Institutional Crypto Trading Is Coming, Is Your Wallet Ready?
Cryptocurrencies are shifting from the obscure dark corners of the web to mainstream press, and soon mainstream institutional investors. Over recent months we’ve seen formal announcements of bank-backed cryptocurrency exchanges from SBI Holdings and Fidelity Investments. We’ve also seen clear signals of intent to offer institutional trading of cryptocurrencies from Goldman Sachs, Morgan Stanley, and JP Morgan. As these brand name financial services companies move into the sector investors will expect the same level of security and bank-backed confidence that they’ve enjoyed with other services from these institutions.
At today’s valuations, the compromise of cryptocurrency exchanges over the past few years have resulted in more than $1.6B in cryptocurrency losses. In most cases the adversaries were external, in other cases they were insiders, in virtually all cases the thefts were facilitated at least in part due to insufficient security of the private keys used to secure cryptocurrencies stored in hot wallets. As cryptocurrencies become traded by institutional investors the stakes will increase and the security requirements for institutional-grade wallet security will rise. Is your exchange or hot wallet service ready to compete in this environment?
Evolving Wallet Security Options
When a cryptocurrency transaction occurs, both the party transferring the coins and the party receiving the coins must share their respective public key addresses to specify the account from which coins are sent and received. The identities of the account holders are not publicly known. These public keys are recorded on the blockchain ledger as part of the indelible transaction record.
Before the transaction can occur, the transferring party must also provide a signature which is generated with a private key, to authorize the withdrawal. If the private key is stolen or copied, an adversary may use it to transfer cryptocurrencies to a different wallet of their choice. Once transferred, the funds are virtually impossible to recover. So effective private key security is paramount for effective wallet security. Fortunately, there are multiple models for key security, with recent new additions to address institutional-grade requirements.
The default wallet security model uses a single signature which is generated by a single private key that is typically stored locally with the hot wallet. This model is effective for administering transactions, however if the wallet is hacked and the key is stolen, the cryptocurrencies can be transferred to another account and are virtually impossible to recover. Similarly, if the key is lost, and the owner failed to separately record and store critical data for key recovery, the cryptocurrencies may become irrecoverable as well. So single-key, single-signature schemes may be convenient, but this model is generally regarded as insufficient for institutional investors dealing in potentially large sums of cryptocurrencies.
MultiSig: Multiple-Keys, Multiple-Signatures
MultiSig is the longstanding multiple keys generating multiple signatures scheme used to provide advanced levels of wallet security. With MultiSig, multiple approvers must sign-off on the transfer of funds from the wallet. The typical MultiSig model works with a two of three construct where three separate parties are designated as approvers but only two of them are required sign to approve a transaction. This allows for multiple party approvals to reduce the potential that a single bad actor (internal or external) could drain an account on their own, and it provides flexibility in the event one of the parties or their device is compromised or otherwise unavailable.
In the case of an institutional-grade exchange, the approvers might be the end user, the exchange, and a trusted third-party service. This model is far more resilient than a single signature model, as a hacker would need to hack at least two different systems to gain control of enough keys to approve a transaction. It also provides higher transaction availability and more reliable key recovery in the event of a system becoming unavailable or a key loss as any two of the three keys may sign for a transaction or authorize the generation of replacement keys.
However, MultiSig has some concerning attributes when used with cryptocurrencies such as Bitcoin:
MultiSig broadcasts the security policy which specifies the hashed public key address of authorized approvers and this information is recorded on the blockchain ledger. Using this publicly available information, a clever attacker may learn more about the identity and role of the signers. This information increases the publicly identifiable attack surface and is generally regarded as increasing the risk for potential hacks.
MultiSig security policy updates are recorded on-chain and must be updated along with the generation of new keys each time an approver is changed, added or deleted. This creates administrative burdens and mandates the change of an account’s public key address each time a change is made. This can be problematic for businesses which prefer to maintain one account that may be referenced by many users and automated systems.
The broadcast of security policy changes each time an account or key is changed also provides an electronic trail of breadcrumbs which can reduce the anonymity of buyers.
For MultiSig, Bitcoin records each of the approver’s hashed addresses on the ledger. This increases the transaction size, resulting in fewer MultiSig transactions per block and increasing the likelihood of higher transaction fees than a single signature scheme. Depending on multiple variables, MultiSig signed transactions may be 19% to 39% larger in size than a single signature transaction. Further insights on transaction efficiency may be found at: https://en.bitcoin.it/wiki/Techniques_to_reduce_transaction_fees
ThresholdSig: Single-Key, Multiple Approving Parties
ThresholdSig is a relatively new single-key, multi-party Threshold Cryptography scheme that has been a subject of study for many years but has only recently become available as a production ready wallet security solution. ThresholdSig appears on the blockchain ledger as a single signature, but it is implemented using multiple approvers similar to MultiSig. It also introduces some entirely new security attributes which mitigate the concerns associated with MultiSig.
ThresholdSig is an abbreviation for Threshold Signatures, meaning that a minimum threshold (t) of a potentially large number of approvers (n) must sign off before a transaction becomes approved. This is similar in concept to the two out of three signatures model described for MultiSig. However, it differs in some important ways.
MultiSig generates a private key for each approver, and the approvers each possess their own unique key. In the typical MultiSig model, this will result in a total of three keys being generated and distributed. In contrast, ThresholdSig uses a mathematical construct called threshold multiparty computation (MPC) to produce multiple shares of a single key, with one share present on each approver’s device.
Generating a key and then breaking it into shares is not a new concept. However, using threshold MPC to locally generate unique key shares on each the approver’s device, without ever generating a whole key is one of the innovations of this form of threshold cryptography. When a transaction approval is requested a minimum of t approver’s devices must be available to provide their respective key shares so that threshold MPC can generate the signing key, without ever combining the key shares into a whole key on any device, at any time. This attribute of never producing a whole key reduces the potential for the key to be stolen. (More information on Threshold Cryptography using MPC can be found here.)
ThresholdSig also differs from MultiSig by taking security policy definition and key management off-chain. This allows for changes to potential approvers as employees enter and leave various roles, and allows for re-generation of key shares, without having to change the public key address. Since the security policies are managed off-chain, there is no need to broadcast and record any changes on-chain. This eliminates the above noted MultiSig concerns #1, #2, and #3 for ThresholdSig.
ThresholdSig also differs from MultiSig in that only one signature is recorded on the ledger regardless of the number of potential approvers, or the number required to achieve the threshold. This enables ThresholdSig to support 2 out of 3, 3 out of 4, or virtually any other t out of n model, without increasing the transaction size on the blockchain ledger beyond that of a more basic single signature transaction. Reducing the transaction size relative to MultiSig means that more highly secured transactions can be processed in a single block, increasing the supported transaction volume. It’s also likely that the transaction fees charged by miners will be lower than MultiSig, as they will appear to the miners as just another single signature transaction. This eliminates the above noted MultiSig concern #4.
Multiple options now exist to support institutional-grade wallet security. In all cases, both MultiSig and ThresholdSig offer substantially higher wallet and cryptocurrency security than basic single signature schemes. In cases such as Bitcoin and others, the different attributes between MultiSig and ThresholdSig can have materially implications regarding security policy privacy, on-chain administration, anonymity, transaction volume, and transaction fees. In other crypto use cases those implications may be more moderate.
Which institutional security approach is right for your wallet, and which will optimally satisfy the requirements of your customers? Now is a good time to step back to compare and contrast the options so you can decide which model is best for your application.
More information on ThresholdSig is available at www.sepior.com.