Original title: "The Endgame of Web3 Wallets: Unifying Security, Convenience and Decentralization"
Original article by Cipher, SevenUp DAO
In the Web3 world the wallet is the unity of assets, identity and account, and its consistency and composability across applications matter even more than a WeChat or Google account does in the traditional world. However, because of the barrier to using a wallet at all, Web3 wallet adoption has never broken past the order of magnitude set by Metamask's monthly active users.
A standard EOA wallet address, as represented by Metamask, is the hash of the public key that corresponds to the private key the user manages. This sentence alone explains why most people are kept out of the Web3 world: there are too many concepts to understand. The problem is that these concepts really cannot be dispensed with. To use an EOA wallet you have to manage the private key yourself through a mnemonic, you have to understand what a public key and a digital signature are, and if the mnemonic is lost or leaked, assets and identity are gone permanently. These barriers are so high that users must be extremely motivated to come in. This is why the current mainstream users of Web3 apps are speculative, throwaway users rather than normal users in the ordinary sense. That in turn pushes the Web3 application ecosystem in the wrong direction: nobody really cares whether your project has long-term value, and when the token launches and how to get onto the whitelist become users' main concerns.
Of course, EOA wallets are not the only option. Centralized custody, MPC and account abstraction wallets are all attempts at a wallet solution that balances ease of use with security. Centralized custody is not accepted by mainstream applications because of single-point risk and the security of fund management. So can the multi-party MPC scheme and the abstract account wallet scheme completely resolve the contradiction between security and convenience?
MPC technology splits the key into shards, with the user and the custodian each holding a part. To use the wallet, both parties must cooperate to complete the signature. If the user-side shard is lost, it can be recovered through multiple custodians, and neither party can move user assets on its own. This seems to solve both the barrier of user-managed private keys and the ethical problem of asset custody, and it is currently being promoted as a promising solution. But while MPC addresses these issues, it introduces larger ones that make it impossible for MPC to become the infrastructure for mass adoption of Web3 accounts.
MPC does address the security risk of a user losing the private key, but the risk of damage to the MPC server is largely ignored. MPC servers often rely on hardware security modules (HSMs), which are subject to accidental damage; once the equipment is damaged, the user keys on it cannot be easily recovered and may even be lost permanently. In response, some MPC providers claim to insure these servers. Obviously such a policy can only cover the loss of the hardware, not the corresponding loss of digital assets, which only shows how serious these risks are. The fact that most MPC wallets do not directly inform users about the risk, or address it publicly, amplifies it further.
MPC claims to solve the single point of failure of a user holding the private key: even if the user's key shard is lost, it can be recovered through the MPC service. But looking at the package as a whole, the MPC provider becomes the new single point of failure. MPC services often brush this aside by saying that "multiple individual shards are kept in the cloud, with no single point of failure", but once the MPC service stops operating (the life cycle of a blockchain startup is usually under two years), users lose access to their accounts regardless of how many key shards were distributed. Even if the MPC provider let users migrate keys, the migration process would be a nightmare for users and applications alike.
Every user signature and every interaction must pass through the MPC server, and TSS itself is computationally demanding, so the number of transactions per second an MPC server can process is limited. Many MPC providers claim to solve this by piling on hardware in HSM clusters. This approach is unlikely to really solve the performance problem, because MPC services are essentially SaaS, and compared with a distributed transaction-initiation model like EOAs there will always be performance bottlenecks.
SaaS is MPC's original sin: despite its sophisticated mathematical packaging, it is still SaaS. Users do not really care about the technology behind each solution as long as it works for them; we should not even assume that users have a deep understanding of decentralization and non-custodial security. But for developers and project teams, no one wants to tie their users to a startup with an uncertain future. This is why MPC is not the right direction.
Account Abstraction (AA) is another direction in which wallet technology is being explored. In theory it can bypass the underlying cryptographic restrictions, adopt arbitrary account authentication logic, allow arbitrary gas fee payment methods, and support account recovery logic, solving the core problems of wallet adoption (keys, gas fees and loss recovery) in one stroke. AA clearly has a bright future, and EIP-4337 recently launched on the Ethereum mainnet. Does that mean the wallet problem is solved? Unfortunately, no. EIP-4337 is an application-layer optimization on top of the traditional smart contract wallet: for example, AA transactions can be bundled to reduce the cost of a single transaction, and standardized interfaces are proposed to ease cooperation between wallet providers and aggregation service providers.
