Hyperledger Ursa Archives

Apr 21

Why Distributed Ledger Technology (DLT) for Identity?

By Stephen Curran, Hyperledger Aries Maintainer, Cloud Compass Computing Inc. Blog, Hyperledger Aries, Hyperledger Indy, Hyperledger Ursa, Identity

As we continue our pandemic journey that is 2021, more and more people are getting vaccinated against COVID-19. Once vaccinated, people are (finally!) able to do more “in the real world.” However, in some cases such as international travel, there is a need to prove that you have been vaccinated before you can participate. In the past, that proof has been accomplished in the form of the paper World Health Organization Carte Jaune/Yellow Card. But in our 21st century pandemic, a handwritten paper document is not particularly trusted. It’s just too easy to buy or make your own. The sudden, urgent need to be able to prove health information in a safe, privacy-preserving and secure way has brought the spotlight on the concept of verifiable credentials and, for Hyperledger, on the three identity-focused projects in the community, Indy (a distributed ledger for identity), Aries (data exchange protocols and implementations of agents for people, organizations and things), and Ursa (a cryptographic library underlying Indy and Aries).

While people understand that paper credentials are insufficient and that a trusted digital solution is needed, they don’t understand why verifiable credentials, or more generally, identity, works extremely well with distributed ledger technology (DLT)—a distributed database spread across multiple nodes, of which blockchain is an example. To be clear from the start, it is not to put the credentials on a public ledger so everyone can see them! We’ll reiterate that a lot in this post. No private data ever goes on the blockchain!!!

To understand why DLT is useful for identity, we need to go back to the basics—paper credentials, how that model has worked for 1000s of years, and how the use of DLTs with verifiable credentials allows us to transition the great parts—security and privacy—of that model to the digital age.

Since as far back as 450BC, people have used paper credentials to enable trusted identity. Legend has it that King Artixerxes of the Persian Empire signed and gave Nehemiah a paper “safe transit” authorization that he used in travels across the empire. People have been using such documents ever since. In technical terms, a credential is an attestation of qualification, competence, or authority issued to an entity (e.g., an individual or organization) by a third party with a relevant or de facto authority or assumed competence to do so. Examples of credentials issued to people include a driver’s license, a passport, an academic degree, proof-of-vaccination and so on. Credentials are also issued to companies, such as business registrations, building permits, and even health inspection certifications.

Examples of Paper Credentials
*By Peter Stokyo,* *peter.stoyko@elanica.com, Licensed under* *CC By 4.0*

The Paper Credential Model
By Peter Stokyo, peter.stoyko@elanica.com, Licensed under CC By 4.0

Verification in the paper credential model (ideally) proves:

Who issued the credential.
That the credential was issued to the entity presenting it.
That the claims have not been altered.

The caveat “ideally” is included because of the real possibility of forgery in the use of paper credentials. Back to our “proof-of-vaccination” problem.

Let’s see how the good parts of the paper credential model are retained in the verifiable credentials model. With verifiable credentials:

An authority decides you are eligible to receive a credential and issues you one.
You hold your credential in your (digital) wallet—it does not go on the distributed ledger!
At some point, a verifier asks you to prove the claims from one or more credentials.
If you decide to share your data with the verifier, you provide a verifiable presentation to the verifier, proving the same three things as with the paper credentials.
Plus: You may be able to prove one more thing—that the issued credentials have not been revoked.

As we’ll see, verifiable credentials and presentations are not simple documents that anyone can create. They are cryptographically constructed so that a presentation of the claims within a credential proves four attributes:

Who issued the credential–their identifier is part of the credential and they signed the credential.

Who holds the credential–there is a cryptographic binding to the prover.
The claims have not been altered–they were signed at the time of issuance.
The credential has not been revoked.

