The DEDIS lab at EPFL worked on a novel blockchain system called OmniLedger. It uses Calypso to provide decentralized access control including secure storage of data on a blockchain. This combination has the following characteristics:
- OmniLedger builds on byzcoin, a permissioned, public blockchain which uses little energy. Contrary to other permissioned blockchains, it still allows public access
- Decentralized Access Rights Control, or DARC, which allows users to control their own identity. Also administrators can setup groups of users and groups of groups. All without the need for a central authority
- Calypso adds a decentralized encryption layer so that users can store their data encrypted on the blockchain. Combined with DARCs, this gives users the ability to handle their own consent management
The DEDIS lab, together with C4DT, is running a network of nodes on the public internet. These nodes create a new block every 5 seconds. Contrary to Bitcoin and Ethereum, the block creation is handled by a pre-defined set of nodes. This means that byzcoin doesn’t need proof-of-work. Every new block is accepted if 2/3 of the nodes agree it’s a valid block. So, contrary to proof-of-work blockchains, every new block is final and cannot be invalidated.
Decentralized Access Rights Control – DARC
DARCs is a group-management on steroids that allows decentralized administration and delegation of identities. It is different from common group administrations in two ways: first, there is no central handling of the links between identities and groups, and second, groups, identities, and access control rules are the same structure. The decentralization allows to use the same identiy for different services, while keeping the same interface for the user. Using the same structure allows to delegate all rules and to mix them as needed.
Calypso is a re-encryption service that allows to store information encrypted on the blockchain. The access to this information is controlled using DARCs. This allows for a secure handling of private data by a blockchain. Also, the user can verify who accessed his data.
To use it, a user encrypts his data to the group public key of Calypso. Then he creates a DARC and adds all allowed users to this DARC. If one of the users in the DARC wants to decrypt the data, she needs to do the following:
- Create a proof in OmniLedger that she has access
- Send this proof to the Calypso re-encryption service, together with her public key
- Decrypt the data using her private key
The data stays always encrypted as long as it is on the public network. Only the original, and the final decryption at the reader, are in clear text.