Hashing It Out

Episode 38 · 2 years ago

Hashing It Out #38 - KZen - Omer Shlomovits

ABOUT THIS EPISODE

We have the great pleasure of speaking with Omer Shlomovits. Omer is a multi-party computation and cryptography expert with KZen. He speaks to us about KZen, his research on threshold signatures for building simpler and more secure wallets, key recovery schemes, and the future of multi-party computation. Fantastic episode, chock full of deep knowledge!

Links

  • https://www.kzencorp.com/
  • https://github.com/KZen-networks
  • https://twitter.com/KzenCorp
  • https://www.youtube.com/watch?v=veIXYIZrSC8
  • https://www.facebook.com/groups/800441673459620/

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology, and the problems they face along the way. Come listen and learn from the best in the business. You can join their ranks.

All right, Hashing It Out episode thirty... it's probably thirty-seven or thirty-eight. We had some delay with our previous episode, so it's kind of waiting in the queue; it's either thirty-seven or thirty-eight when released. Hello, I am Collin Cusce, welcome to the podcast, and I have the great pleasure of introducing you guys to Omer Shlomovits, cofounder of KZen, cryptography expert, multi-party computation expert. He gave a fantastic talk at SBC, but unfortunately he was the last presenter and it wasn't really fair. I felt like, you know, he gave a really good presentation and I want to give him an opportunity to reach our audience with this presentation, because the last talk was right after Vitalik and everybody kind of left the room, and it was awful. I felt like that was just total injustice, because they're working on really awesome and interesting things over there at KZen, and I had a really great conversation with Omer. So, you know, I figured that this would be a good opportunity for you to kind of hash out what you were saying for that half hour in an hour to our wider audience. So I want you to open with just telling us a little about yourself and what you're doing.

Sure. So, thank you for having me first, and also a comment about SBC: I don't think it's unfortunate that I spoke last. Specifically, I got some good words from Dan Boneh, which is, I guess, what you can call a lifetime achievement, and he is the professor of cryptography at Stanford. So that's about that. So yeah, my name is Omer. I'm currently cofounder of a company that started last year, named KZen Networks.

We are dealing with key management systems based on multi-party computation. I'm also cofounder of a community here in Israel, and maybe a bit global, that focuses on zero-knowledge and privacy technologies. So we have four hundred members and we're having meetups once a month, and you can check it out on the Facebook group and the Meetup page, and videos as well.

So your talk was about building a more minimalistic, more user-friendly scheme for crypto wallets, and I thought it was particularly interesting. You went over some topics that I am not particularly strong in myself, and it actually got me looking into them a little more. One of them is just, you know, more in-depth knowledge of secret sharing using threshold signatures. I want you to kind of step us through the process of what you're proposing with that talk, and what you think you're doing better than the current systems that are in place.

Yeah, sure. So I think that we can start with some background on a few topics. First of all, as I said, I'm dealing with key management systems, meaning that eventually you have some kind of a secret that you need to manage, and in the specific use case of blockchain this secret is kind of tricky, because if you want to just keep it safe, then you'd store it someplace that no one can ever touch, what we would call cold storage, and be done with it. But in the blockchain case you do need to use this secret information, and the way that you are using it is by signing on some kind of statements, and the process of doing these signatures involves the use of the private key. So this is kind of a trade-off, and the first...

...that I touched on, which is between the security and the usability of the key management system, or KMS. What we are trying to do is to take a different look at this problem. We're starting from the basics and trying a new paradigm that is based on threshold signing, which we can probably go into in much more depth in a moment, and using this threshold signing we are trying to provide what is, I guess, better usability, and also to give some improvements to the security aspect of the key management.

So, to explain a bit more about threshold signatures, we can maybe start with existing technology in blockchain today for key management. At the most basic level, the functionality that every blockchain would provide is a way to verify the signatures, meaning that the blockchain doesn't really care how you generate your digital signatures, but the miners or the blockchain maintainers would be the ones that verify, and the verification would be the same no matter what. So there are a few blockchains, Bitcoin the first example, that can support a more elaborate verification scheme, which is what we call multisignature. In this case you want to verify not a single signature but multiple signatures at the same time, so you can attach a statement or transaction to a set of public keys, such that the verification will be that this transaction is valid only if you see some kind of access structure that is dependent on all of the public keys, signing using private keys that correspond to the public keys in this manner. So this can happen in those blockchains that support this type of multisignature, or multisig; they support it natively.

This is part of the application, of the software that is part of the blockchain. On the other end, there are some blockchains that do not support it at all, so you cannot actually do a multisig. To give an example: in Zcash you cannot do a shielded transaction with a multisignature in this manner. And there are also all sorts in the middle, like in Ethereum, where you need a smart contract to implement this type of multisignature, and in Bitcoin there's the Script language that you need to use. So it's really different between blockchains how to do this multisignature, if it's possible at all.

