Hashing It Out

Episode 38 · 3 years ago

Hashing It Out #38 - KZen - Omer Shlomovits

ABOUT THIS EPISODE

We have the great pleasure of speaking with Omer Shlomovits. Omer is a multi-party computation and cryptography expert with KZen. He speaks to us about KZen, his research on threshold signatures for building simpler and more secure wallets, key recovery schemes, and the future of multi-party computation. Fantastic episode chock full of deep knowledge!

Links

  • https://www.kzencorp.com/
  • https://github.com/KZen-networks
  • https://twitter.com/KzenCorp
  • https://www.youtube.com/watch?v=veIXYIZrSC8
  • https://www.facebook.com/groups/800441673459620/

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks. All right, Hashing It Out episode thirty... it's probably thirty seven or thirty eight. We had some delay with our previous episode, so it's kind of waiting in the queue. It's either thirty seven or thirty eight when we release it. Hello, I'm Colin Cuche. Welcome to the podcast, and I have the great pleasure of introducing you guys to Omer Shlomovits, co-founder of KZen, cryptography expert, multiparty computation expert, and he gave a fantastic talk at SBC, but unfortunately he was the last presenter and it wasn't really fair. I felt like he gave a really good presentation and I want to give him an opportunity to reach our audience with this presentation, because the last talk was right after it all, like, and everybody kind of left. The room was like half full. I felt like that was just a total injustice, because they're working on really awesome and interesting things over there at KZen and I had a really great conversation with Omer. So, you know, I just figured that this would be a good opportunity for you to kind of hash out what you were saying for that half hour, in an hour, to our wider audience. So why don't you open with just telling us a little about yourself and what you're doing? Sure. So thank you for having me first, and also a comment about SBC. I don't think it's unfortunate that I spoke last. Specifically, I got some good words from Dan Boneh, which is, I guess, what you can call a lifetime achievement, and Dan Boneh is the professor of the cryptography lab in Stanford. So this is about that. So yeah, my name is Omer.
I'm currently a co-founder of a company named KZen, KZen Networks. We are dealing with key management systems that are based on multiparty computation. I'm also co-founder of a community here in Israel, and maybe a bit global, that focuses on zero knowledge and privacy technologies. So we have four hundred members and we are having meetups once a month, and you can check it out on the Facebook group, and the meetup and videos as well. Yeah, we'll provide those links in the show notes. So thanks. So your talk was about building a more minimalistic, more user-friendly scheme for crypto wallets, and I thought it was potentially interesting. You went over some topics that I am not particularly strong in myself, and it actually got me kind of looking into them a little more. One of them is just, you know, more in-depth knowledge of secret sharing using threshold signatures, and I want you to kind of step us through the process of what you're proposing with that talk, and kind of what you think you're doing better than the current systems that are in place. Yeah, sure. So I think that we can start with some background on a few topics. So first of all, as I said, I'm dealing with a key management system, meaning that eventually it means that you have some kind of a secret that you need to manage, and in the specific use case of blockchain, this secret is kind of tricky, because if you want to just keep it safe, then you'd store it someplace that no one can touch it, what we'd call cold storage, and be done with it. But in the blockchain case, you do need to use this secret information, and the way that you are using it is by signing on some kind of statements, and the process of doing these signatures involves the use of...

...the private key. So this is kind of the tradeoff, and the first thing that I touched on is between the security and the usability of the key management system, or the KMS, and what we are trying to do is to take a different look at this problem. So we are starting from the basics and trying a new paradigm that is based on threshold signing, which we can probably go into much more depth about in a moment, and using this threshold signing, we are trying to provide what is, I guess, better usability and also to give some improvements to the security aspects of the key management. So to explain a bit more about threshold signatures, we can maybe start with the existing technology in blockchain today for key management. So at the most basic level, the functionality that every blockchain would provide is a way to verify digital signatures, meaning that the blockchain doesn't really care how you generate your digital signatures, but the miner or the blockchain maintainers would be the ones that will verify, and the verification would be the same no matter what. So there are a few blockchains, Bitcoin as the first example, that can support a more elaborate verification scheme, which is what we call the multi signature. So in this case you want to verify not a single signature but multiple signatures at the same time. So you can attach a statement or transaction to a set of public keys such that the verification will be that this transaction is valid only if you see some kind of access structure that is dependent on all of the public keys, or signing using the private keys that correspond to the public keys in this manner. So this can happen in some blockchains that support this type of multi signature or multisig. They support it natively. This is part of the application of the software that is part of the blockchain.
On the other end, there are some blockchains that do not support it at all, so you cannot actually do a multisig. To give an example, Zcash is the case. You cannot do a shielded transaction with a multi signature in this manner, and also all sorts of in the middle, like in Ethereum. You need to write a smart contract to implement this type of multi signature, and in Bitcoin there's the script language that you need to use. So it's really different between blockchains how to do this multi signature, if it's possible at all. Now threshold signatures, and here I'll just give, I guess, the end result, but there are a lot more details that we can talk about in this regard, is something that is independent of the blockchain application, meaning that you don't really care if you are using a script, a smart contract, if multisig is natively supported, or if it's not supported. You're just working with the cryptography, which is basic elliptic curve cryptography, and this is part of every blockchain. So threshold cryptography or threshold signatures is how you can get the same functionality, I would say, as a multisig, but uniformly for all blockchains. So to add support for Ethereum would be the same as to do it for Bitcoin. You don't need to write a special smart contract. You're completely independent of the application layer of the blockchain and just relying on the fact that all blockchains utilize the same type of cryptography. This is, I think, the major aspect of it all, but there are a lot more differences actually between multi signatures, multisigs, and threshold signatures. I would say advantages and disadvantages. It depends on what you try to achieve. Yeah, so let's break down kind of the scheme of multi...

...sig here. I mean most people know that at this point, I think, in the space. But basically, in order for a transaction to actually be signed, multiple parties have to send their own signature, which means the signatures have to be, you know, stored and verified in some sort of trustless mechanism, like a blockchain, or there has to be some sort of third party which can check the multi signatures and then sign off on it. Or, in the case of Ethereum, it's like a smart contract which only enables if the valid signatures are actually sent, or not even sent. It's more like a transaction which activates a boolean true/false: yes, this is valid, based off of the number of people that actually sign off on it, due to the logic of the contract itself, which of course has storage implications, but it provides a level of flexibility in that you can do things like RBAC, role-based access control, surrounding the multisig, so that there could be like a super user or something that's required in order to do like a, you know, three of four signing. So you need to have at least one super user and then two other users in order to do the signing. But that's not really how threshold works. So in threshold signatures, from what I understand, and please correct me if I'm wrong, it's basically everybody signs the same piece of data multiple times. So like party A signs once, party B signs once and party C signs once. And if you only need three signatures, once you have all those three signatures signing the same piece of data over and over again, you're actually creating the final signature which could be committed to the blockchain and sign the actual transaction. Is that correct? So what I'm taking from your question actually refers to two points.
One is about access structures and one is about the definition of digital signatures and the difference between the classical definition and the threshold one. So first, staying at the level of access structure, if you want a signature which is any t out of n, it might be two out of two, it might be two out of three, it might be, I don't know, five out of eight. This is something that can be achievable in general using smart contracts in Ethereum, like the example you gave. It doesn't require any trustless coordination. Usually what it means is that once the contract is deployed, you need to accumulate the signatures until you get five of them, let's say in the five out of eight example, and then you can just send it and, like you said, a boolean goes from zero to one and everything will be fine. This, however, in multisig has some kind of implications, as you said. So there is some kind of space requirement. There's also the security issue of smart contracts. There's also kind of a visibility, so the blockchain has some kind of understanding that this is a contract for a five out of eight, let's say, type of multi signature. And also in Bitcoin there might be a cost implication to it, because the transaction would be of a larger size. So all of these implications can be compared to what we'll get with threshold signatures. So with threshold signatures you can again technically, theoretically, achieve any access structure you want. And again, the access structure can also be a complex one, like you need one authorization and another five out of eight authorizations, and I mean one authorization from a specific public key and another five out of eight from a different eight public keys. It can be a very, very complex access structure. What we get using threshold signatures, and in a second I will explain why and how we get it, is so.
First of all, the transaction will look the same. So because you are changing only the cryptography, which is kind of underneath the application of the blockchain, the transaction will look like a single signer. So in terms of privacy, in terms of transaction size, you get it like any other transaction. Also, in terms of privacy, the observer from the blockchain point of view will not be able to tell what the access structure was. Okay, so here you get some kind of advantages of using threshold signatures. Now I want to explain a bit. Maybe this would be starting from the basics about digital signatures. I think it will make some things clear. So the digital signature algorithm is a set of three protocols.

One is the key generation, the second is the signing and the third is the verification. Now key generation, in the single key case, is simply the way to generate a random private key and the corresponding public key. Okay. Now you must have a key generation before you can do any signing or verification operations. Signing is a private operation. It's something that you can do using your private secret key when you sign over a message, and verification takes the public key for the same secret key, and the message and the signature, and outputs a boolean one if the signature is verified, if everything is okay, if the statement was indeed signed using the secret key, so without revealing the secret key, you can just do it. Now, threshold signatures is where you change two out of these three protocols. So you need to do a threshold key generation and then you need to do a threshold signing. So first of all, verification stays the same. Okay. So this is what gets you what I mentioned before at the high level, that for any access structure you use in threshold signatures, you'd still get what would look like a single-signer, regular transaction on the blockchain, and this is because verification would stay the same. So again, what you're trying to achieve in verification, you're trying to get one signature as opposed to a multi signature in the multisig case. So we need to get one signature.
So first of all, you are doing some form of threshold key generation or distributed key generation, which is the process where, let's say, n parties can jointly generate a public key, one public key, and each one would get some secret data, okay, and then the signing, the threshold signing, is the protocol where the input would be the secret data of all of the signers, of all of the n parties, or some threshold number out of them, and the output will be this single signature that would be possible to verify using the public key. I hope that answers your question. Yes, it does. So I am actually familiar with ECDKG. It's elliptic curve distributed key generation, and that is done completely off chain, and so you need to build a system which can actually interact with other people who are enabled and have permission to create that key, and then there are all the permission layers around that. But the thing is, and this is a point you brought up a second ago, you do not need to trust any of these systems, but there is some sort of setup process for that. So, with regard to your talk, how does that setup kind of work and what does it look like, and how do you get these keys into the hands of people? And what are you working on with regard to that? So this is a very good question. As you mentioned, this distributed key generation is one instance of multiparty computation, we can say, and in multiparty computation, you know what, maybe it's a good time to just define what it is. So basically you have a function, and it's a protocol between n participants, parties, players, and each party gets to own some secret data, and the thing that you're getting from any MPC protocol is that all parties would get to see the output of the function on their secret data.
Okay, so this is a function of the secret data of all the n parties, but the secret data will not get exposed to other parties. So each party gets these guarantees. The one is called correctness: the computation would be correct, assuming that you run the protocol according to the spec, and the second is the privacy aspect, meaning that your data will not get leaked. Now this is, as you pointed out, exactly a distributed protocol, so everything that we know in distributed computing applies. Now, how do you do it? It's a good question, and also, honestly, I would say that we found out that this is even something that...

...is kind of missing in the space today, how to just do a good multiparty computation, like a general framework for multiparty computation. So what usually people end up with is doing expensive zero knowledge proof protocols to compensate for it. So this is one of the research directions that we are investigating, exactly this communication level for MPC type of protocols. We're trying to build something for our purposes, and we try to make it open source, and we try to make it such that anyone that has some kind of multiparty computation that he needs to run can use this type of framework. And I could go into more details about it if you want later, but so, how is distributed key generation in threshold signatures multiparty computation? So what you have in distributed key generation is that you end up with each party getting to choose randomly some kind of input. This we can call the secret share of this party, and the output of the distributed key generation will be a public key. So the function that all parties want to compute together is the public key, it's a single one, and you need to compute it in such a way that it would be a function of all the secret shares of the parties. And now, using this same abstraction of MPC, we can also describe the second protocol of signing, of threshold signing, which takes as input your secret share, and again you don't want it to leak, and the output will be a digital signature over a specific message. So the parties will get to see the signature and one of them would need to publish it to the blockchain, but the secret shares will remain and not get leaked to other participants in the protocol.
Now it's true that you kind of assume in general in cryptography that you have some kind of what's called PKI, or a public key infrastructure, meaning that if you and I are running a protocol, I need to make sure that you are you and you need to make sure that the opposite side is me and that we are actually communicating with each other. So this is kind of an assumption that usually in a cryptographic system you just assume that you have. It's easier to reason about it in the blockchain use case, because the blockchain can be sort of a public key infrastructure, meaning I can say to you, look, I'm going to use a public key that is on the blockchain, and to prove to you that I know the secret key to this public key, and this would be like my secret share, the secret key now, and so it means that publicly anyone can use it and I just need to somehow prove to you that this is me, and I can do it by providing you some kind of proof that I know the private key. So it's an open question, or it's not an open question, but this is kind of an assumption of the system. And also in my talk in Stanford this was kind of the underlying assumption, that parties that are jointly running the protocol, the n parties or later the threshold parties, have some kind of way to know what the other parties are publicly. So again, they don't know any secret data of the other parties, but they do know some public information about them. So it's a reasonable assumption. So they use the public information to kind of do the whole setup process. You can agree on what is essentially the new public key that would be used for signing. Is that correct? Yes, yes, exactly. Okay. And how do you leverage that? To do so, you're building a network that can actually handle that. Is that correct? Is that what you're kind of working on, or that aspect of it? So it's, I mean it's not.
It's not accurate, because to be like a full-blown network that can run general n-party computation, this is something that I think is very complex to do. I mean there's a lot of mechanics that you need to understand, and what type of protocols and what the purpose is that you want to do. So in our products we started, I mean even from a resource perspective, we started looking just at the simple case of two out of two: you have two parties...

...and they want to jointly produce a signature, meaning that they will also run a distributed key generation, but between two parties, and it means that you also need the two parties to collaborate in both cases, in the key generation and in the signing. This is the two out of two case. Now we started with this because, as I said, this is the simplest you can get in threshold cryptography, which is again a complex topic to actually do in practice in the general case. To give an example, right now there's a kind of standardization effort from NIST, from the national standardization authority, to kind of look at practical threshold cryptography and try to understand how to measure it. I mean, there are a lot of open questions about how to measure it, if there can be any standard about how to do it. So they're organizing actually a workshop, I think in a few weeks, and this is going to be an ongoing effort. So we looked at, we are looking at the two party case, and what we noticed is that, first from the network perspective, what you asked, you can just kind of use a classical network architecture of a client and server. Right. This is what we know to do, what everyone knows to do best. This is what engineers understand. So if you have two parties, only two parties, you don't really need all the distributed setup and complex network machinery. You can just have one party be a server and the other party be a client, and you can get off-the-shelf protocols for the communication. I mean not the cryptography, but the communication. So this is something that you can get very easily. So it helped us a lot in building the product.
But we also noticed that this still opens up a lot of room for research, and I mean moving to this paradigm of, instead of having like a private key or a set of a few private keys, just having one distributed private key, opens up a lot of interesting research questions and also challenges. So I guess what I tried to explain in my talk at SBC was one of the challenges that it brought up and how we managed to try to solve it. But again, there are also many opportunities about it. So we are actually looking at a network that has two types of actors. One is like servers and one is clients, in a sense, and the server and the client both need to run key generation and threshold signing. Now I'm trying to recall your talk a little better. I'm sorry about that. I remember there was something where you identified some particular issues with the traditional scheme with regard to that, that there was an owner of the key that was kind of initiating the whole key share process, which I might want to go through as well, and then there was a problem where what if that owner disappears? How can I recover our secret shares? Right? So could we go through some of that with the audience? Yeah, sure. So you have a good memory. So it's fantastic, and indeed one of the challenges that you get in this two party setting. So eventually, we are talking about a key management system. So you are a private owner and you want to have your key managed in a secure and also usable way, meaning that you still want to have some kind of control when signatures are happening. You don't want someone else to decide for you. Okay, you don't want to give authorization to just anyone to do the key management for you.
So you need to have some control of the usability, but you still want to get this distributed security, meaning that you still want to have this property, that an attacker would have to attack two places and, I would also add, at the same time, because this is one of the benefits that you get from using this type of scheme. So you still want to have an attacker that needs to attack two places at the same time if he wants to get your private key. So one of the challenges is regarding the recovery, meaning, so instead of one problem of recovery, which is what you have in the single key case, when,...

...well, you just need to recover your own key, now it's a two party, it's a twofold problem. Well, you need to find some way to recover if something happens to your secret share, and you also need to find a way to recover if something happens to the other party's secret share. Right. I mean this is again, like you said, the concept of ownership, because we assume that in the system there's one owner. Okay, you cannot divide ownership. So you can divide the private key, but you cannot divide ownership. So there's one owner, but two secret shares, and this owner, the owner was defined by us as the one that puts money into the system or puts some asset or does transactions inside the system. So, yes, some kind of stake in the system. Yes, some kind of asset that belongs to him, and he just wants to get this better security. So what we focused on in the talk was the case where the owner wants to recover the other party's secret share if something happens to the other party, like there was denial of service on the other party for a long time. There are a lot of attacks that you can describe. If someone just attacked or hacked the other party, you need to find a way to defend yourself and to get your money outside of the system and move it to another system. So this is the question that we dealt with, and the way that we tried to tackle it is by first making some kind of assumption on how the server and the client are positioned in regard to each other, meaning that we assume that we have one server, and the server would never be an owner. It would be like a service provider.
This is the name that we give to it, meaning that its entire goal in life is to assist owners to get this extra layer of security, and you can reason why this would be a valid use case, because you can incentivize them, in a sense, meaning that, let's say, it gets part of every transaction that goes to him or something like this. In the end it's going to be part of every transaction, meaning it needs to approve every transaction. So this is kind of what made sense to us, that you can, let's say, be incentivized to have one server and many owners connected to him, and there isn't any effect on the security, because each owner will work with the server separately, so they are not connected in any way. Each owner will run a two out of two key generation with the server, with the same server or service provider. And the service provider eventually will hold many secret shares that belong to many owners, but you cannot do anything with them without the secret shares of the owners. So if you attack just the server, it might be better than attacking an owner because you get a lot of secret shares, but it still gets you nothing, because first you need to also attack an owner to get the full private key, and also because of this mechanism for recovery that we built. So under the assumption that there are many owners to one service provider, now it kind of opened up a lot of possibilities. The research problem was how to generate a protocol that will require a collaboration among all the owners under the same service provider, such that all of them would be able to, at the same time, get out of the system. So the system is the service provider and many owners. And you want to have all the owners, let's say that they understand that something happened to the service provider.
So they would be able to kind of do a voting and decide that, okay, they want to withdraw, all of them at the same time, and move to another system. So it makes sense that all of them will have aligned incentives, because all of them have some kind of stake in the system, and we assume that it's kind of an equal stake in the system. So all of them would have the same incentive to move out at the same time, or at least if there's a big enough crowd that wants to do it. So they would just vote and do this massive withdrawal. And the nice thing about the protocol is that we made sure that it will work no matter what, so no one can cheat them. So the service provider, at the moment when you do this two out...

...of two key generation, he also gives some more information to each owner that will allow this type of massive exit. So describing the protocol in a little more depth, what are you, from a user story perspective, how are people supposed to interact with what you're currently doing? How do you expect the users to understand this, and what do you feel like, you know, how do you explain to them the security model behind this? Yeah, so excellent question. I would first want to comment that this is, in KZen and in general, I would say we have the product that we're building, that is inspired by the technologies that we are now discussing, and we have the research, and what we showed at SBC was ongoing research. This is like a paper that we worked on, and there are a few papers or research directions like that that we can of course describe as well, like how to do atomic swaps using threshold cryptography, how to do payment channel networks using threshold cryptography, also interesting stuff like this. So this is kind of not the main focus right now of what we are doing in the product, meaning that in the product we do want to have this type of unconditional recovery, and in the product, and maybe it's my bad, because I started to explain the practical aspects of working with the two out of two scenario, and this is what led us to do this research. So in the product we do work with two out of two threshold signatures to support blockchains, and in the product we do want to provide, I guess, the same guarantees about recovery and exit, but it would be much, much easier to explain, because I agree that this talk was more aimed at cryptographers or distributed systems guys, and the purpose was to create this discussion around it.
Gotcha. So it's not really implemented in your protocol at the moment, but it's something that you guys are kind of researching on the side. Is that correct? Yes, we're doing in general research on threshold cryptography's intersection with blockchain, and what we're doing in the product in terms of recovery is, so again, we do need to handle these two different types of recovery. One is what I called in the talk self recovery, so how the owner can recover his own secret share, and the second part is how you can do this server side recovery. So what if something happens to the server? How can you recover? And the nice thing is that in real life you have all sorts of cool other technologies that are on a higher level than the cryptography. So I mean what I tried to discuss in the talk is how we can solve this using nothing but the same assumptions of cryptography that you are already using. So if you are just stuck on an island and the only weapon you've got is threshold cryptography, this is how you probably want to play it. But in real life you have mobile devices which have secure elements inside of them, you have servers with backups and with some third party solutions that can help. So we are providing the same guarantees in the product. And how to actually convey it from a user experience to the user? This is a fantastic question. I mean right now we are in kind of a private beta, going to launch in a few weeks, let's say Q2 of this year, and this is kind of the question that we're trying to tackle, because the technology stack is mostly there, and now we're trying to actually see how this can be conveyed in an easy way to the user. But yes, in the product we do handle recovery for both sides of the equation. I mean to do the self recovery and to do the server side recovery.
So, you know, most people, when they hear multiparty computation, don't think about threshold signatures, because the phrase itself evokes this concept of many, many computers operating on the same problem, if that makes sense. But the reason that I think we need to extrapolate on why things like EC DKG and threshold signatures in general are a multiparty computation tool, and almost fundamental, like, what's the word? Not first principle, but basic, like a basic... what's that? Atomism? Sure, yeah, like atomic, like a base structure for this kind of stuff, is because, well, let's just look at the use case of file encryption. Let's say you took a file and you wanted to store it on IPFS and you wanted to encrypt it and you wanted to grant access to certain people, but you don't want those people to have the ability to just encrypt it without checking the network to see if they have the ability to encrypt it. A threshold signature, kind of like a distributed key generation network, can distribute a key to a person who is authorized, meaning they would hold the gatekeeper status, and you would need a certain quorum of these key signers or key shares in order to unlock the file, which means that it's very difficult to compromise the security of that file. You'd have to compromise pretty much the entire network, and that's one particular use case where it's interesting to me that threshold signatures are really a basic, fundamental part of multiparty computation. I'm curious, since you have a multiparty computation background, if I recall, you are pretty heavy in that space. What excites you in that, and how are you seeing some of the work you're doing being applied in that space? So thank you for this question. I really like it. So I think that, yes, we can start with the abstraction of what you're actually trying to achieve with this threshold and what's happening here.
What I'm claiming, what I want to claim, is that in order to do cryptography, you need trust, or you need to have some kind of source of trust in the world. So we touched on it earlier when we described public key infrastructure, that essentially all applied cryptography is relying on. When we're trying to do some kind of secure communication, we're relying on this. And, you know, blockchain is a good source of trust. It's kind of a massive-scale threshold system, meaning you have a massive set of validators, and you know that what goes on the blockchain has this kind of property that it will not be changed. If you go to the blockchain and look at the past, and you go far enough into the past, nothing will change, and this is a very strong guarantee. So this is, in some sense, a very good source of trust. You can also look at what you do in a payment channel, just a two-party payment channel. This is the most basic source of trust between two people: you try to trust that the other party will behave according to what you expect. So you don't have any margin here; it's not like a full-blown blockchain. But what's nice about, let's say, the Lightning Network, or second-layer solutions in general, is that they found a connection between this small-scale two-party threshold system and the big blockchain, meaning that if somehow someone cheated, then you can go to the blockchain, which is a bigger source of trust, and try to resolve it using the bigger source of trust. So first of all, I would say that threshold cryptography is the next step: it would be to have these kinds of steps between the small-scale blockchains, like the two-party payment channels, and the large-scale blockchain. So this is something that you need to convince yourself that you would be able to trust. Let's say that something goes wrong in a payment channel that we are doing. So instead of going straight away to the blockchain and paying in time and money, you'd go to, call it, a medium-size blockchain or a medium-size threshold signature or some kind of threshold cryptography protocol, and this would be the one that resolves the issue. And if they couldn't do it, then you scale it up and go to the next in the hierarchy, until you eventually get to the blockchain. So what I'm saying is that, conceptually, the way that we look at threshold cryptography in general is as a way to get all sorts of local islands of trust that just don't exist today in the world. And again, this is something that each one of us should convince himself of. Right now we have convinced ourselves that, in the centralized world, you have some kind of centralized authority that can generate certificates, and based on the fact that you trust this centralized authority, this gives you the trust in the world. In the decentralized world, now we have the blockchains, but using threshold cryptography you can be more flexible about it. You should ask yourself whether you can trust, let's say, a network of ten banks across the world, and you probably should also reason about the incentives they have. But let's say that if you can trust that at least five out of the ten banks, or ten, I don't know, enterprises, would be able to run a cryptographic protocol such that five of them will be honest and will actually want to do good and play by the rules, then you're supposed to be good. You don't have to go all the way to the blockchain.
Okay, so this is, I would say, what inspires what we are doing. And if we go back to our product, it means that there is this service provider that we mentioned before, and you and I both communicate with the service provider. What I'm saying is that we built a protocol, say for atomic swaps, that needs to make some kind of assumptions about this service provider. So we don't need to assume that it can steal our money, okay, but we do need to assume something about it. When I'm saying service provider, it can be, let's say, a network of twenty service providers running a threshold cryptography protocol among themselves. If both of us have convinced ourselves that we trust them at the same level, that ten out of these twenty will play by the rules, and if we can assume this trust, we can have an atomic swap for free. This is what I'm saying, and again it's valid for everything you can do with a blockchain: you can do it at a smaller scale, assuming that you trust that the ones running the protocol are distributed enough and aligned, in the sense that they are all incentivized to be honest, and then it's just a question of what can be attacked or not. So this is, I would say... I hope it was not too high-level and abstract. No, no, no. What you're describing is basically what is commonly known as layer two solutions, right? Like Plasma and generalized state channels. Exactly, exactly. Yes, so Plasma, but Plasma is using a smart contract on the blockchain, again, as the source of trust, and again you have this kind of operator on top of the smart contract that you need to somehow trust. All I'm saying is that you can replace... and, by the way, I had a discussion with one of the other speakers at SBC about it, the one that is working on Plasma. It's basically the same problem.
But I'm trying to replace this smart contract by doing something which is off-chain, and assume that you need to have some kind of threshold security for it. So the assumption is that you have threshold security. And if you're happy with this assumption, yes, you can get this layer two. Yes. So, I mean, there's the ideal scenario where you could build, I don't know what to call it, a committee, a collective, there's a word and I'm missing it. A cabal, a consortium. Consortium, that's the word. You build a consortium network and people can interact trustlessly within the consortium network. But the question is, do you see that withstanding the test of social consequences? Meaning, let's say we're going into a trustless... the idea is to stop depending on central authorities quite as much. I mean, if you look at the actual genesis block of Bitcoin, it's a big middle finger to the banks, where there's actually a headline encoded in it that says, what is it, something like "Prime Minister grants new relief to the banks" or something like that. I can't remember. It's actually in my Twitter profile; I should pull that up. But the point is that centralized authorities collude. Can we use these kinds of schemes, do you think, to actually prevent collusion? And on layer two? Obviously we can do it on layer one or layer zero or whatever you want to call it, the protocol layer, but on the fatter protocol layer, the layer two solutions which build their trust off that work, can we use those same mechanisms in a trustless way, with the same degree of confidence that we're getting out of the blockchain right now? Yes, this is very interesting, what you're saying, and I want to make a few comments. So up until this point, when you try to actually build a threshold system, eventually it starts with a single company that writes code. So there you go, single point of failure, and something centralized. Then let's say that you deploy this code. So this company now goes and deploys this code to n different servers in the same company.
So again, if you go up enough or down a few levels, you will find this administrator, this IT guy that has access to all the servers, right? So this is the second single point of failure or centralization. So one of the claims that I eventually took out of the talk was the fact that in real life we don't see truly decentralized threshold systems, because to bootstrap them there's a lot of centralization going on right now. So probably, if we could, as a society, find a way to have a threshold system between, I don't know, companies that, on one hand, are incentivized or aligned in the sense that they want to play honest, and, on the other hand, would not be incentivized to collude. So this is an open question that I'm asking myself a lot, and I can say two things about it. First, there's this concept of ceremonies that we see right now. It's something that started with Zcash, and now Ethereum is going to do one for Ethereum 2.0, and this is basically, again, going back to the fact that you need to somehow generate trust in the world. So a ceremony is a good way, because anyone can participate. So this is a good way to do a threshold... I mean, a ceremony is equal to a threshold cryptography protocol. Each time Zcash is doing this fork and trying to reinitialize the parameters of the system, this is an MPC protocol. Again, what the Ethereum Foundation will do is a multi-participant protocol; it is again a multiparty computation protocol. So this is a good way to bootstrap, and maybe we'll see in the next few years many ceremonies, hopefully with the framework for communication that we're going to provide, to be very easy to just do ceremonies: you get a quorum of enough people and they will do the ceremony and there you go.
You can get the trustless source of whatever you need. There's another interesting aspect to it. We can do this kind of maybe interesting mind game. Let's say that we want to have a payment channel between us. So again, if I trust you and you trust me, then this is game over. Everything is fine, right? I mean, we don't need anything. I can just give you funds, you can give me back, and I'll trust you that you'd give them and you'd be honest. But of course this is not a real-life scenario. So the next step is, what if we both can agree on a set of n parties that will run the protocol for us? Okay, so it doesn't have to be the blockchain. The blockchain is the easiest, but what I'm saying, going back to my previous point, is that one step above is, let's say we both agree on the same five parties to run the protocol for us. I trust them, you trust them. Again, game over. Everything's fine, we can just transfer the money between us and everything would be fine. Another step, and this is, by the way, a step that a lot of people from academia that I speak with are thinking is going to be a valid step, is: what if I trust my bank, my bank and another set of, let's say, four banks, and you trust a set of five banks, and the banking system is trusting each other, meaning they also have a way to trust each other. So again, game over, because I can transfer funds, and I'm not saying using the banking system, I'm just saying using the social framework of trust that the banks already have between themselves. So I trust my banks, they trust your banks, and they will run threshold cryptography between them. Another step, and this would probably be the last step, is: okay, let's say that both of us cannot agree on a joint set of parties, but I have some kind of trust circles in the world, meaning I trust, let's say, I don't know, Amazon in a certain sense and Google in another sense, and so forth, and you have your circles of trust. So now we can also run threshold cryptography or multiparty computation.
Now, without revealing this private information, we find the intersection between the parties you trust in a given circle and the ones that I trust. Let's say I trust a thousand parties in different circles, you trust another thousand parties in different circles, but there is at least some kind of intersection. So we agree on this intersection between all of them, and again, this is something where, let's say, we got to some kind of agreement. Now we can decide how much trust we put in this joint set. Let's say we don't trust it with all of our money, but we trust it with some. So actually I feel like you missed one in that list. Yeah, because we had Manu Scha on our program very early on. Very fortunate to have her on. She explained DFINITY to us probably better than anybody I'd heard before and actually completely changed my mind. I went one hundred and eighty on that project and now believe they are onto something. And in that talk, she discussed the concept of... so you said, okay, well, I'm party A and I'm party B and we both want to pick a set of, you know, parties that we mutually trust to do our key generation for us. Right, okay, but in the DFINITY model, the network itself picks the nodes which are trusted and that can do the generation, and that works for their state machine. But that same model could also apply to just picking signing mechanisms, meaning that there could be an open network of a ton of nodes, which is in BLS. You can select a particular ring signature, you could pick a particular ring signature group of the nodes that are available at random, and then they use their subset as a quorum to actually generate the keys. That's completely automated; it doesn't require any negotiation or interaction.
You just decide that you're going to trust the entire network, and the more nodes on the network, the lower the risk there is for fraud, I guess you could say. Yeah, I would say that's the next step. Yeah, but again, each step is heavier in computation and in the amount of stuff you need to do. So I would say that this is a very good way to generate consensus, using distributed key generation. And once you have consensus, it's a super strong form of trust, like you have superpowers. You can do a lot of stuff in your system if you have consensus. So they are using exactly threshold cryptography to generate consensus. So I would say this would be probably one step above what I'm describing. Yeah, this is good analysis. So do you think blockchain is actually going to be the ultimate winner in consensus? Again, it depends on what you want to achieve. I mean, if I want to transfer a small amount of money between ourselves, then you don't need a full-blown blockchain. You can probably do it, and I think there were some nice ideas out there to do it. Let me refine that question a little more. Do you believe that a blockchain, as in the data structure, plus the consensus mechanism that's built on top of it... I mean, the two are kind of intertwined. So you need either proof of work, proof of stake, you know, distributed, sorry, delegated proof of stake, you know, proof of storage over time, which I think she is using. And that's tied to this data structure, which is a constant audit trail, which builds its fact table and goes all the way back in history, and you can validate all the way to the top. There are some flaws with that, meaning that a blockchain requires a huge amount of storage space. It's technically ever-growing. To validate means you've got to go through the entire history, although there's a certain tolerance for that, of course, as well. So there are a lot of things, like light clients and stuff, which reduce this pain, but you have the problem of syncing, meaning that syncing takes a long time. So if somebody wants to join the network, we've got issues. So tying the data structure to the consensus mechanism, to me, seems inefficient. Do you believe that there will be cryptography-based solutions? I'm saying this because I see DFINITY being a possible answer to that, that decouple storage from consensus, and you can just have pure cryptography-based consensus on the current state of a system. Wow, that's a good question.
I mean, all I know is that consensus is, in some cases, overkill, and, as you mentioned, once you get consensus, the system needs to figure out how to scale, and this is why you have these layer two solutions. And what I'm thinking is that threshold cryptography is, you know, a building block. I mean, by the way, if you look at how you do it today, like in a synchronous system, in agreement, you use threshold signatures, you use threshold cryptography. It's a building block that can be part of consensus, and it can help consensus, and consensus can help threshold cryptography the other way around. I'm just saying that I see, over the next few years, threshold cryptography taking more place in these layer two solutions, where you have this blockchain. And again, the blockchain and the consensus can be built in many ways, with a lot of implementations of a blockchain data structure. And what I'm saying is that if you want to do this gradual release of the trust from the blockchain to the use cases of daily life, I don't know, you want to play a game, all sorts of stuff like this, this is where threshold cryptography can come in handy, and specifically with KZen, we are focusing on how to do key management using threshold cryptography. This is the problem that we're tackling. Cool. This has been a great show. Thank you. I think this is time to wrap up. We're approaching the hour mark. What question should I ask, do you think, that maybe we left out? Is there anything that you really want to touch on that we haven't gotten to yet? So one thing to clarify that I think is important is the difference between Shamir secret sharing, or secret sharing schemes in general, and threshold signing. It's a very simple difference.
Shamir secret sharing is a way to take a secret and distribute it among n participants, n parties, meaning that once you go to the signing phase, you need to reconstruct the secret, meaning that you get a single point of failure. In threshold signatures, as I mentioned, you are both doing distributed key generation and also distributed signing, meaning you never reconstruct or assemble the private key in one place. Okay, so this is what I think is important also for the completeness of the show. Yeah, and I think Shamir secret sharing is something we bring up a lot, and actually on this episode we have yet to release, not sure if it'll release before or after this one, I go into a little bit of detail, ramble as I'm prone to do, describing Shamir. I think the question that would arise from what you just said, that I think you could clarify, is where does the actual signing take place then, if no one person is actually reconstructing the key, if that makes sense? Yeah. So, as I said, the signing is an instance of a multiparty computation, meaning it runs as a distributed protocol. So this is a distributed computation with the guarantee that the keys, or the secret shares, the shards of the one key, would not get revealed to anyone, especially not the parties involved, other than yourself. And eventually you'll get the result of the function, which is the signature, which you can just send to the blockchain, and all parties should get this result. Gotcha. And so, basically, with Shamir's the actual result would be the private key. With threshold, the actual result is a signature. Yeah, yeah, okay, cool. Thanks a lot, Omer. This is an amazing episode. I really appreciate you coming on. Sorry you couldn't meet Corey, but he's in Brazil, and it is what it is. How can people reach you? How can people get in touch with you? So, as I mentioned, we started with a private beta of our application, which should be completely public on the phone in the next few weeks. So you can sign up on our website, kzencorp.com, and we'll make sure that you get to test the application, which is, right now, what's most important for us. Also, we have a lot of open source going on, so you should definitely check the GitHub of KZen, and feel free to reach out directly to me or through GitHub if you find anything in the research projects or the actual cryptography that we're doing interesting, and let's open it together with a lot of collaborators, which is fantastic. Cool, and the links for all that will be in the show notes. Really appreciate having you on. It was a good talk at SBC and a great talk here.
So, as usual, you can reach us at hashing it out pod on Twitter. You can reach me at Colin Cuche, C-U-S-C, so it's at Colin Cu Jay on Twitter, or Corey, who is not here today but is normally on the show, at Corey Petty. Thanks for coming on, Omer. It's been great. Thanks for having me.
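As an added example (not from the podcast or from KZen's code), the contrast Omer draws at the end between Shamir secret sharing and threshold signing, in Python: Shamir shares have to be brought back together to rebuild the secret, while a 2-of-2 additive-share Schnorr-style signature is produced without either party ever holding the full key or the full nonce. The Schnorr group parameters P, Q and G are constructed toy values, far too small for real use, and a real DKG would also commit to the public-key shares before revealing them, which is omitted here.

```python
"""Shamir secret sharing (secret is rebuilt in one place) versus a 2-of-2
threshold Schnorr-style signature (key is never assembled). Toy parameters."""
import hashlib
import secrets

# Constructed toy Schnorr group: P = 2*Q + 1, Q prime, G = 4 has order Q.
P, Q, G = 2039, 1019, 4


def shamir_split(secret, t, n):
    """Split secret into n points of a random degree-(t-1) polynomial over GF(Q)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q)
            for x in range(1, n + 1)]


def shamir_reconstruct(shares):
    """Lagrange interpolation at x=0: the whole secret exists again here,
    which is the single point of failure Omer describes."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


def schnorr_challenge(R, y, msg):
    """Fiat-Shamir challenge e = H(R || y || msg) reduced into Z_Q."""
    data = f"{R}|{y}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def schnorr_sign(x, msg):
    """Ordinary single-key Schnorr signature, for comparison."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = schnorr_challenge(R, pow(G, x, P), msg)
    return R, (k + e * x) % Q


def schnorr_verify(y, msg, sig):
    """Accept iff g^s == R * y^e (mod P)."""
    R, s = sig
    e = schnorr_challenge(R, y, msg)
    return pow(G, s, P) == (R * pow(y, e, P)) % P


class Party:
    """One of two signers. Holds an additive key share x_i and never reveals it."""

    def __init__(self):
        self.x = secrets.randbelow(Q)      # key share chosen locally (DKG step)
        self.y_share = pow(G, self.x, P)   # public contribution g^{x_i}
        self.k = None                      # nonce share for the current signing

    def round1(self):
        """Pick a fresh nonce share and publish R_i = g^{k_i}."""
        self.k = secrets.randbelow(Q - 1) + 1
        return pow(G, self.k, P)

    def round2(self, R, y, msg):
        """Partial signature s_i = k_i + e*x_i; x and k are never assembled."""
        e = schnorr_challenge(R, y, msg)
        return (self.k + e * self.x) % Q


def threshold_keygen(a, b):
    """Joint public key y = g^{x_a} * g^{x_b} = g^{x_a + x_b}; nobody holds x."""
    return (a.y_share * b.y_share) % P


def threshold_sign(a, b, y, msg):
    """Two-round 2-of-2 signing; the output is a plain Schnorr signature."""
    R = (a.round1() * b.round1()) % P
    s = (a.round2(R, y, msg) + b.round2(R, y, msg)) % Q
    return R, s
```

The threshold signature verifies with the same `schnorr_verify` as a single-key one, because g^{s_a+s_b} = R_a R_b (g^{x_a+x_b})^e; the verifier cannot tell how many parties signed.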
