Blockchain is widely hailed as one of the next breakthrough technologies, a technology that is poised to change the world of commerce within the next ten years. For sure, it offers great opportunities to optimize transactions and processes, and to cut losses caused by inefficiencies and fraud. But trying to see through the hype, many companies are wondering how they may start exploring this technology and how their business logic is best translated into this new technology. “Blockchain is a method of working and a toolbox, not a ready-to-use product,” explain Wouter Joosen and Bart Preneel, directors and security gurus at imec. “So it is key to explore - and get a good grip on - the many options of the technology, establish ground rules for privacy and security, and examine possible legal implications.”
Secure, shared record keeping
Since the beginning of commerce, people have always recorded transactions and agreements. And when more parties got involved and values increased, rules were agreed and trusted institutions started keeping records. A simple money transfer, e.g. between your company and another one, will involve actions and information exchanges by two banks and probably also an interbanking institution. And each of these institutions has to keep records, build an extensive security infrastructure, and guarantee fast and reliable communication.
Wouter Joosen: “The globalization of manufacturing and trade has accelerated this need for record keeping. This has spawned a multitude of disparate ledgers and institutions that have to prevent errors, fraud, and misinterpretation. Today, each company partakes in a number of networks and logistic chains and is frantically trying to keep its records correct and updated. And even as an individual, you may be at a loss as to how to keep your digital identity updated: your passwords, living address, work history records, and so on.”
Blockchain technology promises to replace much of this by using distributed software: it supports transactions, agreements, and smart contracts between two parties while avoiding the need for a trusted third party.
Take an example from the world of trade: When you buy a diamond, you may want to establish that it is real, that it has not been stolen, or that it has been ethically mined. The seller may give you a certificate, but how can you, or even the seller, be sure that anything on the certificate is real? A blockchain application might solve this conundrum. Any diamond that is mined could be entered in the electronic ledger, together with a unique high-resolution digital picture and an indication of the provenance. Later, every time the diamond changes hands, a new record is added. Before being written on the ledger, the information is verified by a number of parties. The ledger doesn't have to be administered centrally; all parties have a copy. That way, tampering with the chain becomes practically impossible. So if you finally get hold of that precious stone, you can unequivocally follow its whole history from the moment it was mined until it got into your hands.
From Bitcoin to your application
“Many companies see the advantages and opportunities of Blockchain, but they are at a loss as to where to start,” adds Joosen.
“Blockchain is not a ready-to-install product. It is a technology toolbox that allows for a new way of working, a way of establishing and storing reliable, timestamped information between parties without relying on a middleman or central authority.”
At heart, as the name suggests, a Blockchain application is a chain of digital blocks. Each of these blocks contains a number of verified transactions, e.g. a number of payments or changes in the ownership status of an object. Participants have copies of the chain and may access it to add more blocks or to consult the information in the chain.
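The chain-of-blocks structure described here, applied to the diamond ledger from earlier in the article, as an added Python example (not code from imec or from any Blockchain platform). The block layout, function names and sample records are assumptions made for the illustration; the `rehash_all` case shows why the copies held by the other parties matter, since a forger who recomputes every hash produces a chain that still verifies on its own.

```python
# Illustrative layout: field and function names are assumptions, not a platform API.
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # stand-in predecessor for the first block

def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical JSON encoding of the block contents."""
    body = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, transactions):
    """Link a block of verified transactions to the current tip."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    chain.append({"index": len(chain), "prev_hash": prev_hash,
                  "transactions": transactions,
                  "hash": block_hash(len(chain), prev_hash, transactions)})

def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev_hash = GENESIS_PREV
    for i, block in enumerate(chain):
        expected = block_hash(i, prev_hash, block["transactions"])
        if (block["index"], block["prev_hash"], block["hash"]) != (i, prev_hash, expected):
            return i
        prev_hash = block["hash"]
    return None

def history(chain, item):  # owners of one item, in chain order
    return [tx["owner"] for b in chain for tx in b["transactions"] if tx["item"] == item]

def sample_ledger():
    # Constructed sample data: item id, owners and image digest are invented.
    chain = []
    append_block(chain, [{"item": "stone-001", "owner": "mine-A", "image_sha256": "ab" * 32}])
    append_block(chain, [{"item": "stone-001", "owner": "cutter-B"}])
    append_block(chain, [{"item": "stone-001", "owner": "retailer-C"}])
    return chain

def forge_origin(chain, rehash_all=False):
    """Copy the ledger, rewrite block 0's owner, then rehash block 0 or every block."""
    forged = copy.deepcopy(chain)
    forged[0]["transactions"][0]["owner"] = "mine-X"
    for i in range(len(forged) if rehash_all else 1):
        b = forged[i]
        b["prev_hash"] = forged[i - 1]["hash"] if i else GENESIS_PREV
        b["hash"] = block_hash(i, b["prev_hash"], b["transactions"])
    return forged
```

Editing an early record breaks the link in the following block; when the whole copy is rebuilt, the only evidence is that its tip hash no longer matches the tip hash in the other participants' copies.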
The best-known implementation of Blockchain technology is Bitcoin, the digital currency that is not issued or guaranteed by an authority. Bitcoin shows the strengths of the technology and how you could use it. But at the same time, it also illustrates some issues that may not fit your bill.
Joosen: “For starters, Bitcoin is a public ledger. Anyone can participate, buying Bitcoins, paying with them or even verifying and adding blocks to the chain, which is called ‘mining’ and which is a peculiar business model in itself. But most use cases of companies are not public; many involve a limited number of parties that want to share data. That has important consequences for the way the data access and security will be set up.”
Or take privacy and traceability. In principle, everyone who gets hold of a Bitcoin address is able to look into the Bitcoin blockchain and see the history and ownership of that Bitcoin. Once you know your way around the blockchain, it’s possible to extract much detailed information about what is going on. So, there is no real privacy built in, although privacy-preserving practices can be defined and encouraged (e.g. decoupling Bitcoin addresses and identities). This may be OK for Bitcoin or the diamond example, but if your application involves e.g. medical data, you may need to add stricter access controls and privacy measures.
“Still, Bitcoin is a great example,” says Preneel. “It is a public laboratory, allowing us to study all the possibilities and challenges related to Blockchain-based applications. That is why our researchers keep a close eye on Bitcoin.”
“The origin of Bitcoin is shrouded in mystery, but it is a very clever system. Its inventor created a distributed, consensus-building software from existing network and cryptographic technology, something that nobody had been able to do before. But that doesn’t mean there are no challenges. There has e.g. been a discussion on the most efficient size of the blocks. So it is interesting to see how a network of parties gets to agree on changes to the system itself. What also interests us are the privacy techniques and strategies with which people try to stay anonymous in this very public system.”
“Our scientists have already published a number of studies and in one case, we’ve even seen that a publication of ours has changed the consensus voting in Bitcoin. It is deeply interesting to see how such a complex implementation as Bitcoin functions. And it also teaches us a lot that we can apply to other use cases.”
Going on an exploration
To help companies get a head start with Blockchain technology and see how they could apply it, imec has set up a project with six companies that are interested in applying the new technology to their specific use cases.
Joosen: “There is, for example, a fintech company that wants to study Blockchain as a means to organize reverse factoring and keep track of hypothecated invoices. So this will probably be an application with a restricted number of participants. Then there is a health tech company that would like to look at decentralized patient files. That of course is a case where strict privacy rules should be upheld. And a third company deals with design and simulation data for vehicle and airplane parts. There we are rather looking at a supply chain type of application. Then there is also a telecom company that wants to set up a system to trade IoT data. What connects all these examples and makes them different from e.g. Bitcoin is the need to establish and implement strict security and privacy measures. These must be chosen, defined, and subsequently supported in combination with the selected technology platform, e.g. as plugins or extra layers.”
The project is an imec.icon initiative, an initiative for demand-driven, cooperative research. Over a period of typically two years, multi-disciplinary teams of scientists and industry partners will work together to develop digital solutions. The icon initiative has already resulted in over 100 completed projects in a wide range of ICT-related application domains and markets.
“Next to this project, we’re also offering industrial consultancy,” says Preneel.
“Whether a company is just looking into the options, or whether they are already developing an application, our researchers have the expertise to help them make the right decisions, have the legal issues covered, and consider privacy and security from all angles.”
“We feel there is a real need in companies to get independent advice on Blockchain,” adds Joosen. “The news is out there that Blockchain will change the world and that everyone should invest in it sooner rather than later. So companies want to know how they can benefit from it and if they should start investing and building expertise now. We have the knowledge and the experts to help them with these questions.”
Want to know more?
- secappdev.org lecture of Bart Preneel, explaining the nuts and bolts of Bitcoin.
Biography Bart Preneel
Bart Preneel heads the COSIC research group at imec - KU Leuven and is professor at the KU Leuven (Belgium). His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations. He also does industrial consulting for major players in the finance, telecom and hardware industry. Bart has co-designed the Belgian eID and e-voting scheme and is active in international standardization. Professor Preneel is a fellow of the International Association for Cryptologic Research (IACR), which he served as director (1997-present), vice-president (2002-2007) and president (2008-2013). He is a member of the Permanent Stakeholders group of ENISA (European Network and Information Security Agency) and of the Academia Europaea. In 2014 he received the RSA Award for Excellence in the Field of Mathematics.
Wouter Joosen is head of the DistriNet research group at imec - KU Leuven and professor at the KU Leuven (Belgium). His research interests include software engineering and architectures for secure distributed systems, security middleware, and security solutions for IoT and cloud computing, covering subdomains such as IAM, DevOps, SecDevOps, Privacy-by-Design, and GDPR. Wouter is co-founder of the KU Leuven spinoff Ubizen (now part of Verizon Business Solutions), where he was the CTO from 1996 till 2000, and COO from 2000 till 2002. He also cofounded a number of other KU Leuven spinoff companies including Inmanta and Elimity.