Now, threshold signatures, and here I'll just give, I guess, the end result, but there are a lot more details that we can talk about in this regard, are something that is independent of the blockchain application. You don't really care if you're using Script or a smart contract, if multisig is natively supported or if it's not supported; you are just messing with the cryptography layer, which is basic elliptic-curve cryptography, and this is part of every blockchain. So threshold cryptography, or threshold signatures, is how you can get the same functionality, I would say, as multisig, but uniformly for all blockchains. So to add support for Ethereum would be the same as to do it for Bitcoin: you don't need to write a special smart contract, you are completely independent of the application of the blockchain, and just relying on the fact that all blockchains utilize the same type of cryptography. This is, I think, the major aspect. To be clear, there are a lot more differences, actually, between multisignatures and threshold signatures, I would say advantages and disadvantages; it depends on what you try to achieve.

Yeah. So,...

...let's break down kind of the scheme of multisig here. I mean, most people in the space know it at this point, I think, but basically, in order for a transaction to actually be signed, multiple parties have to send their own signature, which means those signatures have to be, you know, stored or verified in some sort of trustless mechanism like the blockchain. There has to be some sort of third party which can check the multiple signatures and then sign off on it, or, in the case of Ethereum, it's like a smart contract which only enables it if the valid signatures are actually sent, or not even sent; it's more like a transaction which activates a boolean, true or false: yes, this is valid, based on the number of people that actually sign off on it, due to the logic of the contract itself. That, of course, has storage implications, but it provides a little flexibility, in that you can do things like role-based access control surrounding the multisig, so that there could be, like, a super user or something that's required in order to do, say, a three-of-four signing: you need to have at least one super user and then two other users in order to do the signing. But that's not really how the threshold works. So in threshold signatures, from what I understand, and please correct me if I'm wrong, it's basically everybody signs the same piece of data multiple times, so party A signs once, party B signs once and party C signs once, and if you only need three signatures, once you have all those three signatures signing the same piece of data over and over again, you're actually creating the final signature, which could be committed to the blockchain and signs the actual transaction. Is that correct?

So what I'm hearing from your question is actually two points. One is about access structures, and one is about the definition of threshold signatures and the difference between the classical one and the threshold one. So first, the access structure: if you want a signature which is any t out of n, it might be two out of two, it might be two out of three, it might be, I don't know, five out of eight. This is something that is achievable in general using a smart contract in Ethereum, like the example you gave. It doesn't require any trust, any trusted coordination. Usually what it means is that once the contract is deployed, you need to accumulate these signatures until you get five of them, let's say, in the five-out-of-eight example, and then you can just send it; like you said, a boolean would go from zero to one and everything would be fine. This, however, in multisig, has some kind of implications, as you said: there are some space requirements, there's also the security issue of smart contracts, there's also kind of a visibility issue, so the blockchain has some kind of understanding that this is a contract for, let's say, a five-out-of-eight type of multisignature. And also in Bitcoin there might be a cost implication to it, because the transaction would be of a larger size. So all of these implications can be compared to what we get with threshold signatures. With threshold signatures you can, again, technically achieve any access structure you want. The access structure can also be a complex one, like you need one authorization and another five out of eight authorizations, I mean an authorization from a specific public key and another five out of eight for a different eight public keys, something like that.

It can be a very, very complex access structure. What we get using threshold signatures, and in a second I'll explain why and how we get it, is, first of all, that the transaction would look the same, because you are changing only the cryptography layer, which is kind of underneath the application of the blockchain. A transaction would look like a single signature, so in terms of transaction size you get it like any other transaction, and also in terms of privacy: the observer, from the blockchain point of view, would not be able to tell what the access structure was. Okay, so here you get some kind of advantages of using threshold signatures. Now I want to explain a bit, maybe starting from the basics about digital signatures. I think it will make some things clear,...

...so a digital signature algorithm is a set of three protocols. One is the key generation, the second is the signing, and the third is the verification. Now, key generation in the single-key case is simply the way to generate a random private key and the corresponding public key. You must have a key generation before you can do any signing or verification. Signing is a private operation; it's something you can do using your private secret key when you sign over a message. And verification takes the public key for the same secret, and the message and the signature, and outputs a boolean: one if the signature is verified, if everything's okay, if the statement was indeed signed using the secret key. So without revealing the secret key, you can just do it.

Now, threshold signatures are where you change two out of these three protocols: you need to do a threshold key generation, and then you need to do a threshold signing. First of all, verification stays the same. This is what gets you what I mentioned before, that for any access structure you'd use in threshold signatures, you'd still get what would look like a single-signer transaction, a regular transaction on the blockchain, and this is because verification would stay the same. So again, what you are trying to achieve in the verification is to get one signature, as opposed to a multisignature in the multisig case. So we need to get one signature. First of all, you are doing some form of threshold key generation, or distributed key generation, which is the process where, let's say, n parties can jointly generate one public key, and each one would get some secret data. And then the threshold signing is the protocol where the input would be the secret data of all of the signers, of all of the n parties or some threshold number out of them, and the output would be this single signature.

