Kitty: Hi, I'm NextDAO's Lead Mod, Kitty. I am very happy to have received the invitation and trust from Cheers Up to host tonight's event. Today is the first time I have hosted such a strongly technology-related topic. As a technical novice, I did some homework in advance. Fortunately, today's guest teachers have all published content on Mirror and Twitter, which gave me some learning materials.
The guests of this event include the Slow Mist team, Cobo, the well-known KOL Magistrate, and the Cheers Up team.
Kitty: OK, first let me introduce why there is an event on this theme today. While everyone next door is talking about Hong Kong's new policies and market conditions, let's talk about security here.
In fact, wallet security has always been a big problem and a hot topic in the Web3 world. Almost every day we see that some project party's wallet has been stolen, worth tens of thousands of dollars.
The latest large-scale theft may be the Solana ecosystem wallets in August this year, when more than 9,000 wallets in total were emptied. In the early hours of this morning, $28 million was stolen from Deribit's hot wallet. Therefore, wallet security is not only a threshold for those who want to enter Web3 from Web2, but also a dark forest for users who are already in Web3. We receive countless unfamiliar links every day, sent to us through Twitter, Discord, or even WeChat groups. Maybe you accidentally click on an authorization, and the little pictures in your wallet disappear.
As an NFT project, Cheers Up is also very concerned about the wallet security of holders, because many friends who buy NFTs are not very aware of the potential risks in their wallets: users who play with NFTs are generally young, and their first step into Web3 may be buying an NFT. So we also hope that through today's event, holders will pay more attention to this matter when surfing the Internet.
Okay, then let's enter the official AMA session. First of all, if we talk about wallets, we have to talk about mnemonic words. Many people say that mnemonic words are anti-human, and that current MPC technology can theoretically make it unnecessary for users to keep the mnemonic words themselves. The first question is: what kind of technology is MPC?
Cobo: MPC refers to multi-party secure computation. Let me first quote an academic definition of MPC: MPC refers to the collaborative computation of an agreed function by multiple participants without a trusted third party, where, apart from the computation result, no participant can infer the original data of the other participants from the data exchanged during the computation. This definition is a bit of a mouthful, but in simple terms, it means completing a collaborative calculation based on everyone's private data while ensuring the privacy of each party's own data. Here we can give a more specific example: suppose A and B are two millionaires. They want to know who is richer, but they don't want to reveal their specific asset amounts. In this case, they can use MPC technology to compute, while preserving privacy, the conclusion of who has more money.
The example just mentioned is the famous millionaire problem raised by Mr. Yao Qizhi in the 1980s, a seminal problem for the entire field of MPC scholarship.
Kitty: From what you said, how does MPC technology compare with ZK zero-knowledge proofs? Both make it possible to get answers or complete calculations without exposing private data.
Cobo: Yes. MPC problems can also be subdivided into different security models. A relatively simple model assumes that the participants are honest: they just don't want to expose their private data, but nobody will act maliciously, in which case the MPC computation is relatively easy to implement. Another, more general model assumes that the participants do not trust each other and that there is a possibility of malicious behaviour. In this case the MPC computation generally needs to be combined with zero-knowledge proofs to arrive at a correct final result.
Specific to our digital currency wallets, what we will really use at present is TSS (that is, the threshold signature scheme). The threshold signature scheme uses some MPC techniques to solve its core privacy-preserving computation problem, so threshold signatures can be considered a specific application of MPC. In this setting it is assumed that there is no trust between the participating parties, so if you look deeply at the implementation of a threshold signature scheme, a large number of zero-knowledge proofs are used to ensure that nobody cheats. Most of the time, for simplicity, we directly refer to a threshold signature wallet as an MPC wallet, but we still hope to explain these basic concepts clearly to everyone.
Kitty: So what products currently support MPC?
Cobo: Currently there are many products that support MPC. It may not be possible to list them one by one, but let me just mention a few that have left a deep impression on me. Among ToC products, ZenGo is a company that I think is currently doing very well in terms of product quality and open source contribution, and they should also be one of the earliest start-ups in this direction. On the ToB side, Fireblocks should have the largest market share at present. In addition, Safe Heron is a Chinese entrepreneurial project; they have also done a very good job in terms of product quality and open source contribution, and Cobo has also participated in that. At the same time, Cobo's Custody service is also increasing its support for MPC. In the near future (it should be within the next one or two months), we will also provide an MPC co-managed wallet service. Thank you! Interested friends can keep an eye on it.
