KPMG LLP
Consensus – Immutable agreement for the internet of value
Understanding an evolving Blockchain technology landscape of consensus-driven opportunity in financial services
Appendix 3 – Detailed Interview / Questionnaire Responses
[Figure: evaluation categories: Operating Features, Access/On-Boarding, Tokenization, Performance/Scalability, Risks, Governance, Strength of Algorithm, Privacy, Cryptography, Use Cases, Security, Consensus Methodology, Implementation]
Note: This Appendix 3 contains detailed responses to the evaluation questionnaire listed in Appendix 2. Responses are based on a combination of interviews with DLT contacts (where permission has been granted to publish) and KPMG research. In most cases (and where applicable), questionnaire responses from the DLT contacts have been preserved and published verbatim.
Table of Contents
1. BigChainDB
2. BitShares
3. CASPER
4. Corda
5. DAG (Directed Acyclic Graphs)
6. Derived PBFT (Hyperledger project)
7. Distributed Concurrence
8. Evernym
9. Graphene
10. Juno
11. MultiChain
12. OpenChain
13. PoET by Intel
14. RAFT
15. Ripple
16. Steem
17. Stellar
18. Tangaroa
19. Tendermint
Contact Us and Acknowledgements
1. BigChainDB
Source: Interview / Questionnaire
Contact name: Trent McConaghy ([email protected])

Questionnaire responses

Consensus Methodology

What is the underlying methodology used by the consensus mechanism?
“Two-level consensus. Bottom level is Raft, to order & store all writes. Top-level is a new algorithm where nodes do a post-write vote.”

How many nodes are needed to validate a transaction? (percentage vs. number)
Majority.

Do all nodes need to be online for system to function?
No. # Nodes is up to deployer of network. Upcoming public network will support >100K client nodes, with 20-30 server nodes to start and many more later.

Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
No

Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Participants of network.

What are the different stages involved within the consensus mechanism?
Write (and implicitly: order) a block, vote whether block is valid.

When is a transaction considered "safe" or "live"?
Majority of nodes have voted block as valid.

Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
One round. Main latency limit is speed of light. In practice, <1 s to <100 ms.

How much time does a node need to reach a decision?
See above.

How much time is actually needed to build the consensus until a new block is added?
See above.

Does system contain synchronous node decision making functionality?
Eventually consistent.

What is the number of current and planned validators?
# Nodes is up to deployer of network.

What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
1/3 of nodes. FT++. In road map: BFT, for rare situations when the severe performance compromise is justified.

Is there a forking vulnerability?
No. Algorithms in the lineage of Paxos, including Raft, create transaction logs; forking is not in their vocabulary.

How are the incentives defined within a permissioned system for the participating nodes?
Extrinsic: Legal contracts. “If you're malicious, see you in court.”

What process does the system follow when it receives data?
It allocates the transaction into a block (set of TX), then writes the block to the DB using the bottom-level consensus algorithm (Raft). Voting on the block occurs afterwards.

How is data currently stored?
JSON-style document store. It's a database.

How does a party take ownership of an asset?
They can register an asset, or have an asset transferred to them. Owner(s) = controls private key. Interledger protocol supported.

Governance, Risks and Control

How is governance / controls enforced?
Up to the ringleader deploying the network. We recommend leveraging existing legal system, e.g., a joint venture or a nonprofit foundation, with standard governance documents.

Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
An individual node, or the governing body, it depends on the situation. Leverage existing legal system.

Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
Not built into the code itself. It could be built into the governing documents.

How does the consensus mechanism allow access?
Ring of public keys of servers. In road map: more fine-grained support.

How does the consensus mechanism restrict access, concerning malicious activities?
Each node listens to the change feed, malicious actions will be undone after quorum.

What is the permission management process? What is the process for adding or deleting nodes?
Voted on by existing nodes.

How does the protocol assess the trustworthiness of other participants?
Key assesses the permissions. Trustworthiness can be assessed based on, for example, how many times does a node agree with the quorum.

Are there separate admin / administrator privileges? Who manages them?
Currently, no. In road map: admin role proposes changes, which go through upon quorum by nodes.

Are there restriction / privacy rights defined and enforced by node?
Restriction rights: by owner (more fine-grained than by node), via private key based fulfillment conditions. Privacy rights: clients see less than server nodes and any TX can have client-side encryption.

Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back office outsourcing)
At this point, all federation nodes are equal and have read/write permissions. Clients, however only have read permissions through an API. At this point they can read all the information in the database.

What are the measures in place to reduce risk?
In SW development process, we optimize for risk and other relevant DB criteria. Open source, third-party audits, etc.

In case of permissioned systems, who manages the “know your client” (KYC)/anti-money laundering (AML) process and where is the data stored?
It's a database. KYC/AML, etc. are at the application level, not the DB level.

How is counterparty risk / settlement risk addressed?
See above.

Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
<1 s to <100 ms.

Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades)
1M writes/s, capacity > 1 PB.

Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades)
Whatever you like. Doesn't rely on native tokens.

How do you measure scalability?
Throughput, latency, capacity.

Is there a limitation on the number of fields within a transaction?
Keys are JSON documents, so you not only have a list of fields, but they can be hierarchically organized. No limit, except that the JSON document must be <65MB.

Is the speed of the system impacted if the system is made more scalable?
As more nodes are added, throughput and capacity improve, and latency worsens. Just like any modern "big data" distributed DB.

Does synchronization have any impact on scalability?
The current consensus algorithm is mostly asynchronous (except for dependent transactions).

Security

How is transaction activity monitored?
However the system deployer would like. We provide code to help monitoring.

Does the consensus mechanism utilize Digital Signatures?
Yes. bigchaindb.readthedocs.org, bigchaindb.com/whitepaper, GitHub.com/BigChainDB.

How does the consensus mechanism address an assumed industry standard?
No. There will be code and security audits.

Which risk/security issues are currently being worked on?
Shrinking the list of known fault vectors.

Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)?
Raft is formally verified. We’ll check the certification box if there is sufficient demand.

What are the infrastructure hosting options? (e.g., cloud, hosted in a datacenter, etc.)
It's a database. Obvious how to plug into MVC, LAMP stack, etc.

Briefly describe the security testing performed till date (if any)
Extensive internal benchmarks, ongoing, with FT engineers.

How are you planning to implement/integrate Digital wallets? (Including private key management)
Client side SW libraries.

In case of a breach, what data is at risk?
None, if encrypted. If not, a compromised node can read the data. But assets can't be transferred because protected by owners' private keys; and data won't be lost assuming deployer uses industry-standard DB backup practices (offline storage etc.).

How does the system prevent signature fraud (e.g., stolen keys)?
Just multisignature. “Don't lose your keys.”

Does the consensus mechanism have full documentation in place?
Yes. See http://bigchaindb.readthedocs.org, http://www.bigchaindb.com/whitepaper, http://www.GitHub.com/bigchaindb

How is the system expected to address general server issues?
The same way “sysadmins” currently administer their DBs. No magic needed.

How does the consensus mechanism address the risk of "double spending"?
A block of TXs only passes validation by voting nodes if it doesn't hold any double spend TXs.

How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
See overall consensus methodology Q's. In short: Raft to order + write; then vote.

Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
Raft has a Lamport-style logical clock.

Under which conditions does a lock/unlock happen? (i.e., what is the proof safety?)
No concept of lock needed. That would greatly impact performance.

What is the process for disaster recovery?
Like any modern DB: use the offline backup.

What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
It's a database. Fraud etc. are at the application level, not the DB level.

Privacy

How does the system ensure privacy?
Client nodes' visibility limited by what they can query. Server nodes can see all which isn't encrypted. Clients are represented in the database by a public key. The database has no idea of the mapping between the public key and the entity that owns it.

Does the system require verifiable authenticity of the messages delivered between the nodes?
Yes, signature verification in place.

Do all nodes have visibility into all other transactions?
Server-side nodes have transparency to each other.

How is privacy defined and ensured between applications?
Deploy different networks or use encryption.

How does the data encryption model work?
Client-side.

If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place?
This can be done by client. As a client, one may choose, for example, to create a new key pair for each transaction/asset.

Are participants' identities hidden from one another? (e.g., Blackpool)
Clients are represented in the database by a public key. The database has no idea of the mapping between the public key and the entity that owns it.

Cryptography/Strength of Algorithm

How are the keys generated?
The keys are created using the ED25519 (Schnorr) signature scheme. As of April 2016, EdDSA was in “Internet-Draft” status with the IETF but was already widely used. Each user and federation node creates his own set of keys.

What does the key life cycle management look like?
It is advised to rotate them every few months. Keys can be easily imported using CLI commands and/or updating the configuration file.

What is the library approach?
The library used is a Python wrapper of the SUPERCOP C benchmark suite, using the portable "ref" implementation (not the high-performance assembly code), and is very similar to the copy in the NaCl library.

What is the HSM integration approach?
NA, we do advise users not to share virtual machines on cloud platforms in order to avoid memory leaks.

Does the consensus mechanism require a leader?
The bottom-level Raft consensus has a dynamically chosen leader. The top-level protocol doesn't.

How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
Currently, majority. Easy to change as code is open source.

How is node behavior measured for errors?
Change feed mechanism: all nodes always hear about behavior of other nodes.

Tokenization (if used)

How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
The content of a transaction contains: ID, timestamp, crypto-fulfilments (inputs), cryptoconditions (output) and a payload (json-data). The ID is a hash of the transaction except for the fulfillment, since a transaction needs an ID before signing and signatures cannot sign itself (ref: transaction malleability).

Which security mechanisms are assigned to the tokens?
Private keys. Interledger protocol supported.

Briefly described the life cycle management process for the tokens
Clients request the issuance of assets. Only federation nodes can create assets. An owner of an asset, i.e., controller(s) of private key, can transfer the asset.

Does the consensus mechanism utilize transaction signing?
Yes, the client needs to sign transactions.

Implementation Approach

What are the current uses cases being explored, tested or implemented?
The use case of consensus is consistency, like any distributed DB. Higher-level use cases: ID, IP, supply chain, financial, energy, certification. Put another way: anywhere you need a DB with no single owner / controller, or anywhere you need a Blockchain at enterprise scale throughput/storage/latency.

What is the implementation cost?
In general, just the cost of cloud resources.

What is the time required to implement?
Up & running in <5 min. It's a database after all. The real time is the time to build the application.

Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
If you can afford to run a DB, you can afford to use our DB. No magical new concepts necessary. You should only use this DB compared to non-Blockchain DBs if there is benefit from decentralization (no single entity owns or controls), immutability (greater tamper-resistance), or assets (easy mechanisms to issue & transfer assets; assets "live" on DB).

Who are you currently working with? (e.g., Venture Capitalists, Banks, Credit Card companies, etc.)
Organizations that need a database with Blockchain characteristics. This includes the following; we are working with all of these: consortium ringleaders, Blockchain startups in ID/IP/etc., FORTUNE 500 enterprises, financial services, storage vendors, cloud services.
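
Added example (not from the report or from the BigChainDB project): the transaction-ID rule from the Tokenization answer, together with the double-spend and majority-vote rules from the Security and Consensus Methodology answers above, in Python. The field names, SHA3-256 as the hash, the canonical JSON encoding and the placeholder signature strings are assumptions; the answers do not specify them.

```python
import hashlib
import json


def canonical(obj):
    """Deterministic JSON bytes, so every node hashes identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tx_id(tx):
    """Hash the transaction with its ID removed and every fulfillment blanked.

    Leaving the fulfillment (signature) out is what lets the ID exist before
    signing and keeps it unchanged once the signature is attached.
    """
    body = {k: v for k, v in tx.items() if k != "id"}
    body["fulfillments"] = [dict(f, fulfillment=None) for f in tx["fulfillments"]]
    return hashlib.sha3_256(canonical(body)).hexdigest()  # hash choice is an assumption


def make_tx(spends, new_owner, payload, timestamp):
    """Build an unsigned transaction. `spends` holds [tx_id, output_index]
    references, or None for an asset creation (hypothetical layout)."""
    tx = {
        "timestamp": timestamp,
        "fulfillments": [{"spends": s, "fulfillment": None} for s in spends],
        "conditions": [{"owner": new_owner}],
        "payload": payload,
    }
    tx["id"] = tx_id(tx)
    return tx


def attach_fulfillment(tx, index, signature):
    """Attach a signature after the ID exists (placeholder string, not real Ed25519)."""
    tx["fulfillments"][index]["fulfillment"] = signature
    return tx


def block_is_valid(block, already_spent=()):
    """One voting node's check: every ID recomputes and no output is spent twice."""
    spent = set(already_spent)
    for tx in block:
        if tx.get("id") != tx_id(tx):
            return False  # body was altered after the ID was fixed
        for f in tx["fulfillments"]:
            if f["spends"] is None:
                continue  # asset creation spends nothing
            ref = tuple(f["spends"])
            if ref in spent:
                return False  # double spend inside the block or against history
            spent.add(ref)
    return True


def block_accepted(votes):
    """Post-write vote: a strict majority of nodes must mark the block valid."""
    return 2 * sum(1 for v in votes.values() if v) > len(votes)


def demo():
    # Constructed sample data: one asset, then two transfers of the same output.
    create = make_tx([None], "pubkey-alice", {"asset": "bond-001"}, "2016-04-01T10:00:00Z")
    to_bob = make_tx([[create["id"], 0]], "pubkey-bob", {}, "2016-04-01T10:00:05Z")
    to_carol = make_tx([[create["id"], 0]], "pubkey-carol", {}, "2016-04-01T10:00:06Z")

    unsigned_id = to_bob["id"]
    attach_fulfillment(to_bob, 0, "placeholder-signature-by-alice")

    tampered = json.loads(json.dumps(to_bob))  # deep copy
    tampered["conditions"][0]["owner"] = "pubkey-mallory"

    nodes = ("node-1", "node-2", "node-3")
    honest = [create, to_bob]
    conflicting = [create, to_bob, to_carol]
    return {
        "id_stable_after_signing": tx_id(to_bob) == unsigned_id,
        "tamper_detected": not block_is_valid([tampered]),
        "honest_block": block_accepted({n: block_is_valid(honest) for n in nodes}),
        "double_spend_block": block_accepted({n: block_is_valid(conflicting) for n in nodes}),
        "replayed_spend": block_is_valid([to_carol], already_spent={(create["id"], 0)}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
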

2. BitShares
Source: Interview / Questionnaire
Contact name: Ryan R. Fox ([email protected])

Questionnaire responses

Consensus Methodology

What is the underlying methodology used by the consensus mechanism?
Delegated Proof of Stake (DPOS) https://bitshares.org/technology/delegated-proof-of-stake-consensus/

How many nodes are needed to validate a transaction? (percentage vs. number)
Live stats: http://cryptofresh.com/witnesses Currently 27 witnesses are producing blocks. This is dynamic based on shareholders voting for a witness slate.

Do all nodes need to be online for system to function?
Same as Graphene. See below.

Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Same as Graphene. See below.

Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Same as Graphene. See below.

What are the different stages involved within the consensus mechanism?
Same as Graphene. See below.

When is a transaction considered "safe" or "live"?
Same as Graphene. See below.

Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
Same as Graphene. See below.

How much time is actually needed to build the consensus until a new block is added?
Same as Graphene. See below.

Does system contain synchronous node decision making functionality?
Same as Graphene. See below.

What is the number of current and planned validators?
Currently 27, but is dynamic based on approval voting. http://cryptofresh.com/witnesses

What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
Same as Graphene. See below.

Is there a forking vulnerability?
Same as Graphene. See below.

How are the incentives defined within a permissioned system for the participating nodes?
Same as Graphene. See below.

What process does the system follow when it receives data?
Same as Graphene. See below.

How is data currently stored?
Same as Graphene. See below.

How does a party take ownership of an asset?
BTS is the token.

Governance, Risks and Controls

How is governance / controls enforced?
Same as Graphene. See below.

Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
Same as Graphene. See below.

Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
Same as Graphene. See below.

How does the consensus mechanism allow access?
Same as Graphene. See below.

How does the consensus mechanism restrict access, concerning malicious activities?
Same as Graphene. See below.

What is the permission management process? What is the process for adding or deleting nodes?
Same as Graphene. See below.

How does the protocol assess the trustworthiness of other participants?
Same as Graphene. See below.

Are there separate admin / administrator privileges? Who manages them?
Same as Graphene. See below.

Are there restriction / privacy rights defined and enforced by node?
Same as Graphene. See below.

In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
Same as Graphene. See below.

How is counterparty risk / settlement risk addressed?
Same as Graphene. See below.

Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
Same as Graphene. See below.

Provide some general measures of volume that the consensus mechanism can or will handle (e.g., number of trades)
http://coinmarketcap.com/currencies/bitshares/#charts

How do you measure scalability?
http://stats.bitshares.eu/

Is the speed of the system impacted if the system is made more scalable?
Same as Graphene. See below.

Security

In case of a breach, what data is at risk?
Same as Graphene. See below.

Does the consensus mechanism have full documentation in place?
Same as Graphene. See below.

How does the consensus mechanism address the risk of "double spending"?
Same as Graphene. See below.

How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Same as Graphene. See below.

Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
Same as Graphene. See below.

Under which conditions does a lock/unlock happen? (i.e., what is the proof safety?)
Same as Graphene. See below.

What is the process for disaster recovery?
Same as Graphene. See below.

What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
Same as Graphene. See below.

Privacy

How does the system ensure privacy?
Same as Graphene. See below.

Does the system require verifiable authenticity of the messages delivered between the nodes?
Same as Graphene. See below.

Do all nodes have visibility into all other transactions?
Same as Graphene. See below.

How is privacy defined and ensured between applications?
Same as Graphene. See below.

How does the data encryption model work?
Same as Graphene. See below.

If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place?
Same as Graphene. See below.

Are participants' identities hidden from one another? (e.g., Blackpool)
Same as Graphene. See below.

Cryptography / Strength of Algorithm

What does the key life cycle management look like?
Address = ‘BTS’+base58(ripemd(sha512(compressed_pub))) (checksum obviated) But addresses are not used directly, instead you have an account (that can be controlled by one or more address, pubkey or another account). https://bitshares.org/technology/dynamic-account-permissions/

What is the library approach?
Same as Graphene. See below.

Does the consensus mechanism require a leader?
Same as Graphene. See below.

How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
Same as Graphene. See below.

How is node behavior measured for errors?
Same as Graphene. See below.

Tokenization (if used)

How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
The token is BTS.

Which security mechanisms are assigned to the tokens?
Same as Graphene. See below.

Briefly described the life cycle management process for the tokens
Same as Graphene. See below.

Does the consensus mechanism utilize transaction signing?
Same as Graphene. See below.

Implementation Approach

What are the current uses cases being explored, tested or implemented?
Same as Graphene. See below.

What is the implementation cost?
Free, License is MIT.

What is the time required to implement?
A witness node can be spun up on the BitShares network using the Microsoft Azure Blockchain as a Service platform (https://GitHub.com/Azure/azure-quickstart-templates/tree/master/bitshares-ubuntu-vm)

Who are you currently working with? (e.g., venture capitalists, banks, credit card companies, etc.)
CCEDK, OpenLedger, BlockTrades

3. CASPER
Source: Interview / Questionnaire
Contact name: Vlad Zamfir ([email protected])

Questionnaire responses

Consensus Methodology

What is the underlying methodology used by the consensus mechanism?
“consensus-by-bet” - nodes expose themselves to loss in concert, in order to commit to decisions.

How many nodes are needed to validate a transaction? (percentage vs. number)
If a node commits at all to an invalid transaction execution they lose their entire security deposit. All consensus-forming nodes are expected to validate every TX.

Do all nodes need to be online for system to function?
The system functions so long as one consensus-forming node remains online (Casper very strongly favors availability).

Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
At any time the participants are known to all clients - current participants finalize changes to the set of consensus-forming nodes.

What are the different stages involved within the consensus mechanism?
Casper involves betting in concurrent “betting cycles”, each of which only has one stage. Betting cycles never restart from ground zero, they “just continue” until convergence or until they are combined.

If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism?
There is a (in-consensus) process that manages the betting cycles, they terminate on convergence and when they are composed.

If applicable, what is the voting process after the "propose" stage?
Each betting cycle chooses between mutually exclusive proposals.

When is a transaction considered "safe" or "live"?
The “safety” of a given transaction receipt R is the amount of security deposits that would be lost in all consensus states where the TX receipt is not R.

Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
Betting cycles aren't guaranteed to terminate in a given amount of time, and do not progress in rounds. Bets form a DAG, and some DAGs correspond to a convergent betting cycle. Cycles are used to choose between competing blocks at every height.

How much time does a node need to reach a decision?
Decisions are not guaranteed to happen in a finite amount of time in an asynchronous network (FLP impossibility).

Does system contain synchronous node decision making functionality?
No – although some strategy choices involve timeouts, these choices are never decisions in the traditional sense of the word.

What is the number of current and planned validators?
We like to say 250, but the number is not set in stone.

What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
>50% can censor transactions (although not without being punished), b% can revert blocks/state created by a% < b% of nodes, unless a% > finality threshold F in which case no amount of faults can revert the block/state, the proportion of nodes required to prevent convergence depends on network condition (one faulty node is enough under asynchronous networks, a la FLP), and 100% of nodes must be faulty to secretly create an invalid block, but only the finality threshold of faults are required for nodes to finalize invalid blocks, and 2*(F – 50%) faults can cause permanent consensus failure in an asynchronous network (requires hard-fork to fix), but F faults are required to cause consensus failure in a synchronous network (weird network conditions will require some number of faults 2*(F – 50%) < x < F for consensus failure).

Is there a forking vulnerability?
Non finalized state can be reverted, consensus failure is possible due to finality conditions.

How are the incentives defined within a permissioned system for the participating nodes?
Precisely the same way they are defined for a public economic system – super weird question because incentives normally are not required for permissioned systems.

What process does the system follow when it receives data?
The I of I/O works only through transactions. Transactions have payload. O happens through transaction receipts.

How is data currently stored?
A Patricia Merkle tree that stores the state of all the distributed virtual machine.

How does a party take ownership of an asset?
That depends on the asset – Ethereum supports arbitrary access policies.

Governance, Risks and Control

How is governance / controls enforced?
Hard forks happen completely outside of the protocol, and without a clear process. This mitigates people's ability to game upgrades.

Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
Not clear that any legal action will be taken, we want to invite attack, not discourage it.

Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
The protocol aims to guarantee the forfeiture of security deposits of nodes exhibiting byzantine behavior.

How does the consensus mechanism allow access?
As long as there is no censorship anyone can place a bonding transaction and become a consensus-forming node.

How does the consensus mechanism restrict access, concerning malicious activities?
It revokes access when it sees clearly malicious behavior, and institutes punishment when it seems shady behavior.

What is the permission management process? What is the process for adding or deleting nodes?
All changes to the set of nodes are validated and finalized by the consensus - there is a queue for bonding and a waiting time before deposits are returned, some details vary between versions of Casper.

How does the protocol assess the trustworthiness of other participants?
Security deposits are taken as performance bonds – nodes that perform poorly will not be left with as much of their deposit.

Are there separate admin / administrator privileges? Who manages them?
No – Casper is designed specifically not to have admins.

Are there restriction / privacy rights defined and enforced by node?
No – Casper is a public protocol.

Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., Back Office outsourcing)
Only bonded nodes can write, anyone can read.

What are the measures in place to reduce risk?
A lot of effort is being placed in formal verification, and more and more peer review is being done.

How is counterparty risk / settlement risk addressed?
Finalized blocks are used to mitigate settlement risk, economic consensus punishes counterparties who behave badly.

Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
We're still in early prototype phases, no real measurements are available.

How do you measure scalability?
Not much more scalable than a normal Blockchain.

Is the speed of the system impacted if the system is made more scalable?
Adding nodes increases overhead and does not scale capacity – increasing the capacity of nodes does scale capacity. We plan on moving to Blockchain sharing ASAP.

Does synchronization have any impact on scalability?
Network weirdness increases the protocol's overhead and reduces capacity.
Security How is transaction activity monitored? By validators who verify signatures and transaction fees. Does the consensus mechanism utilize Digital Signatures? Yes – the bitc oin c urve. How does the consensus mechanism address an assumed industry standard? For any standard consensus protocol, one can find a network condition where Casper converg es but that consensus p roto col do es not. C asper is more flexible than PBF T, RAFT, Tendermi nt, etc. Which risk/security issues are currently being worked on? “ Greifing” attacks where nodes go offline to punish online nodes, who the protocol believes are censori ng the offli ne nodes. Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)? No – ha ven't thou ght about i t – still in early peer review stages. Briefly describe the security testing performed till date (if any) Small amounts of simulation, mostly analysis. How are you planning to implement/integrate Digital wallets? (Including private key management) This question is i ndependent of the consensus pro
tocol , and is an E thereum-wide thing.
In case of a breach, what data is at risk? Data on the Bloc kchain is n ot pri vate.
24
How does the system prevent signature fraud (e.g., stolen keys)?
Systems for revocation and recovery of credentials can be built into smart contracts.

Does the consensus mechanism have full documentation in place?
Not yet – the protocol is still in flux.

How is the system expected to address general server issues?
The validators are responsible for these issues, if they don't fix them they will be operating at a loss.

How does the consensus mechanism address the risk of "double spending"?
We provide a consensus protocol. There is no separate mechanism for double-spends.

How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Security-deposit proof-of-stake allows for super-fast synchronization.

Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
Clocks need to be synchronized, but network messages don't need to propagate in predictable times.

Under which conditions does a lock/un-lock happen? (i.e., what is the proof safety?)
A finality threshold of nodes are required to make finalized decisions.

What is the process for disaster recovery?
Hard forks are used to recover from consensus failure, long (order of months) timeouts are used to recover from mass crash-faults.
What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
We assume that the market of bonded validators is highly concentrated, and we want to show that the protocol guarantees are not undermined under oligopolistic market models, unless there is some quantifiable extra-protocol incentive to undermine the protocols.
Privacy

How does the system ensure privacy?
It doesn't

Does the system require verifiable authenticity of the messages delivered between the nodes?
All blocks and transactions and bets have signatures.

Do all nodes have visibility into all other transactions?
Yes – it's a public Blockchain.

How is privacy defined and ensured between applications?
It's not

If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place?
Credentials should be issued to each node.

Are participants' identities hidden from one another? (e.g., Blackpool)
No, all members know the list of all members.
Cryptography/Strength of Algorithm

How are the keys generated?
We use the Bitcoin curve for transactions, but contracts can verify arbitrary credentials.

What does the key life cycle management look like?
Still too immature to tell – very flexible credential management systems can be built on top of Ethereum.

Does the consensus mechanism require a leader?
Some versions of Casper have a round-robin, none have leaders who produce blocks until they timeout, however.
How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
We do not support changing the rules of the protocol from inside the protocol as it would be a vulnerability.

How is node behavior currently measured for errors?
The betting cycle's trace evidences the node's performance, and is used to determine payoffs.
Tokenization (if used)

How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
Ether is used for deposits, possibly fees, contracts can be used for arbitrary token stuff.

Which security mechanisms are assigned to the tokens?
Security deposits are taken as performance bonds – nodes that perform poorly will not be left with as much of their deposit.

Briefly describe the life cycle management process for the tokens
Security deposits have a lifetime on the order of months that the protocol sets.

Does the consensus mechanism utilize transaction signing?
Yes – for now the bitcoin curve – eventually we're moving to use arbitrary stateless credential verification.
Implementation Approach

What are the current use cases being explored, tested or implemented?
The public Ethereum Blockchain.

What is the implementation cost?
So far we've probably spent around $100K, probably we require a lot more.

What is the time required to implement?
Unknown, although progress seems to be steady.
Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
Not a business case, but we do compare Casper to other public economic consensus protocols.

Who are you currently working with? (e.g., Venture Capitalists, Banks, Credit Card companies, etc.)
This work is being done by academics and individual professional researchers and hobbyists.
4. Corda

Source: KPMG Research
Contact name: See Contact Us below
Questionnaire responses

Consensus Methodology

What is the underlying methodology used by the consensus mechanism?
Corda achieves consensus between firms at the level of individual deals, not the level of the system.

How many nodes are needed to validate a transaction? (percentage vs. number)
n2n Corda transactions are validated by parties to the transaction rather than a broader pool of unrelated validators (N2N/2).

Do all nodes need to be online for system to function?
N2N so only 2 parties involved need to be online.

Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Participants

When is a transaction considered "safe" or "live"?
Deterministically final settled when the counterparty ledger is updated.

Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
No

How much time does a node need to reach a decision?
Instantaneous as soon as nodes agree.

What is the number of current and planned validators?
n2n
Is there a forking vulnerability?
No

What process does the system follow when it receives data?
Each counterparty has their own view. They hash their version of the data and present it to other party to view for comparison. They transmit their version of the hash to counterparty and vice versa. These should match.

How is data currently stored?
Corda has no unnecessary global sharing of data: only those parties with a legitimate need to know can see the data within an agreement. Gets stored in the individual nodes.

How does a party take ownership of an asset?
Off-chain.
Governance, Risks and Control

How is governance / controls enforced?
Corda’s design directly enables regulatory and supervisory observer nodes.

How does the consensus mechanism allow access?
Access is granted for nodes involved in transaction.

What is the permission management process? What is the process for adding or deleting nodes?
Implementation dependent. Can have an opt-in for other nodes to be part of a transaction.

How does the protocol assess the trustworthiness of other participants?
By allowing only the counterparties who want to transact to be involved, assumptions can be made around trust in that transaction.

Are there separate admin / administrator privileges? Who manages them?
No

Are there restriction / privacy rights defined and enforced by node?
Yes
What are the measures in place to reduce risk?
The system is closed to only the counterparties so that reduces a lot of risk.
Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
Instantaneous as soon as nodes agree.

Is the speed of the system impacted if the system is made more scalable?
No

Does synchronization have any impact on scalability?
No synchronization N2N.
Security

How is transaction activity monitored?
At each counterparty with full logging of all transactions both successful and attempted/failed/canceled transactions.

Does the consensus mechanism utilize Digital Signatures?
Yes

Which risk/security issues are currently being worked on?
Corda's design directly enables regulatory and supervisory observer nodes.

How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Not applicable as the counterparties transactions are handled serially.
Privacy

How does the system ensure privacy?
Transactions are N2N and available to the counterparty with which it is shared. No external parties are needed but there is an opt-in for regulators.
Does the system require verifiable authenticity of the messages delivered between the nodes?
Yes, messages are data encrypted and node to node.

Do all nodes have visibility into all other transactions?
No

How does the data encryption model work?
Node to node.

Are participants' identities hidden from one another? (e.g., Blackpool)
Yes
Cryptography / Strength of Algorithm

What does the key life cycle management look like?
Hash’s digital signature cryptographic support, keys generated between counterparties. Multiple different keys b/c each counterparty will have different keys and create new ledger with new set of keys.

Does the consensus mechanism require a leader?
No

How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
N2N/2
Tokenization (if used)

How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
Corda has no native cryptocurrency.

Which security mechanisms are assigned to the tokens?
Corda has no native cryptocurrency.

Briefly describe the life cycle management process for the tokens
Corda has no native cryptocurrency.
Does the consensus mechanism utilize transaction signing?
Digital Signatures.
Implementation Approach

What are the current use cases being explored, tested or implemented?
Corda used with Barclays for smart contract usage (ISDA) derivatives swaps.

Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
Banks subscribe to service.

Who are you currently working with? (e.g., venture capitalists, banks, credit card companies, etc.)
A consortium of banks.
5. DAG (Directed Acyclic Graphs)

Source: Interview / Questionnaire
Contact name: Aviv Zohar ([email protected])
Questionnaire responses

Consensus Methodology

What is the underlying methodology used by the consensus mechanism?
Proof of Work.

Do all nodes need to be online for system to function?
No

Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Yes

Who has ownership of the nodes? (e.g., consensus provider or participants of network)
P2P

How much time is actually needed to build the consensus until a new block is added?
We expect block to be added at a rate of 1 per sec or so. Waiting time for irreversibility is then on the order of several seconds.

What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
51 percent Attacks.

How are the incentives defined within a permissioned system for the participating nodes? When we talked last you talked about how the white paper is all about changing incentives for the miners and can you explain how smaller miners benefit too.
Rewards are given through:
1. Minting: to everyone who creates a block (not a problem - incentives are well aligned as each block adds to the security of the ledger, and no one can create blocks at will due to the Proof of Work).
2. Tax fees: only to the miner that included the tax in his block. If there are several miners that attempt to include the tax (in conflicting blocks) we can pay only one of them - the one whose block is earliest.
Re the transaction fees: if you now know that your blocks may not be earlier than other conflicting blocks that appear, you have the option of including transactions that pay slightly less but are unlikely to be included by others, thus guaranteeing a higher probability that you will collect payment for them. In contrast, in the vanilla bitcoin implementation, you are incentivized to always include the highest paying taxes, and you lose all rewards if your block is in conflict and you did not eventually win. This behavior can be used by smaller miners (who often lose block races) to mitigate their losses and to still earn more than they would under "vanilla bitcoin". The other implications are that they also include additional transactions in the chain and that conflicting blocks are not very similar (again, in contrast to vanilla bitcoin).
Governance, Risks and Control

Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
No. There is none. It is just shown to be hard to do.

How does a party take ownership of an asset?
Same as Proof of Work.

How does the consensus mechanism allow access?
Same as Proof of Work.

What is the permission management process? What is the process for adding or deleting nodes?
Same as Proof of Work.

How does the protocol assess the trustworthiness of other participants?
Same as bitcoin.

Are there separate admin / administrator privileges? Who manages them?
No

Are there restriction / privacy rights defined and enforced by node?
Same as Proof of Work.
Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
1 MB per second of block adding as opposed to every 10 minutes in Proof of Work now confirmation time several seconds.

Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades)
2000 TX per second.

Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades)
Unlimited.

How do you measure scalability?
Blocks are created every second in the system and this allows for double spend to be mitigated.

Is there a limitation on the number of fields within a transaction?
No

Is the speed of the system impacted if the system is made more scalable?
No
Security

Does the consensus mechanism utilize Digital Signatures?
Yes, same as Proof of Work.

Which risk/security issues are currently being worked on?
Double spending attacks, selfish mining attacks, network connectivity.

What are the infrastructure hosting options? (e.g., cloud, hosted in a datacenter, etc.)
We are indeed using the same infrastructure, and based on Proof of Work, though we are also working on non-Proof of Work based variants (permissioned chains).
Briefly describe the security testing performed till date (if any)
We are proving theorems regarding the security of the double spend attack, and also have begun implementing simulations to verify these claims independently.

How are you planning to implement/integrate Digital wallets? (Including private key management)
We're not dealing with this directly. We plan to adopt Bitcoin's code here.

In case of a breach, what data is at risk?
Generally a breach can only harm the security of one's own wallet.

How does the system prevent signature fraud (e.g., stolen keys)?
Just as in Bitcoin.

Does the consensus mechanism have full documentation in place?
We are not building a complete system, but are working on a paper to explain how to change the consensus core.

How does the consensus mechanism address the risk of "double spending"?
We are using the DAG to order transactions. Double spends receive lower priority and are thus discarded.

How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
As in Bitcoin, all nodes need to be connected to the main network. We assume a robust P2P infrastructure, through which blocks are downloaded. A full node needs to download all past blocks, while a light node is expected to need to download only block headers (80 bytes per block or so).

Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
We do not assume clocks held by nodes are synchronized/accurate.

What is the process for disaster recovery?
Same as Proof of Work.
Cryptography/Strength of Algorithm

How are the keys generated?
Same as Proof of Work.

Does the consensus mechanism require a leader?
No
Tokenization (if used)

How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
We are token agnostic. Smart contracts/tokens/anything else that would go in the chain does not matter much to us.
Implementation Approach

What are the current use cases being explored, tested or implemented?
Same as bitcoin.

What is the time required to implement?
We have a running version of the code for the consensus core, but a full blown implementation as a currency will probably take on the order of six months to a year to get.

Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
Same as bitcoin and working on solutions for Proof of Work.
6. Derived PBFT (Hyperledger project)

Source: KPMG Research
Contact name: See Contact Us below.
Questionnaire responses

Consensus Methodology

What is the underlying methodology used by the consensus mechanism?
PBFT Derived.

How many nodes are needed to validate a transaction? (percentage vs. number)
Minimum mathematical one but then you couldn’t really leverage PBFT which means you have practical four.

Do all nodes need to be online for system to function?
The mathematical minimum is four due to one-third faulty nodes due to PBFT mechanism; practical beyond four, currently testing with 12 - 15 nodes (depending on use cases).

Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Yes, permissioned system as assumption.

Who has ownership of the nodes? (e.g., consensus provider or participants of network)
To really use the Blockchain infrastructure the owner of the network shall own them. Validating nodes = owned by transaction participants, other (reading nodes + regulators) will help to improve the resiliency of the network.

Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
Three rounds (but depends on use case).

How much time does a node need to reach a decision?
That depends on the scenario to be validated, three rounds of network communication and in best case scenario it also depends on latency, but then the validation is happening in milliseconds.
How much time is actually needed to build the consensus until a new block is added?
Depends on use case.

Does system contain synchronous node decision making functionality?
The time-out window depends on the business scenario (today five seconds).

What is the number of current and planned validators?
Current testing with approx. ten but can be more.

What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
PBFT one third

Is there a forking vulnerability?
Theoretically, yes.

How are the incentives defined within a permissioned system for the participating nodes?
No incentives defined, only cost of participating in the network.

What process does the system follow when it receives data?
Depends on the use case.

How is data currently stored?
Depends on the use case.

How does a party take ownership of an asset?
Depends on the use case.
Governance, Risks and Control

How is governance / controls enforced?
Depends on the use case.
Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
Depends on the use case.

Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
Depends on the use case.

How does the consensus mechanism allow access?
Configurable.

What is the permission management process? What is the process for adding or deleting nodes?
Since the consensus is defined by a majority of nodes, it is a prerequisite to know what the network consists of. By removing nodes you could change the consensus and potentially see a split. The membership of the network has to be a meta-layer or overlay of the overall consensus building. Adding a new participant has to be a transaction which is propagated in the network and validated by the other nodes. Removing a node is a bit more complex: because if a node is not replying anymore it cannot just simply be removed. The actual removal of a node would need to be proposed as a transaction to the network and to be agreed upon. Once the new status is confirmed (the nodes come to the agreement that the new status doesn’t include the node) you can move to a new system status and the node is removed.

Are there separate admin / administrator privileges? Who manages them?
That is use case dependent, technically it is configurable; ideally that is a central authority or potential other appropriate governance structure (maybe even a regulator).

Are there restriction / privacy rights defined and enforced by node?
We rely on various cryptographic concepts, but that is configurable by use case. We can establish a bilateral exchange of information; we have got a few options, we can replicate and encrypt data in various ways and so that is case by case dependent, but it needs to have a mechanism to also ensure the nuances in the industry are addressed by various layers (announcements will be made third week of April).

Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back office outsourcing)
Yes, rings of access management: outer = reading access and inner layers = validating and writing access where inner layers have the greater degree of access. A reading node would get a copy of the event, but they are not validating or processing but have the capability still to communicate with other nodes.

How is counterparty risk / settlement risk addressed?
That is separate from the consensus mechanism that would need to be checked as part of authorization before you go to the consensus stage.
Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
Depends on use case, but milliseconds.

Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades)
Depends on use case.

Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades)
Depends on use case.

How do you measure scalability?
Transaction throughput in seconds, and number of nodes able to participate in validation.

Is there a limitation on the number of fields within a transaction?
Depends on use case.
Security

How is transaction activity monitored?
Depends on use case.

Does the consensus mechanism utilize Digital Signatures?
Yes, distributed signing as second step. That service will receive transaction, check and determine if it can authorize and that can check in with existing BO systems. Technically, it is not part of the actual consensus mechanism; it is a second step to distributed signing, transactions once confirmed will then be added. Steps (increasing complexity) distribution of data, distribution of signature, distribute consensus, distribute of business logic.
How does the consensus mechanism address an assumed industry standard?
Hyperledger project.

Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)?
Hyperledger project, aiming for project participants’ review; are aiming for certification by Hyperledger foundation.

What are the infrastructure hosting options? (e.g., cloud, hosted in a datacenter, etc.)
Depends on use case.

How are you planning to implement/integrate Digital wallets? (Including private key management)
Depends on use case.

In case of a breach, what data is at risk?
Depends on use case.

Does the consensus mechanism have full documentation in place?
Yes

What is the process for disaster recovery?
Reproduce the key from the archive, going forward you use rolling keys.

What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
It creates an entirely new class of threat denial of service, like a node is not playing the rules.
Cryptography / Strength of Algorithm

How are the keys generated?
Generally, we limit the chances of keys getting lost and also limiting the potential for strong keys due to the potential vulnerability. Keys will be generated out of master keys in a hierarchy.
What does the key life cycle management look like?
Via the hierarchy, the master of a higher key can create a new key a lower level down; moving down the hierarchy is simple, moving up is impossible. The master key is owned and will be commonly shared via fractural pieces and will be reconstructed if lower hierarchy keys will need to be recreated. If we would use random keys it increases the chances we would lose some of them or they would be corrupted. A hierarchy system of creating keys which are used for a single transaction is safer. The hierarchy can also be used to roll daily and monthly keys. At some point, we have to store some root keys and they are stored not in one piece. That makes it more flexible.

How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
Supermajority as PBFT characteristics, one third. The system is flexible; phase 1 (Hyperledger project): central authority certificate determines who participates like DTTC; phase two: decentralized authority on the basis of democratic votes. Evaluating the adjustment of the strictness is a theoretical boundary, we cannot be less strict than the one third otherwise we lose the properties, practically the one third is the upper limit in practice within the industry would require stronger mechanism, in reality if only one bank behaves suspicious, intervention manually first then later system defined will happen, system continuity has priority.

How is node behavior measured for errors?
An administrator monitoring currently build in, every node is / audit log and audit trail.
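The key hierarchy described above (a root key held in pieces, with monthly, daily and single-transaction keys derived downward) can be sketched as follows. This is an added example, not code from the Hyperledger project or from the report; it assumes HMAC-SHA256 as the one-way derivation step and an XOR split in which every piece is required, neither of which the report specifies, and all function names, labels and sample dates are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_root(root_key: bytes, pieces: int) -> List[bytes]:
    """Split the root key so it is never stored in one piece.

    Assumption: a simple XOR split where ALL pieces are needed to rebuild.
    Any subset smaller than the full set is statistically independent of
    the root key.
    """
    if pieces < 2:
        raise ValueError("the root key must be split into at least two pieces")
    shares = [secrets.token_bytes(len(root_key)) for _ in range(pieces - 1)]
    last = root_key
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def rebuild_root(shares: List[bytes]) -> bytes:
    """Recombine every piece to recover the root key."""
    if len(shares) < 2 or len({len(s) for s in shares}) != 1:
        raise ValueError("need two or more pieces of equal length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    return key


def derive_child(parent_key: bytes, label: str) -> bytes:
    """One step down the hierarchy: child = HMAC-SHA256(parent, label).

    Moving down needs only the parent key and a label. Moving up would
    require inverting HMAC-SHA256, so a leaked child key exposes neither
    its parent nor its siblings.
    """
    if not label:
        raise ValueError("label must not be empty")
    return hmac.new(parent_key, label.encode("utf-8"), hashlib.sha256).digest()


def transaction_key(root_key: bytes, month: str, day: str, tx_id: str) -> bytes:
    """Root -> monthly key -> daily key -> single-transaction key.

    The level prefixes keep labels at different levels from colliding.
    """
    monthly = derive_child(root_key, "month:" + month)
    daily = derive_child(monthly, "day:" + day)
    return derive_child(daily, "tx:" + tx_id)


def recover_transaction_key(shares: List[bytes], month: str, day: str,
                            tx_id: str) -> bytes:
    """Disaster recovery: rebuild the root from the archived pieces and
    re-derive a lost lower-level key instead of restoring it from backup."""
    return transaction_key(rebuild_root(shares), month, day, tx_id)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    root = secrets.token_bytes(32)
    archive = split_root(root, 3)
    original = transaction_key(root, "2016-04", "2016-04-18", "tx-0001")
    recovered = recover_transaction_key(archive, "2016-04", "2016-04-18", "tx-0001")
    print("recovered key matches:", hmac.compare_digest(original, recovered))
```

Because derivation is deterministic, only the root pieces need archiving; every monthly, daily and per-transaction key can be recreated from them on demand.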
Tokenization (if used)

Does the consensus mechanism utilize transaction signing?
Yes, but depends on use case.
7. Distributed Concurrence

Source: Interview / Questionnaire
Contact name: Dan Conner ([email protected])
Questionnaire responses

Consensus Methodology

How many nodes are needed to validate a transaction? (percentage vs. number)
Nothing happens outside of the two parties. Two counterparties no independent validator and no independent auditor. Regulators data store.

Do all nodes need to be online for system to function?
No just the two nodes involved in the transaction.

Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Yes

Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Participants on the nodes, they implement in best manner for themselves. Cloud service and data center.

What are the different stages involved within the consensus mechanism?
Three stages: 1) Transaction Concurrence 2) Chain Concurrence Repeated Periodic Polling of hash.

If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism?
See process flowchart for transaction and chain concurrence flows.

If applicable, what is the voting process after the "propose" stage?
See process flowchart for transaction and chain concurrence flows.
When is a transaction considered "safe" or "live"?
One of the key differentiators of concurrence ledgers is that the transactions are definitively and deterministically final settled when the counterparty ledger is updated. This feature is something that consensus Blockchain cannot offer and is critical in securities transactions.

Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
No consensus.

How much time does a node need to reach a decision?
Time to reach a decision is determined by physical distance between the servers.

How much time is actually needed to build the consensus until a new block is added?
Instantaneous node to node.

What is the number of current and planned validators?
No external parties have a say in the concurrence model so no one can corrupt, delay, or refuse to provide consensus (e.g., a denial of service via denial of consensus voting).

Is there a forking vulnerability?
No, there is no Blockchain so no possibility for a fork. The maximum deviation is one transaction could be proposed that is not accepted by the other counterparty. It would be caught by either the next periodic hash check, or when the next transaction is proposed whichever comes first. But no other transaction can be entered into until the discrepancy is resolved and the ledger in error is brought into synch.

How are the incentives defined within a permissioned system for the participating nodes?
Node to node so incentive is private trades.

What process does the system follow when it receives data?
Each counterparty has their own view. They hash their version of the data and present it to other party to view for comparison. They transmit their version of the hash to counterparty and vice versa. These should match.

How is data currently stored?
Data is stored in the nodes that do the transaction. They own the data.
How does a party take ownership of an asset?
Ownership of assets: work w/off chain assets, on ramp how do you get your physical assets, needs to be trust there that asset will be linked-trust created in audit process, trust gov entities, account firms, internal/external auditors are doing their jobs to verify in good faith that counterparties and assets are real.
Governance, Risks and Control

Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
Settled off-chain. Legal recourse.

Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
No external parties have a say in the concurrence model so no one can corrupt, delay, or refuse to provide consensus (e.g. a denial of service via denial of consensus voting).

How does the consensus mechanism allow access?
Access implementation: run some code base create counterparty ledger for new person. N-1 number of ledgers, actual number of counterparties: ledgers created are 1-1 so n-1 for you to create with all counterparties.

How does the consensus mechanism restrict access, concerning malicious activities?
One key feature is that the concurrence ledger will lock because the ledgers don’t hash equally. So malicious transactions won’t be able to be applied no matter how many times they are attempted. Malicious activity detection is automated with the periodic ledger hash checks. And the bad transaction is always at the top of the chain on only one side with log entries recording the activity so roll back is very easy to clean up the system post-attack.

What is the permission management process? What is the process for adding or deleting nodes?
It can be implemented in various ways depending on the use case, but yes N2N makes it simpler.

How does the protocol assess the trustworthiness of other participants?
Trust is derived from the regulated members’ compliance departments, auditors, examiners and regulators oversight.
Are there separate admin. / administrator privileges? Who manages them?
No consensus protocol but the concurrence protocol is patent pending and may become industry standard.

Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back office outsourcing)
The two counterparties have complete access to data no one else on chain does unless you want them to. If the functional area doesn’t need access to live data they can operate off read only, backup data.
What are the measures in place to reduce risk?
The system is closed to only the counterparties so that reduces a lot of risk vectors. Additionally, at each level steps can be implemented to protect the system from physical isolation to active network and transaction monitoring.

In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
Handled by the members directly – assumes entity performs its KYC/AML checks prior to establishing a counterparty ledger.
Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
Instantaneous.

Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades)
Not a monolithic Blockchain - 100,000s TX per sec simultaneously on individual ledgers as well.

Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades)
Structure less data no limit on the amount of data.

How do you measure scalability?
Because the counterparty ledgers can all be separately processed the system is n-times more scalable than a consensus network (where n is the number of nodes in the network). Additionally, since all of the delay in seeking consensus is eliminated each transaction is much faster as well.

Is there a limitation on the number of fields within a transaction?
No

Is the speed of the system impacted if the system is made more scalable?
No

Does synchronization have any impact on scalability?
No synchronization N2N.

Security

How is transaction activity monitored?
At each counterparty with full logging of all transactions both successful and attempted/failed/canceled transactions.

Does the consensus mechanism utilize Digital Signatures?
Yes

How does the consensus mechanism address an assumed industry standard?
No

Which risk/security issues are currently being worked on?
A holistic approach evaluating from the physical layer (what fiber bundle will interconnect counterparties) all the way to feasibility studies of AI at the members’ node for deep learning of usual/unusual activity.

Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)?
Different routes are possible for different industries and use cases (e.g., ISO 20022 messages for payments but aren’t needed by exchanges/clearinghouses) so it will depend on customer requirements.

What are the infrastructure hosting options? (e.g., cloud, hosted in a data center, etc.)
System can be cloud, data center or individual server based depending on scale, number of processors/threads active, and counterparty proximity requirements.

Briefly describe the security testing performed till date (if any)
Haven’t deployed and tested yet.

How are you planning to implement/integrate Digital wallets? (Including private key management)
No wallets planned at this time as it is a B2B system.

In case of a breach, what data is at risk?
Depends on the severity of the breach.

How does the system prevent signature fraud (e.g., stolen keys)?
Key management is critical with any system. In this case, we have the ability to terminate and create new counterparty ledgers easily since only the specific participants are affected. Additionally, as each counterparty ledger can be controlled by a separate key, loss of a single key would be limited to that single ledger and not affect the entire system.

Does the consensus mechanism have full documentation in place?
Currently in development.

How is the system expected to address general server issues?
Can be hosted in cloud, data center, or individual servers for small enterprises. Expect the usual redundancies and backups to be in place. Additional benefit is that since this is for transactional systems old data can be moved to secondary servers so the data is still accessible but not clogging the operational servers.

How does the consensus mechanism address the risk of "double spending"?
There is no inherent crypto currency required so no chance for a double spend.

How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Not applicable as the counterparties transactions are handled serially.

What is the process for disaster recovery?
Backup server.

What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
Currently working the details on a reputation score for counterparties – e.g., if a counterparty ledger fails a periodic hash, notify/poll other members of the network to determine if it’s a larger issue or just that one transaction that is an issue. Since only one transaction can be improperly added to a counterparty ledger without concurrence the total risk is capped.

Privacy

How does the system ensure privacy?
The ledgers are only available to the counterparty with which it is shared – no external entities have access.

Do all nodes have visibility into all other transactions?
No

How is privacy defined and ensured between applications?
N2N

How does the data encryption model work?
Encryption can be applied on each counterparty ledger and is easily managed because only the parties need to agree to change encryption methods, etc., they don’t have to wait for the entire network to make system-wide changes.

If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or do randomized CUSIP translation factors take place?
No

Are participants' identities hidden from one another? (e.g., Blackpool)
No for KYC/AML counterparties are completely known. (Pseudonymity fails after the first transaction with a counterparty in a permissioned network so this may not be relevant.)

Cryptography / Strength of Algorithm

What does the key life cycle management look like?
Hash’s digital signature cryptographic support, keys generated between counterparties. Multiple different keys b/c each counterparty will have different keys and create new ledger with new set of keys.

Does the consensus mechanism require a leader?
No

How is node behavior measured for errors?
Immediate dispute resolution node behavior. Need to only look for errors in last transaction to see the difference. Authentication at the individual level.

Tokenization (if used)

How are the assets tokenized (if applicable)? Briefly describe the tokenization concept and terminology
Everything is representation of an off chain asset, validated by the auditors, examiners, etc. There is no inherent cryptocurrency that adds risk for the participants due to value fluctuation or during the state transition.

Does the consensus mechanism utilize transaction signing?
Digital Signatures.

8. Evernym
Source: Interview / Questionnaire
Contact name: Jason Law / Timothy Ruff / Drummond Reed ([email protected] / [email protected] / [email protected])

Questionnaire responses

Consensus Methodology

What is the underlying methodology used by the consensus mechanism?
We have implemented a BFT protocol called Plenum which is a variation of the Redundant Byzantine Fault Tolerant protocol (http://pakupaku.me/plaublin/rbft/report.pdf). Major differences include no reliance on MAC authenticators. We are using Ed25519 digital signatures throughout. Also, RBFT doesn't specify a method for election, so we've implemented one consistent with Byzantine Agreement (BA) protocol itself.

How many nodes are needed to validate a transaction? (percentage vs. number)
Like other BFT protocols, RBFT relies on 2f+1 nodes to come to agreement. There is one important variation: double-spend-proof (DSP) transactions, such as the creation of an identifier, must be executed across all nodes. However, where DSP is not required, say in the case where attributes are added to an existing identifier, then a subset of nodes are used to validate and execute the transaction. This is one of the extensions to RBFT we have that allows us to scale BFT, a protocol that is traditionally hard to scale.

Do all nodes need to be online for system to function?
No, a little more than 2/3 of the nodes need to be online for the system to function. In fact in a system of n nodes, floor(n-1/3) can go down and the system will still function. A pilot is underway now. Several financial institutions, life management platforms, universities, and other interested parties, including a large data center are participating. These exist in Europe, Asia, and North America. They span multiple operating systems (Windows and Linux), virtual and dedicated machines, cloud and data centers, and administrative zones. In this phase, load testing and PoC for use cases are underway.

Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Yes and No. Yes, some nodes and their Stewards (operators of Validator nodes) are bootstrapped in a set of "genesis transactions". No, in the sense that those nodes and stewards can change over time. There is a special Pool Management ledger—separate from the main transaction ledger—for governance of how Validator nodes are added to the network. New Stewards and the requirements for their nodes are also managed by this governance process, as is revocation of Stewards. Various algorithmic and time-based mechanisms will be employed, but there are cases where node membership will require votes from existing membership, perhaps even leveraging some kind of limited proof-of-stake for pool membership. This aspect of the governance model is still under development (see below).

Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Validator nodes are controlled by stewards, which are selected per the governance mentioned above. There is a second type of node called an "Observer", who does not participate in the consensus process but one keeps track of all the transactions that the consensus pool has successfully processed. The purpose of Observer nodes is to provide a service to any party who is concerned with only reading "safe/live" transactions. This type of node reduces the load on the Validator node so the Validator node can only focus on providing consensus.

What are the different stages involved within the consensus mechanism?
Clients submit requests to at least one node, and the nodes verify the client signatures and propagate the client requests to the other nodes. When enough requests have been propagated, the primary (leader) starts the three-phase commit. The consensus mechanism currently uses a three phase commit which can tolerate Byzantine faults. The three phases that any transaction goes through for consensus are:
Phase 1. The first phase is PRE-PREPARE phase (read can Commit according to standard three phase commit terminology) in which the primary sends a PRE-PREPARE message to all non-primaries to tell them about a new transaction which is coming for consensus.
Phase 2. The non leaders respond with a PREPARE message to the primary demonstrating their willingness to accept this transaction in this phase.
Phase 3. In the third phase, all participants (primary and non-primaries) give their consent to this transaction in the form of a COMMIT message. If a Byzantine quorum (2f+1) of COMMITs is achieved, then the transaction is executed.
One distinction, between RBFT (the basis for Plenum) and PBFT is that there are f+1 parallel RBFT “instances” that execute the same three-phase-commit with a different primary. There is one Master and multiple Backups. If the Backups detect performance anomalies or favoritism or other abnormalities with the Master, then through consensus, a new Primary is elected for the Master instance.

If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism?
Precondition for PREPARE. Any non leader who gets a PRE-PREPARE from a leader will send a PREPARE if it has enough confirmations from other nodes that the request actually did come from a client in the system and not by some malicious leader who sent a fake PRE-PREPARE. The threshold is f+1, f being the maximum failures the system can tolerate.
Precondition for COMMIT. Any node (leader and non leader) will send a COMMIT if it sees quorum of PRE-PREPARE and PREPARE (2f+1, 1 PRE-PREPARE and 2f PREPAREs) from different nodes in the system.

If applicable, what is the voting process after the "propose" stage?
If propose phase refers to the can Commit phase (PRE-PREPARE in RBFT) then there are two more phases after the can Commit phase (PRE-PREPARE). Refer to the answer of the "current stages" question above.

When is a transaction considered "safe" or "live"?
As soon as the three-phase-commit is completed on a request, it is executed. Execution involves writing to a physical ledger on disk. As soon as this is done, it is considered safe or live. This is considerably faster than Bitcoin transactions.

Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
No. Although there are three phases, we don't have multiple rounds of consensus like Ripple.

How much time does a node need to reach a decision?
Less than one second with network latency.

How much time is actually needed to build the consensus until a new block is added?
We do not put transactions in blocks. We split transactions into multiple files, but that is not material to the protocol. We have implemented a perpetual Merkle tree, much like the one employed in Google Certificate Transparency. This tree grows predictably, which allows for fast audit (inclusion) proofs and consistency proofs and verification of those proofs. We do employ batching in several places for performance; for instance, the three-phase-commit can process multiple ordered and validated transactions in a single batch.

Does system contain synchronous node decision making functionality?
Yes. Also say 2 transactions T1 and T2 were submitted to the same sub pool at times t1 and t2 where t1 < t2. The system guarantees that T1 will complete before T2 completes.

What is the number of current and planned validators?
Current is 10 with a set of pilot validators mentioned above. The expectation is we'll have from 60 to 120 world-wide. Testing and usage will reveal the right number.
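
The thresholds in the responses above (f+1 relayed copies before a PREPARE, one PRE-PREPARE plus 2f PREPAREs before a COMMIT, 2f+1 COMMITs before execution) can be exercised in a small simulation. This is an added example, not Plenum's code: it models a single protocol instance rather than RBFT's f+1 parallel instances, omits signatures and view change, and the class, function and message-tuple names are assumptions made for illustration.

```python
from collections import defaultdict


def max_faulty(n):
    """Largest f with n >= 3f + 1, i.e. floor((n - 1) / 3)."""
    return (n - 1) // 3


class Replica:
    def __init__(self, name, n, primary):
        self.name, self.primary, self.f = name, primary, max_faulty(n)
        self.propagated = defaultdict(set)  # digest -> nodes that relayed the client request
        self.ordered = {}                   # digest -> seq (used by the primary only)
        self.pre_prepared = {}              # seq -> digest announced by the primary
        self.prepares = defaultdict(set)    # (seq, digest) -> PREPARE senders
        self.commits = defaultdict(set)     # (seq, digest) -> COMMIT senders
        self.done = set()                   # (step, seq) already performed
        self.executed = []                  # digests written to the ledger, in order

    def handle(self, msg):
        """Record one message and return the messages this replica broadcasts."""
        kind, sender, seq, digest = msg
        out = []
        if kind == "PROPAGATE":
            self.propagated[digest].add(sender)
            # The primary starts ordering once f+1 nodes have relayed the request.
            if (self.name == self.primary and digest not in self.ordered
                    and len(self.propagated[digest]) >= self.f + 1):
                self.ordered[digest] = len(self.ordered) + 1
                out.append(("PRE-PREPARE", self.name, self.ordered[digest], digest))
        elif kind == "PRE-PREPARE" and sender == self.primary:
            self.pre_prepared.setdefault(seq, digest)
        elif kind == "PREPARE":
            self.prepares[(seq, digest)].add(sender)
        elif kind == "COMMIT":
            self.commits[(seq, digest)].add(sender)
        return out + self._advance()

    def _once(self, step, seq):
        """True the first time a step is taken for seq, False afterwards."""
        if (step, seq) in self.done:
            return False
        self.done.add((step, seq))
        return True

    def _advance(self):
        out = []
        for seq, digest in self.pre_prepared.items():
            key = (seq, digest)
            # PREPARE: a non-primary needs f+1 relays proving a client sent the request.
            if (self.name != self.primary
                    and len(self.propagated[digest]) >= self.f + 1
                    and self._once("PREPARE", seq)):
                out.append(("PREPARE", self.name, seq, digest))
            # COMMIT: the PRE-PREPARE plus 2f PREPAREs from different nodes.
            if len(self.prepares[key]) >= 2 * self.f and self._once("COMMIT", seq):
                out.append(("COMMIT", self.name, seq, digest))
            # Execute: a Byzantine quorum of 2f+1 COMMITs.
            if len(self.commits[key]) >= 2 * self.f + 1 and self._once("EXECUTE", seq):
                self.executed.append(digest)
        return out


def make_pool(names):
    """The first name is the primary (an assumption of this sketch)."""
    return [Replica(name, len(names), names[0]) for name in names]


def run(replicas, initial, silent=()):
    """Deliver every broadcast to every live replica until the network is quiet."""
    queue = list(initial)
    while queue:
        msg = queue.pop(0)
        for replica in replicas:
            if replica.name not in silent:
                queue.extend(replica.handle(msg))
    return {replica.name: replica.executed for replica in replicas}


def client_request(replicas, digest, silent=()):
    """Each live node has checked the client signature and relays the request."""
    relays = [("PROPAGATE", r.name, None, digest) for r in replicas if r.name not in silent]
    return run(replicas, relays, silent)


def forged_pre_prepare(replicas, digest):
    """A faulty primary announces a request that only it claims to have seen."""
    primary = replicas[0].name
    return run(replicas, [("PROPAGATE", primary, None, digest),
                          ("PRE-PREPARE", primary, 1, digest)])
```

With four nodes (f = 1) a request is executed when one node is silent, stalls when two are silent, and a PRE-PREPARE backed by a single relay collects no PREPAREs.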

What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
More than one-third of the nodes need to be compromised before the system is considered unreliable (non functional).

Is there a forking vulnerability?
No.

How are the incentives defined within a permissioned system for the participating nodes?
This is not in place today; we are in discussions about how the incentive system will work. We do not have a crypto-currency, but usage of credit or coupons and some level of accounting are part of the discussions.

What process does the system follow when it receives data?
The process is: 1) validation of the request, 2) verification of the signature, 3) authorization of the request, 4) propagation of the request to other nodes. Then it starts the three-phase-commit. See the answer to the 'current stages of mechanism' question for more details.

How is data currently stored?
There are five data structures:
1. A ledger for Pool Management transactions.
2. A ledger for Domain transactions (in the case of Sovrin, these would be identity transactions). The domain transaction ledger can be broken down further. It will have one ledger for double-spend-proof transactions (like identifier creation), and then each subpool would have its own ledger that would be propagated to other sub-pools after execution.
3. Indexes of ledger transactions. These leverage the same database as the attribute graph (below), but can be broken out.
4. Attribute graph stored in a mutable database. Today, this is OrientDB, but it is not implementation-dependent.
5. Any external feeds and data stores to which links are made.

How does a party take ownership of an asset?
No private keys are ever created by a third party and shared with another. However, there is the concept of an identity “sponsor”, where a sponsor bootstraps an individual. The individual may provide a public key at the time of bootstrapping, or it may happen at a later time. If it happens at a later time, there is an equality transaction that assigns an individual's public key to an existing identifier.

Governance, Risks and Control

How is governance / controls enforced?
We are currently fleshing out governance in the form of a Sovrin trust framework being developed with the help of seasoned industry specialists. The Sovrin ledger divides responsibilities among two kinds of nodes, Validators and Observers. Validators are the nodes that take part in the consensus process. Observer nodes only provide the results of already executed transactions (i.e., they are a "read-only" layer that supports caching/scaling). Validators and Observer nodes are operated by Stewards. Sovrin governance will specify criteria for adding and removing Stewards, and for Stewards to add or remove Validator and Observer nodes. It will define the requirements for diffusion of Stewards so it is extremely difficult for one or a small set of colluding organizations to take control of the whole system. The governance model will also define the fees to be levied on different transactions to provide the right balance of incentives. Lastly, the governance model will also define the criteria for releasing new code for the nodes.

Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
The Sovrin trust framework will define the parameters for legal liability in case of malicious actions. It will also define how blacklisting will work upon detection of malicious behaviors by nodes and clients.

Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
When attempts to introduce errors in consensus process are detected, the suspected parties can be blacklisted for short or long term depending on the severity of the suspicion.

How does the consensus mechanism allow access?
Access at the Steward level will be governed by the Sovrin trust framework and the special governance consensus pool. Access at the client level is available to registered clients by virtue of their control of the private keys necessary to sign transaction requests to the consensus pool.

How does the consensus mechanism restrict access, concerning malicious activities?
Nodes and clients can be blacklisted (different levels of blacklisting can come into action depending on the type and persistence of maliciousness).

What is the permission management process? What is the process for adding or deleting nodes?
See the Sovrin governance process described in C30 above.

How does the protocol assess the trustworthiness of other participants?
Participants are deemed trustworthy unless some suspicion is reported against them. Participants can be suspected to be malicious based on various behaviors including slow response times, inappropriate messages attempting to disrupt the consensus process, flooding, etc. Every suspicious activity has a severity attached to it and that severity forms the basis of the action taken suspect.

Are there separate admin. / administrator privileges? Who manages them?
The provider of a node reserves the administrator rights of the node like starting, stopping, restarting, upgrading (hardware and software).

Are there restriction / privacy rights defined and enforced by node?
Only those transactions that need to be double spend proof need all nodes to be part of the consensus process. Other transactions involve specific subset of all the nodes for the consensus process.

Can a node or a user have only "Read" or only "Write” access? Is specific node access required if only performing one functionality? (e.g., back-office outsourcing)
Currently, all Validator nodes function in Read/Write mode. Observer nodes function as read-only nodes since their job is to alleviate the load on the Validator nodes. Observer nodes can be used by any clients of the system who want to query for the transactions already processed using consensus.

What are the measures in place to reduce risk?
We avoid correlation by allowing a different key for each transaction a client makes. Our strong encryption is much harder to break than many existing encryption schemes like RSA, DES, etc. We use digital signatures for node-to-node and node-to-client communication instead of MAC authenticators. Finally, the Stewards themselves form a trust network who share the incentives to reduce risk across the system.

In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
We will let financial institutions drive these requirements, including where the data is stored, how it is disclosed, and to whom. This can be an excellent application for the work we're doing with Zero Knowledge Proofs.

How is counterparty risk / settlement risk addressed?
Sovrin does not handle settlement. However, the parties involved in a transaction can use strongly proofed identity, and Sovrin/Plenum can provide triple-signed-receipts which provide all parties with proof of transaction, even if that transaction is not stored in a distributed ledger.

Performance

How long does it take for transactions to be validated and/or consensus to be achieved?
- The client request is usually validated in a few milliseconds.
- It takes around one second for the pool to reach consensus.
So transactions take in order of seconds as compared to minutes for Bitcoin-based or other proof of work related Blockchain.

How do you measure scalability?
Scalability for a Plenum system may be defined as the ability of the system to handle an increasing number of client requests in the same amount of time. Any reasonably large application built using Plenum must have multiple consensus pools. The reason is that, unlike traditional Web applications, adding more nodes to an RBFT consensus pool increases the fault tolerance but slows down the pool due to increased network traffic. So the way to scale up the system to handle more transactions per minute is to add more consensus pools. Each pool gets its own ledger. Ledger transactions are synchronized independently and asynchronously.

Is there a limitation on the number of fields within a transaction?
No. But there is a cost associated with additional attributes.

Is the speed of the system impacted if the system is made more scalable?
Scalability of the system is primarily achieved by adding more consensus pools to the system as mentioned above. The effect of adding more consensus pools on speed should be negligibly small.

Does synchronization have any impact on scalability?
No, as soon as a node has caught up on any transactions it has missed, it starts working like any other node in the system.

Security

How is transaction activity monitored?
A monitoring system tracks the throughput of nodes and their latencies in processing transactions across all clients as well as per individual client.

Does the consensus mechanism utilize Digital Signatures?
Yes, all communication between nodes is digitally signed by the nodes.

How does the consensus mechanism address an assumed industry standard?
Plenum is based on RBFT which is a more robust version of PBFT. PBFT and RBFT share the same three-phase commit protocol along with the view change mechanism. However PBFT is not as robust as RBFT. First, as described in the Aardvark paper (Clement et al., Making Byzantine fault tolerant systems tolerate Byzantine faults, NSDI '09), a malicious client can trigger view changes at will that will stop the progression of the protocol. Second, from an implementation point of view it does not separate the logic of accepting client requests and ordering them, which leads to possible DoS attacks from the client. Third, a malicious primary can order requests at an arbitrary speed without being detected. These problems are fixed in Aardvark. RBFT improves Aardvark by executing several protocols in parallel to detect any performance problem in real-time, without assuming anything about the previous or future performance/condition of the system. Finally, Plenum further improves upon RBFT. For instance, it uses Ed25519 instead of MAC authentication. Also, Plenum is more scalable than plain RBFT. See the questions on Scalability for more details.

Which risk/security issues are currently being worked on?
One of the biggest risks with a public ledger focused on identity is correlation. We're working on anonymous authentication and credentials to reduce correlation risk for the system as a whole.

What are the infrastructure hosting options? (e.g., cloud, hosted in a datacenter, etc.)
We would advise not to run Plenum or Sovrin nodes on any machine which is also serving some other application. Hosting a node on any cloud environment is fine.

Briefly describe the security testing performed till date (if any)
Plenum's source code (https://GitHub.com/evernym/plenum) includes a plethora of tests that describe various faults (malicious and nonmalicious) and Plenum's resistance to them. We are also working with the authors of RBFT and other cryptographers for ideas and extensions to the protocol to increase security, privacy, reliability, and robustness.

How are you planning to implement/integrate Digital wallets? (Including private key management)
We are exploring integration opportunities with existing digital wallets.

In case of a breach, what data is at risk?
A breach is possible but wouldn't compromise the system as the data that is meant to visible to only a selected number of parties is encrypted using symmetric key encryption and the keys are disclosed to only those parties for whom the transaction is meant. Also the disclosure of keys is made using asymmetric encryption. So the system does not provide any incentive for a breach.

How does the system prevent signature fraud (e.g., stolen keys)?
If a key theft is reported then those keys would be blacklisted in the system so no further transactions made using those keys will be successful.

Does the consensus mechanism have full documentation in place?
Not complete but quite extensive. Plenum has a wiki and also documentation for the source code.

How is the system expected to address general server issues?
The Sovrin trust framework will define SLAs including minimum hardware and software requirements that Validator and Observer nodes must satisfy to be a part of the network. The protocol tolerates low-performance Validators, but if there are too many, it can have a negative impact on system performance as a whole. Node performance is recorded on the ledger and can become a criteria for the node to remove from the network.

How does the consensus mechanism address the risk of "double spending"?
The system is double spend proof as more than two thirds of the nodes need to agree on a particular transaction for it to be written to the distributed ledger.

How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Each node maintains a Merkle tree which records all transactions that have occurred up to the present. When a node has been unable to receive transactions (because it crashed or is new in the network), it communicates its status to other nodes and receives the updates and Merkle proofs of those updates from every node. When it has received sufficient Merkle proofs that are consistent, it applies those updates. While the node is in this process of getting updates, it does not participate (give its votes) in the consensus process. However, it will still receive and record every transaction on which consensus has been established. When it is fully caught up it will become a fully participating node.

Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
The nodes do not depend on clock synchronization to function as of now (although some domain implementations might require the same view of time for each node) since transactions use a mechanism similar to Lamport timestamps.

Under which conditions does a lock/un-lock happen? (i.e., what is the proof safety?)
Nodes and clients can be blacklisted upon suspicious activity. They can be again whitelisted in certain cases where the severity of their suspicious action is not high or their past record has been good.

What is the process for disaster recovery?
Because nodes are geographically distributed, it is difficult for natural disasters, large power/Internet outages (like the ones over entire continents), or other acts of God to bring the system down since the system can function even if one third of the nodes are down. After coming back up, the nodes go through a recovery process in which they are able to get data for the transactions they have already missed (see C65). Also in case of permanent loss of a node, a new node can be added in the system according to the governance model. This new node then starts synchronization with other nodes.
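
The Merkle audit (inclusion) proofs mentioned earlier, and their use when a node catches up on missed transactions, can be illustrated with the Certificate Transparency tree construction (RFC 6962 hashing, RFC 9162 verification). This is an added example, not Plenum's code: the function names and sample transactions are constructed, and the rule that a root must be reported by at least f+1 nodes before it is trusted is an assumption standing in for the "sufficient Merkle proofs that are consistent" of the response above.

```python
import hashlib
from collections import Counter

# Constructed sample ledger of seven transactions.
SAMPLE_TXNS = [f"txn-{i}".encode() for i in range(7)]


def leaf_hash(txn):
    # A 0x00 prefix for leaves and 0x01 for interior nodes keeps a leaf
    # from being passed off as an interior node (second-preimage defence).
    return hashlib.sha256(b"\x00" + txn).digest()


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n):
    """Largest power of two strictly smaller than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(txns):
    if not txns:
        return hashlib.sha256(b"").digest()
    if len(txns) == 1:
        return leaf_hash(txns[0])
    k = _split(len(txns))
    return node_hash(merkle_root(txns[:k]), merkle_root(txns[k:]))


def audit_path(index, txns):
    """Sibling hashes from leaf `index` up to the root, lowest level first."""
    if len(txns) == 1:
        return []
    k = _split(len(txns))
    if index < k:
        return audit_path(index, txns[:k]) + [merkle_root(txns[k:])]
    return audit_path(index - k, txns[k:]) + [merkle_root(txns[:k])]


def verify_inclusion(txn, index, size, proof, root):
    """Recompute the root from one transaction and its audit path."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(txn)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            # Skip levels where this node has no right-hand sibling.
            while not fn & 1 and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def accept_catchup(txn, index, size, proof, reported_roots, f):
    """Apply a missed transaction only if it is proven against a root that
    at least f+1 nodes report, so at least one honest node vouches for it."""
    root, votes = Counter(reported_roots).most_common(1)[0]
    if votes < f + 1:
        return False
    return verify_inclusion(txn, index, size, proof, root)
```

A transaction served by a single faulty node with a proof against that node's own forged root is rejected, because the forged root never reaches f+1 reports.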

Privacy

How does the system ensure privacy?
Every transaction contains encrypted data and it can only be decrypted by the intended party (the one(s) who have the keys).

Does the system require verifiable authenticity of the messages delivered between the nodes?
Yes, all messages between nodes and between nodes and clients are digitally signed using elliptic curve cryptography (Ed25519).

Do all nodes have visibility into all other transactions?
Yes.

How is privacy defined and ensured between applications?
Since transaction data is encrypted, one application can see the data of another application but cannot make sense of it.

How does the data encryption model work?
Symmetric keys used to encrypt data of transaction is stored in the client's wallet and is shared using elliptic curve Diffie-Hellman key exchange, Curve25519. Symmetric keys use XSalsa20 stream cipher (https://en.wikipedia.org/wiki/Salsa20).

If consensus happens in a permissioned network, are random public keys issued for every single transaction to increase the privacy? Or do randomized CUSIP translation factors take place?
The client making the transaction can use a different public key for each transaction but the network needs to know beforehand which public keys the client can use.

Are participants' identities hidden from one another? (e.g., Blackpool)
No. Pool membership is highly visible, because they need to be accountable. The membership is managed through governance as defined by the Sovrin trust framework.

Cryptography / Strength of Algorithm

How are the keys generated?
The Steward while setting up the node generates keys for that particular node using a script provided by Plenum. These secret keys are stored on the node and they never leave the node. The public keys of the node are told to the other nodes through a new transaction.

What does the key life cycle management look like?
There are transaction types for key creation, rotation, revocation, and delegation. Creating a new key is a transaction in the system. If that transaction is successful (consensus is reached), then the nodes begin recognizing that key as a valid key and new transactions can be made in the system using that key. The system also supports transferring control of key(s) from one user to another via a key delegation transaction. In case of loss of keys or accidental disclosure of keys (out of band disclosure), a user can make a transaction to revoke the keys. This will invalidate any future transaction with that key.

What is the library approach?
The library uses elliptic curve cryptography. Curve25519 Diffie–Hellman key-exchange function is used for public key encryption. Curve25519 can compute a 32 byte public key using a 32 byte private key. Given one user's 32-byte private key and another user's 32-byte public key, Curve25519 computes a 32-byte secret shared by the two users. This secret can then be used to authenticate and encrypt messages between the two users. Digital signatures use Ed25519 which is a very fast key generation and signing public key signature system. With Ed25519 signing and verification are both 32 bytes and the signature is just 64 bytes.
What is the HSM integration approach?
We've had some discussion about using HSMs, but Plenum does not support them yet.
Does the consensus mechanism require a leader?
Yes, the algorithm does create a leader (called a Primary in RBFT). However, in RBFT a leader can change if it is found to be performing badly without halting the system.
How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
The number of faulty nodes the protocol can tolerate depends on the number of nodes. Plenum is engineered so that once a satisfactory f value is achieved, the nodes can serve as standbys, much like that of a RAID array. Reducing the number of required participants in the consensus is definitely possible, and would be a trivial code change; however, we would strongly caution against that since it would affect the robustness of the system.
How is node behavior measured for errors?
All errors, warnings and exceptions are logged to files. Nodes monitor other nodes for their performance as well as other actions. If a node discovers a suspicious behavior from another node, it can blacklist the other node temporarily or permanently depending on the severity of the suspicious action. The discovering node can also communicate to other nodes about the suspicious activity by an offending node. Any node that receives a quorum of suspicious activity messages for a particular offending node will blacklist that node. In this case, even if a malicious node is being selectively malicious, it can still be blacklisted by the whole network.
Tokenization (if used)
How are the assets tokenized (if applicable)? Briefly describe the tokenization concept and terminology
Plenum does not use tokens; it uses signed transactions. See C43.
Which security mechanisms are assigned to the tokens?
Plenum does not use tokens; it uses signed transactions. See C43.
Briefly describe the life cycle management process for the tokens
Plenum does not use tokens; it uses signed transactions. See C43.
Does the consensus mechanism utilize transaction signing?
A client before making a transaction, digitally signs it. Also a Validator node after executing a transaction will sign the transaction. For details of digital signing refer to C25.
Implementation Approach
What are the current uses cases being explored, tested or implemented?
- In Bitcoin, the “longest chain” – the chain with the most proof-of-work – is considered to be the valid ledger
- Crypto-economics – Distributed economic consensus methods
- Central and commercial banks – Ripple, Bitcoin
- Custodian banks – Hyperledger, Ripple Gateways
- Clearing houses – Eris, Ethereum
In banks it can be used for:
- Cross-border Settlement / B2B international transfers
- Improving the SWIFT and correspondent banking network
- Central clearing (e.g., derivative clearing)
- Mortgages
- Designated settlement systems
- Financial and fiduciary computations
What is the implementation cost?
Assuming each system has dual core CPU, 4GB RAM and 30 GB disk, cost on AWS can be $4000-$5000 for one year for a 16 node system.
What is the time required to implement?
Integration time would be 2 hours for each system.
Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
Distributed consensus ledgers (DCLs) can make a difference compared to existing technology. They enable distributed, balanced control to situations where it’s currently not possible or easy. This is particularly true where monitoring by a central authority is not feasible or where a centralized control point creates unnecessary inefficiencies, costs and barriers. Examples include international payments, correspondent banking payments, card transactions and international remittances. DCLs also go beyond the capabilities of existing technology by providing transparency where it has previously been impossible or difficult to achieve. Examples include anti-money laundering (AML), an area where DCL’s potential is attracting growing interest and investment. For example, the London-based startup Elliptic has harnessed the underlying technology supporting its visualization of the Bitcoin ecosystem to develop a suite of AML services.
Source: https://www.accenture.com/t20151002T010405__w__/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_22/Accenture-Banking-Distributed-consensus-ledgers-payment.pdf
The transactions in Plenum do not involve the expensive process of mining. Also, the time taken to reach consensus is in seconds as compared to nearly 10 minutes on bitcoin-based Blockchain that use proof-of-work. Plenum is cheaper by orders of magnitude as compared to bitcoin (i.e., if an application like bitcoin is built using Plenum).
9. Graphene
Source: Interview / Questionnaire
Contact name: Ryan R. Fox ([email protected])
Questionnaire responses
Consensus Methodology
What is the underlying methodology used by the consensus mechanism?
Delegated Proof of Stake (DPOS) https://bitshares.org/technology/delegated-proof-of-stake-consensus/
How many nodes are needed to validate a transaction? (percentage vs. number)
11 witness nodes is the recommended minimum by the authors. The number of nodes is configurable by a vote of the committee account. An odd number is required to ensure forks are resolved by a majority, not a 50/50 split.
Do all nodes need to be online for system to function?
A single node could sustain the Blockchain, but transaction throughput would be impacted as the non-producing witness time slots when unfulfilled. Communication between nodes is key. Offline due to network issues may lead to forking, requiring the majority of nodes to validate the longest approved chain.
Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Yes, the algorithm is deterministic in its block producer ordering per round. A block producer is a witness, as in it witnesses the transactions on the wire, validates them, and produces a block containing unpublished transaction within its timeslot window (three seconds). A witness set is the group of elected witnesses, as voted on by stakeholders that are able to produce blocks. A round is the production of one block by each witness in the witness set. At the end of a round, the algorithm determines the order of witnesses within the witness set. A witness cannot produce a block back to back, so the algorithm ensures this between rounds.
Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Witness nodes are operated by individuals. Anyone can run the witness software, but only those with the threshold number of votes approving them to be an active witness are allowed to sign blocks to be accepted by the network.
What are the different stages involved within the consensus mechanism?
Validation of transaction and blocks is done by witness nodes. There is not a proposal of blocks, rather validation by future block producers to extend that chain. There is the concept of a proposed transaction on the Blockchain, whereby a user may submit a transaction proposal to the network looking for a threshold of valid signatures to later reference the transaction and sign it. When the threshold is met, the transaction may be validated. This all happens on chain, rather than needing to send around a partial transaction offline and submit a fully signed transaction to the network. The transaction may have a time lock and expire prior to threshold signatures reached. Also, a signer may update the transaction to remove their signature at any time prior to the threshold being met.
When is a transaction considered "safe" or "live"?
A transaction is considered committed when at least half +1 of active witnesses have appended to the block in question. As all witnesses are validating all transactions, a witness may choose to fork out a given transaction, and subsequent witness nodes will determine which fork to follow by signing their preferred fork.
Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
The block interval is three seconds. A witness is collecting and validating all transactions it receives, then appends a block containing only the unique transactions within their block at the appointed time slot.
How much time does a node need to reach a decision?
Transactions are received, validated and broadcast to peers. I don't have calculation timing of the validate transaction operation, but it's fast given we tested 3,000+ transactions per second on a Testnet (https://bitsharestalk.org/index.php/topic,18684.msg241050.html#msg241050)
How much time is actually needed to build the consensus until a new block is added?
Each witness is validating each transaction, so they each have their view of state. Consensus is finalized when half + 1 of active witnesses build upon the target block.
Does system contain synchronous node decision making functionality?
I'm not sure how it could be distributed and synchronous at global scale with multiple nodes. Chain state needs to be synchronized through consensus. Each node independently validates the transactions and blocks presented. Block production will require a block producer to be in sync with their peers to have their block included.
What is the number of current and planned validators?
Default is 11 initial witnesses. Stakeholders elect a witness set (always an odd number) by voting for a slate of witnesses (any number they want to produce blocks for the network). The number of witnesses is based on the stake based weight of the number of witnesses on all slates. The witness set is the highest vote receivers within the maintenance cycle (default is one hour, configurable by committee vote). At the beginning of a maintenance cycle the votes are tallied and the witnesses are set until the next election.
What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
A single node could sustain the Blockchain, but transaction throughput would be impacted as the non-producing witness time slots when unfulfilled. If by compromised you mean hacked, well the witness nodes could continue to produce empty blocks as a DDOS.
Is there a forking vulnerability?
The Blockchain state is deterministic after half +1 of witnesses sign a given fork. Going below a three-second-block interval is not recommended on a global scale due to speed of light latency and transaction broadcasts and block replication.
How are the incentives defined within a permissioned system for the participating nodes?
Each witness node is rewarded with the CORE asset from the reserve pool. Each operation performed has a given fee associated. These operation fees are returned to the reserve pool to continue funding the Blockchain.
What process does the system follow when it receives data?
Receive a transaction, if new transaction, validate the transaction, if valid, broadcast to peers. Receive block, validate transaction within with mempool, if valid transaction, remove from mempool, if block contains completely valid transactions, build on, else create fork; wait for block production time slot, add transactions from mempool to new block and publish block to peers.
How is data currently stored?
LevelDB is the database. Only valid blocks are logged to the database to track Blockchain state. All accounts, balances and transactions are held in memory and used to evaluate transaction validity.
How does a party take ownership of an asset?
The CORE asset is used to pay operation fees. The user presents a transaction containing: signed transaction operation [transfer operation (fee, from, to, asset, amount, memo)].
Governance, Risks and Control
How is governance / controls enforced?
Ultimately the active witnesses are in control of the network, because they are producing the blocks. They must be coordinated to ensure they are running compatible code across the network, so as not to produce forks and reach consensus. The Committee can modify Blockchain parameters by voting on them. The witnesses automatically read these values from the Blockchain at each maintenance window. This allows dynamic Blockchain behavior without witness nodes changing anything in their codebase or running configuration.
Who is responsible and what are they responsible for in case of malicious actions within the network?
The stakeholders elect the witnesses to produce blocks at their appointed timeslots. Failure to do so will get them voted out. A bug in the code will require developer intervention to resolve, post and witness nodes to implement. A single node running patched software can further the chain.
Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
Incentive to maintain the Blockchain and one’s reputation have thus far prevented corruption of the block producers and the Blockchain. A single witness behaving badly will be spotted and voted out. Block producers following that misbehaving node will not build on their chain, thus nullifying their attempts. This is DPOS, not Proof of Work, so one must corrupt multiple individuals, not just acquire hash power to control the network.
How does the consensus mechanism allow access?
Anyone can run the witness node software, but only achieving a threshold of votes from the stakeholders can one produce a block.
How does the consensus mechanism restrict access, concerning malicious activities?
Block producers that issue blocks on multiple forks will be voted out. This resolves the nothing at stake problem found in many POS implementations. One cannot create a longer chain in secret and present it, as the witness timeslots are fixed and all nodes validate all transactions and blocks, then add their signature.
What is the permission management process? What is the process for adding or deleting nodes?
This is dynamic and handled on chain using a voting process. A stakeholder may vote for any number of witnesses.
Their vote is cast based on their total CORE asset holdings. The vote is for the entire slate of witnesses, not splitting the stake across them. So holding 1000 CORE and voting for 11 witnesses allocates 1000 votes to those 11 witnesses. Changing the vote to 22 different witnesses later then moves those 1000 CORE votes as defined. The user retains their CORE asset and does not lock them up in this vote process. If the number of CORE changes in the user's account, their votes are automatically adjusted to match their CORE holdings. Votes for the Committee are handled similarly.
How does the protocol assess the trustworthiness of other participants?
Trust for stakeholders is primarily with the witnesses, as they produce the blocks. Less so, with the Committee, as they set the Blockchain parameters.
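The slate voting, odd-sized witness set, half + 1 rule and per-round ordering described in the Graphene responses above can be modelled as follows. This is an added example, not Graphene's code: the function names, the hash-based ordering rule and the sample holders and witnesses are assumptions made for illustration, and the witness count is passed in rather than derived from the slates.

```python
import hashlib


def tally(slates, balances):
    """Approval voting: every witness on a holder's slate receives the
    holder's full current balance; the stake is not split across the slate."""
    totals = {}
    for holder, slate in slates.items():
        weight = balances.get(holder, 0)
        for witness in set(slate):
            totals[witness] = totals.get(witness, 0) + weight
    return totals


def active_witnesses(totals, count):
    """Pick the `count` highest vote receivers; the set size must be odd."""
    if count % 2 == 0:
        raise ValueError("witness set size must be odd")
    if len(totals) < count:
        raise ValueError("not enough candidates for the requested set size")
    # Ties are broken by name here (an assumption, to keep the result stable).
    ranked = sorted(totals, key=lambda w: (-totals[w], w))
    return ranked[:count]


def commit_threshold(count):
    """Half + 1 of the active witnesses."""
    return count // 2 + 1


def round_order(witnesses, round_no, previous_last=None):
    """Deterministic order for one round. The ordering rule (sort by a hash
    of round number and name) is hypothetical; the page only states that the
    order is deterministic and that no witness produces back to back."""
    order = sorted(
        witnesses,
        key=lambda w: hashlib.sha256(f"{round_no}:{w}".encode()).digest(),
    )
    if previous_last is not None and len(order) > 1 and order[0] == previous_last:
        order[0], order[1] = order[1], order[0]
    return order


# Constructed sample data: three stakeholders and their slates.
SAMPLE_BALANCES = {"alice": 1000, "bob": 400, "carol": 250}
SAMPLE_SLATES = {
    "alice": ["w1", "w2", "w3"],
    "bob": ["w3", "w4"],
    "carol": ["w4", "w5"],
}

if __name__ == "__main__":
    totals = tally(SAMPLE_SLATES, SAMPLE_BALANCES)
    chosen = active_witnesses(totals, 3)
    print(totals, chosen, commit_threshold(len(chosen)))
    print(round_order(chosen, round_no=1))
```

Because votes follow the current balance, re-running `tally` after a balance change is all that is needed to model the automatic adjustment the response describes.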
Are there separate admin. / administrator privileges? Who manages them?
Separation of duties is a design goal: Developers write code. Witnesses watch network, validate transactions and blocks, Committee adjusts Blockchain parameters. Stakeholders elect who they want to perform the tasks.
Are there restriction / privacy rights defined and enforced by node?
Anyone can run a witness node. Only the elected witnesses may produce a valid block at their appointed time slot.
In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
Not part of the code base.
How is counterparty risk / settlement risk addressed?
Witness nodes validating the Blockchain state.
Performance
How long does it take for transactions to be validated and/or consensus to be achieved?
The default Block interval is three seconds. This can be adjusted by the committee at any time, or defined in the genesis if starting anew. Three seconds is close to the global minimum given latency replication constraints.
Provide some general measures of volume that the consensus mechanism can or will handle (e.g., #number of trades)
See BitShares and Steem for this information, as Graphene is just a toolkit, not a Blockchain implementation.
How do you measure scalability?
See peak stats: http://bitsharestalk.org/index.php?topic=18684.0
Is the speed of the system impacted if the system is made more scalable?
"Graphene Design Goals:
- Limit Database Disk I/O (only log new blocks to DB)
- Keep State Objects in Memory (name, key, balances < 1KB)
- Minimize Hash Operations (Favor deterministic objects)
- Single Thread (queue based preprocessor)
- Separate Validation from State Changes
- Keep Transaction Interpretation Deterministic and Explicit (end state determined by TX inputs)
- Separated Permissions from Identity (Hierarchical Threshold Multi-Sig)"
Does synchronization have any impact on scalability?
Because Graphene is designed to hold the Blockchain state within memory, the validation of transaction is as fast as validating the signature of the transaction, evaluating the operations within and updating the balances referenced. Very few operations are signature validation, as the objects within Graphene are represented as an objectID (see above) not a hash. The objectIDs are linked to a key and this does get validated, but the objectID for an account is only 48-bits rather than 20 or 32-bytes in Bitcoin and Ethereum. Huge savings on the wire and in computational resources.
Security
What are the infrastructure hosting options? (e.g., cloud, hosted in a datacenter, etc.)
Cross platform for Linux, Mac and Windows.
How are you planning to implement/integrate Digital wallets? (Including private key management)
Account security is a key design goal within Graphene, and thereby the tokens each holds. Accounts should be setup using hierarchical threshold accounts. This novel technology allows an arbitrary depth of accounts with approval weighting required to spend given balances within the account (https://bitshares.org/technology/dynamic-account-permissions/). Continue reading under Steem, as this applies to Graphene, Steem and BitShares.
In case of a breach, what data is at risk?
If the Owner key is breached, all assets held by that account are at risk, as the attacker may produce transactions using the Owner key. If the Active key is breached, the attacker may produce transaction, but will lose that ability when the Owner key is used to assign a new Owner key to the Named Account. Similar for memo, reading this field within previous transactions.
Does the consensus mechanism have full documentation in place?
Yes. http://docs.bitshares.eu///index.html
How does the consensus mechanism address the risk of "double spending"?
Transaction and block validation by witnesses.
How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Nodes use NTP for time sync and produce blocks at their deterministic timeslot.
Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
NTP
Under which conditions does a lock/un-lock happen? (i.e., what is the proof safety?)
Only validated blocks are written to disk, all other chain state is held in memory for validation prior to the disk write.
What is the process for disaster recovery?
A failed node can download the entire chain from peers if their database is corrupt or bootstrap. Better is to validate existing database, then catch up the delta blocks by validating those sent by peers.
What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
Witnesses are elected by the stakeholders. Each is assumed to act to protect the network, else will be voted out of this role.
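The hierarchical threshold accounts mentioned in the Security responses above (weighted approvals, nested to some depth) can be evaluated with a short recursive check. This is an added example, not Graphene's code: the `Authority` structure, the `max_depth` recursion guard, and the account names and key labels in the sample data are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Authority:
    """Weighted approval rule for one account (simplified model)."""
    threshold: int
    key_weights: dict = field(default_factory=dict)      # key label -> weight
    account_weights: dict = field(default_factory=dict)  # account name -> weight


def is_satisfied(name, accounts, signed_keys, max_depth=4, _path=()):
    """Return True if the keys that signed meet `name`'s threshold.

    A nested account contributes its weight only if its own authority is
    satisfied by the same set of signing keys. Unknown accounts, cycles and
    nesting deeper than `max_depth` contribute nothing (fail closed).
    """
    if name not in accounts or name in _path or len(_path) >= max_depth:
        return False
    auth = accounts[name]
    if auth.threshold <= 0:
        # A zero threshold would let anyone spend; reject it outright.
        raise ValueError(f"account {name!r} has a non-positive threshold")
    total = sum(w for key, w in auth.key_weights.items() if key in signed_keys)
    for child, weight in auth.account_weights.items():
        if total >= auth.threshold:
            break
        if is_satisfied(child, accounts, signed_keys, max_depth, _path + (name,)):
            total += weight
    return total >= auth.threshold


# Constructed sample: a treasury that needs weight 2, reachable either through
# two officers (weight 1 each) or through a 2-of-3 board (weight 2).
SAMPLE_ACCOUNTS = {
    "treasury": Authority(2, account_weights={"cfo": 1, "ceo": 1, "board": 2}),
    "cfo": Authority(1, key_weights={"K_cfo": 1}),
    "ceo": Authority(1, key_weights={"K_ceo": 1}),
    "board": Authority(2, key_weights={"K_b1": 1, "K_b2": 1, "K_b3": 1}),
    # Two accounts that only approve each other: must never be satisfied.
    "loop_a": Authority(1, account_weights={"loop_b": 1}),
    "loop_b": Authority(1, account_weights={"loop_a": 1}),
}

if __name__ == "__main__":
    for keys in ({"K_cfo"}, {"K_cfo", "K_ceo"}, {"K_b1", "K_b2"}, {"K_b1", "K_cfo"}):
        print(sorted(keys), is_satisfied("treasury", SAMPLE_ACCOUNTS, keys))
```

The same check shows the breach impact at a glance: a single stolen officer key does not meet the treasury threshold, while two board keys do.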
Privacy
How does the system ensure privacy?
Largely, privacy is an illusion. All public Blockchains suffer from heuristic scanning to infer transaction outcomes. It is incumbent upon the end user to maintain the level of privacy they are capable of. Telling a user their transactions are securely private is a fallacy that Graphene would rather call out and demonstrate that accounts and balances are public. Using unlinked accounts in an attempt to produce private transaction is possible on any Blockchain, it just requires end user management. The memo field of a transfer operation can be encrypted and readable only by the parties to the transaction. See BitShares for an implementation of Stealth Transactions.
Does the system require verifiable authenticity of the messages delivered between the nodes?
Yes, witness nodes publish their publishing key to the Blockchain. The network uses this publishing key to verify it was signed by the proper witness at the given time slot. A witness may update their signing key at any time, the peers will see the update transaction and update their chain state to recognize the new signing key (held in memory).
Do all nodes have visibility into all other transactions?
Yes, all nodes can validate any transaction on the wire. Only block producers can submit them within a block.
How is privacy defined and ensured between applications?
OpenSSL for RPC and WebSockets between API server and wallet.
How does the data encryption model work?
Same as Bitcoin, secp256k1.
Are participants' identities hidden from one another? (e.g., Blackpool)
No, named accounts and values are contained within transactions, public knowledge.
Cryptography / Strength of Algorithm
How are the keys generated?
Same as Bitcoin, secp256k1.
What does the key life cycle management look like?
See BitShares column. Substitute CORE for BTS.
What is the library approach?
The code is C++ building atop Boost and FC (Larimer, et al.). The command line client wallet is a separate executable from the witness node Blockchain executable. The witness node allows an API endpoint to be exposed through web sockets to the client. A Node.JS light client is also available, whereby the keys remain within the browser and the chain state is from a trusted API server running the witness node executable.
Does the consensus mechanism require a leader?
Original author is Daniel Larimer of Cryptonomex, Inc. There are a handful of active developers.
How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
A key concept of Graphene is flexibility of Blockchain parameters. Fees, number of witnesses, block interval, block rewards, etc. are all configurable by the committee, which is a separate group of elected stakeholders from the witnesses, but they do not receive any rewards, but the ability to manipulate the global Blockchain parameters by vote and applied in a maintenance window.
How is node behavior measured for errors?
Witness nodes that sign on multiple forks will be voted out of the witness role.
Tokenization (if used)
How are the assets tokenized (if applicable)? Briefly describe the tokenization concept and terminology
Tokens are "Assets" within Graphene, a special objectID defined within the Blockchain. The default asset is "CORE" and is objectID 1.3.0 and each new asset introduced by the committee will increment the instance ID (third part of the dotted notation). See the reference for objectID in Graphene that describes this format.
Which security mechanisms are assigned to the tokens?
The CORE asset is defined in the genesis block. All other assets are defined by the issuer. The issuer may configure the asset's parameters as they wish: asset symbol, description, number of tokens, precision, fees, etc.
Briefly describe the life cycle management process for the tokens
For all assets OTHER THAN CORE, the issuer has great control over the asset throughout the life cycle. White lists / black lists may be defined, revocation of tokens, issuance of additional tokens, and much more.
Does the consensus mechanism utilize transaction signing?
Yes, transaction may be proposed and signed on chain.
Implementation Approach
What are the current uses cases being explored, tested or implemented?
BitShares, Steem, soon PeerPlays.
What is the implementation cost?
Free, License is MIT.
What is the time required to implement?
Depends on project goals.
Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
See BitShares vs. many other decentralized exchanges. See Steem vs. Reddit.
10. Juno
Source: KPMG Research
Contact name: See Contact Us below
Questionnaire responses
Consensus Methodology
What is the underlying methodology used by the consensus mechanism?
BFT "Hardened" Tangaroa variant.
How many nodes are needed to validate a transaction? (percentage vs. number)
A simple majority is all that is needed to make progress, but the number of nodes that can vote is something that can change while the system is running (i.e. adding/removing nodes).
Do all nodes need to be online for system to function?
No, but a majority need to be running to make progress. We've tested out clusters of 50 nodes previously.
Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Yes
Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Participants – you're not much of a distributed system if the provider needs to hold the nodes… why bother with Blockchain at all, just centralize the solution.
What are the different stages involved within the consensus mechanism?
In BFT Raft, each node is in one of the three states: leader, follower, or candidate. Similar to Raft, BFT Raft divides time into terms, which start with an election. The winner of the election serves as the leader for the rest of the term. Sometimes, an election will result in a split vote, and the term will end with no leader and a new election will be held.
If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism?
To become Leader, a node must gather a majority vote from the cluster. To become a Follower, a node must receive a set of votes (representing a majority) from a node that is declaring itself leader. As all messages are signed, the Leader converts nodes to follow it by retransmitting the votes it received. To become candidate, a follower must encounter an election timeout (not heard from a leader in X time) and not have received a request vote from another node (in this case the follower issues its vote to the candidate and stays follower).
If applicable, what is the voting process after the "propose" stage?
After a leader is elected, every node transmits its Append Entry Response to every other node and every node awaits such evidence to decide when to increase its commit index. The answer to this question is technically "N/A" but this second process is somewhat similar to what is being asked.
When is a transaction considered "safe" or "live"?
When it is committed to the log (fully replicated). Each node independently decides when to commit a log entry based on evidence it receives from other nodes.
Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
No
How much time does a node need to reach a decision?
~5ms for full consensus + network latency.
How much time is actually needed to build the consensus until a new block is added?
Every log entry is individually committed, incrementally hashed against the previous entry. ~5ms for a single log entry to go from leader receiving the entry to full consensus being reached + network latency.
Does system contain synchronous node decision making functionality?
No
What is the number of current and planned validators?
The leader decides the order of commands, every node validates.
What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
This isn't wrong "In standard Raft, you need to replicate a log entry to a majority of nodes in the cluster before committing it. For BFT consensus algorithms, including Tangaroa, the required quorum size is 2f + 1, where f is the number of failures you want to tolerate (including both crashed nodes and compromised nodes)." But the brief answer is Juno handles up to half the cluster being byzantine.
Is there a forking vulnerability?
Hardened Raft establishes linearity: no forking.
How are the incentives defined within a permissioned system for the participating nodes?
As Juno targets this, there are no incentives. This isn't wrong "Each replica in BFT Raft computes a cryptographic hash every time it appends a new entry to its log. The hash is computed over the previous hash and the newly appended log entry. A node can sign its last hash to prove that it has replicated the entirety of a log, and other servers can verify this quickly using the signature and the hash."
What process does the system follow when it receives data?
See Juno’s readme performance section for an example. Original: The data comes from clients of the Raft cluster, who send requests to the leader. The leader replicates these requests to the cluster, and responds to the client when a quorum is reached in the cluster on that request. What constitutes a "request" is system-dependent.
How is data currently stored?
In memory.
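The incremental log hash and the evidence-based commit decision described in the Juno responses above can be combined in one small model. This is an added example, not Juno's or Tangaroa's code: SHA-256, the all-zero starting hash, the class and function names and the sample node ids are assumptions, and each piece of evidence is assumed to have already passed signature verification (the page names Ed25519 for key pairs).

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # assumed starting value for the hash chain


def chain_hash(prev_hash: bytes, entry: bytes) -> bytes:
    """Hash over the previous hash and the newly appended log entry."""
    return hashlib.sha256(prev_hash + entry).digest()


class Log:
    def __init__(self):
        self.entries = []
        self.hashes = []  # hashes[i] covers entries[0..i]

    def append(self, entry: bytes) -> bytes:
        prev = self.hashes[-1] if self.hashes else GENESIS
        self.entries.append(entry)
        self.hashes.append(chain_hash(prev, entry))
        return self.hashes[-1]

    def first_bad_index(self):
        """Index of the first entry that no longer matches its stored hash,
        or None if the whole chain verifies."""
        prev = GENESIS
        for i, (entry, stored) in enumerate(zip(self.entries, self.hashes)):
            if not hmac.compare_digest(chain_hash(prev, entry), stored):
                return i
            prev = stored
        return None


def quorum_size(f: int) -> int:
    """Quorum quoted on the page for tolerating f failures."""
    return 2 * f + 1


def commit_index(log: Log, evidence, f: int) -> int:
    """Highest index that a quorum of distinct nodes has provably replicated.

    `evidence` holds (node_id, index, hash) tuples, including this node's own.
    A hash that matches ours at `index` vouches for every entry up to `index`,
    because each hash covers the one before it. Returns -1 if nothing commits.
    """
    best = {}  # node_id -> highest index with a matching hash
    for node_id, index, head in evidence:
        if 0 <= index < len(log.hashes) and hmac.compare_digest(log.hashes[index], head):
            best[node_id] = max(best.get(node_id, -1), index)
    acked = sorted(best.values(), reverse=True)
    q = quorum_size(f)
    return acked[q - 1] if len(acked) >= q else -1


def build_sample():
    """Constructed sample: a 3-entry log and responses from four nodes."""
    log = Log()
    for entry in (b"tx-a", b"tx-b", b"tx-c"):
        log.append(entry)
    evidence = [
        ("n1", 2, log.hashes[2]),   # this node
        ("n2", 2, log.hashes[2]),
        ("n3", 1, log.hashes[1]),   # lagging by one entry
        ("n4", 2, b"\xff" * 32),    # hash does not match: ignored
        ("n2", 2, log.hashes[2]),   # duplicate from n2: counted once
    ]
    return log, evidence


if __name__ == "__main__":
    log, evidence = build_sample()
    print("commit index:", commit_index(log, evidence, f=1))
    log.entries[1] = b"tx-x"  # simulate tampering with a stored entry
    print("first bad index:", log.first_bad_index())
```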
Governance, Risks and Control
How is governance / controls enforced?
Juno seeks to provide immutable evidence for dealing with malicious behavior in the courts after an event has occurred. For the domain that we're targeting, this will happen anyway. Orig: Like Raft, BFT Raft uses randomized timeouts to trigger leader elections. The leader of each term periodically sends heartbeat messages (empty AppendEntries RPCs) to maintain its authority. If a follower receives no communication from a leader over a randomly chosen period of time, the election timeout, then it becomes a candidate and initiates a new election. In addition to the spontaneous follower-triggered elections BFT Raft also allows client intervention: when a client observes no progress with a leader for a period of time called the progress timeout, it broadcasts UpdateLeader RPCs to all nodes, telling them to ignore future heartbeats from what the client believes to be the current leader in the current term. These followers will ignore heartbeat messages in the current term and time out as though the current leader had failed, starting a new election.
Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
There are many thousands of pages of regulations stipulating how this is to take place. Running a different system will never change this. We seek only to have known participants and immutable evidence.
Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
No
How does the consensus mechanism allow access?
K-way admin. key signing.
How does the consensus mechanism restrict access, concerning malicious activities?
All messages must be signed and the pubkey + node id known to all nodes before any message is accepted.
Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., Back Office outsourcing)
Yes, no, yes, no
Performance
How long does it take for transactions to be validated and/or consensus to be achieved?
See Juno's readme performance section for an example. We run at 5k/s now.
Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades)
See Juno's readme performance section for an example. We run at 5k/s now.
Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades)
Unlimited.
How do you measure scalability?
See Juno readme's performance section for an example. We run at 5k/s now.
Is there a limitation on the number of fields within a transaction?
No
Is the speed of the system impacted if the system is made more scalable?
No
Does synchronization have any impact on scalability?
Minor, mostly due to required bandwidth.
Privacy
How does the system ensure privacy?
Juno doesn't care about the body of the log entry. As such, every message can be encrypted if need be in whatever method the user prefers.
Does the system require verifiable authenticity of the messages delivered between the nodes?
Yes
Do all nodes have visibility into all other transactions?
Juno doesn't care about the body of the log entry. As such, every message can be encrypted if need be in whatever method the user prefers.
How is privacy defined and ensured between applications?
Juno doesn't care about the body of the log entry. As such, every message can be encrypted if need be in whatever method the user prefers.
How does the data encryption model work?
Every message can be encrypted if need be in whatever method the user prefers.
Cryptography/Strength of Algorithm
How are the keys generated?
Ed25519 is used to create key pairs prior to startup.
Does the consensus mechanism require a leader?
Consensus has a leader.
How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
Flexible. Adding new supported languages is trivial. Juno has previously run Hopper, Transmatic, Scheme. Switching between them takes ~30min.
Tokenization (if used)
Does the consensus mechanism utilize transaction signing?
Blockchain solves this problem by Public-Private key pairs for signatures on and verification of transactions. Tangaroa's protocol specifies using a similar system, but at the consensus level as well. This provides a means for one node to validate that a message came from another node (so long as keys haven't been compromised).
Implementation Approach
What are the current uses cases being explored, tested or implemented?
Private networks in enterprise environments, either intra or inter firm.
What is the implementation cost?
Depends on the domain.
What is the time required to implement?
Depends on the domain, but pretty fast at this point.
11. MultiChain
Source: Interview / Questionnaire
Contact name: Gideon Greenspan / Maya Zehavi ([email protected] / [email protected])
Questionnaire responses
Consensus Methodology
What is the underlying methodology used by the consensus mechanism?
Distributed consensus between a configurable group of validators, in which the validators confirm blocks in a round-robin pattern, with some (configurable) leniency in that pattern to allow for non-functioning nodes. See the "mining diversity" explanation in the MultiChain white paper.
How many nodes are needed to validate a transaction? (percentage vs. number)
There are two aspects to validation. First, that the transaction is a legitimate one in and of itself. This is validated by every single node independently, and there is no room for opinion. Second, that the transaction is not performing a double spend against another transaction. This is the role of the Blockchain, and is validated by whichever individual node generates the next block. Every block as a whole is still evaluated independently by every node, and again there is no room for opinion.
Do all nodes need to be online for system to function?
No, not at all. Any number of regular nodes can go down, and the system functions fine. There will only be a problem if too many mining nodes have gone down, in which case the distributed consensus scheme will freeze up. In this case new transactions can still be processed, but not achieve final confirmation in the Blockchain. (This is a key advantage of bitcoin-style Blockchain over Ethereum-style Blockchain - that unconfirmed transactions can be meaningfully processed and chained together.)
Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
The only way to join a MultiChain Blockchain is if one of the admin nodes granted that node permission. But these permissions are dynamic and nodes can be added or removed at any time.
Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Each participant owns its own node, completely.
What are the different stages involved within the consensus mechanism?
Nodes which are able to create the next block (because they have mining permission and because they have not mined a previous block too recently) generate and broadcast a block at a random time interval, whose average is configurable in the Blockchain parameters (default: 15 seconds). Other nodes then build on this block in exactly the same way as the bitcoin network. If two mining nodes happen to generate a block at the same time, then a fork occurs in the consensus and this resolves itself when the next block is generated.
When is a transaction considered "safe" or "live"?
Immediately after a transaction is received, it is considered live, and conflicting transactions are not accepted by a node. This means that unless a node is deliberately broadcasting double spend transactions, the network effectively reaches consensus in a second or less. In a trusted environment, double spends can lead to people being sued, so the Blockchain's purpose is to act as a final confirmation that there was no double spend (and to help any nodes who missed transactions due to downtime). For day-to-day practical purposes, transactions can be trusted before they are even confirmed in the Blockchain. Again, this is a key advantage of using a bitcoin-style transaction model, in which transactions are directly chained together from outputs to inputs.
Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
No
How much time does a node need to reach a decision?
This depends on the number of transactions in a block, but for most purposes a split second.
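The round-robin validator pattern and its mining-diversity leniency, described in the answers above, can be sketched as follows. This is an added example, not MultiChain's code: the spacing rule (permitted miners times mining diversity, rounded up, with a miner barred from signing if it signed any of the previous spacing minus one blocks) is an assumption based on the white paper the answer points to, and all function names and the deterministic miner choice are hypothetical.

```python
import math


def spacing(permitted_miners, mining_diversity):
    """Window in which one miner may sign at most one block.

    Assumed rule (not stated on this page): ceil(miners * diversity).
    """
    if not 0 <= mining_diversity <= 1:
        raise ValueError("mining diversity must be between 0 and 1")
    return math.ceil(permitted_miners * mining_diversity)


def check_block(chain, miner, permitted, mining_diversity):
    """Validate the signer of a proposed block against the chain so far.

    chain lists the signer of each existing block, oldest first. Every node
    runs the same check on its own, so no voting round is needed.
    """
    if miner not in permitted:
        return False, "signer has no mine permission"
    window = spacing(len(permitted), mining_diversity) - 1
    recent = chain[-window:] if window > 0 else []
    if miner in recent:
        return False, "signer mined too recently"
    return True, "ok"


def max_offline_miners(permitted_miners, mining_diversity):
    """Permitted miners that can be down before block production freezes."""
    return permitted_miners - max(1, spacing(permitted_miners, mining_diversity))


def simulate(permitted, online, mining_diversity, blocks):
    """Produce up to `blocks` blocks using only the miners that are online.

    On a real network the eligible miner whose random timer fires first
    signs; here the first eligible miner in sorted order signs, which is
    enough to show when the chain stalls.
    """
    chain = []
    for _ in range(blocks):
        eligible = [m for m in sorted(online)
                    if check_block(chain, m, permitted, mining_diversity)[0]]
        if not eligible:
            break  # consensus frozen: new transactions stay unconfirmed
        chain.append(eligible[0])
    return chain


if __name__ == "__main__":
    miners = {"A", "B", "C", "D", "E"}  # constructed sample validator set
    print("spacing:", spacing(len(miners), 0.75))
    print("tolerated offline miners:", max_offline_miners(len(miners), 0.75))
    print("one offline :", simulate(miners, miners - {"E"}, 0.75, 8))
    print("two offline :", simulate(miners, miners - {"D", "E"}, 0.75, 8))
```

With five permitted miners and a diversity of 0.75, one miner can be offline indefinitely, while two offline miners stall the chain after three blocks, which is the "freeze up" case the respondent describes.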
How much time is actually needed to build the consensus until a new block is added?
Because there is no back-and-forth voting, it's simply the network propagation time for a block. This depends more on the geographic separation of the nodes than anything else.
Does system contain synchronous node decision making functionality?
This is not a feature of MultiChain but can be easily added on top by an external process which queries each node for its last X block hashes, and therefore can ascertain that consensus has been reached.
What is the number of current and planned validators?
This is completely configurable in the product.
What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
Again, this is based on the configuration of the product, but the parameters can be set so that the system can tolerate 49 percent of compromised nodes, exactly like bitcoin.
Is there a forking vulnerability?
If the Blockchain is configured to allow some leniency for nonfunctioning mining nodes (via the mining diversity parameter) then a fork can occur but this will be resolved when the next block is generated. Note also my previous comments about the transaction model, in which only deliberate (i.e., contract violating) double spends can cause network disagreement. Because of this a temporary fork in the Blockchain itself does not affect the ability to continue transacting safely, unless somebody has done something illegal.
How are the incentives defined within a permissioned system for the participating nodes?
This is configurable in the Blockchain parameters, either purely external incentives, or else rewards can be configured for the validating nodes, and the system can even be made proof-of-work if the users wish.
What process does the system follow when it receives data?
Transactions are first added to the memory pool, then when a block comes in the disk-based storage is updated.
How is data currently stored?
Raw binary files for the blocks, LevelDB for many other aspects of the system's state.
How does a party take ownership of an asset?
By that asset being sent to their public address, either in the initial issuance transactions, or by being transferred from another party. Only addresses with receive permissions are able to take ownership.
Governance, Risks and Control
How is governance / controls enforced?
MultiChain has an integrated permissions model in which one or more administrators control permissioning (per address) for seven types of operation - connect, send, receive, issue, mine, activate and admin. The latter four of these permissions are subject to configurable admin consensus, i.e., a certain proportion of admins have to agree on a permissions change before it becomes active.
Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
MultiChain is a stand-alone platform, like Oracle or MySQL, so we do not see or have any influence over the transactions taking place in a particular Blockchain. Therefore, this is entirely up to the users of a particular Blockchain to decide for themselves.
Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
There is no intrinsic negative penalty for attempted corruption but there can be a positive reward for those who successfully validate blocks.
How does the consensus mechanism allow access?
Through the per-address permissioning system.
How does the consensus mechanism restrict access, concerning malicious activities?
Each node throttles or disconnects peer nodes which are behaving antisocially.
What is the permission management process? What is the process for adding or deleting nodes?
To add a new node: first, any existing node on the network shares its "node address" (e.g., chain1@banknet.org:5678) with the new node. This gives the new node an initial entry point for connecting to the Blockchain. The new node makes an initial connection to this node address, obtains a minimal number of Blockchain parameters, is then disconnected, and self generates and displays its first private key and public address. This public address is sent to an administrator who grants it (at least) the right to connect to the Blockchain, and the transaction granting this right propagates to all nodes rapidly. The new node then reconnects to its initial entry point, self-identifying using its public address and signing a challenge message (in the peer-to-peer protocol) to prove it owns the corresponding private key. So this time it is granted permission to remain connected and begins to act like any other node, and it can start discovering and connecting to other nodes.
To remove a new node: this connect permission is revoked by an administrator, and the transaction enacting this propagates to all nodes rapidly. Every node immediately disconnects any peers who were connected using a revoked address.
How does the protocol assess the trustworthiness of other participants?
Through permissioning, and by throttling or disconnecting antisocial peers.
Are there separate admin / administrator privileges? Who manages them?
Yes, this is one of the permissions in the system, and it is up to the participants in a Blockchain to decide who has these permissions and what level of consensus is required between the administrators for certain high-risk actions.
Are there restriction / privacy rights defined and enforced by node?
There are restrictions through the permissioning system, but these apply to write rather than read actions.
Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back-office outsourcing)
MultiChain's permissions management system consists of seven types of permissions - connect, send, receive, issue, mine, activate and admin. It is possible for a node to have read-only access, if it has connect permissions only. It is possible for a node to have read/write but no validation access, if it does not have mining permission. There is less value in a node having write but no read access, because it cannot build transactions if it does not know where it is receiving its assets from.
Please define which sorts of risk you are referring to? All permission changes are recorded in the Blockchain itself, so a full audit trail is available of who allowed whom to do what, and when. It is up to the developers building on MultiChain to decide who manages this process and whether to store the KYC/AML data inside the chain or outside it.
How is counterparty risk / settlement risk addressed?
There is full and easy-to-use support in the MultiChain transaction model and API for DvP exchange transactions, between any number of parties and involving any number of assets. This means a single Blockchain transaction can represent any exchange of value, and if for some reason any part of the exchange fails, then every other part of the exchange will fail as well.
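The per-address permission model from the governance answers above (seven operations, admin consensus on the last four, every change kept as an audit trail) can be modelled as below. This is an added example, not MultiChain's code or API: the class, its method names, the rounding of the consensus proportion and the access-level labels are assumptions made for illustration.

```python
import math

OPERATIONS = ("connect", "send", "receive", "issue", "mine", "activate", "admin")
# "The latter four of these permissions are subject to configurable admin consensus"
NEEDS_ADMIN_CONSENSUS = {"issue", "mine", "activate", "admin"}


class PermissionLedger:
    """Hypothetical in-memory model of on-chain permission changes."""

    def __init__(self, first_admin, admin_consensus=0.5):
        self.admin_consensus = admin_consensus  # proportion of admins required
        self.granted = {op: {first_admin} for op in OPERATIONS}
        self.votes = {}   # (action, op, address) -> admins in favour so far
        self.audit = []   # who asked for what, in order

    def votes_required(self):
        # Assumption: the proportion is rounded up, with at least one vote.
        return max(1, math.ceil(len(self.granted["admin"]) * self.admin_consensus))

    def request(self, admin, action, op, address):
        """Record a grant/revoke request; return True once it takes effect."""
        if action not in ("grant", "revoke") or op not in OPERATIONS:
            raise ValueError("unknown action or operation")
        if admin not in self.granted["admin"]:
            raise PermissionError(f"{admin} is not an administrator")
        self.audit.append((admin, action, op, address))
        if op in NEEDS_ADMIN_CONSENSUS:
            key = (action, op, address)
            in_favour = self.votes.setdefault(key, set())
            in_favour.add(admin)
            # Votes from addresses that lost admin rights no longer count.
            if len(in_favour & self.granted["admin"]) < self.votes_required():
                return False  # still pending
            del self.votes[key]
        if action == "grant":
            self.granted[op].add(address)
        else:
            self.granted[op].discard(address)
        return True

    def access_level(self, address):
        """Map an address's permissions to the access kinds the answer names."""
        held = {op for op in OPERATIONS if address in self.granted[op]}
        if "connect" not in held:
            return "none"          # peers using a revoked address are dropped
        if "mine" in held:
            return "validator"
        if "send" in held or "receive" in held:
            return "read/write"
        return "read-only"         # connect permission only


if __name__ == "__main__":
    ledger = PermissionLedger("admin1", admin_consensus=0.66)
    ledger.request("admin1", "grant", "admin", "admin2")
    ledger.request("admin1", "grant", "connect", "node1")
    print(ledger.access_level("node1"))                           # read-only
    print(ledger.request("admin1", "grant", "mine", "node1"))     # False, pending
    print(ledger.request("admin2", "grant", "mine", "node1"))     # True
    print(ledger.audit)
```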
Performance
How long does it take for transactions to be validated and/or consensus to be achieved?
This completely depends on the Blockchain parameters, the geographical spread of the nodes, and how many permitted miners there are. The initial propagation of transactions can be a split second.
Provide some general measures of volume that the consensus mechanism can or will handle (e.g., number of trades)
On regular (cloud) servers, around 200 TX/second. On top end, 500-1000 TX/second.
Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades)
Irrelevant, the quantities involved have no influence on the Blockchain's performance.
How do you measure scalability?
The number of nodes is not relevant because this is a peer-to-peer protocol and there is no need for every peer to be connected to every other. The scalability is limited rather by the volume of transactions per second that can be processed by each node.
Is there a limitation on the number of fields within a transaction?
Up to 8MB of metadata can be added to any transaction, either as a single blob of data, in JSON format, or whatever the application level requires.
Is the speed of the system impacted if the system is made more scalable?
The number of nodes does not have a bearing on the experience of each node in itself. And as we scale the total support transaction throughput higher, this will necessarily mean that each transaction is processed faster.
Does synchronization have any impact on scalability?
No, because each node does not need to wait to hear back from every other node in order to process a block.
Security
How is transaction activity monitored?
This is up to the application developer, but we offer the free open source MultiChain Explorer which can make this easy.
Does the consensus mechanism utilize Digital Signatures?
Yes, ECDSA.
How does the consensus mechanism address an assumed industry standard?
N/A (and I think it may be too early to talk of industry standards in this case!).
Which risk/security issues are currently being worked on?
We have one outstanding security issue we are aware of, which is that a malicious node can cause a slowdown by transmitting an old block that generates a long fork. The solution is easy, by verifying the miner permissions of a fork-generating block before it is processed, based on the end state of the immediately preceding block.
Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)?
We've had some requests for a security audit to be done in future, and expect this will happen, but it is too early for now.
What are the infrastructure hosting options? (e.g., cloud, hosted in a datacenter, etc.)
The node should be installed either on premise or on a remote server (dedicated or cloud) that is under the end user's control, through a trusted provider. It is compatible with any modern 64-bit Linux.
Briefly describe the security testing performed till date (if any)
MultiChain is a fork of Bitcoin Core, which continues to safely steward billions of dollars in cryptocurrency value, and we follow any vulnerabilities that are reported in Bitcoin Core. The vast majority of our modifications do not touch security sensitive areas (e.g., API interface, wallet management, peer-to-peer transactions). Those changes that do touch these areas have been repeatedly reviewed internally, and will be externally reviewed at the appropriate time.
How are you planning to implement/integrate Digital wallets? (Including private key management)
MultiChain has an integrated digital wallet, with encrypted on-disk key storage, and it is also highly compatible with the ecosystem of digital wallets developed for the bitcoin network.
In case of a breach, what data is at risk?
The biggest risk is the private keys, and if desired, MultiChain can be used without storing any private keys within the node itself, via the "raw transactions" interface.
How does the system prevent signature fraud (e.g., stolen keys)?
On-disk encryption of private keys, or else don't store private keys in the node at all.
Does the consensus mechanism have full documentation in place?
Extensive documentation is available at http://www.multichain.com/developers/ and this also references the bitcoin documentation where appropriate.
How is the system expected to address general server issues?
Nodes perform a full sanity check when launched, and if a data discrepancy is detected, roll back 128 blocks and attempt to recover the database by replaying from that point. (The current alpha of MultiChain does not implement this completely, but we're working on it at this exact moment.). There is also the option of "re-indexing", i.e. fully rebuilding the database state from scratch, using the Blockchain stored on disk.
How does the consensus mechanism address the risk of "double spending"?
MultiChain uses the unspent transaction output (UTXO) model, in which assets are passed directly from one transaction's outputs to the next one's inputs. Each output can only be spent once.
How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
This entirely depends on the number of transactions that have taken place since a node last connected. The initial synchronization is very fast (1000s of TX/sec) because signature checking is performed in parallel on multiple CPU cores.
Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
System time (for which NTP is a good sync mechanism) is sufficient and the consensus protocol allows for significant time skew.
What is the process for disaster recovery?
Blockchain by nature is highly disaster resistant since the transaction log is stored in full on multiple nodes. So multiple nodes can simply be run by each participant, on different servers in different locations. If necessary private keys can be shared between these nodes, or funds split across the addresses belonging to different nodes. Private keys can also be easily externally backed up.
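The two properties claimed in the answers above, that each output can be spent only once and that a multi-party DvP exchange either settles in full or not at all, both follow from validating every input of a transaction before any state changes. The following is an added sketch of that rule, not MultiChain's implementation: the `Ledger` class, its method names and the sample parties are hypothetical, and signatures are reduced to a set of signer names.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    owner: str
    asset: str
    qty: int


class DoubleSpend(Exception):
    """An input refers to an output that is unknown or already spent."""


class Ledger:
    def __init__(self):
        self.unspent = {}  # (txid, output index) -> Output
        self._next = 0

    def _commit(self, outputs):
        txid = f"tx{self._next}"
        self._next += 1
        refs = []
        for index, out in enumerate(outputs):
            self.unspent[(txid, index)] = out
            refs.append((txid, index))
        return refs

    def issue(self, owner, asset, qty):
        """Issuance transaction: creates an output with no inputs."""
        return self._commit([Output(owner, asset, qty)])[0]

    def apply(self, inputs, outputs, signers):
        """Spend `inputs` into `outputs`; all checks run before any change."""
        if len(set(inputs)) != len(inputs):
            raise DoubleSpend("same output referenced twice in one transaction")
        spent = []
        for ref in inputs:
            if ref not in self.unspent:
                raise DoubleSpend(f"{ref} is unknown or already spent")
            out = self.unspent[ref]
            if out.owner not in signers:
                raise PermissionError(f"{out.owner} did not sign for {ref}")
            spent.append(out)
        if any(out.qty <= 0 for out in outputs):
            raise ValueError("output quantities must be positive")
        total_in, total_out = Counter(), Counter()
        for out in spent:
            total_in[out.asset] += out.qty
        for out in outputs:
            total_out[out.asset] += out.qty
        if total_in != total_out:
            raise ValueError("asset quantities are not conserved")
        # Commit point: nothing above has modified the ledger.
        for ref in inputs:
            del self.unspent[ref]
        return self._commit(outputs)

    def balance(self, owner, asset):
        return sum(out.qty for out in self.unspent.values()
                   if out.owner == owner and out.asset == asset)


if __name__ == "__main__":
    ledger = Ledger()
    bond = ledger.issue("alice", "BOND", 100)  # constructed sample assets
    cash = ledger.issue("bob", "USD", 5000)
    swap = [Output("bob", "BOND", 100), Output("alice", "USD", 5000)]
    ledger.apply([bond, cash], swap, {"alice", "bob"})  # one atomic DvP
    print(ledger.balance("bob", "BOND"), ledger.balance("alice", "USD"))
    try:
        ledger.apply([bond, cash], swap, {"alice", "bob"})  # replay attempt
    except DoubleSpend as err:
        print("rejected:", err)
```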
What is the threat model being tested? What has been defined as "normal"? How do you monitor fraud?
The biggest threat would be in a hybrid Blockchain where certain key actions (including mining and administration) were permissioned, but the chain is open to the wider world for connecting, sending and receiving. (A Blockchain can be configured in this way using its parameters.) We assume that these external actors could be highly malicious. However we do not monitor fraud directly because we do not see the activities that take place on a particular MultiChain Blockchain.
Privacy
How does the system ensure privacy?
The Blockchain itself can be permissioned in terms of the right to connect, however there is not currently a notion of finer-grained privacy between nodes.
Does the system require verifiable authenticity of the messages delivered between the nodes?
Yes, completely.
Do all nodes have visibility into all other transactions?
For now, yes.
How is privacy defined and ensured between applications?
MultiChain currently assumes that all full nodes can see all transactions.
How does the data encryption model work?
Any binary data can be stored in transaction metadata, so any encryption method can be used to store information in a Blockchain, which should not be visible to all of its participants.
If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place?
This is the choice of the system's users. Randomizing public addresses for every transaction is not compatible with address-based permissioning for send and receive actions. But a chain could be defined with closed connect permissions only, and anyone can send or receive, in which case each participant would be free to use as many self-generated addresses as they wished. It would still be private from the perspective of the outside world.
Cryptography/Strength of Algorithm
How are the keys generated?
"Chain will also collaborate with other open source Blockchain, cryptography and distributed systems projects to ensure interoperability and harmonization across industry efforts."
Asset Issuer creates unlimited number of cryptographically unique Asset IDs.
Rotating keys - every two to three weeks. May need 2 out of 3 keys for signing. Advised to keep each key in different data center. If one gets compromised then use other to generate backup keys and transfer over all assets to new key."
What does the key life cycle management look like?
"Blockchains depend on proper management and rotation of key material to secure digital assets. Chain Core integrates with industry-standard hardware security module (HSM) technology. All block and transaction signing takes place within hardened HSM firmware. Multi signature accounts using independent HSMs can further increase Blockchain security.
HSM firmware that secures all transactions and blocks.
Multi signature accounts to eliminate single points of failure."
What is the HSM integration approach?
All block and transaction signing takes place within hardened HSM firmware. Chain parts and plans to partner with industry leaders for HSM for production environments.
Tokenization (if used)
How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
The Chain OS is focused on networks that can digitize the world's existing assets (not a new currency like bitcoin), whether commonplace ones like gift cards or more obscure ones like syndicated loans and was developed by applying the technology to real objects in areas such as banking, payments, capital markets and insurance.
Briefly describe the life cycle management process for the tokens
NO Natural bitcoin. No ripple. Partners working with chain prefer that.
Implementation Approach
What are the current uses cases being explored, tested or implemented?
"Asset Issuance – Digitize existing assets for transacting on a Blockchain network.
Simple Payment – Transfer assets from one account to another.
Bilateral Trade – Swap one asset for another with no counterparty risk.
Order book – Name your sale price and let a buyer find you.
Collateralized Loan – Lend assets, guaranteed by locked collateral.
Auction – Set a minimum price and sell your assets to the highest bidder"
Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
Nasdaq, in partnership with Chain, was the first to launch a Blockchain product, Linq, a platform for trading shares in pre-IPO companies. In late December, the first private securities transaction was recorded on a Blockchain in Linq and today it remains the only live privately run Blockchain network.
Who are you currently working with? (e.g., Venture Capitalists, Banks, Credit Card companies, etc.)
Visa, Nasdaq, First Data, Citi, Capital One, MUFG, State Street, Fidelity, Orange, Fiserv.
12. OpenChain
Source: Interview / Questionnaire
Contact name: Flavien Charlon ([email protected])
Questionnaire responses
Consensus Methodology
What is the underlying methodology used by the consensus mechanism?
OpenChain is private chain software, and every organization would deploy their own chain and become administrator for that chain. OpenChain relies on the underlying database for consensus. Databases such as Cassandra offer a very efficient and scalable consensus model, and OpenChain leverages this. OpenChain offers a pluggable architecture that allows the organization deploying it to select which storage engine to use, and therefore which consensus to use. On top of that, OpenChain uses a publisher/subscriber model across trust boundaries. There is generally one validating cluster, and many subscribers that act as non–validating full nodes.
How many nodes are needed to validate a transaction? (percentage vs. number)
Because transaction validation is under the control of the organization deploying the OpenChain instance, generally one node is sufficient to validate the transaction (but that has to be a node controlled by the administrator).
Do all nodes need to be online for system to function?
No, only the validating cluster (controlled by the administrator of the instance) has to be online for the system to be writable. Only one node on the given chain has to be online for the system to be readable.
Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
The validating organization has to be known ahead of time.
If applicable, what is the voting process after the "propose" stage?
The voting mechanism is outsourced to the underlying database (SQL Lite, SQL Server currently supported, MongoDB, and Cassandra on the roadmap).
When is a transaction considered "safe" or "live"?
As soon as the validator receives the transaction, it will decide whether the transaction is live (few milliseconds).
How much time does a node need to reach a decision?
Generally around 10 milliseconds.
How much time is actually needed to build the consensus until a new block is added?
Since the validating cluster for a given chain is the one and only source of truth for that chain, it is instant.
Does system contain synchronous node decision making functionality?
Yes, transaction validation is synchronous.
What is the number of current and planned validators?
At least one per chain.
What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
In a Cassandra type deployment, the system will stop accepting writes if quorum (n/2 + 1) cannot be reached.
Is there a forking vulnerability?
The organization that deployed a given chain can fork it if needed, external participants can't.
How are the incentives defined within a permissioned system for the participating nodes?
The organization that deployed the chain is incentivized to keep the chain running and validating transactions because their own service generally relies on it.
What process does the system follow when it receives data?
New transactions are relayed to the validating node, then the validating node will validate it and broadcast to subscriber participants assuming it passed validation.
How is data currently stored?
Multiple storage engines are available (SQL Lite, SQL Server currently supported, MongoDB, and Cassandra on the roadmap). A chain can have nodes with mixed storage engines. Each node has its own copy of the chain.
How does a party take ownership of an asset?
Generally, the asset is sent to their address.
Governance, Risks and Control
How is governance / controls enforced?
Every chain is fully governed by the organization that deployed that given chain.
Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
The administrator of the chain can act as a third party trusted by all participants and can therefore mediate any dispute between different participants on the chain. If the administrator of the chain is the source of the malicious actions, legal action must be taken against them, and the chain itself can be used as evidence in court as it will contain the signatures from the administrator for these illegitimate actions.
Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
The consensus is fully under control of the administrator. Penalty against the administrator involves taking legal actions against them. The chain itself can be used to incriminate them, and prove a breach of contract for instance.
How does the consensus mechanism restrict access, concerning malicious activities?
OpenChain has an elaborate access control permissioning system. The administrator is the root user, and can delegate permissions down to other users.
What is the permission management process? What is the process for adding or deleting nodes?
Anybody can join the network as a non–validating full node as long as they have access to another node on the network.
How does the protocol assess the trustworthiness of other participants?
By default, no participant is trusted, except the administrator. The administrator can delegate permissions to normal users.
Are there separate admin / administrator privileges? Who manages them?
The administrator is defined during the deployment of an instance of OpenChain. That can be changed later on assuming physical access to the validating node.
Are there restriction / privacy rights defined and enforced by node?
This can be implemented on top of OpenChain.
Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back–office outsourcing)
The permission system on OpenChain is very flexible and granular and any combination is possible.
What are the measures in place to reduce risk?
The administrator of the chain has full control on the chain, and can manage risks as needed.
In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
The administrator would generally have an onboarding process for AML/KYC. The data can either be stored on-chain but more likely off-chain for privacy.
How is counterparty risk / settlement risk addressed?
The asset issuer is a counterparty in every transaction where that given asset is involved.
Performance How long does it take for transactions to be validated and/or consensus to be achieved? Transactions validation (and consensus) takes generally about 10 milliseconds. Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades) A standard laptop used as a validating node can achieve several thousands of transactions per second. A Cassandra-type cluster should in theory be able to achieve hundreds of thousands transactions per second. Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades) There is no limit to the monetary amount of transactions. How do you measure scalability? Transactions per second (several thousand).
Is there a limitation on the number of fields within a transaction? No limitation, the data model is extremely extensible and can be modeled for any use case. Is the speed of the system impacted if the system is made more scalable? No. Does synchronization have any impact on scalability? No as OpenChain uses a publisher/subscriber model, and subscribers don't have to be perfectly in sync for the system to function.
Security How is transaction activity monitored? Every node monitors all the transactions. Does the consensus mechanism utilize Digital Signatures? Yes. How does the consensus mechanism address an assumed industry standard? OpenChain is self-sufficient, and can and will continue functioning regardless of an industry standard. Which risk/security issues are currently being worked on? Better tooling support for mixed transparency chains (i.e., chains only available on protected VPNs) Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)? No How are you planning to implement/integrate Digital wallets? (Including private key management) We have a developer wallet, but wallet infrastructure should be implemented as part of client-side applications for OpenChain.
In case of a breach, what data is at risk?
The data that could be leaked is the data that is stored on the chain; however, all the participants already have full access to that data. If private information should be stored on the chain, it should be encrypted by participants. How does the system prevent signature fraud (e.g., stolen keys)? Keys can be reset by the administrator of the chain if needed. Does the consensus mechanism have full documentation in place? Yes (https://docs.openchain.org)
How does the consensus mechanism address the risk of "double spending"? The state of the chain prevents double spending. How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network? The system doesn't make assumptions on synchronicity. Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate? The clock of the validator is the authoritative time. What is the process for disaster recovery? Provided by the underlying storage engine. For instance, SQL Server has decades of production use and well defined processes for disaster recovery.
Privacy How does the system ensure privacy? Addresses can be pseudonymous. Does the system require verifiable authenticity of the messages delivered between the nodes? Yes all messages must be signed. Do all nodes have visibility into all other transactions? Yes How does the data encryption model work? End to end encryption can be used.
If consensus happens in a permissioned network, are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place? Public keys can either be regenerated on every transaction, or can be reused if needed. This depends on the business requirements of the organization deploying the chain. Are participants' identities hidden from one another? (e.g., Blackpool) Yes, they can be. Again this depends on how the administrator decides to configure their OpenChain instance.
Cryptography/Strength of Algorithm How are the keys generated? Currently, OpenChain only supports ECDSA. The range of valid private keys is governed by the secp256k1 ECDSA standard. We might support RSA cryptography in the future. What does the key life cycle management look like? Private keys are used to sign transactions and must be kept securely. Private keys should be rolled over regularly. What is the library approach? Any cryptographic library supporting ECDSA will work with OpenChain (that includes any library made for bitcoin-type cryptography as OpenChain uses the same elliptic curve and key size). What is the HSM integration approach? Any HSM supporting ECDSA will work with OpenChain (that includes any HSM that works with bitcoin/Ethereum, since OpenChain uses the same cryptography).
Tokenization (if used) How are the assets tokenized (if applicable)? Briefly describe the tokenization concept and terminology Asset types can be dynamically created, and are identified by a path. It is possible to create sub assets, for example T-Bonds could be a generic asset type, with subtypes for each maturity date. Which security mechanisms are assigned to the tokens? A participant must have issuance rights to issue a given asset type. Participants must also have a specific right to either receive it or send it. The ledger can be set up in many different ways, with different levels of users, depending on the business requirements.
Briefly describe the life cycle management process for the tokens Tokens are generally first issued by an issuer (which may or may not be the administrator of the chain), exchanged by different participants, and finally redeemed back at the issuer. Does the consensus mechanism utilize transaction signing? Transactions are all signed using ECDSA signatures.
Implementation Approach What is the implementation cost? Depends largely on the scale of the project. What is the time required to implement? Some companies have implemented OpenChain in as little as two days.
Who are you currently working with? (e.g., venture capitalists, banks, credit card companies, etc.) Banks, accounting companies, startups in energy, supply chain, wealth management, document archiving.
13. PoET by Intel Source: KPMG Research
Contact name: See Contact Us below
Questionnaire responses Consensus Methodology What is the underlying methodology used by the consensus mechanism? Sawtooth Lake is architected to be a modular solution. The consensus model is explicitly pluggable. It is distributed with a voting consensus as well as our Proof of Elapsed Time. Sawtooth Lake abstracts the core concepts of consensus, isolates consensus from transaction semantics, and provides two consensus protocols with different performance trade-offs. The first, called PoET for “Proof of Elapsed Time”, is a lottery protocol that builds on trusted execution environments (TEEs) provided by Intel’s SGX to address the needs of large populations of participants. The second, Quorum Voting, is an adaptation of the Ripple and Stellar consensus protocols and serves to address the needs of applications that require immediate transaction finality. Information on PoET is here: http://intelledger.GitHub.io/introduction.html#proof-of-elapsed-time-poet. How many nodes are needed to validate a transaction? (percentage vs. number) PoET consensus is a 51 percent model. The architecture is designed to support pluggable consensus so other models can be used in lieu of PoET (for example we include a voting consensus as well.) Do all nodes need to be online for system to function? No. It's Byzantine fault tolerant. Does the algorithm have the underlying assumption that the participants in the network are known ahead of time? No. That depends on which consensus you plug in, but that is not a requirement of PoET. Who has ownership of the nodes? (e.g., consensus provider or participants of network) Participants, though again you can choose to plug in a permissioned consensus module with that requirement.
What are the different stages involved within the consensus mechanism? It randomly distributes leadership election across the entire population of validators with distribution that is similar to what is provided by other lottery algorithms. The probability of election is proportional to the resources contributed (in this case, resources are general purpose processors with a trusted execution environment). An attestation of execution provides information for verifying that the certificate was created within the TEE (and that the validator waited the allotted time). Further, the low cost of participation increases the likelihood that the population of validators will be large, increasing robustness of the consensus algorithm. If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism? For the purpose of achieving distributed consensus efficiently, a good lottery function has several characteristics: Fairness: The function should distribute leader election across the broadest possible population of participants. Investment: The cost of controlling the leader election process should be proportional to the value gained from it. Verification: It should be relatively simple for all participants to verify that the leader was legitimately selected.
If applicable, what is the voting process after the "propose" stage? Basically, every validator requests a wait time from a trusted function. The validator with the shortest wait time for a particular transaction block is elected the leader. One function, say “CreateTimer” creates a timer for a transaction block that is guaranteed to have been created by the TEE. Another function, say “CheckTimer” verifies that the timer was created by the TEE and, if it has expired, creates an attestation that can be used to verify that validator did, in fact, wait the allotted time before claiming the leadership role. Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus? No How much time is actually needed to build the consensus until a new block is added? Configurable see PoET description.
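The CreateTimer / CheckTimer exchange described above, as an added Python sketch that is not Sawtooth Lake's or Intel's code. An HMAC key held by a hypothetical `TrustedFunction` object stands in for the SGX enclave's signing key, the clock is passed in by the caller so the run is repeatable, and every class, function and validator name is an assumption made for illustration.

```python
import hashlib
import hmac
import json
import random
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Timer:
    validator: str
    block_id: str
    created_at: float  # clock reading when the timer was issued
    wait: float        # seconds this validator must wait for this block
    mac: bytes = b""   # tag from the trusted function over the fields above


@dataclass(frozen=True)
class Attestation:
    timer: Timer
    mac: bytes         # tag stating that the wait really elapsed


class TrustedFunction:
    """Software stand-in for the TEE (assumption: a real enclave signs with a
    hardware-protected key that peers verify; one HMAC key plays both roles)."""

    def __init__(self, key: bytes, mean_wait: float, rng: random.Random):
        self._key, self._mean_wait, self._rng = key, mean_wait, rng

    def _tag(self, label: str, t: Timer) -> bytes:
        # JSON list encoding keeps field boundaries unambiguous.
        msg = json.dumps([label, t.validator, t.block_id, t.created_at, t.wait])
        return hmac.new(self._key, msg.encode(), hashlib.sha256).digest()

    def create_timer(self, validator: str, block_id: str, now: float) -> Timer:
        # The wait is drawn inside the trusted function, never by the validator.
        wait = self._rng.expovariate(1.0 / self._mean_wait)
        t = Timer(validator, block_id, now, wait)
        return replace(t, mac=self._tag("timer", t))

    def check_timer(self, t: Timer, now: float) -> Optional[Attestation]:
        if not hmac.compare_digest(t.mac, self._tag("timer", t)):
            return None  # not created by the trusted function, or altered
        if now < t.created_at + t.wait:
            return None  # still running: no attestation yet
        return Attestation(t, self._tag("elapsed", t))

    def verify(self, a: Attestation) -> bool:
        # What the other validators check before accepting a leadership claim.
        return (hmac.compare_digest(a.timer.mac, self._tag("timer", a.timer))
                and hmac.compare_digest(a.mac, self._tag("elapsed", a.timer)))


def elect_leader(tf: TrustedFunction, block_id: str,
                 claims: Iterable[Attestation]) -> Optional[str]:
    """Shortest verified wait for this block wins; unverifiable claims are dropped."""
    valid = [a for a in claims if a.timer.block_id == block_id and tf.verify(a)]
    if not valid:
        return None
    best = min(valid, key=lambda a: (a.timer.wait, a.timer.validator))
    return best.timer.validator


def demo() -> dict:
    # Constructed sample data: four validators competing for one block.
    tf = TrustedFunction(b"constructed-demo-key", 5.0, random.Random(7))
    timers = [tf.create_timer(v, "block-42", now=0.0)
              for v in ("val-a", "val-b", "val-c", "val-d")]
    early = tf.check_timer(timers[0], now=0.0)  # asked before expiry
    honest = [tf.check_timer(t, now=t.created_at + t.wait) for t in timers]
    # val-d edits its own timer to a zero wait but cannot recompute the tag.
    forged_timer = replace(timers[3], wait=0.0)
    forged_check = tf.check_timer(forged_timer, now=0.0)
    forged_claim = Attestation(forged_timer, honest[3].mac)
    return {
        "timers": timers,
        "early": early,
        "forged_check": forged_check,
        "forged_accepted": tf.verify(forged_claim),
        "leader": elect_leader(tf, "block-42", honest + [forged_claim]),
    }


if __name__ == "__main__":
    result = demo()
    print("leader:", result["leader"], "forged accepted:", result["forged_accepted"])
```

The forged zero-wait claim is discarded at verification, so the leader is still the validator holding the shortest wait that the trusted function actually issued.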
What is the number of current and planned validators? PoET is designed to support a large number of nodes, well beyond what PBFT mechanisms are designed to support. PBFT is designed to support a dozen to 10s of validators. PoET is designed to support 100x that. What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down? 0.51 Is there a forking vulnerability? Two different deployments. You can deploy as a public system or deploy as a restricted system with permissioned hosts.
Governance, Risks, and Controls How does the protocol assess the trustworthiness of other participants? Facilitated by the consensus protocol. Are there separate admin. / administrator privileges? Who manages them? Sawtooth has an optional administration key for certain messages. For example a test network can be shut down with an administration key. This is an optional feature. Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., Back Office outsourcing) Sawtooth supports different actor types such as validator, transactor and observer. In case of permissioned systems, who manages the KYC/AML process and where is the data stored? Questions on stuff like KYC/AML, fraud, privacy all relate to a specific deployment of the system. The system itself is designed to provide underlying functionality for a range of deployments (financial, IOT, etc.)
Performance How long does it take for transactions to be validated and/or consensus to be achieved? Interblock time is configurable from seconds to minutes or whatever is desirable for the usage area.
Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades) Volume depends on transaction complexity. How do you measure scalability? Number of validator nodes and transactions per second under some normalized transaction complexity are relevant metrics.
Security Does the consensus mechanism utilize Digital Signatures? ECDSA signatures are used extensively in the system. What are the infrastructure hosting options? (e.g., cloud, hosted in a datacenter, etc.) Designed for public and permissioned systems. How are you planning to implement/integrate Digital wallets? (Including private key management) Intel has hardware security mechanisms that can be leveraged for client security. In case of a breach, what data is at risk? Validity controlled by consensus. A compromised host can't inject bad data because other hosts will reject it. How does the system prevent signature fraud (e.g., stolen keys)? Some keys protected in hardware. Customer (end user in public, or enterprise user/system in private) application will likely have keys specific to adjacent applications that need to be properly controlled. Does the consensus mechanism have full documentation in place? Documentation at GitHub link above.
How does the consensus mechanism address the risk of "double spending"? Double spending controlled by consensus. The validators validate the transactions so they can't create invalid operations like spending the same value twice, and that's enforced by consensus that the validators all agree on some transaction ordering ...
How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network? For synchrony the network can be tuned to different Interblock times. In the tutorial, consensus set to a matter of seconds. Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate? Mechanism isn't time dependent.
Privacy Does the system require verifiable authenticity of the messages delivered between the nodes? Messages are all signed and must be verified before use. Do all nodes have visibility into all other transactions? Transaction transparency is default. Transaction privacy isn't disclosed yet. If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place? System has pluggable transaction model. The open source release includes an example "marketplace" transaction family. In that example, transaction family participants are provisioned with a 1:1 participant:key. That could be adapted to generate a different key or participant for every transaction. Probably in a private deployment, that would not be desirable.
Cryptography/Strength of Algorithm How are the keys generated? The PoET keys are generated in the SGX Enclave. Participant keys are generated using a keygen method in the python. The latter is a convenience method so can be replaced with other key provisioning systems in an enterprise. Does the consensus mechanism require a leader? Yes
Implementation Approach What is the implementation cost? Cost/time depends on complexity of deployment, e.g. for adding domain specific logic. However the existing open source system has been tested with complex deployments requiring only nominal customization time. What is the time required to implement? Cost/time depends on complexity of deployment, e.g. for adding domain specific logic. However the existing open source system has been tested with complex deployments requiring only nominal customization time.
14. RAFT Source: KPMG Research
Contact name: See Contact Us below
Questionnaire responses Consensus Methodology How many nodes are needed to validate a transaction? (percentage vs. number) Logs need to be propagated to an absolute majority of the network (including the leader itself), i.e., strictly more than a half, i.e., >50 percent. 50 percent itself is insufficient. Do all nodes need to be online for system to function? No, a majority of the nodes. Typically 5. Does the algorithm have the underlying assumption that the participants in the network are known ahead of time? There are extensions to the Raft algorithm that allow for adding or removing nodes from a cluster. This is described in the PhD thesis on Raft. Who has ownership of the nodes? (e.g., consensus provider or participants of network) Raft is a centralized transaction processor contrasting distributed. What are the different stages involved within the consensus mechanism? Each server stores a log containing commands. Consensus algorithm ensures that all logs contain same commands in the same order. State machines always execute commands in the same log order. They will remain consistent as long as command executions have deterministic results. Client sends a command to one of the servers. Server adds the command to its log. Server forwards new log entry to the other servers. Once a consensus has been reached, each server state machine processes the command and sends its replies to the client. If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism? Followers only respond to requests from other servers. If a follower receives no communication, it becomes a candidate and initiates an election. A candidate that receives votes from a majority of the full cluster becomes the new leader. Leaders typically operate until they fail. Heartbeats sent out to make sure leader is still there, if nothing received a new election takes place. If applicable, what is the voting process after the "propose" stage? Leader election: Raft uses randomized timers to elect leaders. This adds only a small amount of mechanism to the heartbeats already required for any consensus algorithm, while resolving conflicts simply and rapidly.
When is a transaction considered "safe" or "live"? When a majority has been achieved. How much time does a node need to reach a decision? You'll need to be clearer on what decision you mean. In normal operation, the node will apply items to its FSM and read from its FSM. You could (with appropriate timeouts) have each of those take one second. This would, however, involve setting an election timeout an order of magnitude higher. How much time is actually needed to build the consensus until a new block is added? Blocks are not a raft concept. It takes about 10–80 microseconds to form a consensus on optimized networks, but you can add multiple records processed concurrently. Does system contain synchronous node decision–making functionality? Yes What is the number of current and planned validators? 1-Strong leader does most of the work issues all log updates. What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down? If half or more of the nodes are down, the cluster will no longer be able to progress new log writes. Reads to the FSM may work if stale reads are permitted. If you really meant “compromised” in the sense of “hacked”, a single node being compromised could be sufficient to DoS the system without further protection. Is there a forking vulnerability? No
What process does the system follow when it receives data? Replicated state machine architecture. The data comes from clients of the Raft cluster, who send requests to the leader. The leader replicates these requests to the cluster, and responds to the client when a quorum is reached in the cluster on that request. What constitutes a "request" is system-dependent. How is data currently stored? How data is stored is system-dependent. It's important for state to persist to disk so that nodes can recover and remember information that they have committed to (which nodes they voted for, what log entries they have committed, etc.). The protocol can't work without this. How does a party take ownership of an asset? I think this depends on asset (digital or physical).
Governance, Risks and Control How is governance / controls enforced? "This is outside the scope of Raft. Like Raft, BFT Raft uses randomized timeouts to trigger leader elections. The leader of each term periodically sends heartbeat messages (empty AppendEntries RPCs) to maintain its authority. If a follower receives no communication from a leader over a randomly chosen period of time, the election timeout, then it becomes a candidate and initiates a new election." Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus? Raft doesn’t cater for Byzantine failure – it assumes perimeter based security.
How does the consensus mechanism allow access? Complete Raft supports on dynamic reconfiguration. In practice we support some downtime to reconfigure the number of nodes. How does the consensus mechanism restrict access, concerning malicious activities? Raft does not specify a transport layer, and authentication / authorization is a matter for the transport layer. Hashicorp/raft from memory uses TLS as can Etcd/Raft. However, this is outside the spec of raft. When raft gets the messages, it is assumed they have been authenticated / authorized.
What is the permission management process? What is the process for adding or deleting nodes? "Epochs of arbitrary length. Starts with a leader being elected ends when no leader can be selected (split vote) or leader becomes unavailable (offline). Raft's mechanism for changing the set of servers in the cluster uses a new joint consensus approach where the majorities of two different configurations overlap during transitions. This allows the cluster to continue operating normally during configuration changes." Are there separate admin. / administrator privileges? Who manages them? Built into Raft. Are there restriction (/) privacy rights defined and enforced by node? This is outside the scope of Raft – Raft is purely a consensus system. Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back–office outsourcing) Use RPC (Remote procedure Call) to communicate. Leader initiates AppendEntry to replicate log entries and leaders provide a heartbeat (lets other know they are still online and updating log) remain as long as they send valid RPC's, after a period of time if no "heartbeat", election process starts.
Performance How long does it take for transactions to be validated and/or consensus to be achieved? "Raft communication is unicast. Under normal operation the leader makes RPC calls to the followers, which means communication is O(n). As the cluster gets larger, there is more chance of an individual node failing in a given time interval; however, it takes more individual nodes to fail to break a quorum. When individual nodes fail and come back online (assuming no reelection) their logs need to be “caught up”. The failure of the network fabric is also going to have some relationship with the size of nodes. There are some studies on raft scaling in both papers – particularly in as it affects election timeouts. In general, the number of nodes is not going to be the key determinant of transactions per second. The practical limit in most scenarios is likely “a few hundred” though doubtless the algorithm could be tuned. Many use cases with more “nodes” have a small subset participating in raft (and sharing the FSM) and a larger subset that are nodes but not raft nodes (e.g., consul). The number of transactions per second is going to depend more on network latency and time to apply to the FSM than number of nodes. Remember that whilst each follower processes every log entry, they can do so in parallel. 1000s per second. In a three node cluster ~ 80 microseconds + 2 x record write time + latency long tail overhead." Is the speed of the system impacted if the system is made more scalable? Yes. More transactions = more processing / writes. Three, five or seven Nodes provides different reliability constraints and different read (/) write behavior. You use more nodes for greater availability so you get a slight write slow down as the quorum requirement goes from three-five-seven nodes. Does synchronization have any impact on scalability? Yes – you have to go through a strong leader and you get queuing behavior.
Security How is transaction activity monitored? We built a TPM (Transaction processing Monitor). Does the consensus mechanism utilize Digital Signatures? No Which risk/security issues are currently being worked on? Out of scope of raft, implementation dependent. In case of a breach, what data is at risk? Implementation dependent. How is the system expected to address general server issues? No How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network? It is the leader who synchronizes and sends out a replicated log.
Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate? Clock is managed by the central node. Raft’s notion of a term does away with having to keep centralized clocks.
Under which conditions does a lock/unlock happen? (i.e., what is the proof safety?) Raft uses a replicated finite state approach to transactions rather than locking. We model our transactions on this basis. What is the process for disaster recovery? Read the raft papers searching for “stable store” or similar. The whole point is that the raft log items, once accepted, are guaranteed to be on stable storage. So, in the event of a total outage, the cluster should just come back alive. Similarly you only need one copy of the FSM to restore the whole lot. The details of the process will depend both on the implementation and on operational procedures by the end user (e.g., how backups are taken). Note the fact that Raft is designed to operate between data centers makes this easier. One minor challenge is that the state of the peers is itself in the FSM, so if you lose a lot of peers, adding back peers to form a quorum needs thought. From memory this is covered in chapter 4.
Privacy Does the system require verifiable authenticity of the messages delivered between the nodes? Note that TCP itself will prevent most corruption and ensure retransmission, and most users use TCP (with or without encryption on top). Note that Raft does not have to run over TCP (I submitted a UDP version for instance, and running over say ZeroMQ would be quite feasible). How does the data encryption model work? While encryption is out of Raft’s scope – yes you can encrypt. Are participants' identities hidden from one another? (e.g., Blackpool) No
Cryptography/Strength of Algorithm Does the consensus mechanism require a leader? Yes How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?) "Not 100% on what you mean by ‘strictness’. Raft consensus is achieved by majority for a transactional write and is designed to provide hard guarantees.
Implementation dependent. Many implementations are inherently flexible (see Etcd/Raft / Hashicorp/Raft). I'm sure it would be possible to design something gross that is hard coded." How is node behavior measured for errors? The raft specs do not specify measurement. Most implementations measure some aspects (e.g., with monotonic counters), and often send them off to a stats server. Grep for “stats” in Hashicorp/Raft for instance. If you mean “How does the algorithm tell whether a node has errored?” it simply looks for either the absence of a valid reply or heartbeat within a timeout, or the presence of an invalid reply or heartbeat (where “valid” and “invalid” are determined by the spec).
Tokenization (if used) Does the consensus mechanism utilize transaction signing? No
Implementation Approach What is the implementation cost? Transport Dependent. What is the time required to implement? Transport Dependent.
15. Ripple Source: Interview / Questionnaire
Contact name: Bob Way ([email protected])
Questionnaire responses Consensus Methodology What is the underlying methodology used by the consensus mechanism? The Ripple consensus algorithm (RCA), is applied every few seconds by all nodes, in order to maintain the correctness and agreement of the network. Once consensus is reached, the current ledger is considered “closed” and becomes the last-closed ledger. Assuming that the consensus algorithm is successful, and that there is no fork in the network, the last-closed ledger maintained by all nodes in the network will be identical. How many nodes are needed to validate a transaction? (percentage vs. number) A supermajority which is 80 percent. Do all nodes need to be online for system to function? No Does the algorithm have the underlying assumption that the participants in the network are known ahead of time? No Who has ownership of the nodes? (e.g., consensus provider or participants of network) Ripple is an open network. Anyone can run a node. Anyone can participate in the consensus process.
When is a transaction considered "safe" or "live"? A transaction is “safe” after it has been validated by your rippled server. This process normally takes around five seconds. Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus? Yes
How much time does a node need to reach a decision? This process normally takes around five seconds. How much time is actually needed to build the consensus until a new block is added? Consensus is reached about every five seconds. Ripple uses a process called “continuous ledger close”. That means once consensus has been reached, if any server has received new transactions, they can start the next ledger close process immediately. There is no need to wait for a pre–specified timeout. Does system contain synchronous node decision making functionality? Yes, all nodes reach consensus at the same time. What is the number of current and planned validators? This is flexible and open. Participants determine individually if they want to act as a validator. Currently there are around 40 known validators on the network. What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down? 0.2 Is there a forking vulnerability? If there are no restrictions on the membership of the UNL, and the size of the UNL is not larger than 0.2 n_total where n_total is the number of nodes in the entire network, then a fork is possible. How are the incentives defined within a permissioned system for the participating nodes? There are no incentives for validating the ledger. Profitable entities relying on the ledger for business will choose to validate the ledger in order to guarantee its continued operation. What process does the system follow when it receives data? Rippled servers only receive “transactions”. They do not provide a generalized messaging capability. When a transaction is received, rippled:
1) Checks the signature of the transaction. (Authentication)
2) Verifies the transaction by attempting to apply the transaction to its local ledger. (Authorization)
3) If the transaction is authentic and correct, the rippled server broadcasts it to its peers for consensus. (Validation)
How is data currently stored?
All Ripple data is stored in an internal database that is managed by and accessed through the rippled server.
How does a party take ownership of an asset?
The Ripple ledger manages account balances between parties. If a party wants to settle their account (return the balance to zero) then those arrangements must be agreed upon prior to establishing the account relationship.
Governance, Risks and Control
What is the permission management process? What is the process for adding or deleting nodes?
Anyone can add a new node to the RCL network. All you need to do is install the rippled package and run it. Anyone can configure their rippled server to act as a validating node. No permission is required to do so. Validating nodes broadcast “proposals” as part of the consensus process. It is up to the other nodes whether or not they wish to consider your proposals as part of their local decision–making process. Rippled operators individually configure the nodes whose validation proposals they will consider. This configuration is referred to as the “Unique Node List” (UNL). An operator’s decision which validation nodes to configure on the UNL is determined based on three key factors:
1) Do I know who is operating the validator? (Validators cannot be anonymous)
2) Is the validator reliable? (Is it operated 24/7 and upgraded consistently)
3) Does the validator stay synchronized? (Are the validators’ proposals regularly adopted by the rest of the network?)
Ripple (the company) is building tools to help others monitor the above so they can make intelligent decisions.
In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
“Permissioned system” is a term generally used when talking about private Blockchain. KYC/AML (anti–money laundering) seems at a different level. In general, the Ripple Consensus Ledger (RCL) is not a permission–based or private system. Each validator individually determines what other validators they wish to stay in consensus with. Overlapping relationship decisions assure the federated ecosystem stays in consensus as a whole.
How is counterparty risk (/) settlement risk addressed?
The Ripple ledger manages both the entities and the accounting relationships between those entities. This allows the system to support multi–party atomic payments. (Rippling payments). The accounting relationships can be arranged to provide instant settlement. Or the relationships can be arranged to account for deferred net settlement. The choice is up to the parties who wish to do business. As a rule, each entity must evaluate their direct counterparties before establishing an accounting arrangement. This is just a generalized case of “evaluate your bank before you open an account.”
Performance
How long does it take for transactions to be validated and/or consensus to be achieved?
The ledger close interval looks like about 3.5 seconds per ledger at the moment. Depending on timing, a transaction will normally make it into the current or next ledger. Normally average it to “within about 5 seconds”.
Provide some general measures of volume that the consensus mechanism can or will handle (e.g., # of trades)
Unlimited.
Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades)
Unlimited.
Is the speed of the system impacted if the system is made more scalable?
No
Security
How is transaction activity monitored?
We have a data team that keeps watch over the network for our own interests and needs. Anyone else can do the same. You can watch transactions scroll by here. https://www.ripplecharts.com/#/transactions
Does the consensus mechanism utilize Digital Signatures?
Yes, all transactions must be signed to make it into a ledger. We use the same signature scheme as bitcoin, plus we have added an ED25519 signature mechanism.
Which risk/security issues are currently being worked on?
The system has been stable and operational for almost four years. We monitor for potential security issues and submit open source patches as when prudent.
Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)?
Working on some system and corporate certifications, but it is not consensus mechanism specific.
Briefly describe the security testing performed till date (if any)
Ripple’s open source code and running network has been reviewed by NCC Group. https://ripple.com/insights/ripple-eff-open-approach-to-security-will-define-next-chapterof-finance/.
How are you planning to implement/integrate Digital wallets? (Including private key management)
Private Key management is done using our suite of banking products. We don’t currently support a consumer wallet.
In case of a breach, what data is at risk?
There is no data to breach. Anyone can connect a rippled server to the network and view all transaction data. Bank customer information is never included in ledger transactions.
How does the system prevent signature fraud (e.g., stolen keys)?
We have certain operational practices that we recommend to mitigate the loss of a private key. (Issuing vs operational addresses) We are also currently adding a multisign capability to each Ripple address. However, in general, users of the Ripple network are responsible for protecting their own private keys.
Does the consensus mechanism have full documentation in place?
Yes https://ripple.com/build/
How is the system expected to address general server issues?
The Ripple consensus ledger is a distributed peer to peer network. Each peer is responsible for the operation of their own rippled server. Open source patches are made as GitHub pull requests. New release builds are made available regularly. Each peer is responsible for updating their own servers.
How does the consensus mechanism address the risk of "double spending"?
“Double spending” is a bitcoin–specific concept. In the banking world it would be called “over-drafting your account”. The Ripple ledger allows each participating entity to set specific limits and rules for each of their account relationships. The entire Ripple system is dedicated to validating these rules prior to applying any transaction.
How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Nodes sync the most recent ledger first, then they work backwards to download as much history as they wish. There is no requirement to download the entire “Blockchain” as there is with bitcoin. It generally only takes a few minutes for a newly spun up rippled server to reach synchronization with the current ledger and to begin processing transactions.
Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
Each node maintains their own internal clock. The RCL as a whole reaches consensus on the time as it reaches consensus on each ledger.
Under which conditions does a lock/un–lock happen? (i.e., what is the proof safety?)
I don’t know what a lock/un-lock is. We don’t have this concept in Ripple.
What is the process for disaster recovery?
The Ripple RCL is a peer to peer distributed system. Each operator is responsible for their own disaster recovery process. Ripple (the company) has our own disaster recovery process documented internally for the servers we operate.
What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
Like with bitcoin, Ripple is an open distributed system that anyone is free to attack as they see fit. We consider this “normal”. Ripple (the company) has data and compliance teams that monitor the network. However, this is for our Ripple (the company’s) own interests. Anyone else is welcome to monitor the network for fraud or anything else they find interesting.
Privacy
How does the system ensure privacy?
At the ledger (Blockchain) level all transactions are publicly visible. The Ripple payment solution provided to banks handles customer privacy at another communication level, without requiring personal information to move across the Blockchain.
Does the system require verifiable authenticity of the messages delivered between the nodes?
All transactions are authenticated by digital signature.
Do all nodes have visibility into all other transactions?
Yes
How is privacy defined and ensured between applications?
See below.
How does the data encryption model work?
Communication between nodes is encrypted using SSL. However, this is only to assure data is not tampered with in transit.
No encryption is provided with the intention of data privacy. All transactions applied to the ledger are public.
Ripple transactions provide a “memos” field for user determined data. If necessary, this field can be pre-encrypted by the user before a transaction is sent.
Cryptography/Strength of Algorithm
How are the keys generated?
Each entity on Ripple is represented by a Ripple address. This address is identical in concept to a bitcoin address. It is simply an encoding of a public key. Of course being a public key, it must also have a corresponding private key. Cryptographic keys must be generated in private by the owner. Doing so doesn’t require a ledger, nor does it touch the ledger during generation. Key generation can be done by calling an API on your own local rippled server. Or it can be done by running the key generation code in our Ripple JavaScript library. There are other known implementations for the key generator as well. Basically the process starts with a large random number (the seed) that is then algorithmically transformed into a point on the elliptic curve.
What does the key life cycle management look like?
A Ripple address only becomes known to the ledger when it is funded with XRP. At this point it becomes an “entity” entry in the Ripple ledger. Each entity entry can also manage some additional meta-data. This includes a secondary, rotatable, signing key. To rotate a signing key, the user first generates a new key offline using one of the above methods. Then they pass the new key to the Ripple ledger in a transaction signed with the old key. The rippled server takes care of the rest. Private keys must always be managed by their owners off of the Ripple ledger. The ledger never touches private keys.
What is the library approach?
Rippled is accessed via RPC or Web socket APIs. We also provide a JavaScript library to assist those writing client software which calls rippled.
What is the HSM integration approach?
Ripple doesn’t provide a hardware security module, but any HSM that can manage bitcoin keys can also be used to manage Ripple keys.
Does the consensus mechanism require a leader?
No
How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?)
Hardcoded
How is node behavior measured for errors?
Nodes are monitored to see how successfully they stay in sync with the network over time. They are also monitored to see if their validation proposals are adopted by the rest of the network. These two parameters provide a metric to help others decide if a node is worth reaching consensus with.
Implementation Approach
What are the current use cases being explored, tested or implemented?
Payments, correspondent banking.
Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
Information is available on the http://ripple.com website.
Who are you currently working with? (e.g., Venture Capitalists, Banks, Credit Card companies, etc.)
Yes
16. Steem
Source: Interview / Questionnaire
Contact name: Ryan R. Fox ([email protected])
Questionnaire responses
Consensus Methodology
What is the underlying methodology used by the consensus mechanism?
A hybrid DPOS that adds a Proof of Work queue to fill one of the witness nodes of each round. Page 22 @ https://steem.io/SteemWhitePaper.pdf
How many nodes are needed to validate a transaction? (percentage vs. number)
21 total witness, fixed: 19 elected witness nodes plus the next 1 Proof of Work miner from the top of the queue plus one random unelected witness. This hybrid approach allows blocks to be produced at a predictable timeslot and is open to Proof of Work miners competing to solve enough separate Proof of Work puzzles to be added to the queue of future block producers. The difficulty of the puzzle is relative to the length of the queue, to ensure a constant production of blocks at a given timeslot. Further, anyone may be selected at random, weighted by their approval ranking.
Do all nodes need to be online for system to function?
Same as Graphene. See above.
Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
Same as Graphene. See above.
Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Same as Graphene. See above.
What are the different stages involved within the consensus mechanism?
Same as Graphene. See above.
When is a transaction considered "safe" or "live"?
Same as Graphene. See above.
Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
Same as Graphene. See above.
How much time is actually needed to build the consensus until a new block is added?
Same as Graphene. See above.
Does system contain synchronous node decision making functionality?
Same as Graphene. See above.
What is the number of current and planned validators?
21
What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
Same as Graphene. See above.
Is there a forking vulnerability?
Same as Graphene. See above.
How are the incentives defined within a permissioned system for the participating nodes?
Same as Graphene. See above.
What process does the system follow when it receives data?
Same as Graphene. See above.
How is data currently stored?
Same as Graphene. See above.
How does a party take ownership of an asset?
STEEM is the token.
Governance, Risks and Control
How is governance/controls enforced?
Same as Graphene. See above.
Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
Same as Graphene. See above.
Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
Same as Graphene. See above.
How does the consensus mechanism allow access?
Same, but adds the Proof of Work queue for one slot as well.
How does the consensus mechanism restrict access, concerning malicious activities?
Same as Graphene. See above.
What is the permission management process? What is the process for adding or deleting nodes?
Same as Graphene. See above.
How does the protocol assess the trustworthiness of other participants?
Same as Graphene. See above.
Are there separate admin. (/) administrator privileges? Who manages them?
Same as Graphene. See above.
Are there restriction (/) privacy rights defined and enforced by node?
Same as Graphene. See above.
In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
Same as Graphene. See above.
How is counterparty risk (/) settlement risk addressed?
Same as Graphene. See above.
Performance
How long does it take for transactions to be validated and/or consensus to be achieved?
Same as Graphene. See above.
How do you measure scalability?
https://steemle.com/stats.php
Is the speed of the system impacted if the system is made more scalable?
Same as Graphene. See above.
Security
How are you planning to implement/integrate Digital wallets? (Including private key management)
Named Accounts contain a hierarchy of keys: Owner, Active, and Memo. Witness Accounts also have Signing key. The Owner key is at the top and can modify the associated keys below. This is the most important key to maintain safely offline. Users can sign transactions using their Owner key. This is the key that will be used within the wallet software. Witnesses need only their Signing key to produce blocks.
In case of a breach, what data is at risk?
Same as Graphene. See above.
How does the consensus mechanism address the risk of "double spending"?
Same as Graphene. See above.
How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
Same as Graphene. See above.
Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate?
Same as Graphene. See above.
Under which conditions does a lock/un–lock happen? (i.e., what is the proof safety?)
Same as Graphene. See above.
What is the process for disaster recovery?
Same as Graphene. See above.
What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud?
Same as Graphene. See above.
Privacy
How does the system ensure privacy?
Same as Graphene. See above.
Does the system require verifiable authenticity of the messages delivered between the nodes?
Same as Graphene. See above.
Do all nodes have visibility into all other transactions?
Same as Graphene. See above.
How is privacy defined and ensured between applications?
Same as Graphene. See above.
How does the data encryption model work?
Same as Graphene. See above.
If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place?
Same as Graphene. See above.
Are participants' identities hidden from one another? (e.g., Blackpool)
Same as Graphene. See above.
Cryptography (/) Strength of Algorithm
How are the keys generated?
Same as Graphene. See above.
What does the key life cycle management look like?
See BitShares column. Substitute STEEM for BTS.
What is the library approach?
Same as Graphene. See above.
Does the consensus mechanism require a leader?
Larimer is the lead Dev for Steemit, Inc.
How is node behavior measured for errors?
Same as Graphene. See above.
Tokenization (if used)
How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
The token is STEEM.
Which security mechanisms are assigned to the tokens?
Same as Graphene. See above.
Implementation Approach
What are the current use cases being explored, tested or implemented?
Same as Graphene. See above.
What is the implementation cost?
Closed license held by Steemit, Inc.
What is the time required to implement?
Active
Who are you currently working with? (e.g., Venture Capitalists, Banks, Credit Card companies, etc.)
Ask Steemit, Inc.
17. Stellar
Source: Interview / Questionnaire
Contact name: Jed McCaleb / Joyce Kim ([email protected] / [email protected])
Questionnaire responses
Consensus Methodology
What is the underlying methodology used by the consensus mechanism?
The Stellar Consensus Protocol (SCP) provides a way to reach consensus without relying on a closed system to accurately record financial transactions. SCP has a set of provable safety properties that optimize for safety over liveness—in the event of partition or misbehaving nodes, it halts progress of the network until consensus can be reached. SCP simultaneously enjoys four key properties: decentralized control, low latency, flexible trust, and asymptotic security. https://www.stellar.org/papers/stellar-consensusprotocol.pdf.
How many nodes are needed to validate a transaction? (percentage vs. number)
It depends on the network topology but likely around 67% for a network with untrusted nodes or 51 percent for trusted nodes.
Do all nodes need to be online for system to function?
Not all but at least the percentages discussed above.
Does the algorithm have the underlying assumption that the participants in the network are known ahead of time?
No
Who has ownership of the nodes? (e.g., consensus provider or participants of network)
Flexible.
What are the different stages involved within the consensus mechanism?
SCP depends on each node in the network having a list of other nodes in the network that it listens to. It doesn't have to trust these nodes, it just has to believe these nodes won't collude to cheat it. These other nodes form what is called the quorum set of the node. Each node can have its own quorum set. SCP shows that as long as there is some degree of overlap that the network will converge on the same value during consensus.
Phases of the protocol: Nomination, Balloting (Prepare, Confirm, Externalize).
Nomination: Because slots need only be partially ordered, some applications of SCP will have only one plausible ballot per slot. For example, in certificate transparency, each CA may have its own series of slots and sign exactly one certificate tree per slot. However, other applications admit many plausible values per slot, in which case it is helpful to narrow down the possible input values. Our strategy is to begin with a synchronous nomination protocol that achieves consensus under certain timing assumptions, and feed the output of the nomination protocol into an asynchronous ballot protocol whose safety does not depend on timing.
Balloting: Once nodes have a composite value, they engage in the ballot protocol, though nomination may continue to update the composite value in parallel. Balloting involves three phases for a given value. First a node "prepares" the value. This means it essentially announces to the world that it will go with that value if a quorum slice of its also is willing to accept that value. If that happens, then it "confirms" the value. If a quorum slice does in fact also confirm the value then the node can externalize the value and it is now considered valid. There are more details of course in the paper.
When is a transaction considered "safe" or "live"?
It is considered valid after a quorum slice has all confirmed the transaction. At this point you externalize the transaction.
Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
All well-formed transactions are included in the set of transactions.
How much time is actually needed to build the consensus until a new block is added?
Varies depending on the latency between nodes in the network. On the open Internet, it should be < 2 sec.
What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down?
Maximum theoretically possible N=3f+1 where f is the number of faults you want to allow and N is the number of nodes in the network.
Is there a forking vulnerability?
No
How is data currently stored?
SQL DB and in flat files that can be stored wherever for easy archival of history.
Governance, Risks and Control
Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place?
The network is really just a messaging standard so legal action can and would still be taken in the same way it is done today.
Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus?
Node operators would simply stop listening to the SCP messages of the offending nodes.
What is the permission management process? What is the process for adding or deleting nodes?
It is an open network; anyone can join or leave. However, it is possible to construct private networks using the stellar software that need some process for joining.
Are there separate admin. (/) administrator privileges? Who manages them?
Not in the public network. But this could be added to a private one.
Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back–office outsourcing)
Nodes can be either validating or not. So yes nodes can be read only.
In case of permissioned systems, who manages the KYC/AML process and where is the data stored?
This is managed by the institutions connected to Stellar, but we have created a compliance protocol to allow them to easily communicate.
Performance
How long does it take for transactions to be validated and/or consensus to be achieved?
Consensus is reached every five seconds. This leads to three to five seconds to validate a transaction depending on where in the ledger close cycle the transaction is introduced to the network.
Provide some general measures of volume that the consensus mechanism can or will handle (e.g., number of trades)
Highly dependent on the hardware you are running the nodes on, but we have achieved 3000/second on modest hardware. There is still a lot of room for optimization and the upper bound is still much higher than this number.
How do you measure scalability?
The number of transactions per second depends only marginally on the number of accounts in the system. The system scales to 500 million accounts without much effect on maximum transactions/second.
Security
Does the consensus mechanism utilize Digital Signatures?
Yes all the transactions are signed and all the SCP messages are also signed by the validator.
How are you planning to implement/integrate Digital wallets? (Including private key management)
This is something that is being done by third parties. We are building the core protocol and the more user–facing features are left for integrators and people connecting to the platform.
In case of a breach, what data is at risk?
There are no breaches at the Stellar protocol level since everything is public. There can certainly be encrypted pieces built on top of Stellar but that will be implementation specific.
Does the consensus mechanism have full documentation in place?
Yes
How does the consensus mechanism address the risk of "double spending"?
The consensus mechanism is designed to prevent double spending.
How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network?
This varies depending on how long the node has been offline and the amount of data in the current ledger. From instant to a few hours.
Privacy
How does the system ensure privacy?
This is handled in a layer above the stellar protocol through systems like the lightning network.
Does the system require verifiable authenticity of the messages delivered between the nodes?
Yes
Do all nodes have visibility into all other transactions?
Yes, all transactions on the network are public but there can be encrypted metadata attached to transactions which would be private. And there are also protocols for keeping the bulk of the transactions off the public ledger so they can remain private.
Are participants' identities hidden from one another? (e.g., Blackpool)
There is no inherent connection between names and accounts.
Cryptography / Strength of Algorithm
How are the keys generated?
The keys are ed25519 keys so can be generated with standard libraries or by the stellar software.
What does the key life cycle management look like?
This isn't dictated by Stellar, but stellar is very flexible on how you want to handle this. You can have multiple signers on an account. You are able to change the keys on your account.
Does the consensus mechanism require a leader?
No
How is node behavior measured for errors?
You can easily detect if a node is misbehaving since all SCP messages are broadcast to everyone in the network you would be able to see conflicting or invalid messages and the signature would tell you who sent them.
Tokenization (if used)
How are the asset tokenized (if applicable)? Briefly describe the tokenization concept and terminology
The Stellar distributed network can be used to track, hold, and transfer any type of asset: dollars, euros, bitcoin, stocks, gold, and other tokens of value. Any asset on the network can be traded and exchanged with any other. When you hold assets in Stellar, you're actually holding credit from a particular issuer. The issuer has agreed that it will trade you its credit on the Stellar network for the corresponding asset–e.g., fiat currency, precious metal–outside of Stellar. Let's say that Scott issues oranges as credit on the network. If you hold orange credits, you and Scott have an agreement based on trust, or a trust line: you both agree that when you give Scott an orange credit, he gives you an orange. When you hold an asset, you must trust the issuer to properly redeem its credit. Since users of Stellar will not want to trust just any issuer, accounts must explicitly trust an issuing account before they're able to hold the issuer's credit. In the example above, you must explicitly trust Scott before you can hold orange credits. To trust an issuing account, you create a trust line. Trust lines are entries that persist in the Stellar ledger. They track the limit for which your account trusts the issuing account and the amount of credit from the issuing account that your account currently holds.
Does the consensus mechanism utilize transaction signing?
Asset transfer and exchange works like other transactions in Stellar. They must be signed by the public key or keys that own the asset.
Implementation Approach
What are the current use cases being explored, tested or implemented?
Open payment standard. But the consensus mechanism could be used for lots of things.
What is the implementation cost?
~one to two weeks of developer time.
Is there a reviewed business case to compare the implementation costs (including cost of the solution) to the current as-is process?
(No response).
Who are you currently working with? (e.g., venture capitalists, banks, credit card companies, etc.)
Deloitte, Mifos, Oradian, Tempo, Parkway, several other banks.
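The Stellar answers above say the network converges "as long as there is some degree of overlap" between quorum sets. The following Python check is an added example, not Stellar's code and not part of the questionnaire responses: it enumerates the quorums implied by each node's quorum slices, using the quorum definition from the SCP paper cited above, and reports any two quorums that share no node. Node names and both configurations are constructed.

```python
from itertools import combinations

# Constructed four-node network. In SAFE every node accepts any three
# nodes that include itself as a slice; in SPLIT the nodes pair off.
NODES = ("A", "B", "C", "D")
SAFE = {n: [frozenset(c) for c in combinations(NODES, 3) if n in c]
        for n in NODES}
SPLIT = {
    "A": [frozenset("AB")], "B": [frozenset("AB")],
    "C": [frozenset("CD")], "D": [frozenset("CD")],
}


def is_quorum(candidate, slices):
    """A non-empty set is a quorum if it contains at least one
    quorum slice of every one of its members."""
    return bool(candidate) and all(
        any(s <= candidate for s in slices[node]) for node in candidate
    )


def find_quorums(slices):
    """Enumerate every quorum by brute force (exponential in the number
    of nodes, so only suitable for auditing small configurations)."""
    nodes = sorted(slices)
    found = []
    for size in range(1, len(nodes) + 1):
        for combo in combinations(nodes, size):
            candidate = frozenset(combo)
            if is_quorum(candidate, slices):
                found.append(candidate)
    return found


def disjoint_quorum_pairs(slices):
    """Return pairs of quorums with no node in common. Any such pair can
    externalize different values, so a safe configuration returns []."""
    quorums = find_quorums(slices)
    return [(a, b) for a, b in combinations(quorums, 2) if not (a & b)]


if __name__ == "__main__":
    for name, config in (("SAFE", SAFE), ("SPLIT", SPLIT)):
        pairs = disjoint_quorum_pairs(config)
        print(name, "quorums:", len(find_quorums(config)),
              "disjoint pairs:", [(sorted(a), sorted(b)) for a, b in pairs])
```
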
18. Tangaro a Source: KPMG Research
Contact name: See Contact Us below
Questio nnaire r esponses Consensus Methodology How many nodes are need to validate a transaction? (percentage vs. number) In standard Ra ft, you need to replicate a log entry to a majorit y of nod es in the clust er before committing it. For BFT consensus algorithms, including Tangaroa, the required quor um size is 2f + 1, where f is the numb er of failures yo u want to tol erate (includ ing both crashed nodes and compromised nodes). Do all nodes need to be online for system to function? No. Implementation Dependent. Does the algorithm have the underlying assumption that the participants in the network are known ahead of time? There are extension s to the Ra ft algorit hm that allow for addi ng or removi ng nod es from a clus ter. T his is d escribed in t he PhD thesis on Raft. Who has ownership of the nodes? (e.g., consensus provider or participants of network) Implementation d ependent. What are the different stages involved within the consensus mechanism? In BFT R aft, e ach node is in o ne of th e three state s: l eader, follow er, or candid ate. Similar to Raft, BF T Raft divides tim e into terms, which s tart with an election. The winner of the election serves as the lea der for th e rest of the term. S ometimes, a n election wi ll result in a split vo te, and the term will end with n o leader. If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism? The ca ndid ate continues in t he candidate state until one of the thr ee thin gs happens: (a) it wi ns the election, (b) another nod e establishes it self as a lea der, or (c) a period of tim e goes by wi th no w inner (i.e. , it expe riences another election ti meout). A candidate wins an election if it receives votes from a quoru m of the nodes. T he candidate then promotes itself t o the leader state a nd sends heartbea t messages with t he votes and the upd ated
term number to establish its authority and prevent new elections. The signed votes effectively prevent a Byzantine node from arbitrarily promoting itself as the leader of a higher term. Followers that receive this heartbeat message will update their leader ID and term if the leader presented enough signed votes for the matching term. If applicable, what is the voting process after the "propose" stage? To begin an election, a follower increments its current term and sends RequestVote RPCs in parallel to each of the other nodes in the cluster asking for their vote. RequestVote RPCs themselves work similarly to Raft. The modifications come primarily in the recipient of a RequestVote RPC. When a node receives a RequestVote RPC with a valid signature, it grants a vote only if all five conditions are true: (a) the node has not handled a heartbeat from its current leader within its own timeout, (b) the new term is between its current term + 1 and current term + H, (c) the request sender is an eligible candidate, (d) the node has not voted for another leader for the proposed term, and (e) the candidate shares a log prefix with the node that contains all committed entries. A node always rejects the request if it is still receiving heartbeat messages from the current leader, and it ignores the RequestVote RPC if the proposed term has already begun. When is a transaction considered "safe" or "live"? After leader replicates log to all the nodes and they agree, a commit to the log happens. Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus? No How much time does a node need to reach a decision? It depends on many factors, but it's a little unclear on what you mean by "reach a decision". The Raft paper has an analysis on how quickly leader election can occur once the current leader is found to be unresponsive.
What is the number of current and planned validators? The Leader. What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down? "In standard Raft, you need to replicate a log entry to a majority of nodes in the cluster before committing it. For BFT consensus algorithms, including Tangaroa, the required quorum size is 2f + 1, where f is the number of failures you want to tolerate (including both crashed nodes and compromised nodes). Yes. A BFT Raft cluster that tolerates f Byzantine failures must contain at least n ≥ 3f + 1 nodes, where n − f nodes form a quorum."
Is there a forking vulnerability? No What process does the system follow when it receives data? Each replica in BFT Raft computes a cryptographic hash every time it appends a new entry to its log. The hash is computed over the previous hash and the newly appended log entry. A node can sign its last hash to prove that it has replicated the entirety of a log, and other servers can verify this quickly using the signature and the hash. What process does the system follow when it receives data? The data comes from clients of the Raft cluster, who send requests to the leader. The leader replicates these requests to the cluster, and responds to the client when a quorum is reached in the cluster on that request. What constitutes a "request" is system-dependent. How is data currently stored? How data is stored is system-dependent. It's important for state to persist to disk so that nodes can recover and remember information that they have committed to (which nodes they voted for, what log entries they have committed, etc.). The protocol can't work without this.
Governance, Risks and Control How is governance / controls enforced? "BFT Raft allows clients to interrupt the current leadership if it fails to make progress. This allows BFT Raft to prevent Byzantine leaders from starving the system. Like Raft, BFT Raft uses randomized timeouts to trigger leader elections. The leader of each term periodically sends heartbeat messages (empty AppendEntries RPCs) to maintain its authority. If a follower receives no communication from a leader over a randomly chosen period of time, the election timeout, then it becomes a candidate and initiates a new election. In addition to the spontaneous follower-triggered elections BFT Raft also allows client intervention: when a client observes no progress with a leader for a period of time called the progress timeout, it broadcasts UpdateLeader RPCs to all nodes, telling them to ignore future heartbeats from what the client believes to be the current leader in the current term. These followers will ignore heartbeat messages in the current term and time out as though the current leader had failed, starting a new election." Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus? Heartbeats
How does the consensus mechanism allow access? A Byzantine node can decide to arbitrarily increase the commit index of other nodes before log entries have been sufficiently replicated, thus causing safety violations when nodes fail later on. BFT Raft shifts the commit responsibility away from the leader, and every node can verify for itself that a log entry has been safely replicated to a quorum of nodes and that this quorum agrees on an ordering. How does the consensus mechanism restrict access, concerning malicious activities? BFT Raft allows clients to interrupt the current leadership if it fails to make progress. This allows BFT Raft to prevent Byzantine leaders from starving the system. What is the permission management process? What is the process for adding or deleting nodes? Raft's mechanism for changing the set of servers in the cluster uses a new joint consensus approach where the majorities of two different configurations overlap during transitions. This allows the cluster to continue operating normally during configuration changes. How does the protocol assess the trustworthiness of other participants? Election leader timeout. Are there separate admin / administrator privileges? Who manages them? No Are there restriction (/) privacy rights defined and enforced by node? Nodes can stop byzantine leaders from committing to the log. Can a node or a user have only "Read" or only "Write" access? Is specific node access required if only performing one functionality? (e.g., back–office outsourcing) Leader Append-Only everyone can write but leader approves log, replicates log and sends it out to all nodes. What are the measures in place to reduce risk? Tangaroa has used BFT with raft to stop byzantine leaders from starving the system.
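The hash chaining described under Consensus Methodology and the per-node commit verification described above can be sketched as follows. This is an added Python illustration, not code from Tangaroa or from KPMG; the class and function names, the choice of SHA-256 and the sample acknowledgements are assumptions, and the signature on each acknowledgement is assumed to have been verified before it reaches this code.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # assumed starting value for the hash chain


def quorum_size(f: int) -> int:
    """Quorum size 2f + 1 quoted in the responses (f = tolerated failures)."""
    return 2 * f + 1


def min_cluster_size(f: int) -> int:
    """Smallest cluster (n >= 3f + 1) that tolerates f Byzantine nodes."""
    return 3 * f + 1


class HashChainedLog:
    """Replica log where each hash covers the previous hash and the new entry."""

    def __init__(self):
        self.entries = []
        self.hashes = []

    def append(self, entry: bytes) -> bytes:
        prev = self.hashes[-1] if self.hashes else GENESIS
        # Length-prefix the entry so (prev, entry) has one unambiguous encoding.
        material = prev + len(entry).to_bytes(8, "big") + entry
        digest = hashlib.sha256(material).digest()
        self.entries.append(entry)
        self.hashes.append(digest)
        return digest

    def last(self):
        """(index, hash) pair a node would sign to attest to its whole log."""
        return len(self.hashes) - 1, self.hashes[-1]


def committed_index(local, acks, f):
    """Highest index this node can treat as committed, or -1 if none.

    acks maps peer id -> (last index, last hash) for the other nodes, taken
    from messages whose signatures are assumed to be verified already.
    A peer counts only if its hash equals ours at that index, which vouches
    for the entire prefix and therefore for the ordering.
    """
    vouched = [len(local.hashes) - 1]  # our own log
    for index, digest in acks.values():
        in_range = 0 <= index < len(local.hashes)
        if in_range and hmac.compare_digest(local.hashes[index], digest):
            vouched.append(index)
    need = quorum_size(f)
    if len(vouched) < need:
        return -1
    # The need-th highest vouched index is held by at least `need` nodes.
    return sorted(vouched, reverse=True)[need - 1]


def build_demo():
    """Constructed 4-node cluster (f = 1): two honest peers, one divergent."""
    def log_of(*entries):
        log = HashChainedLog()
        for entry in entries:
            log.append(entry)
        return log

    local = log_of(b"pay A 5", b"pay B 7", b"pay C 2")
    acks = {
        "n2": log_of(b"pay A 5", b"pay B 7", b"pay C 2").last(),  # up to date
        "n3": log_of(b"pay A 5", b"pay B 7").last(),              # lagging
        "n4": log_of(b"pay A 5", b"pay X 9", b"pay C 2").last(),  # altered entry
    }
    return local, acks


if __name__ == "__main__":
    demo_log, demo_acks = build_demo()
    print("committed up to index", committed_index(demo_log, demo_acks, f=1))
```

Because each hash covers the whole prefix, the altered second entry on the constructed node n4 changes its final hash, so its acknowledgement never counts toward the quorum even though its last entry matches.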
Performance How do you measure scalability? This depends a lot on the system's characteristics. In general though, the more nodes you have in a cluster, the more work the leader has to do to commit each log entry, because it must always be replicated to a majority of the cluster. Is there a limitation on the number of fields within a transaction? No Is the speed of the system impacted if the system is made more scalable? Slow nodes do not slow the system.
Security Does the consensus mechanism utilize Digital Signatures? Yes. BFT Raft uses digital signatures extensively to authenticate messages and verify their integrity. This prevents a Byzantine leader from modifying the message contents or forging messages. In case of a breach, what data is at risk? Implementation dependent. How is the system expected to address general server issues? No How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network? It is the leader who synchronizes and sends out a replicated log. Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate? Clock is managed by the central node. Raft’s notion of a term does away with having to keep centralized clocks.
Under which conditions does a lock/un–lock happen? (i.e., what is the proof safety?) Raft uses a replicated finite state approach to transactions rather than locking. We model our transactions on this basis.
What is the process for disaster recovery? Read the raft papers searching for “stable store” or similar. The whole point is that the raft log items, once accepted, are guaranteed to be on stable storage. So, in the event of a total outage, the cluster should just come back alive. Similarly, you only need one copy of the FSM to restore the whole lot. The details of the process will depend both on the implementation and on operational procedures by the end user (e.g., how backups are taken). Note the fact raft is designed to operate between data centers makes this easier. One minor challenge is that the state of the peers is itself in the FSM, so if you lose a lot of peers, adding back peers to form a quorum needs thought. From memory this is covered in chapter 4.
Privacy Does the system require verifiable authenticity of the messages delivered between the nodes? Note that TCP itself will prevent most corruption and ensure retransmission, and most users use TCP (with or without encryption on top). Note that Raft does not have to run over TCP (I submitted a UDP version for instance, and running over say ZeroMQ would be quite feasible). How does the data encryption model work? Whilst encryption is out of Raft’s scope – yes you can encrypt. Are participants' identities hidden from one another? (e.g., Blackpool) No
Cryptography/Strength of Algorithm Does the consensus mechanism require a leader? Yes How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?) "Not 100% on what you mean by ‘strictness’. Raft consensus is achieved by majority for a transactional write and is designed to provide hard guarantees. Implementation dependent. Many implementations are inherently flexible (See Etcd/Raft / Hashicorp/Raft). I'm sure it would be possible to design something gross that is hard coded."
How is node behavior measured for errors? The raft specs do not specify measurement. Most implementations measure some aspects (e.g., with monotonic counters), and often send them off to a stats server. Grep for “stats” in Hashicorp/Raft for instance. If you mean “How does the algorithm tell whether a node has errored?“ it simply looks for either the absence of a valid reply or heartbeat within a timeout, or the presence of an invalid reply or heartbeat (where “valid” and “invalid” are determined by the spec).
Tokenization (if used) Does the consensus mechanism utilize transaction signing? No
Implementation Approach What is the implementation cost? Transport Dependent. What is the time required to implement? Transport Dependent.
19. Tendermint Source: Interview / Questionnaire
Contact name: Jae Kwon ([email protected])
Questionnaire responses Consensus Methodology How many nodes are needed to validate a transaction? (percentage vs. number) More than two thirds of the validators need to be online.
Do all nodes need to be online for system to function? More than two thirds of the validators need to be online. (Same as above) Does the algorithm have the underlying assumption that the participants in the network are known ahead of time? Yes and no. Validator sets can change according to TMSP application logic.
Who has ownership of the nodes? (e.g., consensus provider or participants of network) Implementation dependent. If applicable, what conditions are needed to be met to enter and exit each stage of the consensus mechanism? See spec on GitHub. https://GitHub.com/tendermint/tendermint/wiki/Byzantine-Consensus-Algorithm 1) Propose 2) PreVote 3) PreCommit 4) Commit. If applicable, what is the voting process after the "propose" stage? In the ideal case, two phases of signatures (two phase commit). When is a transaction considered "safe" or "live"? A system is considered safe or live… not transactions. A transaction is considered committed when a block includes that transaction, and the block’s Merkle hash root gets signed by > two thirds of validators with a pre-commit vote, at the same height and round number. Are there multiple rounds of vetting to decide which set of transactions are going to make it into the next round of consensus?
Ideally happens in one round. If the primary proposer for a block isn’t online, will need to move onto next round, etc. Otherwise no, not sure what multiple rounds is referring to. How much time does a node need to reach a decision?
Blocks commit on the order of one second. Depends on network size, physical distance (global vs. localized), etc. How much time is actually needed to build the consensus until a new block is added? Depends on parameters, but on the order of one second for typical applications.
Does system contain synchronous node decision making functionality? The system is partially synchronous. It’s mostly asynchronous, with some sensible timeouts built in. What is the number of current and planned validators? One to thousands, depending on requirements. A 50-node global network can still commit blocks on the order of a second. What is the Fault Tolerance? How many nodes need to be compromised before everything is shut down? "Can tolerate up to one third of Byzantine nodes.” Is there a forking vulnerability? Only if BFT threshold is exceeded. How are the incentives defined within a permissioned system for the participating nodes? It’s undefined. It can be defined in the TMSP application (similar to Hyperledger’s chaincode). What process does the system follow when it receives data? Depends. There’s a mempool module for transaction sharing prior to consensus, as well as a consensus module. These modules are multiplexed on the same TCP connection between peers. The consensus module runs on its own consensus sub–channel. Details can be found here: https://GitHub.com/tendermint/tendermint/wiki/Byzantine-Consensus-Algorithm. How does a party take ownership of an asset? Depends on the application.
Governance, Risks and Control How is governance / controls enforced?
"We’re creating a governance system called Governmint. http://GitHub.com/tendermint/governmint TMSP Governance Layer. A simple voting system that enables itself to evolve over time. Entities are identified by a pubkey. Members are entities associated with a group; can vote on proposals for that group. Groups are collections of members. Votes are cast on proposals by members. Proposal types: GroupUpdateProposal: change the group membership, etc. GroupCreateProposal: create a new group. VariableSetProposal: set a variable value. TextProposal: create a human readable proposal. SoftwareUpgradeProposal: upgrade software. TX types: ProposeTx to propose something for a group to vote on; CastTx to vote on a proposal" Who is responsible and what are they responsible for in case of malicious actions within the network? How does legal action take place? There is a method of determining liability in the case of a fork. BFT algorithms don’t typically guarantee this. Is there an intrinsic penalty mechanism in place for an attempted corruption of the consensus? Yes, for a successful corruption. How does the consensus mechanism allow access? Currently each node is configured manually, but later we’ll re–introduce peer-exchange functionality. It’s based on gossip, like Bitcoin. Nodes don’t have to be (active signing) validators, they can still help with block/vote propagation. How does the consensus mechanism restrict access, concerning malicious activities? "Several mechanisms. In the p2p networking layer, a system of multiplexing many connections with fairness. In the mempool layer, CheckTx TMSP messages to check for transaction validity before propagation to peers. In the consensus layer, public key infrastructure to ensure that correct validators sign blocks." What is the permission management process? What is the process for adding or deleting nodes?
TMSP has basic notion of validator set changes, but other permissions are handled by the app. Similar to adding a Bitcoin node, except every validator needs its public key added to the validator-set of the Blockchain from the TMSP app. How does the protocol assess the trustworthiness of other participants?
Pubkey infrastructure. Are there separate admin. (/) administrator privileges? Who manages them? No, depends on the application. Are there restriction (/) privacy rights defined and enforced by node? Depends on the application. Tendermint Core has no assets besides validator voting Proof of Worker, which isn’t natively fungible.
Performance How long does it take for transactions to be validated and/or consensus to be achieved? "- Transactions are pushed asynchronously via TMSP to the app. Unix sockets are very fast, so the bottleneck is mostly in the application. Tendermint Core can handle around 10k TXs/sec for 250byte size transactions.” Provide some general measures of volume that the consensus mechanism can or will handle (e.g., number of trades) Depends on the app. Tendermint Core can handle around 10k txs/sec for 250byte size transactions.
Provide some general measures of the value that the consensus mechanism can or will handle (e.g., $ value of trades) Unlimited. How do you measure scalability? "● Number of validators ● Compute/network limitations of validators ● Number of txs/sec on an empty TMSP application ● Average size of txs"
Is the speed of the system impacted if the system is made more scalable? No. Tendermint is ideal for scaling. Have as many shards as you want.
Security How is transaction activity monitored? RPC APIs Does the consensus mechanism utilize Digital Signatures? Yes. Consensus relies on digital signatures. How does the consensus mechanism address an assumed industry standard? "It’s an optimal BFT algorithm that can also provide monetary guarantees on the security of the Blockchain. ● For the Blockchain to fork, > one third need to be Byzantine ● When a fork occurs, you can determine liability ● Validators can have collateral posted on a Blockchain or elsewhere (e.g. distributed)"
Which risk/security issues are currently being worked on? Various testing. Are there any plans for getting the application/consensus mechanism certified (e.g., ISO, SOC, etc.)? No, there aren’t many people that can certify consensus algorithms. We will always be working toward formal proof systems. More academic peer review. Briefly describe the security testing performed till date (if any) We just finished a round of network integration tests. The last test found a subtle bug in the gossip logic in the case of malicious double-signing. In case of a breach, what data is at risk? The private key of a validator. It’s assumed that the Blockchain information is public (e.g. no privacy except what is provided by the application) How does the system prevent signature fraud (e.g., stolen keys)? Outside our scope. Complemented with trusted computing (e.g., Intel Sawtooth)
Does the consensus mechanism have full documentation in place? No. How does the consensus mechanism address the risk of "double spending"? Total ordering of blocks, as in Bitcoin, except without the need for confirmation blocks. How does system ensure network synchronization? And, what is time needed for the nodes to sync up with the network? Depends on the parameters of the application, e.g., application compute complexity, txs (/) sec etc. Do the nodes have access to an internal clock/time mechanism to stay sufficiently accurate? Typical computer. An accurate clock is not required.
Under which conditions does a lock/un–lock happen? (i.e., what is the proof safety?) "See spec on GitHub. https://GitHub.com/tendermint/tendermint/wiki/Byzantine-Consensus-Algorithm Proof of Safety"
What is the threat model being tested? What has been defined as “normal”? How do you monitor fraud? Highest threat level.
Privacy How does the system ensure privacy? Up to the application. Blockchain txs and application state should be public. Use various encryption techniques, e.g., homomorphic encryption. Does the system require verifiable authenticity of the messages delivered between the nodes? No, messages are signed, signatures are included. Do all nodes have visibility into all other transactions? Yes. If consensus happens in a permissioned network are random public keys issued for every single transaction to increase the privacy? Or does randomized CUSIP translation factors take place? Depends on the application. A TMSP application can be like UTXO, or not.
Cryptography/Strength of Algorithm What is the library approach? Best open-source practices. Does the consensus mechanism require a leader? Round robin leaders, for every block height and every round. (Ideally a block is found in one round). A single leader (proposer) at a time. But everyone is supposed to vote. The leader is not required for aggregating signatures. How strict is the consensus mechanism? (Is the system strictness hard coded, or built with code flexibility?) TMSP is a socket protocol. It provides ultimate flexibility. We’re also developing a few TMSP applications ourselves, but this survey doesn’t address those. Does the consensus mechanism require a leader? Consensus has a leader.
Tokenization (if used) Does the consensus mechanism utilize transaction signing? Blockchain solves this problem by Public-Private key pairs for signatures on and verification of transactions. Tangaroa's protocol specifies using a similar system, but at the consensus level as well. This provides a means for one node to validate that a message came from another node (so long as keys haven't been compromised).
Implementation Approach What are the current uses cases being explored, tested or implemented? Private networks in enterprise environments, either intra– or inter–firm. What is the implementation cost? Depends on the domain. What is the time required to implement? Depends on the domain, but pretty fast at this point.
Contact Us and Acknowledgements
Bill Cline, KPMG LLP, Principal - Advisory, Financial Services Strategic Capabilities & Alliances Lead, 704-335-5552, [email protected]
Sigrid Seibold, KPMG LLP, Principal – Advisory Capital Markets, 917-971-5880, [email protected]
George Samman, twitter: @sammantic, blog: sammantics.com
Acknowledgements: We’d like to acknowledge the contributions of numerous people in the Blockchain network, many of whom reviewed and verified portions of this paper:
KPMG LLP: Bob Hayward, Kiran Nagaraj, Walter Murphy, Mihai Liptak, Roshan Rao, Burak Karvan and Francis Sam Yesurathinam
BigChainDB: Trent McConaghy – [email protected]
BitShares 2.0: Ryan R. Fox – [email protected]
CASPER: Vlad Zamfir – [email protected]
Directed Acyclic Graphs: Aviv Zohar – [email protected]
Distributed Concurrence: Dan Conner – [email protected]
Evernym: Jason Law – [email protected]; Timothy Ruff – [email protected]; Drummond Reed – [email protected]
Graphene: Ryan R. Fox – [email protected]
MultiChain: Gideon Greenspan – [email protected]; Maya Zehavi – [email protected]
OpenChain: Flavien Charlon – [email protected]
Ripple: Bob Way – [email protected]
Steem: Ryan R. Fox – [email protected]
Stellar: Jed McCaleb – [email protected]; Joyce Kim – [email protected]
Tendermint: Jae Kwon – [email protected]
Note: Ryan R. Fox does not represent Cryptonomex, Inc., Steemit, Inc., nor any other entity within the Blockchain space. His responses are his own informed opinions based upon independent research.
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 575202 The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The KPMG name and logo are registered trademarks or trademarks of KPMG International.