Technology Salon Phase II, Shanghai Station: Is Blockchain Really Safe?

On December 2, the second phase of the "Chainge" Technology Salon, co-sponsored by Babbitt and COCOSPACE, was held in Shanghai. The salon invited Yuanjian CTO Chen Hao, Bytom core developer Zhu Yiqi, μMatrix founder Ma Baochun, 5miles CMO George Chen and other guests. Under the theme "Is blockchain really safe?", they shared and discussed their understanding of blockchain security and the development of blockchain projects.

Yuanjian CTO Chen Hao

Yuanjian CTO Chen Hao discussed blockchain security considerations from the perspective of digital identity.

First, the definition of digital identity. When we are asked "who are you", we usually present our household register or ID card to prove our identity. But the ID card or household register does not really represent the individual's identity; it only serves to prove it. Identity should be understood as the collection of all objective, ordered events involving an individual or institution along a natural timeline. This collection has one or more characteristics and two core functions: it can be verified and it can be authorized. Extended further, digital identity is identity in the above sense as it occurs in computer systems and networks. Digital identity on the blockchain refers to the collection of on-chain records of identity ledgers made up of different roles, and it has a unique identifier (DID) by which it can be identified.

Second, user privacy and anonymity. Chen Hao believes the two must not be confused. User privacy is a concept shaped by social and cultural descriptions of personal boundaries, and it is a kind of data: our family relationships, phone numbers and so on are regarded as personal privacy. Anonymity is a function: it indicates that our private data is anonymous.

On the relationship between user privacy and anonymity, Chen Hao believes that anonymity does not necessarily represent digital identity, while digital identity must have anonymity; that is, the former is the necessary and sufficient condition of the latter. Therefore, when the concept of anonymity is extended to identity it must have its own boundaries, that is, it must form a data set, similar to Personally Identifiable Information (PII) in the United States. Chen Hao does not recommend placing sensitive information on the blockchain; it should instead be kept on the identity terminal. The identity terminal is the agent through which a user enters the blockchain network (such as a blockchain wallet or a hardware device). Once the user has been authenticated, the agent is able to verify identity and to validate the data and capabilities of the blockchain digital identity.

Finally, digital identity and anonymity. After comparing three anonymous digital currencies, Dash, Monero and Zcash, Yuanjian chose to consider using the anonymity methods of Monero and Zcash. Monero's anonymity comes from stealth addresses and ring signatures; Zcash supports zero-knowledge proofs (ZKPs).

Digital identity refers not only to the digital identity of people but also to that of things, as in the Internet of Things. As an institutional dataset, it requires public scrutiny and must be absolutely open; datasets can be completely or partially shared between trusted digital identities; and, most importantly, digital identities make it possible to build new BaaS applications based on trust.

Bytom core developer Zhu Yiqi

Zhu Yiqi first introduced Bytom. Bytom is a blockchain interaction protocol for multiple bit assets: different types of assets running on Bytom can, through the protocol, be exchanged, wagered and made to interoperate in complex ways based on smart contracts. Put simply, it is a blockchain asset management tool. Examples include C2C currency trading tools that need no credit endorsement, referees that guarantee fair execution of wagering agreements, managers of corporate option allocations, and more. Anyone can issue an asset on Bytom, and the Bytom Foundation uses ODIN technology to provide companies and individuals with "blockchain CA certification" to ensure the authenticity of the asset.

In terms of security and privacy, Bytom's design is as follows: accounts are visible only locally, and only smart contracts are recorded on the blockchain; a contract can be derived from an account, but the account cannot be derived back from the contract; and every transaction under an account automatically generates a new contract, so that the transactions as a whole form a tree rather than a ring, and no one can work out the relationships in the transaction graph.

In addition, Zhu Yiqi put forward the concept of implicit contracts. For example, if you write a smart contract but do not want others to know its specific content, you can lock the assets with the hash of the smart contract and make the contract public only when the assets are unlocked. The point is that no one can be sure the smart contract they wrote is safe. Take The DAO, where a hacker discovered an exploit in a smart contract: if no one could see the smart contract, there would be no attack and no similar tragedy.
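The implicit-contract idea described above, as an added example that is not code from the talk or from Bytom: a toy ledger records only the hash of a contract and accepts the contract body at unlock time. The contract format, `Ledger`, `make_contract` and the other names are hypothetical; the nonce shows why a predictable contract needs added randomness to stay hidden behind its hash.

```python
import hashlib
import hmac
import json
import os
def commit(source: bytes) -> str:
    """Hash published on-chain in place of the contract body."""
    return hashlib.sha256(source).hexdigest()

def make_contract(signer: str, min_height: int) -> bytes:
    """Toy contract in a constructed JSON format: `signer` may spend from `min_height`.
    The random nonce keeps observers from confirming a guessed template by hashing it."""
    body = {"signer": signer, "min_height": min_height, "nonce": os.urandom(16).hex()}
    return json.dumps(body, sort_keys=True).encode()

def evaluate(source: bytes, witness: dict) -> bool:
    """Run the revealed contract; a real chain would verify a signature, not a name."""
    rule = json.loads(source)
    return witness.get("signer") == rule["signer"] and witness.get("height", 0) >= rule["min_height"]

class Ledger:
    """Toy ledger: stores only the commitment until a successful unlock."""
    def __init__(self):
        self.locked = {}    # asset id -> contract hash (public)
        self.revealed = {}  # asset id -> contract source (public after unlock)
    def lock(self, asset_id: str, commitment: str) -> None:
        self.locked[asset_id] = commitment

    def unlock(self, asset_id: str, source: bytes, witness: dict) -> bool:
        commitment = self.locked.get(asset_id)
        if commitment is None or not hmac.compare_digest(commit(source), commitment):
            return False                  # not the contract that was committed to
        if not evaluate(source, witness):
            return False                  # committed contract, but its condition fails
        self.revealed[asset_id] = source  # the body becomes public only here
        del self.locked[asset_id]
        return True

def demo() -> dict:
    ledger, contract = Ledger(), make_contract("alice", 100)
    ledger.lock("asset-1", commit(contract))
    guess = json.dumps({"signer": "alice", "min_height": 100}, sort_keys=True).encode()
    return {
        "template_guess_matches": commit(guess) == ledger.locked["asset-1"],
        "swapped_contract": ledger.unlock("asset-1", make_contract("bob", 0), {"signer": "bob", "height": 1}),
        "too_early": ledger.unlock("asset-1", contract, {"signer": "alice", "height": 99}),
        "hidden_until_spend": "asset-1" not in ledger.revealed,
        "valid_unlock": ledger.unlock("asset-1", contract, {"signer": "alice", "height": 120}),
        "public_after_spend": ledger.revealed.get("asset-1") == contract,
    }
```

The contract stays hidden only until the first successful unlock; after that its body is public, so the hash lock delays review of the contract rather than replacing it.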

How can contract calls be made safer? Zhu Yiqi took as an example the Ethereum Parity wallet vulnerability that occurred in November, an incident that has left 511,700 ether frozen to date. Zhu Yiqi said the flaw was not in the wallet itself but in a library called wallet: when the Ethereum contract address pointer was used, a programmer inadvertently destroyed the underlying library, and as a result the assets of all the multi-signature wallets were frozen. By contrast, in Bytom's design contract calls take a cautious approach. When a smart contract is created, it is added as a subcontract, which ensures that the contract will not be invalidated by any external factor after it is written.

μMatrix founder Ma Baochun

Today's Internet trust system is based on PKI (Public Key Infrastructure), but it is not secure: it is centralized, it is open to abuse and misappropriation, and the maintainers of basic open source libraries do not receive the rewards they are due. Even some of the big names we know have not been spared. For example, Apple used to describe its system on its official website as the world's most secure operating system, but that claim can no longer be found on Apple's website. In October this year, because of the ROCA vulnerability at the world-renowned semiconductor maker Infineon, 760,000 ID cards in Estonia that used encryption keys from Infineon chips were suspended. Security problems at these big companies have a profound impact.

Which security aspects of blockchain are worth learning from? This should start with the characteristics of the blockchain. For Ma Baochun, first, the blockchain uses a consensus mechanism, P2P technology and cryptography to replace trust in third parties, so it can be regarded as a chain of trust. Second, the blockchain uses cryptographic algorithms such as ECDSA, EdDSA, SHA and Merkle trees. Third, the blockchain adopts consensus algorithms such as PoW, PoS, dPoS and xBFT. In addition, light nodes and full nodes also bear on security, because a light node, besides performing cryptographic operations, also exchanges data with the full node's database, and the question is whether that exchange is transmitted in plaintext or encrypted.

What security issues do blockchain wallets need to pay attention to? There are two main points: how to prevent the wallet from being attacked and how to prevent it from being lost. Ma Baochun listed some common ways of addressing these problems, such as brain wallets, paper wallets, multiple signatures, hardware wallets, hot/cold wallets, wallets with smart contracts and so on. Each method has its own advantages and disadvantages. A paper wallet is relatively safe, but it is easy to lose or damage. Multi-signature wallets suit corporate use, where they prevent embezzlement, but are of little value among family members. Hardware wallets are actually not as safe as advertised, because their security depends not only on the curves but also on the people who make them; before using one, understand how its system logic is implemented. Wallets with smart contracts are also less secure: Parity was built by the team of former Ethereum CTO Gavin Wood, yet major security holes still occurred.

How can security be improved? Ma Baochun shared his own thinking on the root of trust, random numbers, building from the bottom up, patches, code security audits, smart contracts, multiple signatures, offline signatures, hardware wallets, biometric information and unexpected situations. In particular, Ma Baochun pointed out that "whoever is at the bottom has a better chance of doing security well": whoever works closer to the bottom layer has more opportunity to obtain the data, and so has a better chance both of undermining security and of getting it right. In addition, smart contracts should not be too complicated; the simpler the better. Biometric information should be used as a personal ID but not as a password.

5miles CMO George Chen

5miles is a US local C2C trading platform established in 2015. It is exploring the combination of blockchain technology and e-commerce in the hope of creating a decentralized "e-commerce +" platform that focuses on e-commerce, local classified information and commercial C2C scenarios. George Chen described 5miles' security measures in five areas: cold address protection, server protection, back-end system protection, website protection and security system monitoring. For example, the private key and the password are kept by different people; the cold address is kept outside the company's office; login requires VPN plus Google two-factor authentication and uses a dedicated 4G router; the key blockchain node servers use an independent security group; and white hat companies are engaged to verify system vulnerabilities.

Finally, during the roundtable forum, guests discussed the choice of consensus algorithms, the influence of quantum computers on cryptography, the necessity of open-sourcing blockchains and talent in the blockchain field. Yuanjian and Bytom use the PoW consensus algorithm. Ma Baochun said the consensus algorithm should be chosen according to the scenario, rather than holding a hammer and looking for nails. Attendees agreed that the commercialization of quantum computers will not be ripe in the short term, and that a blockchain must be open source. On talent, many guests said that all-round people who can both write code and communicate well are scarce, while some said they do not lack technical staff but hope to find scenarios for developing POC business, as well as investors who are optimistic about combining blockchain with all sectors of industry.