Trustless Computing Paradigms
Synthesized Version

The following paradigms are conceived as “binding high-level certification requirements” for a certified provider, service, and technology partner, and the certification organization itself, which are meant to guide the Trustless Computing Group Initiative and the related TRUSTLESS R&D project:

A Trustless Computing service will therefore be described as one which:

  1. Undergoes continuous standards setting and certification by an extremely technically-proficient, thorough and user-accountable independent, primarily non-governmental, standard setting and certification body;
  2. Assumes that extremely-skilled attackers are willing to devote tens of millions of dollars to compromise the supply chain or lifecycle, through legal and illegal subversion of all kinds, including economic pressures;
  3. Provides extremely user-accountable and technically-proficient oversight of all hardware, software and organizational processes critically involved in the entire lifecycle, including the critical nodes of the anonymization network. “Critical” refers to hardware, software or procedures against whose possible vulnerabilities one cannot be protected, to ultra-high assurance, by using proven OS, chip and/or CPU-level isolation/compartmentation techniques. This includes access, for whatever reason, to any server-side facilities or hosting rooms containing user-sensitive data;
  4. Provides extreme levels of security review intensity, and ethical quality, relative to system complexity for all critical components; includes only publicly verifiable components, and strongly minimizes the use of non-Free/Open-source software and firmware, especially in critical parts;
  5. Includes only open innovations with clear and low long-term royalties, from patents and licensing, to prevent undue intellectual property right holders’ pressures, lock-ins and patent vetoes, and to sustainably ensure low cost;
  6. Includes only highly-redundant hardware and/or software cryptosystems whose protocols, algorithms and implementations are open, long-standing, extensively-verified and endorsed, and with significant and “scalable” post-quantum resistance;
  7. Will provide privacy-sensitive server-side services – including key/data recovery services and compliance with constitutional (no more, no less) lawful access requests – only through very extreme safeguards from abuse, i.e. on these conditions:
    1. Only through extremely technically-effective, citizen-accountable and transparent safeguards, whose effectiveness relies primarily on highly-resilient offline citizen-jury-like socio-technical processes that manage on-site physical access, for any reason by anyone, to all critically involved hosting facilities. These processes will implement safeguards substantially in excess of those of the citizen jury in the US judicial system – already well honed to resist extremely determined attempts to compromise the integrity of the jury in billion-dollar class actions – and will be directly managed by the Trustless Computing Certification Body. These jurors would be assisted by legal and technical experts nominated by the Body, undergo deep vetting, screening and training, and rotate every few months. The role of this citizen jury applies the IT trustworthiness concepts of secret sharing, threshold cryptography and trusted third party, but without the added risks involved in the introduction of additional complex technologies and socio-technical processes.
    2. Only if both the provider and the hosting facility are located in nations where legislation or known practices do NOT make it illegal – except with less than negligible consequences – to withhold access in response to warrant-based or state-security-based government requests, if a majority of such a “citizen jury” (and their counterpart in a western democratic state) concludes that adequate proof of legal authority from a suitable military or civilian court has not been provided. (The legality of such provisions has been verified in Italy and Germany, and is under review in the US.) When and if laws are changed so as to render such a process illegal, then the (certified) provider must immediately give notice and a choice to each user to either (a) agree to transfer such services to another nation where it is legal, including to another (certified) service provider; or (b) turn off the service and recoup all their data.

Key Concepts

  • A. Complete verifiability, extreme compartmentation and minimization, and sufficiently-extreme verification relative to complexity of all critical HW&SW; made possible by an initial extreme minimization of features and performance;
  • B. Extreme oversight, centered on offline citizen-witness and citizen-jury processes of all critical technical and socio-technical lifecycle components, including critical hardware fabrication; and server-room access, including for “constitutional” lawful access requests.
  • C. Extremely technically-proficient and citizen-accountable ICT assurance standards setting and certification governance.

