Although Elixxir was announced last month, I only got around to reading the technical brief today. The project stands out owing to its leadership, being spearheaded by a man variously labelled as the ‘Father’, ‘Grandfather’ or ‘Godfather’ of crypto, David Chaum.
Chaum has been contributing to the sector since well before the birth of most in crypto, conceiving of eCash in the 1980s before subsequently founding DigiCash to realise his vision in 1990. DigiCash allowed for anonymous transactions which were untraceable by both issuing banks and any third party. It also targeted web-based micropayments. However, despite a number of high profile deals with the likes of Deutsche Bank and Credit Suisse the company failed owing to a lack of demand from consumers combined with resistance from other parties such as banks and merchants.
Nearly two decades after DigiCash was sold off, Chaum has returned with a new project known as Elixxir. Although the whitepaper is yet to be released, the team have released a technical brief which provides some guidance as to the aspirations and technical foundations of the project. The brief also sets out its ideological stall with the republication of a 1987 essay in which Chaum notes, amongst other things, that:
- Large-scale automated transaction systems are imminent. As the initial choice for their architecture gathers economic and social momentum, it becomes increasingly difﬁcult to reverse. Whichever approach prevails, it will likely have a profound and enduring impact on economic freedom, democracy, and our informational rights
- When information about the transactions of individuals and organizations is partitioned into separate, unlinkable relationships, the trend toward large-scale gathering of such information, with its potential for manipulation and domination of markets, can be reversed
- Additionally, the same sophisticated data acquisition and analysis techniques used in marketing are being applied to manipulating public opinion and elections as well
- The new approach provides a practical basis for two new informational human rights that is unobtainable under the current approach:
- The right of individuals to parity with organizations in transaction system use
- The right of individuals to disclose only the minimum information necessary: in accessing information sources and distribution channels, in transactions with organizations, and–more fundamentally–in all the interactions that comprise an individual’s informational life
The subsequent 30 years have proven him correct on many , with his prescient comments about data acquisition manipulating public opinion and the current lack of individuals parity with organisations particularly problematic.
It is easy to write something that sounds ‘good’, but what sets Chaum apart is that his whole life has been dedicated to realising such words. It is hard not to admire someone who has worked so steadily and persistently towards these goals, and who has been championing them well before they rose to public consciousness. It is for this reason that Chaum has been such an important figure in the cypherpunk movement.
A brief reminder before I get onto Elixxir itself, I will write most of this as I read the whitepaper for the first time myself and as such concentrate on the bits that stand out/are interesting rather than going through everything. I am also not validating a team’s claims, simply trying to explain what it is they are saying they will do. Finally, the technical briefing is just a precursor to the whitepaper. As such there will likely be plenty that needs to be updated at a later date because either the full technical details aren’t wholly fleshed out at this point or I may misinterpret elements of it.
Why should I care about Elixxir?
The technical brief opens with the same old spiel that to achieve mainstream adoption we need scale, high performance etc — so naturally Elixxir is promising speed and scale. It is a rather inauspicious start given that is what basically every single other project now promises.
The executive summary highlights the provision of both transactional and communication privacy, noting that “only senders and receivers can review and prove payment history” before explaining that “transaction data is not stored on the blockchain”. This obviously puts it more in line with other privacy focused cryptoassets which similarly don’t allow users to browse transactions or messages they were not involved in.
The summary also raises a few interesting points, namely:
The platform does not store transactions on the blockchain, only tokens, further protecting user privacy
I’m not sure quite what this means at the moment, perhaps similar to MimbleWimble where as long as everything sums to 0 then that is all that matters?
Payments use a faster hash-based ownership mechanism instead of digital signatures
This is interesting. I won’t go into it too much but if you don’t know what digital signatures are I would recommend reading my introduction to them here.
Essentially digital signatures are used by the likes of Bitcoin because they allow us to determine authenticity (because they are very hard to falsify, if I sign a transaction with a private key only I control then the recipient knows that the transaction is from me), non-repudiation (because it authenticates me as the sender, it also proves I sent the transaction at a certain time — I can’t later claim I didn’t send it then) and integrity (because they can be used to verify that the file I sent hasn’t been altered).
Digital signatures rely on hash functions and public key cryptography. Again, I won’t go into these here, but I have also written introductions to both which may be useful to better understand them. I’m guessing Elixxir are claiming that the processes of both hash functions and public key cryptography are what slow down digital signatures.
The Elixxir consensus requires nodes work in teams that are sequentially assigned the task of generating blocks as opposed to requiring all nodes to compete individually
Proof of Work is inherently competitive; miners work towards finding the same solution but only one can find it. The rest of the computational power is ‘wasted’ (a loaded term, and many would contend that it is not wasted) as it is not a collaborative effort.
