Guardtime's KSI Blockchain technology has to date been used throughout Estonian Government ID services to provide immutability of transactions - i.e. when an identity event happens, that event is hashed and registered in the KSI Blockchain (and ultimately in the Bitcoin blockchain and on physical media). This eliminates the need for trusted insiders and cumbersome key management to confirm the veracity of the transaction history. The new Archimedes award will extend this work to cover commercialization of three main areas.

1. Derived Identities: Global Access with Local Management

The canonical example of derived identities is verifying that you are above the legal age when entering the local pub. The doorman doesn't need to know who you are, your address or even your date of birth - all that is necessary is a yes/no answer to the question "are you above the legal age?". Any other information is redundant, and revealing it represents a potential security risk. In the physical world you could in theory create a government-backed physical card that has a photo along with your age but otherwise discloses no identity information about you.

Of course this is much more practical to do in the digital world, where it is known as a derived identity or derived credential, and it has very broad implications for financial services (KYC), health-care and enterprise.

A very topical example of a derived credential would be credit score information: telecom operators offering derived identity services with and for financial services clients would address many of the security challenges we are seeing play out with Equifax in the US.

Matthew Johnson, Guardtime CTO: "Blockchain is an incredibly elegant tool to enable identity portability across trust boundaries - it enables enterprises to leverage their local authentication servers but gain access to global services. We see this as a major opportunity for telecom operators who are offering identity services to their customers. Telecom operators can now offer financial services direct KYC portability with legal evidence that they have followed compliance steps - and with an approach that integrates directly into existing IDAM systems."

2. Machine Identities for the Industrial Internet

The Industrial Internet, or the convergence of the global industrial system with the power of advanced computing, analytics and low-cost sensing, is bringing us to the threshold of a new era of innovation. Connecting the digital world with the world of machines holds the potential to transform global industry profoundly, bringing greater speed and efficiency to industries as diverse as automotive, aviation, energy, power and health-care.

However, browse vendor marketing materials and it will feel like the 1990s never happened: it's all key management, digital certificates and certificate authority hierarchies for 50 billion machines.

Guardtime announced its alliance with IntrinsicID earlier this year to combine Physically Unclonable Function (PUF) technology and blockchains into a new form of device authentication and identity management. Unlike certificates, PUFs are unique to a device, and by linking them to blockchain and ledger technology a device can be managed throughout its lifecycle, through multiple transfers of ownership, with an immutable audit trail of device history.

3. Preparing for Quantum Computers: An Upgrade for RSA

The RSA signature algorithm has been the underpinning of Internet security for the last 40 years, but with the advent of quantum computing it is rapidly approaching the end of its shelf life. As the sophistication of nation-state cyber-attacks continues to increase daily, there is an urgent need to find alternatives to RSA to protect strategic national assets and critical infrastructure.

BLT is a new cryptographic algorithm invented in 2014 by, and named after, Guardtime cryptographers Ahto Buldas, Risto Laanoja and Ahto Truu. It is intended to be a quantum-immune replacement for the RSA signature algorithm - i.e. it uses only hash function cryptography and no asymmetric key cryptography.

The main benefits of BLT include:
  • Simplified revocation management: There is no need to check certificate validity when verifying signatures, eliminating the need for complicated Certificate Revocation Lists (CRLs).
  • Long-term validity: There is no need for periodic re-timestamping of the signatures due to expiring keys – time and integrity of the signature can be proven mathematically without reliance on trusted parties or the security of keys.
  • Limited liability: Unlike with RSA, BLT signatures cannot be generated offline, removing the potential for unlimited liability in the case of private key theft.
  • Quantum immunity: BLT's hash functions cannot be broken using quantum algorithms.

The objective of the current Archimedes research grant is to develop the BLT signature scheme into a maturity level ready for standardization and commercial product development.
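To make the "hash functions only" and "cannot be generated offline" properties above concrete, here is an added toy model (not Guardtime's code, and not the actual BLT construction, whose details this page does not give) of the hash-chain-plus-timestamp idea: the signer holds a chain of one-time keys, one per time slot, and a signature is the slot key together with a timestamp over H(message, key). The `TimestampAuthority` here is a constructed stand-in that tags digests with a local secret; in KSI the binding would instead be publicly verifiable through the hash calendar.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts: the only primitive used."""
    return hashlib.sha256(b"".join(parts)).digest()

class TimestampAuthority:
    """Constructed stand-in for a timestamping service (toy: uses a local
    secret; KSI would publish a hash calendar so anyone can check the binding)."""
    def __init__(self, secret: bytes):
        self.now = 1            # current time slot
        self._secret = secret
    def stamp(self, digest: bytes) -> tuple:
        t = self.now
        return (t, digest, H(self._secret, t.to_bytes(4, "big"), digest))
    def check(self, token: tuple) -> bool:
        t, digest, tag = token
        return tag == H(self._secret, t.to_bytes(4, "big"), digest)
    def tick(self) -> None:
        self.now += 1

class Signer:
    """One-time keys z[slots], ..., z[0] with z[i] = H(z[i+1]); z[0] is public.
    Revealing z[t] exposes only past keys z[0..t], never future ones."""
    def __init__(self, seed: bytes, slots: int):
        self.z = [b""] * (slots + 1)
        self.z[slots] = seed
        for i in range(slots - 1, -1, -1):
            self.z[i] = H(self.z[i + 1])
        self.public_key = self.z[0]

    def sign(self, message: bytes, ta: TimestampAuthority) -> tuple:
        key = self.z[ta.now]                 # key reserved for this slot
        token = ta.stamp(H(message, key))    # needs the service: no offline signing
        return (key, token)

def verify(message: bytes, public_key: bytes, signature: tuple,
           ta: TimestampAuthority) -> bool:
    """Valid only if the timestamp is genuine, covers H(message, key), and the
    key hashes back to the public key in exactly t steps (key bound to slot t)."""
    key, token = signature
    t, digest, _ = token
    if not ta.check(token) or digest != H(message, key):
        return False
    for _ in range(t):
        key = H(key)
    return key == public_key
```

A key leaked after its slot has passed is useless to a forger: a timestamp from a later slot t' makes the chain walk t' steps and miss the public key, which is why no revocation list is needed.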