NuCypher ICO review

Written by Ben Longstaff, CoinRemix founder, March 2018

CoinRemix does not accept facilitation payments, gifts, pre-sale arrangements, kickbacks or other financial advantage from the projects we are reviewing.

Summary

Nucypher is body armour for data. Their offering is a decentralised key management system (KMS), providing encryption and access control services for sensitive data. It’s a powerful toolset that becomes a key enabler for applications handling identity management, sensitive datasets, and even decentralised content marketplaces. In brief: this type of security infrastructure allows data owners to securely distribute and manage access to their sensitive data via a decentralised, trustless service provider.

AREAS OF APPLICATION

smart contracts micro payments logistics ownership data access identity voting platform

COINREMIX'S ACTION

Purchase & Stake

Rating

Outline

Key management systems are widely used in enterprise applications, wherever that enterprise might be concerned about the security of their sensitive data, or simply forced by regulations to protect it.

Data can be encrypted, and keys to decrypt and access that data are distributed to authorised users on the network. At any point, keys and access can be revoked, maintaining control and integrity of the data.

Banks, financial institutions, government departments and healthcare providers are common examples of KMS users that handle sensitive data and are legislated to do securely. An engineering company holding confidential IP is a good example of an unregulated company that still has a strong interest in proper data management.

Traditional approaches to KMS are typically expensive and technically difficult for small players; newer approaches such as Google Cloud KMS and Amazon CloudHSM work well but require a high-degree of trust in the service provider.

NuCypher aims to design a decentralised KMS network that is reliable, accessible, and removes common points of failure present in centralised systems.

It uses a token economy to incentivise providers on the network to provide good service to data-owners, and a multi-layered governance protocol to ensure that the system is kept up to date and running smoothly.

They have already integrated their system with popular tools for the transfer and processing of big data, allowing their launch customers to make the switch to Nucypher without changing the data processing tools they use. This removes any ‘switching cost’, removing a key barrier to adoption of their KMS platform.

 

Token Symbol

NU

Token Type

ERC-20

Public Blockchain

No

Private Blockchain

No

Oracles

No

Cross chain bridge

No

Sidechain

No

Smart Contracts

Yes

Website

https://nucypher.com

Whitepaper

View whitepaper

 

Partnerships

Cryptocurrency Keys

Coval Emblem Vault

Decentralized Database

Bluzelle
Fluence
Wolk

Decentralized Marketplace

Datum

IoT

Spherity

Medical Data Sharing

Medibloc
IRYO
Medixain
Wholesome

Areas of application

Key Management System

Enterprises currently use KMS to create and control access to encryption keys, giving authorised users access to sensitive data, and revoking access as necessary. Centralized solutions are vulnerable to having access subpoenaed, and are more prone to security breaches.

Key Rotation

It is good security practice for a KMS to refresh encryption keys from time-to-time. Any new data is encrypted using the latest key, limiting damage if an older key is leaked or compromised. It also gets rid of the cobwebs in the system, in case an ex-employee holds on to their key, or a hacker is sitting dormant in the network, for example.

Encrypted Storage

This could be built on top of existing centralised and decentralized technologies like IPFS, Sia, Storj, Dropbox, Google Drive or S3 for storage, with NuCypher handling encryption and access management.

Shared Data Lake

Enterprises have huge amounts of data in their data lakes. NuCypher has indicated that some of their pilot customers want to share their encrypted files in a data lake with other organizations and have each organization bring their own key. Multi-tenant, multi-source data lakes enable different government organizations to collaborate, e.g. CIA, SEC, Homeland Security and FDA.

Decentralized Encrypted Chat

The proxy re-encryption technology that NuCypher utilises allows users on a network to store chat data as securely as any other data; in essence creating an access-controlled chat stream. This has the benefit of not needing to encrypt the chat data streams for each user, but still storing the data in an encrypted format.

Data Stream Access

NuCypher enables ‘pay-per-content’ Digital Rights Management (DRM). A ‘decentralised Netflix’ could grant access to a file when a customer pays for it, and revoke access after a specified time. The same concept could be applied for any marketplace or content type.

Technical Details

The main net will be launched before the ICO. The target is Spring (March - May) 2018.

Patents

The team holds patents for:

Background

NuCypher is a blockchain privacy layer that provides proxy re-encryption as a service. Proxy re-encryption can be used to share encrypted data with multiple people that have different keys. This translates well to a KMS where granting and revoking access to encrypted data is the core functionality of the system.

