Shard X is a digital asset security provider specializing in Secure Multi-Party Computation (MPC) applications for use by exchanges, custodians and other blockchain-interfacing businesses. Shard X’s software solution provides a unique way of generating wallets without a private key. This removes the single point of failure of blockchain assets – the private key – and offers security comparable to cold storage while maintaining the ability to transact as quickly as with a hot or "networked" wallet.

Goal: Develop an implementation of MPC-based technology for storing and managing digital assets on Stellar Network

Timeline: 6 - 8 Months

Description:
Shard X is a technology service provider specializing in the development of secure multi-party computation technology. Shard X has had success in building Bitcoin and Ethereum implementations of this technology and now intends to build an implementation for the Stellar Network, with the long-term goal of lowering the barrier to entry for businesses to build on or gain exposure to Stellar-based assets.
MPC-based technology removes the single point of failure of blockchain assets, the private key, and has a number of inherent advantages over established mechanisms, including:

  • The ability to generate and transact from wallets without construction of a private key translates to a much higher degree of security

  • Replacing a private key with multiple unique and independently generated secrets ("shares") makes blockchain assets easier to manage in organisations

  • The ability to transact using variable quorum (M-of-N) without construction or reconstruction of a private key

  • Enables businesses to change quorum structure at any given time based on changing business requirements, i.e. easily moving from a 3-of-3 to 3-of-5 quorum scheme

  • Systematic refreshing of keys to maintain a high degree of security and privacy

  • More private than multi-signature or smart contract schemes (the result looks like a normal signature)

  • Highly scalable (software only)

The result is a software solution for generating and managing institutional-grade wallets on the Stellar Network, which lowers the barrier to entry for businesses to make use of the Stellar Network and in turn improves rates of adoption.

Links:
Website: www.shardx.io

    navshardx

    I've got the code for this ready for Stellar already, so you can just redirect your funds to me, mkay 🙂

    [unknown] This can also be done with multi sig, where 3 to 5 people in the organisation can sign a transaction based on weight.
    Why would I want to use a software solution when I can use one that comes with the blockchain itself?

    Stellar only supports up to twenty signers per account, and twenty signers per transaction.
    Using threshold-MuSig, there aren't really any limits, more than w/ the complexity of the setup MPC + signing MPC, all of which take place off-chain anyway.

    [unknown] Why would I want to use this when there is a private key and multisig?

    Sometimes you want the privacy of not letting people know a certain account has multiple signers, or you don't want to expose the individual keys of the signers.

    The irony is, of course, that businesses aren't even using the regular multi-signature capabilities that come with Stellar in any meaningful fashion.

      dzham A while ago I spent some time reading articles regarding various secret sharing schemes. Looks like currently Boneh–Lynn–Shacham is the most promising scheme, beating Shamir's (or Schnorr) secret sharing in most cases. But I failed to find an answer (and I dug through a lot of papers for both SSS and BLS) for my main question. Is it possible to generate the parts of a secret key separately (on different machines) and is it possible to sign a message separately, without reconstructing the secret key from parts? In the case of an untrusted environment, the machine that generates the secret key (or reconstructs it from several multisig parts) is potentially vulnerable, and this makes the whole scheme vulnerable by default.

      Could you please share your hands-on experience? Maybe I'm missing something?

        OrbitLens Is it possible to generate the parts of a secret key separately (on different machines) and is it possible to sign a message separately, without reconstructing the secret key from parts?

        Yes!

        If you've followed what's going on in Bitcoin country, there's been a lot of talk recently about Schnorr signatures, and what you can do with them. Ed25519 is basically a Schnorr signature scheme, so most of the things you read can be applied directly to Stellar.

        Blockstream's MuSig is an n-of-n multisignature scheme that takes n public keys, generates a new, joint public key, and provides a way to sign partial signatures and aggregate them into a full signature, w/o anyone having access to anything more than their own private key.

        This can be extended to n-of-m by using SSS.

        OrbitLens Could you please share your hands-on experience? Maybe I'm missing something?

        I pinged you on keybase

        [unknown]

        Some of the advantages for using this on an ed25519 asset like Stellar are that:

        • It generalizes to the m-of-n case much more gracefully than MuSig, which requires building a Merkle tree of all key combinations, which grows exponentially, whereas MPC threshold signing schemes typically scale linearly.
        • Using SSSS to "generalize" n-of-n to m-of-n is what some call a "presentation layer threshold signature" and basically has most of the problems of plain SSSS.
        • Share refresh, when combined with the ability to issue new shares, allows redefining the quorum over time without changing the public key, making an attacker's life much more difficult, because they have to assemble a quorum within a restricted time window.

        So in a nutshell, MuSig is a definite improvement over plain multisig, and MPC signing takes this a few steps further.

          navshardx

          MuSig doesn't require Merkle trees for m-of-n, that was just an early suggestion people had. Andrew Poelstra has a video presentation where he goes through verifiable secret sharing using Feldman's scheme.

          Share refresh never really becomes an issue with Stellar, since you can just use an account with zero master-weight, and use an auxiliary signer that you replace when needed.
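The mechanics the thread argues about (OrbitLens's question of generating key parts on separate machines and signing without ever reconstructing the key, the m-of-n threshold signing and share refresh / quorum redefinition with an unchanged public key from the [unknown] reply, and the 3-of-3 to 3-of-5 move from the proposal's bullet list) can be shown end to end in a few dozen lines. The following is an added study example, not code from Shard X, Stellar, or any library. It does Schnorr threshold signing on the real Ed25519 curve parameters, but with simplifications that are my own assumptions: affine Python point arithmetic (slow, not constant-time), random nonces instead of RFC 8032's deterministic ones, a simplified challenge hash and no point encoding (so signatures are not wire-compatible with Stellar), and no Feldman-style verifiable commitments, so dealers are assumed honest. One `reshare` function covers both proactive refresh (same t and n) and quorum change (new t or n), which generalizes the two cases the thread describes separately.

```python
import hashlib
import secrets

# Ed25519 parameters: field prime, curve constant d and the prime order L of the
# base point. Key shares and nonces are scalars in Z_L, exactly as for Ed25519.
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P
L = 2**252 + 27742317777372353535851937790883648493
IDENTITY = (0, 1)


def point_add(a, b):
    """Affine twisted-Edwards addition for a = -1; complete, so it also doubles."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return x3, y3


def scalar_mult(k, point):
    """Plain double-and-add (assumption: speed and side channels do not matter here)."""
    result, addend = IDENTITY, point
    for bit in bin(k)[2:][::-1]:
        if bit == "1":
            result = point_add(result, addend)
        addend = point_add(addend, addend)
    return result


def on_curve(pt):
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


# Base point: y = 4/5 as in the Ed25519 spec, x recovered from the curve equation
# with the P = 5 (mod 8) square-root trick that Ed25519 point decoding uses.
BY = 4 * pow(5, -1, P) % P
_v = (BY * BY - 1) * pow(D * BY * BY + 1, -1, P) % P
BX = pow(_v, (P + 3) // 8, P)
if (BX * BX - _v) % P:
    BX = BX * pow(2, (P - 1) // 4, P) % P
B = (BX, BY)


def poly_eval(coeffs, x):
    return sum(c * pow(x, i, L) for i, c in enumerate(coeffs)) % L


def lagrange_at_zero(i, quorum):
    """lambda_i such that sum(lambda_i * f(i) for i in quorum) == f(0) mod L."""
    num = den = 1
    for j in quorum:
        if j != i:
            num, den = num * -j % L, den * (i - j) % L
    return num * pow(den, -1, L) % L


def dkg(t, n):
    """Dealerless key generation: party i picks its own degree-(t-1) polynomial,
    sends f_i(j) to party j and publishes f_i(0)*B. Party j's share is the sum of
    what it received; the public key is the sum of the commitments. Nobody ever
    holds f(0), the private key."""
    polys = {i: [secrets.randbelow(L) for _ in range(t)] for i in range(1, n + 1)}
    shares = {j: sum(poly_eval(polys[i], j) for i in polys) % L for j in polys}
    pk = IDENTITY
    for i in polys:
        pk = point_add(pk, scalar_mult(polys[i][0], B))
    return shares, pk


def challenge(R, pk, msg):
    h = hashlib.sha512(f"{R}{pk}".encode() + msg).digest()
    return int.from_bytes(h, "little") % L


def threshold_sign(shares, quorum, pk, msg):
    """Round 1: each quorum member publishes R_i = k_i*B; R is their sum.
    Round 2: each returns s_i = k_i + c*lambda_i*share_i. (R, sum of s_i) is an
    ordinary Schnorr signature under pk, produced without reconstructing the key."""
    nonces = {i: secrets.randbelow(L) for i in quorum}
    R = IDENTITY
    for i in quorum:
        R = point_add(R, scalar_mult(nonces[i], B))
    c = challenge(R, pk, msg)
    s = sum(nonces[i] + c * lagrange_at_zero(i, quorum) * shares[i] for i in quorum) % L
    return R, s


def verify(pk, msg, sig):
    R, s = sig
    return scalar_mult(s, B) == point_add(R, scalar_mult(challenge(R, pk, msg), pk))


def reshare(shares, quorum, t_new, n_new):
    """A quorum of current holders re-shares its Lagrange-weighted share through a
    fresh random polynomial to n_new holders. Same (t, n): proactive refresh, and
    old and new shares are incompatible. New (t, n): quorum change. pk is unchanged."""
    sub = {i: [lagrange_at_zero(i, quorum) * shares[i] % L]
           + [secrets.randbelow(L) for _ in range(t_new - 1)] for i in quorum}
    return {j: sum(poly_eval(sub[i], j) for i in quorum) % L for j in range(1, n_new + 1)}


def demo(msg=b"constructed sample payload"):
    shares, pk = dkg(3, 3)                                # 3-of-3, no dealer
    ok_33 = verify(pk, msg, threshold_sign(shares, [1, 2, 3], pk, msg))
    new = reshare(shares, [1, 2, 3], 3, 5)               # redefine as 3-of-5
    ok_35 = verify(pk, msg, threshold_sign(new, [2, 4, 5], pk, msg))
    mixed = {1: shares[1], 2: shares[2], 3: new[3]}      # stale + fresh shares
    ok_mixed = verify(pk, msg, threshold_sign(mixed, [1, 2, 3], pk, msg))
    return ok_33, ok_35, ok_mixed
```

`demo()` returns `(True, True, False)`: the original 3-of-3 group signs, a fresh 3-of-5 quorum that never saw the original shares signs under the same public key, and a quorum that mixes a stale share with refreshed ones cannot, which is the time-window argument from the thread in concrete form. The verifier is the plain single-key Schnorr check, so nothing on-chain reveals how many parties were involved. The pieces a deployment adds on top are the ones the replies name: Feldman commitments so each party can check the sub-shares it receives, and a nonce protocol that does not depend on every signer being honest about R_i.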