Author: Dr. Liew

ETHKL #5 : Security Audits & Scaling

The meetup was at HelloGold office , KL on Friday 23, Nov.

Speakers:

  1. Petar Tsankov-Chief Scientist/co-founder of ChainSecurity AG & Senior Researcher at the ICE center. ETH Zurich. 
  2. Andras Kristof- Founder and Advisor of Akomba Labs
  3. Lai Ying Tong- Researcher at Ethereum Foundation
  4. Ken Chan

The session began with Ken Chan introducing the audience about Zero-Knowledge Proofs. I was sure many developers among the audience understand what it is but the concept sounds strange to me. Fortunately, Ken was good in demonstrating the concept by using the scenario of the American presidential election involving Trump and Clinton as well as a “live demo” with Harith of HelloGold as the co-actor.

Apparently, the Zero-knowledge proof method, or more exactly zk_SNARKS, is a consensus protocol used by Zcash to validate its shielded transactions that are fully encrypted on its blockchain. According to Zcash(https://z.cash/technology/zksnarks/), the acronym zk-SNARK stands for “Zero-Knowledge Succinct Non-Interactive Argument of Knowledge,” and refers to a proof construction where one can prove possession of certain information, e.g. a secret key, without revealing that information, and without any interaction between the prover and the verifier.

Zcash further pointed out that “Zero-knowledge” proofs allow one party (the prover) to prove to another (the verifier) that a statement is true, without revealing any information beyond the validity of the statement itself. For example, given the hash of a random number, the prover could convince the verifier that there indeed exists a number with this hash value, without revealing what it is.

Ken illustrated the process of Succinct and Non-interactive using a diagram, where the prover begins by generating a proof string and then the verifier needs to verify the proof string, as shown below:

The above process is actually more complex than illustrated in the diagram. According to Zcash,  zk-SNARKs work by first turning what you want to prove into an equivalent form about knowing a solution to an algebraic equation, as follows:

Computation → Arithmetic Circuit → R1CS → QAP → zk-SNARK

Here is an example of what an arithmetic circuit looks like for computing the expression (a+b)*(b*c) :

Diagram Adapted from Zcash

The output is then verified by the verifier. However, Ken pointed out that the process might be compromised by some malicious codes which he called toxic waste that produce false proofs. Ken concluded with the following points:

Why ZK SNARKs?

  • Strong cryptography research by Zcash team
  • Math-based- not coin joining
  • Short proofs

Why not ZK SNARKS?

  • Trusted setup for every contract
  • No transparency for counterfeiting
  • Computationally expensive

Next, Dr.Petar from ChainSecurity discussed the importance of security audit. His topic was “How Not to get Hacked”. ChainSecurity is a smart contract auditing platform. They can identify security vulnerabilities and certify the functional correctness of smart contracts and blockchain projects. 

ChainSecuity has developed an Audit platform that can perform Automated Security Check on smart contracts. This platform can test and audit both Ethereum smart contracts (Security Scanner)and the Hyperledger Fabric chaincode(Chaincode Scanner).

According to Dr.Petar,  more USD$1 billion have been stolen this year due to crypto hacks. He stressed that writing secure smart contracts is difficult.  Developers might fail to see bugs and security flaws, therefore we need to audit the smart contracts.  However, currently, most audits are done manually and tend to miss many issues. Furthermore, in the post-development stage, most anomalies are invisible. 

To work around the aforementioned issues, ChainSecurity has developed some AI-based automated tools to help in every stage of smart contract lifeline. At the developmental stage, the automated tools will assist in certifying the correctness of the code. At code audit stage, the machine-checked audit will generate the audit report by committing the smart contract onto the Audit platform which runs security auditing using the security scanner, the symbolic verifier and the AI-based Tester. Finally, in the post development stage, there are monitoring tools to help track the smart contract health.

More information on security audit can be found on ChainSecurity website.

The final topic was scaling presented by Andras Kristof and Lai Ying Tong.  This is a topic where all Ethereum enthusiasts are concerned about. According to the speakers, the solution is to develop a two-layer architecture. Layer 1 is called serenity which comprises sharding, casper, random beacon, and p2p networking. Layer 2 comprises payment channels, state channels, sidechains, and plasma. The solution also comprises succinct proofs using snarks and starks. Furthermore, there are more integrations that include swarm, light clients and client optimizations.

