Overview of decentralized infrastructure

The core elements of a decentralized infrastructure, including encryption and core data models

A decentralized future

As businesses generate increasing volumes of data about the physical world, they’re mapping this data back to their IT systems, defining digital representations of the machines, products, processes, and people and the relationships between them.

Delivering the trustworthy, verified, and fully auditable data that businesses will increasingly need to meet present and future challenges as the Fourth Industrial Revolution gathers pace, and building the infrastructure to support this, requires the following core elements:

  • Digital Twins - A unique and portable digital representation of any participant, or entity, you can imagine and identify

  • Decentralized Identifiers (DID)- Intelligent, opaque identifiers for those participants that are unique, verifiable, and addressable

  • Verifiable Credentials (VC)- Highly portable and yet verifiable parcels of high-value data, including signatures that make the relevant identities of their issuers and subjects discoverable and provable

  • Wallets - Lightweight pieces of software that manage DIDs and VCs for an individual user

  • Agents - A mission-critical application that routes and safeguards traffic between an entity, their underlying DIDs, and the data flowing through their control

Digital twins

The digital representation of a participant in a given IT system. These participants might be machines, products, software, datasets, or even humans; their twins are aggregations of many different kinds of up-to-date data that, in unison, represent almost fully the original entity.

In a traditional one-organization model of IT, these pieces of data might live all around the world in databases and data stores, organized and accessed by one global unique identifier that queries all these disparate sources periodically to stay current and comprehensive. Think of them as bridges between the physical and digital sphere—the more sophisticated and comprehensive a digital twin, the more fully it links a physical thing and its digital life-cycle.

Fig 4. A projected roadmap for the business value of self-sovereign Digital Twins

Digital Twins provide technical benefits for different use cases and unlock value across the entire product and system life-cycles. They comprise a key strategic accelerator for digital transformation, unlocking the value within the data created by the Industrial Internet of Things and fulfilling industry requirements such as trusted data audit trailing, interoperability, and cradle-to-grave traceability to prove provenance and authenticity.

Spherity's vision of a self-sovereign digital twin accomplishes the same kind of holistic data organization but across multiple IT systems and across organizational boundaries, building on DIDs and VCs. A self-sovereign digital twin is a unique and portable digital representation of any participant (or entity) you can imagine and identify. Although the data making up a digital twin may live in many different organizations' IT systems and data stores, a self-sovereign digital twin retains connection and access to this data through persistent identifiers and decentralized data infrastructure preserving its sovereignty over all data it produces wherever it may travel.

Through ownership transfers or shifting data needs over time, an identity retains control over its data and can even revoke access to bad actors.

Digital Twins for VPAs and Autonomous Things

When digital twins are connected to software agents with a domain specific business or processing logic (e.g. virtual private assistant (VPS), personal health assistant, ML or AI) these agents can start to interact on behalf of the real-world entity.

This approach scales how our digital-self communicates in a digital world to unprecedented new forms of human and non-human interaction and cooperation in the digital world.

To provide a trust-layer for a world of autonomous things and intelligent digital twins verifiable identity is needed.

Decentralized Identifiers (DIDs)

Our platform makes it intuitive to create and manage digital identities for the participants in IT systems. Decentralized Identifiers (DIDs) are intelligent, opaque identifiers for those participants that are unique, verifiable, and addressable, while still maximally resisting correlation and tracking. These are like the freely-circulating "tokens"—although self-minted in most cases and detached from any fungible or explicitly-defined value—that power a new infrastructure of identity, standardized by the World Wide Web Consortium (W3C) in 2019.

Each human or non-human "identity" holds such a token and uses it to control, protect, grant access to, sign, and/or verify its data and that of others. DIDs can be used in conventional identity-system ways for authentication and securing one-to-one relationships as well.

While DIDs may be controlled through wallets or even through complex enterprise wallets, their underlying cryptography and the records they publish to blockchains for the sake of maintaining discoverability, called "DID Documents", are platform agnostic and determined by open standards, not by wallet providers. These published DID documents contain up-to-date public keys for verifying signatures of data signed by that DID, and service endpoints for establishing secure communications with an authorized agent or API when more advanced communications are necessary. Both of these will, of course, need to be updated over time by the holders of the private keys via agents or wallets; they will need to "rotate" the keys, change service providers, or update policies and endpoints for DID-based communications many, many times in the life of a DID.

