It’s been several years since the classic ‘double spending’ problem for digital currencies was solved – by elegantly preventing people duplicating the digital bits that represent the money. This was the advent of ‘cryptocurrencies’ such as Bitcoin. One of the key innovations was the ledger based data storage mechanism known as the Blockchain – a way of storing information securely without a central authority. This innovation turns out to be useful for a variety of tasks that are not necessarily to do with currency, but involve secure consensus between a number of parties, particularly where those parties have different capabilities.
For instance one startup ‘EverLedger’ hopes that a mine in Africa and a high end Antwerp dealer might be able to interact on the same Blockchain to establish the authenticity of diamonds. The same principle can be applied to check the pedigree of pharmaceuticals throughout a chain of custody. Another startup Factom is partnering with NFC label provider Smartrac to run document authentication checks on a Blockchain, and Filament in the US are targeting agriculture sensors registered on a Blockchain to monitor soil quality using long range wireless sensors.
The common theme for these varied scenarios is that many parties may need to access the data, but there are too many players (or simply no dominant player) to agree on who should be trusted to hold the ultimate ‘truth’ in a master database.
Others are targeting the ecosystem of players in supply chains, to enable clearer liability and chain of custody information – imagine you are an operations manager taking control of a fleet of cars and you want to do a software upgrade before deploying them, but you’re not sure of the current state of the vehicles. With the complexity of today’s supply chains, it is difficult to know whose software is already installed and which versions, what hardware revisions of whose chips are in the cars, and whether those parts are genuine and everything will play nicely together after a software module upgrade. The proposal is that from the vehicle number you could look up data on a Blockchain to get a fully authenticated list of how many parts are genuine and whether all the manufacturer and third party software on it is up to date and approved – this problem of putting together data from many parties who don’t necessarily talk to each other requires the type of interoperability at which the Blockchain excels.
Further into the future, there are ambitions to use Blockchain consensus features for distributed governance of legal frameworks, communities, and even companies.
With one of the key barriers to Internet of Things (IoT) adoption being agreement on security standards that allow a large ecosystem with different capabilities to interact securely with the same device, there’s an opportunity to connect the two technologies.
We like to put theory into practice at Cambridge Consultants, so given our experience of low power technologies, digital security, connectivity, and digital services here are some practical thoughts on how your IoT device can best make use of ledger based systems – all while retaining a viable Bill Of Materials cost, and a battery that doesn’t need charging as often as your smartphone.
- Use the Blockchain for the right reasons. Blockchains are good at preventing copying of digital assets, such as title deeds, enforcing contractual commitments between large ecosystems of players, meeting compliance and audit requirements, or tracking individual actions carried out on an item by different parties. They’re not (currently) good at high volume data throughput or running your distributed data processing algorithms as cloud analytics.
- At business model level, decide which kind of blockchain you need – public, private, or consortium. The responsibilities, liabilities, opportunities and challenges vary widely across these models – we have further analysis on this in-house.
- At a technical level decide what level of interaction is appropriate:
- For the very lowest level, a simple non secure ID is sufficient, this could be held on a QR code or serial number, or available over NFC or Bluetooth. The device relies on another party (probably a phone or smart hub) to carry out any additional authentication and perform the digital signatures that interact with the Blockchain
- At the next level up, all an IoT device such as a smart door lock needs to do to participate in a Blockchain based system is have the capability to create or verify a digital signature. It doesn’t need gigabytes of storage for a full chain, the onboard processing to carry out a proof of work algorithm, or the networking capability to run peer to peer data sharing.
- For more autonomous devices the next level is to store enough of the chain (with newest protocols the last few blocks) to verify and authenticate the other parties. With this level the device can start to manage its own security and decide who is allowed to modify it and read any private data. This implies some more heavy duty networking too – either to stream blockchain data or to interact with other devices using a mesh network.
- The top level is to act as a full ‘node’, helping verify the blockchain itself via proof of work or proof of stake. At this point you may need dedicated silicon, for instance using some of the ASICs that have been designed to mine cryptocurrencies – this is more likely to be done at a smart hub level than on every IoT device.
- For today’s blockchain interactions you need Elliptic Curve Crypto (ECC) functionality, for which accelerators exist in silicon form, to carry out the main signature or verification functions. We have a few favourite accelerators we use on projects at under $0.30 BoM cost, and there are plenty of ‘secure element’ chips around (they appear in your bank card and SIM card) if higher security is required. Don’t be fobbed off with a rebadged RSA accelerator, and be prepared for latency if using a pure software solution. If your deployment is going to last more than 10 years keep an eye on ‘quantum resistant’ alternatives to ECC cryptography.
- Since you’ve got an ECC accelerator now, put it to good use verifying your signed firmware build for some additional security and anti-counterfeit benefits.
- If you decide to pass public keys around to allow new players to work out who is who, use a digital certificate designed for low power. While the venerable X.509 standard does keep the internet running, it wasn’t designed for low power devices, large scale revocation never really worked, and it’s rarely used for 2 way authentication. Get your certificates under 256 bytes if you can – we’ve just designed and implemented one at 138 bytes for a payment application – if you go lower than that keep an eye on Certicom patents. Don’t have an expiry date on your IoT device’s digital certificate (we have a good justification for this, but it doesn’t fit in the margin). One day, use a Blockchain to store and distribute your public keys as well – although certificates are still useful if IoT devices meet each other offline.
- Select a Contract Manufacturer that can support a secure online link to the brand owner Blockchain or database during production and provisioning – to do good key management when it matters
- Distribute the information, but not necessarily the control – allow your IoT device to make binding decisions (open the door, pay a delivery team) only if it will have all the input information available, including the ability to authenticate – if that’s not possible, use it as an information feed, but make the important decisions elsewhere in the system
- Put the time limited warranty on your service, not your product. Connected digital services sold a few years ago are reaching end of life and being switched off with the device still in the buyer’s hand – Blockchains haven’t fixed this problem (although they might make it clearer if, for instance, an Ethereum contract runs out of gas) and we can expect buyers to start asking how long the service will be around for before they make their purchasing decisions.
- Don’t lose the user experience – while being able to warranty track a device, securely confirm its pedigree or instruct it to monitor a facility to give operational benefits, make sure there’s a compelling reason for the end user to keep the connectivity alive
With the amount of venture capital going into the industry, we can expect more from Blockchain technologies, whether they are public, private, or consortium based – when used in the right context, they enable genuinely more efficient processes and more detailed compliance and audit, and support the sharing economy in a wide range of applications.
Challenge us to demonstrate how we can connect your next IoT device to the blockchains being built today.