Posts Tagged ‘Blockchain’

Why it is possible for cryptocurrencies to gain and sustain value

This text is in large part based on the arguments from the NPR article on why gold historically became the standard currency, “A Chemist Explains Why Gold Beat Out Lithium, Osmium, Einsteinium”, and on my own comparison between the valuable properties of gold and the equivalent properties of Bitcoin and other cryptocurrencies.


So why DID gold win thousands of years ago over other forms of money and stay popular until now?

There are a few basic properties that are necessary for something to be useful as money: it is easy to store, easy to move, easy to divide accurately into parts, it doesn’t corrode and isn’t otherwise fragile or prone to deteriorate over time, and it isn’t dangerous to handle. Those are the basic physical properties, and without those nobody will want to use it.

And for the economic properties: it is scarce (unlike sand and practically all relevant metal alloys), it is hard to forge (or else you’ll get counterfeits everywhere), and supply is reasonably predictable and doesn’t increase too fast (something which is scarce on a global scale but doubles every month isn’t useful as money, and something you don’t know the supply of is too uncertain). Another important property is fungibility: that the majority of samples of it are similar enough to be interchangeable. Gold fulfills this since it is a pure element, which allows you to purify a sample of the metal by melting it and clearing out the unwanted elements, leaving you with pure gold which will always be the same (without fungibility every sample needs to be valued independently, which is a major PITA).

And since gold has fulfilled all those requirements better than the alternatives (as an example, it is more scarce and corrodes much less than silver), it has become highly valuable. You can with relative ease melt it into whatever shape and size you want, divide it into chunks of arbitrary size and store it safely for centuries without it going bad. And you can fairly easily verify that the gold indeed is real gold. So when people wanted to make trades with each other for valuable items, gold was one of the simplest options because there’s always somebody willing to accept it. All the other options were lacking in one or more of these properties compared to gold.

So how do cryptocurrencies like Bitcoin compare?

The comparison is quite straightforward: scarcity is guaranteed by the blockchain (the ledger of transactions) and the accompanying rules which all miners and Bitcoin wallets obey (anybody breaking the rules will be detected and ignored!); the rules of Bitcoin guarantee a maximum of just below 21 million coins and there’s no way around it. You can trivially confirm if the “coins” somebody claims to have are real by looking at the blockchain to see if the referenced transaction is there or not, and whether it has been moved away or not. Fungibility is provided as well, since on the blockchain all “coins” are essentially equivalent: they are all a form of “statement” in the ledger/database which the blockchain is (“X coins belong to address Y”). The divisibility goes down to 8 decimals, making for a total of 2,099,999,997,690,000 subunits (that’s two thousand trillion), and more decimals can be added if necessary.
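Where the “just below 21 million” and the subunit count come from, as an added example that is not part of the original post: the figures fall out of the issuance rules alone. The rules assumed here are the ones Bitcoin Core enforces (a 50 BTC initial subsidy, halved every 210,000 blocks, tracked in integer satoshis and rounded down at each halving); nothing else is taken from the post, and the function names are my own.

```python
# Added example: derive Bitcoin's supply cap from its issuance rules.
# Assumed rules (as enforced by Bitcoin Core): 50 BTC initial subsidy,
# halving every 210,000 blocks, subsidy kept in integer satoshis (1e-8 BTC)
# with the remainder dropped at each halving. That rounding is exactly why
# the cap ends up slightly below 21,000,000 BTC.

SATOSHI_PER_BTC = 100_000_000
INITIAL_SUBSIDY_SAT = 50 * SATOSHI_PER_BTC
HALVING_INTERVAL = 210_000


def block_subsidy_sat(height: int) -> int:
    """Subsidy (in satoshi) paid by the block at the given height."""
    halvings = height // HALVING_INTERVAL
    # Bitcoin Core returns 0 once the right shift would exceed 63 bits.
    if halvings >= 64:
        return 0
    return INITIAL_SUBSIDY_SAT >> halvings   # integer halving, remainder dropped


def total_supply_sat() -> int:
    """Sum of every subsidy that will ever be paid, in satoshi."""
    total = 0
    era = 0
    while True:
        subsidy = block_subsidy_sat(era * HALVING_INTERVAL)
        if subsidy == 0:
            break
        total += subsidy * HALVING_INTERVAL
        era += 1
    return total


def last_subsidy_height() -> int:
    """Height of the last block that still receives a non-zero subsidy."""
    era = 0
    while block_subsidy_sat(era * HALVING_INTERVAL) > 0:
        era += 1
    return era * HALVING_INTERVAL - 1


def format_btc(sat: int) -> str:
    """Render an integer satoshi amount with 8 decimals."""
    return f"{sat // SATOSHI_PER_BTC}.{sat % SATOSHI_PER_BTC:08d} BTC"


if __name__ == "__main__":
    cap = total_supply_sat()
    print("subunits (satoshi):", f"{cap:,}")
    print("cap:", format_btc(cap))
    print("last subsidised block:", last_subsidy_height())
```

The subunit total the post quotes is the sum over all halving eras of 210,000 times the (rounded-down) subsidy; the eras stop after 33 halvings because the integer subsidy reaches zero.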

To pay with gold you need to make sure it is already divided into parts of equal value to what you’re buying. No such need with Bitcoin; the software takes care of it automatically. Verifying that the gold is real is much harder than verifying Bitcoins. Bitcoins are far more lightweight – you just need to store the private keys that your addresses are connected to (using public key cryptography), and that can be done on paper, which means storage is easier by a huge margin once you reach larger values. Like gold, Bitcoins which you hold don’t deteriorate over time. The supply of Bitcoin is highly predictable and scarcity is certain, similar to gold (it is actually far less certain for gold, with the potential for asteroid mining in the future).

Using a Bitcoin wallet is simple. Some of the most common ones are Electrum or Bitcoin Core on computers, Mycelium and Schildbach’s Bitcoin Wallet on Android, and Breadwallet on iOS. None of them need any registration of any kind to use, and they can all verify that the “coins” sent to you are real with no extra work required on your part. To send a transaction all you need is an internet connection. Making transactions takes merely seconds, and you can send money globally without a problem. Receiving coins is equally simple: just install one of those wallets and start it, and give the sender the address which your wallet automatically generated – you don’t even need to be online when receiving! That’s all you have to do, and the wallet tells you when the “coins” are yours to spend. The “coins” will stay there forever if you don’t touch them, and with the high divisibility of Bitcoin you can easily send exactly the sum you want (one thousandth of a dollar? no problem!). No third party needs to be involved, and neither party needs to trust the other any more than they normally would if it were a cash payment or if gold was used to pay.

So then we have established that Bitcoin can match the properties which enabled gold to gain and sustain value, but why would it gain value in the first place? Why would people start to use it, and where does the demand come from?

I have already mentioned some of the first reasons above – it can be used globally without any need to ship anything around, it is easier to verify and it is easier to store. But that’s not all, far from it. Thanks to the combination of the blockchain and proof-of-work mining, Bitcoin had the ability to introduce a bunch of new features which are unparalleled – Bitcoin has a scripting language, making it programmable money! It is the first truly decentralized cryptocurrency; all the predecessors relied on central servers and were under the control of a third party.

Can you imagine being able to program a piece of gold to teleport back into your vault if the seller didn’t fulfill the terms you agreed to? With Bitcoin you can do something with just that effect using 2-of-2 multisignature escrow. Can you imagine being able to securely ensure that something like 3 of 5, or 7 of 10 (or any other combination of numbers you like), people on the board of a company MUST sign all transactions that spend money from the reserves of the company, as if a bar of gold would refuse to move unless enough board members agreed? With Bitcoin you can achieve just that using m-of-n multisignature transactions. Can you imagine being able to prevent a sum of money from being spent before a certain date, as if you could make a bar of gold refuse to move until a given day? With Bitcoin you can do that using timelock transactions. And that’s just the beginning!

So not only does Bitcoin match the properties of gold which enabled it to gain and sustain value, it also provides entirely new and unmatched incentives to use it. If you are involved in just about anything where you want to enforce a certain set of rules on how the money can be spent, Bitcoin can make your life much simpler. If Bitcoin is the best option available to achieve a goal, then there also exists demand for it. And when there’s both demand and a limited supply, it gains value and will have a market price.

What about altcoins (“alternative coins”, other blockchain based cryptocurrencies), why wouldn’t one of them replace Bitcoin? That answer could fill an entire book, but the short answer is that because of the network effect most people will want to use the most popular cryptocurrency, a spot that Bitcoin holds and has held since shortly after its release.

Cryptocurrencies become exponentially more useful the more people that accept them. It’s the same reason why there are usually just a few social networks that are big at a time, being considered the place to go for discussions and organizing events, and so on. It is the same reason why the phone networks of most countries are compatible and interconnected. Bitcoin was both first out and good enough to make sure that any competitor needs to be substantially better to be able to beat it. Any competitor would need features that Bitcoin is unable to replicate, but since Bitcoin fundamentally is a computer protocol implemented in software it can also be updated to replicate any feature of a competitor before that competitor gains momentum. So the probability that an altcoin would overtake Bitcoin is very slim, and any software developer capable of creating a better altcoin would likely gain more from working on improving Bitcoin itself instead.

Then there’s the question of how valuable it will become. Since the demand on global markets is inherently unpredictable (you can never be certain that current trends continue), nobody can possibly know for certain. There’s no guarantee it will ever go up from here, because for all we know it might already have found its niche in the market. My personal opinion is that what it offers is so much better than the current options (mainly fiat currencies, also known as state issued paper money) and payment mechanisms (such as credit cards and PayPal) that the demand should grow in the future when other people take a closer look and decide that its features are desirable.

One thing we can know for certain is that it will be interesting to follow its progress in the future, no matter where it goes.

If you have any questions, feel free to ask below. I’ll try my best to answer most questions, anything from questions about the technology to the economic incentives and how to use it.

An MPC based privacy-preserving flexible cryptographic voting scheme

There are various reasons why electronic voting isn’t widely used, and some of the biggest problems are ensuring anonymity for the voters, ensuring that votes can’t be manipulated or otherwise tampered with, that you can be certain your vote has been included and counted correctly, that the full vote count is performed correctly, that the implementation is secure, that votes can’t be selectively excluded, that fake votes won’t be counted, etc…

That’s a pretty long list of dangers!

My own idea for a cryptographic voting scheme below attempts to account for all these problems, as well as some more. Originally I posted about this idea on Reddit here.

This voting scheme relies on a variety of cryptographic primitives, including symmetric cryptography like key derivation functions (KDF, like HKDF) and encryption (such as XChaCha20+Poly1305), public key encryption / asymmetric encryption (ECC / ECIES), Secure Multiparty Computation (MPC, like SCALE-MAMBA), Shamir’s Secret Sharing Scheme (SSSS), zero-knowledge proofs (ZKP, like ZK-STARKs) and personal smartcards to implement signing and encryption of the votes.

As a fundamental requirement every voter must have their own personal cryptographic asymmetric keypair on a smartcard. This card could for example be integrated in a state issued ID card, like they do in Estonia. As a simple way of improving the security margin for these keys (to avoid risks like insecure key generation), a new keypair is generated on the card when the owner has received it, and they digitally sign a notification to the issuer to replace the old keypair and register the new one. The card issuing entity verifies the identity of the voters and thus of the card owners, and tracks which public key is linked to each card.

Secure Multiparty Computation (MPC) can be described as a way of letting several entities create a shared “virtual machine” that nobody can manipulate or see the inside of, in order to simulate a secure trusted third party server. Thanks to advanced cryptography, we can use distrust to our advantage, since strong implementations of MPC can’t be exploited unless the majority of the participants collude maliciously against the rest.

The MPC participants would include a number of different organizations involved in the voting process which have conflicting interests (to prevent them from willingly collaborating), such as the major parties (as an assurance for them), civil organizations like EFF and ACLU (as an assurance for the people), federal agencies like NSA, FBI and the White House (as an assurance for the government), the department running the election, and more.

Because each of them runs only one node, following the MPC protocols, they know nothing more than what they put in and what they are supposed to get as output from it – and because they DO NOT want to work together (due to conflicting goals) to spy on or alter the result, it’s safe*!

  • For various probabilities of safe. You also have to assume nobody’s able to hack a majority of the participants, or blackmail enough participants, or break the cryptography.

As a part of the initial setup process, they all create a random “seed” each (a large random number) that they provide as input to the MPC. First of all, when the MPC system has the random input seeds, it combines them with an HKDF to ensure the output is properly random – this means that only one participant needs to be honest and use a true random number in order for the result to be both unpredictably random and secret from all the participants. This result is the MPC seed.

Then that output is used as the seed for generating secure keys and random numbers, including the MPC voting system’s main keypair. The MPC participants also provide a list of the registered eligible voters and their respective public keys. All participants must provide IDENTICAL lists, or the MPC algorithm’s logic will detect it and just stop with an error. This means that all MPC participants have an equal chance to audit the list of voters in advance, because the list can’t be altered after they all have decided together on which version to use. Something like a “vote manifest” is also included to identify the particular vote and declare the rules in use.
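The two setup steps just described (combining the participants’ seeds with an HKDF, and refusing to continue unless every participant handed in the same voter list), written out as an added example. This is not code from the original post and not an MPC implementation: it shows the logic each step performs, in the clear, using HMAC-SHA256 as the HKDF hash. The function names, the `mpc-master-seed` info label, the use of the manifest identifier as the HKDF salt, and the sample seeds and voter entries are all my own assumptions.

```python
# Added example: MPC setup logic in the clear (HKDF per RFC 5869 with
# HMAC-SHA256, plus the "identical voter lists or stop" check).
import hashlib
import hmac
import json


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_seeds(seeds, manifest_id: bytes) -> bytes:
    """Fold every participant's seed into one 32-byte MPC seed.

    Each seed is length-prefixed before concatenation so that two different
    seed lists can never produce the same input keying material. HMAC mixes
    all of its input, so a single unpredictable seed is enough to make the
    result unpredictable to everybody else (assumed manifest id as salt).
    """
    if not seeds:
        raise ValueError("at least one participant seed is required")
    ikm = b"".join(len(s).to_bytes(4, "big") + s for s in seeds)
    prk = hkdf_extract(manifest_id, ikm)
    return hkdf_expand(prk, b"mpc-master-seed", 32)


def voter_list_digests(submissions: dict) -> dict:
    """SHA-256 of each participant's submitted voter list, canonically encoded."""
    digests = {}
    for participant, voter_list in submissions.items():
        canonical = json.dumps(voter_list, sort_keys=True, separators=(",", ":")).encode()
        digests[participant] = hashlib.sha256(canonical).digest()
    return digests


def agree_on_voter_list(submissions: dict) -> bytes:
    """Return the agreed list hash, or raise (the MPC 'stops with an error')
    if any two participants submitted different lists."""
    digests = voter_list_digests(submissions)
    if len(set(digests.values())) != 1:
        detail = ", ".join(f"{p}={d.hex()[:8]}" for p, d in sorted(digests.items()))
        raise ValueError("voter lists differ between participants: " + detail)
    return next(iter(digests.values()))


if __name__ == "__main__":
    # Constructed sample inputs: three participants with fixed 32-byte seeds
    # and two placeholder voter entries.
    seeds = [bytes([i]) * 32 for i in (1, 2, 3)]
    print("MPC seed:", combine_seeds(seeds, b"example-manifest-id").hex())
    voters = [{"id": "voter-1", "pubkey": "aa" * 32}, {"id": "voter-2", "pubkey": "bb" * 32}]
    print("agreed list hash:", agree_on_voter_list({"A": voters, "B": voters, "C": voters}).hex())
```

Inside a real MPC the seeds would be secret-shared inputs and the HKDF would be evaluated as a joint circuit; the point the example makes is that replacing any one seed changes the derived value completely, so a single honest participant suffices, and that a one-byte difference in any voter list is enough to halt setup.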

The MPC system will then use its main keypair to sign the voter list and the manifest, and then it will use Shamir’s Secret Sharing Scheme (SSSS) and encryption to split its private key into one part for each MPC participant (more on this below), and provide each MPC participant with the MPC public key, the signed manifest, the voter list and an individual share of the main keypair’s private key.

SSSS is a method of splitting up data so that it can only be recovered if you have enough shares (reaching a defined threshold), which in the case of the vote system would be all the shares of all the MPC participants (if you don’t have enough shares to reach the threshold, the key can’t be recovered). Setting other thresholds is possible, such as 2 of 3 or 45 of 57 or anything else you need.
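Shamir’s scheme as an added example (my own code, not from the original post): a secret is the constant term of a random polynomial of degree threshold-1 over a prime field, each participant gets one point on the curve, and any threshold points recover the constant term by Lagrange interpolation at x = 0, while fewer points give no information. The Mersenne prime 2^521-1 as the field, the share format and the sample key are assumptions; the post only fixes the threshold (all participants, or any other m of n).

```python
# Added example: Shamir's Secret Sharing over GF(p) with p = 2^521 - 1.
import secrets

PRIME = (1 << 521) - 1   # Mersenne prime M521, larger than any 256-bit key


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of a polynomial (low-order coefficient first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int, randbelow=secrets.randbelow):
    """Return share_count (x, y) points; any `threshold` of them recover the secret."""
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [s] + [randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # pow(den, p-2, p) is the modular inverse of den (Fermat).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_key(shares, key_len: int) -> bytes:
    """Recover a key of key_len bytes; a value that does not fit means the
    shares were too few or corrupted (the interpolated point is then random)."""
    value = recover_secret(shares)
    if value >= 1 << (8 * key_len):
        raise ValueError("recovered value does not fit: too few or corrupted shares")
    return value.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 32-byte "MPC private key" split so that all three
    # participants must cooperate (threshold == share_count, as in the post).
    key = bytes(range(32))
    shares = split_secret(key, threshold=3, share_count=3)
    print("recovered with all 3 shares:", recover_key(shares, 32) == key)
    print("value from only 2 shares:", hex(recover_secret(shares[:2]))[:18], "...")
```

With threshold equal to the number of participants, as the post proposes for the election key, a single missing share leaves the interpolation at x = 0 uniformly random over the field; in production the shares would additionally be encrypted to each participant’s key and the key would be reassembled only inside the MPC.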

Time for voting. The public MPC key is now distributed EVERYWHERE. On every advertisement about the vote, the key is there (maybe in QR code form). This ensures that everybody knows what it is, and thus we prevent man-in-the-middle (MITM) attacks against voters (which would be somebody swapping out the MPC key to find out what people voted for).

Now, the voter makes his vote. He generates a nonce (a unique number used once), makes his vote, signs it with his keypair, and encrypts this with the public MPC key (the signing and encryption are both done on the personal smartcard in one go). This vote is now sent to the voting management organization (maybe this is done on-the-spot if the voter is at a voting booth).

Since the vote wasn’t encrypted with his own keypair, he CAN NOT decrypt it which means that nobody can prove what he voted for using just the encrypted message (for as long as the MPC remains secure!). To know what a person voted for, you need to physically watch him vote!

To add a level of transparency in the vote submission process, all votes are registered on a blockchain or a similar timestamping mechanism, such as through Bitcoin, and they are digitally signed by the voting management organization to prove that they too have seen them. This means that you can nearly instantly verify that your vote is going to be included unmodified in the count. Attempts at excluding votes from certain areas or certain users would be obvious and provable as soon as the voting result is published.

Encrypted votes can’t be modified without detection, and once timestamped they can also NOT be modified in a way which would change what they count towards and yet remain valid – any modified votes WILL be detected by the MPC system and rejected. Fake votes will also be detected and rejected. To make sure your encrypted vote will be counted, you just need to make sure it is included unmodified. When the time to vote ends, new submissions are no longer accepted or signed by the vote management organization. After the deadline, a final list of encrypted votes is signed and published.

For efficiency in the MPC counting and for transparency, the voting management organization gathers all the encrypted votes that were signed and registered in the blockchain, takes the hash of the last block and generates a zero-knowledge proof that all votes submitted before that last block, identified by the given hash, are included in the vote list. The signed vote list is published together with the zero-knowledge proof.
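The “is my encrypted vote in the published list, unmodified?” check from the last three paragraphs, as an added example that is not part of the original post and not the author’s scheme. The post specifies a blockchain timestamp plus a zero-knowledge proof of completeness; the Merkle tree below is an assumed, simpler stand-in for the inclusion part only: the publisher commits to the ordered list of encrypted votes with one root hash, each voter receives a short proof for their own entry, and any change to a vote (or to the proof) makes the check fail. The domain-separation prefixes, the promotion of an odd node rather than duplicating it, and the sample ciphertexts are my own choices.

```python
# Added example: Merkle-tree inclusion proofs over a published list of
# encrypted votes (assumed stand-in for the post's timestamp + ZKP step).
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(encrypted_vote: bytes) -> bytes:
    return _sha256(b"\x00" + encrypted_vote)   # 0x00 prefix: leaves


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)      # 0x01 prefix: inner nodes


def _next_level(level):
    """Pair up hashes; an unpaired last hash is promoted unchanged
    (no duplication, so a list with n and n+1 entries never shares a root)."""
    nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])
    return nxt


def merkle_root(encrypted_votes) -> bytes:
    """Commitment the publisher signs together with the vote list."""
    level = [leaf_hash(v) for v in encrypted_votes]
    if not level:
        return _sha256(b"")
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(encrypted_votes, index: int):
    """Sibling hashes from the leaf at `index` up to the root, each tagged
    with whether the sibling sits on the right."""
    level = [leaf_hash(v) for v in encrypted_votes]
    proof = []
    while len(level) > 1:
        if index % 2 == 1:
            proof.append((level[index - 1], False))      # sibling is on the left
        elif index + 1 < len(level):
            proof.append((level[index + 1], True))       # sibling is on the right
        # otherwise this node was promoted: nothing to add at this level
        level = _next_level(level)
        index //= 2
    return proof


def verify_inclusion(root: bytes, encrypted_vote: bytes, proof) -> bool:
    """What the voter runs: recompute the path and compare with the signed root."""
    h = leaf_hash(encrypted_vote)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


# Constructed sample data: placeholders standing in for real ciphertexts.
SAMPLE_VOTES = [f"ciphertext-of-vote-{i}".encode() for i in range(5)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_VOTES)
    proof = inclusion_proof(SAMPLE_VOTES, 2)
    print("root:", root.hex())
    print("vote 2 included:", verify_inclusion(root, SAMPLE_VOTES[2], proof))
    print("tampered copy included:", verify_inclusion(root, SAMPLE_VOTES[2] + b"x", proof))
```

The voter needs only the signed root (which would sit in the timestamped block) and their own proof, so checking inclusion costs a handful of hashes rather than a scan of the whole list; proving that nothing was left out is the separate completeness property the post assigns to the zero-knowledge proof.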

Then it is time for the vote counting. The MPC participants then hand the MPC their individual SSSS shares of the master keypair, the signed vote list with the blockchain hash and the zero-knowledge proof, the manifest and list of voters, the counting rules, random seeds, and all other data it needs.

The MPC keypair is reassembled and decrypted inside the MPC system. It verifies the Zero-knowledge proof of the vote list being complete, decrypts the votes, verifies all votes (checks signatures, syntax and that it follows the rules from the manifest), checks that no voter’s key is used more than once (duplicates are discarded; alternatively a more recent vote in the blockchain could replace previous ones), and counts them according to the chosen method of vote counting.

When it is done it generates the voting statistics as output, where each vote option is listed together with all vote nonces listed next to it; it specifies which blockchain hash it was given (to show it has processed all votes registered in the blockchain), references the manifest, and the MPC then signs this output. Except for the vote result itself, the statistics could also include things like the number of possible voters (how many there were in the voting list), the number of votes, how many parties there were, how many votes each party got, etc…

So now you search for your nonce in the output and check that the vote is correct. The nonce CAN NOT be tied to you; it’s just some random number. You can lie that yours belongs to somebody else, or you can pretend to have another one. The number of votes can be verified.

However, done in this way we’re vulnerable to a so called “birthday attack”. The thing is that if there have been 20 000 votes for political party X and their followers threaten 5 000 people, chances are that more than one voter will claim the same nonce voting for party X is theirs (roughly 22% risk per voter). So how do we solve this? Simple: let the voter make both one real vote and several fake votes (“decoy votes”). Then the voter has several false nonces that he can give, including one that says that he voted for party X. Only the voter himself can know which nonce belongs to the real vote! To prevent the adversary that threatens him from figuring out if and how many false votes the voter made, the size of the encrypted voting messages should be static with enough margin for a number of “decoy votes” (if there are several possible adversaries that could threaten you based on your vote). Now these guys could threaten 30 000 people, but even if there are just 20 000 voters for their party they still can’t say which 10 000 (or more) it was that voted for somebody else or prove anybody wrong. (The MPC would then also report the total number of decoy nonces vs real ones.)
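Where the “roughly 22%” comes from, and what the decoy votes change, as an added example that is not part of the original post. Under the modelling assumption that each coerced voter who did not vote for X picks a nonce uniformly at random from X’s published nonces, the chance that a given voter’s claim coincides with at least one other coerced voter’s claim is 1 - (1 - 1/20000)^4999, which is about 0.221; the simulation below reproduces that count and then shows that when every voter has a decoy nonce of their own under X there is nothing to collide. The worst-case assumption that none of the coerced voters actually voted X, the 64-bit nonces and the seed are mine.

```python
# Added example: the nonce-collision ("birthday") risk without decoy votes,
# and its disappearance with decoys. Model assumptions are labelled below.
import random
from collections import Counter


def per_voter_collision_probability(party_votes: int, coerced: int) -> float:
    """Chance that one coerced voter's claimed nonce is also claimed by at
    least one of the other coerced voters, assuming each picks uniformly and
    independently from the party's published nonces (assumed model)."""
    return 1.0 - (1.0 - 1.0 / party_votes) ** (coerced - 1)


def simulate_coercion(party_votes: int, coerced: int, use_decoys: bool, rng: random.Random) -> int:
    """Count coerced voters whose claimed nonce collides with another claim.

    Worst case for the voters (assumed): none of the coerced voters actually
    voted for party X, so each of them must point at a nonce from X's list.
    """
    published = [rng.getrandbits(64) for _ in range(party_votes)]   # X's real-vote nonces
    if use_decoys:
        # Every voter also cast a decoy vote for X, so each coerced voter has a
        # distinct nonce of their own in X's published list to show.
        claims = [rng.getrandbits(64) for _ in range(coerced)]
    else:
        # Without decoys the only option is to point at somebody else's nonce.
        claims = [rng.choice(published) for _ in range(coerced)]
    counts = Counter(claims)
    return sum(1 for c in claims if counts[c] > 1)


def run_scenario(party_votes: int = 20_000, coerced: int = 5_000, seed: int = 1) -> dict:
    """The post's numbers: 20 000 votes for X, 5 000 people threatened."""
    return {
        "analytic_per_voter": per_voter_collision_probability(party_votes, coerced),
        "without_decoys": simulate_coercion(party_votes, coerced, False, random.Random(seed)),
        "with_decoys": simulate_coercion(party_votes, coerced, True, random.Random(seed)),
    }


if __name__ == "__main__":
    result = run_scenario()
    print(f"analytic per-voter collision risk: {result['analytic_per_voter']:.3f}")
    print("coerced voters caught in a collision, no decoys:", result["without_decoys"])
    print("coerced voters caught in a collision, with decoys:", result["with_decoys"])
```

The analytic figure gives an expected 5000 × 0.221 ≈ 1100 exposed voters without decoys; the same simulation with decoys returns zero collisions, which is the property the fixed-size vote message is meant to preserve by hiding how many decoys each voter submitted.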

The best part? We can use ANY type of voting, such as preferential, approval, weighted, ranked, etc! It’s just a piece of text anyway that allows for arbitrary syntax, and you can “encode” ANY kind of vote in it! You can use a simple most-number-of-votes, or a score from 1-10, etc…

In the end, you know that your vote has been counted correctly, everybody knows no fake votes have been added, that none has been removed, it’s anonymous, and the only way to force individual voters to vote as you wish is to physically watch them vote.

If you trust that these 10+ organizations won’t all conspire together against the voters, you can be pretty sure the voting has been anonymous AND secure. The only way to alter the counting or other computational parts on the side of the voting management requires nearly full cooperation between people in ALL participating organizations that have full access to the machines running the Secure Multiparty Computation protocol – and they MUST avoid ALL suspicion while at it!


If you can distribute personal keypairs securely to the voters, nobody can alter/fake votes outside the Secure Multiparty Computation system.

  • A majority of the Secure Multiparty Computation participants have to collude and be in (near) full agreement to break the security of the system. If their interests are conflicting, it just won’t happen.
  • The security of the system relies on the cryptographic security + the low risk of collusion among enough MPC participants. If you accept both of these points as strong, this system is strong enough for you.
  • It’s anonymous
  • You can verify your vote
  • You can’t be blackmailed/forced to reveal your vote, because you can fake *any* vote

Potential weaknesses

  • The public won’t fully understand it
  • The ID smartcards with the personal keypairs must be protected, the new personal keys must be generated securely
  • We need to ensure that the MPC and Zero-knowledge proof algorithms really are as secure as we assume they are

I’ve changed the scheme a bit now from the original version. It should be entirely secure against all “plausible” attacks except for hacking all the MPC participants at once or against an attacker that can watch you physically while you make the vote. The latter should not be an issue in most places and can probably not be defended against with any cryptographic scheme, while the first is all about infrastructure security, and also not cryptographic security.

Feedback is welcome. Am I missing anything? Do you have any suggestions for useful additions or modifications? Comment below.

Universal P2P address book software using Namecoin

After having seen numerous social networks and blog hosts and personal website hosts go down over time and old accounts go abandoned, and after coming to the conclusion that the only method of long term addressing that seems secure and reliable has to be based on cryptographic public keys, I’ve thought up a type of address book software that would be independent of servers and yet could always stay up to date in sync, and work in a secure manner.

So let me introduce you to Namecoin. Some years ago a guy called Zooko, who is quite well known in the crypto community, coined the concept called Zooko’s triangle. The idea is that you could only have any two of three of globally unique nicknames, decentralization and memorability. What he and most of the rest of the world at that point weren’t yet aware of was that you could achieve all three if only you can achieve a global consensus following the same set of rules. And the first system to achieve just that was Bitcoin, which uses a blockchain and proof-of-work to achieve a secure global consensus, used to establish ownership and transfers of tokens of value. And so a few years later Namecoin was born, in which anybody can register names of various types and assign data to them, where each name can only be registered once, and where the entry owner (the first to register it) can use the same public key he used to register it in order to update it through digital signatures.

So what does that have to do with our address book software? Easy – in order to add your friends to your friend list you do NOT have to enter or remember or verify a long string of random characters (a public key) or trust a server to give you the correct key (GPG key servers, Facebook, blogs), while the username still can be unique. So when you want to add your friend all you need is his nickname, no different than what you’re used to when following somebody on Twitter, Tumblr, Facebook or Reddit or anywhere else. And you do not have to worry about any service shutting down, because the Namecoin blockchain is global and maintained by thousands of “miners” who add more and more proof-of-work to the chain over time, for numerous reasons. So once you have registered your username, your friends can come back 20 years later and it will still be there, and you will still be able to update it.

So basically, the address book software would be a piece of software that holds a list of the Namecoin registered nicknames of your friends, and which on a regular basis fetches the latest data from the blockchain to look for updates from your friends. The file with this list of yours could also easily be synced between your devices, such as your laptop and phone, etc. This way you ALWAYS know which blog they’re currently using, their current email, which social media they use, etc, and can always contact them, and you won’t be affected by any servers going down. All the data wouldn’t have to be stored in the blockchain either, just an address to a place to fetch your full profile data, and the data there could be signed by the same key used to create the Namecoin registration so that the data can be authenticated (if the data is modified, the signature won’t validate).

(More updates coming later)
