Towards Deeper Collaboration in Distributed Ledgers: Thoughts on Digital Asset’s Global Synchronisation Log

It’s now almost two months since we open-sourced Corda and I’m delighted by the reception it has received. In our rapidly growing community, we’re already seeing new users grow into leaders who help other newcomers get to grips with the platform.

And I am amazed by the number of inbound messages from users who have been impressed by the quality of Corda’s design and codebase – and who are already building significant applications and products on top of it. Indeed, as I write this, one of our member banks is running a global hackathon, with over 150 of their developers building on Corda and I’ve just returned from our Asia Members’ Conference in Hong Kong, where I sat through so many presentations about Corda projects I didn’t even know were happening…

If you’re not already on our Slack or participating in our discussion forum, you’re missing out!

But one additional benefit from delivering on our commitment to make Corda Open Source is that it means we can explore opportunities to collaborate with peers, competitors and partners across the ecosystem: identifying areas where our visions are aligned, where we see things the same way and where we might be able to reuse rather than needlessly reinvent.

A good example of the potential for firms who some might see as competitors (but who actually aren’t…) to collaborate was provided late last year in the form of an excellent whitepaper from Digital Asset: The Global Synchronization Log.  The paper helps clarify some really important aspects of distributed ledger design and shows a really deep understanding of the tradeoffs that are inherent in the design of these platforms.

The first time I read the paper, I was struck by how closely our two firms’ visions for DLT are aligned. As Mike Hearn has written, there are two fundamentally different ways to design a DLT – “UTXO” or “replicated virtual machine” – and it was very encouraging when I realised that our two firms, completely independently, had both concluded that the correct architecture for a significant range of important financial services use-cases is the UTXO model.

This bears repeating: two firms who, in R3’s case, had worked with a huge consortium of financial institutions on a groundbreaking year-long Architecture Working Group and, in the case of Digital Asset, had begun delivery of implementations for clients, had reached extremely similar conclusions about what the “correct” architecture should look like.

But, in reading the paper, it was also clear that we had made some different decisions, too.  And the interesting thing is that the differences are almost all related to choices we’d made about acceptable tradeoffs.  As I’ve often written, there are no perfect solutions in DLT; just tradeoffs. But I will also freely admit that we made some additions to Corda’s technical vision in the light of the paper!

So it’s time, I thought, to share my thoughts on what I think are the key points in the paper and outline how I think Corda could be a perfect way to implement the concept.

What is the Global Synchronisation Log?

At the heart of this space is a beguilingly simple vision:

DLT allows me to build systems where “I know that what I see is what you see”

That is: if a computer system that I own and run and which exists to serve my needs tells me something about a deal you and I have done, I want to know that the system you’re looking at, that you own and run and which exists to serve your needs, is telling you the same thing.

Before Bitcoin and blockchains and Distributed Ledger Technology there were only two ways of doing this, neither of them perfect:  1) we could build a centralised infrastructure and just agree to agree that whatever they say is the truth… consensus by authority, if you like or 2) we could build our own systems and then spend all our lives checking that they had come to the same conclusion about everything… consensus by reconciliation.

Bitcoin and the systems it inspired showed us there was a third way:  we could use advances in cryptography, consensus algorithms and other technologies to give ourselves near total assurance that our systems were in sync without having to employ armies of people to check.

But there was a problem… and this problem is at the absolute heart of everything that’s going on in the DLT space today: the solution invented by Bitcoin and refined through subsequent systems depends on all data being shared with all parties.  So you gain something amazing on one hand: an end to errors, duplication, inconsistency and associated risk. But, on the other hand, you create a privacy nightmare and a system that goes slower the more things you use it for.

This is precisely the conundrum that motivated the invention and development of Corda. We decomposed the building blocks of existing blockchain platforms and reassembled them in the light of the different threat-model we have, the different use-cases and different tradeoffs we are prepared to accept.

One of the key insights in our work was that, for our scenarios, we can separate transaction verification from the question of whether two verified transactions conflict with each other. I wrote about this when we first announced Corda in April last year.

We think the question of transaction verification should be down to the transaction participants: if one of them pretends that their smart contract produced a different answer to what it actually did then we’ll deal with it out-of-band; it’s a permissioned system and we know who they are…   They gain nothing by playing games like that.

But the question of which transactions actually get confirmed is a question for an independent observer; we need somebody we all trust to choose between two equally valid but conflicting transactions. At R3, we call this observer a notary but that’s just the name we use to generalise the role performed by miners in a traditional blockchain.

In so doing, we addressed many of the privacy and scalability issues of other platforms at a stroke.

But it’s a tradeoff, of course.  Because there’s something that a full public blockchain gives you that this approach doesn’t. Both approaches assure you that only valid transactions can get confirmed, but a full public blockchain also ensures that everybody gets to know when this happens.

But, of course, a traditional blockchain does this by using full broadcast, in the clear, of pretty much everything that happens. A privacy and scalability disaster.

So we had some very heated debates when we designed Corda about which tradeoffs were acceptable and which ones were not. And the GSL paper touches on all of them really succinctly.

Two of the more important debates were as follows:

  • If I send a full transaction to a notary (think ‘miner’ in a traditional blockchain), that could be a privacy leak: the notary gets to see all the data in the transaction. But if I only send the pieces of the transaction that the notary actually needs to see in order to decide transaction ordering then I could execute a “denial of state” attack by having the notary confirm an invalid transaction that “consumes” an input and stops a valid transaction from subsequently being confirmed.
  • If I send a transaction to a notary, how does it know which other parties to inform? I could execute an attack whereby I get a transaction confirmed but the other side doesn’t learn about it… that might allow me to selectively choose not to reveal it if it so suits me.

In Corda, we made the following observations. We said:

  • The “notary privacy versus denial-of-state” question is one that should be solved on a case-by-case basis. So we support “validating notaries” that need to see all data and “non-validating notaries” that just see the subset that allows them to make a confirmation decision. But we require that non-validating notaries record who sent them the transactions they sign so we know who’s to blame if anybody does try to do something nefarious.
  • But the notification issue is more tricky: recall, the full-broadcast solution used in “traditional” blockchains just won’t cut it. Indeed, that’s why, in Corda, there is no global broadcast, by design.  So if a notary is going to inform you that something happened, it needs to know who you are and how to reach you. But that’s also a privacy issue if you implement it simplistically. So users effectively need the right to decide who they trust more: the notary or their counterparties.

So now to Digital Asset’s paper.   What they propose is very reasonable.  In essence, they say the following:

  • The Digital Asset GSL model is comfortable with the risk of a “denial of state” attack. (As are we at R3 for many scenarios, by the way, because the mitigations are robust; but Corda’s default mode is to protect against this threat).
  • So this means it’s fine if the notary only gets to see the subset of a transaction that is needed in order to determine ordering/uniqueness.
  • But GSL users are entirely not OK if a transaction can be confirmed and yet all the affected parties don’t get to hear about it at the same time as the transaction submitter.

And the paper goes on to explain how they think that last problem should be solved.

In essence, they do the following:

  • They effectively add the identities of all the parties who should know about the transaction to the outside of the transaction. This is the part that the notary sees.
    • They don’t actually put the interested parties’ identities on directly – that would be a privacy leak – but that’s the effect; you can think of them as “tagging” the transaction with the list of everybody who needs to know about it.
  • But that’s not enough, of course. The notary doesn’t get to see most of the transaction contents, remember… so the list could be wrong and the notary wouldn’t know! So they go a step further.
  • They add an additional rule to the transaction verification logic: if the transaction doesn’t “tag” the right set of intended recipients then it isn’t considered valid.
  • So now you have something pretty cool: you can get a transaction that fails to tag the right people notarised just fine (the notaries are ‘non-validating’ in the DA model, remember). But the “attacker” gains nothing because the transaction itself won’t be considered valid per the rules of the system.  So whatever nefarious scheme you were plotting fails…
  • And if you do construct a valid transaction then the act of getting it confirmed is also the irreversible act of having the notary inform all affected parties. So a bad guy doesn’t get to withhold valid, confirmed transactions.
  • This approach binds the question of transaction validity to the question of notification of affected parties.  You can’t have one without the other.

So you achieve something useful: transaction contents remain visible only to those who need to see them, transaction verification is in the hands of those to whom they pertain, notaries don’t see what they shouldn’t and if a transaction gets committed all relevant parties get to hear about it.  For a good number of use-cases, that’s a decent set of tradeoffs.

So can Corda provide a solution for the GSL?

(Spoiler: YES!)

It turns out that Corda’s design already has every single one of the features needed to implement the GSL – apart from one, which we added specifically to address this requirement.

  • Corda’s notaries already log the transaction submitters when operating in non-validating mode so we already solve the “denial of state issue” just fine.
  • Corda already supports “transaction tear-offs”, the mechanism whereby only the relevant information is shared with third parties such as notaries, using Merkle trees.
  • Corda already supports the concept of “participants” – aka “tags” – a list attached to each transaction that identifies interested parties.
  • Corda’s transaction verification engine already allows contracts to verify that the participant list is correctly populated.

So we already have the mechanism to bind the verification to the population of the notification list.  But the “out of the box” design does not then ensure the notification actually happens…  This was a deliberate choice based on prioritisation of requirements and (yet another!) tradeoff around privacy.

In other words, there was one missing piece, albeit a deliberate one.  But reading this paper convinced us that adding that feature made sense, and so we’ve added it to our design and it will be added to the codebase in a future milestone release. The thinking is captured in section 7.5 of our technical whitepaper, starting page 33.

Note that our proposed implementation is slightly different to the design sketched in the Digital Asset paper because we deliberately and famously don’t have a blockchain: so there is no data structure that participants can passively browse to look for transactions of interest. Instead, we use a push point-to-point messaging network.  So the notary will directly inform affected parties.
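
The tagging scheme and tear-offs described above, modelled as an added example (not code from Corda or from the Digital Asset paper): a non-validating notary sees only the inputs and the tag list, each proved against the transaction id by a Merkle path, while the tag rule is checked by the participants who hold the full transaction. The four-component layout, the class and function names, the sample states and the use of plain party names as tags are assumptions made for illustration; the GSL design does not put identities on the transaction directly.

```python
import hashlib, json, os

COMPONENTS = ("inputs", "outputs", "participants", "command")  # fixed 4-leaf layout (assumed)
_h = lambda data: hashlib.sha256(data).digest()

def leaf(name, value, salt):
    # Salted so hidden components cannot be guessed; 0x00/0x01 separate leaf and node hashes.
    return _h(b"\x00" + json.dumps([name, value, salt], sort_keys=True).encode())

def _up(level):
    return [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_path(leaves, index):
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[index ^ 1])
        level, index = _up(level), index // 2
    return path

def root_from_path(leaf_hash, index, path):
    acc = leaf_hash
    for sibling in path:
        pair = acc + sibling if index % 2 == 0 else sibling + acc
        acc, index = _h(b"\x01" + pair), index // 2
    return acc

class Transaction:
    def __init__(self, inputs, outputs, participants, command):
        values = (sorted(inputs), outputs, sorted(participants), command)
        self.parts = [(n, v, os.urandom(16).hex()) for n, v in zip(COMPONENTS, values)]
        self.leaves = [leaf(*p) for p in self.parts]
        self.tx_id = root_from_path(self.leaves[0], 0, merkle_path(self.leaves, 0))

    def tear_off(self, visible=("inputs", "participants")):
        # What the notary receives: the chosen components plus their Merkle paths.
        shown = [(i, self.parts[i], merkle_path(self.leaves, i))
                 for i, n in enumerate(COMPONENTS) if n in visible]
        return {"tx_id": self.tx_id, "revealed": shown}

def tags_valid(tx, known_states):
    # Participants' rule: the tag list must be exactly the owners of all touched states.
    parts = {n: v for n, v, _ in tx.parts}
    required = {p for ref in parts["inputs"] for p in known_states[ref]}
    required |= {p for out in parts["outputs"] for p in out["owners"]}
    return set(parts["participants"]) == required

class NonValidatingNotary:
    def __init__(self):
        self.consumed = {}   # state ref -> id of the transaction that consumed it
        self.audit_log = []  # (submitter, tx id, result): who to blame afterwards
        self.inboxes = {}    # party -> tx ids pushed to it on confirmation

    def notarise(self, submitter, tear_off):
        result = self._decide(tear_off)
        self.audit_log.append((submitter, tear_off["tx_id"].hex(), result))
        return result

    def _decide(self, tear_off):
        seen = {}
        for index, (name, value, salt), path in tear_off["revealed"]:
            if name not in COMPONENTS or index != COMPONENTS.index(name) or \
                    root_from_path(leaf(name, value, salt), index, path) != tear_off["tx_id"]:
                return "REJECTED: bad Merkle proof"
            seen[name] = value
        if set(seen) != {"inputs", "participants"}:
            return "REJECTED: need exactly inputs and participants"
        if any(ref in self.consumed for ref in seen["inputs"]):
            return "REJECTED: input already consumed"
        for ref in seen["inputs"]:
            self.consumed[ref] = tear_off["tx_id"].hex()
        for party in seen["participants"]:  # confirmation and notification are one act
            self.inboxes.setdefault(party, []).append(tear_off["tx_id"].hex())
        return "CONFIRMED"

def demo():
    known = {"cash-1": ["Alice"], "cash-2": ["Alice"], "cash-3": ["Alice"]}  # constructed
    to_bob = lambda ref: [{"ref": ref, "owners": ["Bob"]}]
    notary = NonValidatingNotary()
    # 1. Mis-tagged: pays Bob but tags only Alice. Notarised, yet invalid for everyone.
    bad = Transaction(["cash-1"], to_bob("cash-1b"), ["Alice"], "move")
    r_bad = notary.notarise("Alice", bad.tear_off())
    # 2. Denial of state: the correctly tagged spend of cash-1 now conflicts.
    late = Transaction(["cash-1"], to_bob("cash-1c"), ["Alice", "Bob"], "move")
    r_late = notary.notarise("Alice", late.tear_off())
    # 3. Correctly tagged spend: confirmation pushes the id to Alice and Bob.
    good = Transaction(["cash-2"], to_bob("cash-2b"), ["Alice", "Bob"], "move")
    r_good = notary.notarise("Alice", good.tear_off())
    # 4. Tag list altered after hashing: the Merkle path no longer reaches tx_id.
    forged = Transaction(["cash-3"], to_bob("cash-3b"), ["Alice", "Bob"], "move").tear_off()
    forged["revealed"] = [(i, (n, ["Alice"] if n == "participants" else v, s), p)
                          for i, (n, v, s), p in forged["revealed"]]
    r_forged = notary.notarise("Alice", forged)
    return {"bad": (r_bad, tags_valid(bad, known)), "late": r_late,
            "good": (r_good, tags_valid(good, known)), "forged": r_forged,
            "bob_inbox": notary.inboxes.get("Bob", []), "good_id": good.tx_id.hex(),
            "log": notary.audit_log}

if __name__ == "__main__": print(demo())
```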

Open Innovation: 2017 is the Year Corda Goes Mainstream

One of the many benefits of working on an open source project is that it becomes so easy and natural to explore these sorts of concepts with other firms, through initiatives such as the Hyperledger Project; through discussion of each other’s papers, like here; and through coding and direct collaboration between developers: we’re very much enjoying working with one of Digital Asset’s developers in our public Slack group, for example.

We think Corda is shaping up to be a perfect architecture for implementing the Global Synchronization Log concept and I am grateful to the team at Digital Asset for sharing their thinking – and their list of requirements – so openly and clearly.

Here’s to open innovation!

Countdown to Corda Open Source

R3 will soon be open-sourcing Corda. Here’s what to expect.

As I confirmed a few months back, R3’s Corda platform will be open-sourced, under the Apache 2 licence, on November 30.

Corda is a distributed ledger platform designed and built from the ground up for the recording and automation of legal agreements between identifiable parties. It is heavily influenced by the requirements of the financial industry but we believe the community will find the underlying architecture will lend itself to a broad range of applications.

We’ve built Corda because we see requirements – especially in finance – that need a distributed ledger but which cannot be met by existing platforms.

  • Corda is the only Distributed Ledger platform designed by the world’s largest financial institutions to manage legal agreements on an automatable and enforceable basis.
  • Corda only shares data with those with a need to view or validate it; there is no global broadcasting of data across the network.
  • Corda is the only Distributed Ledger platform to support multiple consensus providers employing different consensus algorithms on the same network, enabling compliance with local regulations.
  • Corda is designed to provide a great developer experience and to make integration and interoperability easy: query the ledger with SQL, join to external databases, perform bulk imports, and code contracts in a range of modern, standard languages.

We designed it with the members of R3, the world’s largest financial services DLT consortium, but we think its applicability is far broader.  You can find out more in our introductory whitepaper and my blog post on why we’re building Corda and what makes it different. If you prefer videos, here’s a short interview I did with Simon Taylor of 11:FS that explains the thought process behind Corda.

What we’ll release on November 30 is pretty much the full codebase as it exists today and we will be improving it actively and openly from then on. In fact, the only code we’ve held back pertains to laboratory projects we’re working on with our members and work on our own commercial business products that will run on top of Corda.

So do take a look around when the code is released: there’s a lot in there that is still work-in-progress and not yet integrated. For example, you’ll find a fascinating approach to writing financial contracts in the experimental branch and ongoing work on our deterministic sandbox for the JVM.   We will, of course, also be developing a commercial version of Corda for those who need specific enterprise features and support, but the open source codebase is the foundation of everything we do.

This is a really important point: distributed ledger technologies will have such phenomenally powerful network effects that it is unthinkable that serious institutions would deploy base-layer ledger software that is anything other than fully and wholeheartedly open. And it’s why we’ve been committed all along to releasing Corda just as soon as we were sure it was heading in the right direction.  It is and so we are.

We will also be publishing a draft of our technical whitepaper.  This whitepaper outlines our roadmap to version 1.0 of Corda and production-readiness.

What to expect on November 30

We’re really proud of Corda and its progress to date. But, that said, Corda is far from finished. Mike Hearn will soon be publishing a “warts and all” description of quite how much work we still have to do. This is true for all other platforms in this space, of course, but I feel a particular responsibility to be transparent given the ambitions we have for Corda and the uses to which it will be put.

By way of example, perhaps a good way to help you figure out what we still have to do is to look at some items on the list of work we’ve set for the months ahead of us:

  • Functional completeness: Corda still has gaps in its functional capabilities. The technical whitepaper outlines the full vision and you’ll see us working on and merging a lot of functional enhancements in the coming months to implement the full vision in the paper.
  • Non-functional characteristics: We focused first on design and then on implementation of Corda’s core functionality. The work to ensure we meet our non-functional requirements, such as performance, is still ahead of us but we have a clear roadmap and have designed the platform with these needs firmly in mind.
  • Security hardening: There are lots of areas where we need to tighten up security. Much of this we know about and we have called it out in the code or associated docs. But there will, of course, be others. So just as you shouldn’t be using other enterprise DLT platforms in production just yet, please don’t download Corda and put it straight into production just yet either!
  • API Stability: Corda’s development is iterative and organic – and it is heavily influenced by the range of projects and applications to which our members are choosing to put it. As we learn about common patterns and discover assumptions that prove to be wrong, we adapt. In particular, this means that we do not commit to API stability or backwards-compatibility until version 1.0.  Expect parts of the implementation to change in the coming months, perhaps quite significantly!

But these things are transient: we know how to fix them and we’ll knock the issues off one-by-one in the coming months as we head towards version 1.0.  But we want you to be fully aware of them.

Why are we open-sourcing Corda now?

We had a vigorous internal debate about when was the right time to release Corda: wait until it was more mature, when we were confident we’d ironed out the bugs and made it fly?  Or wait only until the design roadmap was clear and then share it immediately with the world for comment, criticism, contribution and collaboration?

We’ve wholeheartedly chosen the latter path: to release early and to work openly.

We’re serious about inviting the community to critique, collaborate and contribute. To take one example, our friends at Digital Asset recently published an excellent paper describing a set of requirements for what they call a “Global Synchronisation Log” (GSL), encouraging those in the community to incorporate these requirements into their platforms. We think that Corda’s vision is extremely well aligned to the GSL concept and by open-sourcing our work whilst there is still time to tweak our design it means we maximise the opportunities for firms such as ours to collaborate.

But open-sourcing Corda when it is still fairly young is not without its risks!  In fact, I’m a little apprehensive. I’m a completer-finisher and I obsess over every detail. So the idea of releasing something before it’s perfect makes me feel uncomfortable.  You will find gaps, issues, problems. But that’s fine: please do share what you find.  Even better, submit a fix…!

In fact, I also have a hope that some of those who come to critique will find that they nonetheless like much of what they see, and may even join the community.

What happens next?

I performed a thought experiment a while back… I asked: what will the enterprise distributed ledger world look like when everything settles down in a few years? How many independent enterprise DLT platforms will the world need and which ones will they be?

My conclusion was that there will probably be at most three such platforms, each carefully designed and adapted for a specific set of requirements. They will all be fully open source. And they will be surrounded by thriving, inclusive communities.

And we firmly intend to ensure Corda is one of them.

Our open-source release next week is a key step on that journey.

How to get Corda on November 30

Corda’s home will be corda.net.

Head over to corda.net on November 30 for links to the codebase, simple sample applications and a tutorial to get started writing your own CorDapps.


On Distributed Databases and Distributed Ledgers

Why can’t companies wanting to share business logic and data just install a distributed database? What is the essential difference between a distributed database and a distributed ledger?

Last month, I shared the thinking that led to the design of Corda, which we at R3 will be open sourcing on November 30; and Mike Hearn and I were interviewed by Brian and Meher of Epicenter last week. We’ve been delighted by the response and are looking forward to working with those who seek to build on Corda, help influence its direction or contribute to its development and maturation;  there’s a lot of work ahead of us!

But one or two observers have asked a really good question. They asked me: “Aren’t you just reimplementing a distributed database?!”

The question is legitimate: if you strip away the key assumptions underpinning systems like Bitcoin and Ethereum, are you actually left with anything? What is actually different between a distributed ledger platform such as Corda and a traditional distributed database?

The answer lies in the definition I gave in my last blogpost and it is utterly crucial since it defines an entire new category of data management system:

“Distributed ledgers – or decentralised databases – are systems that enable parties who don’t fully trust each other to form and maintain consensus about the existence, status and evolution of a set of shared facts”

“Parties who don’t fully trust each other” is at the heart of this. To see why, let’s compare distributed databases and Corda.

Comparing Corda to a distributed database

In a distributed database, we often have multiple nodes that cooperate to maintain a consistent view for their users.   The nodes may cooperate to maintain partitions of the overall dataset or they may cooperate to maintain consistent replicas but the principle is the same:  a group of computers, invariably under the control of a single organisation, cooperate to maintain their state.  These nodes trust each other.   The trust boundary is between the distributed database system as a whole and its users.    Each node in the system trusts the data that it receives from its peers and nodes are trusted to look after the data they have received from their peers.  You can think of the threat model as all the nodes shouting in unison: “it’s us against the world!”

This diagram is a stylised representation of a distributed database:

[Diagram: distributed-database]

In a distributed database, nodes cooperate to maintain a consistent view that they present to the outside world; they cooperate to maintain rigorous access control and they validate information they receive from the outside world.

So it’s no surprise that distributed databases are invariably operated by a single entity: the nodes of the system assume the other nodes are “just as diligent” as them: they freely share information with each other and take information from each other on trust. A distributed database operated by mutually distrusting entities is almost a contradiction in terms.

And, of course, if you have a business problem where you are happy to rely on a central operator to maintain your records – as you sometimes can in finance it should be said – then a distributed database will do just fine: let the central operator run it for you.  But if you need to maintain your own records, in synchrony with your peers, this architecture simply won’t do.

And there are huge numbers of situations where we need to maintain accurate, shared records with our counterparts. Indeed, a vast amount of the cost and inefficiency in today’s financial markets stems from the fact that it has been so difficult to achieve this. Until now.

Corda helps parties collaborate to maintain shared data without fully trusting each other

Corda is designed to allow parties to collaborate with their peers to maintain shared records, without having to trust each other fully. So Corda faces a very different world to a distributed database.

A Corda node cannot assume the data it receives from a peer is valid: the peer is probably operated by a completely different entity and even if they know who that entity is, it’s still extremely prudent to verify the information.   Moreover, if a Corda node sends data to another node, it must assume that node might print it all in an advert on the front page of the New York Times.

The trust boundaries – the red curves in the diagram – are drawn in a completely different place!

[Diagram: decentralised-database]

In Corda, nodes are operated by different organisations and do NOT trust each other; but the outcome is still a consistent view of data.

To repeat, because this distinction is utterly fundamental:  nodes of a distributed database trust each other and collaborate with each other to present a consistent, secure face to the rest of the world.   By contrast, Corda nodes cannot trust each other and so must independently verify data they receive from each other and only share data they are happy to be broadly shared.

And so we call Corda a distributed ledger, to distinguish it from distributed databases. A distributed ledger that is designed painstakingly for the needs of commercial entities.

Put more simply: you simply can’t build the applications we envisage for Corda with traditional database technology.  And that’s what makes this new field so exciting.

R3 Corda: What makes it different

As reported by Reuters last week, Corda, the Distributed Ledger platform we’ve been working hard on at R3 for the last year, will be open sourced on November 30.

What is it? Why are we building it? What happens next?

Corda is a distributed ledger platform designed and built from the ground up for the recording and automation of legal agreements between identifiable parties. It is heavily influenced by the requirements of the financial industry but we believe the community will find the underlying architecture will lend itself to a broad range of applications.

Corda is quite unlike any other Distributed Ledger platform that currently exists. So we’ll be releasing lots of information in the coming weeks and months. To understand why it looks the way it does, I thought I’d share the journey we went on to build it.  In subsequent articles, the team and I will share more detail about how it works and what to look for when it’s released on November 30.

But first, some history.

The very first decision made by the Steering Committee of the R3 consortium was to establish our Architecture Working Group, which I chair.  This group consists of hundreds of senior architects, technologists and developers, many with decades of experience in a dazzling array of areas, from across our membership of over seventy financial institutions.

We were given a simple-sounding mission:

“To establish the architecture for an open, enterprise-grade, shared platform for the immutable recording of financial events and execution of logic”.

There is quite a lot packed into that sentence..!  Let’s look at just two parts:

  • “Open”
    • I stated publicly in April that we would open-source Corda and I was serious. Our mandate, from our member banks, was that whatever base platforms we selected, built or adopted had to be open. We’re delivering on this commitment with the open-sourcing of Corda on November 30.
  • “Immutable recording of financial events and execution of business logic”
    • Notice what this doesn’t say. It doesn’t say “blockchain”.  Heck: it doesn’t even say “distributed ledger”!    Instead, it tries to get to the heart of what we think is the essence of this exciting new field.  And that’s what I want to talk about in this blog post.

We don’t like solutions looking for problems

I wanted us to be precise about what this field is all about.  After all, and as I wrote when we first announced Corda, Satoshi Nakamoto didn’t wake up one morning thinking: “I really need a blockchain!”.  No: he started with a well-defined business problem and engineered a solution to solve that problem.  And if you need a system of censorship-resistant digital cash, then Satoshi’s design – Bitcoin – is the elegant solution and it’s available today.

And that’s why Ethereum, to take another example, looks so different to Bitcoin.  Vitalik Buterin and his colleagues started with a different business problem, which I characterise as “I want an unstoppable world computer that can execute business logic and move value autonomously” and guess what? They ended up with a very different design!  Now sure:  there are many similarities between Bitcoin and Ethereum but also a lot of differences.

I was determined that we would not fall into the trap of taking technologies designed to solve completely different problems and blindly apply them to banking.  That way lies madness.

So we drove two key pieces of work: 1) characterising exactly what is new about this field and 2) identifying precisely where in finance it may have most applicability.

And the answer, as I outlined back in April, is that there is something genuinely new in this space and it’s something that is massively relevant to the financial system.

The definition I think best captures this is as follows:

“Distributed ledgers – or decentralised databases – are systems that enable parties who don’t fully trust each other to form and maintain consensus about the existence, status and evolution of a set of shared facts”

Let’s first test that this definition works for existing public systems:

Bitcoin: the participants don’t know each other’s identities and come to consensus about how many bitcoins there are, which addresses own them and what needs to happen for any of them to be spent without having to trust each other.  Check!

Ethereum: the participants don’t know each other’s identities and come to consensus about the state of a virtual computer.  Check!

In those systems’ cases, they achieve these outcomes in ways with which we’re both familiar and which address requirements related to the environment in which those systems are expected to run.

But how about finance… parties who don’t fully trust each other but who need to be in consensus about a set of shared facts?

Where do we have that problem?

Erm… how about everywhere..?!!

It’s perhaps only a slight exaggeration to suggest that the financial industry is pretty much defined by the web of contracts that exists between its participants:  I deposit money with a bank? There’s a contract there that says the bank owes me that money.  You and I enter into a Credit Default Swap? There’s a contract there that describes our mutual rights and obligations.  And they’re recorded and managed in multiple places, on different systems, managed by different firms and it costs a fortune to keep them all in sync.

The shared facts in finance are the existence and state of financial agreements – i.e. contracts.

And the need for consensus is what amounts to the twenty-first century’s “paperwork crisis”: the tens of billions of dollars spent annually maintaining and managing the duplicated records that each firm maintains about the same deals.  The same information about a deal is recorded multiple times across these parties and, in situations where a centralised solution can’t be deployed, which is in lots of places, small armies are required to ensure that these disparate records agree with each other and get updated correctly and in synchrony – and to deal with the issues when they don’t.

A ha!  So now we have something phenomenally exciting: a new technology for establishing and maintaining consensus between parties who don’t trust each other.  And a multi-billion dollar business problem crying out for this solution!

There’s only one minor problem…

Public systems like Bitcoin were not designed to solve these problems. They’re excellent at what they do; but we’re doing something else.

And you only need to take a cursory look at the architecture of various public blockchain systems to see why this might be the case.  My business problem amounts to ensuring the Bank of Alice and Bank of Bob agree about a trade they just did and that it settles automatically and correctly.   A solution which not only shares this confidential data with every other bank in the world but which also requires them to process the deal and maybe even validate it doesn’t meet my needs. And yet… that’s how every single public platform back in 2015 worked.

Perhaps those architectures can be heavily re-engineered to solve such problems, as some groups are attempting, but it’s not an obvious starting point, especially when you then layer on all the other requirements we identified.

So there’s a problem: Bitcoin and its successors taught us that a new way of building distributed systems was possible: one where mutually distrusting parties can maintain a shared database.  We identified a hitherto unsolved problem in finance. And yet the technology that existed simply wasn’t designed for this.

 

Coding, not talking

The reality is that finding fault is easy; proposing workable solutions is altogether harder.   So simply going out and shouting about how 2015’s platforms didn’t solve our problems was hardly a way to make friends.  No.  We needed to do better than that.

So once we had decided we needed to prototype the alternate approach we had identified, we made a critical decision to buttress my leadership team of James Carlyle and Ian Grigg:  we brought in Mike Hearn.

And he drove the prototyping effort to explore these concepts in the only way that gives you certainty that it can be done: by proving it in code.  As Mike enjoys reminding me: when it comes to core concepts, talk is cheap; at some point, the talking has to give way to coding.

 

Early results were promising: the reductive, bottom-up approach we took to architecture and design, which is explored in our introductory whitepaper and on which we’ll elaborate in the coming weeks, was solid: we could model a diverse range of instruments; the design would allow for significant parallel processing; we did not need to send all data to all participants in all scenarios; the use of a mainstream virtual machine and its libraries led to high developer productivity; we were able to support multiple consensus providers on a single network; the use of a flat, point-to-point queue-based, peer-to-peer network mapped well to real business scenarios; and more.

We worked with our members to test the maturing codebase in a variety of contexts: interfacing Ricardian Contracts and Smart Contracts in the context of an Interest Rate Swap with Barclays and others; managing trade finance flows; and more.

And this focus on validated client requirements and a willingness to question some hitherto sacred beliefs (we have no blocks! we have no miners! we don’t put ephemeral data in the consensus layer! we allow per-transaction specification of consensus providers!) led to a unique design.

Had Corda ended up being a minor variation on an existing platform or a me-too copy of something else, what would have been the point in pursuing the work?  But that isn’t what happened: we ended up with something quite distinct, something we believe is singularly well-suited to a wider variety of financial-services use-cases and something  adapted to the practical reality that the industry is regulated and some rules simply aren’t going to change overnight.

So that’s the backstory. Our large – and growing – technology team still has a large amount of work to do.  But now is the time to share our work with the broader community and encourage people – including in other industries – to use it for their own applications as it matures (it’s still a young codebase), to contribute to Corda itself, and to contribute to the architectural debate.

We’re looking forward to November 30. This is an exciting time!

Corda: An Introduction

Announcing the Corda Introductory Whitepaper

The Wall Street Journal had a couple of good pieces this morning that describe some of the work we’re doing at R3 and our vision for the future of financial services.

Project Concord is our codename for the overall vision, with Corda as our underlying distributed ledger software.

I first wrote about Corda back in April and we demonstrated it in public for the first time a few weeks later.  Since then, we’ve been continuing to develop the code base in collaboration with our members, trialling it through an ongoing series of proofs-of-concept, prototypes and more advanced deployments, refining the design and maturing our thinking.

As part of this process, we wanted to share more information with the broader community about what we’re doing.  I’m pleased to announce the release of our first whitepaper on Corda: an introductory, non-technical overview that explains our vision, some design choices and outlines the key concepts underpinning the platform.  We’ll follow this up in the coming months with a more detailed technical whitepaper.

The whitepaper, which you can download here, explains how we set ourselves the challenge of starting with the financial industry’s pain points: duplicated, inconsistent data and business logic and redundant business processes – and asked ourselves if we could apply breakthroughs in distributed ledger and blockchain technology to solve them.

Our conclusion is that distributed ledger and blockchain technology represents a once-in-a-generation opportunity to transform the economics of data management across the financial industry. But there’s a problem because the blockchain and distributed ledger platforms that led us to this exciting moment were never designed to solve the problems of financial institutions and do not meet all our needs: we need tight linkage to the legal domain; we have an obligation to prevent client data being shared inappropriately and so can’t send all transactions to all network participants; we must integrate and interoperate with existing financial infrastructure; and more.

Corda is the outcome of the analysis we did on how to achieve as many of the benefits of distributed ledger and blockchain technology as possible but in a way that is sympathetic to and addresses the needs of regulated financial institutions. Corda is intended to be a contribution to the plurality of technologies that will be adopted in the coming years, one that is targeted specifically and with a laser-focus on the needs of financial institutions.

I hope you find the whitepaper interesting and illuminating and we would love to hear your feedback.

 

 

Introducing R3 Corda™: A Distributed Ledger Designed for Financial Services

UPDATE: The Corda introductory whitepaper is now available! And this blog post gives more context.

As reported in Bloomberg this morning, I’m delighted to confirm that R3 and our member banks are working on a distributed ledger platform for financial services: Corda™. I explain it on our official R3 blog and reproduce it here.

For the last six months, my team and contributors from our membership have been building a distributed ledger platform prototype from the ground up, specifically designed to manage financial agreements between regulated financial institutions. I am massively excited by the progress our team, led by James Carlyle, our Chief Engineer, and Mike Hearn, our Lead Platform Engineer, are making and I think the time is right to share some details.

Corda: A Distributed Ledger for Recording and Managing Financial Agreements

Corda is a distributed ledger platform designed from the ground up to record, manage and synchronise financial agreements between regulated financial institutions. It is heavily inspired by and captures the benefits of blockchain systems, without the design choices that make blockchains inappropriate for many banking scenarios.

Corda’s key features include:

  • Corda has no unnecessary global sharing of data: only those parties with a legitimate need to know can see the data within an agreement
  • Corda choreographs workflow between firms without a central controller
  • Corda achieves consensus between firms at the level of individual deals, not the level of the system
  • Corda’s design directly enables regulatory and supervisory observer nodes
  • Corda transactions are validated by parties to the transaction rather than a broader pool of unrelated validators
  • Corda supports a variety of consensus mechanisms
  • Corda records an explicit link between human-language legal prose documents and smart contract code
  • Corda is built on industry-standard tools
  • Corda has no native cryptocurrency

Corda’s design is the result of detailed analysis and prototyping with our members and will be open sourced when the code has matured further.

In the remainder of this post, I want to share some insight into our thinking.  Why are we building Corda?  Why have we made some of the design decisions we have?  When will the code be ready for others to examine and build upon? How does this relate to other platforms and projects?

A thought experiment

When I joined R3 from IBM in September 2015, I forced myself to stop and think.  The blockchain bandwagon was running at full speed, I’d just been appointed CTO of a project intended to bring blockchains to finance but there was a nagging worry at the back of my mind…  how could I avoid falling into the trap of believing all the hype?!

I imagined myself sitting in front of the CIO of one of our member banks some time in the future.  I imagined we had naively selected a “blockchain for finance” based on what was popular at the time and widely deployed a range of products and services on top of it. And I imagined we had believed the hype, had suspended our critical faculties and had omitted any engineering.  In this imagined scenario, I now found myself facing an angry CIO, who wanted to know why the system I had built had just failed calamitously. Why on earth did I build it the way I did?!

I concluded that an entirely inappropriate answer to that question would be: “because blockchains were cool in 2015”!  No. That simply won’t do.

The reality is that solutions based on selecting the design first and then trying to apply it to arbitrary problems never work out well.  Every successful project I’ve worked on started with the requirements, not some cool piece of technology, and I was determined to bring that discipline into our work at R3.

Remind me again why a system designed to replace banks is also supposedly their saviour?

And there is a second reason for this caution: the technology and finance industries collectively “decided” some time in early 2015 that “blockchain technology” was somehow the future of financial services.

Indeed, I am one of the most active proponents of precisely that claim. But the reason for blockchain technology’s importance is extremely subtle – and this subtlety is something that most people seem to have missed.

To understand this, we need to look at Bitcoin.

Bitcoin’s architecture, as I have often written, is a marvel.  Its interlocking components are one of those rare examples of something so elegant that they seem obvious in hindsight, yet which required a rare genius to create.

But what is often missed is that the cleverest part of Bitcoin isn’t actually its architecture; I think the cleverest part was to articulate the business problem.  We don’t tend to think of Bitcoin as being the solution to a “business problem” but it can perhaps be thought of as a wonderfully neat solution to the problem of: “how do I create a system where nobody can stop me spending my own money?”   Now, I can’t claim to know the mind of Satoshi and he certainly didn’t write the whitepaper in this way but it triggers a very useful thought-experiment.

In fact, once you write this ‘business problem’ down, the design drops out almost trivially!  (Almost…) You want always to be able to spend your own money? Then you can’t have a central point of control.  It could be shut down by the authorities.  You can’t even have a collection of validators with known identities as they could also be shut down with concerted effort.  Very quickly you realise you need a massively replicated consensus system and, if you don’t want to tie actions to real-world identities, you need something like Proof of Work to make the voting work.  You work the logic through and pretty much the whole design (the blockchain, the need for mining, block rewards, maybe even the UTXO transaction model, etc., etc.) drops out.  Of course, it does push a lot of work onto the users: confiscation of somebody’s bitcoins is easy if you know their private key… but let’s leave that to one side for now.

And this way of looking at it is important because it highlights how Bitcoin’s blockchain can be thought of as the solution to a business problem.    Satoshi Nakamoto didn’t wake up one morning wanting to “apply Blockchain to finance”.  Blockchain was the tool that was invented to solve a real problem.

So we have a conundrum, right?  If that’s the case, then what on earth is the argument that says blockchain has any relevance at all to banking?!

Indeed, last time I checked, banks have the inverse of my Bitcoin problem statement!

What is the defining characteristic of blockchain systems?

So I spent most of October sitting in a dark room (really! This was our first London office… a tiny four-person room in a shared working space in the City of London) questioning some of the most fundamental assumptions about blockchains.  What is it exactly that makes them interesting to banks?

Most people had already made the mental leap that the “bitcoin package” was unacceptable as a take-it-or-leave-it deal: proof of work is unnecessary for private deployments, for example.  But, as I looked around, all I could see was firms who had accepted everything else…  It seemed strange to me that, as an industry, we could tease apart one part of the “blockchain bundle” but then stop there.

I spent several of my earlier, formative years at IBM in a role called “technical sales”.  If you’ve ever bought technology from a large IT vendor, you’ll have met somebody like me.  We’re the people who visit clients with the sales rep and act as the technical expert: we explain how the product works, make sure we’re proposing the right solution to the client and ensure there is no technical barrier to closing the deal.

A lesson I learned very early in that role was: it doesn’t matter how hard you wish or how many client meetings you schedule or how aggressive the sales rep gets, if you can’t show how your solution is going to solve the client’s business problem then the deal almost certainly won’t close.  And those that do are the ones you’ll live to regret…

Fast forward a decade, and as I surveyed the blockchain landscape in October 2015, all I could see was excitable (and vocal!) firms touting solutions that made very little sense to me for the kinds of problems I was trying to solve.  I will confess to many moments of self-doubt:  maybe they were all sane and I was the mad one..?!

But I ploughed on: even if they are right that a “take it or leave it” blockchain design is the saviour of the financial industry, I’ll be doing our members a favour if I could explain why.

So we started picking away at what can perhaps be called the “blockchain bundle”:  the collection of services that blockchains provide to those who use them.

We concluded that a blockchain such as the ones underlying Bitcoin or Ethereum or any of the private variations actually provides at least five interlocking, but distinct, services.  And the right approach is to treat them as a menu from which to select and customise… different combinations, in different flavours, for different business problems.

CONSENSUS

The first, and most important, feature of blockchains – and the thing that is probably genuinely new in terms of scale and scope – is that they create a world where parties to a shared fact know that the fact they see is the same as the fact that other stakeholders see:

“I see what you see… and I know that what I see is what you see”

And, critically:

“I know that you know that I know”! 

And:

“I know that you know that I know that you know…”

And so on…

And it makes this promise across the Internet between mutually untrusting parties.  Sure: consensus systems and replicated state machines have existed for years but consensus systems at Internet scale, between untrusting actors, that work in the face of powerful adversaries? That’s a step forward.

In Bitcoin, the shared facts are things like: “What are all the bitcoin (outputs) that have not yet been spent and what needs to happen for them to be validly spent?”.  And the facts are shared between all full node users.

In Ethereum, the shared fact is the state of an abstract virtual computer.

But notice something interesting: there isn’t some law of nature that says the set of people who have to be in consensus is the whole world.  Bitcoin just happens to work that way because of its unique business problem.   If you don’t have Bitcoin’s business problem then be very wary of those trying to sell you something that looks like a Bitcoin solution.

VALIDITY

The second feature in the “blockchain bundle” is validity. Tightly linked to consensus, this feature is the one that allows us to know whether a given proposed update to the system is valid. It is how we define the rules of the game.  What does a valid “fact” look like in the system?  What does a valid update to that fact look like?

UNIQUENESS

The third feature in the blockchain bundle is its “uniqueness service”.   I can quite easily create two perfectly valid updates to a shared fact but if they conflict with each other then we need everybody who cares about that fact to know which, if either, of those updates we should select as the one we all agree on.  The “anti-double-spend” feature of blockchains gives us precisely this service and it’s hugely important.

IMMUTABILITY

The fourth feature in the “Blockchain Bundle” is often, if misleadingly, termed “immutability”: data, once committed, cannot be changed.

This isn’t quite true: if I have a piece of data then of course I can change it.  What we actually mean is that: once committed, nobody else will accept a transaction from me if it tries to build on a modified version of some data that has already been accepted by other stakeholders.

Blockchains achieve this by having transactions commit to the outputs of previous transactions and have blocks commit to the content of previous blocks.  Each new step can only be valid if it really does build upon an unchangeable body of previous activity.

AUTHENTICATION

The final critical feature in the “Blockchain Bundle” is authentication: every action in the system is almost always associated with a private key; there is no concept of a “master key” or “administrator password” that gives God-like powers.   This is quite different to traditional enterprise systems where these super-user accounts are prevalent and petrifying from a security perspective.

So what is the financial services business problem?

So why did I take us through this analysis?  Because it gets us to the heart of the distributed ledger domain: the thing that is genuinely new is the emergence of platforms, shared across the Internet between mutually distrusting actors, that allow them to reach consensus about the existence and evolution of facts shared between them.

So if that’s what this is all about, then what are the “shared facts” that matter in finance? What business problem would we need to have for any of this work to be of any use at all?

And this is the light bulb moment and the fundamental insight driving the entire Corda project:

The important “shared facts” between financial institutions are financial agreements:

  • Bank A and Bank B agree that Bank A owes 1M USD to Bank B, repayable via RTGS on demand.
    • This is a cash demand deposit
  • Bank A and Bank B agree that they are parties to a Credit Default Swap with the following characteristics
    • This is a derivative contract
  • Bank A and Bank B agree that Bank A is obliged to deliver 1000 units of BigCo Common Stock to Bank B in three days’ time in exchange for a cash payment of 150k USD
    • This is a delivery-versus-payment agreement
  •  … and so on…

The financial industry is pretty much defined by the agreements that exist between its firms and these firms share a common problem:  the agreement is typically recorded by both parties, in different systems and very large amounts of cost are caused by the need to fix things when these different systems end up believing different things. Multiple research firms have postulated that tens of billions of dollars are spent each year on this problem.

In particular, these systems typically communicate by exchanging messages: I send an update to you and just hope you reach the same conclusion about the new state of the agreement that I did.  It’s why we have to spend so much money on reconciliation to check that we did indeed reach the same conclusions and more money again to deal with all the problems we uncover.

Now imagine we had a system for recording and managing financial agreements that was shared across firms, that recorded the agreement consistently and identically, that was visible to the appropriate regulators and which was built on industry-standard tools, with a focus on interoperability and incremental deployment and which didn’t leak confidential information to third parties.  A system where one firm could look at its set of agreements with a counterpart and know for sure that:

“What I see is what you see and we both know that we see the same thing and we both know that this is what has been reported to the regulator”

That’s Corda.

How does Corda choose from the “Blockchain Bundle” Menu?

So now we understand the financial services requirement, we can look again at the “Blockchain Bundle” menu from above and outline the choices we’ve made.

CONSENSUS

A critical piece of the Corda philosophy is that our problem is to ensure that “I know that you see the same details about a shared fact that I see”.

But this does not mean that a third party down the road also needs to see it: our consensus occurs between parties to deals, not between all participants.

VALIDITY

Furthermore, in Corda, the only people who need to be in agreement about a fact are the stakeholders to that fact:  if you and I agree about something that pertains only to us then why should we care what some completely unrelated third party thinks?  And why would we even think of sending them a copy so they could opine on it? So, in Corda, we let users write their validation logic in time-tested industry-standard tools and we define who needs to be in agreement on a transaction’s validity on a contract-by-contract basis.

UNIQUENESS

Just like every other distributed ledger out there, we need to be sure that two valid, but conflicting, transactions cannot both be simultaneously active in the system.  But we also recognise that different scenarios require different tradeoffs. So Corda’s design allows for a range of “uniqueness service” implementations, one of which is a “traditional blockchain”. But it doesn’t need to be and, for our purposes, we also need implementations that make different tradeoffs under Brewer’s CAP theorem: in particular, some financial services use-cases need to prioritise consistency at the expense of availability in the event of a network partition.

IMMUTABILITY AND AUTHENTICATION

Here, Corda’s design departs very little from existing systems: our data structures are immutable and our building block is the exchange of digitally-signed transactions.

So Corda is very traditional in some respects – we directly apply the “authentication”, “immutability” and “uniqueness service” features of blockchains but we depart radically when it comes to the scope of “consensus” (parties to individual deals rather than all participants) and “validation” (the legitimate stakeholders to a deal rather than the whole universe or some arbitrary set of ‘validators’).
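The menu choices above (consensus scoped to the parties to a deal, a pluggable uniqueness service, immutable hash-linked transactions) can be seen working together in a small model. This is an added illustration in Python, not Corda code: the class names, the state layout and the sample deals are assumptions made here, and digital signatures and contract validation are left out to keep the focus on those three services.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    inputs: tuple    # consumed states: ((prev_tx_id, output_index), ...)
    outputs: tuple   # new states, each a dict that names its "parties"

    @property
    def id(self):
        # The id is a hash over a canonical encoding, so it commits to the
        # outputs and, through the input references, to all earlier history.
        body = json.dumps({"in": self.inputs, "out": self.outputs},
                          sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


class UniquenessService:
    """Records which state references are consumed. In this sketch it sees
    only references and transaction ids, never the content of a deal."""

    def __init__(self):
        self._consumed = {}   # (tx_id, index) -> id of the consuming transaction

    def commit(self, tx):
        clash = [ref for ref in tx.inputs
                 if self._consumed.get(ref, tx.id) != tx.id]
        if clash:
            return False
        for ref in tx.inputs:
            self._consumed[ref] = tx.id
        return True


class Ledger:
    """Per-party stores: a transaction reaches only the parties to the deal."""

    def __init__(self, parties):
        self.stores = {p: {} for p in parties}
        self.uniqueness = UniquenessService()

    def participants(self, tx, store):
        states = list(tx.outputs) + [store[t].outputs[i] for t, i in tx.inputs]
        return {p for s in states for p in s["parties"]}

    def backchain_ok(self, tx, store):
        # Each input must point at an output of a transaction this party
        # already holds and whose content still hashes to the referenced id.
        for prev_id, idx in tx.inputs:
            prev = store.get(prev_id)
            if prev is None or prev.id != prev_id or idx >= len(prev.outputs):
                return False
        return True

    def submit(self, proposer, tx):
        own = self.stores[proposer]
        if not self.backchain_ok(tx, own):
            return "rejected: unknown or modified history"
        parties = self.participants(tx, own)
        # Every party to the deal checks the history against its own copy.
        if not all(self.backchain_ok(tx, self.stores[p]) for p in parties):
            return "rejected: unknown or modified history"
        if not self.uniqueness.commit(tx):
            return "rejected: input already consumed"
        for p in parties:
            self.stores[p][tx.id] = tx
        return "committed"


def demo():
    # Constructed sample deals, modelled on the cash demand deposit above.
    ledger = Ledger(["BankA", "BankB", "BankC"])
    deposit = {"parties": ["BankA", "BankB"],
               "fact": "BankA owes BankB 1M USD on demand"}
    issue = Tx((), (deposit,))
    settle = Tx(((issue.id, 0),), ())
    rollover = Tx(((issue.id, 0),),
                  ({**deposit, "fact": "BankA owes BankB 1M USD in 30 days"},))
    # BankA rewrites history in its own records only, then builds on it.
    forged = Tx((), ({**deposit, "fact": "BankA owes BankB 1 USD on demand"},))
    ledger.stores["BankA"][forged.id] = forged
    on_forged = Tx(((forged.id, 0),), ())
    return {
        "issue": ledger.submit("BankA", issue),
        "settle": ledger.submit("BankA", settle),
        "rollover": ledger.submit("BankB", rollover),    # conflicts with settle
        "on_forged": ledger.submit("BankA", on_forged),  # BankB never saw it
        "bank_b_records": len(ledger.stores["BankB"]),
        "bank_c_records": len(ledger.stores["BankC"]),   # not a party: sees nothing
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, "->", outcome)
```

Swapping `UniquenessService` for a different implementation changes how conflicts are ordered and tolerated without touching who sees or validates a deal, which is the separation the menu describes.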

How is Corda Different?

Hang on?  Isn’t this the same pitch that every other blockchain firm is making? Not quite.

Notice some of the key things:  firstly, we are not building a blockchain.   Unlike other designs in this space, our starting point is individual agreements between firms (“state objects”, governed by “contract code” and associated “legal prose”).  We reject the notion that all data should be copied to all participants, even if it is encrypted.

Secondly, our focus is on agreements: the need to link to legal prose is considered from the start. We know there will still always be some disputes and we should specify right up front how they will be resolved.

Thirdly, we take into account the reality of managing financial agreements; we need more than just a consensus system. We need to make it easy to write business logic and integrate with existing code; we need to focus on interoperability. And we need to support the choreography between firms as they build up their agreements.

Different Solutions for Different Problems

But… we should be clear.  We are not viewing Corda as a solution to all problems.  This model is extremely powerful for some use-cases but likely to be less well suited to others.  It’s why we continue to engage extremely deeply with all our partners who are working on complementary platforms in this space; we are not omniscient.  Moreover, there are still many significant design and research questions we have to resolve: there is still a great deal of work to do.

Furthermore, I have been deeply impressed by the quality engineering embodied in the many platforms that have passed through our labs and you will continue to hear about projects we are delivering on platforms other than Corda: different solutions for different problems is our mantra.  Indeed, those who have attended panels or workshops in recent months will have heard me saying this for some time now.

Corda does not seek to compete with or overlap with what other firms are doing:  indeed, we are building it because no other platform out there seeks to solve the problems we’re addressing.  That’s what makes this space so endlessly exciting.

What next?

In the coming weeks and months, you’ll hear more about Corda, about our initial projects and about its design.  We will also be gearing up to release the core platform as open source, possibly as a contribution to other endeavours.  Watch this space.

And… we’re still hiring: there is a great deal of work still to do!

It’s New Year… Time to change the world

We’re hiring!

  • Are you a talented developer?
    • … who has experience of banking technology and a passion for blockchain technology?
  • Can you tell your nostro from your vostro?
    • … and do you have an intuitive understanding of why it’s quite so hard to change anything in a bank?!
  • Do you understand why Bitcoin works the way it does?
    • … and can you explain the block size debate in a way that all sides would agree was fair?
  • Can you explain why $100 at Chase is different to $100 at Wells Fargo?
    • … and can you design a data model that reflects this reality?
  • Do you have a passion to transform the world of finance by applying insights from the worlds of cryptography, blockchain technology and distributed systems?

If so, we should speak.

At R3, we’re working on what I think is the most interesting and exciting technology project in finance for years and we’re hiring talented, motivated professionals to turn our vision into a reality.

If you think “a blockchain” is the answer to every question then you probably shouldn’t apply.  But if you think the application of modern cryptography, consensus techniques and modern internet-scale technologies to some of the thorniest problems in financial technology sounds exciting, please email me.

Before you do, however, some background.  Because I’m convinced many people are thinking about the problems and opportunities completely back to front…

The reality is that banks were amongst the earliest adopters of information technology and, contrary to popular belief, they have done a good job in automating previously manual processes and in digitising previously physical processes.

But there are, of course, significant opportunities to improve the cost and efficiency of the architectures that have emerged – and today’s developments in blockchain technology and distributed ledgers are showing us how.

At core, this is all about moving from firm-level systems to industry-level systems.

Today, each bank has its own ledgers, which record that firm’s view of its agreements and positions with respect to its customer set and its counterparts – and its counterparts, in turn, maintain their views. This duplication, whilst robust, is expensive and can lead to inconsistencies, and it drives a need for costly matching, reconciliation and fixing of errors by and among the various parties to a transaction. To the extent that differences remain between two firms’ views of the same transaction, this is also a source of risk, some of it potentially systemic.

The maturation of cryptographic techniques, exemplified in part by “blockchain technology”, provides a new opportunity: the possibility of authoritative systems of record that are securely shared between firms. This provides the opportunity to implement new shared platforms for the recording of financial events and processing of business logic: one where a single global logical ledger is authoritative for agreements between firms recorded on it, even though the relationships and obligations recorded remain between those firms.

I believe successful, transformational, large-scale deployments of shared ledger technologies in finance depend on the adoption of an architecture that is designed from the ground up to address the functional and non-functional requirements of banks.   And the non-functional requirements are really, really, exacting.

It’s why I hired James Carlyle, Mike Hearn and Ian Grigg to start building out our technical leadership team:  I might be CTO but I’m not remotely clever or experienced enough even to begin to figure out the answers to these questions.

And it’s also why we’re hiring talented developers, designers and architects to join our team.

So, if you’re experienced, intelligent, curious and motivated by solving difficult problems in distributed systems in finance, I can think of no better place to be working right now.

Email me at richard@r3cev.com if you want to talk.

Introducing the R3 Technical Leadership Team

I joined R3 in September as our Chief Technology Officer. Regular readers may have noticed a drop-off in my blogging at precisely the same time.   It turns out that joining a high-profile, fast-growing startup consumes a lot of time..!

In this post, I want to share some early thoughts and to introduce my senior leadership team.  Regular readers of my blog will know that I have thought deeply and written often about the applications of blockchain and distributed ledger technology in finance.  But as I set out on my journey at R3, I tried to imagine myself in a few years, sitting in front of the CIO of one of the world’s largest banks, having a conversation about our project. What would we talk about?  How would I describe what we had built?  How would I explain why we built it one way rather than another?

I figured it would be an extremely difficult conversation if my opening line was: “well… you know….  I built the platform like this because blockchains were cool in 2015”…  No. That simply won’t do.   The rules of engineering and architecture don’t fly out of the window just because somebody pulls out the “shared ledger” trump card.

If we aspire to reduce cost, free up capital, improve controls and enable innovation in finance and beyond, we need to build our vision on more than hype and hope.   So I’ve gone back to basics:   what properties does a technology platform need to possess if it is going to enable the world’s banks – and other firms – to deploy shared platforms to record, manage and report on their contractual agreements with each other and with their customers?   What is the irreducible set of functional requirements we must provide?  What are the non-negotiable non-functional requirements?

So I’ve spent my first few weeks building my leadership team, establishing an Architecture Working Group with our members and developing a detailed view on what a shared ledger for financial firms needs to look like if it’s going to gain widespread adoption and solve real business problems.

In the coming weeks, I’ll share thoughts on these questions.   I’m probably wrong about huge portions of it (I usually am…).  But my strong desire is to have this debate in the open:  just as we’re driving this discussion with our members, we also want to debate this with other practitioners, firms and projects.  Not least, because it’s manifestly obvious that a base “fabric” for the recording of financial events and execution of logic has to be open and if I can persuade you of my vision (or you can persuade me of yours…), perhaps we can work together to drive some standardisation too.  Watch this space.

In the meantime, I’d like to introduce my senior leadership team.

First, I’m delighted to announce that James Carlyle, formerly Chief Engineer at Barclays Personal and Corporate Bank, is joining R3 as our Chief Engineer. He is almost too-good-to-believe: he built hugely complex systems for a hugely complex bank, founded two startups and he happens to be one of the few people I know who can both talk about Ethereum and develop for it.

Secondly, I am beyond excited that Mike Hearn has joined us as our Lead Platform Engineer. He brings half a decade of experience of blockchain and cryptocurrency development and over seven years of experience helping run some of Google’s most heavily-trafficked websites.  The combination of deep understanding of blockchain technologies and real-life experience of building rock-solid internet-scale production platforms is truly unmatched in the industry.  And his involvement in the recent bitcoin blocksize debate gives me confidence he can hold his own against a group of very opinionated bank architects…

Thirdly, I would like to welcome Ian Grigg, our Architecture Consultant.   Ian has been building cryptographic ledger platforms for over two decades.  He invented the concept of the “Ricardian Contract”, co-invented the concept of triple-entry accounting and astounds me every day with the experience and perspective he brings to the team.   You would be amazed how many of the concepts in the shared ledger space today can be traced back to Ian’s work.

Fourthly, Tim Swanson joins as our Head of Research. I have to believe there are people in this space who Tim doesn’t know, but I’ve not met one yet.   He teaches me every day that it’s OK to be opinionated, provided you can justify the opinions. And Tim can; his most recent report is a fascinating demonstration. I lean on him heavily for advice and insight and am delighted to have him as a colleague.

They join a fast-growing team, which also includes Jo Lang and Ayoub Naciri, amongst others.

… and what about you? We’re hiring!

We are working on the most interesting and exciting project I can imagine in technology today. We’ll be sharing details of our open roles and how to contact us shortly.   In the interim, if you’re interested in working with us, I’d encourage you to think about a few questions that just might come up in interview…

  • If you were building a system to enable multiple parties to come to consensus about the state of an agreement between them and maintain that in lockstep for the life of that agreement, what are some of the most important non-functional requirements you would want to explore to validate your design?
  • If you were building a shared ledger system between large numbers of regulated financial entities with hugely sophisticated IT infrastructures, what would be your approach to co-existence and integration?
  • What would be your answer to the CIO’s follow-up question? “Tell me… why did you build your shared ledger using a blockchain rather than another technology?”

Free advice can be valuable… but only if you take it

If a client tells you your solution doesn’t solve their problem, it may not be the problem that needs to change…

I often argue for the importance of blockchain and distributed ledger technology by using the following chain of logic:

  • Bitcoin’s architecture solved the problem of censorship-resistant digital cash
  • But few, if any, financial firms are interested in censorship-resistant digital cash
  • So why are they looking at this technology?
  • Because some principles underpinning Bitcoin’s architecture – shared ledgers, for example – could be relevant to problems that banks face.

Sure, a blockchain or a replicated shared ledger could indeed be useful to banks. Perhaps it could reduce the need for reconciliation between firms if they all ran off a single ledger, for example. But this says nothing about whether blockchains are the optimal solution to any particular problem in banking.  That still has to be argued, of course.

Recall: the bitcoin architecture was a solution to a very specific, very carefully framed problem – how to transmit value without the risk of censorship. Just because the underlying architecture could be used to solve some pressing problems in banking doesn’t mean it’s the best way to do so. Indeed, although the interlocking aspects of the Bitcoin solution are in some ways quite elegant, there are also some compromises. After all, it is an engineering solution to a set of very specific constraints and so it has to be demonstrated that it’s the right solution when the constraints are different.

Lee Braine, of Barclays Investment Bank CTO Office, made an important contribution to this debate when he spoke at London Blockchain Conference 2015 recently.  The video is now available and I urge anybody working in this space to watch it and to internalise its message.

[vimeo 137190236]

We all too often “talk past each other” in the distributed ledger world and we are quick to assume the other person just “doesn’t get it”.  I can assure you that Lee does get it and it would be a brave startup in this space that chooses to disregard what he said. He’s giving us free advice! Take it!

Like I say, watch the video for yourselves.

I think another way to capture the chain of logic in the video is as follows:

  • Assume the ongoing interest in the application of blockchain technology continues
  • Assume further that some banks identify some compelling business opportunities in deploying a cryptographically-secure shared ledger between themselves.
  • What is the probability that a derivative of Bitcoin or Ethereum or any other current platform will be the best solution to that specific problem?
  • Given that none of them were invented to solve that problem, surely it’s quite low, right?

So we could find ourselves in the situation that bitcoin and blockchain technology have catalysed an orgy of activity, that this activity has identified countless high-quality business problems and yet none of those opportunities are best addressed with the technology that triggered the excitement in the first place!

The theme of this blog is “free advice” and the free advice I’m taking from Lee’s comments includes:

First, we shouldn’t get enamoured by a particular implementation of a technology. Sure: if you have an implementation then you may have bought a place at the table.  But don’t make the mistake of assuming that if the business problem doesn’t fit the technology then it’s the business problem that needs to change!

Secondly, if you’re working in a financial institution, be careful to distinguish between the principles embodied in these technologies. Shared ledgers? Yes. That seems to be at the heart of this domain. Indiscriminate replication? Perhaps. Cryptographically-secured access down to the “row” level? Probably. And so on.

Thirdly, consider the complexity of banks’ existing IT environments. An idealised, “wouldn’t the world be perfect if…” solution is no use to anybody if it requires the whole world to move at once and/or if there is no credible migration path.  This points to a need to listen to the incumbents when they object.  Furthermore, consider the non-functional requirements which are simply a given in this space.

Fourthly, if we assume that today’s current hyperactivity will lead to a new understanding of the possibilities for banks but don’t assume that today’s blockchain platforms (permissioned or permissionless) are the (whole) answer, then surely we’re back in the land of engineering, architecture and hard work? Perhaps this means that the combination of persistence, data models, APIs, consensus, identity and other components that we need won’t all come from one firm.  So a common language, some common vision and an ability to collaborate may become critical. Where is your distinct differentiation? Where would you fit in an overall stack?

Brief thoughts on the Bitcoin block size debate

I’ve kept well away from the block size debate but the launch of Bitcoin XT is worth a quick mention.

My reasons for staying out of the debate are pretty obvious: I’m not a miner, I’m not a core developer, I don’t run a wallet service, I have no particular insight into the engineering trade-offs and, perhaps most importantly, I’m not mad. If I wanted to argue with people on the internet, there are far more interesting topics than Bitcoin’s block size…

But I’ve been asked by several people what I think.  And, at core, I think it might come down to three issues: 1) fear of two different types of failure, 2) a clash of visions and 3) no process for reconciling the first two issues.

Fear of Two Different Types of Failure

Fear of technical failure

I don’t contribute, but I do read the Bitcoin Development mailing list. I find it immensely helpful in keeping up with much of the day-to-day debate. What becomes clear when you read it is that there are (at least!) two distinct cultures at work.

First, there is a very strong security engineering culture. I sometimes think the trick to being a good security engineer is to think like a software tester (and vice versa): “How could I break this?”… “How could an attacker get round this?”… “What could go wrong here?”… “How could I force the provider of this service to waste all their resources?” And so on. Your job is to figure out all the ways something could fail, and fix it.

So, when presented with something like an increased block size, you obviously focus on all the things that could go wrong: miners on slow connections could get out-of-sync with those on the other side, the increased cost of running a node could create a centralisation pressure and so on.    And when you compare this against the potential benefits, you might not think the change makes sense:  there’s an increased technical and security risk but you haven’t fixed the underlying scalability issue at the heart of the system… you have, in some ways, just kicked the can down the road. So you might say that a driving issue here is “fear of technical failure”: the change, which has uncertain benefits, could cause catastrophic harm.  Better not do it just yet.

Fear of practical failure

But, on the other side, is a somewhat different culture, one that comes from a world where there are problems everywhere you look and they all need fixing.  So you pick the biggest one, fix it and move on.  The engineering functions of large companies are often like this.  You know your change might cause problems but if you believe “doing nothing” is not an option then it comes down to making the least-worst decision.  There are, after all, usually no good solutions, just compromises.

So, if you’re faced with a problem like blocks getting full in some foreseeable timeframe, it is natural to ask yourself: what is the risk of doing nothing? If your belief is that consumers mostly have choices and will simply abandon a system that can’t guarantee transaction confirmation in a reasonable period then you’ll likely see failure to increase the block size as something that will lead to a catastrophic exodus of users and your bias will likely be towards making the change.  For you, the issue is “fear of practical failure”: failing to increase the blocksize, a change which has uncertain risks in any case, will drive away users and make the system a failure in all practical cases.

I exaggerate for effect, of course, and I’ve ignored many aspects of the argument (e.g. the fee market, etc). And I’m sure some of the details are simply wrong. But note: even under this simplistic model, it doesn’t mean either side is “wrong” or “bad”: it is possible to hold either view quite legitimately and to passionately believe the other side is wrong.

A Clash of Visions

Where it gets more complex is when it comes to vision: if there was common agreement on what outcome was desired (e.g. “x transactions per second across the blockchain by 2017” or “the system should support this number of consumer wallets”) then the discussion would be a pure engineering discussion: “what is the best way to achieve this goal?”  But it strikes me that there isn’t agreement on this underlying vision.

And so, the engineering discussions get lost in the sound of people talking past each other or, worse, resorting to ad hominem arguments.  If you’re arguing from different premises, you never get anywhere, sadly.  It’s what makes political discussions on the internet so tedious..!

Process

In most projects, these issues can be resolved, ultimately, through the “benevolent dictator” model. Linus just decides.  Unfortunately, that process just doesn’t work in a system like Bitcoin. It’s not enough to control which code goes into the “core” distribution: the prevailing network rules are a complex function of miner adoption, full node adoption, wallet adoption, major merchant/processor adoption, and more.  It’s an inherently messy and political process. So the block size debate is likely to just be the first of many such controversies in this world.   The launch of Bitcoin XT is an interesting way to force the debate towards a conclusion but it’s likely to be messy.

And I hope those looking at “private blockchains” aren’t feeling smug as they read this. Managing the maintenance and upgrades of shared ledger systems between firms won’t be a walk in the park, either.

I have no particular insight into where this will go or which vision of the future will prevail.  But I hope (perhaps forlornly) that it will be resolved through the actions of professionals acting in good faith and that neither side will resort to “dirty tricks”.