Trustless Computing Paradigms

(Version of October 12th, 2023)

The Trustless Computing Paradigms represent:

  • (1) a novel approach to the assessment, engineering and certification of the levels of trustworthiness of highly sensitive end-to-end IT systems and services, that we refer to as “Trustless Computing”. Initially targeted to the domains of sensitive and diplomatic communications and shortly after to other society-critical systems, such as control subsystems of the critical and advanced AIs and social media feeds subsystems.

  • (2) the binding guiding principles of a new proposed IT security standards-setting and certification body for IT systems and services, in such domains, the Trustless Computing Certification Body and Seevik Net Initiative.

Basic Principles

  • Trustless Computing can be conceived as an extreme uncompromising version of the ”security-by-design” approach to IT security, which expands “security design” and early-on deep verification to all critical technologies, supply chain processes and critically-involved organizational processes.

  • Trustless Computing is centered on (a) uncompromising transparency of source designs and extreme security-review in relation to complexity of all critical components and processes in the entire lifecycle, and on (b) democratic, battle-tested, and decentralized governance, certification and oversight processes.

  • Trustless Computing renounces to need or assumption of any upfront unverified trust in any organization, technology and person. Trustless Computing has nothing to do with zero trust, while it fully embed its principles. Trustless Computing is not based on distributed ledger technologies or blockchain systems, while it may include them.

  • Trustless Computing is a novel approach to IT security whereby actual and perceived confidentiality and integrity for an IT systems, service and experience is not a technical problem but ultimately 100% the by-product of the accountability and transparency of the design of the organizations and human processes critically-involved in the entire lifecycle, as can be assessed by moderately educated and informed citizens - just as that of electoral voting processes in a resilient mature democracies.

  • Trustless Computing acknowledges that if only one our 16 million commercial airliner fights results in an accident, whereby every smartphone or client device produced is hacked or hackable at scale by innumerable entities, it is not due to the fact that IT is harder, but because all IT and IT standards are structurally weakened and surreptitiously compromised by powerful nations due to their failure to reconcile the needs of personal privacy with that of national security. Just as leaving “keys under a doormat”, bug-doors are and will always be in all systems until a new mechanism with ensure both the utmost system security and privacy and a safe-enough front-door access.

  • Trustless Computing - to mitigate the risks of grave abuses by end-users - aims to achieve radically-unprecedented levels of confidentiality and integrity for sensitive human computing and communication while ensuring improved “in-person” national and international legitimate lawful access, without requiring any legislative changes anywhere.

  • Trustless Computing fully includes and embeds in its paradigms and certification processes the “zero trust” approach to IT security, yet it extend its “never trust, always verify” concept and an extreme “security-by-design” approach to the (a) technical and organizational “check point” components that exercise Zero Trust functions in the Zero Trust architecture applied to the target system; as well as (b) the underlying target system in their entire supply chain and lifecycle. (See more in this recent post).

  • Trustless Computing is not an IT security approach based on the distributed ledger technologies or blockchain system or standard, while a Trustless Computing IT system that satisfy it may include them. Many in its ecosystem have referred to their domain or specific solutions as “trustless systems”. We challenge the claims that DLT/blockchains constitute a “trustless” system as well as a standalone trustworthy system because it requires the user - in varying degrees - to blindly trust (a) that several key actors in the power structure of a given blockchain will not act maliciously or collude to do so; (b) that their hardware “crypto” wallet for integrity, and their software wallets and clients device for integrity and confidentiality. Conceptually, their flaw comes from thinking the digital decentralization that is not democratically governed and a server-side infrastructure without client devices, can alone deliver trustworthiness of sensitive IT systems beyond a digital speculation mechanism, like Bitcoin.

