Technology for secure partitioning and updating of a distributed digital ledger

What is claimed is: 1. A device with technology to verify a block record for a digital ledger that is distributed and partitioned, the device comprising: at least one processor; non-volatile storage responsive to the processor; and instructions in the non-volatile storage which, when executed by the processor, enable the device to operate as a first validation node by performing operations comprising: receiving a block record of a distributed digital ledger from a second validation node, wherein the block record comprises a payload of transactions, a header with a link to a previous block, and a digital signature for the block record; in response to receiving the block record, automatically obtaining a node identifier for the second validation node, based on the digital signature for the block record; using the node identifier for the second validation node to determine whether the second validation node belongs to a validation group that comprises the first validation node wherein the validation group comprises a plurality of validation nodes to validate a ledger slice partitioned from the distributed digital ledger; using an attestation service of a remote attestation node to determine whether the node identifier for the second validation node belongs to a node with a trusted processor; using the digital signature for the block record to determine whether the digital signature was created with a private key that corresponds to the node identifier for the second validation node; and accepting the block record as valid only if the first validation node determines that (a) the second validation node belongs to a validation group that comprises the first validation node, (b) the node identifier for the second validation node belongs to a node with a trusted processor, and (c) the digital signature for the block record was created with a private key that corresponds to the node identifier for the second validation node. 2. A device according to claim 1 , wherein the operation of using the attestation service to determine whether the node identifier for the second validation node belongs to a node with a trusted processor comprises: using the attestation service to determine whether the node identifier for the second validation node belongs to a node with a processor that has features comprising (a) support for a trusted execution environment (TEE) that prevents software outside of the TEE from accessing data in the TEE, (b) technology to generate at least one secure private key (SPK) based on a root key in the processor, and (c) technology to prevent the root key from ever being exposed outside of the processor. 3. A device according to claim 1 , wherein the operation of using the digital signature for the block record to determine whether the digital signature was created with a private key that corresponds to the node identifier for the second validation node comprises: using the node identifier for the second validation node as a public key for the second validation node, and verifying that the digital signature for the block record was signed with a private key that corresponds to the public key for the second validation node. 4. A device according to claim 1 , wherein the operations further comprise: at the first validation node, receiving a transaction record from a transaction node, wherein the transaction record comprises a digital signature for the transaction record; in response to receiving the transaction record, automatically obtaining a node identifier for the transaction node, based on the digital signature for the transaction record; and using the node identifier for the transaction node to determine whether the transaction node belongs to the validation group that comprises the first validation node. 5. A device according to claim 4 , wherein the operations further comprise: in response to a determination that the transaction node belongs to the validation group that comprises the first validation node, automatically validating the transaction record; and in response to successful validation of the transaction record, adding the transaction record to a new block record. 6. A device according to claim 5 , wherein the operations further comprise: generating a secure private key (SPK) for the first validation node, based on a root key in the processor of the first validation node; and in response to successful validation of the transaction record, using (a) the SPK and (b) an elliptic curve digital signature algorithm (ECDSA) to generate a digital signature for the new block. 7. A device according to claim 6 , wherein the operations further comprise: generating a node identifier for the first validation node; and wherein the operation of generating the SPK for the first validation node comprises generating the node identifier for the first validation node as a public key counterpart for the SPK. 8. An apparatus to support verification of a block record for a digital ledger that is distributed and partitioned, the apparatus comprising: at least one non-transitory machine-accessible storage medium; and instructions in the machine-accessible storage medium, wherein the instructions, when executed by a device, enable the device to operate as a first validation node by performing operations comprising: receiving a block record of a distributed digital ledger from a second validation node, wherein the block record comprises a payload of transactions, a header with a link to a previous block, and a digital signature for the block record; in response to receiving the block record, automatically obtaining a node identifier for the second validation node, based on the digital signature for the block record; using the node identifier for the second validation node to determine whether the second validation node belongs to a validation group that comprises the first validation node, wherein the validation group comprises a plurality of validation nodes to validate a ledger slice partitioned from the distributed digital ledger; using an attestation service of a remote attestation node to determine whether the node identifier for the second validation node belongs to a node with a trusted processor; using the digital signature for the block record to determine whether the digital signature was created with a private key that corresponds to the node identifier for the second validation node; and accepting the block record as valid only if the first validation node determines that (a) the second validation node belongs to a validation group that comprises the first validation node, (b) the node identifier for the second validation node belongs to a node with a trusted processor, and (c) the digital signature for the block record was created with a private key that corresponds to the node identifier for the second validation node. 9. An apparatus according to claim 8 , wherein the operation of using the attestation service to determine whether the node identifier for the second validation node belongs to a node with a trusted processor comprises: using the attestation service to determine whether the node identifier for the second validation node belongs to a node with a processor that has features comprising (a) support for a trusted execution environment (TEE) that prevents software outside of the TEE from accessing data in the TEE, (b) technology to generate at least one secure private key (SPK) based on a root key in the processor, and (c) technology to prevent the root key from ever being exposed outside of the processor. 10. An apparatus according to claim 8 , wherein the operation of using the digital signature for the block record to determine whether the digital signature was crea