Page 28 - FIGI: Security Aspects of Distributed Ledger Technologies
oped by inexperienced developers, and third-party dependencies. These create an opportunity for design ‘bugs’ where, although the functionality works as intended, they can be abused by an attacker. These further allow software bugs, which are software errors that allow the DLT – possibly a smart contract – to enter an insecure state unintended by the designer or design. Security audits before deployment are critical to the safe functioning of DLTs.

While many enterprises are developing consortia DLTs within the confines of their specific design goals, for many public DLTs the underlying technologies – ‘Layer 1’ technology – in use are open source, enhanced primarily through the ‘wisdom of the crowd’ and unidentified coders. The review of code and performance of the system often includes assistance of the system stakeholders, such as commercial service providers, mining pools, commercial security service providers (which often provide public monitors), miners/validators and the token holders who watch publicly observable activities on public DLTs and blockchains.

For smaller systems – fledgling protocols and third-party tools – documentation is often sparse in many popular public, permissionless blockchains, and they are often targeted for attacks. 146 Commercial DLTs and private blockchains then may have superior financing and provide better organization, incentives and stability to a development team.

The question also arises in relation to governance of DLs, as to who agrees, and how, to changes to the consensus protocols/software in the face of security bugs, changes to commercial environments, and regulatory changes. 147 Does the (consensus) validation method adopted allow for manipulation by a majority of authenticators or an undisclosed consortium? 148

Risks:
Without adequate developer support, development growth and maturity stagnate, and bugs will not be fixed.

Mitigation and Recommendations:
Mitigation can be effected by bug bounty programs, which have risen in popularity with the goal of discovering and avoiding bugs well before they are discovered by hackers, such as Hackerone 149 and individual project/entity programs such as those listed at Github. 150 Regulators

8.2.3 Issue: Longevity of the security of DLT-based data
The issue of longevity of the security of blockchain-based data may also be an issue. For example, the possibility of ‘old’ transactions on a particular blockchain may be vulnerable to advances in cryptography over a period of years or decades such that ‘old’ transactions can be undetectably changed. 151

Thereto, quantum computing is the use of quantum-mechanical phenomena such as superposition and entanglement to perform computation. A quantum computer is used to perform such computation, which can be implemented theoretically or physically. The advent of quantum computing could potentially defeat the security of asymmetric cryptography 152 as a result of potentially superior computing power which could crack existing ciphers, including RSA encryption. Table 4 illustrates the potential effect of quantum computing on current cryptography. 153

Risks:
‘Download and Decrypt Later’ breaking of private keys; transaction accuracy; and leakage of private data. That is, the issue of longevity of the security of blockchain-based data may also be an issue. For example, the possibility of ‘old’ transactions on a particular blockchain may be vulnerable to advances in cryptography over a period of years or decades such that ‘old’ transactions can be undetectably changed. 155 The ability then to upgrade the cryptographic techniques used for ‘old’ transactions should be considered in DLT designs.

Mitigation and Recommendations:
Use and implement quantum resistant ciphers and wrappers. 156 With the rapid evolution of quantum computing power – some systems have over 5000 qubits of computing power 157 – administrators should begin to prepare for the download-now-decrypt-later types of attacks, if they are not already using the post-quantum wrappers being developed to protect existing ciphers. 158

8.3 Transaction and Data Accuracy

8.3.1 Issue: Finality in Transaction Settlement
Key to financial transactions is the transfer of assets to a counterparty, to the extent that all rights and encumbrances attaching to that asset are extinguished after transfer. There are large, and emerging, differences between legacy systems of clearing, netting,
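Returning to the recommendation in 8.2.3 that DLT designs allow the cryptographic techniques protecting ‘old’ transactions to be upgraded: one way to build that in is to record the algorithm with every entry and to re-anchor the whole existing history under the newer primitive while the legacy one still holds. The following is an added Python illustration, not code from the FIGI report or from any DLT; it assumes a simple hash chain, uses SHA-1 and SHA3-256 as constructed stand-ins for a legacy and an upgraded algorithm (hashlib has no post-quantum primitive), and assumes legacy link checks are the only legacy control.

```python
import hashlib
import json

# Constructed stand-ins for a legacy and an upgraded primitive. hashlib has no
# post-quantum algorithm, so SHA-1 vs SHA3-256 only models "weaker" vs "stronger".
ALGS = {"legacy": "sha1", "upgraded": "sha3_256"}

def digest(alg: str, data: bytes) -> str:
    return hashlib.new(ALGS[alg], data).hexdigest()

def canon(obj) -> bytes:  # canonical JSON so every party hashes identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def link_hash(tx: dict, prev: str, alg: str) -> str:
    return digest(alg, canon({"tx": tx, "prev": prev, "alg": alg}))

def append(chain: list, tx: dict, alg: str) -> None:
    # Every entry records the algorithm it was committed under (crypto-agility).
    prev = chain[-1]["hash"] if chain else "0"
    chain.append({"tx": tx, "prev": prev, "alg": alg, "hash": link_hash(tx, prev, alg)})

def verify_links(chain: list) -> bool:
    # Link-by-link check, each link under the algorithm it was written with.
    prev = "0"
    for e in chain:
        if e["prev"] != prev or e["hash"] != link_hash(e["tx"], prev, e["alg"]):
            return False
        prev = e["hash"]
    return True

def reanchor(chain: list, alg: str) -> str:
    # Commit to the whole history under the newer algorithm; publish the anchor (e.g. in
    # a later block) while the legacy primitive still holds.
    return digest(alg, canon(chain))

def forge_history(chain: list, index: int, new_tx: dict) -> None:
    # Stand-in for an attacker against whom the legacy primitive no longer holds:
    # the rewrite is made link-consistent, so legacy link checks alone still pass.
    chain[index]["tx"] = new_tx
    for i in range(index, len(chain)):
        chain[i]["prev"] = chain[i - 1]["hash"] if i else "0"
        chain[i]["hash"] = link_hash(chain[i]["tx"], chain[i]["prev"], chain[i]["alg"])

def demo() -> tuple:
    chain = []
    for i in range(3):  # constructed sample transactions
        append(chain, {"from": "A", "to": "B", "amt": 10 * (i + 1)}, "legacy")
    anchor = reanchor(chain, "upgraded")  # taken before any rewrite
    before = verify_links(chain)
    forge_history(chain, 0, {"from": "A", "to": "C", "amt": 1000})
    return before, verify_links(chain), reanchor(chain, "upgraded") == anchor
```

demo() returns (True, True, False): the rewritten history passes the legacy link checks but fails against the anchor taken under the upgraded algorithm, which is the property the re-anchoring step is meant to provide.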