KSI Blockchain Technology

Blockchain meets Security

Guardtime's KSI® blockchain technology is designed to provide scalable digital signature based authentication for electronic data, machines and humans.

Unlike traditional approaches that depend on asymmetric key cryptography, KSI uses only hash-function cryptography, allowing verification to rely only on the security of hash-functions and the availability of a public ledger commonly referred to as a blockchain.

A blockchain is a distributed public ledger; a database of transactions such that there is a set of pre-defined rules as to how the ledger gets appended, achieved by distributed consensus of participants in the system.

The KSI blockchain overcomes three major weaknesses of mainstream blockchain technologies - which were designed to facilitate asset transactions - making KSI suitable also for cybersecurity and data governance applications:

Scalability: One of the most significant challenges with traditional blockchain approaches is scalability – they scale at O(n) scale complexity, meaning they grow linearly with the number of transactions. In contrast the KSI blockchain scales at O(t) space complexity – it grows linearly with time and independently from the number of transactions. KSI can sustain billions of asset registration events every second without growing out of control.

Settlement time: In contrast to the widely distributed crypto-currency approach, the number of participants in KSI blockchain distributed consensus protocol is limited. By limiting the number of participants it becomes possible to achieve consensus synchronously, eliminating the need for Proof of Work and ensuring settlement can occur within one second.

Formal security proof: Unlike other blockchains, KSI blockchain has been subjected to end-to-end formal mathematical proof that provides assurance that the protocol does precisely what it says it does.     

Next-Generation Digital Signature

A user interacts with the KSI® system by submitting a hash-value of the data to be signed into the KSI infrastructure and is then returned a signature which provides cryptographic proof of the time of signature, integrity of the signed data, as well as attribution of origin i.e.  which entity generated the signature. The properties of the KSI include:


Massive Scale

The KSI signatures can be generated at exabyte-scale. Even if an exabyte (1,000 petabytes) of data is generated around the planet every second, every data record (a trillion records assuming 1MB average size) can be signed using KSI with negligible computational, storage and network overhead, globally.


The properties of the signed data can be verified even after that data has crossed geographic or organizational boundaries and service providers.

Quantum Immunity

The cryptography behind the KSI signatures ensures that they never expire and remain quantum-immune i.e. secure even after the realization of quantum computation.


Independent Verification

The properties of the signed data (time: when was the data signed, integrity: the underlying data has not changed, and order: which data was signed in which order) can be verified without reliance or need for a trusted authority.

Data Privacy

KSI does not ingest any customer data; data never leaves the customer premises. Instead the system is based on one-way cryptographic hash functions that result in hash values uniquely representing the data, but are irreversible such that one cannot start with the hash value and reconstruct the data - data privacy is guaranteed at all times.

Contrasting KSI to Public Key Infrastructure (PKI)

Guardtime's KSI® is often compared and contrasted to Public Key Infrastructure (PKI).

For the last 40 years PKI has been the only tool in the cryptographic toolshed for authenticating data via RSA based digital signatures. PKI relies on trust authorities (a Certificate Authority - CA - in the case of identity or a Time Stamp Authority - TSA - in the case of time)

PKI was invented prior to the Internet and was designed so that two parties can share a secret across an insecure channel – and for that purpose and that purpose alone it has been a massive success.  

For everything else, and especially for authentication of data-at-rest, the complexities and cost of key management make it impossible to scale. 

The main differences between PKI and KSI digital signature technologies from the implementation point of view are the following:

Signature creationOff-lineServer-assisted
Consequence of
key abuse
The number of
forgeries is unlimited
Revocation check During signature verificationDuring signature creation
Revocation solution ComplexSimple
 Evidence integrityRelies on TTP confirmationsMathematically provable
 Quantum threat InsecureQuantum immune

KSI Glossary

Active Integrity™

The process of continuously verifying the integrity of electronic data for:

  1. detection whether data has not been manipulated,
  2. alerting in the event of detection,
  3. mitigation, either manual or automated in the event of an alert.

Active Integrity can be applied to firmware, operating systems, network routing tables, switch and router configuration parameters, event logs, data stores and computer memory.

