...by Daniel Szego
"Simplicity is the ultimate sophistication."
Leonardo da Vinci

Sunday, February 12, 2017

How secure is Blockchain?

Well, that is a difficult question to be answered. It is regarded actually more secure as a classical client server model, however I guess there is still no explicit study or comparison on that. It is actually a question as well if the regard security rather from a theoretical or a practical point of view. 

NODE SECURITY: First of all the wallets are regarded pretty secure, as they are protected by cryptographic algorithms, like SHA-256 for bitcoin. However this construct has a practical trade off, if you your private key is not leaked or lost, the system is secure. However at both previously mentioned cases your money is probably lost, which gives many different constructs of storing your keys redundant but secure. As a conclusion, yes the system is from a cryptographic point of view secure but it must be really payed attention at the practical usage to behave secure. Typical examples scandals of the last couple if years, where investors stored Bitocoin in Web Wallets, in which coins and private keys were stored in a central server. Having hacked the central server, the private keys were leaked and the money was stolen. 

NETWORK SECURITY: On the other hand, we should consider the Blockchain and the transaction validation. Hacking the system basically mean elements like hacking a transaction, like making a double spending, hacking the Blockchain itself, like modifying an old transaction in the Blockchain or simply causing performance issues in the chain itself. As examples a 51% attack can cause double spending for Bitcoin, actually less than 51% can be enough if the attack is combined with a sybil attack, meaning partly of the communication of  the nodes are disabled. Considering the size of the current Bitcoin network and the Proof of Work consensus mechanism a successfully 51 attack would cost as much energy as small nuclear plant. There might be other attacks as well that are rather Denial as a Service trying to destabilize the network or hard-fork the ledger. 

CONSENSUS SECURITY: The situation is getting more and more complicated if we consider different consensus mechanism like, Proof of Stake or Proof of existence and beside public different other style of networks, like private or corporate networks. As a rule of thumb, we can say that the size of the network matters. Small networks are more unstable by design. At private or corporate networks, the main question is always how difficult is to hack a certain node. There are some opinions, that only the long-living public networks are secure enough simply because surviving long-enough many hacking attempts in a public domain provides a certain immunity.  

SMART CONTRACT SECURITY: The situation is getting complicated with smart-contract systems, like Ethereum as well. As these solutions are "self-programmed" in a certain way further question is how secure is the smart-contract itself that is running on the Blockchain. As an example The DAO project was hacked not because of problems of the Blockhain itself, but because the smart-constract code was simply not designed secure enough.