Unlike a paper credential, those four attributes are evaluated not based on the judgment and expertise of the person looking at the credential, but rather by machine using cryptographic algorithms that are extremely difficult to forge. Like the paper credential, the verifier does not go back to the issuer to ask about the credential being presented. Only the prover and verifier, the participants in the interaction, need to know about the presentation. So where do the prover and verifier get the information they need for their transaction? We’re just getting to that…

The Verifiable Credentials Model
By Peter Stokyo, peter.stoyko@elanica.com, Licensed under CC By 4.0

Compared to the paper credentials model, verifiable credentials are far more secure. When the cryptographic verification succeeds, the verifier can be certain of the validity of the data—those four attributes stemming from verifying the presentation. They are left only with the same question that paper credentials have—do I trust the issuer enough

So where does the DLT fit in?

Three of the four things that the verifier has to prove (listed above) involves published data from the issuer that has to be available in some trusted, public distributed place, a place that is not controlled by a central authority (hmm…sounds like a DLT!). In Indy and Aries, data published to a DLT is used to verify the credential without having to check with the issuer. In particular:

The verifier has to know who issued the credential based on an identifier and cryptographic signature. From the presentation, it gets an identifier for the issuer, looks it up on a DLT to get a public key associated with the issuer to verify the signature in the presentation. Thus, the identity of the issuer is known.
The verifier has to verify that the claims data has not been altered by verifying a cryptographic signature across the data. Based on an identifier for the type of credential, the verifier gets from a DLT a set of public keys and verifies the signatures. Thus, the verifier knows no one has tampered with the claims data.
The issuer periodically updates a revocation registry on a DLT indicating the credentials that have been revoked. If the holder’s credential is revoked, they are unable to create a proof of non-revocation (yes, that’s a double negative…). If the holder can generate that proof, the verifier can check it. Thus, the verifier knows the credential has not been revoked.

The fourth attribute (the binding of the credential to the holder) in Indy is done using some privacy-preserving cryptographic magic (called a Zero Knowledge Proof) that prevents having a unique identifier for the holder or credential being given to the verifier. Thus, no PII is needed for sharing trusted data.

So why DLT? First, we can get the good parts of paper credentials—private transactions between holders and verifiers and no callback to the issuer. Second, the issuer gets a trusted, open and transparent way to publish the cryptographic material needed for those private holder-verifier transactions. Third, there is no need to have a “Trusted Third Party” participating in the interactions.

And did I mention, no private data goes on the DLT!!!

Hyperledger Indy, Aries and Ursa are enabling this approach to “self-sovereign identity” in a big way, bringing about a new layer of trust on the Internet that will let us preserve our privacy and give us control over our identity and data—where it belongs. There is a lot to learn. If you’re curious, a great place to start is this Linux Foundation edX course.

Cover image by Nick Youngson CC BY-SA 3.0 Alpha Stock Images

Jan 20

Love0

Kiva Protocol, Built on Hyperledger Indy, Ursa and Aries, Powers Africa’s First Decentralized National ID system

By Hyperledger Blog, Hyperledger Aries, Hyperledger Indy, Hyperledger Ursa

For the 1.7 billion unbanked adults around the world, access to financial services is extremely limited. Without even a basic savings account, economic opportunity is often limited to informal offerings such as local shopkeepers who extend credit to their customers, microfinance institutions that work to serve the last mile, and community savings and credit associations that are setup by individuals living in the same village.

In the unbanked world, individuals borrow a few hundred to a few thousand dollars at a time, paying back over a relatively short time frame of 12-18 months. But despite excellent credit records, they are unable to receive even similar credit facilities at local banks. This is because the data from their informal transactions is essentially invisible: the banks either do not trust the data sources, or are otherwise unable to verify the provenance of the data.

While this is the state of the world today, it does not have to be our future. Kiva, a US-based nonprofit organization focused on financial inclusion, has built Kiva Protocol to bridge the data disconnect and help enable universal financial access. In 2019, Sierra Leone, a West African nation of about 7 million, launched the National Digital Identity Platform (NDIP) that used Kiva Protocol to enable fast, cheap, and secure identity verification for its citizens.