Formal Definition of “Trustless Computing”

While “trustless computing” is a term used widely by IT security practitioners to refer to some qualities of certain approaches and technologies, we will refer to the following definition:

“Trustless Computing” is a IT client/server IT system, service, and end-to-end experience for sensitive human computing that complies with the Trustless Computing Paradigms, as determined by the Trustless Computing Certification Body to guarantee both radically-unprecedented level of confidentiality and integrity as well as improved “in-person” national and international legitimate lawful access to such system. It does so by ensuring that, for both of those function requirements, all IT and processes critically-involved in the entire life-cycle are subject to uncompromising transparency of source design, and extreme security review in relation to complexity by “incentive-aligned” experts - down to fabrication oversight [TCCB Fab], CPU design, hosting room access [TCCB Cloud], as verified by a global certification body that ensures a sustainable maximization of its global-representativity, neutrality, accountability, competency, and resiliency from geopolitical pressures, through suitable provisions in its statute.”

A Brief History of the Trustless Computing Paradigms

The first version of the Paradigms was published as the core of an EU R&D proposal to H2020 FET-Open R&D, the next major version was included in a 2018 Position Paper. What you read above is that latest version of the Trustless Computing Paradigms. They are continuously updated until the permanent intergovernmental governance of the Trustless Computing Certification Body will take over further editing of them.

Short Version of the Trustless Computing Paradigms

The Trustless Computing Paradigms are binding principles that synthesise the requirements of a given IT system (or IT experience) as it will be elaborated by the Trustless Computing Certification Body. A TCCB-complaint IT service is one that:

  1. ensures that all and every software, hardware, and processes that are critically involved in the entire provisioning, usage or lifecycle – from CPU design to fabrication, to hosting room access to standards-setting – are subject to extreme verification relative to complexity or to extremely resilient cyber-social oversight, based on offline citizen-witness and citizen-jury processes. (By “critical” hereafter shall refer to hardware, software, or procedures against whose possible vulnerabilities one can NOT be protected, with ultra-high assurance, by using proven OS, SoC and/or CPU level isolation/ compartmentation techniques. This includes access to server-side facilities or hosting rooms containing user-sensitive data.)

  2. includes only critical HW and SW components that are publicly verifiable in their source design. Strongly minimizes the inclusion of non-Free and Open Source Software, including updatable and non-updatable firmware. Makes extensive reuse of battle-tested Free/Open Source Software components – through extreme stripping down, hardening, and when appropriate re-writing. Strongly aims at realizing the computing device with the least amount of non-free software and firmware in security-critical hardware components.

  3. includes only highly-redundant and decentralized hardware and/or software cryptosystems whose protocols, algorithms and implementations are open, battle-tested, extensively-verified and endorsed, and with high or highest, and “scalable”, post-quantum resistance levels.

  4. provides extreme levels of “incentive aligned” security-review relative to system complexity for all critical components, by a large number of experts with comprehensive expertise who are expectedly under very strong incentives, including ethical, to report only to the TCCB the vulnerabilities they find. 

  5. ensures that the staff, management and shareholders of the Provider of TCCB-compliant IT service, and its suppliers, who are in a position to measurably influence the security of the Service - while distrusted by default, as per the other TCCB paradigms - will be deeply vetted, background-checked and KYCed (know-your-customer) to estimate the likelihood that they may decide to, or be induced to, maliciously introduce backdoors or bug-doors for profit, extortion, political reasons, etc.

  6. subject to IT security standards-setting and certification processes, via the Trustless Computing Certification Body, and coherent with this Paradigms, that are conceived with the utmost care to maximize the likelihood that its governance will be and sustainably remains very highly citizens-accountable, technically-proficient, effective, independent, ethical, and resilient to undue processes from even the most powerful state and non-state actors. 

  7. renounces the need of placing upfront unverified trust in any technology, person or organization critically-involved in its entire supply chain, lifecycle and fruition. The trustworthiness of each is to be evaluated in relevant details, and in proportion to its complexity and criticality, via a certification body, whose trustworthiness derive from the quality of his statute and governance.

  8. assumes that extremely skilled attackers, nations or alliances are willing to devote even tens of millions of dollars to compromise the lifecycle or supply chain through legal and illegal subversion of all kinds, via all means, including; spy-work, advanced algorithmic, brute force, and AI-assisted hacking, and economic attacks to buy off or pressure a key partner.