The Scientific Breakthrough

The breakthrough targeted by Trustless Computing is the definition and validation of novel socio-technical systems paradigms – and related standards, certification governance model, proof-of-concept and early-uptake ecosystem – that enable any independent service provider to bring about and sustain levels of trustworthiness that radically exceed the state of the art in critical computing systems, and levels of effectiveness in critical societal organizational systems. Key intuitions are that (a) the trustworthiness of critical computing systems can be reduced to that of the accountability and competency of any and all organizational processes critically involved in their entire lifecycle and operation; and, in turn, that (b) the key to assessing and improving the effectiveness of critical societal organizations is to rely on the trustworthiness of the computing systems used in their governance and operations, and on their reframing, in essence, as permanently-constituent socio-technical organizational processes.
The current state-of-the-art high-assurance IT paradigms, epitomized by Trusted Computing, would be replaced by the model of Trustless Computing, where zero trust is assumed in any person, organization or technology involved in the offering of a given IT service (or system), except in the self-guaranteeing, transparent and accountable organizational processes that underlie its operation, lifecycle and certification governance, whose quality can be assessed by moderately educated and informed citizens.
For critical computing systems, it aims at actual and perceived levels of trustworthiness that are today not merely beyond current roadmaps, but overwhelmingly deemed inconceivable or, when rarely deemed conceivable, universally believed to be uneconomical or irreconcilable with the needs of state security. Most crucially, it aims to validate novel governance and engineering paradigms that could prove foundational to sufficiently increasing the trustworthiness and accountability of short- and medium-term advanced AI systems in critical societal sectors, which many scientists believe will inevitably become the primary shapers of the future of humanity.

The Preliminary TRUSTLESS Socio-technical Paradigms, which follow, are defined in the form of high-level provider certification requirements. Their final version, detailed in specifications at the end of the UVST R&D project and/or through the Trustless Computing Certification Initiative and the related Free and Safe in Cyberspace event series, will define a compliant TRUSTLESS Service. They will constitute the terms that any “TRUSTLESS Provider” needs to respect to be certified by the Trustless Computing Certification Body, and that any Technical Member of the Consortium needs to respect to be part of all current and future Trustless Computing R&D projects promoted or led by Open Media Cluster or any future Trustless Computing Consortium. They are therefore intended to guide not only the establishment of a Trustless Computing Certification Body, but also to ensure and sustain a suitable ecosystem and consortium that is fully coherent with such standards.

What follows is the full version of the Paradigms as defined in the binding MOU formally agreed by all participants in our 4M€ R&D TRUSTLESS proposal, submitted to the FET-Open H2020 Call on Sept 30th 2015 (full docs here). The MOU states that, once such a proposal is accepted, the Paradigms will (a) be binding on all participants during and after the project and (b) be changeable only with the unanimous consent, minus two, of the FET-Open Scientific Board.

TRUSTLESS Preliminary Socio-technical Paradigms. The following terms may only be changed with the unanimous consent, minus two, of the scientific board of the TRUSTLESS Consortium:

  1. Definition: Critical hardware, software or firmware is that whose possible vulnerabilities can NOT be protected against – at the highest levels of assurance – through proven OS, SoC and/or CPU-level isolation/compartmentation techniques, and other techniques.

For (future) TRUSTLESS Providers

  2. aims at constitutionally-meaningful levels of actual and perceived trustworthiness, for the end-user, of the privacy, anonymity, integrity and authenticity of an entire connected computing experience, and not mere substantial improvements;

  3. aims to provide a highest-assurance and user-friendly complement to ordinary commercial mobile and desktop devices, rather than replacing them, as their complexity makes meaningful assurance intrinsically impossible. It will be affordable to the average western citizen when mass-produced above a few tens of thousands of units, and may include substantial non-security features to increase the overall utility, to an ordinary citizen, of carrying an additional, albeit seamless, device;

  4. extends these paradigms to all software, hardware and organizational processes critically involved during the entire lifecycle at endpoints, as well as to the overall architecture of midpoints relevant to ensuring metadata privacy;

  5. assumes an active and complete lack of trust in anyone or anything, except the intrinsic resilience against decisive attacks of all organizational processes critically involved in the entire lifecycle, from standard setting to fabrication oversight;

