News.EOS.WiKi Bilingual News & Info Of EOS

Infinitely Scalable and Private Digital Cash

Translated:

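Blockchain technology has given rise to a range of digital currencies and smart contract platforms, and it promises to bring free-market solutions to the two most critical layers of a stable society, its money and its contracts, thereby avoiding government interference in them. The industry's challenge over the past decade has been to understand the uses and limits of the technology Satoshi Nakamoto created. In my previous article, The Ideal Cryptocurrency, I said that I do not believe Bitcoin and other blockchain technologies can solve the problem of free-market money at scale, and I therefore proposed a new standard for an ideal cryptocurrency. Because they cannot scale without relying on centralization, currencies like Bitcoin will meet the same fate as gold and silver coins.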

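An ideal cryptocurrency should be like a copper coin that you can transfer instantly anywhere in the world without paying any fee. I use copper coins as the analogy because gold and silver coins cannot be divided finely enough without financial intermediaries, that is, banks. So unless Bitcoin transaction fees fall substantially, Bitcoin is harder to divide than gold and copper.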

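I have been researching solutions to this problem, and I believe we will soon have a technical one. Imagine that you no longer need to sign a transaction with your private key to transfer Bitcoin, and instead simply give someone your private key and know, know for certain, that the other party cannot retain the private key. If software could enable this kind of interaction, millions of such transactions could take place every second, all in complete privacy, with a far lower risk of counterfeits than the cash we have used for centuries!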

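Imagine further that whenever you doubt whether you are the sole holder of the private key, you can pay a fee to move the tokens to a key you trust. It is like suspecting a banknote is counterfeit, taking it to the bank, and paying a fee for a fresh one.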

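Contemporary smartphones and the M1 series of Macs include secure enclave technology with key attestation. This lets a third party verify that a secure enclave manages a given key and, most importantly, lets the third party know how many times it has been used to sign something. This is a powerful primitive, and this article explores how it can be applied to cryptocurrencies. With a few additional hardware primitives, we could eventually create stronger and more secure solutions.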

Digital Cash

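A signed application running on a secure operating system can use an attested hardware key to generate and encrypt a private key. Using Apple's attestation features, other applications can obtain a copy of the private key and know (with confidence) that the sender has deleted the key. How does this work? The sender's device requests a public key from the receiver's device, one that has been attested as belonging to a particular application. The sender re-encrypts the private key to the receiver's public key and then deletes the sender's private key and hardware key. The receiver obtains the private key and can then choose whether to verify that the tokens exist on a public blockchain.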

Once a private key has been viewed, the application enforces that it cannot be sent on to anyone else.

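This system is clearly not perfect either. A sufficiently skilled hacker could extract the private key from their own local device without the application knowing that the key had been viewed. The hacker could then send the private key to multiple parties to launch a double-spend attack, and use the private key to move the tokens on the blockchain before the receivers notice.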

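With the right firmware on a device like a Yubikey, such attacks would be possible only for state actors and would be very costly. Each private key is like the serial number on a fixed-denomination banknote. Given that the attacker's cost is far higher than the value of any individual private key, they have no economic reason to do it.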

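Fortunately, 99.99% of people are not skilled hackers. This means that receiving a private key that controls some blockchain tokens is still much safer than receiving a banknote. It means transactions can complete at the speed of light without waiting for block confirmation. It means transactions can be completed offline and in complete privacy. It also means no transaction fees.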

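The final layer of security would integrate a decentralized web of trust, with every private key retaining a history of its "owners" that only the application knows and the user does not. This history can then be used to create an automated risk score. As long as a key is transferred only within your local web of trust, the risk of attack is very low, even if you have no firmware at all.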

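Block.one has an innovation lab where we try out ideas like this. We built an application called Mojey that lets you transfer digital tokens over Bluetooth and Messages. No internet connection is needed. The application uses white-box cryptography, Apple's key attestation, and various code-scrambling techniques and jailbreak-detection algorithms to keep the application secure. For various reasons, block.one never put the application on the app store, so it was released as open source software. I would like to thank Todd and Thomas for their efforts in building this prototype.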

Limitations

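Despite the many benefits of digital cash, it still lacks one property many people rely on: the ability to back up tokens. Because the software enforces that the private key exists in only one place at a time, you run the risk of losing your device. In that respect it is much like banknotes and coins.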

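Before the M1 series of Macs was released, the whole system depended on Apple's goodwill in allowing such an application in its store. Since the release of that series, we have had a (relatively) open platform, but this relative openness compared with iOS comes with fewer of the protections iOS provides and less of the convenience of a phone.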

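Clearly, digital currency implemented this way is not as secure as a confirmed Bitcoin transaction, but it may still be more secure than an unconfirmed one. It may even be more secure than a banknote transaction. If you do business with people you know and they give you a "counterfeit key", you can contact them and have them pay. The only risk in using digital cash then comes from accepting payments from anonymous sources.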

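I believe that less than "perfect" solutions are still worth exploring, as long as they enable powerful new use cases with an acceptable level of risk/reward. For thousands of years we have used money that was not completely secure, so why ignore the potential transactions made possible by a slightly imperfect way of transacting? After all, many people leave their doors unlocked, or use just a half-inch door bolt that is easily forced. Let's not let the perfect be the enemy of the "good enough".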

Original:

Blockchain technology has enabled a host of digital currencies and smart contract platforms with the promise of bringing free market solutions to government interference in the most critical components of a stable society: its money and contracts. The challenge of the past decade has been to understand the uses and limitations of the technology that Satoshi introduced. In my previous article on The Ideal Cryptocurrency I documented my belief that Bitcoin and other blockchain technologies are unable to solve the problem of free market money at scale and set a new standard for an idealized cryptocurrency. The inability to scale without centralization means currencies like Bitcoin will suffer the same fate as gold and silver coins.

An ideal cryptocurrency should act like copper coins that you can transmit instantly anywhere in the world without a fee. I use copper in the analogy because gold and silver are not sufficiently divisible without adoption of financial intermediaries, aka banks. Unless Bitcoin transaction fees fall substantially, Bitcoin is far less divisible than gold, silver, and copper.

I have been investigating solutions to this problem and believe we are on the cusp of a technological solution. Imagine for a moment that instead of using your private key to sign a transaction to transfer your Bitcoin, you could just give someone your private key and know, with a very high degree of certainty, that the other party does not retain a copy of it. With software tools that enable this kind of interaction, millions of transactions per second could occur in complete privacy with a potentially lower risk of counterfeit than the paper money we have used for centuries!

Now imagine that if at any time you have any doubts as to your sole possession of the private key you could pay a fee to transfer the token to a new key you do trust. It would be like taking a suspect bill to a bank and paying a fee to mint a fresh bill.

Modern cell phones and M1 Macs contain secure enclaves with key attestation. This allows third parties to validate that a particular key is managed by the secure enclave, and critically, to know how many times it has been used to sign something. This is a powerful primitive and this article will demonstrate how that primitive can be used for cryptocurrencies. With a few additional hardware primitives we could eventually create even more powerful and secure solutions.

Digital Cash

A signed application running on a secure operating system can generate and encrypt a private key using an attested hardware key. Using Apple’s attestation features, other applications can receive a copy of the private key and know (with high confidence) the sender has deleted the key. How does this work? The sender’s device requests a public key from the receiver device that is attested to belong to a particular application. The sender then re-encrypts the private key to the receiver’s public key and then deletes the sender’s private key and the hardware keys. The receiver gets the key and optionally verifies that the coins exist on a public blockchain.
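The handoff described above, modelled end to end as an added example (it is not code from Mojey or block.one). Assumptions: an HMAC under `VENDOR_ROOT` stands in for the platform vendor's attestation signature, a toy Diffie-Hellman group stands in for real public-key encryption, and `Wallet`, `APP_ID` and the method names are hypothetical.

```python
import hashlib, hmac, secrets

VENDOR_ROOT = secrets.token_bytes(32)  # assumption: stands in for the vendor's attestation root
APP_ID = b"com.example.cashapp"        # hypothetical application identifier
P, G = 2**255 - 19, 2                  # toy group for this sketch; far too small for real use

def _mask(shared: int, data: bytes) -> bytes:
    """XOR data with a pad derived from the shared secret (seals and unseals)."""
    pad = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    return bytes(x ^ y for x, y in zip(data, pad))

def attest(app_id: bytes, pub: int) -> bytes:
    """Models the vendor vouching that `pub` is held by an enclave running `app_id`."""
    return hmac.new(VENDOR_ROOT, app_id + pub.to_bytes(32, "big"), hashlib.sha256).digest()

class Wallet:
    def __init__(self, app_id: bytes = APP_ID):
        self.app_id, self.coin_key = app_id, None
        self._priv = secrets.randbelow(P - 2) + 1  # transport key, stays in the "enclave"
        self.pub = pow(G, self._priv, P)

    def receive_offer(self):
        """Receiver -> sender: transport public key plus its attestation."""
        return self.pub, attest(self.app_id, self.pub)

    def send(self, pub: int, proof: bytes):
        """Sender: verify attestation, seal the coin key to the receiver, delete own copy."""
        if self.coin_key is None:
            raise RuntimeError("no coin key held (already transferred)")
        if not hmac.compare_digest(proof, attest(APP_ID, pub)):
            raise ValueError("receiver key is not attested for the expected application")
        eph = secrets.randbelow(P - 2) + 1
        sealed = _mask(pow(pub, eph, P), self.coin_key)
        self.coin_key = None  # single possession: the sender forgets the key
        return pow(G, eph, P), sealed

    def accept(self, eph_pub: int, sealed: bytes):
        """Receiver: unseal with the enclave-held transport key."""
        self.coin_key = _mask(pow(eph_pub, self._priv, P), sealed)

def demo():
    alice, bob, rogue = Wallet(), Wallet(), Wallet(app_id=b"com.example.modified")
    alice.coin_key = coin = bytes(range(32))  # constructed sample coin key
    rejected = False
    try:
        alice.send(*rogue.receive_offer())    # attested, but for a different application
    except ValueError:
        rejected = True
    bob.accept(*alice.send(*bob.receive_offer()))
    return rejected, bob.coin_key == coin, alice.coin_key is None
```

The deletion in `send` is enforced only by application code, so the receiver's confidence rests entirely on the attestation showing that the peer runs the unmodified application.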

The application would enforce that a private key could not be sent on to any other user once it had been revealed.

This system is clearly not perfect. A sufficiently advanced attacker would be able to extract the private key from their local device without the application knowing it had been read. Then they could use this to attempt a double spend attack by sending the private key to multiple parties and then use the private key to move tokens on a blockchain before the receivers notice.

With the right firmware on a Yubikey-like device, such attacks could be limited to state actors and would be incredibly expensive. Each private key would be like a serial number on fixed denomination paper bills. Given the cost of the attack is much greater than the value of an individual private key, there is no economic incentive to even attempt it.

Fortunately, 99.99% of people are not sufficiently advanced attackers. This means that receiving a private key controlling some blockchain based tokens could be safer than receiving a paper bank note. It means that transaction finality can be at the speed of light instead of waiting for a block confirmation. It means transfers can occur without the internet and with complete privacy. It means no transaction fees.

A final layer of security is to integrate a decentralized web of trust, and every private key would retain a history of “owners”, known only to the application and not to the user. This history could be used to create an automatic risk score. As long as the key is only being transferred among people in your local trust network, the risk of an attack can be quite low even without any hardware-based security.

Inside block.one there is an Innovation Lab where we play with ideas like this. We built an application we call Mojey which allows you to transfer digital tokens via Bluetooth and Messages. No internet connection is required. The application is secured using Whitebox crypto, Apple’s key attestation, and various code scrambling techniques and jailbreak detection algorithms. For various reasons block.one will never publish this application to the app store, so it was released as open source software. I would like to thank Todd and Thomas for their effort in building this prototype.

Limitations

Despite the many great things about digital cash, it does lack one property that many people rely upon: the ability to back up your tokens. Because the software enforces that your private key exists in only one place at a time, you run the risk of losing your device. In this situation it really is like cash and coins.

Until the M1 Macs were released this entire system depended upon the good graces of Apple allowing such an application in their store. With the M1 Macs we now have a (relatively) open platform, but that relative openness compared to iOS also reduces some of the protections provided by iOS as well as the conveniences of a mobile device.

Clearly digital cash implemented in this manner is not as secure as a confirmed Bitcoin transaction, but it just might be more secure than an unconfirmed transaction. It may even be more secure than dealing with paper money. If you are doing business with known parties and they pass you a “counterfeit key” then you can simply contact them and ask them to make good on their payment. This leaves the only risk to using digital cash to those accepting payment from anonymous sources.

I believe that it is worth exploring less than “perfect” security solutions if they enable powerful new use cases with acceptable levels of risk / reward. We have thrived for thousands of years with less than perfect security on our money; why should we ignore the potential practical trade-offs made possible by slightly less than perfect security? After all, many people leave their doors unlocked or secured by a half inch of pine that is trivially kicked in. Let’s not let perfect be the enemy of good enough.

Original URL:

https://moreequalanimals.com/posts/digital-cash
