Sepior Threshold KMS
Blockchain Privacy Control

Sepior’s Threshold KMS Blockchain Privacy Control introduces a powerful new tool to efficiently manage confidentiality and privacy of permissioned blockchain data and applications accessed by authorized participants. Using the latest threshold cryptographic techniques, including threshold multiparty computation (MPC), Sepior™ Threshold KMS delivers the highest online ledger security and privacy available, with industry leading granularity, while also minimizing costs and complexity.

One minute video introducing Sepior Threshold KMS which provides off-chain privacy control for blockchain applications.

Sepior Threshold KMS provides fine-grained privacy control in a simple to implement and highly interoperable off-chain manner, which maximizes interoperability with other systems and future blockchain technologies.

The control to content access may be defined per user on a per document or smart contract level, or to the level of specific fields or objects within the application. The result is an agile privacy control solution with industry leading key availability, and minimum complexity and cost.


Sepior™ Threshold KMS works with virtually any blockchain technology, using the latest threshold cryptography techniques. Key management policies are fully defined and implemented off-chain, for administrative and operational simplicity.

Sepior’s patented threshold cryptographic approach, using threshold MPC, allows n number of Threshold KMS services to run on separate virtual machines that may be hosted across multiple data centers or clouds to provide maximum system resiliency. These systems use threshold MPC to confirm that at least m (a definable threshold) of these Threshold KMS services are available for MPC to produce keys used by each authorized blockchain participant to access content, without ever having a whole key exist on any virtual key management server.


Sepior™ Threshold KMS consists of:

  • n instances of Threshold KMS Services running in VMs

  • Management portal, an application specific web portal

  • SDKs for the relevant languages, including smart contract languages

  • Plugins or connectors when required (i.e., Hyperledger Fabric)

The result is that Sepior’s Threshold KMS approach:

  • Maximizes fine-grained privacy control for distributed trust across multiple organizations

  • Eliminates the need for costly hardware security modules (HSMs)

  • Supports unlimited scale and high availability using the cloud

  • Maximizes interoperability with an off-chain implementation


Enterprise Grade KMS Considerations

Permissioned access blockchains applications require confidentiality and varying levels of privacy for business purposes

  • Deny access to illicit attempts to access data or applications within the network

  • Control access by legitimate participants to access some, but not all data and applications

Fine grained confidentiality and privacy control may be required for compliance purposes

  • Confidentiality of Personally Identifiable Information (PII) recorded on the blockchain

  • Privacy with regard to the individuals involved in a transaction

Effective security and management of encryption keys are required to assure that confidentiality and privacy are sustained, and that keys are continuously available, without risk of key corruption

The use of channels with Hyperledger Fabric (a specific implementation of blockchain) allows for natively defined levels of access to specific audiences, but with increased on-chain workloads. Channels may be complex to administer in certain use cases.

  • Channels may be useful when a subgroup of participants have a lot of transactions in common, if there’s no dependency on blockchain state controlled by outside entities

  • Some have raised concerns about possible complexity and scale considerations of building, modifying, and maintaining large amounts of channels to support fine grained control

  • Off-chain key management and participant access management may be preferable, to minimize on-chain computations and flexibly adjust to changing requirements

Threshold key management services (Threshold KMS) represents a new opportunity to support fine grained access control, off-chain, with per-user privacy control, without increasing blockchain complexity or on-chain workloads

  • Threshold KMS may be implemented in conjunction with channels or other blockchain specific controls, or as an alternative form of control, providing flexibility for case-by-case optimization

Sepior™ Threshold KMS achieves these new benchmarks in performance through patented techniques using secure, multiparty computation (MPC).


Threshold KMS Features & Benefits

Enterprise-grade key management services for managing blockchain data confidentiality

  • Manage blockchain access to authorized participants

Privacy control down to the object level

  • Enables fine grained control for participant access to specific fields of data (objects) on the blockchain as may be required for business or compliance purposes

Full lifecycle key management services

  • Generate, regenerate, rotate, and retire keys as required

Audit logging

  • Providing full visibility to events and authorizations

Cross-domain IdM support

  • Flexible identity management integration

  • Supporting administration down to a per user, per group, or per organization level

Integration at the application or the blockchain platform layer

  • Allows for use case specific optimization and simplified integration

Works with any blockchain

  • Eliminates requirements to use a particular blockchain technology to achieve business and compliance objectives

Distributed trust model, using threshold cryptography with MPC to provide a distributed, virtual key management system across multiple VMs

  • Keys are generated and managed without ever producing a whole key on any key server, eliminating the potential for server key theft

  • Provides hardware security module (HSM) trust level, without the need to purchase, install, physically secure, and maintain HSM appliances

  • Provides the system resiliency of fully redundant HSM configurations, without the cost or complexity of multiple redundant appliances

Cloud-native micro services architecture

  • Automatically scale key management services up / down based on service loads

  • Eliminates dependency on a hardware appliance or dedicated VM to support scale requirements

Implemented as VMs, with no dedicated or proprietary hardware required

  • Minimizing CapEx and OpEx