That would be possible to verify using the public key. Does that answer your question?

Yes, it does. So I am actually familiar with ECDKG, elliptic-curve distributed key generation, and that is done completely off-chain, so you need to build a system which can actually interact with other people who are enabled and have permission to create that key, and then there are all the permission layers around that. But the thing is, and this is a point you brought up a second ago, that you do not need to trust any of these systems, but there is some sort of setup process for that. So, with regard to your talk, how does that setup kind of work, what does it look like, how do you get these keys into the hands of people, and what are you working on with regard to that?

So these are very good questions. As you mentioned, key generation is one instance of a multi-party computation, we can say, and maybe it's a good time to just define what that is. Basically, you have a function, and it's a protocol between n participants, parties, players, and each party gets to own some secret data, and the guarantee that you get from any MPC protocol is that all parties would get to see the output of the function on their secret data. So this is a function of the secret data of all the n parties, but the secret data will not get exposed to the other parties. So each party gets the guarantee that, one, what is called correctness, that the computation would be correct assuming that you run the protocol according to the spec, and the second is the privacy aspect, meaning that your data will not get leaked. Now, this is, as you pointed out, exactly a distributed protocol, so everything that you know from distributed computing applies. Now, how do you do it? It's a good question, and honestly I would say that we found out that this is...

...even something that is kind of missing in the space today: a good multi-party computation framework, like a general framework for multi-party computation. So what usually people end up with is doing expensive zero-knowledge proofs, of course, to compensate for it. So one of the research directions that we are investigating is exactly this communication layer for MPC type of protocols. We're trying to build something for our purposes, and we try to make it open source, and we try to make it such that anyone that has some kind of multi-party computation that they need to run can use this type of framework. I could go into more details about it if you want later.

But so, how is distributed key generation, in threshold signatures, a multi-party computation? What you have is that in this distributed key generation, each party gets to choose at random some kind of input; we can call it the secret share of this party, and the output of the distributed key generation will be a public key. So the function that all parties want to compute together is the public key, a single one, and you need to compute it in such a way that it would be a function of all the secret shares of the parties. Now, using the same abstraction of MPC, we can also describe the second protocol of threshold signing, which takes as input your secret share, and again you don't want it to leak, and the output will be a digital signature over a specific message. All the parties get to see the signature, and one of them would need to publish it to the blockchain, but the secret shares will remain and do not get leaked outside of the participants in the protocol.

Now, it's true that you kind of assume, in general, in cryptography, that you have some kind of what's called a PKI, a public key infrastructure, meaning that if you and I are running a protocol, I need to make sure that you are you, and you need to make sure that I'm me, and that we're actually communicating with each other. This is kind of an assumption that usually in cryptographic systems you just assume. It's easier to reason about it in the blockchain use case, because the blockchain can be a sort of public key infrastructure, meaning I can say to you: look, I'm going to use a public key that is on the blockchain, and prove to you that I know the secret key to this public key, and this would be like my secret share. So it means that publicly anyone can use it, and I just need to somehow prove to you that this is me, and I can do it by providing you some kind of proof that I know the secret key. Still, it's not an open question, but this is kind of an assumption of the system, and also in my talk at Stanford this was kind of an underlying assumption: that parties that are jointly running the protocol, the n parties, like the threshold parties, have some kind of way to know what the other parties' public keys are. So again, they don't know any secret data of the other parties, but they do know some public information about them, which we think is a reasonable assumption.

So they use that public information to kind of do the whole setup process, so that you can agree on what is essentially the new public key that would be used for signing. Is that correct?

Yes, exactly.

Okay, and how do you leverage that? So you're building a network that can actually handle that, is that correct? Is that what you're kind of working on?

So it's not accurate, because to be like a full-blown network with general n-party computation is something that I think is very complex to do. I mean, there's a lot of mechanics that you need to understand, and what type of protocols, and what the purpose is that you want to achieve. So in our product we started, I mean even from a research perspective, we started looking just at the simple case of two out of two: you have two parties and...

...they want to jointly produce a signature, meaning that they will also run a distributed key generation, but between two parties, and it means that you also need the two parties to collaborate in both cases, in the key generation and in the signing. This is the two-out-of-two case. Now, we started with this because, as I said, this is the simplest you can get in threshold cryptography, which is, again, a complex topic, and to actually do n parties in the general case... To give an example, right now there's a kind of standardization effort from NIST, from the national standardization authority, to kind of look at threshold cryptography and try to understand how to measure it. I mean, there are a lot of open questions about how to measure it, whether there can be any standard about how to do it, so they're organizing actually a workshop, I think in a few weeks; this is going to be an ongoing effort. So we are looking at the two-party case, and what we noticed is that, first, from the network perspective, which is what you asked, you can just use a classical network architecture of client and server. This is what everyone knows to do best, this is what engineers understand. So if you have only two parties, you don't really need all the distributed, extra and complex network machinery. You can just have one party be a server and the other party be a client, and you can get off-the-shelf protocols for the communication, I mean not the cryptography, but for the communication layer. So this is something that you can get very easily, so it helped us a lot in...

