NIST takes aim at blockchain security hype


Blockchain technology is all the rage right now, largely because of the glitz of Bitcoin. While the concept of blockchain has been around since the early 1990s, it wasn’t until the advent of Bitcoin in 2009 that the idea of blockchains and distributed immutable ledgers grew popular as a way for a group of people to record transactions.

During the rapid run-up in the price of Bitcoin, we’ve seen many headlines about the potentially transformative nature of blockchain, such as How Blockchain Will Transform X, where X is the technology or industry of your choice. I think blockchain will have quite the impact over time but perhaps not as transformative as many predict.

Others in these blogs have provided a good overview of blockchain, such as Max Hemingway’s B is for Blockchain and Frank Cutitta’s Blockchain has an identity problem, the latter of which details the challenges of describing and implementing blockchain.

One of the best overviews of blockchain that I’ve read recently, and the impetus for this post, is NIST’s new publication on the subject, Blockchain Technology Overview (available here as a .pdf). The “overview” provides a technical deep dive into the technology and also tackles some of the hype around the concepts of blockchain. It’s still a draft and NIST is looking for public comment through February 23.

The report authors summed up the point of the paper this way: “Because there are countless news articles and videos describing the “magic” of the blockchain, this paper aims to describe the method behind the magic (i.e., how a blockchain system works). There is a high level of hype around the use of blockchains, yet the technology is not well understood. It is not magical; it will not solve all problems.”

“As with all new technology, there is a tendency to want to apply it to every sector in every way imaginable. This document attempts to bring a high-level understanding of the technology so that it can be applied effectively,” it continued.

To that aim, the NIST paper details blockchain architecture, how blockchains work in operation, and how consensus on the blockchain works. It also dives into smart contracts, blockchain categorizations and platforms (such as Bitcoin and Ethereum). If you have been looking for a technical dive into many of these concepts, this is a great place to start.

As a security person already familiar with many of these concepts, I was especially interested in the section Blockchain Limitations and Misconceptions. If you are familiar with the Gartner Hype Cycle, you likely know how new technologies flow from the “technology trigger” up to the “peak of inflated expectations,” down into the “trough of disillusionment,” along the “slope of enlightenment,” and finally onto the “plateau of productivity.” It’s fair to say that, when it comes to blockchain, we are closer to the peak of inflated expectations than to the plateau of productivity.

Likewise, when it comes to security implications, blockchain is also near peak hype. The NIST report authors put it this way: “There is a tendency to overhype and overuse most nascent technology. Many projects will attempt to incorporate the technology, even if it is unnecessary. This stems from the technology being relatively new and not well understood, or the technology being surrounded by misconceptions. Blockchain technology has not been immune.”

With that, there are six primary areas where NIST found serious security misconceptions. The first is the belief that permissionless blockchains are systems without control or ownership. Not necessarily so, the report authors contend: while no single user, government, or country controls a blockchain, there are still groups of developers responsible for the system’s development. “These developers may act in the interest of the community at large, but they still maintain some level of control,” the report states.

The other areas cover how malicious users can game the blockchain in permissionless systems; the notion that “no trust” is needed within the system; resource usage; the transfer of the burden of credential storage to users; and the fact that blockchains are not actually designed to be dedicated identity management systems. For more details on these, have a look at the report yourself.


  1. Ronald Sonntag says:

    Eager to follow up on your links and thank you for an excellent summary and introduction!
