Highlights from Coinbase’s First Smart Contract Hack Days

April 22, 2022 Coinbase

coinbase

By Michael Li, Vice President, Data at Coinbase

Hackathons have been a long-standing and important part of Coinbase culture, as they give our engineering teams the opportunity to collaborate with one another and experiment directly with the tools that are enabling a new era of open finance.

At Coinbase, we acknowledge that Web3 unlocks a whole new realm of possibilities for developers that are largely yet to be explored. In order to pursue these possibilities confidently, engineers need to have a baseline knowledge of the ecosystem, the Web3 stack, and key smart contract concepts across different blockchain protocols.

This year, we used the time set aside for the annual Coinbase hackathon to kick off Smart Contract Hack Days to give all of our engineers a crash course in Web3 development for real-world applications.

Time to BUIDL

In December, we assigned all participants to project pods of 5–10 individuals which were led by an experienced Coinbase team member that had been through in-depth blockchain engineering training. Following a day-long crash course in Solidity (developer tools and workflow), each pod had 48 hours to build a demo that would be judged on product, engineering, and design.

Participating pods had a chance to score one of the eight awards and crypto-forward prizes. Award categories included People’s Choice (selected by the entire audience), Learning Showcase (the pod that demonstrated the most learning through working on their project), Judges Choice (overall judge favorites), Best Executed (evaluates quality, teamwork and overall execution), and Most Creative (the most exciting and creative take on hack day guidelines).

Hack Day Showstoppers

Among the 44 pods that presented on Smart Contract Hack Demo Day, the top 5 categories of project submissions spanned Web3 infrastructure, gaming, DAOs, NFTs, and event ticketing.

While there were many strong ideas presented, some of the key ones to highlight (along with their taglines) include:

(Gas)tly: Complete gas transactions with confidence
Concert-AMWest-2: A NFT concert ticket and a marketplace contract that can transfer funds from the buyer to the marketplace and royalty to the musician
GenEd Labs: A charitable giving DAO that enables the ethical investor to leverage the blockchain to close the skill gap within underserved communities.
Real-Time Shibas: Capture the yield farms with your Shiba army
BridgeIt: Pooling deposits together for cost-efficient bridging
Not So Bored Apes: Decentralizing and revolutionizing the casino world one step at a time

What We’ve Learned After Experiencing a Day in the Life of a Web3 Dev

We were inspired by the number of creative product ideas that were presented during this time and took many important insights away to be applied for future training and hackathons.

Some of these insights include:

Teams need more focus time to execute — many projects felt they lacked adequate time to execute due to competing priorities from day-to-day work. We will improve by providing full dedicated time for all participants in the future.
Participants would like more autonomy in team creation — team dynamics are important. Finding teammates who share a similar vision or vibe or may have complementary work styles and perspectives can go a long way, especially in high-pressure scenarios.
Save room for ideation — rather than being assigned to projects, participants may feel more engaged or motivated to take an idea over the finish line if they feel more passionate about what they’re building.

What’s Next?

One of the most exciting things about Web3 is its limitless potential. It is likely that it will touch every single industry — whether that be as the infrastructure that underpins a wave of new products or as the tool for interacting with brands and businesses in a more trustless and equitable way. This year’s hackathon, in many ways, is a testament to the efforts needed to onboard developers from the world of Web2 to Web3.

At Coinbase, we remain optimistic about the future of the industry and are committed to spearheading new initiatives that will allow our teams to continue learning, creating and building together.

We are always looking for top talent to join our ever-growing team and #LiveCrypto. Learn more about open positions on our website.

Highlights from Coinbase’s First Smart Contract Hack Days was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Part 3 — Blockchain heuristics through time

April 15, 2022 Coinbase

Blockchain Analytics

Part 3 — Blockchain heuristics through time

In our last post we introduced the cornerstone of scaling up blockchain analysis, commonspend, and its pitfalls. In this blog post we’ll explore more complex and novel blockchain analysis scaling methods, their drawbacks and why time is a critical feature of blockchain analytics.

1. Change prediction

Change prediction is the second most commonly applied UTXO heuristic. It aims to predict which receiving address is controlled by the sender. A hallmark of UTXO blockchains is that when addresses transact, they move all outputs. The surplus amount is normally returned to the sender via a change address.

Consider the transaction below and try spotting the change address that belongs to the sender:

The change address is likely 374jbPUojy5pbmpjLGk8eS413Az4YyzBq6. Why? In this case, prediction logic relies on the fact that the above address is in the same address format as the input addresses (P2SH format, where sender’s addresses start with a “3”).

Among other factors, rounded amounts (i.e. 0.05 or 0.1 BTC) are often recognized as the actual send, with the rest being redirected to the change address. This suggests that change prediction relies not only on technical indicators, but also on elements of human behavior, like our affinity for rounded numbers.

Naturally, a more liberal change prediction logic that takes into account multiple variables in favor of a desired outcome can potentially lead to misattribution and mis-clustering. In particular, blockchain analytics tools can inadvertently fall into the trap of unsupervised change prediction — that’s why it is vital for blockchain investigators to be mindful of the limitations posed by this approach.

2. Change prediction, not a fact

Consider a more challenging example:

We have legacy addresses (starting with a “1”) sending on to two other legacy addresses. So which one is the change address?

The best way to figure out which address is the change address is to look at how each address spends BTC onwards. Usually output addresses receiving rounded amounts are not change addresses — but this could be wrong. So let’s just place our bet on the latter output address:

1Hs6XkSpuLguqaiKwYULH4VZ9cEkHMbsRJ — its next transction is as follows:

At first glance, this sort of looks like the pattern we saw in a previous transaction. The only aspect that stands out is a significant decrease in fees.

Looking at a second output address — 12Y8szPTeVzupEfe5RXs84fRsJJZBVhTgG — we see that its next transaction is distinct from the transaction it previously made:

The fees also look low compared to our initial transaction. And we notice that both our output addresses’ next transactions involve the original 1Hs6XkSpuLguqaiKwYULH4VZ9cEkHMbsRJ address in their outputs. Following the address’s next transaction we arrive to output #1’s next transaction.

To simplify, let’s visualize:

The diamonds in the above graph represent transactions — whereas the circles represent addresses. Notice that input address 15sMm6Rkf9hzz6ZtrrdhxdWZ8jGW12gQ93 commonspends in a transaction with 12Y8szPTeVzupEfe5RXs84fRsJJZBVhTgG. Therefore, output address #2 is in fact our change address!

This example illustrates how complicated change prediction can become leading to erroneous results.

3. Bespoke heuristics are still heuristics

Entities that attempt to preserve privacy in very public blockchains, such as exchanges and dark markets, may go out of their way to create their own wallet infrastructure that makes it difficult for blockchain investigators to identify how they operate. For these cases, blockchain analytics companies will create bespoke heuristics for these particular entities.

Still, no heuristics are foolproof. Parameters and limitations for blockchain analysis depend on how restrictive the scope is — or how much room is left for interpretation. A conservative approach would dictate not attributing anything that cannot be determined with close to 100% certainty; a liberal approach would allow wider attribution, at the cost of expanding the potential margin of error.

This also applies to any bespoke heuristic that is constructed with specific blockchain entities in mind. This is illustrated well by the above mentioned coinjoin Wasabi example. Although the transaction in question highly likely to belongs to Wasabi wallet, we need to ask ourselves what this transaction is displaying:

Most likely this transaction is displaying Wasabi addresses commonspending with other users’ addresses. As complexity increases, the accuracy of attribution decreases — especially if we consider that a user might own one or more addresses in this transaction.

