For this week we will focus on an upcoming ICO that may not be terribly far along in terms of the actual token launch, but enough work has been done on the whitepaper as well as the evolution in their thinking that we have enough material here to warrant a good look.
Now, in preparation for the first project under discussion I need to cover a few things that the whitepaper presumed pretty decent knowledge of – namely, enterprise-level security concerns and cloud-based file storage. When technologists talk about “Enterprise Computing,” we are making an effort to distinguish between consumer-level computing and the computing requirements of larger companies. You might imagine that the needs and especially the security concerns for, let’s say, a modern first-world family consist of the ability to protect their financial data, as well as the files that they hold important to them – and trust me when I say that in a family of four kids, the 16,000 or so digital photos and/or videos of your kids from birth to teen-age years are pretty important. And it’s also fair to say that there is quite a lot of overlap between these security concerns at the end-consumer level and those of many small businesses, because a very large number of businesses, both in the United States and elsewhere, are run not much differently than a large family – or even by families – and so the security concerns there are quite similar. It really gets different when we talk about the security concerns and the file storage concerns of the so-called Enterprise, because now we are talking not only about a significantly greater degree of liability, but also about targets that are much, much larger. It really reminds me of a movie that I just saw last night – named Dunkirk, which was a week-long incident that happened in the early part of World War 2, where there were about 300,000 allied soldiers essentially stranded across the English Channel on a beachside town in France, with the enemy forces completely surrounding them and the only way out was by sea – specifically across about 20 miles of English Channel.
Well, a big part of the plan to rescue these 300,000 soldiers was to use over 800 small boats, mainly because it’s harder to attack a lot of small boats than it is to attack a few enormous destroyers or troop ships. So in Enterprise-level security analyses, there is a concept of “attack surface” – if the exposure of a given asset is X, what happens when you distribute the pieces of X across many points, such that you must attack all points in order to pull off a completely successful attack? That is an important point to understand for this ICO – and another is the role of cloud computing in the Enterprise. Cloud computing, by the way, is simply the ability to use business features and functions – everything from storing important files, to running complex business software – not on servers that your company has to pay for and maintain, but on services provided by large companies such as Oracle, Microsoft, Amazon, Salesforce, Google, and a few others. So the Enterprise took a little while to get there, but the big news is that they have really started to embrace the so-called Cloud. They are using cloud-based services for everything from large-scale file storage, to Customer Relationship Management Systems, to Enterprise Resource Planning software, and Supply Chain Management systems – all in the cloud, where the files, the databases, and the front-end software are maintained and provided by others. This whitepaper also presumes you understand all of this, and so in the interest of efficiency, I am providing you with this information just in case you don’t happen to know the significance of it. Now, let us get started with the analysis of our ICO for this week…
That would be spelled C-R-Y-P-T-Y-K and cryptyk.com is the place to go for more information. There are a few points that CRYPTYK makes in the introduction of the whitepaper:
- Although Enterprise-level data storage is cheap, enterprise-level security is most definitely not. In fact, it appears to cost roughly between $40 and $80/user/month.
- Secondly, this spending is not all that effective. Despite the fact that the cyber-security industry is approaching about $100 billion in value, security breaches, according to Forbes magazine, are now costing ten times that per year, and will approach $2 trillion by 2019. Needless to say this is a major concern for enterprise companies.
- Thirdly, one of the main reasons for this failure is the attack surface that we mentioned earlier. This is true for both in-house systems and cloud providers. And the centralization of cloud-based systems makes cloud services particularly vulnerable.
The answer? Well, as you might imagine a big part of it is decentralization. Like the Dunkirk movie, except that the whitepaper shows this in simple mathematical formulas, the sharing of assets provides a much more favorable attack surface using two concepts:
- A blockchain network with a certain number of trusted nodes.
- What they call “Multi-Cloud” vendor storage. That would be creating distributed access to multiple cloud vendors, such as Amazon AWS, Microsoft Azure, IBM Cloud, or any other competing cloud-based system – everything from Hitachi to Nutanix.
If you think about that, it’s a pretty powerful idea – the concept that if the data exists across three vendor sites, and the compromise of any one or two of these sites provides data that is worthless without compromising all three, the odds drop pretty dramatically that all three vendors would be simultaneously hacked. That’s the high-level concept and we’ll dive in more when we analyze the whitepaper.
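The all-or-nothing property described above, shown as an added example that is not taken from the Cryptyk whitepaper or from this analysis: a minimal XOR-based n-of-n split across three storage locations, in which any two shares are consistent with every possible plaintext. The vendor names, function names and sample document are assumptions for illustration; the whitepaper's actual scheme is not reproduced here.

```python
import secrets
from functools import reduce

# Hypothetical vendor labels; any three independent storage providers would do.
VENDORS = ("vendor_a", "vendor_b", "vendor_c")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes, vendors=VENDORS) -> dict:
    """n-of-n split: n-1 uniformly random pads, plus data XORed with all pads."""
    if len(vendors) < 2:
        raise ValueError("need at least two storage locations")
    pads = [secrets.token_bytes(len(data)) for _ in vendors[:-1]]
    last = reduce(xor_bytes, pads, data)
    return dict(zip(vendors, pads + [last]))


def combine(shares: dict, vendors=VENDORS) -> bytes:
    """Reconstruct the data; refuses unless every vendor's share is present."""
    missing = [v for v in vendors if v not in shares]
    if missing:
        raise ValueError(f"cannot reconstruct, missing shares from: {missing}")
    return reduce(xor_bytes, (shares[v] for v in vendors))


def share_consistent_with(partial: dict, guess: bytes) -> bytes:
    """
    Given all-but-one shares and ANY guessed plaintext of the right length,
    return the missing share that would make that guess the 'real' data.
    Such a share always exists and is as likely as any other, which is why
    an attacker holding only the partial set learns nothing about the data.
    """
    return reduce(xor_bytes, partial.values(), guess)


if __name__ == "__main__":
    doc = b"Q3 payroll export (constructed sample)"
    shares = split(doc)
    stolen = {v: shares[v] for v in VENDORS[:2]}   # two of three vendors breached
    decoy = b"?" * len(doc)
    forged = share_consistent_with(stolen, decoy)
    print(combine(shares) == doc)                          # all three: recovers data
    print(combine({**stolen, "vendor_c": forged}) == decoy)  # two shares fit any guess
```

An n-of-n split like this trades availability for confidentiality: losing any one vendor's share makes the data unrecoverable, so a practical design needs redundancy or a threshold scheme on top, plus integrity checks on each share.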
The Company and the Team
What is interesting to me about Cryptyk is that as a company the founder, who is a physicist, has been building the company for some time before considering the ICO as a means for investment. In 2015, the company described itself as a quote “paranoid bunch of quantum physicists, security experts, software coders and ethical hackers who are at war with all criminal hacking organizations.” So, a good set of roots. If you examine the backgrounds of some of the team, you find a wide and interesting group with many collective years of experience. The chief architect, for instance, not only spent years overseeing development of complex automation systems on Wall Street, he also lived on a sailboat for ten years and plays one hell of a mean blues harmonica. The other members of the team, who range from corporate lawyers to systems engineers and architects, are impressive in their respective fields. However, I would be remiss if I didn’t point out that the core team assembled is not especially strong in blockchain programming experience. On the core team, there is one person listed as a blockchain expert, but from what I could find, his output consists of a well-written blog post from September of 2017 that also made its appearance in the whitepaper. Where they make up for this, however, is in the set of advisors they have put together. There you will find several individuals who have some extensive experience in blockchain – although no core developers. I should recognize two things here – 1. blockchain developers with long histories of blockchain-specific development are hard to find and 2. that makes sense, simply because this is a very new technology. Fortunately, there seems to be a keen interest among developers who are coding in traditional languages such as C++ and Java in looking at blockchain-based technologies, so as time passes, the Cryptyk team should have a better time of it as the project begins.
The company has been operational as a cyber-security firm and when looking at the history of the website we see an evolution of thought. In late 2016, they promoted ideas of a secure cloud technology and began to formulate products for secure hybrid cloud enterprise networks. If you examine the old websites you can pretty easily draw a coherent line between the thoughts expressed a year ago and the thoughts that are expressed in the whitepaper. What it shows to me is an existing company that learned about blockchain technology and had a sort of aha-moment and was able to successfully reframe their offerings to take advantage of distributed technology, while retaining some of the ideas from the past.
There is a lot to like about this whitepaper. First, it does a good job of framing the problem, which we have described in the concept part of this analysis. Secondly, it points out problems that absolutely do exist, particularly latency experienced with blockchain solutions, and specifically how this latency is simply unacceptable when using cloud-based storage in real-time applications. An example of what I’m talking about is if you have ever used a system like Google Docs in real time, collaborating with others. In this case, you have several clients interacting with a single file, in real time. There is no way this can work with network latency, which I’m going to define in this case as anything over about 100 milliseconds. That means that no more than 100 and certainly not more than 200 milliseconds can transpire between the time you type a letter, and your collaborator types their letters, and those letters show up for both of you. That’s 1/10th and 1/5th of a second, respectively. That’s an example of using a real-time cloud service that both stores the file and also presents what is known as a functional application layer – namely, the document editing software that is essentially a word processor. The authors correctly identify the problem wherein current file storage systems using blockchain cannot be used for such a system, since the latency is sometimes measured in seconds or even tens of seconds – thus making such an instant system unusable. Yes, it would be usable for long-term backup of files, where retrieval is occasional, but attempting to run an application on a distributed blockchain system is a problem.
However, blockchain systems are inherently more secure than centralized cloud systems, because of the attack surface benefit you obtain as soon as you start to distribute the information in the form of nodes. The slight problem here is that as in any classic blockchain system, more nodes means more security – but it also means more latency. This is because a blockchain that must establish consensus among nodes for truth – the foundation of blockchain in a way – requires that those nodes talk to each other – a lot. And agree. And that communication and agreement – to vastly simplify it – costs time. This whitepaper does a good job of defining and showing the so-called sweet spot between the number of nodes and latency. It turns out – at least in the investigations they have performed – that this sweet spot lives right around 5 nodes to provide about 200 milliseconds of latency, which is just fine for real-time editing applications and immediate file storage retrieval. And best of all, with just 5 nodes operating, the attack surface is reduced by 90%, since the reduction in attack surface through distribution – remember the Dunkirk analogy – is quite powerful – logarithmic if you look at it in terms of a graph. The specific use case for this scenario is to use these nodes in a way that effects the distribution of multiple cloud providers – such as Amazon, Google, Microsoft, and others.
However, those of you who have followed this podcast might remember some discussion we have had about the security fundamentals about blockchain and the so-called Sybil attacks and 51% attacks when collusion exists between nodes. With a blockchain network of about 10,000 nodes like Bitcoin, this is very, very hard to achieve – and in fact never has been achieved. But if you believe, from listening to this podcast, that such an attack would be much, much easier with a network with 5 nodes, you would be absolutely correct. To meet the security vulnerability of this concept, Cryptyk has come up with several concepts:
- The first is a consortium-based, permissioned blockchain. We have talked a lot about this, because we are seeing it a lot in whitepapers, and because it clearly seems to be the result of some practical thinking when it comes to the deployment of blockchain in the enterprise. We see the health industry demand it, the Hyperledger project uses it, banks are using it, and now we see it here. Essentially, fewer nodes can be used if they are trusted, with a good deal of layers to establish and prove that trust.
- Cryptyk has created several interoperable components based on several different concepts – the Vault, which is distributed multi-cloud storage, then Passport, which is a private, permissioned blockchain that governs user access and a ledger to keep track of the file shares on the Vault, then Codebook, which is a decentralized data map for internal data and file encryption key storage. There is also a core “backend” engine that is responsible for about 9 major functions that allow the various components to interact and maintain security and meet the challenges of the major attack vectors, such as external threats, viral threats, internal threats, operational failures, and intercept threats.
What is interesting about this ecosystem is that enterprise customers are able to select the various components they wish to use. For simple, secure, file system backup, perhaps just the Vault service would be chosen. Then, as more robust security is required to deal with man-in-the-middle attacks or internal threats, a customer would make use of the permissioned blockchain (that’s called Passport) or the database map (known as Codebook).
The Network / Technology
The name of the token is to be CTO, and the blockchain described will be the basis for one of the components of the ecosystem named Passport, which is designed as a private, permissioned blockchain. The consensus mechanism is a bit unique in that there is a consensus algorithm described as “proof of security.” Proof of security consists of a function of no less than 5 other proofs. These proofs are Integrity, Confidentiality, Access, Posture and Compliance. There are brief descriptions of these, but there are no specific details about how any of these proofs are achieved. It is mentioned that there are CTO miners, so we might presume that these could be forms of proof of work. But as an example, when you read Satoshi’s bitcoin whitepaper, proof of work is clearly described in a couple of paragraphs and references earlier work known as Hashcash. The fundamentals are covered – starting with the importance of a timestamp, and then with a description of how the nonce is found. Here we don’t have any details, but since there is some time between now and the token sale – we aren’t even quite sure how much time – there should be time enough to ask those types of questions.
As for the management of the token and the way in which it is used in the network, this is spelled out pretty well, as are other details, such as how the system will interface with providers like Amazon Web Services, Google, and others that provide cloud solutions. Central to the system is a proprietary exchange, which will effect the flow of inbound coins of various denominations, such as ETH, BTC and of course CTO. This exchange will allow customers of Cryptyk to purchase services using CTO and will allow those cloud service providers to be paid in fiat currency as needed. There is something called an Incentives engine which is funded by a non-profit organization that receives a third of the proceeds of the token sale, and which will create a pool for partner incentives and other initiatives. I should mention that you can sign up at the Cryptyk website as a partner – even an open-source partner, and it’s mentioned that projects could be funded in varying amounts between $5K and $100K. This reminds me of the fund that was planned for the Ambrosus token sale with what they called the Farmer’s Fund for small farmers in undeveloped nations. Pretty interesting.
The Token and the Sale
The website that is intended to provide information about the token sale does not yet exist. When you visit cryptyk.com and click on the link for Token Sale, you are directed to www.cryptyk.io but the message is that the website is under construction and coming soon. Fortunately, though, the whitepaper has a few details. Essentially, it appears that 750,000,000 tokens will be issued, and the price of a token will be ten U.S. cents each. This implies a cap of $75,000,000. The whitepaper describes an even three-way split between what are described as “investors”, Cryptyk, and the Non-Profit Cryptyk Foundation. For an ICO, it’s a little unusual in that the $25 million labeled as “Cryptyk, Inc” is described as “ .. reserved for the shareholders of Cryptyk, Inc. who can slowly exchange their equity for tokens over a two to four year vesting period (depending on whether they are founders, investors, advisors or employees.)” I am going to take a wild guess here and presume that as we get closer to the ICO, this language will probably change. I say this only because I’m not sure how this sort of language holds up in the current climate with respect to a token offering labeled as a security by the Securities and Exchange Commission. Of course, we don’t know the details of the token offering – so it’s quite possible that this company will file with the SEC as a security – so who knows. This could be another question to ask the company as we get closer to the token sale launch.
Community and Response
There is actually little or no community involvement with this ICO – so far, anyway. For instance, there is no announcement on BitCoinTalk. There is nothing about them on Reddit. There is no code on GitHub. There is no Slack channel, no Discord or Telegram channel. I realize, of course, that this is quite early – since there is only a whitepaper. They do mention that the token sale will happen in “early 2018” but I believe they have a little way to go before they might be ready to attract the kind of attention that will be required to successfully launch a token sale. When they get these communication channels open, it might be easier to ask the questions that we may have as they move closer to launch.
Business Viability and Possible Gotchas
In the whitepaper they mention a price of about $20-30 per user per month for a full suite of file storage for 1 TB of user data, plus all of the surrounding security mechanisms and dashboards and various functionality to ensure a much higher degree of security than can be had from current cloud providers. I would say that if they can, in fact, provide this level of security along with additional front-end application-layer functionality, then they will be able to compete in today’s marketplace, simply because enterprise companies spend much, much more than that for security that is clearly not working. So to the extent they can make risk managers and CIOs, CTOs and CEOs more comfortable, they should have a ready market.
A good thing I see from a business perspective here is that this is a company that understands and values partnership. There are several ways in which to partner with them, and from archived web pages we can see that they have felt this way for years. Frankly, you don’t see that a lot with ICOs these days beyond a page of icons showing various companies, probably because the success of recent ICOs has proven that you don’t necessarily need partners to successfully launch an ICO and collect millions of dollars. But this company has sign-up forms and descriptions of the benefits of partnering with them. From a business viability perspective, this is a good thing to see.
My final takeaway with this ICO is that the whitepaper is definitely worth reading because it seeks to address not only some major issues that enterprise companies face, but also issues with existing file-based blockchain deployments. I certainly like some of the ideas expressed, and I think a lot of the concepts are quite valid and would be quite successful if deployed and adopted. On the other hand, it is clearly early in the process, and I think that the final verdict will be a bit more clear when we get closer to the token launch. This will be especially true as the communication channels open up. So I would recommend keeping an eye on this one, since the ideas are sound and it will be interesting to see how their sale goes off as well as the community response, once they start engaging with the community.