Extreme Integrity in Decentralized World
A Blockchain Vision That Would Impress Narnia’s Creator, by Eli Ben-Sasson
- CS Lewis said integrity is ‘doing the right thing, even when no one is watching.’
- Cutting-edge cryptography will empower blockchain to manage everyone’s data in accordance with this ideal.
I’m busy solving a problem that doesn’t need solving. That’s what people often say, upon realizing that I left the university to work in blockchain.
Surely a sensible academic should know better than to get swept away in this craze! I’ll say up front that I was lured out of the university by a conviction that blockchain will grow significantly, and a belief that I can enable it to operate with computational integrity at large scale armed with just math research. What is more, this is no abstract prediction: I’m a co-founder of StarkWare, where colleagues and I have built a range of advanced blockchain technologies from this math.
The reason for this career change was that I want to see blockchain deliver something that will make a world of difference to the human condition. I want it to replace the centralized institutions that intermediate all our financial transactions with a new system that is more transparent, fair and democratized, while operating with the same level of integrity promised by mainstream financial corporations (or even an increased level of integrity).
The great C. S. Lewis, who wrote at length about integrity and other lofty values for adults — and via his children’s characters in The Chronicles of Narnia — captured the power of the word integrity. He defined it as “doing the right thing, even when no one is watching.” This is precisely what I would hope of anyone handling my funds or any calculations related to them: That everything lives up to the standards of what I call computational integrity.
Computer scientists have been aiming at this since long before blockchain, albeit using different language. In a seminal 1991 article, four theoretical computer scientists — László Babai, Lance Fortnow, Leonid Levin and Mario Szegedy — foresaw a situation in which “a single reliable PC can monitor the operation of a herd of supercomputers working with possibly extremely powerful but unreliable software and untested hardware.” To rephrase the challenge with Lewis’ phrasing, I want to ensure that when it comes to the myriad computations that facilitate our financial transactions, the “right thing” is always done.
But some very serious figures have advanced an argument, important to consider, that blockchain is change for the sake of change — that it delivers no great benefit; that the current system is just fine, and “If it ain’t broke don’t fix it.” This argument, and the current system it favors, are worth considering here.
1. Reputable Trusted Parties Play Repeated Games
Over the past century, we have grown accustomed to trusted institutions like banks handling and authorizing our financial interactions. Today there is a wide range of such institutions, including Visa, SWIFT and many exchanges.
The upside is that these institutions take on the hard work and the headache of all the computation and record keeping. The major downside is that we are all expected to place total trust in them, without any oversight of our own. Why should we settle for this in an era when technology heralds a far more transparent solution, namely blockchain?
The Nobel Prize-winning economist Paul Krugman gives an interesting answer. He says that there is already a “technology” that allows the general public to be confident that trusted institutions are acting with integrity.
He is using the word “technology” creatively, to talk about reputation. “One way to think about that is reputation is a technology,” he said. “We solve a lot of problems in the economy by turning what could be one-shot games in which people literally take the money and run, and turning them into repeated games in which people have an incentive to behave well in this period so you trust them for the next period, and so on into the future.”
In his view, banks and other trusted institutions serve us well. Proponents of a shift to cryptocurrency are saying: “Let’s throw away the social technology of repeated games and reputation, and try and build a system that is going to operate purely on the basis of an algorithm that assures us we have what we need.”
This is an important argument, but to my mind it is one that does not stand up to scrutiny. Blockchain heralds too much promise to be dismissed. And it is simply not true that the situation today serves us well. If banks are the epitome of a trusted institution (and some may dispute that claim), let’s remember that at least around 1.7 billion adults around the world are still unbanked — with no access to a bank or to a financial institution. They are slowly discovering cryptocurrency. In Africa, 1.4 million people hold cryptocurrencies, and the figure is constantly growing. Additionally, up until a few decades ago, nearly all financial transactions among people and small businesses were done with no intermediation of banks. The modern transition to electronic money has channeled nearly all transactions through a small group of too-large-to-fail institutions, allowing them to reap huge and undeserved profits. So as I see it, the existing system of trusted institutions leaves room for significant improvement via blockchain.
2. Embrace Blockchain As Is
Blockchain opens up a whole new world of financial transactions. It’s one that relies on the idea of “distributed ledgers,” instead of trusted institutions. These ledgers achieve computational integrity by virtue of the fact that they are widely shared and scrutinized. In other words, the transactions aren’t verified by a banker or other “trusted” party, but rather by strength in numbers.
This is a remarkable advance. So why can’t I be satisfied with this and embrace blockchain as it is, without wanting to change the way it works?
The answer is that a large hurdle stands in the way of blockchain — it needs to scale up. Blockchains can typically only handle 10 to 15 transactions per second, which means they are simply too puny to become ubiquitous.
Most people aren’t aware of the blockchain scaling crisis, but it actually affects everyone. After all, why aren’t we seeing the development of crypto apps for everyday use, and having tech delivered to us that lets normal people take full advantage of the power of blockchain? When blockchain is straining under the weight of current demand, which makes it slow and sends transaction fees sky-high, the situation hasn’t been conducive to innovation we’ll all benefit from. When scaling creates breathing space on the blockchain, we’ll see a building boom of crypto apps.
Let’s look at the nuts and bolts of the system to understand what is preventing blockchains from scaling.
Blockchains are actually establishing integrity the same way that you do with your waiter in a restaurant. He or she presents a check with the food you ordered, taking up the role of “prover.” You verify the calculation — making you the “verifier,” and you verify the integrity of the computation by naively replaying the very same computation done by the prover. Hence you are establishing integrity by “naive replay.”
Blockchains work similarly. Each transaction submitted to the blockchain is treated like a restaurant check and every node of the blockchain must inspect these transactions by naively replaying their computation. The upside of this is that no “trusted parties” are needed: If anyone is cheating, every single node sees.
The downside is that lots of nodes are doing a lot of computation. What is more, this computation-heavy model is also limiting the scale of blockchain, with its low transactions-per-second ceiling. This could be rectified if it was decided that all machines on the blockchain need to be supercomputers with many cores and huge disk space. But this would quickly make blockchains similar to the old system they sought to disrupt, replacing banks with a small set of supercomputers and the companies running them. To prevent that, a key principle hailed by truly decentralized blockchains is inclusive accountability, which says that you or I must be able to use our meager laptops to verify the integrity of the whole blockchain.
So the great strength of blockchain, the fact that the record-keeping is utterly reliable thanks to the inclusive nature of verifying its integrity, comes at the cost of throughput. In a similar vein, a democracy where every decision is taken by a referendum achieves a very inclusive process, but one that is taxing in terms of time, energy, and throughput.
That’s why there is discontent in the blockchain community, and huge interest in scaling solutions. In the lively discourse that is underway on how best to do this, my team and I are known as huge proponents of scaling — but huge opponents of any compromises to security, speed, or other benefits currently associated with blockchain. The StarkWare ethos is to scale while retaining full computational integrity.
The question of how, exactly, to scale blockchain will seem like an irrelevant technicality to many today. But like other big infrastructure choices in society, such as how we organize a democracy or structure tax and welfare systems, it is likely to have a significant impact on us all.
3. You’re Overcomplicating — Just Trust a Chip
Isn’t a solution staring us in the face? Blockchains free us from the need to trust human-run entities like banks. In this spirit, if we want to scale them, perhaps we can do so without human involvement, and put our trust in hardware.
Chips called trusted execution environments (TEEs) offer such a solution. If you want to write many transactions to the blockchain, feed all their inputs to a TEE, which spits out a signed key that is written to the chain and implies the TEE has processed all of them correctly. As such, the nodes of the chain don’t need to verify long computations, but rather short signed keys, which attest to the integrity of many transactions. Less data is added to the chain, less computation is needed to verify integrity, and by virtue of this, blockchain can be scaled without needing to replace the laptops that verify it with supercomputers.
This solution sounds perfect, but it’s not. Let’s assume — and this isn’t always true — that the chips are designed and made to the very highest standards, and the security is as high as we can possibly hope. Still, each and every chip relies on a secret key that is physically ensconced inside. Extracting that key is extremely hard and expensive, but if there are huge gains for doing so, there will always be people who will try. To emphasize, once a TEE chip is sent out into the wild it is no longer under the control of the manufacturer, and may fall into malicious hands, along with the secret key on which its security is premised. That means that even if an attack isn’t viable now, it may well become viable in a year or two, and then the system will be compromised.
In 2010, it was a former US military security specialist, Christopher Tarnovsky, who identified a weakness in Infineon’s “un-hackable” SLE66 CL PE chip. He used an electron microscope, acid and other tools. While these are not household items, they are certainly within the reach of anyone who wishes to compromise a financial system.
As technology advances, so does technology for malicious use, and it is safe to assume that it will get easier and cheaper to break these chips. The higher the value of transactions that hinge on their use, and the lower the cost of breaking them, the more the incentives will rise.
4. Trust Math
The ideal situation for blockchain is that its nodes should be able to vouch for everything that is being added to the chain — but do so by exerting minimal computational effort. If this combination is reached, it means they will have the capacity to add more items to the chain, and blockchain can be massively scaled up.
The research branch I’m focused on provides a way for math alone to generate a “proof” to attest to the integrity of many transactions. Instead of sending those transactions to be checked by all nodes of the network, a single prover will process them and submit a succinct proof of the integrity of its computation to the blockchain.
Talking about proofs sounds abstract, so let’s be more specific. They are protocols designed to convince anyone who observes them that the claims in question are correct, much like the public and transparent protocol carried out in a court of law is designed to convince us that justice has been done. The proof system that I co-invented, STARK, requires the prover to submit a proof that is an annotated log of the computation performed, to attest to the integrity of many thousands of transactions.
For the verifier to check that the computation is valid, there is no need to repeat the computation conducted by the prover, nor read the submitted log. Rather, the verifier conducts random sampling of entries from that log — a few kilobytes — and the number patterns in those samples provide all the information that is needed to ascertain computational integrity. If the computation is valid, and only if it is valid, the verifier will deem the proof legitimate and agree to accept the transactions to the blockchain.
There is no hardware that can be hacked, just published, peer-reviewed and publicly-scrutinized math and its implementation in publicly-available software code. This software alone verifies the proof, and computational integrity holds even if the proofs are produced by malintentioned parties using faulty hardware.
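A much-simplified illustration of the sampling idea above, added here; it is not StarkWare's code and not the STARK protocol. The prover commits to its log with a Merkle tree and the verifier checks only a handful of sampled steps; the `step` rule, the modulus and all function names are assumptions, and a real STARK additionally encodes the log so that any error shows up in most samples, which this toy omits.

```python
import hashlib

P = 2**61 - 1  # modulus of the toy computation (assumption)

def step(i, s):
    return (s * s + i) % P  # assumed toy rule for one computation step

def run(start, n):
    """The prover's log: the state after every step."""
    log = [start]
    for i in range(n - 1):
        log.append(step(i, log[-1]))
    return log

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(i, v):
    return H(b"leaf", i.to_bytes(8, "big"), v.to_bytes(8, "big"))

def commit(log):
    """Merkle tree over the log (length a power of two); levels[-1][0] is the root."""
    levels = [[leaf(i, v) for i, v in enumerate(log)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[j], cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels

def open_at(levels, log, i):
    path, j = [], i
    for level in levels[:-1]:
        path.append(level[j ^ 1])  # sibling hash at this level
        j //= 2
    return i, log[i], path

def opens_to(root, i, v, path):
    node = leaf(i, v)
    for sibling in path:
        node = H(node, sibling) if i % 2 == 0 else H(sibling, node)
        i //= 2
    return node == root

def samples(root, n, k):
    """Positions derived from the root, so the prover cannot choose them."""
    return [int.from_bytes(H(root, bytes([c])), "big") % (n - 1) for c in range(k)]

def prove(log, k=16):
    levels = commit(log)
    root = levels[-1][0]
    return root, [(open_at(levels, log, i), open_at(levels, log, i + 1))
                  for i in samples(root, len(log), k)]

def verify(root, n, proof, k=16):
    """Check k sampled transitions without replaying or reading the whole log."""
    want = samples(root, n, k)
    return len(proof) == k and all(
        (a, b) == (i, i + 1) and vb == step(a, va)
        and opens_to(root, a, va, pa) and opens_to(root, b, vb, pb)
        for i, ((a, va, pa), (b, vb, pb)) in zip(want, proof))
```

For a 1,024-entry log the verifier touches 32 entries and 10 sibling hashes per entry, instead of recomputing all 1,023 steps.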
I long dreamed of using the “truth” of math underlying these marvelous proof systems to allow people to feel more confident about the systems that run modern life including, but not limited to, financial systems. STARK proof systems make truth as untamperable as the laws of nature. Like gravity forces objects to the ground, STARK proofs force computational “impurities” into the open.
The theoretical predecessors of STARK systems have been studied vigorously since the 1980s, but initial constructions were too inefficient to use in practice. A full decade of my research career was devoted to overcoming this barrier, first theoretically, then practically. And I was unsure exactly how I would apply my research in the “real world.” It wasn’t research designed for blockchains, but in 2013 I attended a Bitcoin conference in San Jose and it started to dawn on me that it is a perfect fit for their challenges. Today, math-based blockchain scaling is advancing rapidly thanks to the effort of many excellent teams (Zcash, Aztec, The Matter, Hermez and Miden are notable examples), and I have the exhilarating experience of working with a brilliant team at StarkWare that is not only bringing our research to life, but expanding and innovating on it, in ingenious ways I couldn’t have imagined.
One such recent innovation is StarkNet, an open network that allows scaling up capacity for all software developers who build on Ethereum. Anyone can use it today to deploy any “smart contract,” the term used for computer programs that run over blockchains. And any user can send transactions to those smart contracts. StarkNet is but one of several solutions using math and cryptographic proofs to validate the integrity of blockchains, forming a class of scaling solutions called Validity Proofs.
5. The Optimistic Approach
There is another interesting approach to scaling blockchains, based on Fraud Proofs rather than on Validity Proofs. Like the STARK approach, the Fraud Proof approach frees the nodes of the blockchain from having to carry out “naive replay” for each and every transaction, by creating batches of transactions that are optimistically assumed to be correct. All raw inputs needed to verify the transactions are uploaded, or “rolled up” to the blockchain, leading to what we call Optimistic Rollups.
In systems based on Fraud Proofs, Optimistic Rollup nodes monitor the processed transactions and can mount a challenge if there seems to be a problem with a proposed update to the blockchain.
If this happens, and the challenge is correct, inaccurate computations are invalidated and the clock is wound back to the last moment when all those nodes agree that all computations are valid (the offending party pays a fine, and the detecting party is paid a reward).
Optimism leads to efficiency. As transactions are assumed valid, little computational effort is expended on each, meaning Fraud Proofs are a seemingly good fit for a scalability-constrained environment.
But optimism can have disastrous consequences, if it leads to an immutable ledger bearing a false statement, whether as a result of a mistake or malice.
If an incorrect state is either genuinely overlooked, or missed because an attacker manages to silence users who are attempting to report fraud (by mounting what are called denial-of-service attacks), it can end up being written to the blockchain with no redress. This means a known false statement (e.g., “Eli Ben-Sasson is now the owner of all the cryptocurrency in the world”), can be accepted as true. Optimistic Rollups allot a timeframe — the Dispute Time Delay (DTD) — to dispute a state before it is considered finalized on the blockchain, and the longer the DTD, the safer the system should be.
Of course, one can recommend a very long DTD, but every hour of the DTD is an hour in which a transaction’s finality — its recording as an immutable record on the blockchain — is delayed. Currently, Optimistic Rollup systems that are undergoing testing have suggested using a DTD of one week. Users have to wait this long, for example, to withdraw assets such as funds or NFTs. Alternative liquidity can be offered to them by “liquidity providers,” though this is like borrowing from a payday lender — costs are high.
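The dispute window described above, modelled as a small state machine. This is an added example, not code from any rollup project: the class and function names, the balance-transfer rule and the sample accounts are assumptions, and only the one-week window comes from the article.

```python
from dataclasses import dataclass

DTD_HOURS = 7 * 24  # dispute window; the article cites one week

def replay(balances, txs):
    """Naive replay of a batch: the computation a challenger redoes."""
    out = dict(balances)
    for src, dst, amount in txs:
        if 0 < amount <= out.get(src, 0):  # skip overdrafts and non-positive amounts
            out[src] -= amount
            out[dst] = out.get(dst, 0) + amount
    return out

@dataclass(eq=False)  # batches are compared by identity
class Batch:
    txs: list
    claimed: dict   # state the operator asserts, accepted optimistically
    posted_at: int  # hour of posting

class Rollup:
    def __init__(self, genesis):
        self.final = dict(genesis)  # last finalized state
        self.pending = []           # posted batches still inside their window

    def post(self, txs, claimed, now):
        batch = Batch(txs, claimed, now)
        self.pending.append(batch)
        return batch

    def challenge(self, batch, now):
        """Fraud proof: replay the batch; on mismatch drop it and all later ones."""
        if batch not in self.pending or now >= batch.posted_at + DTD_HOURS:
            return False  # already final or window closed: no redress
        i = self.pending.index(batch)
        prior = self.pending[i - 1].claimed if i else self.final
        if replay(prior, batch.txs) == batch.claimed:
            return False  # the claim was correct
        del self.pending[i:]
        return True

    def finalize(self, now):
        """Promote every batch whose window has expired unchallenged."""
        while self.pending and now >= self.pending[0].posted_at + DTD_HOURS:
            self.final = self.pending.pop(0).claimed
        return self.final

GENESIS = {"alice": 10, "bob": 0, "mallory": 0}  # constructed sample state

def scenario(challenge_hour):
    """Invalid batch posted at hour 0; challenge_hour=None models a silenced challenger."""
    rollup = Rollup(GENESIS)
    bad = rollup.post([("alice", "bob", 3)], {"alice": 0, "bob": 0, "mallory": 10}, now=0)
    caught = challenge_hour is not None and rollup.challenge(bad, now=challenge_hour)
    return caught, rollup.finalize(now=DTD_HOURS)
```

`scenario(24)` leaves the genesis state in place, while `scenario(None)` finalizes the false state; an honest batch is likewise not final until hour 168, which is the withdrawal delay users experience.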
I place my confidence in the STARK Validity Proof approach outlined above over Fraud Proofs, because it delivers blockchain scaling without the DTD, and verifies every transaction instead of relying on optimistic assumptions. This approach is also in line with the core principle of blockchains, which says: “Verify, don’t trust.”
It’s clear the blockchain is going to shape our future, but it’s also clear that for its full global potential to be achieved, blockchain needs to scale. Figuring out how to do this with computational integrity and without compromising the core principles of blockchains is one of the big contemporary challenges.
As our team receives messages daily from people around the world who are experimenting with StarkNet, executing contracts that operate with absolute integrity using STARKs, I think about where this project will lead us.
Around 15 years ago, we had a sense of the potential of smartphone apps but we were unable to imagine the multiplicity of uses, the range of benefits they would deliver, and the social and economic change they would unlock. This is where we stand now with blockchain, and scaling is the missing link which means the potential of blockchain can be achieved and experienced by all.
This will almost certainly mean access to finance for the unbanked and more opportunities for them, but it could also give a new lease of life to art and design via NFTs, and give health record-keeping the update it desperately needs before the next pandemic. Deployed for electoral systems it can make them easier to use to steer government in a more finessed way than bulk voting once every four years, and in the battle to safeguard our personal data and records, it can be transformative.
But I’m almost sure that in a decade or two I’ll reflect on the great advances blockchain was able to deliver after scaling, and it will be something that came out of left field — something I can’t yet even conceive of. And that is why working in innovation is both thrilling and extremely humbling, as we wait to see what others will achieve with technologies we helped unleash.