  9. ensures that its level of trustworthiness - as per democratic elections - rests ultimately on the levels of rational confidence in the intrinsic resistance to abuse and failure of the critically-involved organizational processes, and their governance models, as recognizable by moderately informed and educated citizens.

  10. includes only endpoint and network intrusion prevention, detection and mitigation systems and services - including based on a Zero Trust architecture - whose technical and organization components, and their interaction with its target IT system, has been vetted with the same assurance levels of this Trustless Computing Paradigms, so as to sufficiently mitigate the risk that added risk is not higher than the added assurance.

  11. includes only innovations with clear and low long-term royalty terms, from patent and licensing, to prevent undue intellectual property right holders’ pressures, lock-ins, and vetoes; and sustainably ensure in the medium term the low-cost for affordability by average citizens; 

  12. provides an in-person offline key and data recovery function, to benefit end-users in case of loss of death or loss passcodes, and enable a voluntary (i.e., in addition to current law requirements) compliance to only legitimate international lawful access requests. This function will rely on the setups and management process of hosting rooms in multiple jurisdictions that implement unprecedented safeguards. All sensitive data and keys are stored in “secret-sharing” architecture” in at least three hosting rooms in different nations, at least one part of a different military/intelligence alliance.

    • Physical access to such hosting rooms by anyone for any reason will require the physical presence and approval of at least 5 randomly-selected local citizens in a jury-like body, in addition to system administrators and an expert legal counsel.

    • For local jurisdiction lawful access requests, such a jury-like body and legal expert will vet the due-process validity of submitted court orders and absence of blatant unconstitutionality of submitted supposed legal authority or executive order.

    • For foreign jurisdiction lawful access requests, the submitted request is vetted by a TCCB Judicial Board, made of 15 recognized experts in international law, civil rights, and public security, who have been elected or appointed to high offices, such as a leading international court, the highest court of a large democratic nation. If approved, such a Board instructs the TCCB Jury as to what data should be conceded to the requesting public authority.

TCCB Cloud: Unique Server-side Oversight

All sensitive data and services – of the provider and users – will be hosted in dedicated hosting rooms in 3 nations from different global military/intelligence alliances whose access at any time requires 5 randomly-sampled citizen-jurors and only utilize dedicated compliant servers (TCCB Servers) and locks. Such hosting rooms will provision, we provision (1) key recovery service to all end-users, in case of user death or loss of password; (2) extreme protection against insider threats; as well as (3) a way resiliently comply (voluntarily) to only legal AND constitutional lawful access requests (legal in Switzerland and several EU nations). More details on this TCCB Cloud page.

TCCB Fab: Unique Chip Fabrication Oversight

Fabrication and design of all critical hardware components will be subject to oversight processes, that will substantially exceed in end-user trustworthiness the NSA Trusted Foundry Program at substantially lower costs; by adding to state-of-the-art process the exclusive use of TCCB compliant monitoring equipment and the presence of 5 trained citizen-witnesses, during the 6-8 critical phases of the chip fabrication process. All TCCB Devices are assembled, verified, flashed, and shipped to their users by a compliant electronics manufacturing plant/service (TCCB EMS), applying monitoring processes similar to the TCCB Fab. More details on this TCCB Fab page. 

Full Version of the Trustless Computing Paradigms

A TCCB-compliant IT service will be one that complies with all of the following:

  1. AIMS: aims at constitutionally-meaningful levels of actual and perceived trustworthiness of the integrity and confidentiality (data and metadata), and not mere substantial improvements;

  2. THREAT: assumes that extremely-skilled attackers are willing to devote even hundreds of millions of dollars to compromise the lifecycle or supply chain through legal and illegal subversion of all kinds, including economic pressures; and many tens of thousands to compromise an individual end-user.