Every blockchain analytics tool will have a different set of parameters and rely on different heuristics. That is why differences between clusters displayed by various tools are so common — for example, the SilkRoad cluster will each time look differently, depending on the blockchain analytics software used to conduct its analysis.

In fact, even with only comonspend applied, we see how the block explorers CryptoID and WalletExplorer both show different sizes of the Local Bitcoins cluster.

4. In blockchain analytics the future can impact the past

Einstein would probably admire blockchains, because they are one of the few examples of where the future can change the past — at least from an attribution perspective. For example, 14FUfzAjb91i7HsvuDGwjuStwhoaWLpGbh received various transactions from a P2P service provider between August and mid-September 2021. So we might think that this address could belong to an unhosted wallet.

But if we check on that address a couple days later on September 30, 3021, we suddenly notice that it’s been tagged as Unicc, a carding shop. What happened? This address commonspent 15 days later with an address we already knew belonged to Unicc — making it a part of the Unicc cluster.

This is a simple example, but you can imagine from a Compliance and market intelligence perspective that these after-the-fact attributions can have some ripple effects.

Conclusion

Blockchain analytics is an increasingly complex field of expertise. It is not as straightforward as it seems and the difficulty is compounded by the fact that conclusions are drawn not only from blockchain, but also from external sources that are often ambiguous.

It is not possible to call blockchain analytics science — after all, scientific experiments can be replicated by unrelated parties who, by following a set scientific methodology, will come to the same conclusions. In blockchain analytics even the ground truth can have multiple facades, meanings and interpretations.

Certainty of attribution is almost scarce and because multiple parties are relying on different tools for conducting transaction tracing on blockchains, it can sometimes yield dramatically different results. That is why educational efforts in this area should continuously emphasize that even the most robust, tooled-up methodologies are prone to errors.

Nothing is infallible — after all, blockchain analytics is more art than science.

Part 3 — Blockchain heuristics through time was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Quantitative Crypto Insight: an analysis of triangular arbitrage transactions in Uniswap v2

February 8, 2022 Coinbase

coinbase

By Indra Rustandi, Nabil Benbada, Yao Ma

Arbitrage defined

In traditional finance, an arbitrage is an opportunity to make a positive gain with virtually no risk involved by taking advantage of pricing discrepancies that are present in the markets. These pricing discrepancies are an indication that some inefficiencies are present in the markets.

Arbitrageurs will exploit these opportunities to make a profit and thus remove the pricing discrepancies, bringing back the markets to a more efficient state.

Triangular arbitrage in TradFi

In FX markets, a typical arbitrage trade is the triangular arbitrage which involves at least 3 currencies:

This arbitrage would take advantage of any deviation in price between the above three pairs.

Here, in an efficient market, we should always have:

In this example:

Here, any deviation from this equilibrium will lead to an arbitrage opportunity. For example, if Euro was cheaper relative to USD.

Triangular arbitrage DeFi: Uniswap

Uniswap is a decentralized exchange venue that allows two kinds of activities:

Provide liquidity of a given pair of ERC-20 tokens
Swap one ERC-20 token for another ERC-20 token

For the remainder of the post, we will focus on the second version of Uniswap (Uniswap v2), first deployed in May 2020. And since we are interested in triangular arbitrage, let us first explain how a swap is priced.

Uniswap belongs to the category of “constant-product market”. In this category, the product of the liquidities of the two ERC-20 tokens in the pair of interest is constant:

For illustration purposes, say token A is WETH while token B is USDC, and we have in the WETH-USDC pool 1,000 WETH and 3,000,000 USDC. Then,

Assume now that we want to swap 1 WETH to USDC, how much USDC can we obtain? Our trade would increase the liquidity for WETH to 1,001 WETH. In order to maintain the constant product, we have:

So the amount of USDC that we receive in the swap is:

So in our swap, we receive an effective WETH/USDC rate of 2,997.

A few things to note here:

This example doesn’t include fees to focus on the pricing.
The effective WETH/USDC rate can change when we swap a different amount of WETH. This is called slippage. In this example, the effective price “slipped” by 3 USDC or 0.1%.
Our WETH/USDC rate is purely determined by the liquidities available in the venue and is not dependent on how WETH/USDC is quoted on other venues. This is yet another possible source of arbitrage, albeit one that is beyond the scope of this post.

Triangular arbitrage opportunities in Uniswap v2

Based on the discussion so far on both triangular arbitrage and Uniswap, a natural question is how prevalent triangular arbitrage opportunities are in Uniswap v2. We try to answer this question indirectly by analyzing Uniswap v2 swap trades that take advantage of triangular arbitrage opportunities. More specifically, we focus on the following characteristics:

All the trades are executed in the same transaction to reduce the risk of prices moving and affecting the arbitrage opportunities.
All the trades involve only Uniswap v2. With this, we miss triangular arbitrage trades that involve multiple venues (e.g. simultaneous swaps on Uniswap and Sushiswap).
All the tokens involved in the trades offset except for one token: the gain token, for which the sender will gain more at the end of the trade series.

After analyzing over 68 million Uniswap v2 swaps since Uniswap v2 was deployed until the end of 2021, we found 1,371,122 swaps grouped in 429,315 transactions taking advantage of triangular arbitrage opportunities in Uniswap v2.

On a monthly basis, we see a pronounced peak in October 2020, while the number of trades taking advantage of triangular arbitrage opportunities have been decreasing since. There are many factors that might have caused this (rise of competing DEXes, arbitrage opportunities mechanically decreasing due to the market becoming more efficient…). We are currently exploring these leads to try and explain this behavior.

Next, we see which tokens are most often used as gain tokens. WETH is the clear front runner here with 417,229 trades. 2nd-4th place are occupied by stablecoins: USDC, USDT, DAI. In total, we identified 123 distinct tokens used as gain tokens, but the top four tokens account for more than 99% of the trades.

https://medium.com/media/1c7665b6df27ba38eb01b3675af0143f/href

How many legs were typically used to trade these opportunities? A majority of these trades were done using three legs. Quite a significant number also involved up to 6 legs.

https://medium.com/media/7136469e02d21099a886f6003904184b/href

How profitable are these trades? For WETH, a high proportion of the 417,229 trades involving WETH are profitable (about 94% when accounting for gas). The most profitable trade gained around 280 WETH, but the average and median gas-adjusted gains are much smaller (average: 0.08 WETH, median: 0.012 WETH).

For USDC, the trade with the most gain accumulated more than 14,000 USDC, but on average, the gain was around 97 USDC, while the median gain was almost 28 USDC.

Let us now consider the individual addresses (without revealing any specific ones) behind these trades. We found that these trades were initiated by 4,784 unique addresses, the most active of which initiated more than 16,000 trades. In total, 94 unique addresses initiated more than 1,000 trades each. When using WETH as the gain token, the most profitable address managed to accumulate more than 1,100 WETH as a result of its trades; in the case of USDC as the gain token, the most profitable address accumulated almost 35,000 in USDC.

Arbitrage trade execution

Last but not least, let us now discuss at a high level how these triangular arbitrage opportunities are detected and how the corresponding trades are executed.

We need to monitor the prices, likely using an automated process, in the Uniswap v2 pools. Given the prices for various pairs, an algorithm can run a search to see which combinations of pairs give rise to triangular arbitrage opportunities, potentially also incorporating opportunities identified from pending transactions in the mempool.

Once opportunities are identified, then we move to the execution aspect. One key consideration is minimizing slippage, and it naturally leads toward having the swaps being executed within a single transaction. Another consideration is avoiding front-running or sandwich attacks, for which Flashbots Auction can be beneficial.

