REAL-WORLD CRYPTO Editors: Peter Gutmann, [email protected] | David Naccache, [email protected] | Charles C. Palmer, [email protected]

On the Origins and Variations of Blockchain Technologies

Alan T. Sherman, Farid Javani, Haibin Zhang, and Enis Golaszewski | University of Maryland, Baltimore County

We explore the origins of blockchain technologies to better understand the enduring needs they address. We identify the five key elements of a blockchain, show the embodiments of these elements, and examine how these elements come together to yield important properties in selected systems. To facilitate comparing the many variations of blockchains, we also describe the four crucial roles of common blockchain participants. Our historical exploration highlights the 1979 work of David Chaum, whose vault system embodies many of the elements of blockchains.

Digital Object Identifier 10.1109/MSEC.2019.2893730
Date of publication: 20 March 2019

Understanding Blockchains

With myriad blockchain distributed ledger systems in existence, more than 550 associated patent applications under review, and much associated hype, it can be difficult to make sense of these systems, their properties, and how they compare. Through exploring the origins of these technologies, including David Chaum's 1979 vault system, we provide insights and a clear and useful way to think about blockchains. Our historical perspective distills important ideas, identifies enduring needs, and shows how changing technologies can satisfy those needs. This perspective will help people understand where blockchain technologies came from, whether they are important, and if they will persist. (For a complete list of references, see A. Sherman et al.[1])

Elements of Blockchains

Blockchains provide a mechanism through which mutually distrustful remote parties (nodes) can reach consensus on the state of a ledger of information. To trace the origins of these technologies, we start by identifying their essential elements informally. A blockchain is a distributed ledger comprising blocks (records) of information, including information about transactions between two or more parties. The blocks are cryptographically linked to create an immutable ledger. Nodes may append information to the ledger through invoking transactions. An access policy determines who may read the information. A control policy determines who may participate in the evolution of the blockchain and how new blocks may potentially be appended to the blockchain. A consensus policy determines which state of the blockchain is valid, resolving disputes should conflicting possible continuations appear.

As explained by Cachin and Vukolic,[2] a range of control policies is possible, including permissioned, consortium, private, and permissionless blockchains. In a permissioned blockchain, a body identifies and controls who may update state and issue transactions. A private blockchain is a permissioned blockchain controlled by one organization. A consortium blockchain is a permissioned blockchain involving a group of organizations. In a permissionless blockchain, anyone may potentially append new blocks, with the consensus policy (e.g., a majority of participants) determining which continuation is valid.

Blockchains achieve consensus and control (and, in particular, prevent double spending) in part through applying protocols and establishing high costs (both economic and computational) to modify the ledger. Typically, permissioned systems run faster than permissionless systems do because their control and consensus strategies depend on faster fault-tolerant protocols[3] rather than on time-consuming cryptographic proofs of work (PoWs), and they usually involve fewer nodes. Gencer et al. show that permissionless blockchains (such as Bitcoin and Ethereum) are much more centralized than many people assume: 20 mining pools control 90% of the computing power.

Some blockchains additionally support the idea of smart contracts, which execute terms of agreements between parties, possibly without human intervention. These agreements might be embodied as arbitrary computer programs including conditional statements.

72 January/February 2019 Copublished by the IEEE Computer and Reliability Societies 1540-7993/19©2019IEEE

Embodiments of the Elements

Although the seminal paper on Bitcoin appeared in 2008 (with the mysterious author Satoshi Nakamoto),[4] most of the underlying technological ideas had arisen many years earlier. A blockchain is a type of distributed database, an idea that goes back to at least the 1970s (e.g., Wong[11]). More generally, the idea of record keeping goes back millennia, including to ancient Mesopotamia. Kanare describes proper methods for scientific logging, including the idea of preserving all transaction records, in addition to the history of any modifications to the collected data—ideas that are found in many systems (e.g., Hyperledger Fabric).

The idea of immutably chaining blocks of information with a cryptographic hash function appears in the 1979 dissertation of Ralph Merkle at Stanford, in which Merkle explains how information can be linked in a tree structure now known as a Merkle hash tree. A linear chain is a special case of a tree, and a tree provides a more efficient way of chaining information than does a linear chain. Subsequently, in 1990, Haber and Stornetta applied these ideas to time-stamp documents, creating the company Surety in 1994. These prior works, however, do not include other elements and techniques of blockchain.

To prevent an adversary from unduly influencing the consensus process, many permissionless systems require that new blocks include a proof of computational work. Nakamoto's paper cites Back's[5] 2002 effective construction from Hashcash. In 1992, Dwork and Naor proposed proof of computation to combat junk mail. The idea and a construction underlying PoW, however, may be seen in an initial form in 1974 in Merkle's puzzles,[6] which Merkle proposed to implement public-key cryptography. Bitcoin was the first to use PoW for both mining and achieving consensus.

PoW aims, in part, to defend against Sybil attacks, in which adversaries attempt to forge multiple identities and use those forged identities to influence the consensus process. With PoW, however, a node's influence on the consensus process is proportional to its computational power: forging multiple identities that share the adversary's given computational power does not help. To adapt to varying amounts of available computational resources, PoW systems dynamically throttle the difficulty of the PoW problem to achieve a certain target rate at which the problems are solved.

Permissioned blockchains can be modeled using the concept of (Byzantine fault-tolerant) state machine replication, a notion proposed in 1978 by Lamport and, later, concisely formalized by Schneider. State machine replication specifies what the transactions are and in what order they are processed, even in the presence of (Byzantine) faults and unreliable communications.[3] Thereby, to achieve a strong form of transaction consensus, many permissioned systems build on the ideas from the 1998 Paxos protocol of Lamport[7] (which deals only with crash failures) and from the 2002 Practical Byzantine Fault Tolerance protocol of Castro and Liskov. Nakamoto observed that the permissionless Bitcoin system realizes Byzantine agreement in open networks.

Arguably, many of the elements of blockchains are embodied in David Chaum's 1979 vault system,[8] described in his 1982 dissertation[9] at Berkeley, including detailed specifications. Chaum describes the design of a distributed computer system that can be established, maintained, and trusted by mutually suspicious groups. It is a public record-keeping system with group membership consistency and private transaction computations that protects individual privacy through physical security. The building blocks of this system include physically secure vaults, existing cryptographic primitives (symmetric and asymmetric encryption, cryptographic hash functions, and digital signatures), and a new primitive introduced by Chaum—threshold secret sharing.[8] Chaum's 1982 work went largely unnoticed, apparently because he never made any effort to publish it in a conference or journal, instead pursuing different approaches to achieving individual privacy.

In Chaum's system, each vault signs, records, and broadcasts each transaction it processes. Chaum states, "Because the aggregate includes COMPRESSED_HISTORY, the [cryptographic] checksum is actually 'chained' through the entire history of consensus states."[9] He further says, "Nodes remember and will provide all messages they have output—each vault saves all it has signed, up to some limit, and will supply any saved thing on request; only dead vaults can cause loss of recently signed things."[9]

Chaum's system embodies a mechanism for achieving membership consistency: "Among other things, the algorithms must provide a kind of synchronization and agreement among nodes about allowing new nodes into the network, removing nodes from the network, and the status of nodes once in the network."[9] The system also embodies a weak form of transaction consensus, albeit vaguely described and apparently not supporting concurrent client requests: "If the output of one particular processor module is used as the output for the entire vault, the other processors must be able to compare their output to its output, and have time to stop the output on its way through the isolation devices."[9] The consensus algorithm involves majority vote of nodes based on observed signed messages entering and leaving vaults.
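The chaining and proof-of-work mechanics described above, as an added illustration rather than code from the article or from Bitcoin: each block commits to its transactions through a Merkle root, links to the previous block's header hash, and carries a nonce that makes its header hash begin with a required number of zero bits; a retarget rule throttles that requirement toward a target block interval, and a watcher-style check rejects any chain in which a transaction, a root or a link has been altered. The block layout, the zero-bit target and the retarget thresholds are simplifications chosen for this example.

```python
"""Hash-chained ledger with hash-puzzle proof of work. Added illustration for
this column, not code from the article or Bitcoin; block layout, zero-bit target
and retarget rule are simplified stand-ins chosen for the example."""
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # placeholder link for the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions: list) -> str:
    """Merkle hash tree over the transactions (one leaf is the linear case)."""
    level = [sha256_hex(tx.encode()) for tx in transactions] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:            # odd level: duplicate the last node
            level.append(level[-1])
        level = [sha256_hex((a + b).encode()) for a, b in zip(level[::2], level[1::2])]
    return level[0]


def leading_zero_bits(hex_digest: str) -> int:
    """Leading zero bits of a 256-bit digest: the PoW 'number of zeroes'."""
    return 256 - int(hex_digest, 16).bit_length()


@dataclass
class Block:
    index: int
    prev_hash: str      # header hash of the predecessor: the chain link
    transactions: list
    tx_root: str        # Merkle root committing to the transactions
    difficulty: int     # required leading zero bits of the header hash
    nonce: int = 0

    def header_hash(self) -> str:
        header = (self.index, self.prev_hash, self.tx_root, self.difficulty, self.nonce)
        return sha256_hex(json.dumps(header).encode())


def mine(block: Block) -> Block:
    """Try nonces until the header meets the target; each extra bit doubles the work."""
    while leading_zero_bits(block.header_hash()) < block.difficulty:
        block.nonce += 1
    return block


def retarget(difficulty: int, actual_interval: float, target_interval: float) -> int:
    """Dynamic throttling: blocks arriving far faster than the target interval
    cost one more zero bit next round; far slower, one fewer (never below 1)."""
    if actual_interval < target_interval / 2:
        return difficulty + 1
    if actual_interval > target_interval * 2:
        return max(1, difficulty - 1)
    return difficulty


def build_chain(batches: list, difficulty: int) -> list:
    """Mine one block per batch of transactions, each linked to its predecessor."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = mine(Block(i, prev, list(txs), merkle_root(txs), difficulty))
        chain.append(block)
        prev = block.header_hash()
    return chain


def verify_chain(chain: list) -> bool:
    """Watcher's check: Merkle root, PoW target and link to the predecessor's header."""
    prev = GENESIS_PREV
    for block in chain:
        if (block.prev_hash != prev
                or merkle_root(block.transactions) != block.tx_root
                or leading_zero_bits(block.header_hash()) < block.difficulty):
            return False
        prev = block.header_hash()
    return True
```

Rewriting any past transaction changes that block's Merkle root and therefore its header hash, so either its own PoW or the next block's link fails; an attacker would have to re-mine every later block, which is the cost the text describes.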

Chaum created his vaults system before the emergence of the terms permissioned and permissionless blockchains, and his system does not neatly fall into either of these discrete categories. In Chaum's system, each node identifies itself uniquely by posting a public key, authenticated by level 2 trustees. For this reason, some people may consider Chaum's system a permissioned blockchain.

This narrow view, however, diminishes the fact that each node can be authorized in a public ceremony independently from any trustee. During this ceremony, vaults are assembled from bins of parts, which the public (not necessarily nodes) can inspect and test—a procedure that inspired Chaum to coin the more limited phrase cut and choose. Regardless of whether one views some configurations of Chaum's vaults as permissionless systems, the trust bestowed through the public ceremony creates a system whose trust model is the antithesis of that of a private (permissioned) blockchain. For these reasons, we consider Chaum's system publicly permissioned.

Chaum assumes, essentially, a best-effort broadcast model, and he does not provide mechanisms for achieving consensus with unreliable communications—technologies that subsequently have been developed and applied in modern permissioned systems. Chaum's dissertation does not include the ideas of PoW, dynamic throttling of work difficulty, and explicit smart contracts (though Chaum's vaults support arbitrary distributed private computation).

Unlike in most blockchain systems, nodes in Chaum's system hold secret values, which necessitates a more complex mechanism for restarting after failures. Using what Chaum calls partial keys, any vault can back up its state securely by encrypting it with a key and then escrowing this key using what we now call threshold secret sharing. After reading Chaum's February 1979 technical report[8] that describes partial keys, Adi Shamir published an elegant alternate method for secret sharing in November 1979.

Chaum also notes that pseudonyms can play an important role in effecting anonymity: "Another use allows an individual to correspond with a record keeping organization under a unique pseudonym which appears in a roster of acceptable clients."[9]

To enable private transactions for blockchains, engineers are exploring the application of trusted execution environments, continuing an approach fundamental in Chaum's vaults.

In 1994, Szabo[10] coined the term smart contract, but the idea of systematically applying rules to execute the terms of an agreement has a long history in trading systems. For example, in 1949, with a system involving ticker tapes and humans applying rules, Future, Inc. generated buy and sell orders for commodities. Recently, so-called hybrid blockchains have emerged, which combine Byzantine fault-tolerant state machine replication with defenses against Sybil attacks—for example, PeerCensus, ByzCoin, Solidus, Hybrid Consensus, Elastico, OmniLedger, and RapidChain. Also, Hyperledger (an umbrella project involving Fabric, a system for permissioned blockchains) and Ethereum (a platform for public blockchains) have joined forces. Recently, researchers have applied game theory to model and analyze the behaviors of players and mining pools in blockchain-based digital currencies (see Dhamal and Lewenberg). Table 1 chronicles some of the important cryptographic discoveries underlying blockchain technologies. For example, in 2018, the European Patent Office issued the first patent on blockchain—a method for enforcing smart contracts.

Table 1. A timeline of selected discoveries in cryptography and blockchain technology.

1970 | James Ellis, public-key cryptography discovered at Government Communications Headquarters (GCHQ) in secret
1973 | Clifford Cocks, RSA cryptosystem discovered at GCHQ in secret
1974 | Ralph Merkle, cryptographic puzzles (paper published in 1978)
1976 | Diffie and Hellman, public-key cryptography discovered at Stanford
1977 | Rivest, Shamir, and Adleman, RSA cryptosystem invented at the Massachusetts Institute of Technology
1979 | David Chaum, vaults and secret sharing (dissertation in 1982)
1982 | Lamport, Shostak, and Pease, Byzantine Generals Problem
1992 | Dwork and Naor, combating junk mail
2002 | Adam Back, Hashcash
2008 | Satoshi Nakamoto, Bitcoin
2017 | Wright and Savanah, nChain European patent application (issued in 2018)

Comparison of Selected Blockchain Systems

To illustrate how the elements come together in actual blockchain systems, we compare a few selected systems, including Chaum's vaults, Bitcoin, Dash, Corda, and Hyperledger Fabric, chosen for diversity. Table 2 describes how each of these systems carries out the four crucial participant roles of any blockchain defined ahead. For more context, Table 3 characterizes a few important properties of these systems and of one additional system—Ethereum.

In his vault system, Chaum[9] identifies four crucial participant roles of any blockchain, which we call watchers, doers, executives, and czars. The watchers passively observe and check the state of the ledger. The doers (level 1 trustees) carry out actions, including serving state. The executives (level 2 trustees) sign (or otherwise attest to) the blocks. The czars (level 3 trustees) change the executives and their policies. Chaum refers to these participants as bodies,[9] leaving it unclear whether they could be algorithms.

Although most systems do not explicitly specify these roles, all systems embody them, though with varying nuances. For example, many people naively think of Bitcoin as a fully distributed system free of any centralized control, but, in fact, Bitcoin's core developers—as is true for all distributed systems—carry out the role of czars, changing the underlying software that implements policy. Despite these significant powers, the control structure is still more distributed (anyone can potentially become a core developer) than for a permissioned system controlled entirely by a prespecified entity. In Bitcoin, in each round, the winning miner (a doer) becomes an executive for that round. It is instructive to understand how each blockchain system allocates the four participant roles.

Table 3 illustrates some of the possible variations of blockchains, including varying control and consensus policies as well as different types of smart contracts. Whereas most blockchain systems maintain a single chain, Corda supports multiple independent chains, per node or among subsets of nodes. Similarly, Chaum's system also supports multiple chains. While most blockchains require each node to maintain the same state, Corda's and Chaum's systems do not.

Table 2. Alignment of participant roles across five blockchain systems.

Systems compared: Chaum, 1982 (a flexible system based on vaults); Bitcoin, 2008 (a permissionless system using PoW); Dash, 2014 (a system that speeds up Bitcoin with a masternode network); Corda, 2016 (a permissioned system with smart contracts); Hyperledger Fabric, 2016 (a permissioned system with smart contracts).

Role | Chaum, 1982 | Bitcoin, 2008 | Dash, 2014 | Corda, 2016 | Hyperledger Fabric, 2016
Watchers (passively check state) | Any computer online[9] | Nodes (distinct from full nodes) | Any computer online | Nodes | Peers
Doers (carry out actions, including serving state) | Level 1 trustee | Full nodes | Miners | Nodes | Peers
Executives (sign blocks or otherwise attest to them) | Level 2 trustee (promoted from level 1 by czars)[9] | Winning miner (promoted from doers each round) | Winning masternode (promoted by an algorithm from the masternode network, which anyone may join for 1,000 Dash) | Nodes (each node is an executive for its Corda blocks, called states) | Endorsing peers
Czars (change executives and their policies) | Level 3 trustee[9] | Core developers | Quorum of masternodes | Permissioning service | Endorsement policies

Conflicts and Challenges

Because blockchain technologies address enduring needs for permanent, indelible, and trusted ledgers, they will likely be around in various forms for a long time. There are, however, some troubling fundamental conflicts that have not been solved. These conflicts include tensions between the following pairs of potentially dissonant concerns: privacy and indelibility, anonymity and accountability, stability and alternative future continuations, and current engineering choices and long-term security. For example, recent European privacy laws grant individuals the right to demand that their personal data be erased from most repositories (the right to be forgotten). Satisfying this erasure requirement is highly problematic for indelible blockchains, especially for ones whose nodes lack physical security.

An attraction of blockchains is their promise of stability enforced through consensus, yet sometimes the nodes cannot agree, resulting in a fork and associated possible splits in the continuations of the chain. In a hard fork, level 3 trustees issue a significant change in the rules that is incompatible with the old rules. In a soft fork, there is a less severe change in the rules for which the old system recognizes valid blocks created by the new system (but not necessarily vice versa).

Security engineers must commit to particular security parameters, hash functions, and digital signature methods. No such choice can remain computationally secure forever in the face of evolving computer technology, including quantum computers and other technologies not yet invented. The hopeful permanence of blockchains is dissonant with the limited-time security of today's engineering choices.

Additional challenges facing blockchains include the huge amounts of energy spent on blockchain computations (especially PoW), the high rates at which ledgers grow, and the associated increases in transaction latency and processing time (Bitcoin's ledger is currently more than 184 GB).

As of September 2018, the hash rate for Bitcoin exceeded 50 million TH/s, consuming more than 73 TWh of power per day, more than the amount consumed by Switzerland. These hashes were attempts to solve cryptographic puzzles of no intrinsic value (finding an input that, when hashed, produces a certain number of leading zeroes), and almost all of these computations went unused. Attempts, such as Primecoin and others, to replace cryptographic hash puzzles with useful work (e.g., finding certain types of prime integers) are challenging because it is very hard to find useful problems that have assured difficulty and whose level of difficulty can be dynamically throttled. Some researchers are exploring alternatives to PoW, such as proof of space, proof of stake, and proof of elapsed time.

To understand blockchain systems, it is helpful to view them in terms of how the watchers, doers, executives, and czars carry out their functions under the guidance of the access, control, and consensus policies. This systematic abstract view helps focus attention on crucial elements and facilitates a balanced comparison of systems. Blockchains address many longstanding inherent needs for indelible ledgers, from financial transactions to property records and supply chains. With powerful existing cryptographic techniques, a wide set of available variations, and a large amount of resources allocated to these technologies, blockchains hold significant potential.

Table 3. Three properties of several distributed ledger systems.

System | Permissioned? | Basis of Consensus | Smart Contracts
Chaum, 1982 | Permissioned, with option for publicly permissioned | Weak consensus; does not handle concurrent client requests | Private arbitrary distributed computation
Bitcoin, 2008 | Permissionless | PoW | Conditional payment and limited smart contracts through scripts
Dash, 2014 | Combination | Proof of stake | No
Ethereum, 2014 | Permissionless | PoW | Yes, nonprivate Turing complete objects
Hyperledger Fabric, 2015 | Permissioned | Based on state machine replication | Yes, off-chain
Corda, 2016 | Permissioned | Based on state machine replication | Yes (set of functions), including explicit links to human language

Acknowledgments

We thank Dan Lee, Linda Oliva, and Konstantinos Patsourakos for their helpful comments. Alan T. Sherman was supported in part by the National Science Foundation under Scholarship for Service grant 1241576.

References

1. A. Sherman, F. Javani, H. Zhang, and E. Golaszewski, "On the origins and variations of blockchain technologies," 2018. [Online]. Available: http://arxiv.org/abs/1810.06130
2. C. Cachin and M. Vukolic, "Blockchain consensus protocols in the wild," in Proc. 31st Int. Symp. Distributed Computing, 2017, vol. 1, pp. 1–16.
3. L. Lamport, R. Shostak, and M. Pease, "The Byzantine generals problem," ACM Trans. Programming Languages Syst., vol. 4, no. 3, pp. 382–401, 1982. [Online]. Available: https://dl.acm.org/citation.cfm?doid=357172.357176
4. S. Nakamoto, "Bitcoin: A peer-to-peer electronic cash system," Bitcoin, 2008. [Online]. Available: https://bitcoin.org/bitcoin.pdf
5. A. Back, "Hashcash: A denial of service counter-measure," Hashcash, 2002. [Online]. Available: http://www.hashcash.org/papers/hashcash.pdf
6. R. C. Merkle, "Secure communications over insecure channels," Commun. ACM, vol. 21, no. 4, pp. 294–299, 1978. [Online]. Available: https://dl.acm.org/citation.cfm?doid=359460.359473
7. L. Lamport, "The part-time parliament," ACM Trans. Comput. Syst., vol. 16, no. 2, pp. 133–169, 1998. [Online]. Available: https://dl.acm.org/citation.cfm?doid=279227.279229
8. D. L. Chaum, "Computer systems established, maintained, and trusted by mutually suspicious groups," Elect. Eng. Res. Lab., Univ. California, Berkeley, Tech. Memo. UCB/ERL/M79/10, 1979.
9. D. L. Chaum, "Computer systems established, maintained and trusted by mutually suspicious groups," Ph.D. dissertation, Dept. Comput. Sci., Univ. California, Berkeley, 1982.
10. N. Szabo, "Smart contracts," 1994. [Online]. Available: http://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart.contracts.html
11. E. Wong, "Retrieving dispersed data from SDD-1: A system for distributed databases," in Proc. 2nd Berkeley Workshop Distributed Data Management and Comput. Networks, May 1977, pp. 217–235.

Alan T. Sherman is a professor of computer science at the University of Maryland, Baltimore County. His research interests include secure voting, applied cryptography, and cybersecurity education. He is a Senior Member of the IEEE. Contact him at [email protected].

Farid Javani is a Ph.D. student at the University of Maryland, Baltimore County. Contact him at [email protected].

Haibin Zhang is an assistant professor in the Department of Computer Science and Electrical Engineering at the University of Maryland, Baltimore County. Haibin received a Ph.D. from the University of California, Davis, in 2001. His research interests include distributed computing and secure blockchains. Contact him at [email protected].

Enis Golaszewski is a Ph.D. student at the University of Maryland, Baltimore County. Contact him at [email protected].