NuCypher's Proxy re-encryption is built on a few technical concepts:

Data Encapsulation

This uses symmetric key encryption. One key is used for both encrypting and decrypting the data.

Key Encapsulation

This uses public key encryption. The key used to encrypt the data is then encrypted and stored with the encrypted data. This enables sharing the same symmetrically encrypted data with multiple parties. The data key can be encrypted separately for each recipient with their individual public keys.

Public Key Encryption

Public Key Encryption (PKE) is a foundation of most blockchain applications. Users have a public key (like a Bitcoin wallet address) and a private key (like the password to that wallet). A user can interact with other users on the network by sending them an encrypted message (like an amount of bitcoin). The sender uses the receiving party’s public key to encrypt that message. Only the receiving party, who controls the private key, can decrypt that message.

NuCypher uses a form of PKE called Proxy Re-encryption, which uses a semi-trustless third-party called "the proxy" to transform encrypted data to another receiving party. The proxy, a service provider on NuCypher’s network, can do this without knowing what the original encrypted data was. This is known as Proxy Re-encryption (PRE).

Software development makes use of software libraries to solve common problems. NuCypher intends to be the default solution for Key Management Systems for decentralised applications (dApps) by using PRE. It's a distributed network that can perform re-encryption when access is granted to certain data.

Proxy Re-Encryption

There are two types of proxy re-encryption: interactive and non-interactive. An interactive re-encryption scheme means the re-encryption key is computed out of two secret keys. Non-interactive means you need the owner’s private key and the receiving party’s public key. NuCypher intends to use Umbral which is a non-interactive scheme. Interactive proxy re-encryption won't be used on the network.

NuCypher features access control for one to many. Proxy re-encryption is used to delegate decryption rights to others on the network, and also allows the owner of the data to revoke access.

Non interactive

Alice has a public key, private key, symmetric key and a document that she wants to store in encrypted storage so that she can securely share it in the future.

Alice encrypts the data that she wants to share with a symmetric key.

The symmetric key is then encrypted with Alice's public key.

The encrypted data and encrypted key are then stored. The storage can either be a centralized system like S3 or dropbox, or a decentralized system like storj or IPFS.

When Alice wants to share the encrypted file with Bob she creates the re-encryption key from her private key and Bob's public key.

The re-encryption key is split so that if a number of pieces greater than or equal to the threshold are presented then the re-encryption key can be reconstructed.

The pieces of the re-encryption key are shared across multiple proxies.

Bob downloads the encrypted data file and the encrypted key.

Bob sends the encrypted symmetric key to the Ursula proxy nodes to be re-encrypted.

Each Ursula node uses their portion of the re-encryption key to re-encrypt the encrypted symmetric key for Bob's private key. Each fragment contains no information about the underlying key. If a piece was leaked there is no damage as each part is perfectly secret.

The Ursula nodes return the re-encrypted symmetric key pieces to Bob.

Bob reassembles the re-encrypted symmetric key.

Bob uses his private key to decrypt the symmetric key.

Bob is able to decrypt the encrypted data with the symmetric key.

Governance

There are several methods to govern protocols:

  • Foundation (Representative democracy)
  • Node voting (Democracy)
  • Private company (Dictator)

Changes to the Bitcoin protocol are made by a foundation. This can result in political infighting, delaying changes or splitting the community when a fork is made to the protocol.

Dash is a cryptocurrency that allows major nodes on the network to vote on changes. This leads to relatively quick actions based on what the majority of the stakeholders want.

NuCypher has modelled their governance on ZepplinOs which allows nodes to vote on changes to the smart contract.

The contents of a smart contract cannot be updated once it has been written to the blockchain. As requirements change over time, NuCypher’s functionality will need to be updated. If all of the functionality was in one smart contract then deploying an update would be writing a new smart contract to the blockchain.

The dApps don't have to point to new smart contracts. Only NuCypher miners will be affected by smart contract updates.

NuCypher splits its functionality into three separate smart contracts.