...building the code. But we also noticed that this still opens up a lot of room for research, and I mean moving to this paradigm of, instead of having a private key, or instead of a few public or a few private keys, just one distributed private key, opens up a lot of interesting research questions and also challenges. So I guess what we tried to explain in my talk at SBC was one of the challenges that it brought up, and how we managed to solve it, but again there are also many opportunities about it. So we are actually looking at a network that has two types of actors: one is like servers and one is clients, in a sense, and the server and the client both need to do key generation and threshold signing.

Now, I'm trying to recall your talk a little better, I'm sorry about that. I remember there was something where you identified some particular issues with the traditional scheme. With regard to that, there was an owner of the key that was kind of initiating the whole key-share process, which we might want to go through as well, and then there was a problem where, what if that owner disappears? How can I recover our secret shares, right? So if you could go through some of that for the audience.

Yeah, sure. So you have a good memory, it's fantastic, and indeed one of the challenges that you get in this two-party setting... So eventually we're talking about key management systems, so you are a private owner and you want to have your key managed in a secure and also usable way, meaning that you still want to have some kind of control. When signatures are happening, you don't want someone else to decide it for you; you don't want to give authorization to just anyone to do the key management for you. So you need to have some control of the usability, but you still want to get this distributed security, meaning that you still want to have this property that an attacker would have to attack two places, and also at the same time, because this is one of the benefits that you get from using this type of scheme. So you still want to have an attacker that needs to attack two places at the same time if he wants to get your private key. So one of the challenges there is regarding the recovery, meaning that there are actually, instead of one problem of recovery, which is what you have in the single...

...key case, when you just need to recover your own key. Now it's a two-fold problem: you need to find some way to recover if something happens to your secret share, and you also need to find a way to recover if something happens to the other party's secret share. I mean, this is again, like you said, the concept of ownership, because we assume that in the system there is one owner. You cannot divide the ownership; you can divide the private key, but you cannot divide ownership. So there's one owner but two secret shares, and the owner was defined by us as the one that puts money into the system, or puts some asset or does transactions inside the system. So he has some kind of stake in the system; he has some kind of assets that belong to him, and he just wants to get his better security. What we focused on in the talk was the case where the owner wants to recover the other party's secret share. If something happens to the other party, like there was a denial of service on the other party for a long time, there are a lot of attacks that you can describe, if someone just attacked or hacked the other party, you need to find a way to defend yourself and to get your money outside of the system and move it to another system. So this is the question that we dealt with, and the way that we tried to tackle it is by first making some kind of assumption on how the server and the client are positioned relative to each other, meaning that we assume that we have one server, and the server would never be an owner. It would be like a service provider; this is the name that we gave it, meaning that its entire purpose in life is to assist owners to get this extra layer of security, and you can reason why this would be a viable use case, because...

You can incentivize them monetarily, in a sense, meaning that, let's say, part of every transaction goes to him or something like this; a fee is going to be taken out of every transaction, since you need to approve every transaction. So this is kind of what made sense to us, that you can have one server incentivized and many owners connected to him, and also there isn't any effect on the security, because each owner will work with the server separately, so they are not connected in any way to each other. Each owner will run two-out-of-two key generation with the server, with the same service provider, and the service provider eventually will hold many secret shares that belong to many owners, but you cannot do anything with them without the secret shares of the owners. So if you attack just the server, you might be better off than attacking an owner, because you get a lot of secret shares, but it still gets you nothing, because first you need to also attack an owner to get the full private key, and also because of this mechanism for recovery that we built. So under the assumption of many owners to one service provider, it opened up a lot of possibilities. The research problem was to generate a protocol that will require collaboration among all the owners under the same service provider, such that all of them would be able to get out of the system at the same time. So the system is a service provider and many owners, and you want that if all the owners, let's say, understand that something happened to the service provider, they would be able to kind of do a vote and decide that, okay, they all want to go at the same time and move to another system. So it makes sense that all of them will have aligned incentives, because all of them have some kind of stake in the system, and we assume that it's kind of an equal stake in the system.

