Michael J. Casey is the chairman of CoinDesk’s
advisory board and a senior advisor for blockchain research at MIT’s
Digital Currency Initiative.
The following article originally appeared in CoinDesk Weekly, a custom-curated newsletter delivered every Sunday exclusively to our subscribers.
Advances in cryptography are converging to help developers bring
blockchain applications closer to the core decentralizing principles on
which this technology is founded.
Inventions such as atomic swaps, zk-SNARKS and Lightning-based smart contracts are
allowing developers to realize the dream of true peer-to-peer
transactions in which neither party, nor an outside intermediary, can
act maliciously. Witness the rising number of non-custodial and
decentralized exchange (DEX) services for trading crypto assets.
This is exciting. But it also shines a light on another big problem
that has curtailed the widespread adoption of cryptocurrency and
blockchain technology: secure key management.
For too long, the most reliable means of protecting the private keys
that afford the holder control over an underlying crypto asset have been
too clunky, insufficiently versatile, or difficult to implement on
scale. User experience has been sacrificed in return for security.
Now, some big strides in another hugely important field of
cryptography – secure multiparty computation, or MPC – point to a
potential Holy Grail situation of both usability and security in a
decentralized system.
A keyless wallet
Progress in this field was marked last week by Tel Aviv-based KZen’s public announcement of the specs for its new ZenGo wallet. ZenGo uses MPC, along with other sophisticated cryptographic tools such as zero-knowledge proofs and threshold cryptography, to share signing responsibility for a particular cryptocurrency address among a group of otherwise non-trusting entities.
The beauty of the KZen model is that security is no longer a function
of one or more entities maintaining total control over a distinct
private key of their own – the core point of vulnerability in
cryptocurrency management until now. Instead the key is collectively
derived from individual fragments which are separately generated by
multiple, non-trusting computers.
The model draws on the genius of MPC cryptography.
With this approach, multiple non-trusting computers can each conduct
computation on their own unique fragments of a larger data set to
collectively produce a desired common outcome without any one node
knowing the details of the others’ fragments.
The private key that executes the transaction is thus a collectively
generated value; at no point is a single, vulnerable computer
responsible for an actual key. (KZen’s site includes a useful explainer on how it all works.)
KZen is not the only provider of MPC solutions for blockchain key
management. Unbound, another Israeli company, is going after the
enterprise marketplace with its MPC solutions for crypto security.
Unbound’s prolific (if blatantly pro-MPC) blog offers different angles on the same argument.
It makes a repeated case for why MPC is superior to the two preferred
approaches to crypto security of the moment: hardware security modules
(HSM), on which hardware wallets like Ledger and Trezor are built, and
multi-signature (multisig) technologies, which are favored by exchanges.
Attacking the trade-offs
If KZen and Unbound are to be believed, MPC solutions resolve both the hot-versus-cold trade-off in key management and the dilemma of self-versus-managed custody.
Cold wallets, in which keys are stored in an entirely offline
environment out of attackers’ reach, are quite secure so long as they
remain in that offline state. (Though you really don’t want to lose that
piece of paper on which you printed out your private key.)
But bringing them into a transactable, online environment poses an
overly cumbersome challenge when you want to use those keys to send
money. That’s perhaps not a problem if you’re just a HODLer who
transacts rarely but it’s a serious limitation to blockchain
technology’s prospects for transforming overall global commerce.
On the other hand, hot wallets have, until now, been notoriously vulnerable.
Whether it’s the relentless “SIM jack” attacks on people’s phones
that are emptying out both hosted (third-party custodial) wallets and
on-phone self-custody holdings, retail participants’ horror stories are
legion. And, of course, we all know the stories of custodial exchanges
being hacked – from Japan, to Hong Kong, to Canada, to Malta.
At the same time, the solution that regulated institutional investors
are currently seeking – that custodians and exchanges build Fort
Knox-like “military-grade” custody solutions – inherently contain a compromise.
Not only does this approach fail to resolve the dependence on a
third-party, but there are serious doubts about whether any such
solution can be forever safe from hackers, who are constantly improving
their methods for getting over firewalls. In best-case scenarios, the
constant IT upgrades becomes a massive money suck.
Alternative to HSMs and multisig
None of this is not to say that existing security technologies are useless.
Ledger and Trezor’s hardware devices – a more nimble form of cold
wallet – are widely used by individuals who are uncomfortable with both
external third-party custody and online, on-device self-custody wallets.
And, separately, multi-signature (multisig) solutions, in which an m-of-n quorum of keys are required to execute a transaction, have proven robust enough to be used by most exchanges.
But in both cases, vulnerabilities have been exposed. And to a large
extent those risks come down to the fact that, regardless of the
surrounding security model’s sophistication, the all-important keys are
always sitting at single points of failure.
Just last week, researchers demonstrated how they could hack into a remote hardware security module. The irony: the researchers were from Ledger, which relies on HSM to secure its customers’ keys.
Multisig models arguably offer protections across such attacks,
because a breach requires simultaneous control of more than one key held
in separate locations, but the fact is that multisig solutions have
also failed because of both technical and human vulnerabilities (inside
jobs).
What’s more, both solutions are inherently limited by the need to
customize them to particular specifications or ledgers. Crypto
developer Christopher Allen pointed out last week , for example, that HSMs are particularly constrained by the fact that they are defined by government standards.
And in each case, the ledger-specific design of the underlying
cryptography means there is no support for the kind of multi-asset
wallets that will be needed in a decentralized interoperable world of
cross-chain transactions.
By contrast, KZen is boasting that its key-less wallet will be a multi-ledger application from day one.
Challenges and opportunities
To be sure, MPC remains unproven in a practical sense.
For some time, the heavy resources needed to carry out these network
computing functions made it a challenging, costly concept to bring into
real-world environments. But rapid technical improvements in recent
years have made this sophisticated technology a viable option for all
kinds of distributed computing environments where trust is an issue.
And key management isn’t its only application for blockchains,
either. MPC technology plays a vital role in MIT-founded startup
Enigma’s work on “secret contracts” as part of its sweeping plan to build the “privacy layer for the decentralized web.”
(An aside: Enigma CEO and founder, Guy Zyskind, is also an Israeli.
Israel has fostered a remarkable concentration of cryptographic
expertise in this space.)
It would be unwise to assume that MPC, or any technology for that
matter, will provide a perfect, totally infallible solution to security
problems. It is always true that the biggest security threats come when
human beings complacently believe security is not a threat.
However, if you squint hard enough, and think about how this
technology’s prospects for better key management can be married to
Enigma’s vision for an MPC-based secret contract layer and to the
broader march toward decentralized, interoperable asset exchanges, a
compelling vision of true peer-to-peer blockchain-based commerce starts
to emerge.
At the very least, you need to watch this space.
Keys image via Shutterstock
source link
