August 01, 2023 Feature

Cryptocurrency: A Need for Integrity

Hoyt L. Kesterson II

Digital data is never transferred or moved. Instead, a copy of that data is created. Extra steps must be taken to remove the initial instance, and sometimes a complete deletion of all instances of that data other than the final instance may be very difficult to achieve. This characteristic is what makes the implementation of digital currency so difficult.

For example, Dick has $100 USD in digital currency. He wants to transfer $20 to Jane. Jane receives a copy, but Dick still has his. One cannot build a funds transfer system that is dependent on Dick’s goodwill to not transfer that $20 to someone else.

What’s needed is an authoritative list of each instance of currency associated with the recognized holder of that instance. That could be done in a variety of ways. The issuer, e.g., a government mint, could monitor each instance of currency. It would note that Bill has that $20. Bill’s transferring that amount to Jane would not only notify Jane, but also the issuer, which would then record that the holder of that instance of currency was now Jane. If Bill tried to transfer that instance again, the issuer would block it.

But the community that created bitcoin did not want a digital currency controlled by a central authority such as a bank or government. They chose to implement a ledger that was not controlled by a central authority. They called it blockchain. The two major problems they had to solve were how to maintain the integrity of that ledger, i.e., make it impossible to undetectably change the contents of the ledger, and how to remove the need for a centralized authority to manage the ledger. Cryptographic hashing provided the answer to both.

Cryptographic Hashing 101

A hash function will transform a set of data to produce a fixed-length string of bits, typically much shorter than the input. If one hashed the video of John Wick, changed one pixel, and hashed the video again, the second hash would be unpredictably different. One cannot extract the original content from a hash. Hashing is used in a lot of ways, and not all hash functions are cryptographically sound. A strong cryptographic hash function has two characteristics:

  • One cannot create two sets of data that would hash to the same result; this is called collision resistance; and,
  • Given a hash, one cannot create the data that would generate that hash; this is called preimage resistance.

The National Institute of Standards and Technology has published several standards for a Secure Hash Algorithm—SHA-2, SHA-3; there are variants that produce hashes in different lengths.

One can assert that a collection of data has not changed by producing a hash of the data and protecting the hash result. When it becomes necessary to verify that the data has not changed, one generates a hash of the purported data and compares it to the previously created hash; if the hash results are identical, the data has not changed.

In 1991 Stuart Haber and W. Scott Stornetta, both of Bellcore, published “How to Time-Stamp a Digital Document,” describing how a chain of hash results could prove the existence of digital data at a point in time. Founded in 1994, Surety offered a time-stamping service in 1995 by rolling a hash of the digital data into a chain of hashes with the last result initially published in the classifieds of the New York Times.

Bitcoin was invented in 2008 and started in 2009. Its innovation is the decentralized method of controlling the building of the chain of hashes and ledger data, now called a blockchain. Essentially, it’s a technical free-for-all in which any entity can gather ledger entries documenting the transfer of cryptocurrency and try to build a hash of all the new entries and of the previous blocks.

To make this difficult, Bitcoin will specify the number of leading zeros that must be present in the hash result. The preimage resistance of the cryptographic hash function makes it mathematically infeasible to produce data that will result in a specific hash. There’s no algorithmic shortcut; one hashes a set of values to see if the result has the required number of leading zeros. The cryptocurrency miner changes the result by placing a different value in the nonce field and then recomputes the hash. Repeat until success to win coins or until someone else is successful; then start over. A miner needs to be able to generate a lot of hashes very quickly.

[Figure: Proof of Work: Hash Must Satisfy Constraint]
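
The chain of hashes and the nonce search described above, as an added example that is not part of the original article and is not Bitcoin's actual block format. The JSON block layout, the single SHA-256 pass, the difficulty of 12 leading zero bits, and the ledger entries are assumptions constructed for illustration.

```python
import hashlib
import json

DIFFICULTY_BITS = 12  # constructed difficulty: hash must begin with 12 zero bits

def block_hash(prev_hash: str, entries: list, nonce: int) -> str:
    """SHA-256 over the previous block's hash, the ledger entries and the nonce."""
    payload = json.dumps([prev_hash, entries, nonce], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def meets_constraint(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """True when the hash, read as a 256-bit number, has `bits` leading zero bits."""
    return int(digest_hex, 16) >> (256 - bits) == 0

def mine(prev_hash: str, entries: list, bits: int = DIFFICULTY_BITS) -> dict:
    """No shortcut exists: try nonce after nonce until the hash satisfies the constraint."""
    nonce = 0
    while not meets_constraint(block_hash(prev_hash, entries, nonce), bits):
        nonce += 1
    return {"prev": prev_hash, "entries": entries, "nonce": nonce,
            "hash": block_hash(prev_hash, entries, nonce)}

def verify_chain(chain: list, bits: int = DIFFICULTY_BITS) -> int:
    """Return the index of the first bad block, or -1 if the whole chain checks out."""
    prev = "0" * 64
    for i, b in enumerate(chain):
        recomputed = block_hash(b["prev"], b["entries"], b["nonce"])
        if b["prev"] != prev or recomputed != b["hash"] or not meets_constraint(recomputed, bits):
            return i
        prev = b["hash"]
    return -1

def build_sample_chain() -> list:
    """Constructed ledger entries, using the names from the article's example."""
    chain, prev = [], "0" * 64
    for entries in ([["mint", "Dick", 100]], [["Dick", "Jane", 20]], [["Jane", "Bill", 5]]):
        block = mine(prev, entries)
        chain.append(block)
        prev = block["hash"]
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    chain[1]["entries"][0][2] = 2000   # rewrite history: alter the $20 transfer
    print("first bad block after tampering:", verify_chain(chain))
```

Editing an entry breaks that block's stored hash, and re-mining the edited block only moves the failure to the next block, whose recorded previous hash no longer matches.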

A major issue with this approach is that an enormous amount of power is consumed by the multiple entities executing many hash functions with all results being discarded until a result satisfies the constraint. That constraint is occasionally tightened, requiring more leading zeros and thus increasing the need to consume more power to compute more hashes to determine the mining entity that wins the right to link that block of ledger entries into the chain.

There is certainly an environmental impact from performing all those computations; since only one computation matters, one might be concerned that so much power is consumed performing computations that are tossed away. Governments must consider and control how cryptocurrency mining affects the power grid. China banned such mining in 2021. The New York Times published an article in April 2023 describing how Texas manages the impact such mining has on its power grid.

To reduce the amount of energy consumed in managing its cryptocurrency, Ethereum switched to a proof of stake method to control the management of the chain in September 2022.

    The material in all ABA publications is copyrighted and may be reprinted by permission only.

    Hoyt L. Kesterson II is a security and risk architect. He has more than 50 years of experience in information security. For 21 years he chaired the international standards group that created the X.509 public-key certificate, a fundamental component in digital signature and securing web transactions. He is a co-chair and founding member of the ABA’s Information Security Committee. He is a testifying expert. From 2011 to March 2023 he was a PCI Qualified Security Assessor who helped clients meet compliance requirements for ensuring that the integrity and confidentiality of payment card data are maintained. He holds the CISSP and CISA certifications. He authored the article, “What’s Quantum Computing Got to Do with It?” on post-quantum cryptography in the Spring 2022 issue of The SciTech Lawyer.