The Trustless Computing Initiative (TRUSTLESS) is global initiative by world-class partners and advisors for the creation and jump starting, from existing open components, of a complete general-purpose ICT service platform, lifecycle, open ecosystem and related non-governmental international certification body, that will radically exceed state-of-the-art in confidentiality and integrity trustworthiness, while avoiding any significant risks of malevolent use and obstruction to constitutional and lawful cyber-investigations.
Initially aimed at corporate communications and financial transactions, as a go-to-market beach-head, it will then scaleup to tens of millions of mass-market consumer devices and critical autonomous systems; and then highly-regulated civilian and military critical offense and defense informational systems.
- Several proposals to EU public R&D funding programs, Following previous 2 proposals, we submitted in April 2016 a 129-pages 4.8M€ proposal to the EU H2020 DS-01 RIA with an amazing set of partners, which describes in fine detail the technical work, societal impact and business planning of our proposed platform, ecosystem and certification body.
- TRUSTLESS.AI startup spin-off to deploy Trustless Computing in order to dirsupt secure communications and secure financial transactions, to then scale up in consumer electronics and autnomous systems. Created in April 2016, it has and relocated in Menlo Park, California, on Oct 22nd 2016, it is seeking funding for 3.5M$ from smart complementary investors in US and EU: angels, early stage VC, friends/family, as well as current Trustless Computing Consortium partners and their shareholders (e.g. EOS, DFKI), large IT company.
- Free and Safe in Cyberspace. The event series promotes the establishment of a Trustless Computing Certification Body, with a wide consensus has catalized the discussion and definition, validation and consensus building to build new IT paradigms, standards and certification governance processes that could both deliver constitutionally-meaningful privacy (i.e. Free) and enable constitutional – no more no less – lawful access (i.e. Safe), through the definition of new international paradigms, standards and certification bodies for ultra-high assurance IT service and life-cycle. The 1st EU Edition was held in Brussels on Sept 2015 with amazing world-class speakers, then in Iguazu (Brazil), and next we’ll be in July 2016 in New York, and on Sept 22-23rd 2016 in Rome. Some of the participants – including Bart Preneel, CapGemini Netherlands, Jovan Goilic, Tecnalia – have been working on of the processes a 50-pager draft Proposal for Trustless Computing Certification Body (gdoc) and a 6-pager Manifesto of Trustless Coomputing (gdoc).
Uniquely, all and every software, hardware and processes that are critically involved in the ICT service provisioning or lifecycle – from CPU design to fabrication, to hosting room access – are subject to extreme verification relative to complexity, or to extremely resilient socio-technical oversight, based on offline citizen-witness or citizen-jury processes.
By “trustless” computing, we mean computing without the need or assumption of trust in anything or anyone, except in the intrinsic resistance of the organizational processes critically involved, as recognizable by moderately informed and educated citizens. By constitutionally-meaningful, we mean resistant to attacks of tens of millions of euros to the life-cycle or supply-chain, by actors with very low liability and high access to plausible deniability.
Our base 3M€ R&D project proposal will realize a production-ready prototype, and dedicated certification body, that will realize the goals of the Trustless Computing Initiative. The main output will be a dedicated 1.8-2.2mm-thin touch-screen e-ink screen handheld device (or CivicPod) which is available either attached to the back of any user’s mobile phone via a dedicated external case, or (outside scope of this project) “inserted” inside the internal case of a custom-built smartphone’s (or CivicPhone), sharing its battery.
