Reconceptualizes cybersecurity in critical IT systems as the by-product of the intrinsic resilience, accountability, and competency of all organizational and cyber-social processes that are critically-involved in the entire life-cycle and supply-chain; and whose quality can be assessed by moderately educated and informed citizens.
Subjects each and every piece of software, hardware and process that is critically involved in the IT service provisioning or lifecycle – from CPU design to fabrication, and from hosting room access to standard setting – to extreme verification relative to complexity, or to extremely resilient cyber-social oversight, based on offline citizen-witness or citizen-jury processes.
Assumes that extremely skilled attackers are willing to devote even tens of millions of dollars to compromise the lifecycle or supply chain through legal and illegal subversion of all kinds, including economic pressures; and many tens of thousands to compromise of the individual end-user.
Includes only critical HW and SW components that are publicly verifiable in their source design. Strongly minimizes the inclusion of non-Free and Open Source Software, including updatable and non-updatable firmware. Makes extensive reuse of battle-tested Free/Open Source Software components – through extreme stripping down, hardening and re-writing. Strongly aims at realizing the computing device with the least amount of non-free software and firmware in security-critical hardware components.
Trustless Computing Paradigms (Summary)
A Trustless Computing-compliant IT service will be one which complies with all of the following:
undergoes continuous certification by an extremely technically-proficient, comprehensive and citizen-accountable independent standard-setting and certification body.
assumes that extremely-skilled attackers are willing to devote even tens of millions of euros to compromise its supply chain or lifecycle, through legal and illegal subversion of all kinds, including economic pressures; and advanced algorithmic, brute force and AI-assisted hacking.
provides extremely user-accountable and technically-proficient oversight of all hardware, software and organizational processes that are critically involved in the entire lifecycle (i.e. including the supply chain). By “critical” we refer to hardware, software or procedures which cannot be protected to a very high degree against confidentiality and integrity failures, or abuses, by implementing state-of-the-art, time-proven OS, SoC and/or CPU level isolation/compartmentation techniques.
provides extreme levels of intensity, proficiency and ethics in security review, relative to system complexity, for all critical components;
includes only critical components that are publicly inspectable in their source designs, and strongly minimizes the use of non-Free/Open-source software and firmware, especially in critical components.
includes only highly-redundant and decentralized hardware and/or software cryptosystems whose protocols, algorithms and implementations are open, long-standing, extensively-verified and endorsed, and with substantial and “scalable” post-quantum resistance levels.
includes only innovations with clear and low long-term royalty terms, from patents and licensing, to prevent undue intellectual property right holders’ pressures, lock-ins and vetoes, and to sustainably ensure low cost and affordability for average citizens;
will provide an in-person offline key or data recovery function, to benefit end-users in case of death or loss of passcodes, and to enable voluntary (i.e. in addition to current law requirements) compliance with legitimate lawful access requests. This function will rely on the setup and management processes of multiple hosting rooms in multiple jurisdictions that implement unprecedented safeguards. In addition to state-of-the-art security, these will utilize only TC-compliant endpoints and door locking mechanisms. Access to such rooms, for any reason, always requires the express approval of an attorney and 5 trained citizen-jurors, who are managed by and accountable to the Certification Body – which will assess the compliance of the requests with national law, the constitution and the EU Charter of Human Rights. Any kind of remote access is physically disabled.
Position Paper – Case for a Trustless Computing Certification Body PDF
(43-pager & 1-pager summary)
Trustless Computing Paradigm (Full version)
A TC-compliant IT service will therefore be one which complies with all of the following:
AIMS: aims at constitutionally-meaningful levels of actual and perceived trustworthiness of the integrity and confidentiality (data and metadata), and not mere substantial improvements;
THREAT: assumes that extremely skilled attackers are willing to devote even hundreds of millions of dollars to compromise the lifecycle or supply chain through legal and illegal subversion of all kinds, including economic pressures; and many tens of thousands to compromise an individual end-user.
TRUSTLESSNESS: assumes an active and complete lack of trust in anyone or anything, except in the intrinsic constraints and incentives against decisive attacks on all organizational processes critically involved in the entire lifecycle, from standard setting to fabrication oversight, as assessable by any moderately informed and educated citizen.
OVERSIGHT: provides extremely user-accountable and technically-proficient oversight of all hardware, software and organizational processes critically involved in the entire lifecycle. “Critical” hereafter shall refer to hardware, software or procedures against whose possible vulnerabilities one can NOT be protected by using proven OS, SoC and/or CPU level isolation/ compartmentation techniques. This includes access for whatever reason to any server-side facilities or hosting rooms containing user-sensitive data.
SUPPLEMENTARITY: aims to provide a user-friendly supplement or “add-on” to ordinary commercial mobile and desktop devices, rather than a replacement to them.
ORGANIZATIONS: provides extreme user and citizen accountability, independence and technical proficiency of all organizational processes critically involved in the computing service lifecycle and operation, including the Certification Body itself. Involves direct and exhaustive participation of informed samples of citizens in the design and operational security oversight of all critical components.
CRYPTO: includes only highly-redundant hardware and/or software cryptosystems whose protocols, algorithms and implementations are open, long-standing, standards-based and extensively verified and endorsed by recognized ethical security experts, and widely recognized for post-quantum resistance levels suited to a post-quantum cryptography migration over the next 5-10 years. The above also applies to any use of zero-knowledge, blockchain, threshold cryptography or secret-sharing protocols.
INSPECTABILITY 1: integrates and develops only software and firmware whose source code and compiler allow for inspection without a non-disclosure agreement (“NDA”), and which is developed openly and publicly in all its iterations;
INSPECTABILITY 2. includes only critical hardware components whose firmware (and microcode) and full hardware designs are publicly inspectable without NDA at all times in open public structured format. In the case of processors, it will include code, hardware description source files (such as VHDL or Verilog files), Spin interpreter and similar, programming tools, and compilers;
INSPECTABILITY 3: allows for complete hardware fabrication and assembly inspectability, and extremely user-accountable and effective oversight, of all critical hardware components, in their critical manufacturing processes;
INSPECTABILITY 4: ensures availability of one or more mirror physical copies of the complete server-side hosting room setups to enable easy independent testing by anyone, while charging only the marginal cost of providing such access; in addition to all needed service devices at marginal production cost.
SECURITY-REVIEW: ensures extreme levels of highly-ethical, highly-expert security review relative to complexity; i.e. extreme levels of intensity, competency, and “expected altruism” of engineering and security-review efforts – in relation to system complexity – for all critical software and hardware components; also by implementing extreme software and hardware compartmentation, and feature and performance minimization;
LICENSING: strongly minimizes the inclusion of non-Free Software, including updatable and non-updatable firmware. Makes extensive reuse of existing Free/Open Source Software components – through extreme stripping down, hardening and re-writing. It strongly aims at realising the computing system with the least amount of non-free software and firmware in security-critical hardware components;
TRAINING: includes effective and exhaustive first-time in-person training for users, to ensure knowledge of basic operational security (OpSec) and of risk management for self and others.
IP TERMS: includes only technologies and innovations with clear and low long-term royalties – from patenting and licensing fees – to prevent undue intellectual property right holders’ pressures, lock-ins, patent vetoes, and ensure an open platform with sustainably low costs, affordable to most western citizens.
LEGAL: ensures that current cyber-security legislation and state agency practices in the country of origin and/or location of the user, provider, assembly facilities, foundry – and other critical processes involved – are not inconsistent with a constitutional, lawful and feasible compliance with these certifications; in regard to surveillance, mandatory encryption key disclosure, crypto exports, liability, and other relevant legislation.
ASSEMBLY: provides one or more dedicated crowded urban street-level glass-walled spaces where devices are publicly assembled, verified, flashed, and transferred to their users. It will be subject to 24/7 high-trustworthiness live streaming, oversight and monitoring.
LIABILITY: includes an extreme level of cumulative liability, contractual/economic and legal, for all individuals and organizations critically involved, for not strictly following procedures or for willingly compromising the life-cycle.
OPEN ECOSYSTEM: requires participants in an initial open R&D Consortium, which will set out to build the first certified service, to commit to terms that ensure very high resilience of the openness of the ecosystem and its resistance to economic pressures, including: (a) through such consortium, offering only certified services; (b) stating clear, perpetual and very-low (or null) royalties for all the IP they integrated and developed in the services they offer jointly or independently.
INTEGRITY: shall provide a uniquely accountable and “trustless” form of remote attestation, in addition to extreme anti-tampering, in order to further guarantee to a user that their interlocutors’ devices have not been insecurely modified. (For example, the entire local archive of a highly-private mailing list of a frontline political activist group, or of the top executives of a corporation, may be totally jeopardized if only one of their interlocutors applies the wrong software modification.) Nevertheless, users and researchers must be able to fully reprogram the software, after triggering the tampering detection mechanism that warns all other users, to facilitate open research.
SERVER-SIDE & DATA RECOVERY: will provide extreme safeguards for all security- and privacy-sensitive server-side (and/or “decentralized”) infrastructure – which will mandatorily include the provision of in-person offline user key and data recovery, for the benefit of end-users – in case of death or loss of passcodes – and to enable voluntary (i.e. in addition to current law requirements) compliance with only legitimate and constitutional lawful access requests. Deploys only TC-compliant endpoints and networks for any critical server-side endpoints involved in the server-side/decentralized components, and compliant hosting room access management setups and processes, TrustlessRooms, that are standardized and certified by the Certification Body. These collectively will comply with the following safeguards:
Shall physically disable remote admin access, and physical access by anyone will be conditional on the physical presence and express approval of at least 5 randomly-selected citizen-jurors – in addition to an attorney and 2 system administrators – through a dedicated TC-compliant access mechanism (such as keypads). Citizen-witnesses are entitled to record anything and to ask for a dump of all code before and after any session. Citizen-jurors are managed and regulated by the Certification Body to ensure their adequate vetting, self-training, resilience and protection;
Shall use secret sharing cryptographic techniques, threshold cryptography, or other similar advanced but time-tested protocols – in addition to such offline authorization procedures – to enable 10 or more citizen-witnesses participating via video stream to also approve using TC-compliant client devices, thereby adding an additional layer of security.
Shall enable security-review in one or more complete replicas, including TrustlessRooms for verification by anyone who might substantiate even a low to moderate capacity to do so;
Shall employ state-of-the-art public video streaming and recording, and shall be located at street level in busy urban streets, with large glass fronts, to increase perceived social control and trustworthiness.
Shall maintain copies of time-limited encryption keys of subsets of data or metadata of users (and of each user persona, if multiple ones) by providing socio-technical systems with extremely-careful safeguards to enable the highest user control and security in data recovery in the scenarios of user death or user loss of password, as well as enabling lawful access that is lawful, constitutional and compliant with the EU Charter of Human Rights. It will allow for voluntary compliance (i.e. in addition to what is required by all relevant laws) with limited and targeted due-process lawful access requests, with the extremely-careful safeguards that follow:
Shall enable the TrustlessRoom citizen-jurors to launch a “Scorched earth procedure” with plausible deniability, which allows a qualified majority of such citizen-jurors – in cases of extreme abuse attempts – to cause an immediate physical destruction of all sensitive keys and data in the TrustlessRoom, which will remain available in other TrustlessRooms of the same provider in a different country. Providers that are governmental agencies, civilian or military, and offer service only to public employees are exempt, transparently to their users, from the requirements of this clause.
Shall be offered only after the service has been successfully tested for 3 months, in publicly-accessible pilot deployments, with real data, that involve highly-sensitive communications by volunteer elected public officials, as well as by highly expert ethical hackers. (Use of such systems by elected officials would in fact make their communications, on one side, much more resistant to undetected illegal espionage and blackmail, while on the other, interceptable when mandated by a court warrant.)
Shall offer the service only where at least 3 TrustlessRooms are located in at least 3 different nations. All encryption keys of all security- and privacy-sensitive data will be shared between the 3 TrustlessRooms, so that even if, through unconstitutional or illegal action, attackers prevail in one nation, they would only have one third of the keys required, unless they prevail also in the other two countries. Eligible nations will be such that:
(1) the service can be offered as a service that is not subject to state mandatory lawful intercept or access legislation (such as that typical of phone operators under US CALEA);
(2) mandatory key disclosure, and other legislation, or known practices, do NOT make it illegal – except with negligible consequences – to withhold access (with or without gag order) to warrant-based or state-security-based government requests, as may be believed by the involved citizen-jury-like body;
(3) liability for malicious or gravely negligent breach of the laws or regulations is substantial – and proportionate to the damage caused – for all citizen-witnesses, citizen-jurors, provider staff or attackers (both state and non-state actors);
(4) at least one of those nations is not part of the same first-degree military or Intelligence/Surveillance alliances (Five Eyes, NATO, EU, etc.);
when and if a nation no longer complies with conditions (1) to (4) above, then the Provider must give each individual user the choice to agree to transfer such services to a TrustlessRoom in another nation, or to terminate his/her service by recovering all his/her data.
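The key split across three TrustlessRooms described above (and the threshold approval by remote citizen-witnesses mentioned under the secret-sharing safeguard) can be realised with Shamir secret sharing; the following is an added example, not code from the paper or any certification body. The prime field, the room-to-share mapping and the 3-of-3 threshold are assumptions, and the functions also accept any k-of-n threshold, which generalizes the text's single case.

```python
"""Shamir secret sharing of a TrustlessRoom key (added example, not the paper's code).
Assumptions not from the page: shares live in GF(p), room i holds the share at x = i,
and k = n = 3 reproduces the "one third of the keys" statement; any k <= n works."""
import secrets

PRIME = 2**127 - 1  # Mersenne prime, large enough to hold a 16-byte key

def lagrange_at(points, x, p=PRIME):
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, p - 2, p)) % p  # Fermat inverse
    return total

def split_key(secret, k, n, p=PRIME):
    """Return n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret."""
    if not (0 <= secret < p and 1 <= k <= n < p):
        raise ValueError("need 0 <= secret < p and 1 <= k <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p)
            for x in range(1, n + 1)]

def recover_key(shares, p=PRIME):
    """Interpolate f(0); correct only when at least k distinct shares are supplied."""
    return lagrange_at(shares, 0, p)

def plausible_secrets(shares, k, p):
    """Brute force over a small field: which secrets are consistent with the shares
    an attacker holds? Candidate s is consistent if the degree < k polynomial fixed
    by (0, s) and the first k-1 captured shares also fits any remaining ones."""
    consistent = []
    for s in range(p):
        fixed = [(0, s)] + shares[:k - 1]
        if all(lagrange_at(fixed, x, p) == y for x, y in shares[k - 1:]):
            consistent.append(s)
    return consistent

if __name__ == "__main__":
    key = secrets.randbelow(PRIME)  # constructed demo: one key, three nations
    a, b, c = split_key(key, 3, 3)
    print("all three rooms:", recover_key([a, b, c]) == key)
    print("two rooms only:", recover_key([a, b]) == key)  # almost surely False
    toy = split_key(5, 3, 3, p=97)  # tiny field so the brute force is visible
    print(len(plausible_secrets(toy[:2], 3, 97)), plausible_secrets(toy, 3, 97))
```

With two of three shares every element of the field remains an equally plausible key, which is the property the "one third of the keys" clause relies on; the same functions serve a k-of-n approval quorum of remote witnesses.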
Shall have a technological limit in the maximum number of users, and percentage of total users, whose personal data or keys may be extracted within a given time frame;
Shall utilize the highest precautions to (a) prevent or minimize leakage of non-public information related to the lawful access requests, through video and other oversight processes; and (b) to prevent the accidental or malicious deletion or alteration of stored user data, keys and logs, also by integrating time-proven state-of-the-art blockchain technologies.
FABRICATION: ensures that all critical integrated-circuit components (such as CPU, SoC, memory, etc.) and critical assembly processes are executed under a TrustlessSite process whereby:
it aims to substantially or radically exceed the end-user assurance of Common Criteria Site Certification EAL 5 and the NSA Trusted Foundry Program, at substantially lower cost.
it sets up and configures an extensive sensing and monitoring infrastructure, and allows about 3 (or more) competent, trained and redundant technicians to thoroughly verify all the critical steps, from the monitoring room and/or inside the cleanroom.
it utilizes equipment and sensors that, as far as possible, do not require direct interventions in or disruption of the foundry equipment and facilities, but instead rely on setting up an additional overlay of sensing equipment and on getting a copy of the existing quality control sensor feeds. This would also increase the portability of the TrustlessSite process to other foundries, and therefore increase its resiliency.
it utilizes only foundries (such as Lfoundry, Italy) that allow the technicians and 5 citizen-witnesses (or peer-witnesses, for a governmental/military Provider) to thoroughly oversee and monitor all critical processes – even though that may force the utilization of older foundries with older technologies, simpler processes and less IP.