Blockchain: The Long-term Perspective
Will contracts kept in the blockchain still be valid in decades and centuries?
Feb. 28, 2020 | Bernhard Kauer
We visited the Historical Museum in Frankfurt the other day. There is a unique coin collection, with pieces dating back to the Romans and Greeks. If you look at the old gold and silver coins, they have kept their value over two millennia. Nowadays they often even cost a multiple of their raw material value, since they are rare collector’s items.
With banknotes this usually looks a little worse. Nevertheless, at the Bundesbank (German Central Bank) you can convert the Deutsche Mark into euros, and thus into gold, for free, for 70 years now and officially without any time limit. If one thinks of old books and documents, it becomes clear that paper, if stored well, can indeed retain its value for several centuries. However, as the trillion dollar bills of the hyper-inflation show, it can also become worthless within months or even days.
What about currencies and contracts that you will store digitally in a blockchain in the future? Will they still be valid in decades and centuries to come? Or is gold or even paper more suitable for the long-term storage of values?
I already wrote about the suitability of the blockchain as a daily means of payment in a previous article. This one is about the often ignored long-term durability of the blockchain.
1. Extreme redundancy
An advantage of any public blockchain is its extreme redundancy. All participants can store all transactions that have ever been registered on the chain, themselves. This provides the perfect protection against all physical events.
Paper can be replicated in a similarly easy way, although this is somewhat slower and regularly more expensive than a digital copy will be. This makes it quite easy to protect contracts against disasters. However, this approach does of course not apply to paper money.
Banknotes and gold can only be kept in one single place. And there they can be forgotten, lost or in extreme cases, as James Bond prevents in Goldfinger, rendered unusable. Although the Bundesbank changes damaged money for free, this service does not help against any losses.
So all in all, the public blockchain has a clear advantage in terms of redundancy. Even though digital preservation has several pitfalls, mankind will never forget the information that is saved today in a public blockchain like bitcoin.
2. Faster aging
As a precious metal, gold practically does not age. On the contrary, old mintages can have a scarcity value, which may lead to an unexpected increase in value.
Paper, on the other hand, ages. Anyone who has ever held any 50-year-old paperback in his or her hands will be able to confirm this. Nevertheless, with the appropriate production method and perfect storage conditions, good paper can be preserved for several hundred years.
The security of the blockchain does not depend on physical aspects, but on the underlying cryptographic methods. And interestingly, they age much faster than any paper.
There are only a few algorithms that are information-theoretically secure, i.e. that can keep a secret regardless of the strength of an attacker. An example of perfect security is the one-time pad method, for which, on the other hand, you also need perfect random numbers, which constitutes a problem in itself.
Instead, cryptographic methods are usually developed as a trade-off between speed and security. Here you make assumptions about how strong a current attacker might be and then suggest a sufficiently large security buffer.
However, the exponential increase of computing power described by Moore’s law and advances in cryptanalysis will use up this buffer within 30-40 years, as is also shown in the examples in the annex.
In addition, there are unplanned developments that can considerably shorten this time. For example, the availability of cloud computing has led to the fact that the costs of attacks have fallen considerably in recent years. Attackers no longer need to purchase expensive hardware, but can rent the computing power they currently need for a single attack for a limited time.
In future a breakthrough is expected in quantum computers, which will render current asymmetric encryption methods such as RSA and elliptic curves unusable. The effect on symmetric encryption and hash functions is not as clear. Here the expectations range from irrelevant to a halving of the security level.
Thus we can state: On the one hand, the blockchain ages faster than the paper on which you sign contracts. On the other hand, this will probably happen more slowly than the devaluation of banknotes in hyper-inflationary times. When it comes to aging, gold clearly has the edge.
How can gold, paper and the blockchain adapt to the changes of time?
With gold this is possible quite easily. In extreme cases, it can be melted down and re-minted into current coins. In the case of paper money, for example after a currency reform, old money will be exchanged for new money in order to maintain its value in the long term.
The blockchain will also have to be continuously adapted to the improved capabilities of attackers by modernizing the cryptographic methods, so as not to become irrelevant at some point. The contracts and values that the bits represent in the blockchain will thus have to be renewed repeatedly. However, this adjustment cannot be done centrally, as is the case for bank notes, for example. Instead, similar to changing paper money, it will only be possible decentrally and with the collaboration of the owners.
This also means that lost bitcoins will ultimately reemerge. However, this will not benefit the original owner, who e.g. accidentally disposed of bitcoins in the trash, but any attacker who is able to break their public keys as a result of advances in cryptanalysis.
The easy exchangeability into normal currencies even makes this recycling of old into new coins an interesting business model.
For the first time, it is thus possible to directly earn money with successful cryptanalysis. For example, breaking the known public key that is contained in block 10 would bring a return of 50 bitcoins, currently worth about half a million dollars.
Contrary to what is often assumed, there will therefore not be any long-term deflation in the blockchain.
The aging of the cryptographic methods involves a constant refreshing of the contracts contained in the blockchain.
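For owners, this refreshing starts with knowing which of their outputs already publish a public key on-chain, as the early pay-to-public-key outputs do. The following added example (not from the original article) classifies raw output scripts by their standard template; the sample scripts are constructed from dummy bytes, and the function names and the `spent_from` flag are assumptions made for illustration.

```python
# Added example. Sample scripts below are constructed from dummy bytes, not real outputs.
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


def classify_script(script):
    """Return (template, key_on_chain) for a raw output script (scriptPubKey)."""
    n = len(script)
    # Pay-to-public-key: <push 33|65> <pubkey> OP_CHECKSIG. The key itself is stored.
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        if (n == 35 and script[1] in (2, 3)) or (n == 67 and script[1] == 4):
            return "p2pk", True
    # Pay-to-public-key-hash: only a 20-byte hash of the key is stored.
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", False
    if n == 23 and script[:2] == bytes([OP_HASH160, 20]) and script[22] == OP_EQUAL:
        return "p2sh", False
    if n == 22 and script[:2] == bytes([OP_0, 20]):
        return "p2wpkh", False
    if n == 34 and script[:2] == bytes([OP_0, 32]):
        return "p2wsh", False
    # Taproot: OP_1 <32-byte output key>. The (tweaked) public key is stored.
    if n == 34 and script[:2] == bytes([OP_1, 32]):
        return "p2tr", True
    return "unknown", False


def outputs_to_refresh_first(utxos):
    """utxos: (label, script_hex, spent_from) tuples; spent_from is a hypothetical
    flag meaning an earlier spend from the same address already revealed the key."""
    at_risk = []
    for label, script_hex, spent_from in utxos:
        kind, key_on_chain = classify_script(bytes.fromhex(script_hex))
        # A hashed template hides the key only until the first spend publishes it.
        if key_on_chain or (spent_from and kind in ("p2pkh", "p2wpkh")):
            at_risk.append((label, kind))
    return at_risk


SAMPLE = [  # constructed inputs: (label, script hex, spent_from)
    ("early-coinbase", "41" + "04" + "11" * 64 + "ac", False),
    ("fresh-p2pkh", "76a914" + "22" * 20 + "88ac", False),
    ("reused-p2pkh", "76a914" + "33" * 20 + "88ac", True),
    ("segwit-v0", "0014" + "44" * 20, False),
    ("taproot", "5120" + "55" * 32, False),
]

if __name__ == "__main__":
    for label, kind in outputs_to_refresh_first(SAMPLE):
        print(label, kind)
```

Outputs that store only a hash of the key still depend on the hash function holding, so they are lower priority rather than exempt from refreshing.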
This makes the discovery after thousands of years, as is possible with gold, rather impossible for the blockchain.
As far as long-term preservation is concerned, bitcoin is therefore not the new gold, but rather plays in the paper money league.
The blockchain is thus neither suitable as a daily means of payment, nor as a long-term investment, which - once acquired - is never touched again. However, crypto currencies seem to be quite suitable as medium-term investments for some years.
The following is a brief overview of the lifetime of various cryptographic methods.
A.1 Symmetric encryption
The 56-bit Data Encryption Standard DES was first published in 1975 and issued as the standard of the USA by NIST two years later. In 1995, a DES-encrypted message was publicly broken. After further attacks, the standard was officially withdrawn in 2005. The lifetime of DES therefore comes to a maximum of 30 years.
The life of the 112-bit successor 3DES, which was published in 1995, was quite similar. In 2016, an attack came to be known, with which 3DES can be deterministically broken, once you have seen 785 GB of encrypted data. Since then, this crypto method is considered weak and will be gradually removed from all protocols such as TLS. So here it took just 21 years until a significant attack was known.
The current standard AES was declared the winner of a competition in 1998. Several versions were defined, from a 128-bit key length up to the somewhat stronger 256 bits. With its almost 22 years of age, AES is doing surprisingly well and has got no more than a few scratches so far. But even here the impacts are coming closer.
A.2 Hash functions
The Message Digest Algorithm 5, MD5 for short, was developed in 1991 and was subsequently the most widely used algorithm for hashing data for many years. In 2004, it could be shown that the algorithm has weaknesses. Four years later, SSL certificates signed with MD5 could already be counterfeited. Meanwhile you can cause collisions on normal hardware within seconds. Although the more difficult problem of the complete reversibility of the calculation is not solved yet, MD5 is now considered cryptographically broken. The lifetime of MD5 was therefore barely 17 years.
SHA-1 was defined in 1995, by improving its predecessor SHA-0 of 1993 in terms of a small but important detail. The first, at that time still theoretical, attacks came to be known in 2005. Only in 2017 and also thanks to ‘Moore’s law’, the hardware became fast enough to calculate a collision for the first time. This required computing power worth more than a hundred thousand dollars. Meanwhile you only have to spend about ten thousand dollars for it. Thus, SHA-1 signatures offer virtually no security in practice anymore. Since 2013, i.e. 18 years after its specification, according to NIST, you are no longer allowed to use the algorithm for signing new documents.
In 2001, a different set of hash functions was defined under the name of SHA-2, starting from SHA-256, which uses 32-bit values, and SHA-512, which calculates with 64-bit values. Since the calculation of a SHA-2 hash takes significantly longer than with SHA-1, it took a few years before these algorithms became mainstream. In the meantime, SHA-256 has become the de-facto standard for cryptographically secure hash functions. At the moment it is also used in several blockchains, for example in bitcoin.
Practical attacks on SHA-2 are not yet known. However, the published partial successes show a certain progress. As is generally known, the attacks of cryptographers are becoming better and better and never worse.
Especially the surprising progress made by cryptographers in 2004 and 2005 induced the American standardization organization NIST to organize a long-term competition for a successor to SHA-2. In 2012, ‘Keccak’ was selected as the winner and in 2015, it was standardized under the name of SHA-3.
This way a new hash family could be established before the urgent need for it was really there. It cannot yet be predicted today how robust SHA-3 will be in practice. However, the conscious turning away from the Merkle-Damgård construction, which, amongst others, was used in MD5, SHA-1 and SHA-2, and made attacks between them transferable, seems to have increased the robustness of SHA-3 significantly.
A.3 Asymmetrical encryption
The RSA cryptosystem is the best known asymmetric encryption method, where messages are encrypted with public keys, which only the owner of the private key can read.
The strength of RSA is based on the fact that large numbers are very difficult to decompose into their factors. The RSA Factoring Challenge offers a good overview of the skills of attackers. Recently, the second 768-bit key on this list was broken.
RSA handles the increasing computing power of an attacker with ever longer keys. Whereas 30 years ago, 512-bit keys were still considered secure and widely used, nowadays they can be broken via cloud computing for less than $100. Therefore, today RSA keys must have at least 2048 bits. And even this will only suffice for another 30 years.