In more details, the layer 1(serenity) structure includes the Main Chain(provides staking and PoW), the Beacon Chain((provides random number and PoS), the Shard Chain(provides data) and VM(provides state execution result).

For the payment channels, there are two channels, the Open Channel and the Close Channel. The transactions include blockchain transactions and Off-chain payments. Besides that, Lai also spoke on payment channels on the lightning network. The layer2 solutions are to move state-modifying operations off-chain, which include payment channels and state channels.

Besides that, Lai also covered topics on sidechains, plasma mvp, morevp, swarm, light clients and more. These are heavy topics and I shall discuss them in future articles.

A Wrap-up of Blockchain And Cryptocurrency Conference 2018

I am trying to summarize a bit of the Blockchain and Cryptocurrency conference 2018 (from 13th to 15th Nov 2018) but it is far from comprehensive as I missed out the first day programmes. Besides that, I  couldn’t capture all the mind-boggling stuff delivered by the elite speakers, all of them are crypto experts! I am sure all the participants benefited immensely in one way or another unless they slept   through the sessions.

The conference was co-organized by Twinintel, QF4 Tech Asia and Blueshare. The venue was at the impressive five-star Sheraton Imperial Hotel located at Jalan Sultan Ismail, Kuala Lumpur. The event was very well organized and the speakers’ line-up is simply overwhelming, kudos to the organizers!

The topics were very comprehensive and catered for everyone needs, be them crypto investors, tech-savvy nerds, govt officials, regulators(maybe hiding among us), academicians, and students etc.  I would say there were not much marketing hypes about ICO, mostly educational.  The topics covered ICO, ISTO, Crypto analytics, Blockchain training, Blockchain standards, Blockchain smart cities , fundamentals and more.

I was particularly impressed by the cool topic “Predicting Cryptocurrency Exchange Rate with AI and social media” delivered by Dr.Tim Frey.  I like forecasting the future as it is my personal interest , that was why I watched all the back to future and time machine movies. I learned how Dr.Tim used Twitter’ tweets (or rather gossips) as the data for his forecasting model, which gives an impressive level of 70%-90% accuracy. Maybe One day we can develop a forecasting model that can deliver 99% accuracy.  I believe by using AI machine learning we can achieve that goal. I managed to catch up with Dr.Tim at tea time to get more insights from him. According to him, it seemed 90% of the audience couldn’t grasp the concepts, I am not too sure. I myself don’t understand much too. For example,  I don’t know what the heck is Kappa Architecture, I am sure our computer science experts can understand better.

Dr.Sindhu illustration of Crypto banking was an eye-opener.  I like the diagram that showed clearly how various components from KYC, front-end app, ledger, and the blockchain’s bank wallet are connected to the bank’s backend. It showcases a banking model for the future crypto transaction. we also learned about the Microsoft, Ethereum and R3 11 banks experiment on simulation an exchange of value on the blockchain. The banks involved were HSBC, Credit Suisse, Barclays, Wells Fargo and more. Very useful for a case study. In addition, he also highlighted the advantages of using Blockchain in the banking industry:

  • Transparency
  • Less Labour intensive
  • Disintermediation
  • Tamper-proof
  • Nearly instantaneous

However, there are also some key challenges , as follows:

  • Privacy
  • Integration
  • Threat of Rivalry
  • Energy Consumption

I couldn’t remember who spoke on steps in launching an ICO but the points given were super good. According to him, the steps in doing an ICO are as follows:

  1. Decide if an ICO is suitable for your business
  2. Adviser reach out and on-boarding
  3. Get legal opinion
  4. Create a light paper/whitepaper/deck for your ICO
  5. Private sale or an angel investment to develop the MVP
  6. Create the product
  7. Create a token
  8. Create a community and buzz
  9. Getting your token out on an exchange

He further showed us the shocking statistics that 81% of the ICO projects were found to be a scam scheme. Out of the genuine ICO projects, 6% failed, another 5% gone dead and only a meagre 8% proceed to trade. Therefore the ICO projects are not as rosy as what people claim.

Another speaker spoke on potential blockchain applications. He subdivided the potential applications into four areas, smart contracts, digital currency, securities and record keeping.