The role of the Dispatcher smart contract is to:

  • Provide a constant smart contract address for dApps to call on when they want to use NuCypher
  • Pass on the dApp calls through to the contract that holds the functionality
  • Store the smart contract address of the current version of the NuCypher functionality contract
  • Update the address of the NuCypher functionality contract

The role of the Functionality Contract is to:

  • Contain the functionality of NuCypher in its most up to date version

The role of the Government Contract is to:

  • Accept votes from the government dApp, which allows nodes to vote on changes to any of the smart contracts and functionality of NuCypher
  • Update the Contract Version stored in the Dispatcher

This separation of responsibilities means that the protocol can be updated without the businesses that are built on top of it having to make any changes - it’s all handled automatically by the smart contracts. The image below shows how this appears before and after an update.

Note that the Nodes don’t need to make any change either, as they still make the call to the same dispatcher contract.

Economics

To become a Provider, a computer must stake NU tokens. This bond gives the user the right to run a node that can do work to earn tokens. If a Provider is found to be attacking or manipulating the network, they forfeit the bond and lose the right to do work.

Miners are paid for providing the re-encryption service and making themselves available to re-encrypt the data.

ICO Sale

NuCypher have not yet announced details of their sale or whitelisting process.

They have advised that all interested participants join their open Telegram, news-only Telegram channel, or their mailing list. Subsequent steps will be announced via all three.

There has not been a public presale, although there has been a private pre-allocation funding round completed already.

Caps will be set at or above the required minimum staking to run a node.

 

ICO start date

(tbd)

ICO end date

(tbd)

Cap

(tbd)

Whitelist

Yes

KYC

Yes

Pre-sale

Yes

Restrictions

(tbd)

Individual Caps

(tbd)

Bonuses

no

Supply

(tbd)

Available to crowdsale

(tbd)

Team Composition

MacLane and Michael started working together in March 2015. The team went through Y Combinator S16. They started by building ZeroDB in 2016, an end to end encryption database. They pivoted from ZeroDB when their main customer, banks, wanted to perform more complicated computations on the stored data. The team has brought a new level of security to popular big data tools Hadoop and Kafka by releasing open source NuCypher integrations.

Leadership

MacLane Wilkison

CEO

Previous leadership experience

None of record

Exp on public blockchain projects

4 years

Bluechip tech company exp

None on record

Tier 1 blockchain exp

None on record

Michael Egorov

CTO

Previous leadership experience

None of record

Exp on public blockchain projects

3 years

Bluechip tech company exp

LinkedIn

Tier 1 blockchain exp

None on record

Technical Team

David Nuñez, PhD

Cryptographer

Exp on public blockchain projects

2 years

Experience programming

9 years

Bluechip tech company exp

None on record

Tier 1 blockchain exp

None on record

John Pacific

Cryptographic Engineer

Exp on public blockchain projects

8 months

Experience programming

3 years

Bluechip tech company exp

None on record

Tier 1 blockchain exp

None on record

Justin Myles Holmes

Engineer

Exp on public blockchain projects

7 months

Experience programming

10 years

Bluechip tech company exp

Django Contributor

Tier 1 blockchain exp

None on record

Sergey Zotov

Consultant

Exp on public blockchain projects

1 year 5 months

Experience programming

9 years

Bluechip tech company exp

None on record

Tier 1 blockchain exp

None on record

Kieran Prasch

Engineer

Exp on public blockchain projects

7 months

Experience programming

5 years

Bluechip tech company exp

None on record

Tier 1 blockchain exp

None on record

Advisers

Prof. Dave Evans

Adviser

Cryptography Research

18 years

Prof. Giuseppe Ateniese

Adviser

Cryptography Research

18 years

John Bantleman

Adviser

Entrepreneur

35 years

Tony Bishop

Adviser

Datacenter Technologist

25 years

Media

Similar technologies and projects

There are four approaches to using private data with blockchain technology: off-chain sMPC, private blockchain, zero knowledge proofs and hash reveal. Each approach has limitations. Off-chain sMPC has a communication overhead for communicating between the nodes. Private blockchains lose public accountability and are not able to function in a trustless environement. Zero knowledge proofs are unable to provide safe delegation of data. The hash reveal pattern requires all of the parties involved in the transaction to be online at the same time.

A centralized system has the risk that a hacker could gain access to the re-encryption keys. It also requires that you trust they have implemented the proxy re-encryption correctly, NuCypher on the other hand is open source. A centralized system can be censored by third parties where as NuCypher can not. Centralized services can be threatened or sued by a government or company into compliance where as a de-centralized service can not.

Similar projects include:

Besafe.io

Besafe is a centralized proxy re-encryption service

-

Avg. score from analysts

-

Coinremix's action