Kiva Protocol is built using Hyperledger Indy, Aries, and Ursa, and as implemented in Sierra Leone, allows citizens to perform electronic Know Your Customer (eKYC) verifications in about 11 seconds, using just their national ID number and a fingerprint. With this verification, it is possible for the nation’s unbanked to open a savings account and move into the formally banked population.

To find the right platform, Kiva assessed more than 20 software stacks, both centralized and decentralized. Blockchain and decentralized ledger technologies quickly emerged as good solutions for the developing world as they enable data provenance at the protocol level and stakeholders can act relatively independently to enable their various activities in the formal and informal sectors.

After deep consideration, Kiva decided to use Hyperledger’s stack for identity: Indy, Aries, Ursa. While all three projects are closely related, each has a distinct mandate:

Hyperledger Indy is a distributed ledger purpose-built for decentralized ID with transferable, private, and secure credentials;
Hyperledger Aries is infrastructure that supports interactions between peers and between blockchains and other DLTs; and
Hyperledger Ursa is a modular, flexible library that enables developers to share time-tested and secure cryptography.

In August 2019, Kiva launched the beta of Kiva Protocol with a public event opened by the president of Sierra Leone. Since that launch, global regulators have made significant progress in terms of how they are considering digital identity and eKYC verifications. There is a growing global movement towards user-owned and -controlled data, better privacy, and more universal access.

As of today, Kiva is focusing on building additional ecosystem applications and services to make it easier for all stakeholders to access and use Kiva Protocol. Much of this is being contributed upstream into the Hyperledger Indy and Aires projects, with the remaining components hosted in Kiva’s repository.

Hyperledger teamed up with Kiva on a detailed case study covering the challenges of the unbanked, requirements for a solution that delivers fast, cheap and secure ID exchange, and plans for expanding Kiva Protocols’ use to other countries and other applications.

Read the full case study here.

Dec 06

Love6

Why SSI Incubator: An inside look at the program and startups

By Maya Kanehara, Managing Director, Self-Sovereign Identity Incubator Blog, Hyperledger Aries, Hyperledger Indy, Hyperledger Ursa

The identity community at Hyperledger is lucky to see the groundbreaking toolboxes, libraries, and resources grow by leaps and bounds in just a very short time. From Hyperledger Indy, then Hyperledger Ursa, to the new project Hyperledger Aries, widespread adoption of decentralized identity is closer than ever. It was this excitement and optimism for the growing industry of identity products and solutions being born out of this community from which the Self-Sovereign Identity Incubator (SSI Incubator) was launched. By combining the expert mentors from all over the decentralized identity world with some of the most passionate innovators in the identity startup scene today, the Hyperledger identity community is poised to see growth that we’ve all been waiting for.

The SSI Incubator is designed to remove barriers to startup financing and success within the self-sovereign identity (SSI) industry. More than just seed funding and high-profile pitching opportunities, participating startups also receive co-working space, educational workshops, mentorship, and networking events with some of the most influential voices in the decentralized identity community today. The startups in this program are nearing the end of this time-limited and mentor-focused program, with the 12 weeks culminating in a final evening devoted to exploring the future of SSI.

The five startup projects are:

Domi (Berlin): Digital passports for landlords and tenants that would create a fairer rental market.
HearRo (Los Angeles): A blockchain-powered phone system for trusted, effortless communication
MetaDigital Inc (Toronto): An Intelligent Healthcare Platform that would eliminate medical prescription and insurance claim fraud with real-time digital verification.
Spaceman ID Inc (Chicago): Tools for companies to easily implement private, secure, and portable digital credentials.
Xertify (Bogotá, CO): A network where people and institutions can exchange trusted information based on blockchain technology.