The speaker from Cryptology gave advice for those who intend to start an ICO project. First of all, he reminded that blockchain is not a get rich quick scheme. It is about the distribution of trust. Secondly, do not just explore blockchain technology just because it is hot or trendy. Think in terms of how the product or services can benefit from it. Finally, bear in mind that the most successful companies are those who can accept and adapt to constant changes.

Miss Daphne Chong, the CTO from Logistics Worldwide Express and a director of Woman Who Code KL explained how blockchain could disrupts the supply chain and logistics industry. She emphasized on the advantages of implementing blockchain  in supply chain and logistics in terms of

  • Efficiency-less paperwork, elimination of the intermediaries
  • Transparency-price, ownership, location
  • Inventory tracking, quality control
  • Disputes settlement, reduction in cost of regulations and compliance

Last but not least, Mr. Fattah, the chairman of Malaysia’s National Standards Committee on Blockchain and Distributed Ledger Technologies told the audience about the development of Blockchain and DLT standards in Malaysia. He spearheaded the formation of the national committee and played a key role in putting Malaysia on the international scene. You can follow his blog https://fattahyatim.wordpress.com/ to learn more about the subject.

This is all about the conference that I can recollect, I welcome your valuable inputs if I have missed out anything important.

Hyperledger Fabric Architecture Part 2

In my article ” Hyperledger Fabric Architecture Part 1“,  you have learned about the client applications, endorsing peers and committing peers as well as well as the ordering service. We have also discussed the transaction workflow and how consensus is reached. In this article, I shall explain the channels and membership service provider.

Channels

In permissionless blockchains like Bitcoin and Ethereum, all peers share and have access to the same ledger. However, this kind of blockchain may not be suitable for business applications. For example, a supplier may want to set different prices for different wholesalers, and he would not want everyone in the supply chain to view this information. In this scenario, he or she will prefer to deal with the different wholesalers separately. To solve this issue, Hyperledger Fabric came out with the novel concept of channels that allow private transactions within the same network.

Channels partition the Fabric network in such as way that only the stakeholders can view the transactions. In this way, organizations are able to utilize the same network while maintaining separation between multiple blockchains.  The mechanism works by delegating transactions to different ledgers. Members of the particular channel can communicate and transact privately. Other members of the network cannot see the transactions on that channel. The concept is illustrated in the following diagram:

The diagram above shows two channels, channel 1 and channel 2. Each channel has its own application, peers, ledger and smart contract (chaincode). In this example, channel 1 has two peers, P1 and P2 and channel 2 also has two peers, P3 and P4.  Ordering service is the same across any network and channel.

Application 1 will send transaction proposals to channel 1. P1 and P2 will then simulate and commit transactions to ledger L1 based on chaincode S1. On the other hand, Application 2 will send transaction proposals to channel 2. P3 and P4 will simulate and commit transactions to ledger L2 based on chaincode S2. 

Though our example shows peers belong to two distinct channels, in actual case peers can belong to multiple networks or channels. Peers that participate in multiple channels simulate and commit transactions to different ledgers. In addition, the same chaincode can be applied to multiple channels.

Membership Service Provider (MSP)

Hyperledger Fabric is a permissioned blockchain, therefore, every user needs permission to join the Fabric network. In order to obtain permission to join the Fabric blockchain network, the identity of every user must be validated and authenticated. The identity is  important because it determines the exact permissions over resources and access to information that user has in the Fabric network.

To verify an identity, we must employ a trusted authority. In Hyperledger Fabric, the trusted authority is the membership service provider (MSP).  The membership service provider is a component that defines the rules in which identities are validated, authenticated, and allowed access to a network. The MSP manages user IDs and authenticates clients who want to join the network. This includes providing credentials for these clients to propose transactions, defining specific roles a member might play and defining access privileges in the context of a network and channel.

The MSP uses a Certificate Authority to authenticate or revokes user certificates upon confirmed identity. In Fabric, the default Certificate Authority interface used for the MSP is the Fabric-CA API. However, organizations can choose to implement an External Certificate Authority of their choice.  Hyperledger Fabric supports many types of External Certificate Authority interfaces. As a result, a single Hyperledger Fabric network can be controlled by multiple MSPs.