Future directions

Here, we have just scratched the surface in terms of understanding and maximizing the potential of decentralized finance. We, as part of the Data Science Quantitative Research team, aim to get a good holistic understanding of this space from a quantitative perspective that can be used to drive new Coinbase products. We are looking for people that are passionate in this effort, so if you are interested in Data Science and in particular Quantitative Research in crypto, come join us.

The analysis makes use of the Uniswap v2 subgraph made available through the Graph Protocol. Thanks to Luke Youngblood and Xavier Lu for their contribution and feedback.

Quantitative Crypto Insight: an analysis of triangular arbitrage transactions in Uniswap v2 was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Scaling Content at Coinbase

December 17, 2021 Coinbase

By Clay Kohut, Senior Software Engineer

TLDR: Over the past year, Coinbase has invested in tooling to eliminate static content across our web frontend. This is the story of how we did it and why it’s important.

Coinbase Learn(ed)

The Coinbase educational portal, Coinbase Learn, launched in late 2020. Learn contains hundreds of beginner guides, practical tutorials, and market updates and is maintained by a dedicated team of content editors.

Our engineers explored various options for powering Learn. Ideally, we wanted a solution that would allow us to seamlessly integrate content into the Coinbase logged out experience.

Hosted options for blog-like content such as Medium provided too little flexibility.

The Wordpress framework was too opinionated and directly tied to the UI.

We ended up opting for a headless CMS, specifically Contentful. Contentful is a content platform that delivers a headless approach to content as well as backend extensibility to integrate with our preferred tools and ways of working. Being “headless” means the CMS is UI agnostic — it separates the content from the experience, simply providing structured JSON to the frontend, which allows for us to totally control the frontend experience.

Integrating with Contentful was simply a matter of creating data structures representing different types of content (via the Contentful UI) and then mapping those data structures to React components (which handled actually rendering the data)

Donning the Flightsuit

With Coinbase Learn under our belt and the Coinbase Direct Public Offering (DPO) on the horizon, a cohesion initiative kicked off (deemed Project Flightsuit). Project Flightsuit sought to bring a cohesive look and feel across Coinbase logged out properties as well as enforcing design standards across newly created landing pages.

While investigating the state of the Coinbase product landing pages, we uncovered 40 product surfaces spread across 15 different repositories / frontend applications. The various frontends were built using a variety of technologies — everything from React with Typescript (our current standard) to legacy Ruby on Rails templates, to static HTML.

A peek of our “Page Architecture” overview document

Leveraging the Contentful integration initially set up for Coinbase Learn, we began to create a set of “blocks” which could be used to standardize landing page layouts (while aligning around our new brand guidelines).

“Blocks,” also known as content types, are high-level components which combine to create landing pages. For example, a “Hero” block might contain a “Title”, “Subtitle” and “CTA Button” in the CMS, which corresponds to a React component on the frontend.

A “Hero Block” data structure (left) and the corresponding React component (right)

By creating a thoughtful “Block-based system” (and reworking our existing landing pages to use this system), we were able to efficiently migrate nearly all landing pages to a single frontend application, powered by React, and integrated with Contentful.

Once the block system was in place, migrating pages was a relatively simple task of dragging / dropping various blocks via the Contentful UI, and redirecting the old page routes to the new, CMS-driven alternative.

1, 2, Automate

Post-Project Flightsuit, our team focused on improving the usability and resiliency of the CMS. A few lessons learned:

Making the CMS easy-to-use for non-technical team members is extremely important. With our first pass at CMS landing pages, we had created some data structures with advanced features (such as generic layout creation) which were mostly only understood and serviceable by Engineers (thus defeating the main value prop of the CMS). We countered this by favoring editor experience above all else. By automating advanced features within Contentful wherever possible (such as automatically determining which layout would best suit a set of content), we could allow editors to focus on editing rather than building.
By integrating with Contentful (a third party), our frontends became dependent upon Contentful’s uptime. Contentful has a very consistent track record of nearly 100% uptime, but this reliance was challenged when Contentful experienced two outages due to some widespread DNS issues. (To be fair to Contentful, these outages were also experienced by some of the world’s largest websites and were the only instances we’ve seen where Contentful was unavailable). To ensure availability of our higher visibility pages (such as our homepage), we determined the best path forward was to introduce a reverse API proxy which leverages the stale-if-error, in order for our CDN to serve cached content if the upstream call happens to fail. This allows us to stay up even if the CMS goes down (for X number of days).

Above: Our CMS architecture before and after adding the cached reverse proxy

3. Training new engineering teams on working with and extending the CMS was a primary focus. My team had become the sole source of knowledge of an increasingly-used system and were often sourced to onboard new engineers to the system on a one-off basis. To better spread the knowledge of the framework, we developed the CMS Ambassador Program, which aimed to train and bring together subject matter experts for the CMS throughout the company. The program begins with a 1.5 hour structured workshop where attendees learn the ins and outs of integrating with the CMS. While this program is currently driven in real-time and onboarding sessions are held as-needed, we are currently in the process of converting this to a self-service course via an internal training tool.

A snapshot of our internal CMS Ambassador workshop

Key Results

As 2021 comes to a close, we’re proud to look back at how far we’ve come over the past year. Here is the progress we’ve seen after successfully implementing our company-wide CMS:

Landing page creation time reduced from an average of 2 weeks to less than one day.
Content change turnaround time reduced from an hour-long process of code change/review/merge/deploy to under 10 mins, and without engineering involvement.
By the end of year, 90% of all top level surfaces will be covered. This means that nearly all top-level, logged out product surfaces on Coinbase will be powered via Contentful by end of year.

These efficiency gains have been achieved thanks largely to our leadership’s investment in infra and developer tooling. Coinbase truly cares about engineering excellence, developer experience, and automating routine processes.

We also couldn’t have achieved this without the hard work of some astoundingly thoughtful, talented individuals (each of whom I’m incredibly proud to work with):

Leon Haggarty, Askat Bakyev, João Melo, Stephen Lee, Wilhelm Willie, Bryant Gallardo, Guiherme Luersen, Raymond Sohn (Eng)
Bobby Rasmusson (Product)
Ananth Chandrasekharan, Goutham Buchi, Manish Gupta (EVP of Eng)

We’re all excited to enter 2022 with a shiny, unified frontend and minimal one-off content change requests on the horizon. If you’re interested in joining Coinbase, check out our Careers page here. Here’s to a happy new year!

Scaling Content at Coinbase was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Meet Kryptology: Coinbase’s Open Source Cryptography Library

December 6, 2021 Coinbase

Blockchain

We’re excited to announce the open sourcing of Kryptology. Kryptology is a cryptographic library for the Crypto community that will enable and empower developers to create novel crypto innovations with state-of-the-art cryptography.

At Coinbase, cryptography is a first-class citizen. We’re passionate about cryptography as a driver for innovation in crypto. It is the most important mechanism for delivering delightful user experiences, and it enables privacy solutions that will change the security paradigm.

Why do we believe this?

Crypto is founded on cryptographic innovation. As described in Bitcoin’s academic pedigree, Bitcoin used existing, but not-yet-production, academic cryptography (hashcash, Chaum’s E-cash, Merkle trees) with economic game-theory to solve the Byzantine Generals problem.

Crypto changes cryptography. The feedback loop is running at warp speed. Cryptographers created private transactions with zero-knowledge techniques in ZCash, The Internet Computer is built on new cryptographic breakthroughs, Monero uses ring signatures to gain confidentiality, skale is using BLS to create roll-ups to improve scale and reduce storage on-chain, and Mina and ZCash use Halo 2 and Pasta.

Coinbase also strives to bring near-future cryptography into production. zkSNARKS and Cryptographic Accumulators, FROST, and Threshold Signing.