Kitty: Good, good, I support that. Let's see if the friends from Slow Mist have anything to add.
Slow Mist: The full English name of MPC is Multi-Party Computation, which is a cryptographic technique by which all parties perform a complex joint computation in order to complete a task, while their data remains private and secure and is not shared with the other parties.
Specific to the MPC wallet, or more precisely the threshold signature wallet, multi-party computation over the private key enables complex verification methods such as secure multi-party joint management of on-chain accounts.
Simply speaking, it either safely breaks a private key into multiple pieces that are managed jointly by multiple parties, or simply has multiple parties jointly generate a virtual key. The latter case may be more common, because at that point nobody has ever seen the full private key. This is also what "virtual" means.
The core idea of MPC is to decentralize control in order to diversify risk or improve disaster preparedness, effectively avoiding single points of failure and other security issues.
Cobo has already explained what MPC is, so I won't introduce the concept of MPC here. We know that a new technology must be created to solve certain pain points. Just as the host said, mnemonics are anti-human things: users must keep them carefully. So from a security point of view, the private key or mnemonic is actually a single point of failure. Once stolen or lost, it is difficult to recover. The emergence of the MPC wallet is also meant to solve the problem of the single point of failure.
After summarizing a large number of wallet phishing cases, we found that Web3 wallet phishing methods can generally be divided into three categories: stealing mnemonics or private keys (for example, fake wallet apps or fake wallet browser plug-ins); maliciously modifying the target address of a transfer (for example, fake trading platform apps or fake social software such as TG); and the third, which occurs in a genuine wallet, where the attacker steals users' assets by deceiving them into approving transactions with malicious signatures.
Then, thanks to the seedless mechanism, MPC naturally defends against the method of stealing the private key, but when dealing with the other phishing methods, additional hardening and security reminders for wallets are still required.
In addition, we have recently audited several MPC wallets, and we found that there is a biometric authentication process, after which the user starts to create or restore a backup. Here the app can verify that it is the official wallet by verifying the app's signature, preventing users from restoring a backup into a malicious wallet.
In addition, even if a wallet adopts the MPC architecture, from the auditing perspective we still need to check whether the MPC implementation is secure. That's basically all I would add.
Cheers Up: Let me add something about MPC. In the signature scenario, MPC may involve two main technologies: one is threshold signature technology, called TSS in English, and the other is secret splitting technology, which is Shamir's Secret Sharing, or SSS for short. The difference between the two is that threshold signature technology, TSS, signs directly, while secret splitting technology, SSS, mainly encrypts and decrypts information.
When a private key signature is required, if threshold signature technology is used, it is generally not necessary to splice the fragments together to form a complete private key. Instead, all parties perform calculations using their own fragments in accordance with the requirements of the established security protocol, and combine their calculation results into a complete signature. It should be noted that during this process, the full private key does not need to be recovered. This is a core security property of threshold signature technology.
As for the Shamir's Secret Sharing algorithm, if you use SSS technology, you often need to restore the key first. This seems less secure than the threshold signature technique, but it may be more applicable in certain situations. For example, if the shared secret is not a seed or a private key, but the password of a symmetric encryption algorithm used to encrypt further information, then SSS technology may be more suitable for that occasion. Of course, the equipment or computer used to reconstruct secrets requires special security hardening, and even some confidential computing technologies can be used to provide further security guarantees.
Kitty: Here I would like to add a question: why do the wallets we use have an explicit mnemonic? Whether it is a hardware wallet like OneKey or Keystone, or the more commonly used Little Fox (MetaMask) or imToken, you need to write down a long list of mnemonic words. Is it because MPC technology is immature?
Cheers Up: Yes, threshold signature technology seems very safe, so why has it only started to be discussed more recently? This is because the signature algorithm used by Ethereum, ECDSA, does not use the private key in the way the RSA signature algorithm does, and cannot directly use a threshold signature scheme. In fact, there is a process of research and development, maturation, and adoption for new technologies. This includes an algorithm for two-party signatures at the beginning, which may have been proposed by Lindell in 2017.
