1. Home
  2. Multisignature

Multisignature

ICP’s Schnorr integration ushers in Bitcoin DeFi era

Internet Computer Protocol smart contracts will soon be able to etch Runes, trade BRC-20 tokens and enable Bitcoin-based DeFi functionality.

The Internet Computer Protocol (ICP) plans to use advanced threshold cryptography to unlock decentralized finance capabilities and smart contract functionality on Bitcoin’s base layer.

Speaking to Cointelegraph during Paris Blockchain Week, Dfinity senior research scientist Aisling Connolly outlined how ICP’s integration of threshold-Schnorr signatures will enable the protocol’s smart contracts to obtain addresses and authorize transactions directly to the Bitcoin blockchain.

Schnorr signatures are a specific type of digital signature named after mathematician Claus Schnorr. They work like a secret handshake between two parties, proving that one person has signed off on something without revealing their secret code.

Read more

Solana ETF Momentum Grows Amid Reports of SEC Engagement

Unchained raises $60M to offer collaborative custody Bitcoin services

Texas-based Unchained Capital hopes to undermine single points of failure and mitigate counterparty risk with its substantial $60 million raise, led by Valor Equity Partners.

The bear market grind has not deterred a $60 million raise from a Bitcoin-only company. 

Unchained, a financial services provider for Bitcoin (BTC) holders, has announced a $60 million Series B funding round led by Valor Equity Partners. NYDIG, Trammell Venture Partners, Ecliptic Capital and Highland Capital Partners also participated.

Unchained Capital provides a more secure way to hold fees than storing crypto on centralized exchanges or on a single key solution. The custody model leverages the Bitcoin network's native multi-signature capabilities in that clients share control of their Bitcoin between private keys they hold themselves and private keys held by Unchained or other financial services companies.

Multisignature solutions eliminate single points of failure and mitigate counterparty risk by sharing it between multiple parties. Simply put, compare the multi-sig process to a safe deposit box with two keys, one held by the customer and the other by the bank.

Single points of failure were a recurring theme during the 2022 crypto collapses: From BlockFi to Celsius to Three Arrows Capital, an array of centralized solutions collapsed, taking users’ funds along the way. Multisig radically reduces risk as no one party can run off with the funds. 

The CEO of Unchained Capital, Joe Kelly, explained:

"Multisig is one of the most important technologies in the ecosystem that can be taken mainstream. It helps to protect individuals from loss and theft, two of the biggest issues for the industry."

To date, Unchained secures over $2 billion in Bitcoin across thousands of keys globally. Casa, a competitor crypto security company, recently added Ethereum (ETH) to its suite of products. 

Related: 6M Bitcoin Are Secured by Shared Custody

According to the announcement, the $60 million in funding will be used to expand the client base and product offering further. Kelly told Cointelegraph:

"Using this fresh capital investment to expand our reach and suite of services, we hope to enable new entrants to Bitcoin to leapfrog centralized custodians into our safer collaborative custody model."

Ultimately, the group will hope to further the mantra “not your keys, not your coins.” In light of centralized exchange collapses, greater numbers of Bitcoin and crypto enthusiasts learn to take custody of their assets, and multisig will undoubtedly play a greater role.

Solana ETF Momentum Grows Amid Reports of SEC Engagement

Multisig wallets vulnerable to exploitation by Starknet apps, says developer Safeheron

The vulnerability allegedly allows Web3 apps using the Starknet protocol to bypass the security protection of private keys in MPC wallets, potentially exposing users' private keys to wallet providers.

Certain multisignature (multisig) wallets can be exploited by Web3 apps that use the Starknet protocol, according to a March 9 press release provided to Cointelegraph by Multi-Party Computation (MPC) wallet developer Safeheron. The vulnerability affects MPC wallets that interact with Starknet apps such as dYdX. According to the press release, Safeheron is working with app developers to patch the vulnerability.

According to Safeheron’s protocol documentation, MPC wallets are sometimes used by financial institutions and Web3 app developers to secure crypto assets they own. Similar to a standard multisig wallet, they require multiple signatures for each transaction. But unlike standard multisigs, they do not require specialized smart contracts to be deployed to the blockchain, nor do they have to be built into the blockchain’s protocol.

Instead, these wallets work by generating “shards” of a private key, with each shard being held by one signer. These shards have to be joined together off-chain in order to produce a signature. Because of this difference, MPC wallets can have lower gas fees than other types of multisigs and can be blockchain agnostic, according to the docs.

MPC wallets are often seen as more secure than single signature wallets, since an attacker can’t generally hack them unless they compromise more than one device.

However, Safeheron claims to have discovered a security flaw that arises when these wallets interact with Starknet-based apps such as dYdX and Fireblocks. When these apps “obtain a stark_key_signature and/or api_key_signature,” they can “bypass the security protection of private keys in MPC wallets,” the company said in its press release. This can allow an attacker to place orders, perform layer 2 transfers, cancel orders, and engage in other unauthorized transactions.

