Enterprise Readiness of Permissioned Blockchain

Harika Narumanchi and Nitesh Emmadi, TCS Innovation Labs, India

IEEE Blockchain Technical Briefs, December 2018

 

Blockchain is an immutable shared ledger that enables mutually distrusting parties to transact with each other without any central authority. The parties together form a peer-to-peer network of nodes and enforce a common ledger. Blockchains are broadly categorized as permissioned or permissionless. In a permissionless blockchain there are no restrictions on entities joining or leaving the network, whereas in a permissioned blockchain the entities are verified identities that go through an identity verification process before joining the network, which enables non-repudiation and accountability. In this article, we focus on permissioned blockchains as they are more suitable in enterprise environments. Blockchain is being leveraged in supply chain, IoT, finance and several other business use cases. A survey by Wikibrands suggests that blockchain is one of the top 30 emerging technologies that will impact us the most over the next decade [1]. A report by the World Economic Forum predicted that 10% of global GDP would be stored on blockchain technology by 2025 [2]. Considering this importance of blockchain, we emphasize the features and challenges involved in making permissioned blockchains deployable in practice.

To make permissioned blockchain suitable for use in enterprises, there are several features that are not present in permissionless blockchains. These features include:

  • Privacy and Security: Enterprises require transactions on the blockchain to be private and confidential. This is achieved by submitting encrypted transactions pseudonymously to the network. Blockchain platforms provide mechanisms to ensure privacy and confidentiality of the users.
  • Smart Contracts: Enterprise applications need to calculate and validate data before writing it to the ledger. Smart contracts enable embedding this logic to operate on the data. Smart contracts handle reading or writing data on the blockchain. Smart contracts are executed by one or more parties independently to ensure the correctness of data processing, and to impart trust to the system. The results of the smart contract execution from various parties are used for consensus purposes.
  • Attribute based access controls: Attribute based access control is a security mechanism that grants access based on the attributes of the requester. Most enterprise applications are modeled with attribute based access controls for flexibility and granularity. In permissioned blockchains, these access control mechanisms are embedded into smart contracts.
  • Auditability: Authorized parties should be able to audit the blockchain either temporarily or on a continuous basis. To enable the audit facility, auditors should be able to link the pseudonyms to the user's identity and decrypt a transaction. To achieve this, the auditors (both external and internal) should be given access to user specific or transaction specific keys during the audit period.
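
An added illustration of the auditability point above (not code from the article or from any blockchain platform): each transaction is encrypted under a key derived from the user specific key, so an auditor handed one transaction specific key can read that transaction and nothing else. The derivation scheme, the function names and the ledger layout are assumptions made for this example, and the HMAC-based cipher is a standard-library stand-in for an AEAD such as AES-GCM.

```python
import hashlib
import hmac

def hkdf(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def tx_key(user_key: bytes, tx_id: str) -> bytes:
    """Transaction specific key derived from the user specific key (assumed scheme)."""
    return hkdf(user_key, b"tx-key|" + tx_id.encode())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a key that protects exactly one message.
    Stand-in for an AEAD cipher; not a production construction."""
    body = bytes(p ^ s for p, s in zip(plaintext, hkdf(key, b"stream", len(plaintext))))
    return body + hmac.new(hkdf(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match the blob."""
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(hkdf(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(c ^ s for c, s in zip(body, hkdf(key, b"stream", len(body))))

def submit(ledger: list, user_key: bytes, tx_id: str, payload: bytes) -> None:
    """Append an encrypted transaction under a per-transaction pseudonym."""
    ledger.append({"tx_id": tx_id,
                   "pseudonym": hkdf(user_key, b"pseudonym|" + tx_id.encode(), 16).hex(),
                   "blob": seal(tx_key(user_key, tx_id), payload)})

def audit(ledger: list, disclosed: dict) -> dict:
    """Decrypt only the transactions whose keys the auditor was given."""
    return {e["tx_id"]: unseal(disclosed[e["tx_id"]], e["blob"])
            for e in ledger if e["tx_id"] in disclosed}

# Constructed sample data: one user, two transactions.
ALICE_KEY = hashlib.sha256(b"constructed user key for alice").digest()
LEDGER: list = []
submit(LEDGER, ALICE_KEY, "tx-1", b"pay supplier 100")
submit(LEDGER, ALICE_KEY, "tx-2", b"pay supplier 250")

if __name__ == "__main__":
    # The auditor receives the key for tx-2 only.
    print(audit(LEDGER, {"tx-2": tx_key(ALICE_KEY, "tx-2")}))
```

Disclosing `ALICE_KEY` itself would let the auditor derive every transaction key, which is the broader, user specific form of access.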

Several non-trivial challenges stand in the way of practically deploying permissioned blockchains in their present state. Some of them are as follows:

  • Throughput: Blockchain is inherently slow because the consensus mechanism exchanges messages back and forth between several peers, in place of the simple read or write operations of a centralized database. The throughput also depends on the choice of tunables such as payload size, batch size, block latency and so on. Thus blockchain is ideal for use cases that require low throughput and deal with high value transactions. There is a need to improve throughput to make blockchain deployable in a wider range of applications.
  • Consensus: Consensus mechanisms impact application throughput due to their message complexity and communication rounds between the nodes. It is infeasible to design a single consensus mechanism that can be used in all use cases. Thus, designing a pluggable consensus framework with automatic suggestion of consensus algorithms and tuning of parameters such as computational or message latency is a challenge.
  • Query Efficiency: Efficiently querying blockchain data that is encrypted under different keys is a challenge. Searchable encryption can handle queries encrypted under a single key, but there is a need to design efficient schemes that can handle queries encrypted under multiple keys.
  • Privacy and Confidentiality: Privacy and confidentiality solutions in current blockchain systems depend on standard cryptographic primitives such as encryption and cryptographically pseudonymous identities, but during transaction verification and audit the user's credentials are completely disclosed. Anonymous credentials can be achieved with solutions such as identity mixer [8] and privacy preserving smart contracts [9], but these algorithms are novel and not yet widely deployed, and open issues remain, such as the need for scrutiny by the crypto community before deployment in practice, efficiency and so on.
  • Compliance with the privacy regulations: Compliance with privacy regulations can be more challenging in the blockchain world. For instance, the General Data Protection Regulation (GDPR) mandates a “Right to Forget” feature for customers. The immutable nature of blockchain is contrary to this requirement. There are mutable blockchain solutions [3] which can cater to these needs; however, they call into question the very basis of what makes a blockchain attractive for a given use. Thus, more research is needed to make blockchains compliant with regulations.
  • Migration: The data model of existing systems differs from that of blockchain systems. The challenge is to seamlessly migrate the existing systems to the blockchain and ensure that there is no disruption in the services.
  • Certificate Authority and Revocation Lists: Even though the blockchain is decentralized, the current certificate issuing authorities and certificate revocation use traditional public key infrastructure (PKI) and are centralized. This can lead to issuance of spurious certificates that can be used to gain unauthorized access to the network. There are solutions such as certificate transparency [5] and decentralized PKI [4] that provide transparency, but steps are yet to be taken to integrate them with permissioned blockchains.
  • Smart Contract security: Recently, security vulnerabilities have been detected in smart contracts on blockchain platforms such as Ethereum. As security vulnerabilities in any application are inevitable, the immutable nature of blockchain makes it challenging to deal with their consequences.
  • Inter-blockchain communication: Enterprise applications involve various components interacting with each other at various levels. To accommodate this, applications are being visualized in a multi-blockchain model. The challenge is to establish cross-blockchain communication without compromising integrity, privacy and confidentiality.
  • Key Management: Considering the immutable nature of data on a blockchain, managing lost and compromised keys as well as key rotation is a challenge. It is infeasible to re-encrypt data on the blockchain with new keys, but key compromise makes the data accessible to unauthorized parties. Sharing the secret keys of users to de-anonymize and de-classify transaction data during audit also hampers the privacy and confidentiality of users. There is a need for feasible key management and audit management schemes for blockchain.
  • Oracles: In most use cases, smart contracts require data from external systems called oracles. Relying on oracles for such information is a necessary risk. There is a need to mitigate the risk by ensuring the authenticity of information transmitted to the blockchain. Another important challenge is the confidentiality and privacy of oracle queries. Solutions such as Town Crier [6] and Oraclize [7] explore oracles in the context of decentralized applications.
  • Standardization: Standardization is also an important challenge in blockchain. Now that various blockchain platforms exist, there is a need for a standard model so that blockchain can be deployed robustly in practice.
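
An added illustration of the query efficiency challenge listed above (not code from the article): a simplified keyword index in the style of searchable encryption, where each organization files its transactions under HMAC tokens computed with its own key. The organization names, keys, transaction ids and function names are constructed for the example, and deterministic tokens are a simplification that reveals which entries share a keyword under the same key.

```python
import hashlib
import hmac

def token(key: bytes, keyword: str) -> str:
    """Deterministic search token for one keyword under one key."""
    return hmac.new(key, keyword.lower().encode(), hashlib.sha256).hexdigest()

def index_tx(index: dict, key: bytes, tx_id: str, keywords: list) -> None:
    """Owner side: file tx_id under one opaque token per keyword."""
    for kw in keywords:
        index.setdefault(token(key, kw), []).append(tx_id)

def search(index: dict, tokens: list) -> list:
    """Ledger side: match opaque tokens; it never sees keys or keywords."""
    hits = []
    for t in tokens:
        hits.extend(index.get(t, []))
    return sorted(hits)

def query(index: dict, keyword: str, held_keys: list) -> tuple:
    """Querier side: one token is needed per key the data was indexed under.
    Returns (matching tx ids, number of tokens sent)."""
    tokens = [token(k, keyword) for k in held_keys]
    return search(index, tokens), len(tokens)

# Constructed sample data: two organizations, each with its own key.
KEYS = {
    "org-a": hashlib.sha256(b"constructed key for org-a").digest(),
    "org-b": hashlib.sha256(b"constructed key for org-b").digest(),
}
INDEX: dict = {}
index_tx(INDEX, KEYS["org-a"], "tx-1", ["invoice", "steel"])
index_tx(INDEX, KEYS["org-b"], "tx-2", ["invoice", "copper"])
index_tx(INDEX, KEYS["org-a"], "tx-3", ["shipment", "steel"])

if __name__ == "__main__":
    # A single-key query sees only that organization's entries.
    print(query(INDEX, "invoice", [KEYS["org-a"]]))
    # Covering the whole ledger needs every key and one token per key.
    print(query(INDEX, "invoice", list(KEYS.values())))
```

The query cost and the number of keys the querier must hold both grow with the number of keys in use, which is the gap the bullet describes.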

We conclude that it is important for organizations to be aware of the practical challenges of permissioned blockchains before deploying them in real world applications. We believe that there are many long term issues to be addressed in order to adopt blockchain and its operating model and make it enterprise ready.

 

Acknowledgement

We thank our colleagues at TCS Innovation Labs for insightful discussions on this subject.

 

References

[1] The Emerging 30 Technologies – What Will Impact Us The Most Over the Next Decade: http://wiki-brands.com/the-emerging-30-technologies-what-will-impact-us-the-most-over-the-next-decade/ (Accessed on 6th Aug 2018)

[2] Deep Shift Technology Tipping Points and Societal Impact: http://www3.weforum.org/docs/WEF_GAC15_Technological_Tipping_Points_report_2015.pdf (Accessed on 6th Aug 2018)

[3] G. Ateniese, B. Magri, D. Venturi, E. Andrade, “Redactable Blockchain -or- Rewriting History in Bitcoin and Friends,” IEEE European Symposium on Security and Privacy (Euro SP), 2017.

[4] Conner Fromknecht, Dragos Velicanu, Sophia Yakoubov, “A Decentralized Public Key Infrastructure with Identity Retention,” https://eprint.iacr.org/2014/803.pdf.

[5] Certificate Transparency, https://www.certificate-transparency.org/.

[6] Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels and Elaine Shi, “Town Crier: An Authenticated Data Feed for Smart Contracts,” ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.

[7] Oraclize, http://www.oraclize.it/#projects.

[8] Identity Mixer, https://www.zurich.ibm.com/identity_mixer/.

[9] Ahmed Kosba, Andrew Miller, Elaine Shi, Zikai Wen, Charalampos Papamanthou, “Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts,” IEEE Symposium on Security and Privacy (SP), 2016.

 


 

Harika Narumanchi is a researcher in the Cyber Security and Privacy Group at TCS Innovation Labs, India. Her research broadly focuses on applying cryptography and blockchain solutions to business oriented scenarios. She graduated from Jawaharlal Nehru Technological University, Hyderabad, India with a Master’s degree in Information Technology, specialized in Information Security.

 

 

Nitesh Emmadi is a Researcher in the Security and Privacy Group of TCS Innovation Labs, India. His areas of research mostly include computations on encrypted data, with broader interest in application security, applied cryptography and blockchains. He looks closely into the practical side of novel systems and provides consulting services for evaluating and building products for his organization. Prior to joining TCS, Nitesh received his Master's degree in Information Technology, specialized in Information Security, from International Institute of Information Technology, Hyderabad, India.

 

Editor:

Chengnian Long is a full professor in the Department of Automation, School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University. His research interest mainly focuses on Cyber-Physical Systems (CPS), including:
1) Cyber-Physical Systems (CPS) Security: security estimation and control of CPS, intrusion detection system, blockchain security; 2) Internet of Things (IoT): crowd sensing, fog computing, internet of vehicle, wireless MIMO system and 3) Distributed Intelligence Systems: embedded computer vision for smart devices (UAV, Autonomous vehicles), blockchain.
First, many current critical infrastructures such as power grids, transportation systems, and medicine systems are emerging with the tight integration of physical processes and the cyber world. Due to the crucial role of cyber-physical systems in everyday life, cyber-physical security needs to be promptly addressed. In particular, his research group is focused on the security estimation and control of power grids and industrial control systems.
Second, he has a long-term concern with fundamental networking problems in the Internet of Things, such as crowd sensing systems, fog computing of intelligence gateways, and MIMO wireless technology for smart devices. In particular, his research group is focused on the sensing, computing, communication, and control integration of the Internet of Vehicles (IoV).
Third, the long-term view is to develop system intelligence for both CPS and IoT. An emerging trend is the data-driven distributed intelligence system. Thus, large-scale trusted and reliable data is the power source for an intelligence system. Furthermore, applying AI technology (deep learning and computer vision) from the laboratory to the real world requires a new approach to supporting the associated power, weight, space, and real-time constraints. In particular, his research group is focused on investigating blockchain technology to construct distributed intelligence systems and on developing embedded computer vision and deep learning technology for UAVs and autonomous vehicles.