Attributable Network

On an attributable network, every action can be traced back to an original source so that every user  is legally responsible for their actions (non-repudiation).

Attributable networks can be achieved using the TTL (Tag, Track, Locate) functionality of KSI by signing all digital assets (trade secrets, proprietary information, at al) and all network components (routers, switches, applications, virtual machines, configuration information, authentication and event log systems, and associated network services) so that they can be audited, independently from service providers and network administrators, based on forensically strong proof.

Clean State Proof™

The mathematical proof provided by KSI that a network is in a clean state and free of compromise. Once this state has been achieved it then becomes possible to continuously verify that the network remains in a clean state and act when a compromise is detected.

Clean State Proof is a fundamentally different approach to traditional security solutions that search for vulnerabilities. It is the difference between searching for needles in a haystack; and having mathematical assurance that there are none, by possessing situational awareness on every stalk of hay.

Forensic Auditability

The ability to conduct an audit that produces forensically sound and legally admissible evidence.

For digital networks, this means that any action can be documented so that there is a preponderance of evidence of who took it and when it was taken.  The evidence is legally acceptable, and can be verified independently by a court or other third party.

Independent Verification

Probably the most important innovation in KSI. It means that digital evidence can be verified without reliance on chain of custody, security of keys or any trusted human.

As a practical example consider the implications of a connected car involved in a collision. Who is liable: the driver, the  vehicle manufacturer, the software vendor, the network hardware manufacturer, or the Telco? With independent verification, the events are indisputable and can verified without the need to trust any of the parties involved.

Information Assurance

The practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.


A globally distributed network infrastructure for the issuance and verification of KSI signatures.

KSI signatures are cryptographic tags for electronic data which provide verification of the provenance, time and integrity of electronic data using only hash-function cryptography without the need for trusted administrators, secrets or the security of key-stores.

Mutual Auditability

Mutual Auditability means that in a networked environment it is possible for an administrator to prove to a user, in the event of a dispute, that their actions were their own and not the administrator's.

Equivalently a user can independently verify whether or not they performed an action that is in question. Most importantly, an auditor (or any other 3rd party for that matter) can go in and determine which actions were completed by which parties.

Portability of Evidence

Evidence portability means that:

  • data can be independently authenticated, no matter where it travels.
  • the tools needed to verify data can be obtained and  utilized independently from on the service provider that originally created or maintained the data.
  • time, authenticity, and identity information can be extracted from the data regardless of where it is maintained.
  • even if KSI services were to go offline, independent verification is still possible via media publication.
  • meta-data evidence for authenticity, time, and identity information can be escrowed and shipped/migrated and analyzed independent of the data as well. This is important for regulators or auditors or 3rd party data analytics firms.
  • transformation or changes to data through migration can be observed and verified.
  • integrity information is valid for the lifetime of the data regardless of its location.
  • users, governments, regulators, analytics firms, or service providers do not have to depend on each other to perform authentication.

Provsec (Secure Provenance)

Provides cryptographic proof of the chronology of the ownership, custody and  modifications to electronic data.

As an example consider some electronic data such as a source code file. If secure provenance is enabled then the history of modifications to that file (including time, integrity and ownership) can be cryptographically verified in a way that cannot be denied by any party contributing to the modifications.

KSI is a key technology for enabling secure provenance and when combined with Directed Acyclic Graphs (DAGs) provides scalability and privacy preservation.

Provsec is an intense area of research within the academic community. In 2011 UT Dallas, UTSA and Purdue University announced an NSF Funded 5 year project on Privacy-Enhanced Secure Data Provenance, with Prof. Ravi Sandhu of UTSA as the lead Principal Investigator.

SOC (Security Operations Center)

The people, processes and technologies involved in providing situational awareness through the detection, containment, and remediation of IT threats.

SOC manages incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated and reported.

SOC also monitors applications to identify a possible cyber-attack or intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have a business impact.

Software Assurance

Planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures. It includes the disciplines of Quality Assurance, Quality Engineering, Verification and Validation, Nonconformance Reporting and Corrective Action, Safety Assurance, and Security Assurance and their application during a software life cycle.