The Authentication Process

In the authentication process,  the Fabric-CA identifies the application, peer, endorser, and orderer identities, and verifies them. Next, a signature is generated through the use of a Signing Algorithm and a Signature Verification Algorithm.  The Signing Algorithm utilizes the credentials of the entities associated with their respective identities and outputs an endorsement. The generated signature is a byte array that is bound to a specific identity.

In the following step, the Signature Verification Algorithm will accept the request(to join the network) if the signature byte array matches a valid signature for the inputted endorsement, or reject the request if not. If the user is accepted, he or she can see the transactions in the network and perform transactions with other actors in the network. On the other hand, if the user is rejected, he or she will not able to submit transactions to the network or view any previous transactions.

We shall explore chaincode in the next article.

Hyperledger Fabric Architecture Part 1

In a previous article, you have learned that Hyperledger Fabric has a highly modular and configurable architecture.  In this article, we shall examine the architecture in more details.

Hyperledger Fabric Network

Hyperledger Fabric is a permissioned blockchain network that provides ledger services to application clients and administrators. It allows multiple organizations to collaborate as a consortium to form the network.  The permissions to join the network are determined by a set of policies that are agreed to by the consortium when the network is configured. The network policies may change over time subject to the agreement of the organizations in the consortium.

The Hyperledger Fabric network comprises the following components:

  • Ledger 
  • Peers
  • Ordering service
  • Chaincode (aka smart contract)
  • Channels
  • Membership service provider

The Hyperledger ecosystem also consists of the client applications that allow users to interact with the network.  Moreover, The Hyperledger Fabric application SDK provides a powerful API for developers to program applications to interact with the blockchain network on behalf of the users.  

Peers

The Fabric network is comprised primarily of a set of peers or nodes. Peers maintain the state of the network and a copy of the ledger. In addition,  they also host smart contracts(chaincode).

There are two different types of peers in Fabric, the endorsing peer and the committing peer. The endorsing peers (aka endorsers) simulate and endorse transactions. On the other hand, the committing peers (aka committers) verify endorsements and validate transactions before committing transactions to the blockchain. On a separate note, the endorsing peers can also commit transactions to the blockchain. Indeed, the endorsers are special kind of committers. However, the committers cannot be the endorsers.  All peers can commit blocks to the distributed ledger.

Ordering Service

The ordering service is  made up of a cluster of special nodes known as orderers. The ordering service accepts the endorsed transactions and specifies the order in which those transactions will be committed to the ledger.  However, It does not process transactions, smart contracts, or maintains the shared ledger. 

The Transaction workflow

Let’s examine the transaction workflow that involves the client applications, the peers and the orderers.  By examining the entire transaction workflow, we will learn how consensus is reached in the process.

The transaction flow to reach consensus consists of three phases:

  • Transaction endorsement
  • Ordering
  • Validation and commitment

Phase 1 Transaction Endorsement

Transactions begin with client applications sending transaction proposals to the endorsing peers, as shown in the following diagram:

Phase 2 Transactions Simulation

At this phase, the endorsers will simulate the proposed transactions, without actually updating the ledger.  The Endorsers must hold smart contracts in order to simulate the transaction proposals. In the simulation process, the endorsing peers will capture the set of Read and Written data, known as RW Sets.

These RW sets contain data that was read from the current world state while simulating the transaction, as well as data that would have been written to the world state had the transaction been executed. The endorsing peers then sign these RW sets and send them back to the client application for use in the next phase of the transaction flow, as shown below:

Phase 3 Ordering 

At this phase,  the client application submits the endorsed transactions and the RW sets to the ordering service. The ordering service will take the endorsed transactions and RW sets and orders them into a block and delivers the block to all committing peers.

The order of transactions needs to be established to ensure that the updates to the world state are valid when they are committed to the network. Unlike the Bitcoin blockchain or Ethereum, where ordering occurs through mining, Hyperledger Fabric allows the organizations to choose the ordering mechanism that best suits that network.

Hyperledger Fabric provides three ordering mechanisms i.e. SOLO, Kafka, and Simplified Byzantine Fault Tolerance (SBFT). However, SOLO is used only for experimentation purposes and SBFT has not yet been implemented. Therefore, Kafka is the default ordering mechanism for production use. The Kafka mechanism provides a crash fault-tolerant solution to ordering.

