Trustless Computing Paradigms
Governance is about constituent processes. The sustainability over time of the democratic and technical quality of such governance is ultimately wholly dependent on the foreseeable ability of the initial organizational statutes, and of the members of the initial key governing boards, to maximize the chances of self-improvement amidst the pressures of growth and success, because, as Martin Buber said, “One cannot in the nature of things expect a little tree that has been turned into a club to put forth leaves”.
In the Trustless Computing paradigm, the trustworthiness of any end-to-end IT service or experience will not be assessed according to organizational cognitive trust (reputation) and compliance with gravely incomplete and self-referential certification standards (e.g. Common Criteria, FIPS, Trusted Computing), as is done today. Rather, cybersecurity will be assessed and certified as the level of trustworthiness that the individuals and organizations critically involved will not perform unexpected actions, and shall be derived from dynamically modeling all technological, procedural and statutory cyber-social intrinsic constraints, and all organizational, economic, liability, legal and social disincentives, that are foreseeable at any given time.
Trustless Computing paradigms are based on and derived from the following key concepts:
- complete verifiability, extreme minimization and compartmentalization, and sufficiently-extreme verification relative to complexity of all critical hardware and software.
- extreme oversight, centered on offline citizen-witness and citizen-jury processes, of all critical technical and socio-technical components during their entire lifecycle, including critical hardware fabrication and server-room access, and allowing for “constitutional” lawful access requests.
- extremely technically-proficient and citizen-accountable IT assurance standards setting and certification governance.
Trustless Computing Paradigms
In this section we define the key paradigms that form the Certification Body of any TC service. These are intended to guide not only the establishment of a certification standard but also to ensure and sustain highly resilient and open ecosystems that are fully coherent with such standards.
These are meant to be binding in nature, in the sense that a compliant provider will need to respect them throughout the lifecycle of the service or the device in order to consistently maintain Trustless Computing certification. They are in no way meant to be exhaustive; they also provide a mechanism for amending the paradigms themselves.
A compliant Trustless Computing service by a provider will therefore be described as one which:
- AIMS: aims at substantial constitutionally-meaningful levels of actual and perceived trustworthiness to the end-user of the confidentiality, anonymity, integrity and authenticity of data and metadata of his/her entire connected computing experience, and not mere substantial improvements;
- SCOPE: aims to provide a user-friendly supplement or “add-on” to ordinary commercial mobile and desktop devices, rather than a replacement to them, with substantially or radically unprecedented levels of trustworthiness.
- EXTENT: comprehends all critical service components, meaning all hardware, software or organizational processes involved during the entire lifecycle and supply-chain, at the endpoints, and in the overall architecture of midpoints relevant to the ensuring of metadata privacy; i.e. those whose possible vulnerabilities and critical weakness can NOT be protected against, at the highest-levels of trustworthiness, through compartmentation such as proven OpSec, OS, IC/SoC or CPU-level isolation techniques.
- MEASURE: assumes that extremely skilled attackers are willing to devote even tens of millions of dollars to compromise the lifecycle or supply chain through legal and illegal subversion of all kinds, including economic pressures, and many tens of thousands to compromise the individual end-user. Rate levels.
- TRUSTLESSNESS: assumes an active and complete lack of trust in anyone or anything, except in the intrinsic constraints and incentives against decisive attacks on all organizational processes critically involved in the entire lifecycle, from standard setting to fabrication oversight, as assessable by any moderately informed and educated citizen.
- ORGANIZATIONS: provides extreme user accountability, independence and technical proficiency of all organizational processes critically involved in the computing service lifecycle and operation, including the certification body or bodies. Involves direct and exhaustive participation of informed samples of citizens in the design and operational security oversight of all critical components.
- CRYPTO: includes only highly-redundant hardware and/or software cryptosystems whose protocols, algorithms and implementations are open, long-standing, standards-based and extensively verified and endorsed by recognized ethical security experts, and widely recognized for their post-quantum resistance levels, aimed at post-quantum cryptography migration over the next 5-10 years. This includes zero-knowledge proofs, blockchains, threshold and secret-sharing protocols.
- AUDITABILITY 1: integrates and develops only software and firmware whose source code and compiler allow for auditing without a non-disclosure agreement (“NDA”), and which is developed openly and publicly in all its iterations;
- AUDITABILITY 2: includes only critical hardware components whose firmware (and microcode) and full hardware designs are publicly auditable without NDA at all times, in an open public structured format. In the case of processors, this will include code, hardware description source files (such as VHDL or Verilog files), Spin interpreter and similar, programming tools, and compilers;
- AUDITABILITY 3: allows for complete hardware fabrication and assembly auditability, and extremely user-accountable and effective oversight, of all critical hardware components, in their critical manufacturing processes;
- AUDITABILITY 4: ensures the availability of one or more mirror physical copies of the complete server-side hosting room setup, to enable easy independent testing by anyone while being charged only the marginal cost of providing such access, in addition to all needed service devices at marginal production cost.