Related: New “zero-value transfer” scam is targeting Ethereum users

Safeheron implied that the vulnerability only leaks the users’ private keys to the wallet provider. Therefore, as long as the wallet provider itself is not dishonest and has not been taken over by an attacker, the user’s funds should be safe. However, it argued that this makes the user dependent on trust in the wallet provider. This can allow attackers to circumvent the wallet’s security by attacking the platform itself, as the company explained:

“The interaction between MPC wallets and dYdX or similar dApps [decentralized applications] that use signature-derived keys undermines the principle of self-custody for MPC wallet platforms. Customers may be able to bypass pre-defined transaction policies, and employees who have left the organization may still retain the capability to operate the dApp.”

The company said that it is working with Web3 app developers Fireblocks, Fordefi, ZenGo, and StarkWare to patch the vulnerability. It has also made dYdX aware of the problem, it said. In mid-March, the company plans to make its protocol open source in an effort to further help app developers patch the vulnerability.

Cointelegraph has attempted to contact dYdX, but has been unable to get a response before publication.

Avihu Levy, Head of Product at StarkWare told Cointelegraph that the company applauds Safeheron's attempt to raise awareness about the issue and to help provide a fix, stating:

 “It’s great that Safeheron is open-sourcing a protocol focusing on this challenge[...]We encourage developers to address any security challenge that should arise with any integration, however limited its scope. This includes the challenge being discussed now.

Starknet is a layer 2 Ethereum protocol that uses zero-knowledge proofs to secure the network. When a user first connects to a Starknet app, they derive a STARK key using their ordinary Ethereum wallet. It is this process that Safeheron says is resulting in leaked keys for MPC wallets.

Starknet attempted to improve its security and decentralization in February by open-sourcing its prover

Solana ETF Momentum Grows Amid Reports of SEC Engagement

Organizations look toward multiparty computation to advance Web3

Multiparty computation is being leveraged to ensure private key security and decentralization within Web3 platforms. But why use it?

Protecting user data and private keys is crucial as Web3 advances. Yet, the number of hacks that have occurred within the Web3 space in 2022 alone has been monumental, proving that additional security measures, along with greater forms of decentralization, are still required. 

As this becomes obvious, a number of organizations have started leveraging multiparty computation, or MPC, to ensure privacy and confidentiality for Web3 platforms. MPC is a cryptographic protocol that utilizes an algorithm across multiple parties. Andrew Masanto, co-founder of Nillion – a Web3 startup specializing in decentralized computation – told Cointelegraph that MPC is unique because no individual party can see the other parties’ data, yet the parties are able to jointly compute an output: “It basically allows multiple parties to run computations without sharing any data.”

Masanto added that MPC has a history that runs parallel to blockchain. “Around the same time that blockchain was conceptualized, a sibling technology purpose-built for processing and computation within a trustless environment was being developed, which is multiparty computation,” he said. It has also been noted that the theory behind MPC was conceived in the early 1980s. Yet, given the complexity of this cryptographic method, practical uses of MPC were delayed.

Understanding how MPC will transform Web3

It was only recently that blockchain-based platforms began to implement MPC to ensure data confidentiality without revealing sensitive information. Vinson Lee Leow, chief ecosystem officer at Partisia Blockchain – a Web3 infrastructure platform focused on security – told Cointelegraph that MPC is a perfect ideological match for the blockchain economy.

Unlike public blockchain networks, he noted that MPC solves for confidentiality through a network of nodes that computes directly on encrypted data with zero knowledge about the information. Given this, companies focused on digital asset security began leveraging MPC in 2020 to ensure the security of users’ private keys. Yet, as Web3 develops, more companies are starting to implement MPC to create a greater level of decentralized privacy for various use cases. Masanto added:

“The evolution of Web2 to Web3 focuses on creating methods where people and organizations can collaboratively work on different data sets in a manner that respects privacy and confidentiality while maintaining compliance. Blockchains are not purpose-designed for this because they are typically inherently public, and smart contracts are often run by one node and then confirmed by others. MPC breaks down the computation across the network of nodes, making it a truly decentralized form of computation.”

The promise of MPC has since piqued the interest of Coinbase, which recently announced its Web3 application functionality. Coinbase's new wallet and DApp functionalities are operated with MPC in order to secure the privacy of senders and receivers while ensuring the accuracy of a transaction.

Rishi Dean, director of product management at Coinbase, explained in a blog post that MPC allows users to have a dedicated, secure on-chain wallet. “This is due to the way this wallet is set up, which allows the ‘key’ to be split between you and Coinbase,” he wrote. Dean added that this provides a greater level of security for users, noting that if access to their device was lost, a DApp wallet is still safe since Coinbase can assist in the recovery.

While Coinbase released this feature in early May 2022, the crypto wallet provider ZenGo was equipped with MPC from the company’s inception in 2018. Talking with Cointelegraph, Tal Be’ery, co-founder and chief technology officer of ZenGo said that the wallet applies MPC for disrupted key generation and signing, also known as threshold signature scheme (TSS). He explained that the key is broken up into  two “secret shares" split between the user and the company server.