While enabling further innovation is our primary goal, we also aim for Kryptology to elevate the standard for what is considered to be a robust, usable cryptographic library. The library provides developers with a toolbox of secure, audited, and easy-to-use APIs. Kryptology is designed to be misuse-resistant (i.e., “hard to screw up”), so developers can focus on what they do best. We hope this translates to more projects that build and grow the crypto ecosystem.

A guide to Kryptology, including full documentation, can be found in the repository. This includes common development issues and lessons learned from our years of experience with cryptographic implementations. We hope these learnings will be uniquely valuable for others that want to support developers and build great user experiences. Over time, our goal is to support a thriving ecosystem of new and working cryptography for many more applications. Check out our open source guidelines or get started here.

If you are interested in cutting-edge cryptography, Coinbase is hiring!

Meet Kryptology: Coinbase’s Open Source Cryptography Library was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Nearly one year in: Leading the herd at Coinbase

December 2, 2021 Coinbase

By Aaron Henshaw, Head of Coinbase Cloud Engineering

It’s no secret that crypto is gaining mainstream appeal, with the global crypto market cap reaching an all-time high of $3 trillion for the first time, the total value locked in DeFi reaching $250 billion, and 16% of Americans investing in, trading, or otherwise using cryptocurrency in the past year. A growing number of the world’s largest companies are looking to integrate crypto into their applications. Recently, we’ve seen Stripe, Square, Reddit, the NBA and others introducing crypto into their product lines with no signs of this trend slowing down. They all have one thing in common: a need for infrastructure and tools to operate and participate in the ecosystem.

Coinbase Cloud is committed to empowering current and future builders of the cryptoeconomy. Part of this will be building a platform that allows developers to access a suite of primitives like trading, storing, blockchain data access, and staking services. Our vision is to unleash a wave of innovation by offering turnkey solutions, enabling the innovators of tomorrow to do what they do best: build.

Joining Forces

In January 2021, Coinbase welcomed Bison Trails to become the foundational team and platform of Coinbase Cloud. By joining forces, we could accelerate our combined mission of creating a platform for the next wave of blockchain developers and provide a space to learn, participate, and build for the future of crypto.

As the founders of Bison Trails, Joe Lallouz and I saw this as an opportunity to build something bigger than Bison Trails and more expansive for Coinbase. Coinbase’s commitment to being crypto-first undoubtedly contributed to a seamless transition for our team.

The successful transition was also made possible by the support of the Coinbase leadership team, which has been committed to bringing blockchain infrastructure to the masses, as well as making this a great place for founders like Joe and I to continue building and realizing the vision that we set out to accomplish.

As crypto becomes ubiquitous, the products and services of the Web3 era will need to be powered by reliable and secure infrastructure. Coinbase sees this opportunity and is deeply committed to both our success and the growth of the crypto ecosystem.

The Momentum

Crypto infrastructure has been the bread and butter of Bison Trails since its founding. Its infrastructure platform and products are now the foundation of the Coinbase Cloud platform and suite of developer offerings, to equip the next generation of builders with even more powerful solutions.

We power some of the world’s top custodians, exchanges, funds, dapps and token holders. We are building an industry-leading platform for anyone to participate in blockchains (e.g. Celo Validators Groups, Polkadot Validators, eth2 Validators, including helping power Coinbase’s eth2 staking). We also provide reliable infrastructure for read/write data access, empowering the developers of tomorrow to build innovative crypto products and services, scale across blockchains, gain insights into network trends, and more. This frees our customers from having to invest time and resources into developing the necessary engineering, protocol, DevOps, or security competencies to do so reliably in-house.

We are also taking network participation to the next level by engaging deeply with protocol teams. For example, we’ve worked with Solana Foundation and the NEAR council, and supported the Keanu merger, among others.

Let’s take a look at our progress so far:

$30B+ in assets on platform¹ staked across more than 25 protocols as of November 2021
60,000+ nodes across our Participate, Delegate, and Query & Transact products
Doubling the team size, including expanding our dedicated security team
30+ protocols supported for our read/write infrastructure product, Query & Transact. This includes adding support for global distribution across three cloud providers, and multi-user API key management with rate-limiting options to our customers.
Powering features and cross-platform integrations for highly scaled Coinbase products, such as custody integrations for Institutional and eth2 staking for Retail

These metrics are crucial. They measure our impact on the communities we support. Unlike passive custody, assets that are staked are actively used to secure the underlying protocols, making Coinbase Cloud the largest protector of stake-based protocols.

Given the role we play across 30+ protocols, we’ve invested in the security and operational excellence of both our platform and the broader ecosystem. For example, our double-signing protection capability for eth2 has greatly reduced the risk to our platform users of any equivocation or double signing events. It’s for these reasons that companies and ecosystem players like a16z, Current, and Turner Sports have chosen to work with Coinbase Cloud.

Trevor Marshall, CTO of Current, says “the secure, reliable infrastructure and network expertise Bison Trails (Coinbase Cloud) provides has been invaluable to making it possible for Current to be an early, active participant in Polkadot, Karura and Acala and build hybrid financial products that have the potential to improve the financial outcomes of even more people.”

Up Next

We are now preparing for the next phase. We see a future world where every developer, whether part of an early stage project or a leading financial institution, is in some way touching crypto networks. Coinbase Cloud will provide the tools and the platform they need to do that. Our mission is to empower the innovators and help accelerate the Web3 evolution. This is where the world of software is going and we’re excited to lead the herd.

¹The Bison Trails platform is non-custodial.

Nearly one year in: Leading the herd at Coinbase was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Threshold Digital Signatures

November 5, 2021 Coinbase

Bitcoin

By Cassandra Heart, Arash Afshar

Digital signatures are a foundational concept in blockchain and cryptocurrencies. Modern blockchains use digital signatures to secure billions of dollars of value. Digital signatures use what is known as a keypair, a pair of random looking values, where one key is a “private key” and the other a “public key”. Through digital signatures, any person with the “private key” can “sign” a transaction and spend the digital currencies. Therefore, it is crucial to safeguard the “private key”. Some tech-savvy users of blockchains opt to safeguard this key themselves, and accept the risk of theft or loss of the key (and therefore the loss of their funds). In contrast, other blockchain users trust online wallets or exchanges with the safeguarding of their keys. Of course, this decision comes with its own set of risks based on the competency of the third party.

In both these options, the user is putting all their trust in a single entity, which may not be desirable. Enter the Threshold Digital Signature: a solution which requires a “threshold” of at least two cooperating participants to produce a signature, and which removes the problem of trusting a single entity. In this article we:

Provide an intuitive description of Threshold Signatures and their applications,
Dig a bit deeper and look into various Threshold Signature schemes, and
Compare Threshold Signatures with other techniques, such as Mulitsig wallets.

The intuition for threshold signatures

As a developer in the space of threshold cryptography, it’s really exciting to see these innovations becoming a topic in the mainstream, but readers unfamiliar with cryptography or the math behind it quickly hit roadblocks upon encountering phrases like “Paillier cryptosystem”, “homomorphic encryption” or “Galois field”. It gets even more complicated when you discuss all the moving pieces behind it to coordinate the communication, and as a consequence, very few organizations have been willing to investigate its potential. But it doesn’t have to be scary; at the end, the math comes down to not much more than multiplication and addition. So let’s ELI5: What the heck is a threshold signature?

In metaphorical terms, signatures are akin to flying a kite on an invisible string. The kite itself is the public key — everyone can see it in the sky. The kite flier moves the kite around by manipulating the invisible string — the private key. The path it takes in the sky as it flies is the signature. Everyone saw the kite fly through the sky in that path, and only through the use of that invisible string was that flight path possible. This feels really simplified compared to the underlying math, but ultimately this metaphor is useful for demonstrating the coordination and work required to make threshold signing possible.

