Key management is a concept that is becoming more and more important, and it has become an important piece of infrastructure in the blockchain field. When a digital currency or token is traded and used far more often than it is stored once and for all, using assets through a private key or wallet password is neither safe nor user-friendly, and it struggles to meet the needs of many application scenarios.
Threshold signatures based on MPC (secure multi-party computation) and multi-signature are two different key management methods. In this article we interview Dr. Xie Xiang, an algorithm scientist at PlatON. He introduces MPC-based key management and the essential difference between this method and multi-signature.
Xie Xiang majored in mathematics and cryptography. He is now an algorithm scientist at PlatON and the product director of KeyShard, focusing on the research, implementation and commercialization of cryptographic algorithms. KeyShard provides MPC-based key management services that address the pain points of digital currency key management and recovery.
What is MPC-based key management?
Q: Why do we need key management?
Xie Xiang: Individuals can freely register accounts and transfer money on a blockchain or the Bitcoin network without any third party. This function is achieved through a digital signature mechanism. In digital currency, the core question is how to manage signatures, because everything depends on the validity of the signature.
For users, managing signatures is actually managing keys. Therefore we say the key is the money, and key management is very important.
In traditional industries, you can manage money through banks and a series of process designs. For example, money can be managed by multiple people: it can be transferred only after the investment manager agrees, the investment director agrees, finance agrees and the CEO agrees. But once you move to the digital currency industry, the traditional approach can't be applied. Why? Because whoever holds the private key can transfer the money, so the traditional approval process is meaningless.
Therefore, our initial idea of key management was whether we could move the traditional authorization management mechanism for money into the world of digital currency. This is definitely necessary, because many people have now begun to invest with tokens, such as funds and family VCs. They need an internal management mechanism, but the traditional approval mechanism is technically difficult to reproduce.
Q: Can multi-signature solve this problem?
Xie Xiang: Multi-signature is based on scripts or smart contracts. It designs a rule; for example, if three people sign at the same time, or two people sign at the same time, and these signatures are passed to a smart contract, the contract starts to run and transfers the money. Multi-signature can solve some problems, and in fact it has been used in many enterprises, but as time goes on its development has run into more and more problems. Where is the problem?
Multi-signature needs different smart contracts for different main chains. There are at least 1000 chains now. Each chain's smart contract system is different, and everyone writes contracts differently. Take a VC as an example. A VC may invest in many chains. How do you manage these tokens? Do you want them to write more than a dozen contracts, all of which have to go through security certification? That is a big labor cost.
In addition, every detail of a contract on the blockchain can be seen. There is a layer of security problem there. Anyone can look for loopholes in the contract, and many new chains have not been tested over time like Bitcoin or Ethereum. Whether there are problems in their contract systems themselves is unknown. You will find that some new tokens have problems, and 90% of them are contract problems, which is a big risk.
So in the multi-chain case, can multi-signature easily support key management? At present it is actually very difficult. Using multiple contracts to manage keys has high cost and high security risk.
Q: If these different chains are based on the same digital signature algorithm, such as Schnorr, can the key management method be shared across chains?
Xie Xiang: No, that's not the logic. I'll draw it for you. Multi-signature looks like this: at the bottom is the blockchain; in the middle is the digital signature, which has a signature algorithm that can be ECDSA, Schnorr, etc.; at the top is the smart contract.
How does multi-signature work? In the smart contract part at the top, count the number of legal signatures: one, two, three... If there are enough, transfer the money. This method doesn't care what signature algorithm is used below. Schnorr or BLS makes no difference to it.
This is the basic principle and benefit of multi-signature. It can be decoupled from the underlying signature algorithm to a certain extent. But its problem is adapting to different chain systems. A thousand chains need a thousand smart contracts, and multi-chain compatibility is very weak.
Q: What is the threshold signature based on MPC?
Xie Xiang: I'll redraw this picture. At the bottom is the chain, in the middle is the digital signature, and at the top is the smart contract. The MPC-based threshold signature does not care about the chain below or the contract above. It does not care about either end. It only cares about the right part, that is, the part that creates the signature off-chain.
Its idea is that a signature must have a private key. It divides the private key into many "fragments" in some way. These fragments can be held by many people at the same time, and then, through an MPC protocol, it ensures that these fragments can directly generate a legal signature without being put together. "No need to be put together" means that the real private key never exists and never needs to appear.
Q: Is the signature completed off-chain?
Xie Xiang: When a signature is needed, for example, three people in our company run a protocol off-chain, generate a signature, and then put the signature on the chain. The logic of generating the signature is implemented in MPC. What comes out is a standard signature, but outsiders don't know how this protocol is run.
The result put on the chain is exactly the same as a normal signature, and no one can tell whether it was signed by one person or by many people, because its form and appearance are just like an ordinary signature, exactly the same as signing directly with the private key. This signature mechanism can be completely independent of the chain and deployed inside the enterprise.
You can see that multi-signature is mainly about counting the number of legal signatures. It does not depend on the signature algorithm, but it has to adapt to the chain system. The MPC-based threshold signature is mainly about generating a signature, which depends on the signature algorithm but does not need to adapt to the contract or chain system.
The MPC-based threshold signature is completely decoupled from the contract module. It doesn't care how the contract is written or what the chain is. As long as it distinguishes the signature algorithm, and as long as that signature algorithm is supported by the chain system, it can connect well. The algorithm may be ECDSA, Schnorr or BLS (BLS may be used in Ethereum 2.0), so by being compatible with the algorithm it is compatible with many chains. MPC-based key management can be multi-chain friendly, which is a big advantage.
Another advantage is that the policy of this signature mechanism is off-chain, so it is more secure. It avoids the risk of the contract being attacked by hackers, and the design of the policy can be more flexible, because most processes other than signature verification are moved off-chain, and users can formulate their own fragment management policy according to their situation.
Q: What is the role of MPC in this process?
Xie Xiang: MPC is a collaborative computing framework based on cryptography. In a broad sense, it means that multiple parties each have their own private inputs and complete a computing task together. While successfully completing the task, it ensures that their private inputs are not disclosed at any point in the process.
For example, a "2-3 mode" MPC-based key management protocol means there are three fragments, and as long as any two fragments participate in running the protocol, a legal signature can be generated. The signature generation process here, including the fragment generation process, can be regarded as secure multi-party computation, because during protocol execution, all intermediate data generated and exchanged will not directly or indirectly lead to the disclosure of a fragment in plaintext.
Q: Why is the MPC-based threshold signature related to the signature algorithm?
Xie Xiang: I have many pieces. How can I produce this signature? This is strongly related to the structure of the algorithm, so there is the issue that one algorithm is easy to do in MPC and another is not. Bitcoin needs to be upgraded to Schnorr. Schnorr is very compatible with MPC, while ECDSA is not so compatible with MPC.
Q: In MPC-based key management, where is the real private key stored?
Xie Xiang: You will find a very interesting thing: in the whole key management life cycle, the real private key never appears, so there is no question of where the private key is stored. This is the essence of MPC-based key management, which ensures that the key can be used but does not exist.
In traditional key management, the key is a real data asset, and it is very difficult to keep it safe. The MPC-based threshold signature directly separates the key from the system at the physical level, which differs greatly from the traditional system in its security concept.
In the traditional way, hackers just stare at one point, because the private key exists at that point. MPC-based key management, however, disperses the security of the key across multiple managed nodes; the private key is divided into multiple parts at all times, in multiple places. Hackers may have to break the first, second, third and fourth. They can only get the key after all four fragments are obtained, and they must get all four fragments at the same time within a certain time window, because the key fragments are constantly refreshed.
For example, if the key is 10, split it into two pieces and keep them in two places. You can split 10 into 5 + 5, but one minute later split it into 1 + 9, and another minute later into 2 + 8. Hackers need to break both places within one minute to get 10. If they break the first place in the first minute and the second place in the second minute, the hackers get 5 and 9, which is not the correct key.
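The "10 = 5 + 5, then 1 + 9" illustration above, carried through in code as an added example (this is not code from the interview, KeyShard or PlatON). It generalizes the 2-of-2 additive split in the text to a 2-of-3 Shamir split: shares are points on a random degree-1 polynomial over a prime field, a refresh adds shares of a fresh polynomial with constant term 0 (so every share changes while the secret does not), and an attacker who collects share 1 from one epoch and share 2 from the next reconstructs garbage. The field modulus 2^127 - 1, the party ids 1..3 and the refresh method are assumptions made for this example.

```python
"""
Added example: 2-of-3 Shamir secret sharing with proactive share refresh.
Not from the interview; parameters below are chosen for illustration.
"""
import secrets

P = 2**127 - 1      # assumption: a prime field modulus (M127, a Mersenne prime)
THRESHOLD = 2       # any 2 shares reconstruct
PARTIES = 3         # 3 fragment holders


def _eval(coeffs, x):
    """Evaluate a polynomial (coefficients low-to-high) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret, t=THRESHOLD, n=PARTIES):
    """Return {party_id: share} for a t-of-n split of `secret`."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: _eval(coeffs, i) for i in range(1, n + 1)}


def refresh(shares, t=THRESHOLD):
    """Proactive refresh: add shares of a random polynomial whose constant
    term is 0. The secret is unchanged; every individual share is new."""
    zero_coeffs = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: (s + _eval(zero_coeffs, i)) % P for i, s in shares.items()}


def reconstruct(points):
    """Lagrange interpolation at x = 0 from {party_id: share}."""
    ids = list(points)
    total = 0
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = (num * (-j)) % P
                den = (den * (i - j)) % P
        total = (total + points[i] * num * pow(den, P - 2, P)) % P
    return total


def staggered_compromise(secret):
    """Model the attacker from the text: share 1 captured in epoch 1,
    share 2 captured in epoch 2 (after a refresh).
    Returns (value from two same-epoch shares, value from mixed-epoch shares)."""
    epoch1 = split(secret)
    epoch2 = refresh(epoch1)
    same_epoch = reconstruct({1: epoch1[1], 2: epoch1[2]})
    mixed_epoch = reconstruct({1: epoch1[1], 2: epoch2[2]})
    return same_epoch, mixed_epoch


if __name__ == "__main__":
    print(staggered_compromise(10))   # (10, <some other value>)
```

Within one epoch any two of the three shares recover the secret; across epochs the mixed pair interpolates to the secret plus a random offset, which is exactly the "5 and 9" outcome described above. In a deployment the refresh polynomial is generated jointly rather than by one party, so that no single node ever sees all of the old or new shares.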
Q: You can't refresh with multi-signature?
Xie Xiang: No way. For multi-signature, for example, three people participate in a multi-signature and one of them has his private key stolen. The corresponding method is not to refresh the key but to quickly change the address and transfer the money to a new address, which is a pain point in many application scenarios. Or, for example, three people now participate in a multi-signature and a fourth person needs to be added. At this time we also need to change the address and then need a new multi-signature contract, which is very laborious, and there is a handling fee for transferring money to the new address.
But these are very easy for MPC. It can ensure that the external address remains unchanged while the inside is refreshed. This advantage is also something we value.
Applications of MPC-based key management
Q: Can MPC-based key management lower the barrier of using a private key? This is perhaps the most troublesome thing for ordinary users.
Xie Xiang: It can be no different from the traditional centralized way, and the user experience is the same: the operation when using digital currency is the same as when using a WeChat wallet. You don't need to remember mnemonics, save mnemonics in hardware, copy them into a notebook, etc.
What is a fun thing to do with MPC? For example, A and B use MPC to jointly manage an account, so they control the account at the same time but don't both need to remember mnemonics. If A wants to use it, A sends a request to B. After B agrees, A and B use their own fragments to calculate some intermediate variables locally through a set of established rules. Through information exchange, A can generate a legal and complete signature locally. After the signature is verified, A can transfer the money in the account.
Of course, there is another problem: how to generate the fragments for A and B. In fact, using MPC technology, A and B can each generate a fragment locally, and the two fragments can be implicitly spliced into a private key. Note that this splicing is only an implied mathematical relationship; the fragments are never actually spliced together at any time.
At this time, the role of B can also be played by a third-party server. The server confirms KYC and verifies whether the request was initiated by you. Once it confirms it was initiated by you, it passes automatically, that is, it automatically contributes the other fragment to generate a signature. KYC is designed exactly like sending SMS messages, face recognition and email. In this way, the user's operation is exactly the same as the traditional way of operating. This is closely related to the actual application scenario.
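The A/B flow just described (and the earlier point that Schnorr is MPC-friendly because a signature is linear in the key and nonce), as an added example that is not code from the interview, KeyShard or PlatON. A and B each generate a fragment locally; the joint public key is the sum of their public shares, and signing is a two-round exchange of nonce commitments and partial signatures. The output is an ordinary textbook Schnorr signature over secp256k1 (not BIP340), and a plain verifier cannot tell it from a single-key signature. Each partial signature is checked individually, which is how a party that sends wrong values can be named rather than silently breaking the signature. The curve choice, the message bytes and the hashing of R as two 32-byte coordinates are assumptions made for this example.

```python
"""
Added example: 2-of-2 threshold Schnorr over secp256k1 (textbook Schnorr, not
BIP340). Not from the interview; x = x_A + x_B mod N is only an implied
relationship and the sum is never formed while signing.
"""
import hashlib
import secrets

# secp256k1 parameters (the curve used by Bitcoin and Ethereum)
PC = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % PC == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, PC - 2, PC) % PC
    else:
        lam = (y2 - y1) * pow(x2 - x1, PC - 2, PC) % PC
    x3 = (lam * lam - x1 - x2) % PC
    return (x3, (lam * (x1 - x3) - y1) % PC)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    res, k = None, k % N
    while k:
        if k & 1:
            res = _add(res, pt)
        pt = _add(pt, pt)
        k >>= 1
    return res


def _challenge(R, msg):
    """Fiat-Shamir challenge e = H(R || msg) reduced into Z_N (assumed encoding)."""
    data = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Party:
    """One fragment holder: A, B, or the KYC server standing in for B."""
    def __init__(self):
        self.x = secrets.randbelow(N - 1) + 1   # fragment generated locally, kept private
        self.pub = _mul(self.x, GEN)            # Y_i = x_i * G, safe to publish
        self.k = None

    def nonce_commit(self):
        self.k = secrets.randbelow(N - 1) + 1   # fresh nonce per signature
        return _mul(self.k, GEN)                # R_i = k_i * G

    def partial_sign(self, e):
        return (self.k + e * self.x) % N        # s_i = k_i + e * x_i


def joint_public_key(parties):
    """Y = sum of Y_i = (x_A + x_B) * G, without anyone holding x_A + x_B."""
    y = None
    for p in parties:
        y = _add(y, p.pub)
    return y


def partial_ok(R_i, Y_i, e, s_i):
    """Per-party check: s_i * G must equal R_i + e * Y_i, so a bad partial is attributable."""
    return _mul(s_i, GEN) == _add(R_i, _mul(e, Y_i))


def threshold_sign(parties, msg):
    """Round 1: exchange nonce commitments R_i. Round 2: exchange partials s_i."""
    commits = [p.nonce_commit() for p in parties]
    R = None
    for c in commits:
        R = _add(R, c)                          # R = (k_A + k_B) * G
    e = _challenge(R, msg)
    partials = [p.partial_sign(e) for p in parties]
    for i, (p, c, s_i) in enumerate(zip(parties, commits, partials)):
        if not partial_ok(c, p.pub, e, s_i):
            raise ValueError(f"party {i} sent an invalid partial signature")
    return (e, sum(partials) % N)


def verify(Y, msg, sig):
    """Ordinary Schnorr verifier: R' = s*G - e*Y, then recompute the challenge."""
    e, s = sig
    R_prime = _add(_mul(s, GEN), _mul(N - e, Y))
    return R_prime is not None and _challenge(R_prime, msg) == e


def run_example(msg=b"constructed sample: transfer 1 ETH to <placeholder address>"):
    """Returns (valid on the signed message, valid on a different message)."""
    a, b = Party(), Party()
    Y = joint_public_key([a, b])
    sig = threshold_sign([a, b], msg)
    return verify(Y, msg, sig), verify(Y, b"another message", sig)
```

The verifier has no notion of fragments: it recomputes R' from the public key and the signature exactly as it would for a single signer. Production protocols add a commitment round before the nonce shares are revealed so that no party can choose its nonce after seeing the others', and use a distributed key generation rather than letting each party pick a share independently as this example does.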
We have created an app called KeyShard to show users how to use MPC-based key management. You can try it. Now we only support Ethereum. It simulates traditional permission management, which requires the consent of two people to move the account.
Q: Back to the beginning. You said you want to move the traditional authorization management mechanism for money into the digital currency field. In the traditional approval process, A may need to pass first, then B signs, and then C signs. Is this something MPC can do now?
Xie Xiang: This is actually a key issue. In the traditional process this is called signature flow. There are some obstacles in MPC. Let me draw the general logic of MPC.
The parties in the MPC protocol must be connected and interact with each other. For example, the manager, finance and CEO participate in generating signatures. It requires that these three people must be online at the same time. Therefore, it is difficult for the pure MPC algorithm itself to support signature flow.
However, we can use the engineering architecture to realize the signature flow function at the product level, so that upper-layer users do not have to care or think about how the lower layer operates. For users, the product's operating experience is the same as traditional signature flow. Therefore, there are great differences between algorithms and products. These are two sets of things. In addition to the algorithm itself, we also need to combine technology with business logic.
Q: Can it be understood that MPC-based key management is not only about storing keys safely, but also about making it easier for individuals or enterprises to use keys according to their business logic?
Xie Xiang: It has many advantages. Secure storage is one aspect; making it more secure and convenient for individuals or enterprises to use keys is another. The former refers to the "custody capability" of MPC-based key management for keys or assets, which reflects static security; the latter means that MPC-based key management can actively design diversified policy management, which is dynamic service empowerment.
Q: If an investment institution needs to manage multiple tokens, can it buy a set of MPC-based key management algorithms and then use them to sign on different chains, so as to manage assets on different chains?
Xie Xiang: It is unlikely to buy algorithms directly. It will buy products. For example, it will buy a set of MPC-based key management software, install it on the company's internal server, and then manage assets through an interface. You can think of it as having bought a financial management system based on MPC.
The bottom layer of key management is a set of algorithms, but it can be packaged into products, apps and an SDK (software development kit).
Q: If a wallet company wants to add a function that allows users to manage private keys based on MPC, can it find a professional company providing MPC solutions?
Xie Xiang: Yes. You can understand that there are investment institutions, wallets, exchanges and other business companies in this market. They each have their own business, but they all face the problem of how to manage money. We provide a set of MPC-based key management capabilities, that is, MPC-based money management capabilities, to connect with their current systems.
In terms of positioning, PlatON is a technology provider or infrastructure provider, and KeyShard is the infrastructure that provides key management for digital currency. It sits a little lower and does not touch the business above. It focuses on the underlying key management SDK and hopes to integrate the business process of authorization management into the SDK. Of course, the difficulty is abstracting an SDK that is relatively flexible and easy to use.
Challenges of MPC-based key management
Q: What are the difficulties in MPC-based key management?
Xie Xiang: Both technical and non-technical. On the non-technical side, some people will ask: why is it safe? Give me a certificate. Traditional KMS (key management service) has certifications, but because MPC technology is relatively new and has not been used in key management for long, there is not yet enough authoritative and extensive certification.
This is a problem caused by the particularity of this discipline. Although cryptography has a solid theoretical foundation, it is divided into theoretical security and practical security. Whether practical security can reach the level of theoretical security needs time to test. Therefore, one need is standards bodies, and the other is the promotion of academic research. We will actively promote standards and industry recognition of this technology, but it takes time; it won't be that fast.
The technical difficulty was just mentioned. We need to combine this new technology with complex business logic. In addition, MPC is a distributed technology. If it is distributed, there will be synchronization, that is, the problem of consensus.
The original authorization management is a purely centralized thing, and the business process matches it well. However, in the distributed scenario there are some difficulties, such as a user not being online, whether the network is good, and whether to use the old fragment or the new fragment if there is a delay in the key refresh. There are many details to consider.
Q: Is it accurate to say that MPC-based key management has no accountability? That is, I don't know who signed and who didn't, so I can't trace responsibility?
Xie Xiang: Actually, you can know who signed at the algorithm level. The bottom layer of the algorithm can trace who did not sign, or even, by introducing a check-and-report mechanism, know who provided erroneous information that did not follow the rules during the signing process.
Rethinking the "private key": the private key is not a key
The intuitive reaction to the words "private key" is that it is a kind of "key" whose function is to open the safe where the digital currency is kept. It seems reasonable: you can get the money by using the private key. But in fact, in the field of blockchain and digital currency, the private key is the asset itself.
Imagine that if you lose your safe key, your money is still there; you can have another key made. But if the private key is forgotten, the money disappears forever. If your safe key is stolen, your money may still be safe, because the thief still needs to sneak into the building and pry open the door of the room; but if the private key is stolen, the money almost immediately no longer belongs to you.
The private key is not the key that opens the safe; it is the asset to be put into the safe. Key management is how to design a safe system to store the private key so that the private key in the safe is both secure and easy to use. Then what is handed to the user is not the private key but a set of keys that open the safe.
Both multi-signature and MPC-based threshold signatures are methods of implementing asset management, but they follow different design routes: the former relies on on-chain smart contracts and counting the number of legal signatures; the latter relies on MPC, off-chain, to generate legal signatures from fragments. This article focuses on the latter, that is, MPC-based key management. I hope it helps you understand this technology and scheme.
Responsible editor: zl