On September 5, 2018, the POD conference hosted by Odaily and strategically co-organized by 36Kr Group was held in Beijing. In the roundtable forum themed "The Future of Secure Computing", Yu Di, the founder of WXY, served as the moderator, and Zhang Lei, co-founder of ARPA, Zhang Jiachen, founder of Points, TF Guo, founder of Taxa, Wei Ming, TRIAS CTO, Netta Discuss several issues of blockchain security with Yang Zijiang, co-founder of FractalNets.

1. What are the blockchain security issues?

2. The security issues that were originally solved by means of Internet centralization may be solved by blockchain in the future. Will there be some contradictions between the two? How will they survive and cooperate with each other?

3. There are many security solutions in the entire blockchain system, how should they coordinate with each other? How to unify?

The issue of secure computing involves various aspects, mainly including the security of the blockchain software itself, the security of storage, and the privacy and security of data transactions. There are many kinds of implementations, including software and hardware architectures constructed with chips and trusted environments, as well as pure software protocols. In contrast, chip protection is safer, and software solutions are more intuitive and transparent, and it is easier to increase credit.

Blockchain security is more efficient and secure than traditional security. The efficiency of blockchain security can make the loss from the 5-6th power of 10 in the past to only 10 calculations, and the effect is the same. It is safer because there is a lot of money in it; and it is a decentralized system, unlike the traditional money that can be found back if it is lost, it is lost if it is lost, so its security level is even the most basic. It is also very demanding.

Blockchain security also follows traditional PC and mobile security, and the biggest problem generally lies in people and operations. We can't expect ordinary developers to have high security knowledge, so each underlying project should customize its own security protocol. You must use the most mature things, this is safe.

Where should the decentralized system advocated by the blockchain start? We should pay attention to the incremental market, and some places where the centralized system has not yet formed a monopoly, and there is a great need for decentralization.

————————————

The following is the discussion forum discussion, enjoy:

Moderator - Yu Di

Let me introduce myself first. I am Yu Di, the founder of WXY Group. WXY is mainly engaged in brand management, investment banking, and investment business in the blockchain field.The first question I would like to ask the experts here today is that there are frequent security issues in the blockchain field. What do you think these security issues are divided into? Which ones are underlying? Which ones are at the operational level? And what problems are you all solving?

TRIAS CTO——Wei Ming

Hello everyone. TRIAS is a public chain based on TEE (Trusted Execution Environment), and its main functions are anti-tampering and anti-data leakage.

General governments and enterprises may buy anti-tampering systems like BAT and security companies. These systems must have an account system, the so-called God, which is also what customers want. But having a centralized administrator means that it is easy to tamper with. So we made the anti-tamper system first.

The second is data breaches. We didn't want to do this at first because it's not as straightforward as wallets that everyone cares about. What we thought at the time was to use the tamper-proof system for data storage and traceability.

But at that time, the several large hospitals we contacted to upload data to the cloud faced a problem, that is, no one wanted to share their precious medical data with others, and they did not trust any public cloud. Even if there is a private cloud with a data exchange area in the middle, they don't quite recognize it. It is easy for him to suspect that the exchange party has come to him to do something he shouldn't do, such as secretly sending the private information of his operation to others for analysis.

So for this business, we have made a hardware equivalent to the data exchange area, so that the entire environment is protected by security measures such as TEE. In addition, all the terminals of the enterprise also use our smart contracts, which can ensure that all its programs are executed transparently, and it is difficult for third parties to add scripts to them.

Founder of Taxa - TF Guo

Taxa is a Layer 2 off-chain network that also uses TEE technology. Through our platform, decentralized applications will be able to run smart contracts with strong privacy on Layer 2. The lack of privacy limits the large-scale application of public chains to a certain extent, so Taxa wants to solve this problem off-chain.

Co-Founder of Netta and FractalNets Professor of Computer Science, Western Michigan University - Yang Zijiang

Hello everyone. The mechanism used by Netta is very different from the current blockchain mechanism. For example, the high concurrency we are doing now has a speed of 100,000 TPS under 3,000 nodes. This can be done because we have made a data flow instead of ordinary data and chains, so it is very important to ensure its security.

This is how we understand security. First of all, the blockchain itself is a software project, so it also has problems faced by other software, such as many bugs. Bill Gates once asked a question, what do you think is the most complex thing that humans have ever created? Many people say spaceships, many people say high-speed rail, aircraft carrier, he said neither, in fact it is software, software is the most complex thing in man-made objects, so that no one can guarantee its correctness.

Looking at the current industrial software, there are 7 errors every day, why not eliminate these errors? Because it's too complicated. We can constantly test it with various tools, but this only proves that the software is wrong, not a guarantee that it will always be correct.