  6. assumes that extremely skilled attackers are willing to devote even tens of millions of Euros to compromise the supply chain or lifecycle, through legal and illegal subversion of all kinds, including economic pressures, to the extent that the foreseeable cost and risk for such a party to perform continuous or pervasive remote targeted surveillance of any TRUSTLESS user, through compromise or tampering, is many times smaller than the cost of typical continuous proximity-based surveillance techniques;

  7. provides extreme user accountability, independence and technical proficiency of all organizations and processes critically involved in the computing service lifecycle and operation, which ultimately rely on an international independent standard-setting and certification body or bodies;

  8. provides extreme intensity and competency of engineering and auditing efforts deployed, relative to complexity, for all critical software and hardware components, including through extreme software and hardware compartmentation;

  9. allows for complete auditability and extremely user-accountable and effective oversight of the assembly and hardware manufacturing processes of all critical hardware components;

  10. includes only highly-redundant hardware and/or software cryptosystems, whose protocols, algorithms and implementations are open, long-standing, standards-based, extensively verified and endorsed by recognized ethical security experts, albeit with limited performance, and possibly public and widely recognized for their post-quantum resistance levels;

  11. may provide users’ encryption key backup and recovery services, and/or privacy-sensitive server-side services that would be substantially inefficient or significantly less safe to provide via TRUSTLESS onion-routing-based “hidden services”, on condition that they are provided:

    a. only through technically-effective, citizen-accountable and transparent safeguards, centered on highly-resilient, citizen-witness-supported on-site physical access management processes at the involved hosting facilities, similar to those that govern high-standard paper-based ballot-box voting. These include the ability, and strong obligation, of those randomly-selected citizen witnesses to prevent attempted procedural violations by anyone, by reliably and promptly causing either such services’ termination and the secure erasure of sensitive data, or their immediate or deferred transfer to an alternative “CivicRoom”. Key operations of the system must not depend on the availability of the hosting room;

    b. only if both the Provider and the hosting facility are located in nations where mandatory key disclosure and similar legislation, or known practices, do NOT make it illegal to withhold access in response to warrant-based or state-security-based government requests. Terms of service and operational procedures must in fact clearly exclude compliance with any government request for users’ personal data. When and if laws are changed so as to make this illegal, the Provider must give each individual user the choice to either (a) agree to transfer such services to another nation where it is legal; or (b) turn off such server-side services. Providers that are governmental agencies, civil or military, and offer the service to public employees are exempt from this requirement;

  12. allows users to anonymously and reliably pay, in compliance with all applicable laws, for conditional-access streaming of linear or interactive media, as well as to get paid for it, as an alternative to ad-supported models, through the very same socio-technical safeguards that assure authenticity, privacy and integrity for other communications. The point is to provide users with a secure, convenient and uncompromisingly privacy-preserving method to pay for access to information;

  13. includes effective first-time in-person training exceeding 20 minutes for commercial users, to ensure knowledge of basic operational security (OpSec) and of the risks for self and others. This, in addition to the absence of externally-exposed ports and the presence of effective tamper detection on the end-user devices, will provide most or all of the benefits of remote attestation, which is not permitted due to its significant risks. Users must be able to fully reprogram the device using an internal port after triggering the tamper detection mechanism;

For Participants & Providers

Although the following terms are binding on both Participants and future Providers, Participants (i.e. Participants in the Project and, under separate agreements, participants in future funded TRUSTLESS R&D projects) are not liable for any claims of non-compliance, except where a deliberate choice or an unwillingness to make a reasonable attempt is involved, or when acting in their eventual capacity as Providers:

  14. integrates and develops only software and firmware whose source code and compiler allow for auditing without a non-disclosure agreement (“NDA”), and which is developed openly and publicly in all its iterations;

  15. strongly minimizes the inclusion of non-Free Software, including updatable and non-updatable firmware. Makes extensive reuse of existing Free/Open Source Software components through extreme stripping down, hardening and re-writing. It strongly aims at realising the computing device with the least amount of non-free software and firmware in security-critical hardware components;