The Elixxir model seems at first glance to fit more into some PoS or DPoS implementations, where the various delegates (producers, witnesses — whatever you want to call them) take it in turns to validate blocks. However, nodes are put into teams rather than doing it individually. This seems to be an attempt to take some of the things people would argue for in DPoS (collaboration reducing wasted effort) and combining it with a semblance of decentralization to try and avoid ending up with the oligarchies that DPoS inevitably leads to. I’m sceptical on anything resembling DPoS, so hopefully it is nothing alike.
The Elixxir platform targets verifiability, privacy and digital sovereignty because together they are the digital future
Nothing to add here, but it sets out what the project is concentrating on above all. This digital sovereignty is better explained in the introduction which sets out that:
Elixxir has been built for the user. Users generate and control their own keys. Users control access to all of their conﬁdential interactions. Users have exclusive access to all their digital property. Users control linkage of any personal credentials to their data. Users are in control of their digital future.
Again, this is very similar to what most other projects aim to provide.
How does it work?
Let’s delve into this team-based mining process.
Groups of nodes are organised into pseudo-random and temporary teams which start and end with the generation of a block. Once a block is generated, all nodes go back to looking for a new team. There can be hundreds of teams queued up to generate a block, and this process happens partially in parallel as a bit of each block is pre-computed to speed up the process (we will look at pre-computation later).
As for how these nodes are selected/participate, what is this lurking at the bottom of page 6?
“Nodes must be elected to participate in processing the messages and transactions on the Elixxir network. In order to be eligible for election, a node is required to stake tokens on the network. Once elected, a node is eligible to be placed into an Elixxir team.”
Nailed it. So it does use what seems to be a PoS/DPoS mechanism, albeit with a team twist (although Elixxir are labelling it as a new consensus system).
I guess the question is now, how are the larger stakers prevented from dominating the election process? This is the biggest issue with DPoS — that it leads to the big inevitably getting bigger, until they control the network. And if you make it not based on size, then large stakers can just split up their holdings by different nodes to increase their chances of being selected. Either way leads to block rewards flowing to an ever-shrinking amount of true underlying holders, increasing centralisation.
All that is currently outlined is that stake doesn’t influence the selection of nodes, and that stake is “currently equal for all nodes”. Later on the paper notes that “speciﬁcally, the greater computational capability or larger stake of a node does not advantage that node over others in this platform” and notes that it is Sybil resistant (intro to Sybil attacks here) because Elixxir will use elections to vote in nodes. I suspect this could end up being an article all to itself, but at first glance I don’t really see how elections logically prevent large holders just creating multiple nodes. However, the team provide links to three papers they have previously written on the subject which they describe as pioneering — I will try and include a more detailed look at these at some point in the future.
However, at present this election process is yet to be fully defined. The FAQs simply state that nodes have to both stake and satisfy the “verifiable, real-time inter-node performance tests” and that malicious nodes lose their eligibility to participate/stake. It also states that “nodes are elected via an approval vote by the community”, but again, there are no further details.
The composition of Elixxir blocks are also different to most blockchains. Rather than containing transaction details, blocks only store:
- The amount of tokens belonging to the sender’s address (now destroyed)
- The amount of tokens belonging to the recipient’s address (newly created)
Elixxir ‘mixes’ transactions to ensure those looking at the blockchain can’t link transactions or accounts together. This is done through the ‘cMix’ protocol, something Chaum brought up as early as 2016 for a different project named PrivaTegrity. cMix jumbles transactions together so that all block transactions are processed together as a batch and left anonymous. It achieves this through removing the sender’s identity from the transaction, batching all transactions in a block together before changing the order in which they appear. These transactions are then sent on to their intended destination.
Where Elixxir most obviously differs from other blockchains lies in how these transactions are constructed. Whereas most blockchains provide users with wallets, which they can access with a private key, Elixxir provides instead hash-based ownership.
What the hell is hash-based ownership?
Remember when I linked the introduction to hashes? This is why. Hashes are really important to blockchains and wider computing security. Hashes are probably most commonly represented as long alphanumeric values such as 00000000000000000021e800c1e8df51b22c1588e5a624bea17e9faa34b2dc4a. Basically, you can use an input of any size (and it doesn’t have to just be text either, you can use images for example) and it will automatically turn it into an output of a fixed length according to the hash function used. A common example are passwords on most websites, which get turned into a hash so they are not stored as plain text. These hash functions have a number of benefits which sees blockchains use them including:
- Fast (can compute and verify hashes quickly)
- Pre-image resistance (can’t use the output to find the input)
- Better for indexing (rather than dealing with lots of different inputs, all hashed outputs will be the same length)
- A given input will always equal an associated given output
So fundamentally, rather than using a private key to interact with the blockchain to prove your ownership of cryptoasset A, the user instead uses the hash of their secret (I guess you choose this when you set up an account?) to prove ownership over the Elixxir. When you transact with someone, the Elixxir then is reassigned from your hash to someone else’s. Most of this sounds analogous to other blockchains, but the main innovation of using hash-based ownership is the supposed increases in speed it engenders — Elixxir claims that hash-based ownership makes the network much faster to use than other blockchains, because they are quicker to use than digital signatures.