  3. TRUSTLESSNESS. assumes an active and complete lack of trust in anyone or anything, except in the intrinsic constraints and incentives against decisive attacks to all organizational processes critically involved in the entire lifecycle, from standard-settings to fabrication oversight, as assessable by any moderately informed and educated citizen.

  4. OVERSIGHT: provides extremely user-accountable and technically-proficient oversight of all hardware, software and organizational processes critically involved in the entire lifecycle. By “Critical” hereafter shall refer to hardware, software, or procedures against whose possible vulnerabilities one can NOT be protected, with ultra-high assurance, by using proven OS, SoC and/or CPU level isolation/ compartmentation techniques. This includes access for whatever reason to any server-side facilities or hosting rooms containing user-sensitive data.

  5. SUPPLEMENTARITY: aims to provide a user-friendly supplement or “add-on” to ordinary commercial mobile and desktop devices, rather than a replacement to them.

  6. ORGANIZATIONS: provides extreme user citizen-accountability, independent, and technical proficiency of all organizational processes critically involved in the computing service lifecycle and operation, including the Certification Body itself. Involves direct and exhaustive involvement of informed samples of citizens in the design and operational security oversight of all critical components.

  7. CRYPTOGRAPHY: includes only highly-redundant hardware and/or software cryptosystems whose protocols, algorithms, and implementations are open, long-standing, standards-based and extensively verified and endorsed by top recognized ethical security experts, and widely recognized for their post-quantum resistance levels. The above also applies to any use of zero-knowledge, blockchain, threshold cryptography, secret-sharing protocols.

  8. INSPECTABILITY 1. integrates and develops only software and firmware whose source code and compiler allows for inspecting without a non-disclosure agreement (“NDA”), and which is developed openly and publicly in all its iterations;

  9. INSPECTABILITY 2. includes only critical hardware components whose firmware (and microcode) and full hardware designs are publicly inspectable without NDA at all times in open public structured format. In the case of processors, it will include code, hardware description source files (such as VHDL or Verilog files), Spin interpreter and similar, programming tools, and compilers;

  10. INSPECTABILITY 3: allows for complete hardware fabrication and assembly inspectability, and extremely user-accountable and effective oversight, of all critical hardware components, in their critical manufacturing processes;

  11. INSPECTABILITY 4: ensures availability of one or more mirror copies of the complete server-side hosting room setups to enable easy independent testing by anyone while being charged only the marginal cost of providing such access; in addition to all needed service devices at marginal production cost.

  12. SECURITY-REVIEW. ensures extreme levels of highly-ethical highly-expert security-review relative to complexity; i.e.  extreme levels of intensity, competency, and “expected altruism” of engineering and security-review efforts – in relation to system complexity – for all critical software and hardware components; also by implementing extreme software and hardware compartmentation, and feature and performance minimization;

  13. LICENSING. strongly minimizes the inclusion of non-Free Software, including updatable and non-updatable firmware. Makes extensive reuse of existing Free/Open Source Software components – through extreme stripping down, hardening and re-writing. It strongly aims at realizing the computing system with the least amount of non-free software and firmware in security-critical hardware components;

  14. TRAINING. includes effective and exhaustive first-time in-person training for users, to ensure knowledge of basic operational security (OpSec) and risk management for self and others.

  15. IP TERMS: includes only technologies and innovations with clear and low long-term royalties – from patenting and licensing fees – to prevent undue intellectual property right holders’ pressures, lock-ins, patent vetoes, and ensure an open platform with sustainably low costs, affordable to most western citizens.

  16. ZERO TRUST: includes only endpoint and network intrusion prevention, detection and mitigation systems and services - including based on a Zero Trust architecture - whose technical and organization components, and their interaction with its target IT system, has been vetted with the same assurance levels of this Trustless Computing Paradigms, so as to sufficiently mitigate the risk that added risk is not higher than the added assurance.

  17. PEOPLE: ensures that the staff, management and shareholders of the Provider of TCCB-compliant IT service, and its suppliers, who are in a position to significantly influence the security of the Service - while distrusted by default, as per the other TCCB paradigms - will be deeply vetted, background-checked and KYCed (know-your-customer) to estimate the likelihood that they may decide to, or be induced to, maliciously introduce backdoors or bugdoors for profit, extortion, political reasons, etc.

