1 Introduction

There has been no shortage of hype around “the blockchain.” Its publicity has been tied to the rise of cryptocurrencies, from humble beginnings in 2008 in the cryptography community when the idea for Bitcoin was launched to its association a few years later with the illicit trade of drugs on the dark web [1]. The hype reached a frenzy in 2017 as cryptocurrencies rallied, culminating in the absurd as small public companies raced to capitalize by adding blockchain to their name. One now-infamous case is that of Long Island Iced Tea Corp, which announced in December 2017 that it was leaving its ready-to-drink tea business to invest in blockchain technology and changed its name to Long Blockchain; its stock soared by 500% in a day [2]. By January 2018, the U.S. Securities and Exchange Commission was warning public companies against abrupt shifts in names or business strategies to take advantage of crypto and blockchain hype [3]. Even though there are many today who still conflate Bitcoin with blockchain, there is a wider understanding that blockchain is the digital ledger platform underpinning cryptocurrencies, which has wider applications than digital currencies. As noted by one FT reporter, “Blockchain is to Bitcoin, what the internet is to email. A big electronic system, on top of which you can build applications. Currency is just one” [4].

Blockchain is a type of distributed ledger technology (DLT). A blockchain is a series of “blocks” in which transactions are grouped and linked together, but not all DLT platforms use blocks. The appeal of DLT is rooted in its ability to establish an immutable system of records management with consensus, and without reliance on a centralized system. DLT creates a shared reality among parties in a way that lowers uncertainty and builds confidence by: (1) providing participants access to the same copy of records at a specific instant; (2) ensuring that transaction history cannot be changed (immutability); and (3) permanently persisting records in a way that allows provenance and auditing (auditability) [5]. Major players in the finance, health, and logistics sectors have been testing the technology to understand its potential and many are employing DLT in their global operations.

This chapter introduces the concepts and characteristics of DLT platforms and how the development of DLT has propelled use cases for permissioned platforms across enterprises globally. It then describes how DLT works, its main features and its benefits, and concludes by providing examples of how the technology is used at the government and industry level.

2 What is Distributed Ledger Technology?

DLT is a set of technologies that enable a consistent representation of data across multiple nodes without a central authority. DLT enables a distributed record or “ledger” in which transactions are stored in a permanent, immutable way with cryptographic techniques, ensuring consistency, provenance, and auditability across the entire ecosystem. Transactions can be easily audited as they are time-stamped and “hashed”: a hash is essentially a digital fingerprint that interlinks transactions as they are appended to the ledger.

Essentially, DLT is a database that:

(i) enables a network of independent participants to establish a consensus around (ii) the authoritative ordering of cryptographically validated (“signed”) transactions. These records are made (iii) persistent by replicating the data across multiple nodes, and (iv) tamper evident by linking them by cryptographic hashes. (v) The shared result of the reconciliation/consensus process—the “ledger”—serves as the authoritative version for these records [6].

A distributed ledger is decentralized, removing the need for a central authority to process, verify or authenticate transactions. Centralized ledgers on the other hand have one central authority. The difference between the two types of ledgers is described in Fig. 1.

Fig. 1 Centralized ledger versus a distributed ledger [7]

3 Features of Distributed Ledger Technology

The main features of DLT include hashing, immutability, peer to peer protocols, and consensus.

Hashing

The hashing algorithm was invented in the 1940s by Hans Peter Luhn, who created a machine and schemes for parsing information that were designed to work for words and sentences [8]. Today, hashing forms the basis of data authentication and security [9]. Hashing is a one-way function that can be applied to any string of input characters to generate a specific fixed-length output—whether numbers, text, whole documents, large files like videos, or even an entire operating system [10]. Its security value is its unidirectional process whereby anyone can confirm content hashes to a certain value, but it is impossible to derive the original content from the hash. Figure 2 outlines the hashing function.

Fig. 2 Hashing [7]

Immutability

Each block stores the hash of its predecessor, serving as a type of DNA strand that connects each transaction and block on the blockchain. Hashing, coupled with the append only structure of DLT, provides for immutability in which a transaction cannot be changed after it is recorded on the ledger as depicted in Fig. 3. If Transaction A was modified to Transaction A’, then Block 2 would be stored as #A’BCD which would no longer correspond to the previous hash in Block 3.

Fig. 3 Immutability [7]

Peer-to-Peer (P2P)

In its simplest form, a peer-to-peer network is created when two or more devices are connected and share resources without going through a separate server. The concept of peer-to-peer networking has been around since 1969, but the first dial-up P2P network, Usenet, was created in 1980 as a worldwide internet discussion system [10]. DLT uses P2P to avoid the prevalent server–client structure by allowing network participants to exchange data that is verified and stored by the network. DLT’s P2P architecture allows all transactions to be transferred to all network participant nodes, where each keeps a complete copy of the ledger and compares it to the other nodes to ensure that the transaction is accurate [11]. P2P networking is a distributed architecture as opposed to the traditional server-based architecture as depicted in Fig. 4.

Fig. 4 Server-based network versus P2P network [7]

Consensus

Consensus protocols are the rules and methods by which transaction validation is settled on by nodes in a distributed ledger. Consensus is the trust mechanism for authentication and access controls. Early protocols developed in the 1980s and 1990s relied heavily on a cryptographic primitive known as ‘Chaumian Blinding’ which is the method of performing a transaction without having to know who is present from both sides of the transaction, including the time and content. Chaumian Blinding was invented by David Lee Chaum and published in the paper “Blind Signatures for Untraceable Payments” in 1982 [12].

Early attempts at developing digital currencies led to advances in consensus, with algorithms developed to limit denial-of-service attacks (such as that used by Hashcash in 1987) [13] or to use computing power to solve cryptographic puzzles, which were time stamped and added to the next puzzle to form a chain of records, as with Bit gold, which was launched in 1998 [14]. Its founder Nick Szabo also proposed “a solution to secure namespaces and similar problems as well as the problem of securely recording agreements on traditional property rights” and “how new developments in replicated database technology allows for the secure management and transfer of ownership for a wide range of property” [15]. Wei Dai also published a paper titled “b-money, an anonymous distributed electronic cash system” in 1998, which identified the core concepts later adopted by Bitcoin and other cryptocurrencies, such as solving computational puzzles and decentralized consensus [16], but it was limited in explaining how decentralized consensus could be implemented [17]. With Bitcoin, financial incentives were added for maintaining the connected copies of the ledger, which became the foundation for the proof of work consensus [18].

These advances in turn helped to evolve DLT platforms into three different categories based on how consensus is organized: open/permissionless, permissioned, and hybrid.

Open DLT platforms are open to the public, allowing anyone to participate. Many public cryptocurrency platforms including Bitcoin use a “Proof of Work (PoW)” consensus as noted above in which a node validates the next block by being the first to solve a computer-intensive puzzle. The likelihood of a new block being validated depends on the computing power assigned to the task. The node (miner) will get a certain amount of crypto assets or transaction fees as a reward for validating a block. Because the miners get incentives, they support and secure the network, allowing it to become profitable rather than attacking it and making it unprofitable. Another consensus mechanism, “Proof of Stake (PoS)” is a method where, instead of PoW’s energy intensive computations, an established stake in a specific distributed ledger system is used to achieve consensus. Nodes involved in the consensus method are compensated by collecting transaction fees included in each block that they are the first to successfully validate.

Permissioned DLT platforms restrict access to a specific set of participants. Permissioned, enterprise platforms are rapidly advancing as more enterprises/consortiums are developing them to meet specific scalability and governance requirements within different business models and their global operations [24]. For example, Hyperledger Fabric uses “endorsement policies” in which a set of policy requirements guide the acceptance of such transactions by network users. Indeed, Hyperledger Fabric [19] is one of the most well-known and widely used systems for deploying and operating permissioned platforms. Launched in 2015, Hyperledger was put under the Linux Foundation when many organizations wanted to achieve more by working together to create open-source frameworks, tools, and libraries for enterprise blockchain solutions [20]. It provides an option for allowing only approved parties to replicate data on the platform, providing the benefits of DLT for decentralized consensus, immutability, data integrity and authentication [21]. Circulor, one of the use cases discussed in the case study section below, uses Hyperledger Fabric.

Consensus mechanisms in permissioned platforms are faster and more energy efficient than for open platforms. Since security is managed by access control, permissioned ledgers need less processing resources to maintain consistency, and the benefits of speed and reliability are likely to be maintained. For example, Bitcoin can process transactions at a rate of five to a maximum of seven tps (transactions per second). If the transaction is complex, with five inputs, the rate is two tps, but theoretically ten tps, and the transaction must wait for a new block to be processed, which could take up to ten minutes. A permissioned DLT framework such as Hyperledger Fabric can process 20,000 transactions per second [22], while Guardtime’s KSI can process billions per second [23]. However, new permissionless blockchain platforms such as Avalanche and Algorand, both for decentralized finance, are on the rise, with tps exceeding 1000. Avalanche is a new blockchain network developed by Ava labs that employs a proof of stake consensus mechanism to achieve high throughput, which is expected to exceed 4500 tps [24]. On the other hand, according to the company website, Algorand is “the world’s first pure proof-of-stake foundational blockchain designed for the future of finance,” [25] and it aims to increase throughput to 46,000 tps from 10,000 tps [26].

Guardtime’s KSI is the platform underlying Estonia’s e-government system. Guardtime was founded in 2007, the same year that cyber-attacks on Estonia took down government communications, banking services and media outlets. In 2008, Guardtime was contracted for certifying the integrity of the digital registries and repositories [27], and by 2012, Estonia became the first nation to adopt DLT as a layer within its government structures.

Open DLT platforms and permissioned platforms both use distributed data structures and consensus to validate transactions but with different assumptions to solve different sets of problems. The Bitcoin blockchain for example solves the issue of double spending while Guardtime focuses on governance, applying DLT at an operational level beyond cryptocurrency.

Hybrid distributed ledger platforms combine the privacy advantages of a permissioned distributed ledger system with the protection and accountability advantages of permissionless distributed ledger systems. This gives organizations flexibility in deciding what information they want to make public and what information they want to keep private [28]. Governments, for example, can use hybrid DLT in a voting system [29] where they can verify a voter or auditor prior to participation while also making the voting system transparent and publicly auditable. For example, Voatz was used in West Virginia during the 2018 U.S. midterm elections, [30] by Denver County during the 2019 US Municipal Election, and by Utah County during the 2020 US Presidential Election [31].

Figure 5 outlines the main differences between open and permissioned DLT platforms.

Fig. 5 Public open platform versus private permissioned platform [7]

4 What is in a Block?

A block is composed of a block header and records of transactions. The block header contains the block number, the current timestamp, which captures the date and time to ensure a record of the chronological sequence, the hash of the previous block, which links the blocks together, and the hash of what is called the “Merkle Root,” which allows easy composition and verification of larger data sets of transactions.

In public DLT platforms, a block header includes the “nonce,” a random sequence of numbers that the miners must find to validate the blocks. It refers to the first number a blockchain miner needs to discover and include in a block [32]. Miners stop calculating the nonce once they find one that works, allowing them to submit their block for approval by the rest of the nodes. It is important to note that a nonce is difficult to calculate which in turn makes it difficult to work out a block with different data and ruin consensus. It is also considered a way to cut out the less talented miners from the system [33]. To provide an additional level of security, permissioned DLT platform nodes include an access-control layer. In addition to the other components of a block, digital signatures are an important component used to prove transaction ownership.

The first block in any blockchain-based protocol is called the genesis block. Every block other than the genesis block stores a reference to the previous block; the technology uses cryptographic signatures (hashes) to facilitate this. Figure 6 outlines the contents of a block.

Fig. 6 What is in a block [7]
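The block layout and hash linking described above can be exercised directly. The following Python code is an added example, not taken from the chapter or from any DLT platform: the field names, the JSON header encoding, the rule for pairing an odd number of hashes, the timestamps and the sample transactions A to F are assumptions, and the nonce is left out as it would be on a permissioned platform.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # assumed placeholder: the genesis block has no predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compute_merkle_root(transactions):
    """Hash each transaction, then hash pairs upward until one root remains."""
    level = [sha256_hex(tx.encode()) for tx in transactions] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:  # assumed convention: duplicate the last hash on odd levels
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    number: int
    timestamp: str
    prev_hash: str
    transactions: list
    merkle_root: str = ""

    def __post_init__(self):
        if not self.merkle_root:
            self.merkle_root = compute_merkle_root(self.transactions)

    def header_hash(self) -> str:
        # Only the header is hashed; transactions are covered through the Merkle root.
        header = {"number": self.number, "timestamp": self.timestamp,
                  "prev_hash": self.prev_hash, "merkle_root": self.merkle_root}
        return sha256_hex(json.dumps(header, sort_keys=True).encode())


def build_chain(batches):
    """Create one block per batch of transactions, each pointing at its predecessor."""
    chain, prev = [], GENESIS_PREV
    for number, txs in enumerate(batches):
        # Constructed timestamps, one minute apart.
        block = Block(number, f"2024-01-01T00:{number:02d}:00Z", prev, list(txs))
        chain.append(block)
        prev = block.header_hash()
    return chain


def verify_chain(chain):
    """Return (block number, problem) findings; an empty list means consistent."""
    findings, prev = [], GENESIS_PREV
    for block in chain:
        if compute_merkle_root(block.transactions) != block.merkle_root:
            findings.append((block.number, "transactions do not match merkle root"))
        if block.prev_hash != prev:
            findings.append((block.number, "prev_hash does not match predecessor"))
        prev = block.header_hash()
    return findings


if __name__ == "__main__":
    chain = build_chain([["genesis"], ["A", "B", "C", "D"], ["E", "F"]])
    print("untouched:", verify_chain(chain))
    chain[1].transactions[0] = "A'"  # Transaction A altered after recording
    print("A -> A':", verify_chain(chain))
    # Even if the stored root is recomputed to hide the edit, the header hash
    # changes and the next block's pointer no longer matches.
    chain[1].merkle_root = compute_merkle_root(chain[1].transactions)
    print("root recomputed:", verify_chain(chain))
```

An auditor who holds only the latest header hash can detect either alteration by re-running `verify_chain` over a copy of the ledger.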

5 How DLT Records Transactions

The steps involved in transactions in a permissioned DLT are depicted in Fig. 7 [34].

Fig. 7 Transaction in a permissioned DLT platform [7]

Step 1:

A DLT transaction requires a digital asset, or a document. The transaction is requested by a participant to upload a document to the platform.

When a transaction is submitted, a key pair is generated by the requester, including a public key that is made available to other network participants. A key pair is generated only once, not every time a transaction is submitted. The requester then hashes the data to be sent, converting it into a new digital string of predefined and fixed length. The hash is signed with the private key using public–private key cryptography. The requester then transmits the digital signature to participants in the peer-to-peer network together with the plaintext data.

Step 2:

The transaction is broadcast to peer-to-peer network participants (the receivers, often called nodes) and added to an unvalidated transaction pool.

Step 3:

Receivers—in the case of permissioned blockchains, authorized nodes—validate the transaction using the requester’s public key to decrypt the transaction. A successful decryption confirms that the transaction originates from the claimed sender. The network participants can then verify the integrity of data by comparing the decrypted hash value sent by the sender with the hash value that was computed when applying the same hash algorithm on the plain data transmitted by the sender.

Validated transactions are combined with other transactions to create a block that is then validated based on the consensus protocol of the platform. If validated, the new block is linked to the chain as the “true state of the ledger.”

Step 4:

Once the transaction has been validated, it is time-stamped and linked to the preceding blocks/transactions with a “hash pointer”—a hash of the previous block/transaction—thereby forming a linear chronological chain of blocks/transactions.

The transaction is then confirmed, and the block/transaction cannot be altered or removed—thus, the block/transaction is immutable. Each time a block/transaction is added to the chain, the digital ledger is updated on all the participating nodes.
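Steps 1 to 4 can be followed end to end in code. This is an added example, not part of the original chapter or of any DLT platform's code: it uses textbook RSA without padding and constructed toy keys so that the "recover the hash with the public key and compare" check is visible, whereas a production system would call a vetted library's signature scheme. The Node class, participant names, timestamps and sample documents are assumptions.

```python
import hashlib

E = 65537  # public exponent


def make_keypair(p: int, q: int):
    """Textbook RSA key from two primes: (public, private) as (exponent, modulus)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


# Constructed toy keys built from known Mersenne primes (illustration only,
# far too small and unpadded for real use).
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**107 - 1, 2**61 - 1)


def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    """Step 1: hash the data, then transform the hash with the private key."""
    d, n = private_key
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Step 3: recover the signed hash with the public key and compare it
    with a hash recomputed over the plaintext that was received."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(data, n)


class Node:
    """An authorized node that knows the registered participants' public keys."""

    def __init__(self, registered_keys):
        self.registered_keys = registered_keys
        self.pool = []    # Step 2: unvalidated transactions
        self.ledger = []  # Step 4: validated, time-stamped, hash-linked entries

    def receive(self, sender, data, signature, timestamp):
        self.pool.append((sender, data, signature, timestamp))

    def validate_pool(self):
        results = []
        for sender, data, signature, timestamp in self.pool:
            key = self.registered_keys.get(sender)
            if key is None:
                results.append("rejected: unknown participant")
            elif not verify(data, signature, key):
                results.append("rejected: signature does not match data")
            else:
                prev = self.ledger[-1]["entry_hash"] if self.ledger else "0" * 64
                body = f"{prev}|{timestamp}|{sender}|{hashlib.sha256(data).hexdigest()}"
                self.ledger.append({"prev": prev, "timestamp": timestamp,
                                    "sender": sender,
                                    "entry_hash": hashlib.sha256(body.encode()).hexdigest()})
                results.append("accepted")
        self.pool = []
        return results


def run_demo():
    node = Node({"alice": ALICE_PUB})
    doc = b"certificate of origin #1 (constructed sample)"
    sig = sign(doc, ALICE_PRIV)
    node.receive("alice", doc, sig, "2024-01-01T10:00:00Z")               # genuine
    node.receive("alice", doc + b" edited", sig, "2024-01-01T10:01:00Z")  # data changed
    node.receive("alice", doc, sign(doc, MALLORY_PRIV),
                 "2024-01-01T10:02:00Z")                                  # signed with another key
    node.receive("bob", doc, sig, "2024-01-01T10:03:00Z")                 # not registered
    doc2 = b"certificate of origin #2 (constructed sample)"
    node.receive("alice", doc2, sign(doc2, ALICE_PRIV), "2024-01-01T10:04:00Z")
    return node.validate_pool(), node.ledger


if __name__ == "__main__":
    for outcome in run_demo()[0]:
        print(outcome)
```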

6 Operationalizing DLT

The following case studies provide examples of various DLT platforms currently being used. The first is the case of Circulor, a software company that has developed a solution for tracking raw materials and proving their provenance [35]. The second is the AURA platform, the world's first global blockchain designed to assist consumers in tracing the provenance and authenticity of luxury goods [36]. The two use cases are from vastly different fields. They do, however, share one feature: they both involve multiple stakeholders dealing with confidential or proprietary information on a global scale. They also address questions regarding various types of platforms: how to connect specific physical objects or analog resources to specific digital content or digital twins in a tamper-proof manner; how to bring clarity to opaque areas of activity; and how counterfeiting can be mitigated.

6.1 Circulor and Volvo—Tracking Cobalt from the Congolese Mines to Car Batteries

The Cobalt Supply Chain involves a complex web of highly diverse actors upstream, which is further complicated by difficult political conditions, corruption, and other general conditions, especially for foreign companies. The lack of transparency begins in the mines, where child labor and exploitation are common issues. One third of the cobalt mined in the Democratic Republic of Congo (DRC) is extracted by hand by independent miners, which represents around 20% of the global supply [37]. Cobalt is then sold to traders and large mining companies, making it difficult to know whether it comes from sustainable and ethical sources. Once cobalt leaves the mines, it passes through a number of actors and intermediaries that often cover all five continents [38]. These actors include miners, smelters, refiners, precursor and cathode producers, and battery manufacturers. As is often the case with traditional supply chains, intermediaries usually know only the immediate supplier or customer in the chain. Mistrust and competition define the relationship between the parties concerned.

Circulor pioneered its technology platform for tracking the cobalt supply chain in 2017 by combining DLT and other technologies to create an immutable chain of custody record for materials as they transform during their journey from source to end-use in a car. DLT was chosen in addition to database technology for three main reasons. Firstly (and primarily) for its immutability, given that it involves multiple parties creating a digital chain of custody. Secondly, because the chain of custody must persist through the entire circular economy of the battery (the battery passport): through in-life uses and then on to recycling. Thirdly, because the solution needs to be able to interoperate and connect with other systems and networks.

At each point of the supply chain, a different data handling system, sometimes even manual paperwork, is in place, making collaboration difficult and transparency almost impossible. Moreover, the raw materials, by their nature, are difficult to reliably tag—the material transforms on its journey from source to end-use; thus, after each transformation, a new identity must be added which inherits the origin of the material and destroys the old identity. Cobalt ore, for example, is transformed into cobalt hydroxide and is further combined with nickel and manganese at different ratios depending on the chemistry to form the precursor. The precursor is then processed into cathode and produced into cells that are then inserted into batteries or electric vehicles. The end product bears no resemblance to the original mined material.

Circulor's system provides materials with a unique identity and then tracks their flow as it changes through processing and manufacturing. The system uses IoT and tags to generate digital twins, and machine learning to detect anomalies, combat fraud, and identify supply chain weaknesses to target due diligence and compliance activities. Circulor currently uses AI for image analysis to ensure security by detecting and recognizing objects. In mid-February 2020, the Swedish car manufacturer Volvo Cars released its first fully electric vehicle, the XC40 Recharge, whose cobalt supply chain is fully traceable on the Circulor platform [39].

Given that some of the data can be sensitive, Circulor uses a private permissioned blockchain—Hyperledger Fabric—to preserve the privacy of participants as well as their data. Furthermore, Oracle Cloud Services provides enterprise-level security and in-depth authentication capabilities and is used to manage access rights and ensure security, reliability, and availability of data. Circulor’s customers and participating organizations determine the access rights of users within their organization and private channels on the blockchain ensure that sensitive data can be shared within an organization, without providing visibility to the broader supply chain network [40].

There are several options to upload data to the blockchain [40]:

  1. The data can be provided to the blockchain via system integration using RESTful Web Service Application Programming Interface (API) with security and authentication protocols. RESTful APIs are available as integration points from any existing IT system to the Circulor system to securely provide digital chain of custody information that is updated on the blockchain, serving as an immutable record of traceability and provenance. Data transmission using RESTful APIs is secured via state-of-the-art privacy protocols including the use of Secure Sockets Layer (SSL) encryption providing an end-to-end encrypted link to the customer and the Circulor system, in addition to OAuth 2.0 authentication. These measures ensure that data is protected and only visible to authorised users.

  2. Via the desktop application, data can be manually entered or uploaded.

  3. The mobile application can be used to upload data via scans and manual entry to ensure an inclusive low barrier to entry for all participants.

Circulor uses other technology to prove that the data entered into the system is correct, such as AI, GPS fencing, and facial recognition, because validation has to happen before the data enters the system. Material verification begins at source throughout the supply chain. Circulor uses DLT in conjunction with mine site inspections, GPS tracking, entry and exit scanning, verified logistics providers, facial recognition, ID checks and time tracking, which contribute to the traceability of materials from the mine to the car factory [40]. Registered users in the field are checked using facial recognition via an app. The material is registered in the system with checks on the location of origin and checks to counter the risk that the material is imported from other locations. Each material badge is tagged with a tamper-proof QR-code generated by the Circulor system. The QR code specifies the time, location, weight, person delivering the badge and the person receiving the badge. The number of QR codes issued on that day is registered. In addition, the app that scans the QR code can only be used in a predefined radius. Each anomaly is automatically flagged in the system.

The material will be transported through purchase or sorting centers to raw refining smelters, where the material (cobalt hydroxide) is processed. This product is then shipped, usually to China, for the next steps in refining. The refined material is used to make the cathode for the cells of the battery. In the mid-stream of this supply chain, data is collected directly from the production control and management systems used at each stage via the API.

In addition, Circulor uses a number of verification tests, such as elapsed time or mass balance, to check that there are no anomalies and that the chain of retention of the material is maintained to ensure that the input components of each process can be reliably linked to the output. This process takes place at every step of the battery that is eventually installed in a car. The solution needed to extend across Volvo Cars’ entire battery supply chain for electric vehicles (EV) to ensure full traceability of cobalt from source to the EV itself.

The aim was to manage the risk and demonstrate with as much certainty as possible that material was produced responsibly throughout the supply chain at every stage. Following the success of this work, Volvo Cars is now extending the use of the platform to other mining materials.

6.2 AURA—A Consortium Model Powered by Ethereum Quorum

According to official figures, counterfeit products cost the European Union's apparel, footwear, and accessories industry approximately €26.3 billion (approximately US$27.7 billion) each year [41]. According to the OECD and the EU's Intellectual Property Office, global imports of counterfeit and pirated goods are worth nearly half a trillion dollars per year, or about 2.5% of global imports [42]. In the United States and Europe, counterfeiting/intellectual property (IP) theft are federal and state crimes “that involve the production and distribution of goods in the name of another person without their permission” [43]. Counterfeit goods are typically made from lower-quality components sold at a low-cost to imitate well-known and trusted brands [43].

DLT is a better solution than traditional databases in this case because a traditional database is centrally managed by a trusted administrator, whereas blockchain is jointly owned by a consortium. Furthermore, the luxury goods industry requires a data store that can be written to and accessed by multiple parties such as luxury brand designers, manufacturers and distributors, and DLT is a more cost-effective and trustworthy solution than a traditional database. DLT also outperforms traditional databases in terms of historical tracking for auditability and transparency.

Many specialized actors are involved in the luxury goods industry, including designers, producers of raw materials, manufacturers, and distributors. LVMH Moët Hennessy Louis Vuitton, commonly known as LVMH, is a French multinational corporation and conglomerate specializing in luxury goods, headquartered in Paris, France [44]. LVMH collaborated with Microsoft and blockchain software company ConsenSys to develop the AURA platform, a hybrid DLT system aimed at serving the entire luxury industry with product tracking and tracing services based on Ethereum and utilizing Microsoft Azure [45]. With AURA, consumers can track the lifecycle of their products, from design and raw materials to manufacturing and distribution. The platform is built on Traceability Smart Contracts (ERC 721 non-fungible token standards [46]) and the AURA blockchain infrastructure, a permissioned consortium network based on Quorum to ensure no information is leaked between brands or their customers [47].

The platform is hybrid, meaning some procedures and information are kept private while others are made public. The most significant advantage of using a hybrid platform is having more control over the network. AURA runs behind the brands using it. During production, each product is irreproducible and contains unique information, which is recorded on the shared ledger. At the time of purchase, a consumer can use the brand's application to receive the AURA certificate containing all product information. It could, for example, identify an individual handbag and trace its entire lifecycle from an alligator farm to the store where it was first sold, and then multiple chains of owners who have owned and sold it [48].

The AURA platform is an example of how DLT provides transparency and a single source of truth for the consumer: it ensures the authenticity of the product, provides details on product origin and components (including ethical and environmental information), instructions for product care, and the after-sales and warranty services that are available.

7 Conclusion

Advances in distributed ledger technology over the past ten years have propelled the technology forward both in public and permissioned applications. Permissioned systems have allowed DLT to be adopted in global operations, streamlining and securing records management across consortiums while tracking supply chains and their materials. These enterprise solutions have moved DLT beyond the hype, demonstrating its ability to provide wide-ranging benefits which in turn may benefit applications for international security.

Although the use cases in this chapter are not specific to international security, they are used to manage risks to commercial supply chains that are similar to challenges faced in the implementation of non-proliferation treaties governing nuclear, chemical, and biological materials and technology where immutability, trust, and a single source of truth would benefit industry and regulators.