Each CivicPod user will also optionally receive, at cost, a paired cheap TV-connected device (or CivicDongle) with capability to act as secure Tor node for metadata privacy (and for later mass roll-out, play on-TV secureTRUSTLESS content, as well as ordinary mobile-formatted Web content). CivicPods are assembled, verified, flashed, and transferred to their users in dedicated custom-built street-facing lab (or CivicLab), that contains a server room, where all privacy-sensitive services, if offered, must be hosted in dedicated hosting room (or CivicRoom), whose access requires 5 randomly-selected user -witnesses and dedicated servers (or CivicServers). Fabrication and design of all critical hardware components will be subject to oversight processes (or CivicFab) that will substantially exceed in end-user-trustworthiness those of NSA Trusted Foundry Program, at substantially lower costs. After an initial exclusivity for a Post-R&D TRUSTLESS Consortium, TRUSTLESS services can be managed, distributed and commercialized by any willing service provider (or CivicProviders). CivicProvider service is regularly and continuously verified and certified by a to-be-established dedicated certification organization/committee (or TRUSTLESS Certification Body), made up mostly of world leading global digital civil rights organizations, also responsible for the updating of the certification specifications, the final formal Paradigms (or TRUSTLESS Paradigms) and derived certification requirements (or TRUSTLESS Specifications). The same base HW&SW base will run CivicDevices (Pod, Server, Dongle) and CivicRoom locks.
User authentication may optionally rely on an external dedicated non-RF and non-MCU smart-card CivicPod-embedded chip (or CivicID), and a RF-enabled “bank-card sized” smart-card (or CivicCard) that provides 2nd factor authentication while the card is in the user’s wallet. The same extremely minimized HW&SW computing base will run all CivicDevices (Pod, Server, Kiosk Dongle) and CivicRoom locks, to drastically reduce costs.
ACTIONABLE PATH TO DISRUPTION
It will initially be marketed as an end-2-end mobile+desktop communications service for use case scenarios of the highest confidentiality and integrity requirements – albeit with very basic text/voice features – via a 2-2.5mm-thin touch-screen screen handheld device attached to the back of a user’s mobile phone, or embedded into the back shell of a partnering mobile device makers (see details of device below). In a short-to-long term actionable path, it is designed to be extensible to dual-use highest-availability scenarios; and to constitute low-level computing base and socio-technical certification standards and the most security- and privacy-sensitive targeted lawful access systems, and for the most safety-critical strong and narrow artificial intelligence applications.
ULTRA-OPEN & RESILIENT ECOSYSTEM
It’s aim is to create a open-licensed patent-unencumbered publicly-verifiable set of core critical technologies, and a highly resilient ecosystem, from standard setting body to fabrication oversight. All R&D partners have also formally agreed to detailed binding consortium MoU (pdf) that guarantee, in the long-term and in fine details, the openness of the technologies and of the ecosystem, so as to render it resilient even against very strong economic pressures. The project has gathered over 2 years world-class advisory boards and core technical partners with globally unique or rare expertises in ultra-high assurance systems and processes – that are bindingly committed to low, clear and patent-encumbered IP terms, to guarantee its scalability to many millions in consumer markets, as well as its high attractiveness as open low-level target service architecture for the most critical use cases in most IT domains.
SERVICE CLASSES & LAWFUL ACCESS
The new standards setting and certification processes will initially certify only specific service classes of end-2-end IT services addressed at specific market sub-domains, in full compliance with the EU Charter and local constitutions:
- A. Pure P2P Communication Service, without anyone’s access, by design, to user encryption keys, except the user himself;
- B. Hybrid P2P Communication Service, which provide voluntary, discretionary (i.e. in addition of what is required of current laws) availability by the provider to evaluate and approve constitutional – no more no less – lawful access requests, through independent citizen-accountable processes with extreme socio-technical safeguards against abuse. An example can be the CivicRoom concept; which is centered on the explicit on-site approval of a jury of 5 or more random-sampled citizens at a specific facility, coupled with transparency and independent verification relative to complexity of all critical technical and organizational components involved in the process that radically exceed current state-of-the-art.
- C. Targeted lawful access Services, including all critical technological components and organizational processes critically involved;
- D. Ultra- critical Internet-connect cyber-physical systems and individual endpoints, in complex and dynamic environment, including for IoT, narrow AI, critical infrastructures.