EIP-4337 can indeed solve the gas fee payment problem, so that, for example, GameFi users do not have to pay for on-chain operations. But it does not touch the deeper cryptographic algorithm problem, and therefore cannot solve the user's key management problem.
Although EIP-4337 and CA (contract) wallets theoretically allow arbitrary authentication logic, gas cost and gas limits mean that decoding and validating the mainstream cryptography used outside the blockchain world inside the EVM is not practical. That is to say, after 4337 users can still only use the default secp256k1 (or software-simulated RSA) for digital signatures, which still requires users to manage their own keys, so it still cannot bypass the biggest barrier at the user entrance.
A Device Account (DA) uses the modern computing device on the user's side (for example, the hardware security module in a PC, phone or tablet) to manage user keys and wallet accounts. Device accounts combined with account abstraction technology can achieve a perfect balance of security, convenience and decentralization.
Thanks to the development of the security architecture of modern terminal devices, today's user devices are equipped with an independent security chip that stores the user's key material. The fingerprint and face logins we use every day are backed by digital signatures from this security chip, which provides a high-security authentication scheme. Whether it is FaceID/FingerID on mobile, Windows Hello on PC, or even a standalone Yubikey, they all support a unified set of browser interfaces called WebAuthn. Through this interface a web page can ask the user's device to create a hardware-security-level private key and obtain a signature. Device accounts take advantage of this interface, invoking the biometric module to sign user transactions with a mechanism similar to a hardware wallet.
The device account experience is seamless. When the user opens a dApp's web page, the page can call the user's device account through JavaScript, with nothing to install. The DA invokes system-level biometric authentication and returns the corresponding digital signature to the dApp. To support functions such as multi-device login, fee payment on the user's behalf and social recovery, the DA sets up an abstract account on the blockchain so that these can be managed through contracts.
DA accounts have the following features:
- No mnemonic to memorize: the user key is generated and managed by the hardware device, so the user does not need to manage it, let alone write down mnemonic words.
- No password: the user's access to the key is completed by biometric identification, which is more secure than a password and cannot be forgotten.
- No email, no phone number.
- No installation: a dApp can use the DA account through the browser, with nothing to pre-install.
- Secure and leak-proof: the key is stored in hardware and cannot be read out; it can only be used through a biometric signature request, so there is nothing to steal.
- Self-signed and self-managed: no centralized custodian and no single point of failure.
- Recoverable: through AA, multiple devices can be set to log in to the same account, and social recovery is supported, so the account can be recovered even if a device is lost.
As you can see, device accounts are far superior to the other account solutions in every respect and have excellent hardware compatibility. But a big barrier to DA adoption is that it relies on key support at the base layer of the blockchain, namely full account abstraction and cryptographic abstraction. Only a handful of public chains currently have this capability.
The earliest public chain to let smart devices directly create blockchain accounts is EOS, but it takes a heavily modified approach: EOS supports the device-signature cryptography algorithm directly at the VM level. However, it does not support account abstraction, so accounts created on EOS cannot be used for multi-device backup and loss recovery. Dfinity uses a scheme similar to EOS, but the Dfinity account has some built-in account abstraction capability, so it is slightly more flexible; because of ICP's platform architecture, though, it has not been widely used. Near protocol is making similar attempts and has yet to show a finished product. Some public chains have instead gone to the hardware level: Solana and Polygon have developed "blockchain phones" whose modified hardware supports their own cryptography algorithm. But again, because account abstraction is missing, the device experience cannot cover all of the user's needs.
Worth noting are the Starknet and Nervos solutions. Unlike public chains such as Ethereum, both offer full account abstraction: Starknet is an Ethereum Layer 2 ZK Rollup chain, while Nervos is an independent Layer 1 plus Layer 2 public chain ecosystem. Ledger, a popular hardware wallet company, plans to launch Ledger Fresh, which will be available on Starknet, and the Braavos wallet has also announced that it will bring device accounts to Starknet. However, for a zero-knowledge proof scheme, the secp256r1 algorithm required by device accounts is an order of magnitude more complex than secp256k1, and the circuit overhead of supporting the device account's cryptography may far exceed that of an ordinary transaction. It remains to be seen whether Starknet can actually host device accounts. On the Nervos public chain, the JoyID wallet is developing device accounts for Nervos Layer 1 and its EVM-compatible Layer 2, which is a good experiment.
From EOA to CA to AA and DA, these terms are the product of developers thinking long term about their products. Device accounts overcome the problems of blockchain accounts in one stroke and are likely to become the ultimate solution in the Web3 world. Let us look forward to more and better Web3 infrastructure products.