[Cryptography] blockchain and trustworthy computing

ianG iang at iang.org
Mon Oct 5 12:03:16 EDT 2015


On 1/10/2015 03:08 am, Natanael wrote:
> On 1 Oct 2015 05:38, "ianG" <iang at iang.org> wrote:
>  >
>  > Thought experiment.
>  >
>  > The blockchain [0] provides a way to do verifiable computing [1].
>  >
>  > Popularly under the tag of "smart contracts" these little scripts can
> be executed on every node, and the ability of the nodes to come together
> and find consensus on the state or results provides a way to not only
> compute, but also know that we have verifiably computed.
>
> [...]
>
>  > If we have verifiable computing finally in the blockchain - a thesis
> - does this mean we now have a trustworthy computing platform?
>
> [...]
>
>  > In practical terms, if I run a personal blockchain on my laptop, home
> computer, TV, android tablet, iPhone, and xWatch, have I created a
> trustworthy computing platform?  In the process, has the
> hardware-I-Don't-Trust conundrum been solved?


This seems to solve the problem for me, but trustworthy computing was 
always about being able to run my code on someone else's facility.  For 
example, I-as-movie-mogul run my movie on your TV, after payment received.


>  > Or, for a more hypothetical example, if I have an EPA-tester running
> on the blockchain calculating in turn over the various cars that are
> providing the nodes, does this solve the VW problem?
>
> Yes and no.
>
> It does nothing useful in the VW case. Their problem was insufficient
> data from testing, no amount of trustworthiness in the processing can
> fix that. You need trustworthy measurements in the right places.


Right - so leaving aside the "stick the probe in the pipe" solution - 
let's assume that the basic sensors are trustworthy.

Then, if EPA or California or whoever were to mandate that a private & 
certified blockchain were run on the car, and the sensors all followed a 
standard API, would we have a platform we (the EPA) could trust?


> The blockchain can provide some assurances that some chain of
> computations were done correctly. But with what limits?
>
> First of all, Bitcoin is essentially a shared fully public state machine
> with version control - you're free to rewind it at will locally and try
> again. It is *your* brain in a jar.


Right.  But we solved that problem with the odometer already - you're 
not allowed to rewind your odometer any more.

I'm speaking very hypothetically, imagining a future.  If people are 
uncomfortable with cars as a thought platform, think of a plane, far 
less scary :)  We already have much stronger and secure standards for 
plane automation systems, so it should be a snap to add in a blockchain (*).


(*) I'm kidding of course...


> The primary purpose of the
> construction is to approximate a global consensus well enough to be
> practically useful (majority proof-of-work chain wins). It isn't made
> for keeping secrets or as an impenetrable C&C platform (for malware OR
> for your home), or for providing guarantees about the trustworthiness of
> input data.


The primary purpose *was* to provide that.  But there are at least two 
groups who differ in their view of the future.  One is the financial 
world, which is being teased by the notion of disruption, so its plan 
is to use the blockchain-as-invention, internally, in permissioned 
fashion.  The other is the smart contract heavy crowd led by Ethereum, 
which hopes to build a generalised computing platform.


> It was made to let the public collectively track the ownership history
> of digital tokens, through using game theory to ensure there's a strong
> incentive for a majority to cooperate. Essentially it is a big Access
> Control List for digital money, and works because your digital signature
> proves you are you, because it has a practical distribution method
> (mining rewards) and because users are assumed to ensure they're
> connected to the majority network, and therefore likely won't be fooled
> by acting on false assignments of tokens.
>
> Maybe you've seen the Enigma blockchain is using homomorphic encryption
> and threshold key sharing to enable keeping secrets? But that's really
> just a clever way of letting strangers perform Multiparty Computation
> for you, with what that entails - if any majority of them is hacked or
> infiltrated or collude, all secrets can be recovered. But maybe you
> happen to trust it won't be compromised while you still need the inputs
> to remain secret?


Right - similar claim - at the hypothetical.


> There are Zero-knowledge proofs and homomorphic encryption with proofs
> of correctness (see Zerocoin, Monero and others). Their limitation is
> that they only prove the rules were followed ONCE, not that nobody ever
> performed other computations as well on the inputs. It doesn't reveal
> bruteforce attempts. If all you need to show is that the output was
> computed correctly, that's fine. But if you're protecting a game with
> the protocol, you can't stop the other player from evaluating the
> results of other moves.


So the claim here would be that if our VW has a blockchain, then we 
can't stop others from evaluating the EPA program on the fly and then 
doing other computations to trick the vehicle into compliance mode. 
Which is precisely the problem that got us here in the first place.

Right, ok, I see that.  That's a serious limitation of 'trustworthy' 
computing.  You get your calculation but your inputs can be gamed in 
real time without you knowing.  Fail.

To get around this the EPA would have to certify every other program on 
the blockchain, and then we'd be back to walled garden ... might as well 
use the old methods.


> If you have a set of networked devices that trust each other internally,
> you have a number of options.
>
> You can move from proof-of-work to a notary network with you as a
> gatekeeper (the Ripple model).


Right.  It doesn't take many changed assumptions to collapse the 
blockchain design.  It is quite an elegant result.


> Then, first of all, your devices can log all their actions and
> decisions, sign it together with the last block hash, and checkpoint it
> in a shared blockchain (git?). All devices would only trust a chain
> signed by the other trusted devices. This can be used to send commands,
> send alerts and to provide a degree of verifiability of past actions. It
> can also be used for other kinds of coordination.
>
> If you make the blockchain be THE real world that matters for your own
> devices, forced to iterate forwards without forks because all your
> devices enforce that collectively, then you can extend the range of
> verifiable actions. Just like how the Bitcoin blockchain (with majority
> proof-of-work) is THE definition of who has control of what Bitcoins,
> your blockchain would be the system that controls all of your network's
> access controls and capabilities. Make every action that matters be
> verified collectively. But the caveats above still apply - hacked
> devices can test multiple choices internally to see what outcome is more
> desirable.
>
> (More comments will come later. Gonna look up some other sources on what
> kind of guarantees these constructions could provide.)



Thanks!  Thinking of the gaming attack has certainly clarified my thinking.



iang
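Added example, not from this thread or either correspondent: a minimal version of the checkpoint scheme Natanael sketches above (devices log their actions, sign the record together with the previous block hash, and only trust a chain signed by the other trusted devices), written in Go with the standard library's ed25519. A verifier accepts a chain only if every block links to its predecessor and carries signatures from a quorum of the trusted device set, so a single compromised device that rewinds its local copy and proposes a different block for the same height cannot get it accepted. The device names, the 2-of-3 quorum and the logged actions are constructed for the example, and the block layout is hypothetical rather than any real project's format. It also shows the caveat raised in the thread: the rewinding device's local trial runs leave no trace in the chain, the chain only prevents them from becoming the shared state.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Block is one checkpoint of the shared device log: the logged actions,
// the hash of the previous block, and the signatures of the devices that
// agreed to it. Hypothetical layout, not any real project's format.
type Block struct {
	Index    uint64
	PrevHash [32]byte
	Payload  string            // actions/decisions logged at this checkpoint
	Sigs     map[string][]byte // device name -> ed25519 signature over Hash()
}

// Hash binds the payload to its position and its predecessor; signatures
// are excluded so that adding a signature does not change what is signed.
func (b *Block) Hash() [32]byte {
	h := sha256.New()
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], b.Index)
	h.Write(idx[:])
	h.Write(b.PrevHash[:])
	h.Write([]byte(b.Payload))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// device is one member of the trusted network with its own signing key.
type device struct {
	name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newDevice(name string) device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return device{name: name, pub: pub, priv: priv}
}

// sign adds this device's signature over the block hash.
func (d device) sign(b *Block) {
	h := b.Hash()
	b.Sigs[d.name] = ed25519.Sign(d.priv, h[:])
}

// VerifyChain accepts a chain only if every block links to the previous one
// and carries at least `quorum` valid signatures from the trusted device set.
func VerifyChain(chain []Block, trusted map[string]ed25519.PublicKey, quorum int) error {
	var prev [32]byte
	for i, b := range chain {
		if b.Index != uint64(i) || b.PrevHash != prev {
			return fmt.Errorf("block %d: broken link to predecessor", i)
		}
		h := b.Hash()
		valid := 0
		for name, pub := range trusted {
			if sig, ok := b.Sigs[name]; ok && ed25519.Verify(pub, h[:], sig) {
				valid++
			}
		}
		if valid < quorum {
			return fmt.Errorf("block %d: only %d of %d required signatures", i, valid, quorum)
		}
		prev = h
	}
	return nil
}

// Scenario builds a constructed three-device network with a 2-of-3 quorum,
// commits two honest checkpoints, then lets one compromised device rewind
// its local copy and propose a different block 1. Returns (honestOK, forkOK).
func Scenario() (bool, bool) {
	devs := []device{newDevice("laptop"), newDevice("tv"), newDevice("tablet")}
	trusted := map[string]ed25519.PublicKey{}
	for _, d := range devs {
		trusted[d.name] = d.pub
	}
	quorum := 2

	genesis := Block{Index: 0, Payload: "genesis", Sigs: map[string][]byte{}}
	for _, d := range devs {
		d.sign(&genesis)
	}
	second := Block{Index: 1, PrevHash: genesis.Hash(), Payload: "unlock door 08:00", Sigs: map[string][]byte{}}
	for _, d := range devs {
		d.sign(&second)
	}
	honest := []Block{genesis, second}

	// The tablet is compromised: it rewinds locally and signs an alternative
	// block 1. The chain records nothing about this attempt (the caveat from
	// the thread), but without a quorum the fork is rejected by verifiers.
	forged := Block{Index: 1, PrevHash: genesis.Hash(), Payload: "unlock door 03:00", Sigs: map[string][]byte{}}
	devs[2].sign(&forged)
	fork := []Block{genesis, forged}

	return VerifyChain(honest, trusted, quorum) == nil, VerifyChain(fork, trusted, quorum) == nil
}

func main() {
	h, f := Scenario()
	fmt.Println("honest chain accepted:", h, "forged fork accepted:", f)
}
```

Running it prints that the honest chain is accepted and the forged fork is not. The quorum is what replaces proof-of-work in the notary-network variant the thread mentions: the verifier's trust is anchored in a fixed set of device keys rather than in majority hash power, so losing a quorum of those devices to an attacker defeats the scheme entirely.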