Enter threshold cryptography. The premise of threshold is literally in its name: some numerical value must be met for an operation to succeed. Oftentimes these processes are defined using the phrase “t of n”, where n is the number of total possible participants, and t is the threshold number that must be met. A common threshold cryptographic scheme that has been used for quite some time is Shamir’s secret sharing scheme. For those unfamiliar, the process involved uses a mathematical technique called Lagrange interpolation to recombine split values into a secret value. In the metaphorical world, it is taking that invisible string, and separating it into individual threads that many people can hold onto, and in order to fly the kite, the threshold number of people must come together and combine their threads into the string again.

This process works well, and services all over the world use it to secure secret data. The downside is that everyone who is involved must do this process in a secure location when breaking apart and recombining the secret. In cryptocurrencies, this also means that once the private key is recombined and used for signing, it should be considered exposed and all funds held by the key should be moved, so if any participant who helped in recombining the key walks away with it, they can’t do anything meaningful. This is expensive, and not to mention, requires a lot of coordination of people. What if we can take the powerful math behind cryptography and improve upon this so that nobody has to ever meet in a secure location at all?

The great news is that we can! There are mountains of literature that have risen overnight with new approaches to existing cryptosystems, improvements on previous ones, and completely groundbreaking cryptographic protocols. Navigating this field requires significant time and expertise, but here at Coinbase, we have found and implemented strategies that enable us to leverage these approaches, and support the novel approaches as they are discovered and peer reviewed. There’s a lot involved in this process, so let’s bring it back to the metaphor.

The setup process for getting our avid kite fliers ready is ultimately the unique twist that enables this entire process to work: each participant follows the same rule: they bring their own invisible thread, and their own piece of kite. Each flier agrees with the others in advance how they are going to fly, and they all proceed to run with their piece of kite at the agreed speed, angle, and time. If anyone strays from the agreed flight plan, the whole tangled mess of kites comes crashing to the ground, but if everyone proceeds as agreed, the kite takes off into one combined piece through the sky, able to perform the flight as planned. When the flight concludes, the parts disassemble mid air, and everyone goes home with their kite and thread. At no point does any one person hold the whole kite or string, and each party sees the flight plan ahead of time to know that nobody is going to try some wild antics that will let them run away with the kite.

Deeper dive into threshold signatures

Now that we have an intuitive understanding of threshold signatures, let’s dive deeper into the concepts and terminologies. The threshold signature schemes are part of the secure multi-party computation (MPC) field of cryptography. The main goal of MPC is to enable computation on private data without revealing them to anyone but the owner of the private data. For example, in the kite metaphor, the invisible pieces of the thread are the secret shares of the private key and threshold signature uses these secret shares to reconstruct the private key and sign the transaction without revealing the composite private key, nor the secret shares.

A very important ingredient of threshold signing is a mathematical construct called Elliptic Curve Cryptography. The TL;DR version is that given `y = x · G`, where `y` and `G` are publicly known values, it is very hard or even impossible to find `x` in a reasonable time frame. There are many “curves” that offer this property:

Secp256k1, which is used in Bitcoin, Etherium and many others
Edwards25519, which is used in Cardano, Monero and many others
BLS12–381, which is used in Ethereum 2.0 and some other chains

Given an appropriate elliptic curve, the next step towards a threshold signature is to first choose a standard (i.e., single-signer) digital signature scheme. The popular digital signature schemes are as follows:

ECDSA, based on the Secp256k1 curve used by Bitcoin
Schnorr, based on the Secp256k1 curve used by Bitcoin Cash and Mina
Ed25519, based on the Edwards25519 curve used by Cardano

Finally, given a digital signature we can now discuss threshold signature schemes. The threshold signature schemes start from a single-signer scheme and split the private key between `n` participants. Then, in the signing phase, t-out-of-n participants can run the signing algorithm to obtain the signature. Finally any single (external) party can verify the signature using the same algorithm for verifying the single-signer signatures. In other words, the signatures generated by threshold signature and single-signer signature schemes are interchangeable. Stated differently, a threshold signing algorithm has three phases.

Generate the public/private key pair. Next, split the private key into multiple secret shares and distribute these shares between the `n` parties. This phase can be performed in two modes.
Trusted Dealer mode: A single trusted party will generate the private key, then split and distribute the keys. The main problem with this approach is that the dealer will see the private key in plaintext.
Distributed Key Generation (DKG): an MPC protocol is run between the `n` participants such that at the end, the participants will obtain the secret shares and no one will ever see the private key in plaintext at any point in the process.
Gather a threshold of `t` participants and run an MPC protocol to sign the transaction.
Verify the signature, using the standard signature’s verification algorithm.

The threshold signature schemes are fast evolving. At the time of writing this post, the secure and popular schemes include the following.

FROST is a threshold signature and DKG protocol that offers minimal rounds of communication and is secure to be run in parallel. FROST protocol is a threshold version of the Schnorr signature scheme.
DKLs18: is a 2-out-of-2 threshold signature and DKG protocol that offers fast signature computation for ECDSA signature scheme.

Threshold Signatures and Multisig

Multisig, or multisignature schemes offer similar capabilities to threshold signatures with a difference: each participant has its own public key (instead of secret shares of a single common public key). This small difference has a huge impact on cost, speed, and availability of the multisig on various blockchains.

Efficiency: in threshold signature schemes, each public key, and its corresponding private keyshares, belong permanently to a single, fixed group of signers; in multisignatures, each individual participant has its own distinct, dedicated public key. The benefit of this latter scheme is that each such participant can reuse its private–public keypair to participate in arbitrarily many distinct signing groups. The cost of using multisignatures, however, is that the size of the “public key” (actually, a list of public keys) representing any particular such group must grow linearly in the number of members of that group. Similarly, the verification time of a multisignature obviously must grow linearly in the size of the group, as the verifier must in particular read the entire list of public keys representing the group. In threshold schemes, by contrast, just one public key represents the entire group, and both key-size and verification time are constant.
Availability: to ensure that the minimum threshold of `t` is met, the blockchain should have native support for multisignatures. In most cases, this support is in the form of a smart contract. As a result, not all blockchains support multisig wallets. In contrast, the MPC-based threshold signatures are independent of the blockchain as long as the signature scheme that is used by the blockchain has a secure threshold version.

Final Notes

Threshold digital signatures enable us to do incredible things previously not possible in cryptocurrencies — multisig contracts require additional costs to operate, but this can happen without a smart contract. This means that we can support a whole new tier of wallets: where before there is the traditional custodial wallet like Coinbase offers in many different ways, or self-custody wallet options like our Coinbase Wallet application, this threshold ECDSA approach allows customers to be an active participant in this signing process. In this approach, the user holds a share of the private key, and Coinbase holds another, and only when both agree to the flight plan, can transactions be signed. This provides the security and trust we are known for at Coinbase, with the user remaining the one in control.

If you are interested in cutting-edge cryptography, check out our open roles here.

Threshold Digital Signatures was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Fast, Secure 2-of-2 ECDSA using DKLs18

November 1, 2021 Coinbase

coinbase

We’ve already discussed the general notions of digital signatures and threshold signatures in a prior post. At Coinbase, we’ve focused our attention specifically on two-party threshold signing; we’ll discuss this setting in this post.