It was not until 2018 that m-of-n algorithms appeared, including GG18. The so-called m-of-n means, for example, three out of five people, or two out of three people. Then cryptographers research the algorithm, and there is a process of security analysis, followed by library development and application development. In fact, GG18 was found to have a small security hazard in 2021. It is not difficult to fix, but it is really not easy to say the word "secure". And this is only about the security risks in the algorithm. In the actual implementation, whether or not there are implementation problems, it is still necessary to invite a team of experts to audit. This is why several TSS libraries carry a security audit. This also takes time, including audits and bug fixes, validation, etc., which can take months.
In other words, this threshold signature algorithm has actually been adopted very quickly. For the products introduced by the previous guests, the teams behind them are already moving relatively fast.
Cobo: Seedless or keyless means that during the user's use, no explicit complete mnemonic or private key ever appears. In a threshold signature scheme, there are two core processes, namely the KeyGen private key generation process and the Signing process. In KeyGen, all participants perform calculations through MPC, and eventually everyone obtains a private key shard; then in Signing, each participant performs MPC calculations based on their own private key shard to obtain a valid signature.
During the whole process, the complete private key will not appear explicitly on any device, so it resists single-point risks well. But at the logical level, the private key of this group does exist. Furthermore, if the participating parties encounter some system failures that make the threshold signature system unable to operate, theoretically it is possible to agree on a process to collect the private key fragments in everyone's hands in a certain place and recover a real private key. Of course, this is a disaster recovery solution and is only used in extreme cases.
Slow Mist: The seed here refers to the seed phrase, that is, the mnemonic phrase we are often asked to back up when we create a wallet. So seedless means "without mnemonic", or it can also be said as "without private key".
Note that "without" does not mean that there is no key in the actual sense, but that there is no need for the user to back up mnemonic words/private keys or perceive their existence. So for the wallet, that is, the wallet will not generate or save the complete private key and seed phrase at any time. Throughout the process of creating a keyless wallet, private keys are not created or stored at any time or anywhere. When signing a transaction, no private key is involved and at no point will the private key be reconstructed.
From the perspective of our security audit, we would say this: we pay attention to the security lifecycle of the key, and during generation, storage, use, backup, and destruction, the complete private key or seed phrase should not appear. Unlike traditional wallets that use private keys to sign transactions (which creates a risk of theft), keyless wallets are able to co-sign transactions with multiple key shares from different parties in a distributed fashion, without the key shares being exposed to each other or to any other party.
Cobo: MPC solves the problem of single-point risk, but that does not mean that after using MPC technology you can sit back and relax. The holder of each private key shard should actually manage the MPC private key shard with a secure storage logic no weaker than that of the original single-signature private key.
Taking the Cobo Custody business as an example, in the original full custody mode, we use SGX or an HSM to keep users' private keys; under the future MPC-based collaborative wallet, our internal risk control management logic for the MPC private key shard we hold is consistent with the original risk control management logic for the single-signature private key. There will be no reduction in security capability. Under the MPC co-managed wallet, the benefit for customers is that it removes the risk of Cobo as a single point of failure, but as holders of MPC private key shards, the customers' security responsibility actually increases, and we will also assist customers in building a set of internal systems to maintain the management and daily use of this MPC private key shard.
In addition, the aforementioned ToC wallets such as ZenGo design complex MPC private key shard access, backup and recovery logic, on the one hand to ensure that the MPC private key shards in the hands of customers will not be leaked, and on the other hand to ensure that MPC private key shards will not be lost due to customer misuse. By the way, sometimes the loss of a private key is actually more dangerous than the leakage of a private key. The leakage of a private key leads to the theft of assets, and there may be some ways to get the hacker to return the money, but if the private key is lost, there is no way to recover it at all.
Kitty: So Cobo's custody service means that Cobo and the user manage a multi-signature wallet together. Will you assist users in risk judgment and verification when they make transactions? I used to think that custody meant depositing money directly with you guys.
Slow Mist: There are two types of accounts in Ethereum: externally owned accounts and contract accounts.
The externally owned account is the wallet account we usually use to initiate transactions. It is controlled by a private key. The account itself has no code and is therefore independent of the Ethereum Virtual Machine.
A contract account is a smart contract, whose code is run by the Ethereum Virtual Machine and stored in the smart contract account, controlled by the code the Ethereum Virtual Machine executes.
