of exchanging messages is what allows the exchange of money between two parties.
Why Is Interest in Blockchain Exploding?
While blockchain has gained significant popularity due to its role in cryptocurrency (e.g., Bitcoin, Ethereum, etc.), industries as disparate as real estate, healthcare, insurance, systems of records, and even sports ticket sales may be disrupted by blockchain. Fifty financial institutions have committed resources to blockchain-related research, dozens of healthcare companies have expressed interest in blockchain-based technologies, and consulting companies across the globe are helping their clients understand the promise that blockchain can hold for them.
This interest in blockchain technology stems from its four fundamental properties, all of which are highly attractive in many industries. Blockchain is
In short, blockchain provides a distributed, authenticated messaging system that tracks all events, is tamper resistant, and maintains a history.
Such a system can be applied in a number of commercial settings. For example, within the financial industry, tracking transactions between parties is one of the primary purposes of a financial clearinghouse, which acts as an intermediary between parties in the transaction. Blockchain technology shows significant promise in facilitating financial transactions, eliminating the intermediary and significantly reducing costs for everyone involved. Moreover, if the currency itself can be represented by the messages being passed around (as it is in Bitcoin), then the blockchain becomes more than just a method for representing transactions; it becomes the currency itself.
Healthcare is awash with transactions that would benefit from inherently authenticated and tamper-proof messages, from prescriptions to procedure orders to medical records themselves. Two healthcare providers providing services to the same patient often need to share data about a patient, and this sharing still often takes place by means of the telephone or U.S. mail. Such transactions are insecure, slow, and unreliable. Some healthcare providers build an application program interface (API) that allows queries from authorized external parties, which is an improvement over telephone or mail, but the information remains controlled by the healthcare provider who generated it.
With blockchain, health records would be owned by the patient, and the patient would provide permission to any healthcare providers needing access to the records. Health records could then be distributed: every participant would store a full copy of the entire encrypted data set. Rather than querying a remote server, healthcare providers would simply pull needed data from the chain. Should the patient begin seeing a new doctor, he or she would simply give the new doctor the appropriate permissions, and the doctor would then have access the patient's medical data. This could be customized as much as is needed; there are some types of data which only specific doctors should see--a radiologist reading an x-ray of a broken wrists doesn't need to see psychiatric history, for example--and blockchain can easily support this type of granularity. Further reading on blockchain in healthcare can be found here, and an example implementation of a medical health record system using blockchain technology can be found here.
Real estate could also benefit from having records of ownership stored in a distributed, digital ledger that could be easily accessed rather than stored in a single database administered by a county or region. Local ownership of records is complicated by variance in regulations for property ownership, record keeping, contracts, etc. With blockchain, both buyers and sellers would have a complete record of information about a property and could transfer data and assign ownership of that data more easily and securely than is currently possible. Further reading on blockchain in real estate can be found here.
What are the Risks?
Blockchain shows tremendous potential, but is still barely out of its infancy. Initial experiments with creating businesses built using blockchain technology have been mixed, with many failures. The largest public failure was the hack of The DAO, a blockchain-based venture capital fund that lost more than $50 million due to a poorly designed blockchain program, called a "smart contract." A more recent hack lost more than $30 million due to a critical flaw in another "smart contract" that controlled the Parity multi-signature wallet on the Ethereum network. Other ventures have had difficulty getting started or are still in stealth startup mode, working on overcoming limitations in the technology.
The biggest problem with current blockchain implementations is that it requires an enormous number of users acting as miners to function. Mining requires computers to run many millions of calculations per second, thereby consuming a significant amount of electricity, which costs money. While this may be an acceptable cost in the case of Bitcoin for hobbyist users, large businesses will not want their machines running at full speed simply because the blockchain software needs numbers to run. This otherwise-purposeless electricity expense is a significant hindrance so far to adoption. While there are alternative approaches to mining, these are currently academic exercises, and none have been implemented in any large-scale blockchain.
A second impediment to the adoption of blockchain in a well-established industry, as with any new technology, is simply the inertia of existing solutions. Any blockchain-based solution for any sector would require major infrastructure changes and wide-scale user adoption. Particularly in the case of blockchain, where a technology went from non-existent to worldwide buzzword in two years, more conservative companies will need to see a number of successful use cases before even thinking about adopting this new technology.
With all that in mind, many businesses recognize the potential of blockchain and are working hard to make the transition easy. IBM specifically has invested significant resources into the Hyperledger Platform and has released significant documentation and tooling for developing blockchain-based applications.
Why Is the SEI Investigating Blockchain?
The defense sector has identified a number of potential use cases for blockchain technology. The Department of Homeland Security (DHS) recently distributed $400,000 to four blockchain companies to investigate the use of blockchain in identity management and privacy protection. DARPA recently initiated a program researching the applicability of blockchain technology to secure, resilient messaging. The Office of the Assistant Secretary of Defense for Readiness also recently put out a Broad Agency Announcement (BAA) that included research into the applicability of blockchain technology to training and readiness programs.
At the SEI, we have also been investigating the use of blockchain technology within the DoD. Taking advantage of our deep understanding of software engineering principles, our current focus has been on ensuring that the blockchain application-development process doesn't expose applications and users to unnecessary risk. Unfortunately, as with any new technology, early adopters have helped expose a number of significant design flaws with existing blockchain implementations. Our team is focused on developing a "secure by design" language that can be used for blockchain application development. By creating a language that specifically makes certain types of bugs impossible to create, we aim to significantly reduce the risk inherent in the adoption of blockchain technology. We will describe this work in greater detail in a forthcoming blog post.
Read other blog posts by Eliezer Kanal.