  18. LEGAL: ensures that current cyber-security legislation and state agencies practices in the country of origin and/or localization of user, provider, assembly facilities, foundry – and other critical process involved – are not inconsistent with a constitutional, lawful and feasible compliance with these certifications; in regards to surveillance, mandatory encryption key disclosure, crypto exports, liability, and other relevant legislation.

  19. ASSEMBLY. provides one or more dedicated crowded urban street-level glass-walled spaces where devices are publicly assembled, verified, flashed, and transferred to their users. It will be subject to 24/7 high-trustworthiness live streaming oversight, and monitoring.

  20. LIABILITY: includes an extreme level of cumulative liability, contractual/economic and legal, for all individuals and organizations critically involved for not strictly following procedures or willingly compromising the life-cycle.

  21. OPEN ECOSYSTEM. involves participants to an initial open R&D Consortium, which will set out to build the first certified service, that commits to terms that ensures very–high resilience to the openness of the ecosystem and its resistance to economic pressures, including (a) through such consortium, offer only certified services; (b) state clear, perpetual and very-low (or null) royalties to all the IP they integrated and developed in the services they offer jointly or independently.

  22. INTEGRITY: shall provide a uniquely accountable and “trustless” form of remote attestation, in addition to extreme anti-tampering, in order to further guarantee a user that its interlocutors’ devices have not been insecurely modified. (For example, the entire local archive of a highly-private mailing list of frontline political activist group, or of top executives of a corporation, may be totally jeopardized if only one of their interlocutors applies the wrong software modification). Nevertheless, users and researchers must be able to fully reprogram the software, after triggering the tampering detection mechanism that warns all other users, to facilitate open research.

  23. SERVER-SIDE & DATA RECOVERY. will provide extreme safeguards for all security - and privacy-sensitive server-side (and/or “decentralized”) infrastructure – which will mandatorily include the provision of in-person offline user key and data recovery, for benefit end-users – in case of loss of death or loss passcodes – and to enable a voluntary (i.e. in addition to current law requirements) compliance to only legitimate and constitutional lawful access requests, according to the TCCB Cloud socio-technical standard. These collectively will comply with the following safeguards:

    1. Shall physically disable remote admin access, and physical access by anyone will be conditional to the physical presence and express approval of at least 5 randomly-sampled citizen-jurors – in addition to an attorney, and  2 system administrators – through dedicated TCCB-complaint access mechanism (such as keypads). Citizen-jurors are entitled to record anything and ask for a dump of all code before and after any session. Citizen-jurors are managed and regulated by the Certification Body to ensure their adequate vetting, self-training, resilient and protection;

    2. Shall use secret sharing cryptographic techniques, threshold cryptography, or other similar advanced but time-tested protocols –– in addition to such offline authorization procedures – to enable 10 or more citizen-witnesses participating via video stream to also approve using TCCB-compliant client devices; therefore adding an additional layer of security.

    3. Shall enable security-review in one or more complete replicas, including TrustlessRooms for verification by anyone who might substantiate a moderate capacity to do so;

    4. Shall employ state-of-the-art public video streaming and recording, and shall be located at street level in busy urban streets, with large glass fronts, to increase perceived social control, ownership, and trustworthiness.

    5. Shall maintain copies of time-limited encryption keys of subsets of data or metadata of users (and for each user personas if multiple ones) by providing socio-technical systems with extremely-careful safeguards to enable the highest user-control and security in data recovery in the scenarios of user death or user loss of password, as well as enabling lawful access that is lawful, constitutional and compliant with EU Charter of Human Right. It will allow for voluntary compliance (i.e. in addition to what is required by all relevant laws) to limited and targeted due- process lawful access requests, with the extremely-careful safeguards that follow:

      1. Shall enable the TCCB Room citizen-jurors to launch a “Scorched earth procedure” with plausible deniability, which allows a qualified majority of such citizen-jurors – in cases of extreme abuse attempts – to cause immediate physical destruction of all sensitive keys and data in the TCCB Room, which will remain available in other TCCB Rooms of the same provider in a different country. Providers that are governmental agencies, civilian or military, and offer service only to public employees are exempt, transparently to their users, from the requirements of this clause.