Account abstraction is trying to combine the two types of accounts into one, that is, to make external accounts work the same way as contract accounts. Reference: https://legacy.ethgasstation.info/blog/ethereum-account-abstraction-explained/
As a wallet user, many factors need to be considered, such as gas price, gas limit, transaction blocking and other complex cost logic; it is not particularly suitable for users to deal with these problems directly. Making external accounts closer to contract accounts allows wallets to be empowered to handle this complex logic through smart contracts.
Kitty: Got it. External accounts have no code logic. If you want to introduce more complex logic to implement other functions, such as multi-signature, you need to use MPC and account abstraction. Let's see if Teacher Zhixian has anything to add.
Magistrate: From the perspective of the EVM (Ethereum Virtual Machine), account abstraction makes it possible to replace cryptographic tools in the future; from the user's point of view, account abstraction can be used to improve the user experience, such as seedless/gasless, which lets users use it very smoothly; in terms of user experience and assets, account abstraction can also allow users to upgrade their account logic without changing their addresses, and add more security or convenience capabilities.
From an ecosystem point of view, account abstraction liberates client capabilities and can provide new underlying capabilities such as batch transactions and offline authorization, similar to how the GPS capability provided by smartphones allowed LBS-related products to shine. Building upper-layer applications on account abstraction capabilities is more likely to produce products that can acquire a large number of users, and further, the earliest Web3-native applications may appear.
Magistrate: Yes, MPC provides the key layer. The smart wallet sits on top of the key layer ("extracted" from the account abstraction), and different key layers can be selected according to the needs of the scenario. For example, the UniPass SDK wallet has Zengo's 2-of-2 MPC solution built in to meet the needs of an embedded SDK; the Seedless Snap made by UniPass and MetaMask uses the key management provided by MetaMask Flask as the key layer, so there is no MPC. Now we are also selecting partners for the MPC solution / EOA wallet solution to provide more suitable key layer solutions for users in more diverse scenarios in the future.
Cobo: At present, most account abstraction wallets have been developed independently of MPC wallets.
I can briefly introduce the advantages and disadvantages of the two. The advantage of the account abstraction wallet is that it can realize a lot of complicated business logic, but its disadvantage or limitation is that it needs the support of the underlying public chain or smart contract system, so its cross-platform ability is weak; generally this concept is only mentioned in the EVM ecosystem now. The advantage of the MPC wallet is that it is very easy to make cross-platform: as long as a few types of signature curves are supported, it can basically serve all public chains on the market. But the disadvantage of the MPC wallet is that it can only achieve multi-signature capability, or going a bit further, some layered multi-signature capability; it cannot implement particularly complex business logic.
In general, the account abstraction wallet relies on complex smart contract logic or chain logic to achieve capabilities such as permission distribution, risk control, and social recovery; the MPC wallet relies on cryptographic principles to realize multi-signature capability on any public chain. In fact, the two are technical means at different levels: one is in the underlying cryptography, and the other is in the application layer of smart contracts or chains, so theoretically the two can definitely be used together.
Slow Mist: Here are some supplements. For example, in the multi-signature contract scenario, different permissions are defined for each private key: transactions below 50U need to be signed by private key A, transactions above 50U need to be signed by private key B, transactions exceeding 2000U need to be co-signed by private keys A, B and C, etc.
But in fact, the wallets of parties A, B, C and others can also be realized and managed through the MPC solution.
Of course, you can also use the MPC scheme to approve business processes (as Safe Heron does). The method is perceptually similar to the multi-signature contract, except that the multi-signature contract method requires multiple wallet addresses and is realized on-chain through smart contracts, while the MPC scheme can achieve such effects off-chain through key sharding/thresholds.
Magistrate: The bosses will definitely talk about a lot of security solutions related to key management, so I won't repeat that. Let me talk about the security improvements that Web2 and even everyday facilities can bring, many of which belong to the level of interaction security:
· The WebAuthn standard can make 2FA more secure and convenient, and can also prevent phishing; if the giants implement more algorithms, or on some chains with flexible cryptography, this standard can also be used directly to generate and manage keys, which is full of security and convenience.
· HRM (Human Readable Message) related standards are advancing smoothly, such as EIP-712, and more and more transaction insight services let everyone know what they are doing when signing.
· The smart wallet can allow users to use different keys to do different things; for example, asset-related keys and login-related keys can be different, but they all correspond to the same address (account).