So all of them would have the same incentive to move out at the same time, or at least if there's a big enough group that wants to do it, they will just vote and do this massive withdrawal. And the nice thing about the protocol is that we make sure that it will work no matter what, so no one can cheat them. So the service provider,

At the moment, when you do this tolt oftoky generation, he also gives so more information to each owner that to thelove, this type of massive exit, so Te scripyou protocol a little moredepth like what? What do? What do you? What do you? What do Yo from a userstory perspective? How is pe? How are people supposed to interact with withwhat you're currently doing Ho? How would you like? How do you expect theusers to understand this, and what what do you feel like uh? You know: How do you explain tothem that security model behind this yeah, so excellent question, ild firstont to comment that this is in case and in general I would say: Wehave h the product that we're building that is like inspirled by thetechnologies that w're now discussing and wehave the research and what weshowed at SBC was no going research. This islike a paper that h. We walked on an Teare, a few papers.Research directions like that that we can fo describe as well like ow to doatomic swaps using pecial photography, how to do payment, Channa, Metok, usingchytography and tersonal chytography alsoo interesting stuff like this. Sothis is kind of H, not the main focus right now of whatweare doing in the product, meaning that in the product we do want to havethis type of unconditional recovery and in the poluct wee lie like and it'smaybe it's my bed, because I started to explain like the practical aspects ofwalking with the two Tlot of two scenario, and this is. But what led usto do this research, so in in the polic we do work wit telt of two UH trashal signatures to supportblockchinge and in the potuct. We do want to provide this h as the same um guarantees about the covelry and and anexit, but it would be much h much more easy to explain because H. Iagree that this talk was more. I aimed for for Chytographers for distributed systems guy and UH. 
Thepurpose was to uh to create this discussion around theCho it'letarly imparative to your protocol at the moment, but it'ssomething that you guys are kind of researching on the side. Is thatcorrect? Yes, if' we're doing in general, research on on threshold,Cyptography Cosesection, with bloching and and what you're doing in theproduct in in terms of recovery is so again. We we do need to handle thesetwo types of H. different types of iceveryone is, iswhat I call in Tetok self recovery, so how the owner can recover his ownsecret tair, and the second part is how you can do this selver sidelecover. Sowhat if something happens to the serval? How you can recover- and the Nice thing is that in they life, you ave al sorts of h, colathe technologies that are on ahigher level, then the Chitography. So I mean what you try to describe in inthe talk is how you can sorve this using nothing but the same assumptionof Chitoglaphy that you are already using. So if you are just stuck on anisland and you all, you back is the only weapon. You Ghat is is pocialchotography. This is how Yo probably want to play it, but in real life youhave you have Mobil devices which Ave h, h,secur elements inside of them. You have Um selvers with backups and WOITD SOM fildparties H H, solutions that can help, so we areproviding the same guarantees in the product and how to actuallyconvey for music experience to the user. This is fantastic question I mean rightnow. We are in kind of a a private detta going to lunch Inin in a fewweeks. H- let's say, let's say q too, of of the- and this is kind of thequestion that we're trying t to tackle because the technology stock is EODITA.Is there and now trying to actually see how this can be conveyed in in in aneasy way to the use? But yes in in the POLIC, we do handle U recovery for bothsides of the quation. 
I mean, to do the self-recovery, to do the server-side recovery.

So, you know, most people, when they hear multi-party computation, they don't think about threshold signatures, because the phrase itself kind of evokes this concept of a world, you know, of many, many, many computers operating on the same problem, if that makes sense. But the reason that I think we need to kind of extrapolate on why things like ECDSA, DKG, and threshold signatures in general are a multi-party computation tool, and almost fundamental, like, what's the word, not first principle but basic, like a... what's that?

Fundamental?

Sure, yeah. It's like an atomic, like, you know, base structure for this kind of stuff. Because let's just look at the use case of file encryption. Okay, let's just say you took a file and you wanted to store it on IPFS, and you wanted to encrypt it, and you wanted to grant access to certain people. But you don't want those people to have the ability to just decrypt it without checking the network to see if they have the ability to decrypt it. A multi-threshold signature, kind of like a distributed key generation network, can distribute a key to a person who is authorized, meaning that they would hold the kind of gatekeeper status, and you would need a certain quorum of these key signers, or, you know, key shares, in order to unlock the file, which means that it's very difficult to compromise the security of that file; you'd have to compromise pretty much the entire network. And that's kind of like one particular use case where it's interesting to me that threshold signatures are really a basic, fundamental part of multi-party computation. I'm kinda curious, since you have a multi-party computation background, if I recall, so you are pretty heavy in that space: what kind of excites you in that, and how are you seeing some of the work you're doing being applied in that space?

