Cardano is the first project that bets on formal method development and the team build it as a mission-critical project. It takes a lot of time and effort to build such a project. The team carefully researched other existing projects and all relevant studies, it cannot be afraid of experimenting and searching for the best approach in the real-world environment. The IOHK team had to find the best experts in the given fields and cooperate with them. The team must do research, write some studies, ask for critical reviews of studies they have written from competent people, write a piece of software following specifications, and test it. It might sometimes happen that it is needed to throw away some piece of work or at least make corrections, learn from mistakes or start from the beginning in a different way. It cannot be done in a year or two.
Blockchain is not Facebook
We are used to always available the internet and all the services we use every day, for example, services provided by Facebook, Amazon, or Google. The services mostly work fine and if not then they start working within a few hours. All these services are centralized and there are responsible administrators who are able to fix issues quickly and make the services available again for you. The services are owned by companies that make decisions about adding new features. Dedicated teams implement the features and update the source code as leaders or market research dictates. Economical model is simple. Company owners have server infrastructures, R&Ds, marketing, and sales departments. To pay for all that the services must be profitable. Do not be mistaken that you do not pay for some internet services. Services are not for free at all. These companies collect tons of information about us and then capitalize on it.
Blockchain is a name for a public global distributed consensual network and there are significant differences in comparison with traditional services provided by famous IT giants. Let’s have a look at a few of them:
- Blockchain is a public network. It means that everyone can run a node and expect a reward. Thus viable economic models must be involved. A sufficient number of people must be willing to use the protocol and pay for it in order to reward owners of nodes. The more users the lower transaction fees or usage of services can be.
- Blockchain must be available for users 24/7 without exception. If it is a global financial computer then it must be nearly 100% reliable. The world cannot stop due to a bug in the financial network.
- Blockchain must be 100% secure. Blockchain keeps the information about the ownership of valuable coins or tokenized assets. Only the owner can create a valid transaction and pass on the ownership. If there are privacy requirements that it cannot be easy to hack the system.
- Blockchain must be resistant to network attacks, be always able to make a consensus, and process all transactions in a censorship-resistant way.
- Blockchain must be decentralized and strive to keep it on a high level. Decentralization is about a protocol and also about governance. Governance is more important since if whatever goes wrong the community must decide on how to fix it. We are not able to create a fully autonomous protocol that would maintain itself. We need developers who will follow the wishes of the community via democratic voting. The only community can decide about adding new features.
- If blockchain is supposed to be a global network then it must necessarily scale. A global network that is able to serve only to 1% of the population will not be adopted. We are able to send an email with seconds. We must be able to send value fast as well and it must be cheap. People from poor countries cannot spend $1 for a transaction fee.
- A blockchain is just software and it also must be updated sometimes. It is not so obvious how to do that in a decentralized and secure way. It is needed to deploy changes and it can sometimes happen that old and new versions of the software are mutually incompatible.
- A blockchain is not something that we can have done once and then forget it. The work on fixing bugs and improvements is never-ending. The software must be open to changes but ideally closed to introducing new bugs during updates.
From the technological point of view, it is much harder to develop blockchain than common client-server protocol. The reasons are obvious. We know well how to design and create client-server protocols since we do that a few decades. For example, old mailing protocol SMTP was created during the 1970s. Moreover, there is mostly no problem with scalability and no requirement for decentralization. Creating a new global service is a more social problem than a technical problem and start-ups strive a lot with adoption.
Blockchain recently celebrated the first decade and did not meet with much attention at the beginning. We have not many experiences with building similar networks from the past. Of course, we have a few functional distributed networks. However, there is no global consensual distributed network with an economic model that would be used by masses.
At the moment, we can say that blockchain attracts attention but is not ready to serve people due to technological immaturity. If you have a critical look at the crypto-verse you will see PoW networks that were successfully attacked by famous 51% attacks. PoW networks are mostly slow and do not scale nearly at all. Only Bitcoin can be considered as a secure network but it is criticized by some people for troubles with decentralization. We also have networks using DPoS consensus algorithms. We have some projects that scale much better but their decentralization is limited due to the fact that only a given number of validating nodes can participate in proposing new blocks. We are at the beginning of the blockchain era. We need to build a decentralized, secure, and scalable blockchain and we must see it running for a few years without troubles. Moreover, it is not only about blockchain itself but also about useful functionalities and solving real issues. People will not adopt blockchain just for the fact that it exists. People adopt functionality or services, not the technology behind it.
Bugs in conventional software can be fixed by patches after they are found. You know it well since your operating system is updated regularly. Every update very probably contains a set of fixes.
It is not so easy with blockchain. Blockchain transactions cannot be undone. It basically means that there must not occur any error during processing transactions or smart contracts in the blockchain. Once one loses money due to the error then it is gone probably forever since nobody will want or be able to rewrite the history. Some smart contracts could be potentially upgraded by implementing another contract that cooperates with the first one and tweaks overall conditions in a way that a bug might not result in an unwanted result.
A blockchain bug fix is â€‹â€‹not able to reverse a potential loss. The fix only prevents the same error from occurring again. On the other hand, if someone steals your data because of a bug in conventional software, it is also an irreversible event. Fixing a blockchain bug is also more complicated because more individuals have to accept the fix through a new client installation. The question is how to do this in a decentralized way, as no one should maintain a list of important nodes on the network and know their owners.
Cardano is built as a mission-critical system
Cardano is the first blockchain project where the team realized the full complexity of the idea. Thus the project is developed from a scientific philosophy. It is designed and built by a global team of leading academics and engineers. In addition, thought and care from some of the leading experts in their fields have been devoted to the project. The scientific rigor applied to mission-critical systems such as aerospace and banking has been used to build Cardano, with a high assurance implementation.