Phase 4 Transactions Validation

At this final phase, the committing peers validate the transactions by checking that the RW sets still match the current world state. In addition, they need to ensure that Read data that existed during the simulation process is identical to the current world state.

After the committing peers validated the transactions, the transactions are then written to the ledger, and the world state is updated with the Write data from the RW Set. Committing peers are responsible for adding blocks of transactions to the blockchain and updating the world state.  Lastly, the committing peers asynchronously notify the client application the results of the transactions.

I shall discuss channels, membership service provider and chaincode in another article.

Hyperledger Fabric- A Short Introduction

You have learned about Hyperledger in one of my previous articles. Hyperledger is not a platform but it is an umbrella body that incubates and promotes business blockchain technologies.

The Hyperlegder projects,  which is known as The Hyperledger Greenhouse consists of five projects, as follows:

  • Hyperledger Fabric
  • Hyperledger Sawtooth
  • Hyperledger Burrow
  • Hyperledger Iroha
  • Hyperledger Indy

I shall introduce Hyperledger Fabric in this article.

Hyperlegder Fabric Key Features

Hyperledger Fabric is the first blockchain project developed and hosted by the Linux Foundation.  It was initially contributed by Digital Asset and IBM, as a result of the first hackathon. According to the Linux Foundation , it was Intended as a foundation for developing DLT applications or solutions with a modular architecture.

Hyperledger Fabric is an open-source enterprise-grade permissioned distributed ledger technology (DLT) platform, designed for use in developing enterprise applications. It features some key differentiating capabilities over other popular distributed ledger or blockchain platforms.

One special feature of  Hyperledger Fabric is that it allows components, such as consensus and membership services, to be plug-and-play. Besides that, Hyperledger Fabric uses container technology to host smart contracts called chaincode that comprises the application logic of the system.

Channels are another unique feature of Hyperledger Fabric. They allow transactions to be private between two actors, while still being verified and committed to the blockchain.

Hyperledger Fabric Architecture

Hyperledger Fabric has a highly modular and configurable architecture. Therefore, enterprises can make use of its versatility to develop innovative business applications.  Besides that, it can be used to optimize the applications. Indeed, Hyperledger Fabric is well suited to develop a broad range of industry use cases including banking, finance, insurance, healthcare, human resources, supply chain and even digital music delivery.

Like Ethereum, Hyperledger Fabric also features smart contracts. However, it does not use Solidity as the programming language to code smart contracts. Hyperledger Fabric smart contracts are written in general-purpose programming languages such as Java, Go and Node.js. This means that most enterprises already have the skill set needed to develop smart contracts, therefore no additional training to learn a new language is needed.

Unlike Ethereum and many other public blockchains or DLT platforms, Hyperledger Fabric is a permissioned platform. It means the participants are known to each other, rather than anonymous and fully untrusted. In the Hyperledger Fabric ecosystem, while the participants may not fully trust one another, it can be operated under a governance model that is built with trust exist between participants, such as a legal agreement or framework for handling disputes.

Consensus Protocol

One key difference between Hyperledger Fabric and other DLT platforms is its support for pluggable consensus protocols. It enables the platform to be more effectively customized to fit particular use cases and trust models.

For example, when Hyperledger Fabric is implemented within a single enterprise or operated by a trusted authority, fully Byzantine fault tolerant consensus might be considered unnecessary as it might cause excessive drag on performance and throughput. Instead, a crash fault-tolerant (CFT) consensus protocol is more than adequate. However,  in a multi-party, decentralized platform, a more traditional Byzantine fault tolerant (BFT) consensus protocol might be required.

Another significant difference between Hyperledger Fabric and other DLT platforms is that it can implement consensus protocols that do not require a native cryptocurrency. It means it neither need a cryptocurrency to incentivize costly mining nor to fuel smart contract execution.  The avoidance of a cryptocurrency reduces some significant risk due to hacking via attack vector. Besides that, the absence of cryptographic mining operations means that the platform can be deployed with the same operational cost as other distributed platforms.

The combination of the aforementioned differentiating features makes Hyperledger Fabric one of the better performing DLT platforms available today both in terms of transaction processing and transaction confirmation latency. Besides that,  it enables privacy and confidentiality of transactions and the smart contracts (chaincode) that implement them.

I shall discuss the Hyperledger Fabric architecture and chaincode in more details in another article.