So thank you for this question. I really like it. So I think that, yes, we can start with the abstraction of what you are actually trying to achieve with this word "threshold" and what's happening here.
So what I'm claiming, or what I want to claim, is that in order to do cryptography you need trust, or you need to have some kind of source of trust in the world. So we touched on it earlier when we described public key infrastructure, that essentially all of cryptography is relying on. We're trying now to do some kind of secure communication, we're relying on this, and, you know, what I mean is blockchain is a good source of trust. So this is kind of like a massive-scale threshold system, meaning you have a massive set of validators, and you know what goes on the blockchain, and you have this kind of property that what goes on the blockchain will not be changed. Okay, if you go to the blockchain and look to the past, and you go far enough into the past, nothing would change, and this is like a very strong guarantee. So this is, I would say, in some sense a very good source of trust. You can also look at, let's say, what you do in a payment channel, or just, you know, a two-party payment channel. This is the most basic, I would say, source of trust between two people. You try to trust that the other party would behave according to what you expect. So you don't have any middleman, it's not like a full-blown blockchain, but what's nice about, let's say, Lightning Network and all sorts of second-layer solutions is that they found a connection between these small-scale two-party threshold systems and the big blockchain, meaning that if somehow someone cheated, then you can go and get to the blockchain, which is the bigger source of trust. It's easier than always interactively using the bigger source of trust. So first of all, I would say the threshold cryptography... the next step would be to have this kind of steps between the small-scale blockchains, like the two-party payment channels, and the large scale, the blockchain. So this is something that you need to convince yourself that you would be able to, maybe, trust. If, let's say, something goes wrong between a payment channel that we are doing, instead of going straight away to the blockchain and, you know, paying in time and money, you'd go to some kind of medium-sized blockchain, or a medium-sized threshold signature, or some kind of threshold cryptography protocol, and this would be the one that would resolve the issue. And if they couldn't do it, then you scale it up and go to the next one until you get eventually to the blockchain. So what I'm saying is that, conceptually, the way that we look at threshold cryptography in general is as this way to get all sorts of local islands of trust that just don't exist today in the world. Let's say that, and again this is something that each one of us should convince himself of right now, we convinced ourselves that, again, in the centralized world you have some kind of centralized authority that can generate certificates, and based on the fact that you trust this centralized authority, this would give you the trust in the world. In the decentralized world, now we have the blockchains, but using threshold cryptography you can be more flexible about it. Let's say, I mean, you should ask yourself whether you can trust, let's say, a network of ten banks across the world, and again you probably should also reason about the incentives they have. But let's say that if you can trust that at least five out of these ten banks, or I don't know, enterprises, somehow would be able to generate the cryptographic protocol such that five out of them would be honest and will actually want to do good and play by the rules, then you're supposed to be good. You don't have to go all the way to the blockchain.
So this is, I would say, what inspires what we are doing, and if we go back to our product, it means that there is this kind of service provider that we mentioned before, and you and I both communicate with this service provider, and both of us... What I'm saying is that we built the protocol for atomic swaps that needs to assume some kind of assumptions on this service provider. So we don't need to assume that it can steal our money, okay, but we do need to assume that... so when I'm saying "service provider", it can be, let's say, a network of twenty service providers that are running a threshold cryptography protocol among themselves. We both convince ourselves that we trust them at the same level, that ten out of this twenty will play by the rules, and if we can assume this trust, we can have atomic swaps for free. This is what I'm saying, and again it's valid for everything: what you can do with a blockchain you can do with a smaller scale, assuming that you trust that the ones that run the protocol are distributed enough and aligned, in the sense that somehow they are all incentivized to be honest, and then it's just a question of what can be attacked or not. So this is kind of, I would say, I hope this was not too high-level or abstract.

No, no, no. What you're describing is basically what is commonly known as layer two solutions, right? I mean, it's like plasma and generally...

Yeah, exactly, exactly. So plasma is using a smart contract on the blockchain, again, as the source of trust. And again you have this kind of, you know, smart contract that you need to somehow trust.
All I'm saying is that you can replace... and by the way, I had this discussion with one of the other speakers at SBC about it, the one that is working on plasma. It's really, it's actually the same problem, but I'm trying to replace this smart contract by doing something which is even off-chain, and assume that you need to have some kind of threshold security to it. So the assumption is that you have threshold security, and if you are happy with this assumption, yes, you can get this alternative.

Yes, so I mean, there's the ideal scenario, where you could build, like a, I don't know what it's called, a committee, a collective, a... there's a word I'm missing, a cabal, a consortium. That's the word! You build a consortium network, and people can interact trustlessly within the consortium network. But the question is, you know, do you see that withstanding the test of social consequences, meaning that, let's say we're going into a trustless... the idea is to stop depending on central authorities quite as much. I mean, if you look at the actual first genesis block of Bitcoin, I mean, it's a big middle finger to the banks, where there's actually a headline encoded in it that says, what is it, something like "Prime Minister grants", you know, "awards new..." something to the banks, or something like that. I can't remember; it's actually in my Twitter profile, I should pull that up. But the point is that centralized authorities collude. Can we use these kinds of schemes, do you think, to actually prevent collusion, and on the layer two? Obviously we can do it on layer one, or layer zero, whatever you want to call it, the protocol layer, but on the more fatter protocol layer, the layer two solutions which actually kind of build their trust off that network, can we use those same mechanisms in a trustless way, with the same degree of confidence that we are getting out of the blockchain right now?

