Using concrete examples, the author of this article refutes one of the most popular claims made about the blockchain: immutability.

The issue of blockchain immutability, which has caused quite a bit of heated debate in the cryptocurrency world, has become something of a quasi-religious doctrine: a fundamental belief that must not be shaken or questioned. And as with the doctrines of the dominant religions, members of the opposing camps use immutability as an instrument of ridicule and mockery.

Last year we witnessed two striking examples:
- Proponents of cryptocurrency arguing that immutability can only be achieved through the mechanisms of a decentralized economy, such as proof of work. From this position, closed blockchains are ridiculed as entirely dependent on the correct behavior of a small group of validators, who obviously cannot be trusted.
- Scorn for editable (or mutable) blockchains, in which certain retrospective changes can be made once certain conditions are met. Critics asked the following question: is there any point in using a blockchain if its contents can be edited or changed?
For those who keep aloof from all this, the attempts to throw mud at the infidels are funny to watch, not least because the criticism is simply wrong and rooted in a fundamental misunderstanding of the nature of immutability in blockchains (and in fact in any computer system). In short, the essence of this article comes down to the following:
For blockchains, there is no such thing as perfect immutability. It would be more correct to ask the following question: what are the conditions under which a particular blockchain can and cannot be changed? And are these conditions suitable for the problem we are trying to solve?
Mutability in open blockchains
Let's consider the two theses given in the introduction. Both use immutability as a basis for ridiculing another point of view. Let's start with the claim that the consensual validation procedures used in controlled blockchains cannot guarantee the “true immutability” promised by open blockchains.
This criticism is easily parried by pointing to the vulnerability of open blockchains themselves. Take, for example, Ethereum, which was hit in June 2016 by hackers who took advantage of a disastrous vulnerability. Someone found a loophole in the code of a smart contract called The DAO, which by that time had already collected $250 million in investments, and as a result the attackers were able to quickly “drain” the funds into their own accounts. Of course, this completely contradicted the intentions of the contract's creators and the expectations of investors, yet where the contract was concerned, the phrase “code is the only law” had been repeated everywhere like a mantra. Law or not, in less than a month Ethereum was updated to prevent the hackers from cashing out the cryptocurrency they had “earned”.
Of course, such an update could not be enforced, since every Ethereum user controls their own computer. Nevertheless, the measure received public support from Vitalik Buterin, the founder of Ethereum, and from many other community leaders. As a result, most users made the transition, and the blockchain with the new rules retained the old name, Ethereum. A minority of users disagreed with the change and continued to use the previous blockchain under its original rules; it has since been called Ethereum Classic. It would be more accurate to call them, for example, “Ethereum stained” and “Ethereum pure”. Be that as it may, democracy is democracy, and the practical and popular Ethereum is now worth more than 10 times as much as the idealistic Ethereum Classic, left backstage in the blockchain world.
Now let's consider a less favorable scenario in which the retrospective immutability of a blockchain can be undermined. Recall that block creation, or mining, in Bitcoin and Ethereum uses a proof-of-work scheme, in which a node must solve a mathematical problem to generate a block and receive a reward for the work. The value of this reward inevitably turns the mining of new blocks into an arms race: miners compete on how fast they can solve the problem. To compensate, the network periodically adjusts the difficulty of the problem to maintain a constant rate of block creation: one block every 10 minutes in Bitcoin or every 15 seconds in Ethereum.
Over the past 5 years, the difficulty of the Bitcoin network has increased 350 thousand times. Today, the vast majority of mining takes place on expensive specialized equipment in places with cold weather and cheap electricity. If you have, for example, 1089 dollars, you can buy an Antminer S9, which handles cryptocurrency calculations 10 thousand times faster than any home computer and consumes 10 times more electricity. The difference is plain to see, and it is very far from the democratic ideals on which Bitcoin was founded, even if such an approach significantly increases the security of the blockchain.
But what does this security mean? If someone wants to undermine the immutability of the Bitcoin blockchain, there is one surefire way to do it. First, the attackers acquire more mining power than all other network nodes combined, creating the conditions for a so-called 51% attack. Next, instead of mining new blocks openly and on equal terms with everyone else, they mine their own secret branch of the blockchain, containing whatever transactions suit them and excluding any they do not want. Finally, at a time of their choosing, they anonymously announce their secret branch to the network. Since the attackers are stronger than the other participants in the mining power race, their branch will contain more proof of work than the public one. As a result, every node will switch to it because, according to the rules of Bitcoin, the branch with more accumulated work wins. All previously confirmed transactions that are not included in the secret branch will be reversed, and the attackers will be able to send the bitcoins spent in them to any address convenient to them.
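The fork-choice rule described above, seen from a node's side, as an added example that is not part of the original article: the node follows the branch with the most cumulative work (not the most blocks), and `reorg` reports how deep the switch goes and which confirmed transactions disappear, which is what a monitoring node would alert on. Block ids, work values and transactions are constructed for illustration.

```python
from collections import namedtuple

# Constructed toy data model: ids, work values and transactions are illustrative.
Block = namedtuple("Block", "id parent work txs")

def path(idx, tip):
    """Block ids from genesis to the given tip."""
    out = []
    while tip:
        out.append(tip)
        tip = idx[tip].parent
    return out[::-1]

def total_work(idx, tip):
    return sum(idx[i].work for i in path(idx, tip))

def best_tip(idx, tips):
    """Fork choice: most cumulative proof of work wins, not the longest chain."""
    return max(tips, key=lambda t: total_work(idx, t))

def reorg(idx, old_tip, new_tip):
    """Return (depth, reverted_txs) for a node switching from old_tip to new_tip."""
    old, new = path(idx, old_tip), path(idx, new_tip)
    common = 0
    while common < min(len(old), len(new)) and old[common] == new[common]:
        common += 1
    kept = {tx for i in new for tx in idx[i].txs}
    dropped = [tx for i in old[common:] for tx in idx[i].txs if tx not in kept]
    return len(old) - common, dropped

def branch(blocks, parent, prefix, first, last, work, txs):
    """Append blocks prefix<first>..prefix<last> on top of parent."""
    for n in range(first, last + 1):
        blocks.append(Block(f"{prefix}{n}", parent, work, txs.get(n, ())))
        parent = f"{prefix}{n}"

def sample():
    blocks = [Block("G", None, 0, ())]
    # Public chain A1..A6, work 10 per block.
    branch(blocks, "G", "A", 1, 6, 10, {3: ("pay-merchant",), 4: ("t4",), 5: ("t5",)})
    # Withheld branch B3..B7 forking after A2: one block more, conflicting spend.
    branch(blocks, "A2", "B", 3, 7, 10, {3: ("pay-self",), 4: ("t4",)})
    # Long but light branch C3..C10: more blocks, far less work.
    branch(blocks, "A2", "C", 3, 10, 1, {})
    return {b.id: b for b in blocks}

if __name__ == "__main__":
    idx = sample()
    print(best_tip(idx, ["A6", "C10"]), best_tip(idx, ["A6", "B7", "C10"]))
    print(reorg(idx, "A6", "B7"))
```

The reorganization depth is the number a node operator compares against the confirmation count they treat as final.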
This story will, of course, make everyone who believes in Bitcoin laugh, since I wrote about “acquiring more mining power than all other network nodes combined” as if it were a trivial task. And of course they will be right: it is not an easy task, otherwise it would already have been done more than once by the many who would like to. Anyone who wants to pull off something like this will need a lot of mining equipment and a lot of electricity to power it. Both cost a lot of money. But there is one inconvenient fact that most “bitcoiners” prefer to mention only in passing: from the point of view of the government of any medium-sized country, the amount needed to carry out the attack is still small change.
Let's calculate the cost of a 51% attack capable of reversing all bitcoin transactions of the past year. With a bitcoin price of $1,500 at the time of writing and a reward of 15 bitcoins (including transaction fees) per 10-minute block, miners earn about $1.2 billion a year ($1,500 × 15 × 6 × 24 × 365). If we assume, not without reason, that miners on the whole do not make losses, or lose only a little, then total mining costs must also be within these limits. (The calculation is simplified: it does not take into account the one-time cost of purchasing mining equipment, but $400 million is enough for a sufficient number of Antminer S9 units to match the current capacity of the entire Bitcoin network, so overall this does not greatly affect the final result.)
And now let's remember the reports that Chinese citizens use Bitcoin to evade state controls on the movement of capital. It is also known that the Chinese government's tax revenue is approximately 3 trillion dollars a year. Will the authorities of a non-democratic country want to spend 0.04% of their budget on shutting down a popular scheme for illegally moving funds out of the country? I would not say for certain that they will, but to think that such a scenario is unbelievable is too naive. Adding edge to this is the fact that policing the Internet in China involves 2 million employees, whose salaries must come to 10 billion dollars a year at a minimum wage of 5 thousand dollars a year. Against that, allocating 1.2 billion dollars to intervene in the course of transactions looks like quite a realistic step in the foreseeable future.
However, even this analysis underestimates the possible scenarios, since the Chinese government could undermine the Bitcoin network in a much simpler way. It turns out that, because of low hydropower prices and other factors, bitcoin mining takes place for the most part in China. The security forces would need only a few platoons of soldiers and a few pieces of heavy equipment to physically seize the facilities where this mining takes place, and then use them to censor or reverse transactions. Although members of the Bitcoin community around the world would certainly notice these changes, they could do nothing to oppose them unless they agreed to change the fundamental processes of the Bitcoin network, that is, the very nature of the cryptocurrency. What was it they said about free money that cannot be censored?
If I had to bet, I would bet that neither China nor other governments are likely to attack Bitcoin in the manner described above, because ultimately such behavior is not in their own interests. It is much more likely that they will direct their anger at less controllable members of the cryptocurrency family, such as Dash, Zcash or Monero.
However, the mere possibility of such an intervention should in itself put the doctrine of cryptocurrency immutability in its rightful place. The blockchains of Bitcoin and other similar networks simply cannot be called ideal or absolutely unchangeable. Rather, they are unchangeable only until someone big and rich enough decides to destroy them. And yet, by relying on the economic cost of destabilizing the network, the immutability of cryptocurrency fully satisfies the specific needs of all those who do not want to trust governments, companies and banks. This approach may not be perfect, but it is the best available to them today.
Editable private blockchains
Now let's move on to closed blockchains, developed for the needs of governments and large companies. First of all, it should be understood that combining the proof-of-work algorithm with immutability is an idea doomed from the commercial, legal and regulatory points of view, since it allows any (sufficiently wealthy) player to mount an anonymous attack on the network. For institutions, immutability can only be based on the good behavior of other such institutions, with which they can sign a contract and meet in court if the need arises. Closed blockchains have another advantage: they are much less expensive to maintain, since blocks only require a simple digital signature generated by the validator nodes. As long as the majority of validating nodes follow the general rules, such immutability gives more reliable and cheaper results than is possible with any open cryptocurrency.
Of course, immutability in this case can easily be nullified if all participants in the system decide to do so together. Let's imagine a closed blockchain for collecting data on infectious diseases, used by a group of six hospitals. Suppose a program at one of the hospitals wrote a large, erroneous data set to the chain, causing inconvenience to the other participants. After a few phone calls, the IT departments of all the hospitals agree to “roll back” all nodes to their state of 1 hour earlier, remove the problem data and let the network carry on as if nothing had happened. Who could stop the network members if they all agree on something like this? (It should be noted that some consensus algorithms, such as PBFT, do not provide a formal mechanism for such rollbacks, but this restriction will not stop the nodes from acting on their own and bypassing the rules if they set themselves that goal.)
Now let's consider the case where the majority of participants in a closed blockchain agree to roll back and delete a transaction, but some of them oppose it. Since each of these organizations has absolute control over its own node, no one can force the minority to join the consensus. However, by refusing to sacrifice their principles, such users will end up on a fork, because they will be ignored by all the other nodes. The same fate awaits them as the noble supporters of Ethereum Classic, with a place in paradise to boot when the time comes. However, as long as they are here on our sinful earth, they will be excluded from the consensus process, which was in fact the main reason for creating the chain. As a result, the whole undertaking will lose its meaning for them, since the only beneficial use of transactions outside the consensus process is as evidence in court.
With this situation in mind, let's talk about the second example. Consider the Accenture proposal to use chameleon hashes, which make it possible to simplify the replacement of blocks that lie somewhere far back at the beginning of the chain. The main motivation for such an operation, as described by David Treat, is the desire to remove an old, problematic transaction quickly and efficiently. The proposed scheme assumes that each such replacement leaves a “scar” visible to all network participants. (It should also be noted that any subsequent transactions that depend on the deleted transaction must also be deleted.)
It is difficult to estimate how many critics mocked this idea after its publication. Twitter and LinkedIn overflowed, seething with indignation and fear. And it was not only members of the crypto world, who take a sporting pleasure in making fun of everything related to corporate blockchains, who joined in. The idea was also met with hostility by many supporters of closed blockchains.
Still, there are cases where the idea of openly making retrospective changes to the blockchain with the help of chameleon hashes fits the network perfectly. To understand the point, let's ask a simple question: who will have the authority to replace old blocks? Obviously, that authority cannot be handed to some random, unknown member of the network, otherwise the chain would simply become uncontrollable.
The answer is that a chameleon hash can only be used by the holder of its secret key. The key is required so that the new version of the block, with different transactions, has the same chameleon hash as before. Of course, we probably want to avoid centralizing control of the blockchain, so we can strengthen the scheme by giving each block several chameleon hashes at once, with the key of each held by a different network participant. Or we can use secret sharing to split the key of a single chameleon hash between multiple participants. Either way, the chain can be configured so that retrospective replacement of blocks occurs only if it is approved by a majority of key holders. Sounds familiar, doesn't it?
Let me draw a more explicit parallel. Imagine that we have divided the control of chameleon hashes between the same validator nodes that are responsible for creating blocks. This means that the old block can be replaced only if most of the validator nodes agree to such an operation. And yet, as we have already explained, from the very beginning of its existence, any blockchain is already vulnerable to retrospective changes: most of the validator nodes can do this using a rollback mechanism. Therefore, from the point of view of the organization of network management, the chameleon hashes within the model of the majority of validators do not actually change anything.
And if so, why bother with them? It is all about optimizing performance: chameleon hashes allow old blocks of the chain to be replaced much more efficiently than previously proposed methods. Imagine that you need to delete a certain transaction located almost at the very beginning of a blockchain that has existed for 5 years. Perhaps this need arose because of the right to be forgotten law adopted in the European Union, which allows individuals to demand the removal of their personal data from company records. Nodes cannot simply delete the problematic transaction from their disks, since this would change the hash of the corresponding block and break the links of the chain. The next blockchain scan or data exchange between nodes would cause the entire system to crash.
To solve this problem without chameleon hashes, the nodes would have to remove the problematic transaction, rewrite the block containing it, recalculate its new hash, and change the old hash stored in the next block of the chain. However, this also affects the hash of the next block, which must in turn be recalculated and substituted into the block following it, and so on, right up to the newest block. Although it is possible in principle to build mechanisms for making such changes, these procedures could run for hours or days without a break if millions of blocks and transactions have already accumulated in the blockchain. Worse, a node busy with such calculations may well lose the ability to process new information about network activity. Chameleon hashes therefore provide a much more computationally efficient way to achieve the same goal. If you compare an unwanted transaction to a deeply buried stone, chameleon hashes let you teleport the stone to the surface instead of digging deep, pulling out the stone and filling in the resulting hole.
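The contrast drawn in the last few paragraphs (the key holder producing a replacement block with the same chameleon hash, versus re-hashing every later block), as an added example that is not the article's or Accenture's code. It uses a standard discrete-log chameleon hash in a deliberately small toy group; the article does not say which construction the proposal uses, and the group parameters, block layout and all function names are assumptions made for this illustration.

```python
import hashlib
from math import gcd

# Toy group (assumption): the Mersenne prime 2**127 - 1. Its order P - 1 is
# smooth, so this is NOT secure; real schemes use a large prime-order group.
P, G = 2**127 - 1, 3
N = P - 1   # exponents live modulo the group order

def h_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen(seed):
    x = h_int(seed)
    while gcd(x, N) != 1:       # trapdoor must be invertible modulo N
        x += 1
    return x, pow(G, x, P)      # (secret trapdoor, public key)

def chameleon_hash(pub, payload, r):
    # CH(m, r) = g^m * pub^r mod p = g^(m + x*r)
    return pow(G, h_int(payload), P) * pow(pub, r, P) % P

def collide(x, old, r, new):
    # Key holder solves m + x*r = m' + x*r' (mod N) for the new randomness r'.
    return (r + (h_int(old) - h_int(new)) * pow(x, -1, N)) % N

def make_block(prev, payload, r, pub=None):
    digest = h_int(payload) if pub is None else chameleon_hash(pub, payload, r)
    link = hashlib.sha256(f"{prev}:{digest:x}".encode()).hexdigest()
    return {"prev": prev, "payload": payload, "r": r, "hash": link}

def build(payloads, pub=None):
    chain, prev = [], "0" * 64
    for i, p in enumerate(payloads):
        chain.append(make_block(prev, p, h_int(b"r%d" % i), pub))
        prev = chain[-1]["hash"]
    return chain

def valid(chain, pub=None):
    prevs = ["0" * 64] + [b["hash"] for b in chain[:-1]]
    return all(b["prev"] == p and b["hash"] == make_block(p, b["payload"], b["r"], pub)["hash"]
               for b, p in zip(chain, prevs))

def redact_plain(chain, k, new):    # ordinary hashes: re-hash k and every later block
    chain[k]["payload"], prev, changed = new, chain[k]["prev"], 0
    for b in chain[k:]:
        old = b["hash"]
        b.update(make_block(prev, b["payload"], b["r"]))
        changed += b["hash"] != old
        prev = b["hash"]
    return changed

def redact_chameleon(chain, k, new, x):   # only block k's payload and r change
    b = chain[k]
    b["r"], b["payload"] = collide(x, b["payload"], b["r"], new), new

def demo(n=200, k=5):
    payloads = [b"tx batch %d" % i for i in range(n)]   # constructed sample data
    x, pub = keygen(b"constructed validator key")
    plain, cham = build(payloads), build(payloads, pub)
    tip, old_r = cham[-1]["hash"], cham[k]["r"]
    rewritten = redact_plain(plain, k, b"[redacted]")
    redact_chameleon(cham, k, b"[redacted]", x)
    return rewritten, valid(cham, pub), cham[-1]["hash"] == tip, cham[k]["r"] != old_r
```

`demo()` returns the number of blocks the ordinary chain had to re-hash, whether the edited chameleon chain still verifies, whether its tip hash is unchanged, and whether the changed randomness (the visible “scar”) differs from the original.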
Immutability has many nuances
I hope that, by giving you an overview of the risks of proof-of-work blockchains and of the technical value of chameleon hashes, I have managed to convince you that the answer to the question of whether blockchains are immune to retrospective changes depends on a large number of nuances and cannot be given as a simple “yes” or “no”. To quote Simon Taylor, who once quoted Ian Grigg, the main question you should ask is: “Who are you and what do you want to achieve?”
For supporters of cryptocurrency who want to avoid using government money and services of the traditional banking system, the belief in open proof-of-work blockchains, the immutability of which rests on economic restraints, rather than trusting other participants in the system, is absolutely logical. And even if they have to put up with the risk that an influential government (or another wealthy player) can disable their network, they can still console themselves with the fact that any such operation will cost the attacker a lot of manpower and resources. They also undoubtedly believe that, over time, cryptocurrencies will become more and more secure as their value and power requirements for mining equipment increase.
On the other hand, for corporations and other institutions wishing to establish a secure exchange of information in a database shared between organizations, the use of an immutable proof-of-work model makes no sense at all. And the point here is not so much the incredible cost of this approach as the fact that the proof-of-work scheme allows any sufficiently motivated participant to anonymously capture the chain and censor or reverse transactions. Instead, such users need immutability based on the good behavior of the majority of previously known validator nodes, backed by legal contracts and laws.
And finally, in most applications of controlled blockchains, we probably will not need validators to be able to replace old blocks of the chain quickly and easily. As Dave Birch wrote earlier: “you can correct an incorrect debit with the help of a correct loan”, rather than by trying to pretend that the debit never existed. Be that as it may, in cases where additional flexibility is required, chameleon hashes help the blockchain become more practical.
