Thierry Van de Velde​  Consulting Technology Specialist at Nokia www.linkedin.com/in/thierryvandevelde All Articles by Thierry Van de Velde​

How to contribute your article to Netmanias.com !           List of Contributors

1. Introduction

The surge of the Bitcoin and other cryptocurrencies throughout 2017 has drawn wider attention to the beneficial properties the underlying blockchain technology: collective validation of transactions and blocks, erasing old transactions, data immutability, privacy of coin owners, and the limited number of possible blocks (hence new coins) over time [1].

The other side of the coin is that cryptocurrencies may have become the largest waste of resources in the history of computing.  The vast majority of compute power is indeed spent on attempting random numbers (Nonces) in the transaction block header, in the hope to find a hash fulfilling a stringent difficulty condition.  The proof-of-work is a proof-of-wasted-work.

Although cryptocurrencies were originally invented to pay for goods and services, lately they are being mined for their face value and converted in currency issued by central banks.

On the other hand, the Internet of Things (IoT) is in need of a digital identity for each connected object.  Indeed, today’s identities (cellular SIM, Bluetooth MAC address, LoRa AppKey…) are identifying the modem (transceiver) or network adapter rather than the connected object itself.

For the IoT such unique and sufficiently scarce digital identity should be cheaper to generate and distribute than a cellular SIM card, burnt-in MAC address or keypair with security certificate, for example.  It should no longer rely on a central authority issuing IMSI or MAC address ranges.  And it should be as easy to sell and buy as cryptocurrency. 

2. Harvesting existing cryptopower

Encryption technology is useful, ubiquitous and economically productive.

Today IPSec guarantees the privacy and integrity of 4G LTE traffic, of teleworkers accessing their enterprise VPN, of SD-WAN networks, of voice calls over untrusted Wi-Fi networks, etc.

Transport Layer Security (TLS) is supported by nearly 90% of websites worldwide, by nearly all Apps on smartphones and tablets, and is even applied to datagram protocols (UDP besides TCP). 

In addition, access-layer ciphering is applied over the air interface in 2G-3G-4G cellular networks, most Wi-Fi networks (WPA2), and even in Bluetooth PAN.

Unfortunately to date nobody has harvested the proceedings of this massive cryptopower.  I.e. nobody has inspected whether 

• the shared key K resulting from Diffie-Hellman exchanges or
• the Integrity Check Vector (ICV) confirming the integrity of the Encapsulating Security Payload (ESP) packet
• the Message Authentication Code (MAC) confirming the integrity of TLS Record Protocol or other protocols 

… fulfill a stringent difficulty condition when generated for a scarce message M being sent and received.

If the parameters of the security association (Diffie-Hellman values etc.) could be stored together with such scarce message M they would constitute a new Unique Persistent Digital Identity, in this paper named the “Telecoin”.  An identity which, just like cryptocurrency, 

• could be generated in isolation (“mined”) without central authority (*1*) 
• could be stored in an immutable blockchain against an owner (*2*)
• could be sold to a next owner, also as a transaction in the blockchain
• would provide access to improved secure services compared to nodes not presenting such valid Telecoin: better bandwidth, access to private networks, voice, streaming services, digital content, government services and much more

*1*  Unlike a SIM card’s IMSI + secret Ki, the Public Key certificate for a private key, or a burnt-in MAC address, which must be issued by central entities eventually delegating ranges to Mobile Network Operators (MNO), Certification Authorities (CA, SubCA) or Network Interface Card (NIC) Manufacturers, respectively
*2*  Whose privacy could be protected, just like in the case of the Bitcoin

3. Telecoin for IPSec

The Telecoin for IPSec [2] consists in its most basic form of the Diffie-Hellman (D-H) generator g, prime p and private value a yielding a public Diffie-Hellman value A satisfying a difficulty condition Di (for the Initiator).

