Advanced Trust Services Facilitated by the Industrial-Scale Blockchain Technology

Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Risto Laanoja Security Engineer Outline

• Guardtime

• KSI

• What it does

• How it works

• Trust assumptions

• KSI / blockchain applicability in providing eIDAS trusted services

• Standardization challenges

2 Advanced trust services facilitated by the Industrial-Scale Blockchain technology 1. Company Overview

3 Advanced trust services facilitated by the Industrial-Scale Blockchain technology Introducing Guardtime

Who we are: • Systems engineering company, fundamental and applied research into cryptographic applications • Founded in 2007 in Tallinn, Estonia • Offices in Amsterdam, Palo Alto, Tallinn and Tartu • 71 people

4 Advanced trust services facilitated by the Industrial-Scale Blockchain technology 2. KSI Technology An Industrial Scale Blockchain

5 Advanced trust services facilitated by the Industrial-Scale Blockchain technology Keyless Signature Infrastructure (KSI): An Industrial Scale Blockchain

KSI enables real-time Scalability Settlement time massive-scale data One of the most significant In contrast to the widely distributed integrity validation. challenges with traditional crypto-currency approach, the blockchain approaches is scalability number of participants in KSI The technology – they scale at O(n) complexity i.e. blockchain distributed consensus overcomes two major they grow linearly with the number protocol is limited. By limiting the weaknesses of traditional of transactions. number of participants it becomes possible to achieve consensus In contrast the KSI blockchain blockchains: synchronously, eliminating the need scales at O(t) complexity – it grows for Proof of Work and ensuring linearly with time and independently settlement can occur within one from the number of transactions. second.

6 Advanced trust services facilitated by the Industrial-Scale Blockchain technology KSI Signature

The KSI Signature is a Upon verification, KSI Signature piece of meta-data which allows to assert: enables the properties of • Signing time the data to be verified. • Signing entity

• Data integrity

KSI uses only hash-function based cryptography to make these assertions without relying on trust.

7 Advanced trust services facilitated by the Industrial-Scale Blockchain technology KSI Properties

Open Verification: For KSI Signature Long-term validity: Proof is based only on KSI Signatures provide verification, one needs to trust publicly the properties of hash functions and does proof of time and integrity available information only - verification does not expire. not rely on trusted insiders or security of of electronic data as well key-stores. Carrier Grade: The KSI system architecture is able to deliver 99.999% availability. as attribution of origin. Massively scalable: KSI performance is practically independent of the number of Offline: The KSI system does not require The KSI System has clients or amount of data signed / verified. network connectivity for verification.

been in production use Portable: Data can be verified even after Post-Quantum: The proof stays valid even crossing geographical or organizational assuming functioning quantum computers, since 2007. boundaries or service providers. i.e. does not rely on traditional asymmetric or elliptic curve cryptography. Supports Real-time Protection: KSI Signature verification requires milliseconds, Absolute Privacy: KSI does not ingest any which allows clients to perform continuous customer data; data never leaves the monitoring and tamper detection. customer premises.

8 Advanced trust services facilitated by the Industrial-Scale Blockchain technology Introducing the Hash Calendar Blockchain

A global asynchronous Aggregation Calendar Blockchain Tree summarizing all submitted Hash Values is built every second and destroyed after all clients have received their hash chains.

The same tree is never rebuilt. Global Only the Global Root Hash Values of Aggregation the Aggregation Tree are kept in a Tree public Calendar Blockchain.

