Guarding the ‘Trust’: Blockchain Security and Protection
UDC Story — Insights from UDC 2018
“Ethereum technology is better than Bitcoin? Bitcoin is the most perfect cryptocurrency in existence.”
That’s a statement by Bitcoin Core developer Jimmy Song in April of 2018. He is a ‘Bitcoin Maximalist (fundamentalist).’
Generally, Bitcoin is categorized as a first-generation cryptocurrency and Ethereum as a second-generation cryptocurrency. Many acknowledge Bitcoin as the forerunner but view it as technologically behind the times. Ethereum has smart contract features allowing it to be used in finance as well as various other areas including real estate, logistics, and insurance, making it seem more advanced.
However, Song strongly refutes this. Bitcoin does possess a smart contract language (scripts). The difference from Ethereum is ‘Turing completeness.’ Turing completeness means having computational abilities equivalent to those of a Turing machine. Almost all programming that is executable on regular computers is possible with Ethereum due to its Turing completeness. Various distributed applications (DApps) can be built on the Ethereum platform. However, Turing completeness also means that infinite loops can occur in the language, making it vulnerable to hacks.
Song participated in the Colored Coins project in 2013. Colored Coins is a type of token where physical assets are expressed in digital form through the Bitcoin blockchain. It is similar to the ERC-20 token based on Ethereum. A 19-year-old named Vitalik Buterin was also on the Colored Coins team. Buterin wanted to make a platform with smart contracts that could be used in more areas than just finance. Due to disagreements with core developers who opposed smart contracts due to fears of hacking, Buterin left the team and founded Ethereum in 2014.
This fear eventually became reality. Bitcoin has never really been hacked in its decade-plus history. The only hacking that occurred was when the private key was lost due to personal negligence. Ethereum, on the other hand, went through two major hacking incidents. The hacks targeted vulnerabilities in smart contracts, not the blockchain structure.
The two worst hacking incidents in Ethereum network history, in which the most Ether (ETH) were stolen, both involved attacks using a minor smart contract bug. Decentralized investment fund project The DAO lost 3.6 million Ether in June 2016, and the incident made Ethereum conduct a hard fork. Cryptocurrency wallet Parity lost 153,000 Ether in July 2017. Although it was not directly caused by hacking, there was another incident just four months later where USD 500,000 worth of Ether was frozen due to a smart contract bug. This issue has yet to be resolved. Blockchains were believed to be completely safe from hacking threats, but the smart contracts within created new openings.
◇ Protecting blockchains from security threats
Blockchain projects have an open source mentality and usually disclose their code. Newly launched projects sometimes borrow code from existing projects for development efficiency. The term ‘borrow’ is used as a nice way to describe this process; in reality it is closer to ‘copying and pasting.’ If existing smart contracts are copied and used, any vulnerabilities they may have are also copied over. According to Zeus, a service that analyzes smart contract security vulnerabilities, 94.6% of the 22,400 smart contracts have security vulnerabilities.
This issue was pointed out by Lee Heejo, professor of computer science at Korea University. At UDC 2018, he spoke about how reusing code has led to the spread of vulnerability in open-source blockchain projects.
“Currently, a large amount of software is being developed as open source. Of the 2,600 well-known projects, around 2,202 are using code that overlaps with other projects.” Lee shared statistics that illustrated how similar blockchains like Litecoin, Monero, and Steemit were created using overlapping code, and how that exposed them to security threats.
Lee added, “Even though the security vulnerabilities of the original code may be patched, it is very difficult to look up the original source, leaving the vulnerabilities intact in the projects that reused the code. Security issues from reusing code can continuously occur during the development stage, so constant and automated security systems are needed to resolve this issue.”
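One way to automate the kind of check Lee calls for, shown as an added example that is not from the talk or from any tool named on this page: fingerprint each function after stripping comments and whitespace, then look the fingerprints up in a list built from code known to be vulnerable. The Solidity-like snippets, the function names and the advisory id `EXAMPLE-ADVISORY-1` are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: an upstream function later patched (missing balance check).
UPSTREAM_VULNERABLE = """
function transfer(address to, uint amount) public {
    balances[msg.sender] -= amount;
    balances[to] += amount;
}"""

# Constructed sample: a downstream project that pasted the old code, renamed it,
# and changed only comments and spacing.
DOWNSTREAM = """
function send(address to, uint amount) public {
    // move tokens
    balances[msg.sender]-=amount;  /* debit */
    balances[to] += amount;
}
function deposit() public payable { balances[msg.sender] += msg.value; }"""

def normalize(body):
    """Drop comments and whitespace so cosmetic edits do not change the hash."""
    body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)
    body = re.sub(r"//[^\n]*", "", body)
    return re.sub(r"\s+", "", body)

def function_bodies(source):
    """Map function name -> body using simple brace matching (demo-grade parser)."""
    bodies = {}
    for m in re.finditer(r"function\s+(\w+)[^{]*\{", source):
        depth, i = 1, m.end()
        while depth and i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        bodies[m.group(1)] = source[m.end():i - 1]
    return bodies

def fingerprint(body):
    return hashlib.sha256(normalize(body).encode()).hexdigest()

def build_db(vulnerable_source, advisory_id):
    return {fingerprint(b): advisory_id for b in function_bodies(vulnerable_source).values()}

def find_clones(source, db):
    hits = [(name, db.get(fingerprint(body))) for name, body in function_bodies(source).items()]
    return sorted(h for h in hits if h[1])

DB = build_db(UPSTREAM_VULNERABLE, "EXAMPLE-ADVISORY-1")  # placeholder id
```

Exact-hash matching only catches copies whose logic is unchanged; a clone with renamed variables or reordered statements needs a more abstract normalization step.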
Blockchain projects with wallet services that store user assets must do everything in their power to ensure security. Blockchains themselves are difficult to hack, but private keys are frequently exposed to hacking threats.
Founded in 2013, the Palo Alto-based startup BitGo launched the industry’s first multi-sig wallet. Multi-sig wallets use a method where there are three electronic wallet keys, and asset withdrawals are only possible with two or more keys.
The majority of cryptocurrency wallets have only one key. If this key is hacked, cryptocurrencies can be withdrawn without the owner’s knowledge. When multi-sig wallets are used, hacking any one key is useless, making it much safer. In Korea, exchanges like Upbit and Korbit are using BitGo’s services.
At UDC 2018, BitGo CTO Benedict Chan spoke on expandable multi-coin wallet platforms. “BitGo has currently evolved into a multi-currency wallet platform that can manage around 2,000 digital currencies. It is our mission to provide infrastructure where digital currencies can be publicly circulated.” Chan continued by adding that “BitGo will consider the wallet provider’s position and strengthen our services by increasing hardware security, implementing existing good security practices from around the industry, and investing in blockchain platforms.”
◇ Privacy Protection
The most fundamental idea of cypherpunk, which inspired the creation of Bitcoin, is the absolute protection of privacy. A Cypherpunk’s Manifesto (1993) contains statements like “Privacy is a requirement for an open society in the electronic era. Privacy is different from secrecy. Privacy is the desire not to be known to everybody in the world, while secrecy is the desire to not be known by anybody. Privacy is the power to reveal yourself to the world selectively.”
The expression “Cypherpunks write code” symbolizes the cypherpunk movement. Cypherpunk activists actually wrote code to bring their ideas into reality, eventually giving birth to the blockchain-based cryptocurrency Bitcoin in January 2009.
Blockchain technology was introduced to protect privacy, but there are concerns that it may actually lead to the invasion of privacy due to transaction records being made transparent. Although encryption is built in to guarantee privacy, the encryption process is certainly not foolproof.
Seoul University professor Cheon Jung Hee spoke on privacy protection through encryption at UDC 2018. Cheon stated that the gradually increasing risk of personal data leaks is accelerating the evolution of enhanced encryption methods, particularly homomorphic encryption.
Homomorphic encryption allows for statistical analysis of data while maintaining the encryption status, meaning the contents of the encrypted files cannot be viewed. Homomorphic encryption is gaining interest as a future technology that keeps personal data in an encrypted state while still allowing it to be utilized safely. As encryption keys are being used more and more frequently, they have also become the main targets of hackers.
Homomorphic encryption is a technology that protects these encryption keys. Cheon opened his presentation by saying, “Until now, public key passwords (third-generation passwords) have been used to protect data, but hacking has continued. Encryption keys are used every time passwords are entered, and as the process of entering and removing the encryption key is repeated, data is easier for hackers to grab.” Homomorphic encryption, the fourth-generation password of the future, protects the key and involves the key only when someone directly reviews the data.
With homomorphic encryption, the results calculated utilizing encrypted data are returned to the data owner and then personally decrypted by the same owner to view the results. “We are heading toward a world without encryption keys. Homomorphic encryption technology is a technology that protects data because it doesn’t require computers to use keys to carry on their tasks,” stated Cheon.
He also pointed out that the current process of decrypting all the data first and then calculating it leaves both the data and the key entirely exposed. By using homomorphic encryption, the encryption key does not need to be relayed to the computer, subcontractor, or data processing personnel. That means the risk of personal data leaks can be reduced significantly.
Cheon explained that it would be possible to request tasks such as the storage or query of data while only uploading encrypted data with homomorphic encryption. With previous methods, the data had to be uploaded in plain text, which meant it could also be accessed by any machine learning AI. “If it is possible for the task to be handled on the cloud without the AI knowing what the task is, that would make machine learning impossible. That means the data can’t be used by the cloud or company device for other purposes.”
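The workflow described above (the owner uploads only ciphertexts, the other party computes on them without a key, and the owner decrypts the result) can be seen in a small added example that is not from the talk. It uses the Paillier cryptosystem, which supports only addition on ciphertexts and is a simpler scheme than the approximate homomorphic encryption Cheon presented; the fixed demo primes and the sample balances are constructed and are not secure key material.

```python
import math
import secrets

# Toy Paillier cryptosystem (additively homomorphic). The primes are two small,
# publicly known Mersenne primes chosen for the demo: NOT secure key material.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    phi = (p - 1) * (q - 1)
    mu = pow(phi, -1, n)          # requires gcd(phi, n) == 1
    return n, (n, phi, mu)        # (public key, private key)

def encrypt(n, m):
    """Encrypt integer 0 <= m < n under public key n (generator g = n + 1)."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1   # fresh randomness per ciphertext
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def decrypt(priv, c):
    n, phi, mu = priv
    u = pow(c, phi, n * n)        # equals 1 + (m * phi mod n) * n
    return (u - 1) // n * mu % n

def add_encrypted(n, ciphertexts):
    """Run by the untrusted party: multiplying ciphertexts adds plaintexts."""
    total = encrypt(n, 0)
    for c in ciphertexts:
        total = total * c % (n * n)
    return total

def demo():
    pub, priv = keygen()                       # data owner keeps priv
    balances = [1200, 830, 455, 9015]          # constructed sample data
    uploaded = [encrypt(pub, b) for b in balances]
    enc_sum = add_encrypted(pub, uploaded)     # server side: public key only
    return decrypt(priv, enc_sum), balances, uploaded

if __name__ == "__main__":
    total, balances, _ = demo()
    print("decrypted sum:", total, "mean:", total / len(balances))
```

The party running `add_encrypted` never holds `phi` or `mu`, so it can return the encrypted sum but cannot read the individual values or the result.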
As of now, only the so-called third-generation public key encryption methods are being used. According to Cheon, homomorphic encryption has yet to be commercialized. The Industrial & Mathematical Data Analytics Research Center of Seoul University is currently partnering with Korea Smart Authentication Corp to develop services that combine homomorphic encryption-applied biometric authentication with financial data. “Commercialization of homomorphic encryption-applied biometrics and financial data analysis will be possible soon, making Korea the first country to commercialize this technology,” he added.
There are those that believe smart contracts are the best way to resolve private data leak issues. At UDC 2018, UC Berkeley professor and Oasis Labs founder and CEO Dawn Song discussed this topic during her presentation titled, “Oasis: Privacy-preserving Smart Contracts at Scale.”
Song said that “The ‘data silo (barrier between departments within an organization)’ issue still exists, where data is not combined and utilized only in isolation by individual companies or business units. And personal data leak issues still persist. We can resolve these issues through smart contracts.”
Oasis Labs develops fraudulent transaction prevention solutions utilizing blockchain-based cloud computing and machine learning technology. Song argued that “If the personal data handled by banks can be integrated, fraud prevention models can become more sophisticated and precise. The problem is that sharing personal data outside of the organization is a very sensitive and complicated matter. Sensitive data can be sufficiently protected, and the data can be used in an integrated fashion if the smart contract features of blockchain are used.”
Oasis Labs focuses on the fraud detection systems independently operated by financial organizations. They have developed a method where data from these sources can be integrated and used while still protecting personal data. When sensitive financial data is shared, privacy protection devices are automatically run by the smart contracts.
“Basically, a large amount of data must be available for artificial intelligence to learn fraud detection patterns. Better performing fraud detection models can be developed if smart contract features can be used to integrate transaction data safely,” Song added.
Founded in 2018, Oasis Labs is developing a next-generation protocol that allows developers, regardless of expertise, to develop privacy protection smart contracts easily and cost-efficiently. Song concluded that “the main mission of Oasis Labs is to protect security and privacy. We are working hard on hardware with enhanced security, the Oasis platform, and an open source design to achieve this mission.”
※ Referenced speeches (The speeches can be viewed in their entirety on the UDC 2018 YouTube page)
- “Blockchain Software Security — Case Analysis of Blockchain Platform Vulnerabilities” by Korea University Professor Lee Heejo
- “BitGo’s Multi-signature Wallet” by BitGo CTO Benedict Chan
- “Approximate Homomorphic Encryption and Machine Learning” by Seoul University Professor Cheon Jung Hee
- “Oasis: Privacy-preserving Smart Contracts at Scale” by Oasis Labs Founder & CEO Dawn Song
*This post is a translated excerpt from Proof of Report UDC 2018 written by Ran Ko, CCO of Join:D, a blockchain media affiliated with JoongAng Daily.