In Nokia’s patent application

• the Initiator still picks its Nonce Ni randomly but
• the Responder (*3*) signals its support for Telecoin by no longer picking a random Nonce Nr, but as pseudorandom function of at least A and Ni

(other methods could be envisaged to signal it)

*3*  E.g. a Security Gateway (SeGW), evolved Packet Data Gateway (ePDG), VPN Gateway, SD-WAN node, etc.

A Telecoin can be completed with Ni, SPIi, SEQi and PAYLOADi (scarce message M) of an ESP packet (Encapsulating Security Payload) with Integrity Check Vector (ICVi) satisfying Di.  It then becomes the vector (g, p, a, Ni, SPIi, SEQi, PAYLOADi) as the private identity and (g, p, A, Ni, SPIi, SEQi, PAYLOADi) as the corresponding public identity.

4. Restricting the number of valid node identities

In the past, there had been attempts to limit the number of valid node identities for IPSec Security Associations by using the IPv6 Cryptographically Generated Address (CGA) [4] [5] as the node identity (IKE IDi and/or IDr).

However, a better approach is, as in Nokia’s patent application [2], to impose the difficulty condition:

• already on the Initiator’s Public D-H value, allowing e.g. to reject DDoS attacks of rogue Initiators picking random D-H values, or not possessing the private value corresponding to the public value
• and optionally on the Shared Secret D-H value K, bringing benefits which we’ll detail in the next sections

With Telecoin the IKE IDi and IDr fields can then continue to be used to announce the Initiator’s and Responder’s real identities, as in today’s implementations.

5. Not imposing any difficulty condition on a shared secret

Let’s imagine that Alice and Bob would set up an IPSec Security Association (SA) using a Telecoin only relying on a difficulty condition Di imposed on Alice’s public D-H value A.  Alice would then mine or purchase a private D-H value a resulting in A fulfilling Di, for example A < Di. A would then be numerically small enough in an attempt to limit the number of possible records in the blockchain (*4*).

*4*  Throughout this article we will use the simple difficulty condition that numbers shall be smaller than each other, although other difficulty conditions could be imagined later which are less trivial for everyone to check

Alice and Bob could store their telecoin in the blockchain using A and B as their public “identities” (in the sense of the blockchain), without however revealing their private “identities” a and b.

In this scheme, no difficulty condition would be imposed on shared secret K or security keys SK – the security material derived from K, Ni and Nr (e.g. authentication key SK_ai for the calculation of ICVi).

A mining transaction would consist of Alice and Bob finding message M which, when authenticated via SK_ai, resulted in an ICVi fulfilling difficulty condition Di.  Other security material should not be revealed, certainly not SK_ei for encryption. 

The blockchain’s Voters would be able to validate each transaction by assessing that ICVi is indeed produced by applying SK_ai on M.

A first problem would occur in that an indefinite number of values B could be stored against A in the blockchain, affecting the desired scarcity and economic value of the record {A, B, SK_Ai, M, ICVi}.

Secondly and worse, the Voters would not be able to assess possession of the private keys (a, b, c and d).  An attacker could pick A < Di and B randomly, and store any combination of SK_ai, M and ICVi against A and B.

Although multiple loyal miners (including Cate and Don) would honestly store their telecoin against their public identities {C, D, SK_ai’, M’, ICVi’} the attackers would create fake records starting with Cate and Don’s public D-H values.

6. Imposing a difficulty Condition on a shared secret

Let’s thus correct this situation by imposing a difficulty condition on B or K, as in Claim 5 of  Nokia’s patent application [2].

Bob would now mine for b to result in K < Dr or in B < Dr, the former being preferred in that it would not reveal the use of a telecoin to eavesdropper Eve.  

In this case let’s thus assume that K < Dr. The blockchain voters would validate this condition, which may become increasingly stringent over time.  IKE responders would provide better service to sessions with lower K.

