NuCypher: Proxy re-encryption may emerge as a suitable solution when applied to complex decentralized identity schemes
Biweekly update 23rd August — 6th September
Hello everyone! NuCypher is a company which aims to make Proxy re-encryption (PRE) practical and even increase its original capabilities. After developing an audited forerunner implementation of the encryption scheme, their mission has been to set up a secure network of proxies incentivized to perform PRE and operate under other rules of the protocol. It also offers developers a new level of abstraction for ID management and fine-tune policies. Their promise even includes time-based policies supported by carefully designed token economics. There is still a long way to go for NuCypher to fully achieve each of their goals, but many breakthroughs have already been accomplished. Read more in our report.
As common encryption techniques reach their limits when applied to complex decentralized identity schemes, proxy re-encryption may emerge as a suitable solution.
Experimentation is the key to mastering a new framework and actively participating in its construction. Like so many enthusiasts around the world, at Blockchain Partner they constantly strive to innovate through a series of products, proof of concepts and open source projects. The present one tries to tackle privacy issues in new decentralized identity schemes.
Decentralized identities and claims
With the advent of blockchains, decentralized identities have taken on a new dimension. Bitcoin addresses represent digital identities supporting transfer of value on the decentralized ledger. On Ethereum, many projects intend to build platforms dedicated to the management of these new items. Today, attention seems to be focusing more specifically on a few community-driven standards : ERCs 725, 734 and 735.
These new contracts draw part of their strength from their extreme versatility. They serve at the same time as an open key directory, an on-chain representation of various identities and a support for all their interactions. The endless applications that could arise from such a framework go beyond the scope of this paper.
As encompassed in figure 1, identities may represent individuals, but also communities, states, companies, connected objects, etc… Their interactions are translated into flexible claims. A State would for instance be able to declare some citizens as adults which would grant them new rights, both off and on chain. All this data, once sent and registered on the ledger, becomes public knowledge. Yet, in many cases, information should be kept private while it would still largely benefit from the potential of on-chain claims.
In figure 1 for example, Alice could be willing to disclose part of her medical records, coming from the hospital and her smartwatch, to her insurance company while keeping it secret from other entities.
Developing privacy solutions adapted to these new frameworks is thus of prime importance.
Limits of conventional encryption schemes
Many mathematical tools are constantly improved in order to address privacy challenges inherently intertwined with blockchains. Expectations in this field are indeed humongous and technologies like zero-knowledge proofs, multi-party computation or secure enclaves recently gained renewed interest and tremendous achievements have already been reached.
In the present case, however, the core of the subject is the simple secure sharing of data from point A to point B. Above-mentioned techniques are not particularly suited and traditional public-key cryptography should be our main focus.
Public-key encryption (PKE) is the most straightforward way to share private data in a 1-to-1 manner. Decentralized identities on the blockchain may serve as a key directory to help the data producer identify the data consumer, but as shown in figure 2, the subject of the data, Alice, is left apart from the process. On-chain claims may also include relevant information to organize and find cipher data which may be stored on IPFS for instance.
In case the data producer wants to share his message with multiple consumers, other techniques built on top of PKE help to achieve this goal more effectively. Broadcast encryption for instance essentially uses PKE to encrypt a symmetric key which, once decrypted by consumers, allows them to access the clear data. If an entity like Alice, the subject of the data, is part of the consumers and can verify some expected properties on the received message, it may specify it on the blockchain. In this scenario, claims may help producers to organize cipher data but also consumers to gain confidence in its integrity.
This brief introduction to public-key cryptography and broadcast encryption shows how conventional encryption could eventually complement new decentralized identity schemes to empower privacy. But their limitations were rapidly reached :
- The subject is constantly kept out of communications. Yet, in practice consumers would be willing to access every data related to a side of Alice, not specifically data coming from a certain entity. Insurance companies are likely to be interested in Alice’s complete health record, including metrics from her smartwatch, rather than solely files coming from the hospital.
- What if a consumer was only interested in part of the producer’s data ? Why would the latter invariably encrypt all messages for him ?
- What if consumers and producers come and go ? Why would they even have to know each other and interact directly if their only common concern is Alice’s profile ?
Encryption in the age of distributed systems
Proxy re-encryption overcomes many limitations of aforementioned cryptosystems.
With Proxy re-encryption (PRE), the data sharing workflow changes significantly. The hospital (producer) encrypts the data for Alice (subject) using her public key. Knowing the insurance company’s own public key, Alice can create a re-encryption key that allows any proxy to re-encrypt the original cipher into a new one that only the insurance company (consumer) can decrypt. That way, Alice reveals the data privately shared by the hospital and encrypted using her public key to the insurance company without revealing her private key. It also guarantees that the proxy never gains access to the clear data.
Compared to other protocols, PRE is thus more suitable for N-to-N communication. Whatever the numbers of data producers and consumers, it does not need any interaction with the final recipient for the producer to encrypt and share the data with Alice. Re-encryption keys can in fact be created and used at any point, possibly after the original encryption.