It is not easy to build blockchain and a bunch of average programmers cannot do it in expected high quality. It is necessary to put together experts to cryptography, software security, distributed networking, threat modeling, protocol design, game theory, operating systems, economy, and of course, software architects and programmers. In the case of Cardano, there are also smart contracts so other experts for designing programming languages are needed. Moreover, the Cardano approach requires experts for formal method development and there are not many knowledgeable people. As you can see, there must be many experts involved in the project, and do not forget that the project is global. To make it works a few great team leaders are also needed.
What is a mission-critical system
Generally speaking, a mission-critical system is a system that is essential to the survival of a business or organization. When a mission-critical system fails or is interrupted, the operations are significantly impacted.
When there is an essential service necessary for normal operations we used to call it a mission-critical system. It depends on the context of usage of the mission-critical software to decide what is potentially in danger. A mission-critical system can be a navigational system for airplanes where human life is in danger. In the context of the banking systems, we can speak about possible financial losses so we often call it the business-critical system.
For IT giants their databases and servers might be considered as mission-critical systems. Thus they build and infrastructures that are able to keep working without interruptions in cases when the network is under attack, some server crashes, database crases, there is a power shortage, or some hardware issue. There are usually more locations with servers and databases in such infrastructures. When some location is completely cut off for any reason the other is able to take over the service. Users do not notice anything.
In the context of blockchain, we talk about the public network for people maintained by people. Cryptocurrencies want to gradually replace the current financial system, give freedom to people, and allow them to rely on blockchain technologies. If blockchain would fail and some data would be permanently lost then some people could lose everything. In some cases, people could be fully reliable on blockchain and if their possessions are kept in a blockchain then we can consider it as a mission-critical system.
So public blockchain cannot be interrupted under any circumstance and must be able to come to a consensus at regular intervals. Any interruption might result in situations when people will not be able to pay for something, prove something, get somewhere, do something, etc.
Cardano is to be a world financial operating system so it deserves to be built as a mission-critical system from scratch. The project strives for billion users so it must be reliable from the beginning. It makes no sense to create a blockchain quickly, wait for adoption, and if it comes then try to improve the protocol.
Formal method development
Formal method development is a way how to build software with a focus on its reliability. It is a method helping to build mission-critical systems. Using the formal method is not usual in business nowadays since the development of such systems is very slow in comparison with the usual approach of commercial IT companies. They often need to deliver something, try it and after that improve it. It is mostly due to high competition in the market.
The formal methods approach is also very expensive. Not only due to the time needed for delivery but also due to the scientific and mathematical nature that requires hiring experts with appropriate education or experience. Moreover, there is a lack of support tools for formal method development and verification.
To put it simply, formal method development is a particular kind of mathematically based techniques for writing specification, development, and verification of the result — the created software. The motivation to use the formal method is the expectation that mathematical analysis or modeling can significantly contribute to the reliability, and robustness of a design and specifications that are later used for writing software. In case that the design, based on math and modeling, is correct and the software is written strictly following the design then there is a high probability that the software behaves as it is expected by authors and also by users.
In other words, formal methods are used to provide a precise and detailed description of the system that is to be developed. The description or design is often prepared by researches or scientists and it is used by software architects and programmers for guiding further software development. Additionally, it is used for the verification process. When the software is created it must be verifiable that it fulfills all requirements completely and accurately. The design must be written in a way that programmers are able to understand it, write the code by that, and finally verify it. For that, a formal language with a precise and unambiguously defined syntax and semantics can be used. Scientists and programmers must understand each other and there cannot be much space for communication noise.
If we simplify it there are three major steps in the process:
- Preparing a specification for developers mostly by researches, mathematicians, and/or scientists. In this step, a formal description of the system must be prepared. This step should also contain a validation of the specification. A review from other experts is highly welcomed.
- Once the formal specification or design is prepared programmers can take it, study it, and start to create software strictly following the specification.
- Once the software is developed it is time to verify that it really behaves in all possible scenarios as the formal specification dictates. Many different methods might be used to verify that. However, the software should work correctly in the real environment.
IOHK uses formal specifications that allow them to verify that the final code is in line with what the researchers initially envisaged in their publications. By creating implementation-independent specifications, they can build components of the system using different languages and be confident that they will work together.
It is worth noting that IOHK decided to use programming language Haskell what is a great pick for the project driven by the formal methods since it can be easily verified that the code does what is expected by specifications.
In the past, IOHK released many design specifications or formal specifications. For example:
- Design Specification for Delegation and Incentives In Cardano-Shelley. It describes the requirements and design for the delegation and incentive mechanisms to be used in the Shelley release of Cardano: https://hydra.iohk.io/build/790053/download/1/delegation_design_spec.pdf
- A Formal Specification of the Cardano Ledger. It specifies the ledger rules for Shelley, including delegation and incentives: https://hydra.iohk.io/build/789825/download/1/ledger-spec.pdf
There are many other specifications for every part of the project, for example, Ouroboros PoS, wallet, UTXO model, etc. The team, as the first one, formalized Bitcoin PoW to ensure that it is really secure. After that, it was easy to mathematically prove that Ouroboros PoS is as secure as Bitcoin PoW.
Building a mission-critical project takes time and criticism for waiting too long for delivery is not appropriate. Building high-quality software takes time and Cardano put the level even higher and the IOHK team decided to use the formal methods. All that had to be done from scratch and Charles managed to find many great scientists and experts.
Cardano will be ready for real business in 2020. It will be secure, decentralized, and much better scalable than competitors. In 2021 we can expect even better scalability (Basho phase) and governance (Voltaire phase). However, if everything goes well there should not be a need to improve or fix what is already delivered. Thanks to that, Cardano can have a competitive edge.