Related: Blockchain and NFTs are changing the publishing industry

According to Be’ery, this specific type of MPC architecture allows a user to sign an on-chain transaction in a completely distributed manner. More importantly, Be’ery added that both secret shares are never joined. “They are created in different places, and used in different places, but are never in the same place,” he explained. As such, he noted that this model remains true to the original MPC promise: “It jointly computes a function (the function in this case is key generation or signing) over their inputs (key shares), while keeping those inputs private (the user’s key share is not revealed to the server and vice versa).”

Be’ery believes that using MPC for signatures is complementary to blockchain technology, since a private key is also required to interact with blockchain networks. However, the TSS method leveraged by ZenGo allows users to distribute their private key, adding an additional layer of security. To put this in perspective, Be’ery explained that private keys for non-custodial wallet solutions are typically burdened by an inherent tension between confidentiality and recoverability:

“Because a private key is the only way to access the blockchain in traditional wallets, it also represents a singular point of failure. From a security perspective, the goal is to keep this private key in as few places as possible to prevent it from getting in others’ hands. But from a recoverability perspective, the goal is to keep the private key as accessible as needed, in case there is a need to recover access.”

However, this tradeoff is not an issue for most MPC-powered systems, as Be’ery noted that this is one of the main challenges MPC solves for crypto wallet providers. Moreover, as Web3 develops, other multiparty computation use cases are coming to fruition. For example, Oasis Labs – a privacy-focused cloud computing platform built on the Oasis network – recently announced a partnership with Meta to use secure multiparty computation to safeguard user information when Instagram surveys asking for personal information are initiated. Vishwanath Raman, head of enterprise solutions at Oasis Labs, told Cointelegraph that MPC creates unlimited possibilities for privately sharing data between parties: “Both parties gain mutually beneficial insights from that data, providing a solution to the growing debate around privacy and information collection.”

Specifically speaking, Raman explained that Oasis Labs designed an MPC protocol together with Meta and academic partners to ensure that sensitive data is split into secret shares. He noted that these are then distributed to university participants that compute fairness measurements, ensuring that secret shares are not used to “learn” sensitive demographic data from individuals. Raman added that homomorphic encryption is used to allow Meta to share their prediction data, while ensuring that no other participants can uncover these predictions to associate them with individuals:

“We can say with confidence that our design and implementation of the secure multiparty computation protocol for fairness measurement is 100% privacy-preserving for all parties.”

MPC will reign supreme as Web3 advances

Unsurprisingly, industry participants predict that MPC will be leveraged more as Web3 advances. Raman believes that this will be the case, yet he pointed out that it will be critical for companies to identify logical combinations of technologies to to solve real-world problems that guarantee data privacy:

“These protocols and the underlying cryptographic building blocks require expertise that is not widely available. This makes it difficult to have large development teams designing and implementing secure multiparty computation-based solutions.”

It’s also important to highlight that MPC solutions are not entirely foolproof. “Everything is hackable,” admitted Be’ery. However, he emphasized that distributing a private key into multiple shares removes the singular attack vector that has been a clear vulnerability for traditional private key wallet providers. “Instead of getting access to a seed phrase or private key, in an MPC-based system, the hacker would need to hack multiple parties, each of which has different types of security mechanisms applied.”

While this may be, Lior Lamesh, CEO and co-founder of GK8 – a digital asset custody solution provider for institutions – told Cointelegraph that MPC is not sufficient by itself to protect institutions against professional hackers. According to Lamesh, hackers simply need to compromise three internet-connected computers to outsmart MPC systems. “This is like hacking three standard hot wallets. Hackers will invest millions when it comes to stealing billions,” he said. Lamesh believes that an MPC enterprise-grade approach requires a true offline cold wallet to manage most digital assets, while an MPC solution can manage small amounts.

Related: Ethereum Merge: How will the PoS transition impact the ETH ecosystem?

Masanto further claimed that traditional MPC solutions may be superior to a solution that “stores sensitive data across many different nodes in the network as a group of unrecognizable, information-theoretic security particles." As the result, hackers would need to find each particle without any identifiable footprint connecting any of the nodes. Masanto added that to make the particle recognizable again, the hacker would need a large proportion of “blinding factors,” which are used to hide the data inside each particle in an information-theoretic security manner.

Those are just some example of how MPC-based solutions will advance in the future. According to Masanto, this will create access to even more MPC use cases and, for example, utilizing the network itself for authentication:

“We consider this a form of ‘super authentication’ – a user will authenticate based on multiple factors (e.g., biometrics, identity, password, etc.) to a network without any of the nodes in the network knowing what they are actually authenticating because the computation of authentication is part of MPC.”

According to Masanto, such a form of authentication will lead to use cases within identity management, healthcare, financial services, government services, defense and law enforcement. “MPC enables systems to be made interoperable while also respecting peoples’ rights and giving them control and visibility over their data and how it is used. This is the future.”

Solana ETF Momentum Grows Amid Reports of SEC Engagement