DKLs: an introduction. While threshold-signing protocols for the Schnorr and BLS schemes are relatively straightforward, threshold ECDSA is much harder. A number of protocols exist for 2-of-2 ECDSA signing; some target it explicitly (i.e., they don’t support more general choices of t and n). In this purely expository blog post, we’ll study one in particular: the 2018 protocol of Doerner, Kondi, Lee and shelat. This protocol builds on prior work of Chou and Orlandi and Keller, Orsini and Scholl. This protocol — or “DKLs”, for short — allows two parties to securely generate an ECDSA signature in just a handful of milliseconds, by exchanging just 3 messages, and all the while transmitting about 120 total kilobytes of data. In the process, it uses a few interesting techniques in secure two-party computation, and represents a disciplined, striking contribution to this field.

Let’s now say a few technical things about how DKLs works. The basic idea has to do with multiplicative secret-sharing of prime-field elements. If our two parties — Alice and Bob, say — locally generate random scalars sk_A and sk_B in 𝔽_q, then, after performing a Diffie–Hellman-like exchange, the parties may mutually derive the jointly owned public key P = sk_A · sk_B · G, without learning anything about each other’s respective key-shares (or the joint secret key). The joint secret key is the product sk := sk_A · sk_B (mod q). DKLs is unusual in its use of multiplicative sharing; the protocol fails to generalize to the (t, n) setting for essentially this reason.

The parties begin the process of ECDSA-signing a particular message m in an analogous way. They generate individual nonce-shares k_A and k_B randomly, and construct R := k_A · k_B · G as they did P; using R’s coordinates (x, y), they both acquire the first signature component r := x (mod p). It remains only for the parties to jointly construct s := H(m) · k⁻¹ + r · sk · k⁻¹ (mod q), as prescribed by the definition of ECDSA. The trouble is that the parties only possess multiplicative sharings of the quantities k and sk, and not the required values themselves.

DKLs observes that the expression defining s can just as well be written as:

https://medium.com/media/2a0c40a041fc6a2fe623305df1fa751c/href

The first key idea is that it would be enough for the parties to obtain random additive sharings of the two product expressions 1/k_A · 1/k_B and sk_A / k_A · sk_B / k_B above. Indeed, if the parties were to obtain such sharings, then they could both proceed by multiplying these local shares by H(m) and r, respectively, and adding the results (recall that both parties know H(m) and r). Upon doing so, the parties would acquire additive sharings of s itself, which they could finally safely exchange (i.e., without leaking any further information about s’s individual summands). Note finally that Alice can locally compute the left-hand multiplicands 1/k_A and sk_A/k_A; Bob can likewise locally compute the right-hand multiplicands 1/k_B and sk_B/k_B.

It’s thus enough to handle the problem of “secure multiplication”, also sometimes termed “multiplicative-to-additive conversion”. In this problem, two parties submit respective input scalars i_A and i_A, and wind up with random additive shares t_a and t_b of the product i_A · i_B (mod q). In other words, the identity t_A + t_B = i_A · i_B (mod q) should hold, and moreover the outputs t_A and t_B should be random subject to this condition; finally, the parties must learn nothing about each other’s inputs i_A and i_B in the process of executing the protocol (even if they engage in malicious behavior).

DKLs describes a fascinating secure multiplication subprotocol, using a further primitive called correlated oblivious transfer (cOT for short). In a cOT protocol, the parties Alice and Bob have asymmetric roles. Alice inputs a single scalar, say ɑ, in 𝔽_q; Bob inputs just a single bit b. The parties each receive a scalar as output; let’s again call these t_A and t_B for now. By definition of cOT, the outputs t_A and t_B should be random subject to the condition that t_A + t_B = ɑ if Bob’s input bit b is 1 and random subject to t_A + t_B = 0 if Bob’s input bit is 0. Either way, the sender should learn nothing about the receiver’s bit b, and the receiver should learn nothing about the sender’s scalar ɑ. The definition of correlated oblivious transfer is illustrated in the figure below.

Assuming that we have a cOT protocol in hand, how can we bootstrap it into a multiplication protocol? Interestingly, Alice and Bob can use an algorithm from elementary school to do this. Let’s recall the so-called long multiplication algorithm. Roughly, the procedure successively shifts the top multiplicand to the left by one place at a time; in each step, it also multiplies this multiplicand by the appropriate digit of the lower multiplicand. Finally, it adds the resulting array of shifted and multiplied numbers. In binary, things become even simpler, because the lower multiplicand’s “digits” are each either 0 or 1. A figure depicting this process is shown below:

In each row of this figure, Alice’s original input is shifted a further step to the left. Furthermore, working right-to-left through Bob’s input, we also strike out the rows corresponding to the bits where Bob’s input is 0. Finally, we add up the resulting numbers to obtain the product. (In reality, everything here happens mod q, but let’s ignore that for clarity; we’ve also simplified various aspects of the multiplication protocol for expository purposes.)

The insight here is that we can use cOT to do this securely. Indeed, each row of the above diagonal array can be handled by exactly one correlated oblivious transfer. Alice inputs her original input i_A, appropriately shifted by j steps to the left; Bob inputs the jᵗʰ bit of his original input i_B. By definition of cOT, the parties end up with random additive shares modulo q of either 0 or 2ʲ · i_A, depending on Bob’s bit. By doing this for each row individually, the parties obtain additive sharings of each row above, while learning nothing about each other’s inputs in the process. Finally, by adding the local additive shares so obtained, the parties wind up with additive shares of the entire product i_A · i_B. This is exactly what we wanted above.

Future work. The techniques of DKLs are powerful and interesting; this makes its techniques easier to understand, generalize, and possibly improve. The main drawback of DKLs is its bandwidth requirement, which stands at a relatively high ~120KB (total bytes exchanged). It would be intriguing to try to lessen this bandwidth requirement, by improving DKLs’s techniques. We’ve considered trying to improve this bandwidth using a Karatsuba-like approach, but haven’t managed to put together the details yet. Roughly, Karatsuba works by cleverly replacing one product of full-length numbers by three products of half-length numbers (and handling these products recursively, and so on). The key fact which makes this approach faster is that multiplying two half-length numbers takes only a quarter of the work as multiplying two full-length numbers (because of the quadratic amount of work involved; see above). All said, Karatsuba can multiply two n-bit numbers in just

https://medium.com/media/4b4e72cc852ecf167dd90e8efa6f195e/href

atomic operations, as opposed to the O(n²) required by naïve multiplication. The problem with applying this technique to DKLs is that the outputs of each cOT need to be random modulo q. This forces each output to take up log q bits, even when the actual numbers involved are actually significantly smaller than q. This nullifies the benefits which Karatsuba is supposed to convey — because halving the length no longer correspondingly halves the bandwidth. It’s possible that this could be made to work using a few new ideas.

If you are interested in cutting-edge cryptography, check out our open roles here.

Fast, Secure 2-of-2 ECDSA using DKLs18 was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

FROST: Flexible Round-Optimized Schnorr Threshold Signatures

October 12, 2021 Coinbase

Bitcoin

By Daniel Zhou

FROST is a round-optimal threshold Schnorr signature protocol. Here we introduce why Coinbase decided to use FROST, what FROST is, and what we discovered while evaluating FROST.

Why FROST?

In order to improve efficiency of Coinbase’s threshold-signing systems, we decided to explore the FROST threshold Schnorr signature protocol, which features the following advantages over other Schnorr-based threshold signature protocols [GJKR03, SS01]:

Low round complexity in both the distributed key-generation and signing phases. The distributed key generation phase can be completed in 2 rounds. The signing phase can be completed in less or equal to 3 rounds depending on whether we use a signature aggregator role and a preprocessing stage. That is,

1-round signing with a trusted signature aggregator and a preprocessing stage.
2-round signing with a trusted signature aggregator, but no preprocessing stage.
3-round signing without a trusted signature aggregator and no preprocessing stage.