Yes, this is very interesting, what you're saying, and I want to make a few comments. So up until this point, the companies, I mean, when you try to actually build a threshold system, eventually it starts with a single company that writes code. So there you go: a single point of failure and centralized something. Then let's say that you deploy this code, so this company now goes and deploys this code to different servers in the same company.
So again, if you go up enough or down enough, you'll find this administrator, this IT guy, that has access to all the servers, right? So this is, again, a second single point of failure, or centralization. So this is, I mean, one of the claims that I eventually took out of the talk was the fact that in real life we don't see, like, true decentralized threshold systems, because to bootstrap them there's a lot of centralization that's going on right now. So what, probably, if we could, as a society, be able to find a way to have a threshold system between, I don't know, companies that on one hand are incentivized, aligned, in the sense that they want to play honest, and on the other hand would not be incentivized to collude. So this is kind of an open question that I'm asking myself a lot about, and I can say two things about it. So first, there's this concept of ceremonies that we see right now, something that started with Zcash, and now Ethereum is going to do one for Ethereum 2.0, and this is basically, again, going back to the fact that you need to somehow generate trust in the world. So a ceremony is a good way, because you find that anyone can participate. So this is a good way to do it. Threshold, I mean, a ceremony is equal to a threshold cryptography protocol, okay. This is basically, each time Zcash is doing this protocol and trying to initialize the parameters of the system, this is an MPC protocol. Again, what Ethereum will do, the Foundation, is a one-thousand-participant protocol. It is again a multi-party computation protocol. So this is a good way to bootstrap, and maybe we'll see in the next few years many ceremonies, maybe hopefully with a framework for communication that people would provide. It could be very easy to just do ceremonies: you just get a call with enough people and they will do the ceremony, and there you go, you can get this source of trust, of whatever you need.

There's another interesting aspect to it. We can do this kind of, maybe interesting, mind game. Let's say that we want to have a payment channel between us. So again, if I trust you and you trust me, then this is game over, everything is fine, right? I mean, we don't need anything. I can just give you funds, you can give me back, and I'll trust you that you'd give them, and you are honest, but of course this is not a real-life scenario. So the next step is, what if we both can agree on a set of n parties that will run the protocol for us? Okay, so it doesn't have to be the blockchain. The blockchain is the easiest, but what I'm saying, going back to my previous point, is that one step above is that we both agree on the same five parties that will run the protocol for us. I trust them, you trust them, again game over, everything's fine; we can just transfer money between us and everything will be fine. Another step, and this is by the way a step that a lot of people from academia, I think, are thinking is going to be a valid step, is what if I trust my bank, my bank and another set of, let's say, four banks, and you trust a set of five banks, and the banking system is trusting each other, meaning they also have the way to trust each other, so again game over, because I can transfer funds. And I'm not saying using the banking system, I'm just saying using the already existing social framework of trust that the banks have between themselves. So I trust my banks, with these five banks, and they will run threshold cryptography between them. Another step, and this would probably be the last step, is okay, let's say that both of us cannot agree on a joint set of parties, but I have some kind of trust circles in the world, meaning I trust, let's say, I don't know, Amazon in a certain sense, and another one in another sense, and so forth, and you have your circles of trust. So now we can also run a threshold cryptography, or a multi-party computation.
Well, without revealing this private information, we find the intersection between the parties I trust in the same circle and the parties you trust. Let's say I trust a thousand parties in different circles, you trust another thousand parties in different circles, but there is some kind of intersection. So we run this protocol and we get to this intersection between ourselves, and again this is something that, let's say, we got to some kind of agreement. Now we can just decide how much trust we put in this channel. Let's say we don't trust it with all of our money, but we trust it with some.

So, actually, I feel like you actually missed one in that list, because we had Mahnush on our program very early on; very fortunate to have her on. She explained DFINITY to us probably better than anybody I had heard before, and actually completely flipped me. I went 180 on that project, and now believe they are on to something. In that talk she discussed the concept of, so you said, okay, well, I'm party A and I'm party B, and we both want to pick a set of parties that we mutually trust to do our, you know, generation for us, right? But in the DFINITY model, the network itself picks the nodes which are trusted, and they can do the generation, and that works for their state machine. But that same model could also apply to just picking, you know, just signing mechanisms, meaning that there could be an open network of a ton of nodes which use BLS, and, you know, you can select a particular ring signature group of those nodes that are available at random, and then they use their subset as a quorum to actually generate the keys. And that's completely automated; it doesn't require any negotiation or interaction. You just decide that you're going to trust the entire network, and the more nodes on the network, the lower risk there is for fraud.
I guess you could say, yeah, I would say this is the next step, probably. Yeah, but again it is heavier in computation and in the amount of stuff you need to do. So I would say that, I mean, this is a very good way to generate consensus using this generation. And once you have consensus, it's like a super strong form of trust; it's like you have superpowers. You can do a lot of stuff in your system if you have consensus. So they are using exactly threshold cryptography to generate this consensus. So I would say this would be, probably, one step above what I'm describing.

Yeah, this is a good analysis. So do you think blockchain is actually going to be the ultimate winner in consensus?