“Transaction processing is faster because hash-based ownership can be completed in a fraction of the time required for a digital signature in traditional blockchain platforms.”
One thing I was not initially clear on was the claim that “Elixxir secures individual tokens rather than securing an entire wallet as a whole. Each token owned by a user is secured through knowledge of an individual secret, which means that even if an attacker successfully performs a brute-force attack, only one single token from the user can be compromised”.
This is a point worth clarifying, because obviously a separate hash for each individual token would be ludicrous. Even though this is not the case, it differs from most other blockchains and I found it quite a confusing point.
Essentially, the user flow would be to create one account as normal with all of your ELIXXIR in. However, when transacting with a second party you would then create a new hash. If I wanted Alice to send me ELIXXIR, I would send her a hash generated from an input to my hash function. Alice can then send this to me. However, regardless of if I am sending or receiving, my main account is never linked to the chain because all secrets (the input to the hash function) are kept off-chain. I assume that I can still spend it from my main account, just the two are never actually linked due to the way Elixxir obfuscates transactions.
As such, a brute force attack against the account which Alice transacted with would only be able to take what she sent me — not the rest of my account holdings. And my main account is never linked to the main chain, staying ‘hidden’.
The combination of limited information available to those browsing the chain, a lot of account work being handled off chain and the cMix protocol provide the basis for how Elixxir is tackling privacy concerns. But what about speed and scale, the other two points addressed at the outset? This is where we return to pre-computation.
What the hell is pre-computation?
One of the ways Elixxir aims to speed up the process is by performing a lot of the block generation prior to the arrival of the data to be contained within said block. I think logically this is hard to understand at first glance. How can anything be done prior to the data for a block arriving? How can multiple blocks be in varying degrees of creation in parallel when data from the prior block must be included in the next one?
The brief states that “precomputations produce a template that dictates how the nodes within a team must process information during block generation. Consequently, the template is completely deﬁned before any message information arrives for block generation.” Precomputation is the first phase in the block production process, as the random team of nodes perform the precomputation which produces a “unique template deﬁning how the information or messages of the block will be processed.”
Then, when the block information arrives, the nodes process the messages in real time according to the pre-completed template. This, the team argues, saves a significant amount of time from the process.
The other thing Elixxir does to increase speed not touched upon thus far is the nature of finality. Blocks in Bitcoin, for example, have to be propagated to a majority of nodes before finality can be reached. Finality can take many confirmations, implementation dependent. Elixxir, however, claims that nodes reach finality by “evaluating short proofs that are propagated optimally through the network” which means finality is reached in seconds. Again, I think more information will be needed on this.
One thing that did stand out to me was a Wired article from 2016 in which Chaum discusses PrivaTegrity. PrivaTegrity planned to have nine servers spread across nine countries in ‘democratic governments’ and would have a back-door which, if the nine server owners agreed, would be able to strip the anonymity and privacy of any user transacting on the network.
I can understand the argument that it is better to provide a solution palatable to governments which can maintain all the ‘good’ people’s privacy than to have no mainstream solution for privacy because it is banned/restricted/too hard to convince people to use (e.g. Tor).
Of course, the usual back-breaking problem also applies, namely as to who decides what is good and the highly problematic issue of having just nine people in charge of the servers brings. This brings forth the need to trust against bribery and coercion, which is unpalatable.
“You have to perfect the traceability of the evil people and the untraceability of the honest people.” — David Chaum, Wired
I am not suggesting there is any such backdoor in Elixxir, but it is a radical change that has occurred in just two years — especially when some of the technology of PrivaTegrity (cMix) is being used on Elixxir. Having just nine servers is obviously also highly centralised and all serves to make it appear a slightly incongruent volte-face.
No ICO announced, a seed fund round is ongoing.
While I’m sceptical of some of the claims, I have also read a lot of hostile and unfair comments about Chaum. If Chaum was simply in it to enrich himself he could have taken up lucrative advisory roles in last year’s bull run. Someone of his stature could have made a small fortune joining one of the prominent ICOs or VC funded ventures.
By the same token, if it didn’t have David Chaum associated with it then I suspect the levels of scepticism would be off the charts given what is outlined in the technical brief.
There are claims of 10,000+tps, instant finality, invulnerability against 51% attacks, a new consensus algorithm, pre-computation of blocks, some sort of PoS/DPoS type implementation, guaranteeing equality for all users, token based activity rather than wallets, the eschewing of digital signatures, transaction mixing, quantum computing resistance — there’s just a lot going on and scarce details on several key elements. I fall into the camp that I think many do currently, which is that of waiting for the team to release more information which will hopefully justify a lot of the claims made.
Disclaimer: I have made no investment in Elixxir/no current intention to do so.
You can follow me @FlatOutCrypto.