“The Hyperledger identity community holds the secret to growing the use and interoperability of SSI. The SSI Incubator has shined a light on the breadth of organizations of all types and sizes that see the value of decentralized identity,” said Heather C. Dahl, CEO & Executive Director of the Sovrin Foundation. “The mix of SSI solutions and startups focused on healthcare, enterprise adoption, the home rental market, telecommunications, and education joined us from around the world shows the widespread interest and development in self-sovereign identity technologies. This range of diverse solutions is what is driving SSI adoption.”

The SSI Incubator is a joint venture between the Sovrin Foundation and investment firm Hard Yaka. Join the SSI Incubator and startups for the culmination of their work by registering for their final event of the year.

Jan 30

Love0

Hyperledger Kicks Off the New Year with Eight New Members

By Hyperledger Announcements, Hyperledger Fabric, Hyperledger Grid, Hyperledger Ursa

Growing community, new project developments and accelerating pace of deployments mark start of 2019

SAN FRANCISCO (January 30, 2019) – Hyperledger, an open source collaborative effort created to advance cross-industry blockchain technologies, begins 2019 by announcing it has added eight new members to the consortium. In addition, Hyperledger has delivered some key technology updates and now has a total of 12 projects.

Hyperledger is a multi-venture, multi-stakeholder effort that includes various enterprise blockchain and distributed ledger technologies. Recent project updates include the release of Fabric v1.4 LTS, the first long term support version of the framework, as well as the addition of two new projects Hyperledger Ursa and Hyperledger Grid. Grid uses shared, reusable tools to accelerate the development of ledger-based solutions for cross-industry supply chain applications. Additionally, a detailed case study on Circulor’s Hyperledger Fabric-based production system for tracing tantalum mining in Rwanda adds to growing list of resources for guiding enterprise blockchain adoption.

“We wrapped up 2018 with a successful and exciting Hyperledger Global Forum,” said Brian Behlendorf, Executive Director, Hyperledger. “This first worldwide meeting of the Hyperledger community underscored the growing pace of development and deployment of blockchain in general and our tools and technologies in particular. We are seeing more signs of this accelerating pace of maturation and adoption here in early 2019. We welcome these newest members and look forward to their help in driving this growth.”

Hyperledger allows organizations to create solid, industry-specific applications, platforms and hardware systems to support their individual business transactions by offering enterprise-grade, open source distributed ledger frameworks and code bases. The latest general members to join the community are BTS Digital LLP, Exactpro Systems Limited, Jitsuin, Lares Blockchain, Myndshft, Omnigate, Poste Italiane and Wrapious Marketing Co Ltd.

New member quotes:

BTS Digital LLP

“We are an emerging company aiming at creating a national digital ecosystem in Kazakhstan that will facilitate the basic processes of human life and provide equal access to resources,” said Eugene Volkov, Chief Digital Officer, BTS Digital LLP. “As we see accelerated growth of transactions and actors in today’s life, we acknowledge the growing need to build a trustworthy society where all the participants can act with consensus, immutability, equality and transparency. Building such an environment requires trust. Our trust in Hyperledger’s expertise is a primary reason why we choose to become a member. We believe this community will guide us in finding technological solutions in achieving our goals.”

Exactpro Systems Limited

“Being a firm strategically focused on providing the highest level QA services for mission-critical market infrastructures, Exactpro understands the important role of this new technology and strives to enhance our expertise in this area through collaboration with leading blockchain consortia such as Hyperledger,” said Maxim Rudovsky, CTO, Exactpro. “We firmly believe our Hyperledger and The Linux Foundation memberships will provide Exactpro with access to community resources that will help us deliver more profound testing of DLT-based software systems to our clients.”

Jitsuin

“One of the founding decisions we made at Jitsuin was to become a Hyperledger member,” said Jon Geater, Chief Technology Officer, Jitsuin. “As part of our mission to unlock the value of data in the Internet of Things, we focus on Industrial IoT device lifecycle assurance where security, price, reliability and shared responsibility are all crucial. Keeping IoT in a known, good state is a team sport and is exactly where distributed ledger technologies work best. I am also delighted to continue serving the Governing Board and Hyperledger community to help ensure it remains the unrivaled home of advanced cross-industry business blockchain technologies.”