The Calendar Blockchain has exactly one entry for each second since 1970-01-01 00:00:00 UTC

Hash Values Hash Chains

9 Advanced trust services facilitated by the Industrial-Scale Blockchain technology KSI Signatures Are Proof of Data Integrity

HASH VALUE Calendar Integrity is verified by recreating the hash value in the calendar using the aggregation hash chain. AGGREGATION HASH CHAIN

To connect to a widely witnessed physical artifact, the publication code can be recreated using the

calendar hash chain. HASH VALUE

The widely witnessed root hash cannot be recreated from altered input data if the hash function used

is second pre-image resistant. AGGREGATION HASH CHAIN CALENDAR HASH CHAIN PUBLICATION CODE

10 Advanced trust services facilitated by the Industrial-Scale Blockchain technology KSI Signatures Are PUBLICATION CODE Proof of Signing Time

Signing time is encoded

into the shape of the CALENDAR ORDER BIT ORDERBIT HASH VALUE HASHVALUE

calendar hash chain. 1 The order bits encode the path 0 from the root to the leaf and prove

the time offset of the leaf from the 1 publication time P of the root hash value if the hash function used is 0 second pre-image resistant.

THERE IS NO TRUSTED TIME SOURCE Time = P - 10

11 Advanced trust services facilitated by the Industrial-Scale Blockchain technology Introducing Identity

HASH TREE OF THE PARENT AGGREGATION SERVER Identity: the result of an authentication request (whether PKI, LDAP, Biometric etc) as an identity tag in the KSI distributed hash tree.

A B This works for machines. PARENT SERVER IDENTITY TAG IDENTITY TAG

For a true digital signature system

for humans we need non- Root hash request from Root hash request from server “A” server “B” repudiation. Proposal: BLT CHILD SERVER CHILD SERVER signature scheme. “A” “B”

12 Advanced trust services facilitated by the Industrial-Scale Blockchain technology

3. KSI in eIDAS context

13 Advanced trust services facilitated by the Industrial-Scale Blockchain technology KSI and eIDAS trust services

Signature / seal: - Identification, RA work are hard! Registered - Employ PKI authentication or external identity delivery provider ? - Cryptomathic and other vendors: no secure element necessary? Electronic KSI blockchain - Verifying user certificates at signing time signature applicability simplifies the validation data Electronic Time stamping: natural fit, “post quantum Electronic indemnification” time stamp seal Preservation service: Preservation - Long term integrity guarantee service - No insider threat Registered delivery: proof of sending, receiving, time, integrity

14 Advanced trust services facilitated by the Industrial-Scale Blockchain technology Interoperability

Relying party protection: Independent verification Interoperability: hard question

• There is a copy of calendar blockchain in each Gateway • Notary service to translate the formats? appliance, public information • Validation Authority (privacy?) • “Root of trust” is publication printed in globally available newspaper Reality of business use: • It is possible to create self-contained “extended” signature token for true offline verifiability • Server-side processing, "apps", fixed workflow.

• No service provider help necessary • Preservation: usually closed systems.

15 Advanced trust services facilitated by the Industrial-Scale Blockchain technology 4. The Message Standardization challenge for non-traditional technology

16 Advanced trust services facilitated by the Industrial-Scale Blockchain technology The message

Risk-based accreditation process Standards should be technology neutral. Freedom to create profiles, use alternative (future) algorithms and protocols. • Trust services are based on different technologies with very different trust assumptions. Qualification • Example: XAdES – locks time-stamp to RFC 3161 format. procedures must be based on actual risk, not Signature field has algorithm ID though. baseline of measures/features. • Example: evolution of Guardtime signature token: started with • Example: time-stamping service provider audit the profiling of RFC 3161: used it as a container, specified our included ETSI TS 102 023 (Policy requirements for own signature format with registered OID inside. Positive: few time-stamping authorities) conformance check; fine, insignificant applications were able to time-stamp data (no we found some keys with formal management verification). Switched to proprietary format: 40% smaller, “local procedures and HSM protection. aggregation” for very high-volume local data signing.

• Security primitives might not be plug-in replacements. Example: many post-quantum secure schemes must keep state (e.g. spent keys), KSI needs service URIs.

17 Advanced trust services facilitated by the Industrial-Scale Blockchain technology

Thank you

Risto Laanoja [email protected]