Formal verification is very popular now. But can formal verification guarantee the correctness of the program? Can you prove the correctness of the program mathematically? In practice this is impossible, because you cannot use one algorithm to prove the correctness of another.

This is a problem that all software faces. So what is the difference between blockchain software and other software? I think it is, because there is a lot of money in it, so most blockchain projects (should) pay more attention to security. We have to do more testing, verification, and minimize its errors.

Founder of Points - Zhang Jiachen

Hello everyone. What Points wants to implement is a blockchain-based secure multi-party computing protocol. What application scenarios does this protocol support?

It may be different from many projects that start from the bottom. We aim at very specific application scenarios. For example, the first application scenario is the scoring and evaluation of personal credit.

This scenario has several issues related to data security, the first one is storage securitythe second is

the second isdata exchange. How can real data flow between the various islands? What we think is whether we can collect more authentic raw data from the device itself, and verify the authenticity of the data through cross-validation.

A bolder idea is how to allow dozens, hundreds or even thousands of data sources to collaborate on comprehensive data calculations without exposing the original data. For example, calculating a person's personal credit score will use multiple data including education, income, and behavior. So how can data sharing be achieved without exposing the original data?

That's what Points is trying to solve. Now we have access to the ID verification data related to more than 1 billion users, and the data covering the credit variable part of 500 million users, so it is a project that pays more attention to the implementation of the scene.

Compared with many projects that use hardware architecture, including chips and trusted environments to construct secure multi-party computing protocols, we use pure software algorithms. Although the hardware solution has many advantages, from the perspective of increasing trust, the software solution can easily allow an ordinary programmer or ordinary user to observe which codes are being executed. If calculations are performed at the chip level, it will be a little more difficult for ordinary ecological partners and users to understand. So we choose to use a more intuitive and transparent solution.

Co-founder of ARPA——Zhang Lei

Hello everyone! I'm Zhang Lei, co-founder of Oasis Labs. Oasis Labs also does secure and private computing. Some guests also introduced the security issues of commercial data exchange, how to allow high-value and high-privacy data to be traded and circulated.

We also use MPC (secure multi-party computing) technology. Just now, many guests mentioned that many points are very good. What I want to explain is, what are our advantages?

What we want to achieve is that any function and any equation can be compiled and calculated in this space. Moreover, the calculation result can be verified. From a mathematical point of view, this verification can verify that it has done the calculation with the original equation, output the result honestly, and did not steal the data used for the calculation.

This is very important in a Blockchain project, because anyone can join your computing network to earn computing fees, and it has a particularly strong motivation to deceive you, so how can you easily prove that you did? This matter is very important. We mainly solve such a problem.

Moderator - Yu Di

Well, you guys just mentioned the issues that you're addressing. Here I have a question,Data and privacy issues also existed in the classical Internet era, which were solved by some centralized methods at that time. In the future, it is possible to use a decentralized method such as blockchain to realize it. Are there any contradictions between the two? How to continue and cooperate with each other?I don't know how you think about this issue, and how to coordinate such contradictions in your respective projects?

Founder of Taxa - TF Guo

Generally speaking, security is divided into two parts: the security of preserving value and the security of creating value.

The smart contract security we mentioned earlier belongs to the security of preserving value. Everyone knows that security is a wooden barrel principle. The security of your entire system depends on its shortest boards. These boards may include the underlying cryptographic algorithms, the entire public chain architecture, the application of upper-level smart contracts, and the human resources in operations. factor.Of course, blockchain security also follows traditional PC and mobile security, and the greatest security generally lies in the security of people and operations.

The security of this part of the smart contract is safer than that of traditional applications, because it is too close to money, and it is a decentralized system. If it is lost, it is lost. In this field, indeed we have higher requirements. This is the part that preserves the value.

Then let’s talk about creating value. Traditional security is a performance indicator, while blockchain has an additional functional indicator, which means that things that could not be done before can now be done. Although the current smart contract can only process some open and transparent data, after research, we can put some data into the smart contract in a private state, which is bound to bring more application scenarios. This is created in the blockchain. part of the value.

Taxa is mainly aimed at the latter. We can enable smart contracts to execute some business logic that guarantees privacy.

Founder of Points - Zhang Jiachen

Just now the host asked us how to see the relationship between blockchain and centralized system giants. This reminds me of another question, like this, let me talk about the conclusion first, I think the selected entry point is particularly important, not all entry points are the same.

Where can we get our inspiration?

We all know that the development speed of China's e-commerce, including the speed and degree of its replacement of offline channels, is unprecedented in other countries in the world. Why is this? Of course, many of them are the ingenuity of Chinese e-commerce companies. In addition, it is also because China's traditional offline retail is very weak, which can be seen in the influx of venture capital and Internet companies into offline and investment in new retail. There are many problems with their retail efficiency, so China's offline retail has never seen a giant like Costco.