- ACTUAL AUDIT: provides extreme levels of highly-ethical, highly-expert security review relative to complexity; i.e. levels of intensity, competency, and “expected altruism” of the engineering and auditing efforts deployed, relative to complexity, for all critical software and hardware components, including through extreme software and hardware compartmentation;
- LICENSE: strongly minimizes the inclusion of non-Free Software, including updatable and non-updatable firmware. Makes extensive reuse of existing Free/Open Source Software components, through extreme stripping down, hardening and re-writing. It strongly aims at realising the computing device with the least amount of non-free software and firmware in security-critical hardware components;
- TRAINING: includes effective and exhaustive first-time in-person training for users, to ensure knowledge of basic operational security (OpSec) and of risk management for self and others. This, in addition to the absence of externally-exposed ports and the presence of effective tampering detection on the end-user devices, aims to provide most or all of the benefits of remote attestation, which is not permitted due to its significant risks. Users must be able to fully reprogram the device using an internal port after triggering the tampering detection mechanism;
- IP TERMS: includes only technologies and innovations with clear and low long-term royalties – from patenting and licensing fees – to prevent undue intellectual property right holders’ pressures, lock-ins, patent vetoes, and ensure an open platform with sustainably low costs, affordable to most western citizens.
- LEGAL: ensures that current cyber-security legislation and state agencies’ practices in the country of origin and/or location of the user, provider, assembly facilities, foundry, and any other critical process involved, are consistent with a constitutional/lawful and feasible compliance with the standards, in regard to surveillance, mandatory encryption key disclosure, crypto exports, liability, and other relevant legislation.
- ASSEMBLY: provides one or more dedicated crowded urban street-level glass-walled spaces where devices are publicly assembled, verified, flashed, and transferred to their users. These will be subject to 24/7 high-trustworthiness live-streamed oversight and monitoring.
- LIABILITY: includes an extreme level of cumulative liability, contractual/economic and legal, for all individuals and organizations critically involved for not strictly following procedures or willingly compromising the life-cycle.
- OPEN ECOSYSTEM: involves participants in an initial open R&D Consortium, which will set out to build the first certified service, who commit to terms that ensure very high resilience of the openness of the ecosystem and its resistance to economic pressures, including: (a) through such consortium, offering only certified services; (b) stating clear, perpetual and very-low (or null) royalties on all the IP they integrated and developed in the services they offer jointly or independently.
- SERVER-SIDE: may provide privacy-sensitive server-side services on condition that they are provided with very extreme safeguards against abuse, under the following conditions:
- only through extremely technically-effective, citizen-accountable and transparent safeguards, whose effectiveness relies on highly-resilient citizen-witness-supported on-site physical access management organizational processes at the involved hosting facilities, similar to those that govern high-standard paper-based ballot box voting. These include the ability and strong obligation of those randomly-selected citizen witnesses to prevent attempts at procedural violation by anyone, by reliably and promptly causing either such services’ termination and the secure erasing of sensitive data, or their immediate or deferred transfer to an alternative safe hosting room. Key operations of the system must not depend on the availability of the hosting room;
- only if both the provider and the hosting facility are located in nations where legislation or known practices do NOT make it illegal (and with less than negligible consequences) to withhold access in response to warrant-based or state-security-based government requests. Terms of service and operational procedures must in fact clearly exclude compliance with any government request for personal data of users. When and if laws are changed that make this illegal, then the Provider must give each individual user the choice to either (a) agree to transfer such services to another nation where it is legal, or (b) turn off such server-side services. Providers that are governmental agencies, civilian or military, and offer the service to public employees are exempt, transparently to their users, from the requirement of this clause.
- HOSTING ROOMS: deploys only TC-compliant devices for any critical function, with remote admin access disabled; involves state-of-the-art public video streaming and recording, and is located at street level in a busy urban street with large glass fronts, to increase perceived (and actual) social control;
- on-site access by anyone is conditional on the physical presence and approval of a minimum number of citizen witnesses;
- enables citizen-witnesses to launch a “scorched earth procedure”, with plausible deniability, which physically burns all data;
- may rely on an additional layer of safeguard by allowing a set of users located in a different Member State and/or randomly selected users to act as “remote witnesses”, as an additional layer of oversight, using secret-sharing and threshold approval/cryptographic techniques;
- will maintain one (or more) complete replicas of the complete infrastructure which will be publicly available for complete audit tests;
- sets intrinsic technological limits to the maximum number of users and percentage of total users whose personal data or keys may be recovered within a given time frame;
- may make use of additional safeguards, such as protection via implicitly learned passcodes, that cannot be revealed explicitly by the user and may increase the plausible deniability in case of emergencies, and the related “scorched earth procedure”;
- FABRICATION: ensures that the requested hardware is all produced in one continuous batch in a short time span (a few days or weeks), as is typical anyway, and
- adds a minimum number of “user witnesses”, in a role of active oversight witnesses 24/7.
- chooses to produce critical ICs (such as CPU, SoC, memory, etc.) at foundries with older technologies, simpler processes, and fewer third-party IP obstacles than today’s Asian mega fabs, that allow the technicians and witnesses to publicly and completely document the process with videos, photos and more.
- uses equipment and sensors, to be applied to the chosen foundries, that as far as possible do not require direct interventions or disruption of the foundry equipment and facilities, but rely instead on setting up an additional overlay of sensing equipment and on obtaining a copy of the existing quality control sensor feeds.