Again, it depends on what you want to achieve. I mean, if I want to transfer a small amount of money that we want to transfer between ourselves, then you don't need a full-blown blockchain. You can probably do it, and I think there were some kind of nice ideas out there to do it.

I mean, let me refine that question a little more. Do you believe that a blockchain, as in the data structure, plus what's built on top of the consensus mechanism, I mean, the two are kind of intertwined, so you need either proof of work, proof of stake, you know, delegated proof of stake, you know, proof of storage, whatever, which I think she is using, and that's tied to this data structure, which is a constant audit trail which builds its state table, and it goes all the way back in history, and you can validate all the way to the top. There are some flaws with that, meaning that a blockchain requires a huge amount of storage space that's technically ever growing. To validate means you've got to go through the entire history, although there's a certain tolerance for that, of course, as well. So there's a lot of things like light clients and stuff which reduce this pain, but you have the core problem of syncing, meaning that syncing takes a long time. So if somebody wants to join the network, we've got issues. So tying the data structure to the consensus mechanism to me seems inefficient. Do you believe that there will be cryptography-based solutions? I see DFINITY as possibly... I'm saying this because I see DFINITY as being a possible answer that decouples storage from consensus, and you can just have pure cryptography-based consensus on the current state of a system.

Well, that's a good question. I mean...
All I know is that consensus is, in some cases, overkill, and as you mentioned, once you have consensus, the system is going to be hard to scale, and also this is why you have these level-two solutions. And what I'm thinking is that threshold cryptography is, you know, a building block. I mean, by the way, yes, if you look at how you do it today, like in a single system, Byzantine agreement uses threshold signatures, threshold cryptography; it's a building block that can be part of consensus, and it can help consensus, and consensus can help threshold cryptography the other way around. I'm just saying that I see currently, over the past and over the next few years, threshold cryptography taking more place in these level-two solutions. You have this blockchain, and again, voting can be the consensus; it can be built in many ways. We have a lot of implementations of a blockchain data structure, and what I'm saying is that if you want to kind of do this gradual release of the trust from the blockchain into the use cases of daily life, I don't know, you want to play a game, all sorts of stuff like this, so this is where threshold cryptography can come in handy. And specifically with KZen, we are focusing on how to do key management using threshold cryptography; this is the problem we are tackling.

Cool. This has been a great show. Thank you. Oh, I think this is time to wrap up; we're kind of approaching the hour mark. What questions should I have asked, do you think, that maybe we left out? Is there anything that you really want to touch on that we kind of haven't gotten to yet?

So one thing to clarify that I think is important is the difference between Shamir secret sharing, or secret sharing schemes in general, and threshold signing. It's a very simple difference. Shamir secret sharing is a way to take a secret and to distribute it among n participants, n parties, meaning that once you go to the signing phase, you need to reconstruct the secret, meaning that you get a single point of failure. In threshold signatures, as I mentioned, you are both doing distributed key generation and also distributed signing, meaning you never reconstruct or assemble the private key in one place. So this is what I think is important, also for the completeness of the show.

Yeah, no, and I think Shamir secret sharing we bring up a lot, and actually in this episode we have yet to release, not sure if it releases before or after this one, I go into a little bit of detail, ramble as I'm prone to do, describing Shamir. I think the question that would arise from what you just said, that I think you could clarify, is: where does the actual signing take place, then, if nobody, no one person, is actually reconstructing the key, if that makes sense?

So, as I said, the signing is an instance of a multi-party computation, meaning it occurs as a distributed protocol. So this is a distributed computation with the guarantees that the keys, the secret shares, the parts of the one key, would not get revealed to anyone, especially, you know, the parties involved other than yourself. And eventually you'll get this result of the function, which is the signature, which you can just send to the blockchain, and all parties should get this result.

So basically, with Shamir's, the actual result would be the private key. With threshold, the actual result is a signature.

Yeah, yeah.

Okay, cool. Thanks a lot. This is an amazing episode. I really appreciate you coming on. Sorry Corey couldn't be here, but he's in Brazil, and so it is what it is. How can people reach you? How can people get in touch with you?

So, as I mentioned, we started with a private release of the application, which would be completely public on the web in the next few weeks, so you can sign up on our website, that is kzencorp.com, and we'll make sure that you'll get to test the application, which is right now what's most important for us. Also, we have a lot of open source going on, so you definitely should check the GitHub of KZen, and feel free to reach out, either to me directly or through the GitHub. If you find anything in the research projects or the cryptography that we are doing interesting, let's work on it together. We have a lot of collaborators, which is fantastic.

Cool, and the links for all that will be in the show notes. Really appreciate you coming on. It was a good talk at SBC and a great talk here. So as usual, you could reach us at @hashingitoutpod on Twitter.
You can reach myself at Collin Cusce, so it's @CollinCusce on Twitter, or Corey, who is not here today but is normally on the show, at @corpetty, Corey Petty. Thanks for coming on.