Since this data is published to blockchains and kept current by crawling those blockchains for updates, and changing providers or platforms does not affect the underlying control of the DID, the core components of the infrastructure remain decentralized and universal across the providers and applications built on top of it.

Verifiable Credentials

To DIDs, we link Verifiable Credentials (VCs), which are highly portable and yet verifiable parcels of high-value data, including signatures that make the relevant identities of their issuers and subjects discoverable and provable.

These parcels have robust data privacy and access controls coded into their basic architecture, which keeps private and contextual dataeven those generated over time by your machines and algorithms—limited to its intended scope. Verification of that data is abstracted out to a machine-readable and easily automated cryptographic function, universally discoverable and executable with minimal maintenance or overhead obligation to the data's rightful owner or the organization issuing (and vouchsafing) the data. This allows the credential data to be truly portable, forwarded on to relying parties that need reliable data for easily verification.

This might sound surprisingly universal or simplistic coming from today's security-focused world, but that is largely because the aging architecture and security methods of hierarchically-organized servers has grown harder and harder to secure after decades of incentivizing a worldwide information theft industry. Indeed, security has famously been "bolted on" after the fact to file systems and worldwide networking systems that were never intended to carry as much value and consequence as they do today. By building in ownership and subject-centric access controls at the protocol level, many of the inherent weaknesses of the current systems are sidestepped altogether, centralizing less risk and access in one server or master account which grants access to mountains of data in being compromised. Complex capacities for limited, contingent, and revocable sharing are built into the architecture of a VC controlled by a DID, to such an extent that misdirected VCs are simply unusably encrypted without the consent of their controlling DIDs. This shifts security priorities from the central repositories of data to the individual identity objects controlling each piece of data, making completely encrypted data less of a risk to transport and less of a liability to store.

While the consequences of such a paradigm shift for enterprises are complex, the benefits can be summarized simply: better data, easier to control and security, with consent and privacy built in. This makes for happier customers, with a more mutually-trusting, less antagonistic relationship to the organizations holding their data. Data subjects do not need to request resources or bandwidth from the organizations vouchsafing their data to circulate it or have it verified again and again as it circulates.


Wallets are lightweight pieces of software that manage DIDs and VCs for an individual user. In the case of non-human identities, these might be more complex and involve many more DIDs controlled by a given individual or role held by that individual; these so-called "enterprise" wallets might also be more complex in their user interface and controls, since many different people may need to agree on changes made to important identity objects. These may include "quorum controls" which are secured by multi-party computation technology to allow the same level of cryptographic integrity as individual controls. These are sometimes called "vaults," by analogy to the high-security deposit boxes in a bank that require 2 out of 3 keys to be turned to open the vault door. Spherity was an early designer, architect, and developer of these kinds of controls for self-sovereign data, and they are a core feature of our bespoke enterprise wallets for high-security and high-complexity enterprises.


The term Agent comes from cloud computing, and before that, the design of modern, W3C-standardized browsers, where a mission-critical core of software autonomy needs to be preserved somewhere between server and client, out of the reach of the security and integrity risks of both client and server yet still reliably working in the client's best interests.

Just as a given user's browser agent sits somewhere on the route between browser and webserver, preserving the privacy and the autonomy of a browser-server connection at an arm's length from the complexity of a modern operating system, so too do self-sovereign data flows require a reliable, neutral, minimally-complex agent to route and safeguard traffic between a user, their underlying DIDs, and the data flowing through their control.

Spherity was one of the first companies on earth building sophisticated wallets and agents with an eye to the complexities and expansive architectures of large enterprises and non-human identities. Our wallet design balances the convenience and simplicity of mobile wallets for users with relatively limited functional needs and obligations within the system against the complex overlapping needs and functions of power-users setting up and delegating fleets of machines or massive hierarchies of human resources and personally identifiable information about all of them. We have worked with regulators and governments on making government data more open, more secure, and more interoperable with this new universe, and we bring decades of experience managing the IT needs of large enterprises to bear on this work. For all these reasons, we consider the work we have done so far future-proof and trail-blazing in the field.

By connecting our digital twins to intelligent agents we are building the base infrastructure for the Economy of Autonomous Things.