How secure and private are blockchains?
Both public and private blockchains provide a certain level of out-of-the-box security for your data. The consensus mechanism is the main driver behind the security and correctness of the blockchain. With a public blockchain, all users need to abide by the consensus algorithm that verifies all transactions, and when doing so they need to prove that they made a sufficient amount of effort by solving a mathematical problem. In many cases, the first user to solve the problem, or who is chosen to solve the problem, gets rewarded. Each new solution then forms the basis for the next block of transactions to be solved. It becomes almost impossible to manipulate data that is confirmed in an earlier block, since it directly affects the blocks that were created after that block. A private blockchain is even more secure, since you need to have secured permission to participate on the network. Since read and write access needs to be granted explicitly to a participant, it is likely that you know and trust them. The changes on the ledger can be tracked back to an actual person, whereas with a public blockchain, it is only tied to a network address that can be owned by anyone.
Nonetheless, there are still some security risks that the software and the network rules cannot fix for you. Public blockchains, for example, that use cryptocurrencies to fuel their network have also led to black market trading. Since transactions are bound to an address and not a personal identity, it is hard to figure out who is actually trading. Because of this, public blockchains increasingly draw the attention of cybercriminals who steal cryptocurrencies or other available assets. Another security issue relates to the method of reaching consensus.
The most commonly-used means of achieving consensus consume a lot of energy. This may lead to centralization or the possibility of collusion, because the majority of the network nodes are run in countries with cheap electricity, or even within a single country.
This does not mean there are no security concerns when using a private blockchain. With a private blockchain, operators can control who is allowed to connect to the network and operate a node. Some concerns include the fact that a node can restrict the transmission of information or transmit incorrect information. Such nodes must be identified and bypassed in order to maintain the integrity of the system.
Besides security, you need to think about the participant's privacy on the blockchain. Privacy is much more nuanced, and addressing this issue can lead to uncomfortable questions. What needs to be kept private? Why? From whom? When looking into maintaining privacy, there are solutions that can be easily implemented in some cases, while in others it may be much harder. Many of these solutions are compatible with the currently existing blockchains, but it depends on what you want to achieve as to whether they will prove satisfactory. Technologies that allow users to do absolutely everything on blockchain without the possibility of being tracked are more difficult to create.
To secure private data on a public blockchain, you can look into the following methods:
- Cryptographic obfuscation
- Secure multi-party computation
- Zero-knowledge proofs
In short, cryptographic obfuscation is a way of turning your application into a black box version (or its equivalent). The application still has the same underlying logic, and it also returns the same outputs for the given inputs. However, because the data is encrypted along the way, it's impossible to determine any details of how it works.
Secure multi-party computation is a type of cryptographic system where parties jointly compute a function over their inputs while keeping those inputs private. Each party initially receives access to a share of the input by the sender and computes a function over that share. The outputs are returned to the sender, who can assemble the final output without any party knowing more than their initial share.
Another powerful technology is zero-knowledge proofs. This allows you to construct a mathematical proof that, when executing a given program on some input by the user, returns a particular output without revealing any other information. One zero-knowledge proof that can easily be implemented uses a digital signature showing that you know the value of a private key, which, when processed by the smart contract, can be converted into a particular public output.
When using a private or permissioned blockchain, it is much easier to secure the privacy of the data in the blockchain because participants and operators can limit read and write permissions on shared data (assets) and the execution of transactions. Even though you might think you're losing the decentralization of the network, there is still some degree of decentralization maintained in their structure. This is done by allowing participants to grant read/write permissions to other participants, which leads to a partially decentralized design.
I will discuss the security risks and the privacy methods of both public and private blockchains in more detail in Chapter 5, Blockchain 101 - Security, Privacy, and Smart Contracts.