Concurrent security. The signing phase is secure when performed concurrently. That is, an unlimited number of signature operations can be performed in parallel. In contrast with other threshold Schnorr signature protocols, there are existing Schnorr-based threshold signature protocols, such as [GJKR03, SS01], that have the same round complexity, but they suffer from limited concurrency to protect against the attack of Drijvers et al. [DEF19]. This attack was originally proposed in a Schnorr multi-signature n-out-of-n setting, but it also applies similarly in a threshold t-out-of-n setting with the same parameters for an adversary that controls up to t-1 participants. We refer readers to section 2.6 of the FROST draft for more details. To prevent this attack without limiting concurrency, FROST binds each participant’s response to a specific message as well as the set of participants and their set of elliptic curve (EC) points used for that particular signing operation. In doing so, combining responses over different messages or EC point pairs results in an invalid signature, thwarting attacks such as those of Drijvers, et al.

Secure against dishonest majority. FROST is secure against adversaries which control up to t-1 signers in the signing phase.

Simple cryptographic building blocks and assumptions. FROST is built upon the threshold Shamir secret sharing and Feldman verifiable secret sharing schemes and it relies only on the discrete logarithm assumption.

How does FROST work?

Before we introduce how FROST works, we first recall how the standalone Schnorr signature works.

A Schnorr digital signature algorithm is a triple of algorithms: (KeyGen, Sign, Verify).

Let G be a group generator of a cyclic group with prime order p, and let H be a cryptographic hash function mapping to the field Zₚ* . A Schnorr signature is generated over a message m by the following steps:

KeyGen -> (sk, vk)

Randomly sample the secret key sk <- Zₚ.
Return (sk, vk = sk * G).

Sign(sk, m) -> sig

Randomly sample a secret nonce k <- Zₚ.
R = k * G
c = H(m, R)
z = k + sk * c (mod p)
Return signature sig = (z, c)

Verify(vk, m, sig) -> true/false

Parse sig = (z’, c’)
R’ = z * G -c * vk
c’ = H(m, R’)
Return true if c = c’, otherwise return false.

We call (sk, vk) the secret and verification keys respectively. We call m the message being signed and sig the Schnorr digital signature.

FROST is a threshold Schnorr signature protocol that contains two important components. First, n participants run a distributed key generation (DKG) protocol to generate a common verification key; at the end, each participant obtains a private secret key share and a public verification key share. Afterwards, any t-out-of-n participants can run a threshold signing protocol to collaboratively generate a valid Schnorr signature. The figure below gives a high-level sketch of how FROST works in the case of t = 3 and n = 5.

**(3, 5) — FROST DKG + Threshold Signing Overview**

In the following context, we introduce FROST distributed key generation and threshold signing in more technical details.

FROST — distributed key generation (DKG). The secret signing key in Schnorr signature is an element in the field Zₚ. The goal of this phase is to generate long-lived secret key shares and a joint verification key. This phase is run by n participants. FROST builds its own key generation phase upon Pedersen’s DKG [GJKR03], in which it uses both Shamir secret sharing and Feldman’s verifiable secret sharing schemes as subroutines. In addition, FROST also requires each participant to demonstrate knowledge of their own secret by sending to other participants a zero-knowledge proof, which itself is a Schnorr signature. This additional step protects against rogue-key attacks in the setting where t ≥ n/2.

At the end of the DKG protocol, a joint verification key vk is generated. Also, each participant Pᵢ holds a value (i, skᵢ) that is their long-lived secret share and a verification key share vkᵢ = skᵢ*G. Participant Pᵢ’s verification key share vkᵢ is used by other participants to verify the correctness of Pᵢ’s signature shares in the signing phase, while the verification key vk is used by external parties to verify signatures issued by the group.

FROST — threshold signing. We now introduce the signing protocol for FROST. This phase builds upon known techniques that employ additive secret sharing and share conversion to non-interactively generate the nonce for each signature. This phase also leverages binding techniques to avoid known forgery attacks without limiting concurrency.

Our implementation is slightly adapted from the FROST draft. In our implementation, we opted to not use the signature aggregator role. Instead, each participant is a signature aggregator. This design is more secure: all the participants of the protocol verify what others have computed to achieve a higher level of security and reduce risk. In contrast with other open source libraries, as far as we know, we are the first to implement FROST without the signature aggregator role. Furthermore, we have chosen not to do the (one-time) preprocessing stage in order to speed up the implementation. In the preprocessing stage, each participant prepares a fixed number of EC point pairs for further use, which is run for a single time for multiple threshold signing phases. However, we take this stage as an additional round and only prepare a single pair of EC points, which means we run it every time for each threshold signing phase. In more detail, there are two major differences between our implementation and the original draft.

First, the signature aggregator, as described in the draft, validates messages that are broadcast by cosigners and computes the final signature. In our implementation, we do not use such a role. Instead, each participant simply performs a broadcast in place of a signature aggregator performing coordination. Note that FROST can be instantiated without such a signature aggregator as stressed in the draft. Also, implementing it in a decentralized way is more appropriate to Coinbase’s multiparty computation approach.

Second, the protocol in the draft uses a preprocessing stage prior to signing, where each participant Pᵢ samples a sequence number, say Q, of single-use nonces (dᵢⱼ, eᵢⱼ), computes and broadcasts pairs of public points (Dᵢⱼ = dᵢⱼ*G, Eᵢⱼ = eᵢⱼ*G) for further use in subsequent signing rounds, where j = 1….Q. This preprocessing stage is a once-for-all stage. That is, each participant can prepare a fixed number of EC point pairs, say Q, and broadcast them to the signature aggregator, then the signature aggregator distributes these EC point pairs to all participants for further use. Once these pairs of EC points are used up, then these participants should run another preprocessing stage. Since we opted to not use such a signature aggregator role in our implementation, we have chosen instead to let each participant generate a single pair of EC points (Dᵢ, Eᵢ). Therefore, there is no preprocessing stage in our implementation and thus there are 3 rounds in our threshold signing phase instead of 2. Also note that whether our implementation contains the preprocessing stage or not simply depends on how many EC point pairs are generated in signing round 1. If each participant generates a Q number of EC point pairs in the signing round 1, then this round can be viewed as the preprocessing stage and our implementation becomes a 2-round signing protocol.

We describe how these three signing rounds work and give some technical details.

Signing Round 1. Each participant Pᵢ begins by generating a single private nonce pair (dᵢ, eᵢ) and corresponding pair of EC points (Dᵢ, Eᵢ) and broadcasts this pair of points to all other participants. Each participant stores these pairs of EC points received for use later. Signing rounds 2 and 3 are the actual operations in which t-out-of-n participants cooperate to create a valid Schnorr signature.

Signing Round 2. To create a valid Schnorr signature, any t participants work together to execute this round. The core technique behind this round is t-out-of-t additive secret sharing. This technique creates the secret nonce k = SUM(kᵢ), which is the same value generated in the single-party Schnorr signing algorithm, and each kᵢ is the share computed by participant Pᵢ. To do this, each participant prepares the set of pairs of EC points B = (D₁, E₁)……(Dₜ, Eₜ) received in round 1, and then computes kᵢ = dᵢ+eᵢ*rᵢ , where rᵢ=H(i, m, B) and H is a hash function whose outputs are in the field Zₚ. Computing rᵢ is important since it works as a binding value for each participant to prevent the forgery attack. Then each participant computes the commitment Rᵢ=Dᵢ+Eᵢ*rᵢ such that it binds the message m, the set of signing participants and each participant’s EC points to each signature share, such that signature shares for one message cannot be used for another. This prevents the forgery attack because attackers cannot combine signature shares across distinct signing operations or permute the set of signers or published points for each signer. The commitment for the set of signers is then simply R = SUM(Rᵢ). As in single-party Schnorr signatures, each participant computes the challenge c = H(m, R).