The record published in the blockchain would now be {A, B, K, Ni, M, ICVi} - revealing the full security material used by Alice and Bob’s SA (*5*), as well as the best M with lowest ICVi they found during their exchanges.  The only way Alice and Bob could restore the security of their exchanges is by picking a new Ni* (not shown).

*5*  Before any IKE rekeying occurred. The IKE SKEYSEED = PRF’(K, Ni, Nr) and Nr = PRF(A, q, p, Ni)…

In the blockchain Cate notices an attractive value K providing access to great services, and Alice owns the record with to date the lowest ICVi value for K.  In other words that M is the magic, most scarce message ever found for K.

Depending on the economic value of K and the relative ease to mine for M (*6*), Cate would make Alice an offer to start mining on K.  In return for the money or other benefits (*7*) Alice would reveal her secret D-H value a to Cate.  Cate would verify that A is indeed the public D-H value corresponding to a.

*6*  ICVi not too low yet…

*7*  In a possible scenario Cate would only need to pay Alice if she’d find a better M’…

Don would make a similar offer to Bob, who’d reveal b to him, which Don would verify against B.  If Don and Bob are in the same organization that response may be instant, allowing subsequent IKE responders to immediately acknowledge SA from Telecoin owners.

Cate should select a new nonce Ni’; the penalty for not doing so would be that her SA would no longer be secure.

As soon as Cate and Don would find a better message M’, they would not only store it in the blockchain as {K, Ni’, M’, ICVi’}, but they would transfer ownership of K to themselves, by signing the transaction [C, D, K] with private values a and b, thus adding signatures Sa and Sb.  The complete transaction record would be {C, D, K, Sa, Sb, Ni’, M’, ICVi’}.

Blockchain voters would assess that

• ICVi’ is correct in {K, Ni’, M’, ICVi’}
• ICVi’ is indeed lower than ICVi, the integrity check vector of K’s previous owners with public values A and B
• [C, D, K] is indeed signed by Sa and Sb, confirming Alice’s (represented by A) and Bob’s (B) agreement to sell ownership of K to Cate (C) and Don (D)

The transfer of K would not be irreversible.  Alice and Bob could make an offer to Cate and Don to continue mining for K, however for a lower amount, since it’s more difficult now to find a better {Ni*, M*, ICVi*}.

7. Telecoin economy

In the Telecoin economy, Communication Service Providers (CSP) adapt the services they offer to the value of the Telecoin presented by the end user.  In return for a high-value Telecoin the visited Service Provider may offer more bandwidth for Internet access, but also voice over IP, conferencing applications, platforms configuring and monitoring the Internet of Things, access to exclusive local video content, to Mixed Reality servers etc.  

At the basis and by global convention, users 

• presenting Telecoins with the lowest value K shall obtain the best resource Allocation & Retention Priority (ARP)
• sending magic messages with the lowest ICVi (integrity check vector of initiator) shall obtain the highest bandwidth.  

The CSP’s ePDGs (evolved Packet Data Gateways) shall thus divide the limited overall bandwidth with an algorithm based on the ICVi presented by each User Equipment.

Today’s three income sources of CSPs (invoices to own subscribers, prepaid users and invoices for inbound roaming) are thus replaced with the income from mining and selling Telecoins in the Telecoin economy.

A Telecoin CSP may thus act as Alice and Bob in the previous section, mining for low values A and K, and selling their users (Cate) the chance to find a lower ICVi for K, on his own network (Bob) or on any third-party network (Don).  

While Telecoin CSPs select the D-H algorithm, the mining activity of A and K may be outsourced to different organizations, although mining in isolation could be more capital-consuming than harvesting the proceedings of existing telecom networks.