Decentralized identities can then serve as more detailed key directories. Alice may for example publish a key dedicated to data relating to her health and another key for data on her education. Anyone willing to report on her about these standard properties can use the designated keys without even considering the final data recipients. It is Alice’s choice to create re-encryption keys and allow some entities to access her education data and others to read her health record.
NuCypher is a company which aims to make PRE practical and even increase its original capabilities. After developing an audited forerunner implementation of the encryption scheme, their mission has been to set up a secure network of proxies incentivized to perform PRE and operate under other rules of the protocol. It also offers developers a new level of abstraction for ID management and fine-tune policies. Their promise even includes time-based policies supported by carefully designed token economics.
There is still a long way to go for NuCypher to fully achieve each of their goals, but many breakthroughs have already been accomplished.
Practical privacy for decentralized identities
All the protocols previously mentioned have the potential to guarantee the privacy of data associated with decentralized identities. However, to be used in practice, a framework must demonstrate other precise properties. Proxy re-encryption as implemented by NuCypher guarantees many of these.
- Minimalization: a data consumer, once granted access to a subject’s data, can choose to request or not to request for proxy re-encryption of data according to metadata he may find on-chain on a related claim. A consumer can indeed be interested in only a subset of all the claims he would have access to. This enables more optimal use of encryption based on real consumers’ needs.
- Flexible classification of data: as noted already, on-chain identities can serve as decentralized key directories. According to current specifications of ERC 725, a user may have multiple keys labeled with different names. When these keys are expected to be used to share private data, we can consider prefixing their names with X-. One may thus publish keys with labels such as X-/education, X-/health and X-/health/blood. It first offers a lot of flexibility to the subject who can easily choose to grant access to specific parts of his data. This flexibility would furthermore be increased by multi-hop algorithms enabling sharing of hierarchical data. A consumer, if he was granted access to data with the label X-/health, could that way be able to decrypt all data with sub-labels like X-/health/blood while the other way around would be cryptographically impossible.
- Time dependence and independence: contrary to other encryption schemes, PRE implies no direct interaction between the data producer and the final consumer. The latter may thus be granted access to private data after the producer originally encrypts it. Furthermore, NuCypher enables time-based policies to allow a subject to grant access to his data for a limited period of time only. In short, PRE and NuCypher take the best of both time dependence and independence to ensure a high degree of flexibility.
- Abstraction: with this protocol, data producers and consumers just do their job — that is producing and consuming. Their only point of contact is the subject, who is in charge and apparent control of letting producers encrypt data and giving consumers access to it.
Proof of Concept
Blockchain Partner assessed the feasibility of such a model by developing a proof of concept which sources are available on their public repository.
Figure 5 : Our Proof of concept is based on three main elements. The Ethereum blockchain supports decentralized identities and claims. An identity can publish a claim to Alice with private data encrypted using her public key and stored on IPFS. If Alice grants access to this type of personal data to a third user, the latter may ask NuCypher network to re-encrypt the data so that it can finally decrypt and read it locally.
Naming conventions are kept as close to the ones used throughout this paper. The hospital, as an encryptor, can also be referred as Enrico while the insurance company can be called Bob as the final destination of the data.
Code of the smart contracts has been reduced to a minimum to simply demonstrate the feasibility of the model. The ERC 725 contract mainly acts as a decentralized identifier as well as a key registry, and the ERC 735 serves as an elementary claim holder.
Body of the claim points to an intermediary document, the claim data, stored on IPFS. This document is not the encrypted data itself. It is a JSON object with various fields including a pointer to the encrypted data also stored on IPFS and the hash of the clear data.
The insurance company watches on-chain claims made about Alice’s health. When it finds the one published by the hospital, it asks NuCypher network for re-encryption of the data originally encrypted for Alice. Once computed, it can decrypt it locally and access the clear data. Anytime, it can also hash the clear data and compare it to the one stored on IPFS by the hospital to assess the integrity of the clear data without asking for re-encryption again.
This project illustrates that state-of-the-art cryptography can prove to be strikingly adapted to new promising identities schemes.
Of course, a lot of work remains to be done. With this model, some responsibility relies on NuCypher team to deliver and meet expectations that could reach a new level with the rise of on-chain decentralized identities.
- Will their awesome but complex venture work in production ? Can their innovative economics run in practice and will the fees be contained ?
- To what extent can we trust time-based policies mainly supported by token incentives ?
- Will multi-hop algorithms be developed, that would enable the secure sharing of hierarchical data ?
NuCypher already produced a terrific work increasing the capabilities of a cutting-edge technology with the power of fine-tune token-based incentives. By enabling a privacy layer for decentralized identities and claims, it now benefits back to the decentralized world that has made it possible in the first place.
Partnerships and team members
Social media metrics
Social media activity:
Social media dynamics: