The blockchain as a distributed immutable ledger is a good tool to use as a public key infrastructure (PKI). On this PKI, we can announce new public keys, sign them and revoke them. Everybody can scan the blockchain for key related announcements and nobody can remove or falsify those afterwards, without notice.
The same security properties apply to these key announcements as to the currency itself: to feed someone stale or forged key information, an attacker has to cut that receiver off completely from the distributed network. If the block headers are additionally distributed over different media (such as satellite, radio or TV), a blockchain receiver can quickly notice that one of its sources diverges from the others, and a warning can be raised that something fishy is going on.
For this implementation of a PKI on the blockchain, the bitcoin blockchain is chosen because it is backed by enough money and mining power to ensure its integrity and immutability. An alternative blockchain PKI could be implemented on Ethereum, which offers more powerful interfaces for implementing a PKI.
## Restrictions on the bitcoin blockchain
Arbitrary data can be stored in every bitcoin transaction by using a transaction output script that begins with OP_RETURN. OP_RETURN can be followed by data chunks. There can only be one OP_RETURN transaction output script in a transaction. The size of the script, including OP_RETURN, must not exceed 82 bytes. Every data chunk has its length prepended. For sizes from 1 to 75 bytes, the size field only consumes one byte.
An example OP_RETURN script with a 32-byte and a 16-byte data chunk looks like this:
    OP_RETURN 32 [32 bytes data chunk] 16 [16 byte data chunk]
which results in a script length of 51 bytes (1 byte for OP_RETURN, 1 + 32 bytes for the first chunk, 1 + 16 bytes for the second).
## Bitcoin blockchain for thin clients
Downloading the full bitcoin blockchain requires network bandwidth and storage. Mobile clients therefore use the SPV protocol to get filtered blockchain data from full nodes. For further reading consult the links in the [bitcoin glossary on SPV](https://bitcoin.org/en/glossary/simplified-payment-verification).
Every data chunk in the OP_RETURN script can be used as a bloom filter element by thin clients. That means the PKI key announcements should contain one data chunk that a thin client can add to its filter to save bandwidth.
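As an added example (not code from the original page), the following Python serializes and parses OP_RETURN scripts of the shape described above, enforces the 82-byte script limit and the one-byte push size, and shows how a thin client checks whether any chunk matches something it watches. The sample chunks are constructed for the example, and a plain set stands in for the bloom filter.

```python
import hashlib

OP_RETURN = 0x6a            # opcode byte of OP_RETURN (standard Bitcoin script value)
MAX_SCRIPT_LEN = 82         # limit on the whole script, OP_RETURN included
MAX_ONE_BYTE_PUSH = 75      # pushes of 1..75 bytes carry a single length byte

def build_op_return_script(chunks):
    """Serialize data chunks as: OP_RETURN <len> <chunk> <len> <chunk> ..."""
    script = bytes([OP_RETURN])
    for chunk in chunks:
        if not 1 <= len(chunk) <= MAX_ONE_BYTE_PUSH:
            raise ValueError("chunk of %d bytes needs a one-byte push (1..75)" % len(chunk))
        script += bytes([len(chunk)]) + chunk
    if len(script) > MAX_SCRIPT_LEN:
        raise ValueError("script is %d bytes, limit is %d" % (len(script), MAX_SCRIPT_LEN))
    return script

def script_fits(chunks):
    """True if the chunks serialize into a script within the 82-byte limit."""
    try:
        build_op_return_script(chunks)
        return True
    except ValueError:
        return False

def parse_op_return_script(script):
    """Split a script built as above back into its data chunks."""
    if not script or script[0] != OP_RETURN or len(script) > MAX_SCRIPT_LEN:
        raise ValueError("not a valid OP_RETURN script")
    chunks, pos = [], 1
    while pos < len(script):
        size = script[pos]
        if not 1 <= size <= MAX_ONE_BYTE_PUSH or pos + 1 + size > len(script):
            raise ValueError("malformed push at offset %d" % pos)
        chunks.append(script[pos + 1:pos + 1 + size])
        pos += 1 + size
    return chunks

def announcement_matches(script, watched):
    """Thin-client view: does any chunk equal an element the client watches?
    A plain set stands in for the bloom filter here (assumption for the example)."""
    return any(chunk in watched for chunk in parse_op_return_script(script))

def example_script():
    """Constructed sample: a 32-byte chunk (sha256 of a made-up key) and a 16-byte chunk."""
    pk_hash = hashlib.sha256(b"constructed public key").digest()
    extra = bytes(range(16))
    return build_op_return_script([pk_hash, extra])
```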
## PKI
Because of the limited amount of data that can be stored, this implementation of a PKI on the bitcoin blockchain uses elliptic curve keys; for ease of implementation it uses Curve25519 and the [libsodium](https://download.libsodium.org/doc/) functions.
## Mode of operation
* user creates a 256-bit master key (MK) with Ed25519 (Curve25519)
* user creates a derived 256-bit key from the master key as signing key 1 (K1)
* K1 public key (K1PK) is announced on the blockchain with 0xECA1 and 0xECA2
* user creates a derived 256-bit key from the master key as signing key 2 (K2)
* K2 public key (K2PK) is announced as the next key of K1 with 0xECA3 and 0xECA4
* K2 key and MK are removed from the device
* K1 secret key (K1SK) is used on the device to sign documents and ephemeral encryption keys
* K1 revocation record (K1RR) is stored somewhere for later publication
* if K1SK is lost or breached:
    + K1 is revoked on the blockchain with 0xEC0F
    + MK is used to calculate K3
    + K3 is announced as the next key of K2 with 0xECA3 and 0xECA4
    + K3 and MK are removed from the device
The MK is stored along with the key birthday, which is the date of its first appearance on the blockchain.
An example transaction with a key revocation can be seen on the bitcoin blockchain as transaction [c7457b452c41deea0f2a34ef8bf7596c758002714062e869516b6dd5602b5565](https://www.blocktrail.com/BTC/tx/c7457b452c41deea0f2a34ef8bf7596c758002714062e869516b6dd5602b5565#tx_messages).
In this transaction the VK fb2e360caf811b3aaf534d0458c2a2ca3e1f213b244a6f83af1ab50eddacdd8c is revoked, as seen with 0xEC0F.
The sha256sum of the PK is f5105e87388c219e43ad9a9856c50df9f9b4a0e87a8bd32d0f72534d83a2df74.
The 64-byte signature carried in the revocation, as a Python byte string:
```python
import binascii

# Ed25519 signature (64 bytes) from the revocation transaction above
sig = binascii.unhexlify(b'34dccafe91cb0b2b30175ead0eacc1481ee7428da70158035ab657914634801a37056bbf88e27058303e6f9e6cd38d1704a62b54ec9723614e6c1cf04b052e0f')
```