The Telecoin scheme natural incentives for Initiators to mine for:

• private D-H values a for which the public D-H value A = g^a mod p satisfies difficulty condition Di; those are the only values admitted to the blockchain
• Ni’ and message Mi’ achieving ICVi’ < ICVi, the previous best for {A, B, K}

Responders wishing to attract traffic and sell services are incentivized to mine for:

• corresponding private D-H values b achieving the difficulty condition for K = A^b mod p < Dr, rewarding the senders for accessing their services
• message Mr’ achieving ICVr’ < ICVr (*8*), the previous best for {A, B, K}, thereby proving their trustworthiness to Initiators wishing to avoid honeypots, rogue organizations not respecting privacy, or not firewalling their users well enough from the attacks of the public Internet

*8*  Not shown on the diagrams in this paper

Indeed, 

• a low K provides access to better services, attracts helping miners offering $$$ without even having the guarantee to find a better ICVi
• A low ICVi guarantees long-term ownership of K despite the owner already having cashed in several offers; it thus guarantees higher economic value too

Contrary to a Bitcoin, the ownership of a Telecoin may be shared between an Initiator (e.g. the Subscriber) and a Responder (e.g. a Service Provider), thereby guaranteeing a stronger bond, a partnership to mine for better Telecoins jointly.  

Whether ownership of a Telecoin is shared with a certain Responder (*9*)  depends on factors such as whether 

• the PRF to calculate Nr is specific to a Responder (or group of Responders)
• Bob is revealing the private value b to anyone for free, or in return for a roaming agreement between Don’s visited network and Bob’s home network, or in return for big $$$

*9*  Or across all Responders and then in fact only owned by the Initiator

It is our conviction that the Telecoin will be able to replace all off today’s known identifiers of connected Objects, including SIM cards, PKI certificates, Burnt-In MAC addresses and more.

The Telecoin also has huge potential to protect intellectual property, where the message M is the content being shared by an author Alice to a licensee Bob.

Finally, the Telecoin has the potential to replace cryptocurrency and central-bank-issued currencies.

Economic models for the use of Telecoin are being discussed on-line [6] [7].

8. Other embodiments

The use of Elliptic-Curve Diffie-Hellman (ECDH) instead of normal DH is covered by the main patent [2].  As well as the use of Groups, Zones and Time periods (G, Z, T) to restrict the validity of a Telecoin to e.g. a group of Objects of a type or vendor; to a geographic or logical zone; or to a period such as the decade 2020-2029.

Telecoin also exists in a TLS variant [3] hence could be widely adopted by adapting TCP daemons (tcpd).  TLS is the dominant protocol on the internet today.

Other variants could be developed for WPA2 (IEEE 802.11i in Wi-Fi chipsets), cellular air interface encryption protocols, or higher-layer protocols (HTTP…).

9. References

[1] Bitcoin: A Peer-to-Peer Electronic Cash System, https://bitcoin.org/bitcoin.pdf

[2] “Method to generate and use a unique persistent node identity, corresponding initiator node and responder node”, Thierry Van de Velde, European Patent application 16290189 filed by Alcatel-Lucent on 29/9/2016, today owned by Nokia

[3] “Transport Layer Security (TLS) based method to generate and use a unique persistent node identity, and corresponding client and server”, Thierry Van de Velde, European Patent application 16290250 filed by Alcatel-Lucent on 23/12/2016, today owned by Nokia

[4] “CGA as alternative security credentials with IKEv2: implementation and analysis”, Jean-Michel Combes, Aurelien Wailly, Maryline Laurent, 30/10/2012, https://hal.archives-ouvertes.fr/hal-00747186/document

[5] “Cryptographically Generated Addresses”, IETF RFC 3972, https://tools.ietf.org/html/rfc3972 and https://en.wikipedia.org/wiki/Cryptographically_Generated_Address 

[6] “The IoT : Identification of Things?”, Thierry Van de Velde, Netmanias Tech-Blog, 01/03/2017, https://www.netmanias.com/en/post/blog/11446/iot/the-iot-identification-of-things 

[7] “An Economic model for the Internet of Trust”, Thierry Van de Velde, Netmanias Tech-Blog, 2/11/2017, https://www.netmanias.com/en/?m=view&id=blog&no=12831