Lares Blockchain

“Lares Blockchain Security is delighted to join the Hyperledger community,” said Chris McGarrigle, CEO, Lares Blockchain Security. “Hyperledger’s fundamental strengths of performance, scalability and security resonate with our core values at Lares Blockchain Security. As our blockchain products and technologies continue to gain momentum in the medical, biotech, mining and financial industries, we see our partnership with Hyperledger as critical to further establishing ourselves in the enterprise.”

Myndshft

“Blockchain presents an enormous opportunity for healthcare to simplify and unify claims management, prior authorizations and other administrative functions, helping payers and providers reduce costs and improve timeliness and quality of care,” said Ron Wince, CEO, Myndshft Technologies. “That is why Myndshft is thrilled to join Hyperledger and collaborate with blockchain leaders and innovators across industries to find ways to leverage the technology to increase efficiency of healthcare operations, improve the patient experience and optimize financial performance in the value-based care era.”

Omnigate

“Omnigate Systems is delighted to join Hyperledger and to leverage blockchain technologies to drive interoperability in finance. Omnigate provides enterprise-grade, universal ledger software with extensive integrations. Our mission is to empower businesses of any size to rapidly build production-grade transactional systems for both traditional assets and emerging digital assets,” said Raphael Carrier, CEO, Omnigate. “We consider the integration of the Interledger protocol (via Hyperledger Quilt) into our product to be a key milestone. We believe this is an important initiative which will advance interoperability and accessibility to the ‘Internet of Value.'”

Poste Italiane

“Blockchain is not just a buzzword or a myth anymore, but is becoming the foundation for establishing a distributed, transparent and cross-industry interoperable ecosystem,” said Mirko Mischiatti, Chief Information Officer, Poste Italiane. “Poste Italiane wants to actively participate in this new and exciting community by becoming a member of Hyperledger in order to continue its path for the innovation and modernization of financial, logistic and insurance industries. We really look forward to working with other members and making our effort to contribute for the enhancement of blockchain technology.”

Wrapious Marketing Co Ltd

“It is our honor to become a member of the Hyperledger community,” said Tommy Wong, Chief Operating Officer, Wrapious Marketing Co Ltd. “Joining Hyperledger provides us with more opportunity to explore more within the blockchain space and to contribute to project developments. Our vision is to create a virtual world that provides equal access to everyone regardless of their status or social class in the community. We believe being part of Hyperledger will add to our ability to achieve this vision.”

About Hyperledger

Hyperledger is an open source collaborative effort created to advance cross-industry blockchain technologies. It is a global collaboration including leaders in finance, banking, Internet of Things, supply chains, manufacturing and Technology. The Linux Foundation hosts Hyperledger under the foundation. To learn more, visit: https://www.hyperledger.org/.

Dec 04

Love0

Welcome Hyperledger Ursa!

By Hart Montgomery Blog, Hyperledger Ursa

Hyperledger Ursa is the latest project to be accepted by the TSC! It is a modular, flexible cryptography library that is intended for—but not limited to—use by other projects in Hyperledger. Ursa’s objective is to make it much safer and easier for our distributed ledger projects to use existing, time tested, and trusted cryptographic libraries but also new cryptographic library implementations being developed.

Ursa aims to include things like a comprehensive library of modular signatures and symmetric-key primitives built on top of existing implementations, so blockchain developers can choose and modify their cryptographic schemes with a simple configuration file change. Ursa will also have implementations of newer, fancier cryptography, including things like pairing-based signatures, threshold signatures, and aggregate signatures, and also zero-knowledge primitives like SNARKs.

Ursa will be written mostly in Rust, but will have interfaces in all of the different languages that are commonly used throughout Hyperledger.

Why Ursa?