Having computed the challenge c, each participant is able to compute the response zᵢ to the challenge using the single-use nonces (dᵢ, eᵢ) and the long-term secret shares skᵢ, which are t-out-of-n (degree t-1) Shamir secret shares of the group’s long-lived key sk. One main observation that FROST leverages is that if kᵢ are additive shares of k, then each kᵢ/Lᵢ are t-out-of-n Shamir shares of k, where Lᵢ is the Lagrange coefficient for participant Pᵢ. That is, Lᵢ = prod(i/(j-i)), where j = 1,…,t, j ≠i. This observation is due to the work by Benaloh and Leichter [BL88] and the work by Cramer, Damgaard and Ishai [CDI05]. They present a non-interactive mechanism for participants to locally convert additive shares generated via the Benaloh and Leichter t-out-of-n secret sharing construction to Shamir’s polynomial form. FROST uses the simplest t-out-of-t case of this transformation. Thus kᵢ/Lᵢ+skᵢ*c are degree t-1 Shamir secret shares of the correct response z = k+sk*c for a plain (single-party) Schnorr signature. Using share conversion again and the value each participant has computed (namely, kᵢ = dᵢ+eᵢ*rᵢ), we get that zᵢ=dᵢ+eᵢ*rᵢ+Lᵢ*skᵢ*c are t-out-of-t additive shares of z. At the end of signing round 2, each participant broadcasts zᵢ to other participants.

Signing Round 3. After receiving zᵢ from all other participants, each participant checks the consistency of these reported zᵢ, with their pair of EC points (Dᵢ, Eᵢ) and their verification key share vkᵢ. This can be done by checking the equation zᵢ*G = Rᵢ+c*Lᵢ*vkᵢ. Once all zᵢ are valid, then each participant computes z = SUM(zᵢ) and output (z, c) as the final Schnorr signature. This signature will verify properly to any party unaware that FROST was used to generate the signature, and can check it with the standard single-party Schnorr verification equation with vk as the verification key. As we have mentioned, we do not use the signature aggregator role in our implementation. Thus, each participant works as a signature aggregator. Therefore, we let each participant self-verify its own signature before outputting it.

Implementation Challenges

We referred to some known FROST implementations: two Rust implementations — one by ZCash foundation and another by frost-dalek — but they are not appropriate to our tech stack. One Golang implementation is from the Taurus group, but unfortunately this Go implementation is not ready for production use and has not been externally audited. As a result, we decided to implement the protocol in-house.

One feature of FROST signing is that each participant must know Lagrange coefficients for each participant in order to compute zᵢ. This is uncommon in other threshold signature protocols that use Feldman verifiable secret sharing as a sub-protocol, so there are few existing Go libraries to support THIS. Most existing libraries support generating secret shares, polynomials, and their interpolation, but do not support Lagrange coefficient computation. To fill in this technical gap, we implemented participants’ Lagrange coefficients given arbitrary t participant IDs as input. Before running the threshold signing protocol, it takes input IDs of the t participants and generates all Lagrange coefficients. As the FROST draft suggests, we assign these coefficients to each participant before signing to improve performance.

Summary

FROST is a flexible, round-optimized Schnorr threshold signature scheme that minimizes the network overhead of producing Schnorr signatures in a threshold setting while allowing for unrestricted parallelism of signing operations and only a threshold number of signing participants. We introduce FROST, highlight its features, and describe it in a fully decentralized approach (i.e., without any third-party signature aggregator). This post exposes what Coinbase discovered while evaluating and implementing the FROST protocol and we look forward to adding it to our suite of threshold signing services.

If you are interested in cutting-edge cryptography, Coinbase is hiring.

FROST: Flexible Round-Optimized Schnorr Threshold Signatures was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

The technical benefits of EIP-1559

October 5, 2021 Coinbase

Blockchain

By Yuga Cohler

TLDR: EIP-1559 transactions have allowed Coinbase and Coinbase users to save ETH on gas prices without sacrificing confirmation times. Coinbase has also burned a lot of ETH, permanently reducing the supply of the second largest cryptocurrency by market capitalization.

On August 5, 2021, Ethereum’s “London” upgrade launched successfully on mainnet as the last hard fork before the transition to Proof-of-Stake / ETH 2.0. As one of the most anticipated upgrades, London included a significant change in Ethereum’s monetary policy and transaction fee structure — EIP-1559 — that has proven beneficial to both Coinbase and ETH holders at large.

In legacy transactions prior to London, senders would specify a single gas_price they were willing to pay for their transaction, and miners would select transactions based on a first-price auction. With London, the gas prices that senders pay are in part determined by a block-to-block base_fee_per_gas, which rises and falls with usage of the network.

EIP-1559 transactions allow senders to specify two values: max_fee_per_gas and max_priority_fee_per_gas. The former is an upper bound on the total gas price the sender is willing to pay, while the latter is an upper bound on the gas price the sender is willing to pay to the miner of the transaction. The effective_gas_price, i.e. the amount that the sender actually pays, is then computed as:

priority_fee_per_gas = min(
  transaction.max_priority_fee_per_gas,
  transaction.max_fee_per_gas — block.base_fee_per_gas
)
effective_gas_price = priority_fee_per_gas + block.base_fee_per_gas

The block’s base_fee_per_gas is burned, thereby making the native currency more deflationary and returning value to ETH holders.

While there was significant uncertainty surrounding the market effects of EIP-1559, we at Coinbase took a proactive approach to ensure that our infrastructure was prepared to send EIP-1559 transactions on day one of the fork. Based on the work of people such as Zsolt Felföldi and Frederik Bolding, we developed a novel gas pricing algorithm for these transactions. Crucially, it leverages the new eth_feeHistory JSON RPC API that allows us to dynamically compute an appropriate max_priority_fee_per_gas based on market conditions.

We rolled out this change gradually so that we could compare the metrics of legacy and EIP-1559 transactions. Our findings were surprising:

On average, we saved about 9% on effective gas prices (this was computed as the difference in confirmed gas price between legacy transactions and EIP-1559 transactions).
At the same time, we improved our broadcast-to-confirmation time by 11 seconds, or 0.7 blocks (this was computed as the difference in broadcast-to-confirmation time between legacy transactions and EIP-1559 transactions).

*Fig 1. Average gas savings from EIP-1559 transactions in gwei*

*Fig 2. P50 broadcast-to-confirmation time delta between EIP-1559 and legacy transactions in seconds*

As Taylor Monahan posits, we suspect that we are able to simultaneously save on gas price and improve confirmation time because we specify a max_fee_per_gas that is significantly larger than the current base_fee_per_gas. This makes the effective priority_fee_per_gas larger than the equivalent legacy transaction, incentivizing miners to include our EIP-1559 transaction in the next block.

Coinbase executes a large number of transactions on Ethereum to source liquidity and provide withdrawals for our customers, so these savings add up. As of September 27, 2021, Coinbase has burned 13,800 ETH, for an average of about 254 ETH per day. This means we save about 27 ETH per day on gas prices from EIP-1559 transactions. Seeing this data, we have rolled out EIP-1559 to 95% of transactions, preserving a small holdback for data collection purposes. We intend on eventually rolling it out to 100%.

The London upgrade was a remarkable achievement not just for Ethereum, but for decentralized financial networks as a whole. A diverse group of participants across the world came together to implement a complex shift in one of the core mechanisms that dictates market prices. We’re looking forward to continuing to work with the Ethereum community to push forward the cutting edge of DApps & DeFi, and usher in the new era of ETH 2.0.

If you are interested in building the future of finance, check out our open roles here.

The technical benefits of EIP-1559 was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

coinbase-eng