The United States' National Institute of Standards and Technology (NIST) has finalised its report on blockchain distributed ledger technology and suggested that there are very few use cases to which it should be applied.
The report finds that there is little understanding of what blockchain does and how it can be applied.
"There is hype around the use of blockchain technology, yet the technology is not well understood. It is not magical; it will not solve all problems," the report's authors said, adding: "As with all new technology, there is a tendency to want to apply it to every sector in every way imaginable."
Blockchain was created for cases where there is little or no trust among parties who wish to conduct direct transactions between each other without participation of a trusted third party.
Whereas traditional applications follow the CRUD (create, read, update, delete) functions for data, blockchain only has CR. Older data can be deprecated but there's no way to remove data from a blockchain and each entry is verified by cryptographic calculation.
This append-only mode gives blockchain the ability to provide a full transactional history, while being tamper-evident and tamper-resistant; sharing the blockchain among participants provides transparency as well as resilience against attacks by bad actors.
But NIST says theory is not translating into practice. The organisation's report says blockchain's immutability is not complete and can be violated if an attacker garners enough resources to outpace the block creation rate of the network - the computationally expensive but technically not difficult 51 percent attack.
The most recently published blocks ("tail blocks") can also be replaced by longer, alternative competing chains, NIST noted.
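The Python example below is added here for illustration and is not code from the NIST report or this article. It shows both properties described above: a hash-linked, append-only ledger makes an edit to an old entry detectable, while a longer competing chain that verifies correctly replaces the most recent blocks. The field names and ledger entries are constructed, and chain length stands in for accumulated work (no proof of work or networking is modelled).

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed parent hash for the first block

def block_hash(index, prev_hash, data):
    """SHA-256 over a block's contents; any edit changes the digest."""
    payload = json.dumps([index, prev_hash, data], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def build(entries):
    """Create-only writes: each block commits to the hash of its predecessor."""
    chain, prev = [], GENESIS_PREV
    for index, data in enumerate(entries):
        digest = block_hash(index, prev, data)
        chain.append({"index": index, "prev": prev, "data": data, "hash": digest})
        prev = digest
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev"] != prev:
            return i
        if b["hash"] != block_hash(b["index"], b["prev"], b["data"]):
            return i
        prev = b["hash"]
    return None

def fork_choice(local, candidate):
    """Simplified longest-chain rule: adopt a strictly longer chain that verifies."""
    if len(candidate) > len(local) and first_invalid(candidate) is None:
        return candidate
    return local

def replaced_blocks(old, new):
    """Indexes of blocks in `old` that `new` does not contain (the replaced tail)."""
    return [i for i, b in enumerate(old)
            if i >= len(new) or new[i]["hash"] != b["hash"]]

if __name__ == "__main__":
    ledger = build(["pay A 5", "pay B 2", "pay C 7", "pay D 1"])  # constructed entries
    edited = [dict(b) for b in ledger]
    edited[1]["data"] = "pay B 200"              # in-place edit of an old entry
    print("edit detected at block", first_invalid(edited))
    rival = build(["pay A 5", "pay B 2", "pay X 7", "pay Y 1", "pay Z 3"])
    print("tail blocks replaced:", replaced_blocks(ledger, fork_choice(ledger, rival)))
```

Recomputing the edited block's own hash only moves the failure to the next block, whose stored parent hash no longer matches; the rival chain, by contrast, verifies cleanly, which is why the rule accepts it.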
Even though blockchains are said not to require a trusted central authority, the reality is that a great deal of trust is needed for the technology to work.
Blockchain participants have to trust the cryptography used and, where smart contracts are used, that they are correct and bug-free. They must also rely on the competence of blockchain developers.
Users also have to trust that other blockchain participants aren't colluding in secret to gain control of more than half the block creation power, and that nodes accept and process transactions fairly.
Depending on which consensus model is used, each of which has its own set of pros and cons, transaction processing with blockchain can be much slower than other technology solutions.
"One must ask if their application can handle relatively slow transaction processing?" NIST wrote.
Validating blockchain transactions is computationally intensive and requires a great deal of electricity and network bandwidth, the standards body cautioned.
The digital keys that secure transactions on the blockchain must also be stored securely. If they are lost, all assets associated with the digital keys can be stolen by attackers, and there's no way to undo, for instance, unauthorised funds transfers between accounts.
Privacy laws covering personally identifiable information (PII) such as Europe's General Data Protection Regulation (GDPR) are problematic for both permissioned and permissionless blockchain networks; it may not be appropriate to store PII on blockchain networks on which data is visible to other users, NIST noted.
Last month, the French data privacy watchdog, the National Commission on Informatics and Liberties (CNIL) weighed in on blockchain versus GDPR.
Not being able to delete information as required by GDPR means blockchains don't sit well with current privacy regulation, CNIL said.
When you might want to use blockchain
Despite the above caveats, NIST said blockchain solutions could work in scenarios with many distributed participants and no trusted third party.
In most cases however, blockchain is a solution looking for a problem and a database will do a better job instead, the standards body said.
Source: Department of Homeland Security Science and Technology Directorate.