KEY SOCIO-TECHNICAL PARADIGMS
Key intuitions are that (a) the trustworthiness of critical computing systems can be reduced to that of the accountability and competency of all critical organizational processes involved in its entire lifecycle and operation; and, in turn, that (b) key to assessing and improving the effectiveness of critical organizations is to rely on the trustworthiness in the computing systems used in its governance and operations, and their reframing in essence as permanently constituent organizational processes. It achieves such unprecedented trustworthiness through revolutionary new paradigms. It’s coreTrustless Computing Paradigms, which currently deal with service classes A and B, are binding through an MOU (pdf) for all our core technical R&D partners, and future certification body and providers. They prescribe: (a) extreme auditing relative to systems complexity; (b) iterative development of highly-accountable constituent organizational processes that manage all and any security critical processes; (c) hardware fabrication oversight and design-phase verification that aim to substantially exceed in user- trustworthiness the state-of-the-art, and that of NSA Trusted Foundry Program, at substantially lower costs. They also prescribe extremely clear and low long-term IP terms that – after an initial high-premium phase to recover go-to-market costs – ensure wide-market provisioning cost of under 1-200€/user/year, and the very minimal technical footprint, and the inclusion of substantial consumer-level features (for later-stage wider consumer deployments), are key to ensure extreme auditing relative to complexity of all critical parts, economies of scale, as wel as wide-market adoption and related societal benefits.
PREVENTION OF MALEVOLENT USE
Notwithstanding the unprecedented levels of assurance being targeted, and the public verifiability of the digital designs of all critical hardware and software components, we believe to have nearly eliminated the potential for malevolent use. We have devised highly innovative mitigation measures at the fabrication and service levels, that radically reduce the risks of hampering legitimate cyber-investigation, while providing unprecedented safeguards against end-user rights abuse.
It will uniquely enable unprecedented and constitutionally-meaningful assurance levels of confidentiality, integrity, authenticity and non-repudiability for end-2-end IT services, civilian and dual-use applications, while avoiding significant risks of malevolent abuse and obstruction to legitimate cyber-investigations. By constitutionally-meaningful, we mean resistant to attacks of tens of millions of euros to the life-cycle or supply-chain, by actors with very low liability and high access to plausible deniability (See below for Details of Scope). It’s aim is to create a open-licensed patent-unencumbered publicly-verifiable set of core critical technologies, and an highly resilient ecosystem, from standard setting body to fabrication oversight.
Extreme minimization of hardware and software will allow extreme verification relative to complexity of ALL software, firmware, hardware and processes (including hardware design and manufacturing, and datacenter management processes) involved end-to-end in the TRUSTLESS telematics services, which in turn will enable to achieve unprecedented assurance levels at a low per unit cost, and economic sustainability within an initial 4M€+ R&D Project budget. All its critical hardware components, will be manufactured in one or more partnering low-capacity 2-300mm semiconductor mini foundry which will reliably and sustainably allow complete oversight of any critical manufacturing processes (CivicFab); location in participating countries is preferred but not required. It will developed starting from the most minimal, verified and hardened free/open-source (or at least publicly verifiable) software and hardware components available. Most of all, it will develop highly-accountable constituent socio-technical organizational processes to manage all any critical processes potentially affecting the assurance of the computing experience.
DETAILS OF SCOPE
Definition of “constitutionally-meaningful” IT trustworthyness. While perfect assurance is impossible we found crucial to arbitrarily define, as concretely as possible, an “high enough target level of trustworthiness, to set a base for discussions that we argue should be our main target. Therefore, for the purpose of this event, we’ll adopt the following definition: “An IT service has constitutionally-meaningful levels of trustworthiness when his levels of confidentiality, authenticity, integrity and non-repudiation are sufficiently high to make its use, in ordinary user scenarios, rationally compatible to the full and effective Internet-connected exercise of their core civil rights, except for voting in governmental elections. In more concrete terms, it defines an end-2-end computing service that warrants extremely well-placed confidence that an attacker with extreme skills, resources and access – willing to perform continuous or pervasive comprimization – would incur costs and risks that exceed the following: (1) for the comprimization of the lifecycle including the supply chain, the tens of millions of euros, and significant discoverability (albeit with unlikely actual liability), that are typically sustained by well-financed and advanced public and private actors, for high-value supply chains, through legal and illegal subversions of all kinds, including economic pressures; or (2) for comprimization of a single user, the tens of thousands of euros, and a significant discoverability, such as those associated with enacting such level of abuse through on-site, proximity-based user surveillance, or non-scalable remote endpoint techniques, such as NSA TAO”.