· Smart wallets can also allow users to use familiar everyday infrastructure such as passport/bank card/email to enhance account security.
Kitty: As far as I know, some chain wallets already partially support 2FA and several of the solutions proposed by Mr. Zhixian.
SlowMist: Mnemonics and private keys are a single point of failure, so: a technology that can solve the single point of failure problem. In the MPC wallet, user-controlled private key shards (stored on different devices) are a technology that can recover the complete private key authority.
(Assuming a scenario where the wallet project party is maliciously DDoSed, the user can still exercise the key authority normally without being affected.)
A technology that can identify malicious signatures/blacklisted addresses and provide effective security reminders.
Magistrate: I'm not a professional on this, haha. Smart wallets (Gnosis Safe) are also useful, as is MPC (Fireblocks). I think from the perspective of a retail investor (a "leek"), it mainly depends on transparency, such as who has the authority to move money and how much money is moved.
The advantage of smart wallets in this regard is that permission control can be made more flexible and complex, such as permissions, the introduction of on-chain governance, and more.
Cheers Up: Here I can briefly introduce some security practices of the Cheers UP project and explain them to the community; at the same time, please feel free to enlighten me.
Currently, the project party's assets are the assets held at baselabs.eth, where the sales revenue and the blind boxes attributed to the project party are mainly placed. It holds hundreds of ether and more than 200 blind boxes, and the treasury assets also include more than 200 blind boxes. Of course, security is very important here, and we don't want to lose assets, which would be bad for both our project party and the entire community. Surely no one wants that to happen.
So our project party has actually put the safety of these assets in a very important position from the very beginning. We start from the two aspects of technology and management process to ensure the security of assets. First of all, technically, we have adopted MPC technology, and we have technically ensured that no one in the team has the private keys of our assets. They are all controlled collectively, and even the few colleagues who control them collectively cannot directly recover the private key; there are some technical barriers. I may not go into detail about the specific technology here, but technically, not only does no single person hold the private key, no group directly holds it either.
The second is to ensure the management and process. Because even the best technology is used by people, we need to minimize and control the risks brought about by human errors and human factors. I just said that all our private keys are collectively controlled, but in fact, we need to add collective management on top of that. Here I may not fully describe our specific technology and management solutions. What I want to share is that all scenarios using private key signatures, whether signing transactions or invoking contracts, require multiple people to participate and confirm jointly, and there will be corresponding records for later auditing. If one of the participants has doubts about a transaction and does not advance his part, then the transaction cannot proceed until the doubts are cleared.
Through this two-pronged approach, we jointly protect the safety of project assets and treasury assets from both the technical and the human side. Of course, we don't just do it once and for all; we will continue to pay attention, continue to study, and continue to improve.
I can go back and answer the host's previous question. The question was: is MPC technology similar to ZK zero-knowledge proofs? Both make it possible to get answers or complete calculations without exposing private data.
Let's put it this way: the host's question itself reflects a very keen observation. While in reality the two technologies are quite different, they do share certain similarities.
As the name suggests, zero-knowledge proof is a kind of proof technology; and in MPC, the C stands for Computation, meaning calculation. The focus or purpose is different.
But there are also calculations in zero-knowledge proofs, which prove the result of a certain calculation. For example, I have a secret piece of data; I will not tell you what it is, but its hash is such-and-such, and here is the proof data, which you can verify. Then the other party verifies it, and it really is so. Therefore, its protection of privacy is reflected in the fact that there is no need to disclose the secret data in order to prove a result calculated from that data.
The more important thing about MPC is the MP, that is, Multi-Party: it is a calculation involving multiple parties. If TSS threshold signature technology is applied in a wallet, it can complete the signature without reconstructing the private key, which plays a role in protecting the private key. MPC technology may also apply certain zero-knowledge proof techniques. For example, if a certain P in MP is a third-party server, will this server launch a protocol attack on me, trying to steal my private key shard? This is entirely possible, and zero-knowledge proof technology can be used to prove that everyone strictly follows the MPC protocol when participating in the calculation.
So back to the host's question: it is indeed true that, in terms of the protective functions they play, they have certain similarities, but the specific application scenarios are different. Then, according to the specific scenario, you need to choose the corresponding technology.
This article is from a contribution and does not represent the views of BlockBeats