As Hyperledger has matured, the individual projects within Hyperledger have started to find a need for sophisticated cryptographic implementations. Rather than have each project implement its own cryptographic protocols, it is much better to collaborate on a shared library. There are many reasons to do this, including the following:

Avoiding duplication: Crypto implementations are notoriously difficult to get correct (particularly when side channels are taken into account) and often require a lot of work in order to achieve a high level of security. The library allows projects to share crypto implementations, avoiding unnecessary duplication and extra work.
Security: Having most (or all) of the crypto code in a single location substantially simplifies the security analysis of the crypto portion of Hyperledger. In addition, the lack of duplication means maintenance is easier (and thus, hopefully security bugs are less numerous). The presence of easy to use, secure crypto implementations might also make it less likely for less experienced people to create their own less secure implementations.
Expert Review: In addition, the ability to enforce expert review of all cryptographic code should increase security as well. Having all of our cyptographic code in a single location makes it easier to concentrate all of the cryptographic expertise in the project and ensures that code will be well reviewed, thus decreasing the likelihood of dangerous security bugs.
Cross-platform interoperability: If two projects use the same crypto libraries, it simplifies (substantially in some cases) cross-platform interoperability, since cryptographic verification involves the same protocols on both sides.
Modularity: This could be the first common component/module and a step towards modular DLT platforms, which share common components. While we have already outlined most of the advantages this modularity brings in terms of actual functionality, a successful crypto library encourages and pushes forward more modular activities.
New Projects: It is easier for new projects to get off the ground if they have easy access to well-implemented, modular cryptographic abstractions.

Who Is Involved in Ursa?

On the more practical side, Ursa currently includes developers who work on the security aspects of Hyperledger Indy, Sawtooth, and Fabric. In addition, the Ursa project includes several cryptographers with an academic background in theoretical cryptography to ensure that all cryptographic algorithms meet the desired levels of security.

Our goal in creating Ursa is to combine the efforts of all the security and cryptography experts in the Hyperledger community and move all of the projects forward.

Features and Plans

Currently Ursa has two distinct modules: a library for modular, flexible, and standardized basic cryptographic algorithms, and a library for more exotic cryptography, including so-called “smart” signatures and zero knowledge primitives called zmix.

Our first library is our “base crypto” library. Right now we are focused on our shared modular signature library, but we plan to extend this to allow easy modularization of all commonly used cryptographic primitives in Minicrypt. This—work in progress—has the implementation of several different signature schemes with a common API, allowing for blockchain builders to change signature schemes almost on-the-fly—or to use and support multiple signature schemes easily. Exact implementations and APIs have not been finalized, but they are in progress.

We note that there aren’t raw crypto implementations in this library—things here are stable and generally standardized—but wrappers for code from existing libraries and also code generated by commonly used cryptography libraries such as the Apache Milagro Crypto Library (AMCL). The novelty here is the modularization and API, which enables blockchain platforms to easily use a wide variety of changeable cryptographic algorithms without having to understand or interact with the underlying mathematics.

In the future, we expect other wrappings and modular code to go in this library. For instance, Indy makes use of aggregate signatures, a feature which the other platforms would also like available to them. There are also a variety of hash algorithms which provide different performance characteristics or support different signature schemes. Selecting vetted implementations and providing a common interface helps the Hyperledger community manage a growing crypto feature set in a responsible manner.

Our second initial subproject is zmix, which offers a generic way to create zero knowledge proofs that prove statements about multiple cryptographic building blocks, including signatures, commitments, and verifiable encryption. The goal of zmix is to provide a single flexible and secure implementation to construct such zero knowledge proofs. Zmix consists of C-callable code but there are also convenience wrappers for various programming languages.

Getting involved

If you’re interested in learning more about, using, or contributing to Ursa, please check out the following: https://www.hyperledger.org/projects/ursa

We welcome interest even from those who aren’t working with Hyperledger projects, so feel free to join us if you like!