      2. Shall be offered only after the service has been used successfully tested for 3 months, in publicly-accessible pilot deployments, with real data, that involve highly-sensitive communications by voluntary elected public officials, as well as by highly expert ethical hackers. (Use of such systems by elected officials would in fact make so that their communications are, on one side, much more resistant to undetected illegal espionage and blackmail, while on the other, are interceptable when mandated by a court warrant.)

      3. Shall offer the service only where at least 3 TCCB Rooms are located in at least 3 different nations. All encryption keys of all security- and privacy-sensitive data will be shared between the 3 TCCB Rooms, so that even if, through unconstitutional or illegal action, attackers prevail in one nation, they would only have one-third of the keys required, unless they prevail also in the other two countries. Eligible nations will be such that:

        1. the service can be offered as a service that is not subject to state mandatory lawful intercept or lawful access legislation (such as those typical of phone operators, like the US CALEA for example);

        2. mandatory key disclosure, and other legislation, or known practices, do NOT make it illegal – except with negligible consequences – to withhold access (with or without gag order) to warrant-based or state-security-based government requests, that may be believed by involved citizen-jury-like body

        3. liability for malicious or gravely negligent breach of the laws or regulations are substantial – and proportionate to the damage caused – for all citizen-witnesses, citizen-jurors, provider staff, or for attackers (both state and non-state actors).

        4. at least one of those nations is not part of the same first-degree military or Intelligence/Surveillance alliances (Five eyes, Nato, EU, etc.);

        5. when and if a nation no longer complies with conditions (1) to (4) above, then the Provider must give a choice to each individual user to agree to transfer such services to a TCCB Room in another nation, or terminate his/her service by recuperating all his data.

      4. Shall have a technological limit in the maximum number of users, and percentage of total users, whose personal data or keys may be extracted within a given time frame;

      5. Shall utilize the highest precautions to (a) prevent or minimize leakage of non-public information related to the lawful access requests, through video and other oversight processes; and (b) to prevent the accidental or malicious deletion or alteration of stored user data, keys, and logs, also by integrating redundantly battle-tested state-of-the-art blockchain technologies.

  24. FABRICATION. ensures that all critical Integrated Circuits (such as CPU, SoC, memory, etc) components and critical assembly processes are executed under a TCCB Fab process whereby:

    1. aims to substantially or radically exceed in end-user-assurance those of Common Criteria Site Certification EAL 5 and NSA Trusted Foundry Program, at substantially lower costs.

    2. setup and configure an extensive sensing, and monitoring infrastructure and allow about 3 (or more) competent, trained, redundant and technicians to verify thoroughly all the critical steps, from the monitoring room and/or inside the cleanroom.

    3. utilizes equipment and sensors, that as much as possible not require direct interventions or disruption of the foundry equipment and facilities, but just rely on setting up an additional overlay of sensing equipment, and on getting a copy of the existing quality control sensor feeds. This would also increase the portability of the TCCB Fab processes to other foundries, and therefore increase its resiliency.

    4. utilizes only foundries, (such as Lfoundry, Italy) that allow the technicians and 5 citizen-witnesses (or peer-witness for governmental/military Provider) to thoroughly oversee and monitor all critical processes –  even though that may force the utilization of older foundries with technologies and simpler processes and less IP.

For a more detailed arguments of the rationale for these Trustless Computing Paradigms - TCCB in general, and especially the legitimate lawful access mechanisms - please read our 2018 Position Paper – Case for a Trustless Computing Certification Body PDF (43-pager & 1-pager summary) and to 2015-2016 R&D initiatives that we coordinate about the same.