  16. includes only critical hardware components whose firmware (and microcode) and full hardware designs are publicly auditable by anyone, without NDA, at all times, in an open public structured format. In the case of processors, this includes code, hardware description source files (such as VHDL or Verilog files), Spin interpreter and similar, programming tools, and compilers;

  17. allows for exceptions to Section 3 clauses 14 and 15 only in the case of non-critical hardware or firmware/software, i.e. those parts or firmware whose possible vulnerabilities can be protected against – at the highest levels of assurance – through proven OS, SoC and/or CPU-level isolation/compartmentation techniques, and other techniques;

  18. includes only innovations with clear and low long-term royalty, patenting and licensing fee terms, to prevent undue intellectual property right holders’ pressures, lock-ins and patent vetoes, and to ensure low cost, and therefore to facilitate widespread consumer adoption, open innovation and open competition. Therefore:

    a. the TRUSTLESS Consortium will become a member of the Open Invention Network, as OMC already is, for protection from patent infringement claims;

    b. the total cumulative royalties may not exceed 25% of the total target end-user service/device cost, be it from Participants or any other party. IC hardware Participants’ royalties cannot exceed 10%;

    c. all Participants will state royalty requirements for their background intellectual property (“Background IP”) or results for their technologies at least 2 weeks in advance of any funding proposal submission;

  19. allows anyone to use the resulting intellectual property to set up a non-TRUSTLESS-compliant service and, for any TRUSTLESS end-user, to remove the anti-tampering of their certified device and to modify the hardware and/or the software in full freedom, even in ways that the CivicAuthority has deemed unsafe;

  20. involves Participants – i.e. Participants in the original production-ready socio-technical proof-of-concept of the Project and future participants in future funded TRUSTLESS R&D projects, under separate agreements – that:

    a. retain all copyright on their own results (generated by them) and Background IP, and the right to offer any services based on them at any time, except that, for software/firmware code, they commit to:

      i. release all results, including derivatives of Background IP, at all times for the duration of their participation, under free software licenses such as the GNU GPL. The consortium will designate a coordinator who will be responsible for license compatibility, checking for compatible licensing within the project and also with respect to the existing free software that the project builds on;

      ii. assign all patents that result from work in the Project to the Open Invention Network, under its OIN License Agreement as a model;

    b. have a right to join a to-be-established post-R&D TRUSTLESS Consortium – as opposed to the TRUSTLESS FET-Open Consortium required by the H2020 rules – on the following terms:

      i. at the end of the Project, all OMC Background IP, OMC results and joint results will be transferred to such a consortium, compliant with the latest version of these binding paradigms;

      ii. such consortium will be allowed to include TRUSTLESS brand names in its name, provided that it offers only TRUSTLESS-compliant products and services, as certified by the CivicAuthority. CivicAuthority activities will be financed by at least 15% of the direct revenue of each TRUSTLESS Provider, including the TRUSTLESS Consortium, excluding “CivicFab” processes, which will be billed at cost to TRUSTLESS Providers;

      iii. shares and voting rights of each Participant at any given time in such consortium will be proportional to the sum of: (a) its past work package budgets and (b) its clearly-documented cumulative investment, over the last quarter at any given time, in further development or deployment of TRUSTLESS-compliant services. The CivicAuthority will retain 30% of the voting rights in the Consortium;

    c. Notwithstanding all of the foregoing, the Participants agree that: (i) all of Scytl’s intellectual property rights, including but not limited to all copyrights, software, patents, trademarks, trade secrets and know-how, existing prior to the Effective Date shall remain Scytl’s property; and (ii) nothing in this MoU shall be construed as granting or implying any license or transfer of rights to any of the Participants and/or the Providers and/or any third party in or to any of the pre-existing intellectual property rights previously owned by Scytl and not integrated in the Project, without Scytl’s prior written consent;

    d. if a Participant chooses to offer TRUSTLESS (certified) services, or to use joint results, not covered by Section 3 clause 20.a above, such Participant will have an obligation to offer, or to participate in other Participants’ offer of, such services exclusively through the TRUSTLESS Consortium, until 6 months after more than 5000 end-user device units have been commercialized.
