Data is a precious commodity. How can you protect it while adopting blockchain?

The great value proposition of blockchain? Enabling collaborative commerce between parties who may not know or trust one another. Blockchain and other distributed ledger technologies can allow for greater transparency, identification of stakeholders, transfer of assets, new financial opportunities, and increased accuracy in forecasting and planning—leading to more efficient, profitable operations in supply chains.

While most companies and government entities want to realize these goals, there are at the same time concerns about the confidentiality and protection of certain information on the blockchain.

Data is a precious commodity in the supply chain. But leveraging its value with blockchain raises commercial and compliance issues, which have the potential to significantly hinder blockchain adoption if left unaddressed.

Here are the top five concerns surrounding sharing commercial information on the blockchain—and some ways to address them.

While supply chain actors are interested in blockchain precisely because it allows for transparency and visibility across multiple tiers upstream and downstream, it’s undesirable to reveal this much data to this extent.

For one thing, many critical operational points in supply chains rely on a lack of transparency, and there may be legitimate reasons to protect the identity of upstream suppliers, the prices paid by downstream suppliers, and true levels of demand and available inventory.

For another, if confidential information—for example, trade secrets—need to be revealed to regulatory bodies, such as customs and oversight agencies, they are revealed for compliance purposes only and in strictest confidence.

If confidential information must remain confidential, why might two supply chain partners want to keep certain information from one another yet log the information on the blockchain? There are two reasons.

First, the partners might believe there is value to having the blockchain serve as a single source of truth for authenticated data, so participants can extract the particular data they need.

Second, the practical challenges of understanding what should be obfuscated and what can be revealed during a one-to-one integration process are too immense.

Collaborative planning across a supply chain based on sharing accurate demand forecasts, inventory levels, and production estimates has long been a goal for optimizing supply chain operations. However, supply chains have been unable to achieve this because there has not been an incentive to share accurate forecast information with partners—and even if there had been, there was no way to securely share such information across the supply chain in a coordinated and timely manner.

In perhaps the keenest reminder of the value and importance—and therefore, sensitivity—of commercial information in a supply chain, there are instances where value can be unlocked by hiding certain information from parties even when those parties need to use that information in a transaction. For example, a commodities producer would like to move inventory off its balance sheet as soon as possible and recognize revenue. It can sell this inventory to a trading company or third-party financier on the blockchain, who can then sell to the end buyer at the appropriate time. However, the sensitivity of commodities prices is such that while all parties would benefit from this financing structure, it would be commercially unacceptable to the producers for the financier in the middle to know the actual price.

A supply chain may require matching and verification of large volumes of encrypted data. Industries with complicated assembly processes and bills of material, such as aerospace and electronics, have to manage this issue across multiple supply chain partners. For example, an aerospace manufacturer may have a joint venture to assemble an airplane engine comprised of millions of parts. In order to coordinate procurement and assembly, the companies should share their individual part numbers so parts can be reconciled. However, part numbers are sensitive, proprietary data. Once hashed or encrypted, data has to remain in this secure state even when the data is required to perform a function.

Blockchain protocols, frameworks, or platforms such as Hyperledger, Corda, and Quorum (a private fork of Ethereum) have greatly improved data privacy and confidentiality. They have identity management, can deploy product features across the ecosystem, and establish a set of policies for governance and control of the network. Importantly, these protocols are usually combined with middleware or an application layer sitting on top, each of which will likely have its own data privacy functionality.

Basic protections, such as on-chain/off-chain configurations and only storing hashed data

The simplest way to prevent data from being shared on the blockchain? Never log it in the first place. Selective placement of data on the blockchain, typically from an ERP system, is one of the most important and time-intensive steps of implementing a blockchain system. An enterprise can store information off-chain in their own centralized databases, or even in a database provided by the blockchain system, one layer removed from the blockchain itself.

If data needs to go on the blockchain, the best practice is to simply store the hash of data, while the data itself remains in a database off-chain. This is a popular solution for documents, which are data-intensive files. In addition to increased data privacy, this structure helps with the throughput rate of the blockchain—the less data on the blockchain, the less time it takes to run a query and process it.

Role-based access controls on the blockchain for selective obfuscation of data

One solution is to place information on the blockchain and reap the benefits of authenticated data while leveraging familiar security tools. An effective method is implementing access controls directly on the blockchain through chaincode or a system of smart contracts, which are a layer of logic governing a user’s interface with blockchains. Public and private keys native to the blockchain systems are generated for individual users and can be integrated with an enterprise’s existing identity management system. The public keys will let the system know whether the user has read/write access to certain information, and only those users will be able to decrypt the information.

Chaincode and smart contracts can also be programmed to trigger operations off data either still hidden or revealed. The user can run a computation on obfuscated data queried from the blockchain but will only be see the decrypted result—not the underlying data itself.

Zero-Knowledge Proof

Zero-Knowledge Proof is a well-established concept in cryptography allowing one party to assert the validity of a statement without revealing the underlying facts making the statement true or false. One key advancement in zero-knowledge proofs is zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), which significantly reduces the time it takes a zero-knowledge proof algorithm to return a result. But latency is high. JP Morgan, for instance, implemented zero knowledge proofs in its financial audit of blockchains, but the processing time for each individual transaction exceeded 40 seconds. Given speed is one of the most powerful and promising features of blockchain, the wider blockchain community is researching how to bring down the time it takes for a proof to complete its work. For lower-volume supply chain transactions, and for which this level of privacy is important, zero-knowledge proofs in their current state nonetheless might make sense.

Fully Homomorphic Encryption

Fully Homomorphic Encryption (FHE) is a way to perform mathematical calculations on encrypted data and return an encrypted result. Without the ability to independently verify the encrypted data being processed through FHE, blockchain becomes that much more crucial to authenticate the data.

The benefits for data obfuscation are clear. The supply chain partners would be able to run data analytics on AI algorithms on fully encrypted data, and only those who should have access to the result would be provided with a key to decrypt it. However, FHE is slow; it’s generally not worth the undertaking unless a supply chain has a particular computation for which it does not need real-time transmission. At Skuchain, we currently use role-based access controls and smart contracts for collaborative planning applications across the supply chain to coordinate procurement, management, production, and delivery, and we’re starting to use FHE for sensitive data and more complex algorithms requiring an extra layer of security.

Supply chain partners using blockchain need to have conversations with counterparties about how to balance the need to maintain data confidentiality with the benefits of sharing to increase the mutual effectiveness of their operations. Enterprises with extensive supply chains should continue to be active participants in industry consortia to ensure solutions meet practical standards and best practices. These efforts should yield new ways of doing business in supply chains, increasing value-add based on authenticated information and improving collaboration between partners.