So, today we look atWhere should the decentralized system advocated by the blockchain start? We should pay attention to those incremental markets, as well as those places where the centralized system has not yet formed a monopoly and needs to be supplemented by the decentralized system.

We did Points, and many people asked me, when you do this project, don’t you think that Ant Financial and Sesame Credit are already very good?

But what many people don't know is that,Even today, the Bank of China’s credit investigation only covers 380 million people, while China has 1.4 billion people, Ant Financial only covers 400 million users, and China’s credit investigation users only cover 500 million people. There are still a lot of them incomplete.For companies like our shareholder Zhong Chengxin, we also really want to see a decentralized system to supplement and improve it.

Medical research is also a direction of SMPC (secure multi-party computing) that I am very optimistic about, because China's CRO (clinical trial business) was also very imperfect before, and now it is undergoing a lot of reconstruction. In such blue ocean places, I believe it will be easier for start-ups to collaborate with institutions that already have data to recreate a platform.

Co-founder of ARPA——Zhang Lei

The MPC technology was originally developed by a few professors, but now it has become a global collaborative development of hundreds of people. Its efficiency is to make the loss from 10 to the 5-6 power in the past, now you only need 10 calculations to achieve the same effect. So it is both safe and efficient.

These scholars who study MPC are concentrated in Europe, Belgium, Israel and other places. Including two leading masters, their PHDs have contributed to our cryptography in our community, so we will go a little lower, modify the cryptography protocol, improve the efficiency of the bottom layer, and make it more practical and commercial.

This trend is becoming more and more obvious,At the largest cryptography conference in the United States this year, we saw that half of the topics were about this direction, so we will soon see that the technology in this direction will be implemented, and its very natural combination with blockchain development.

Moderator - Yu Di

The next question, there is a common metaphor in the blockchain field, that is, if each public chain is viewed as a country, there will be many cities on this public chain, and I will add another metaphor to it, that is Security should be the defense force of this country.

because

becauseThere will be more and more security solutions in the entire blockchain system, how should they coordinate with each other? How to unify?

TRIAS CTO——Wei Ming

I'll tell you what I think, at leastAll the public chain projects I see now, including our own, I don’t think they can be regarded as the National Defense Forces for their own security. This is the truth.Judging from the current operation of the actual chain, if you want to rely on an organization to take care of this matter, I think it is still relatively difficult. It is difficult to be a security family. I suggest that we work together and work together.

Founder of Taxa - TF Guo

Let me give you an example,OpenSSL (Open Secure Sockets Layer Protocol)It is the cornerstone of Internet security and has crossed many platforms. Whether it is an operating system or hardware, this security bottom layer already has a mature unified standard.We can't expect ordinary developers to have high security knowledge, so more projects need to customize some low-level protocols related to security. You must use the most mature things, which are safe. Instead of writing it yourself, it is better to use some battle-tested ones. I think from a security point of view, the lowest level of security must have a unified standard.

Co-Founder of Netta and FractalNets - Yang Zijiang

Regarding this question, you may infer that everyone should build a joint force and use a general tool to solve all problems, which is precisely wrong.Every public chain should have its own solution. There are two reasons for this:

• You have to keep finding errors in it, which means you have to do a lot of calculations, and put a lot of cost in it, which is why testing accounts for 50% of the cost in software. Testing is a very important process. For each specific project, you have to design your test according to the characteristics of the project and dig out the loopholes in it, which is the most useful. In other words, you cannot use a common tool for all tests. Of course, the technology in it may be universal.

• Every project has different security requirements. For example, if a software is used in autonomous driving, an error in the autonomous driving software will be fatal; but if you use a Microsoft operating system and it makes an error, you can just restart the machine. Therefore, each software has different security requirements, and on top of this, the price you pay is also different. For autonomous driving, safety issues must be resolved at any cost.

Founder of Points - Zhang Jiachen

Security can also be viewed from two dimensions, horizontal and deep. To give an example in the real world, each country will have its own military, and they have different layers, including police, armed police, and national defense forces; when it rises to the United Nations, there may be a Security Council, peacekeeping forces, etc., to solve different problems at different levels. question. At the same time, at a similar level, the security guarantee itself must be undertaken by a dedicated person, so our goal for ourselves is to provide configurable solutions to common problems.

Co-founder of ARPA——Zhang Lei

I think everyone needs to distinguish two points. Security includes network security, data security, and privacy security. So when we talk about security, we need to know what we mean.

Back to the host’s topic, our OasisLabs is an underlying protocol for secure and private computing. It can be used on any Blockchain, allowing it to have private computing capabilities from 0 to 1. For those who need this function , he has one more choice.

To give a practical example, before we had no way to put our personal privacy data into online transactions, and we also had no way to anchor real personal data with a virtual Blockchain, because it was too insecure. But with privacy computing, this problem can be solved.