Sunday, June 9, 2019

Crypto key 'magic'

Coindesk Weekly
for the week ending June 9, 2019

Solving crypto key issues...with crypto(graphy)

Cryptography advances are converging to help developers bring blockchain uses to their core decentralizing principles, writes Michael J. Casey.

Read more in THE TAKEAWAY below.

TOP TRENDS ON COINDESK

Some of the big stories this week on CoinDesk.com...

TAX DAY: The Internal Revenue Service (IRS) – the U.S.’ tax collector – recently announced it would be publishing new guidance on how taxpayers should treat cryptocurrencies. The agency is expected to address a number of outstanding questions, including how investors should value cryptocurrency received as income; how cryptocurrency received as part of an airdrop or a fork should be treated; and how to calculate taxes on cryptocurrency spent. It is unclear when exactly the IRS will publish this guidance, but certified public accountant and author Kirk Phillips said “they may” plan to publish guidance before the extended due date for individual returns on October 15. Full story

JUNE REVEAL: Social media giant Facebook may debut its “GlobalCoin” cryptocurrency as soon as this month. According to a report from The Information on Wednesday, the social media giant could also allow employees to be paid in the token. Other new details on the project, if confirmed, include that Facebook is planning to launch physical portals allowing users to purchase GlobalCoin. External parties may also be invited to participate in the network as nodes for a fee that could be as much as $10 million.  Full story

KIK REVELATIONS: One of Kik’s board members referred to its pivot to crypto as a “hail mary pass,” according to the U.S. Securities and Exchange Commission’s complaint against the messenger app company. The complaint details how and why Kik allegedly launched an unregistered securities sale, noting that it had no revenue, no investors and supposedly knew its (then) pending token sale would violate securities law. That did not stop the company from raising $100 million through its kin token sale, which in turn led the SEC to file a securities violation complaint. Full story

SCALING PUSH: Tadge Dryja, one of the original authors of the paper describing the lightning payments network, has published a research paper outlining a new scaling solution. Released Monday, Utreexo would make the UTXO set, also known as the “state” on bitcoin full nodes, smaller and easier to run. Through the use of cryptographic proofs, nodes would be able to store less data without compromising security, thereby requiring fewer resources. Full story
 

QUOTE OF THE WEEK

“The Kik action is significant because it represents the SEC’s first [contested] enforcement action for a pure regulatory violation – that is, a case where a token issuer simply failed to register with the SEC based on its good faith interpretation of the law.”
– Jake Chervinsky, general counsel at Compound Finance, on this week's lawsuit filed against messenger app maker Kik for its 2017 initial coin offering (ICO). 
 

The Takeaway

 

Advances in cryptography are converging to help developers bring blockchain applications closer to the core decentralizing principles on which this technology is founded.  
 
Inventions such as atomic swaps, zk-SNARKS, and Lightning-based smart contracts are allowing developers to realize the dream of true peer-to-peer transactions in which neither party, nor an outside intermediary, can act maliciously. Witness the rising number of non-custodial and decentralized exchange (DEX) services for trading crypto assets.
 
This is exciting. But it also shines a light on another big problem that has curtailed the widespread adoption of cryptocurrency and blockchain technology: secure key management.
 
For too long, the most reliable means of protecting the private keys that afford the holder control over an underlying crypto asset have been too clunky, insufficiently versatile, or difficult to implement at scale. User experience has been sacrificed in return for security.
 
Now, some big strides in another hugely important field of cryptography – secure multiparty computation, or MPC – point to a potential Holy Grail situation of both usability and security in a decentralized system.
 
A keyless wallet
 
Progress in this field was marked last week by Tel Aviv-based KZen’s public announcement of the specs for its new ZenGo wallet. ZenGo uses MPC, along with other sophisticated cryptographic tools such as zero-knowledge proofs and threshold cryptography, to share signing responsibility for a particular cryptocurrency address among a group of otherwise non-trusting entities.
 
The beauty of the KZen model is that security is no longer a function of one or more entities maintaining total control over a distinct private key of their own – the core point of vulnerability in cryptocurrency management until now. Instead the key is collectively derived from individual fragments which are separately generated by multiple, non-trusting computers.
 
The model draws on the genius of MPC cryptography. With this approach, multiple non-trusting computers can each conduct computation on their own unique fragments of a larger data set to collectively produce a desired common outcome without any one node knowing the details of the others’ fragments. The private key that executes the transaction is thus a collectively generated value; at no point is a single, vulnerable computer responsible for an actual key. (KZen’s site includes a useful explainer on how it all works.)
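To make the idea concrete, here is an added example (not from the column, and not KZen's or Unbound's protocol): a simplified n-of-n Schnorr signature in which each party keeps its own key fragment and nonce and only partial results are combined. The `Party` class, the function names and the toy group parameters are assumptions made for illustration; the group is far too small for real use.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small for real use).
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    """Fiat-Shamir challenge binding the joint nonce, the joint key and the message."""
    digest = hashlib.sha256(f"{R}|{X}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % Q

class Party:
    """One device or server. Its key fragment never leaves this object."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1   # private key fragment
        self.X = pow(G, self._x, P)              # public fragment, safe to share

    def commit(self):
        self._k = secrets.randbelow(Q - 1) + 1   # fresh nonce fragment per signature
        return pow(G, self._k, P)

    def respond(self, e):
        s = (self._k + e * self._x) % Q          # partial signature
        self._k = None                           # a nonce must never be reused
        return s

def joint_public_key(parties):
    # Product of public fragments equals G^(x1 + ... + xn); the sum itself is
    # never computed anywhere. Real protocols also require each party to prove
    # knowledge of its fragment (rogue-key defence), omitted in this sketch.
    X = 1
    for p in parties:
        X = X * p.X % P
    return X

def joint_sign(parties, msg):
    X = joint_public_key(parties)
    R = 1
    for p in parties:
        R = R * p.commit() % P
    e = challenge(R, X, msg)
    s = sum(p.respond(e) for p in parties) % Q   # only partial results are combined
    return R, s

def verify(X, msg, sig):
    """Ordinary single-key Schnorr verification; the verifier cannot tell MPC was used."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P
```

The verifier sees one public key and one signature, which is why this style of signing is not tied to a ledger-specific multisig format. Every party must take part in this sketch; threshold (t-of-n) schemes add secret sharing on top of the same idea.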
 
KZen is not the only provider of MPC solutions for blockchain key management. Unbound, another Israeli company, is going after the enterprise marketplace with its MPC solutions for crypto security.
 
Unbound’s prolific (if blatantly pro-MPC) blog offers different angles on the same argument. It makes a repeated case for why MPC is superior to the two preferred approaches to crypto security of the moment: hardware security modules (HSM), on which hardware wallets like Ledger and Trezor are built, and multi-signature (multisig) technologies, which are favored by exchanges.
 
Attacking the trade-offs
 
If KZen and Unbound are to be believed, MPC solutions resolve both the hot-versus-cold trade-off in key management and the dilemma of self-versus-managed custody.
 
Cold wallets, in which keys are stored in an entirely offline environment out of attackers’ reach, are quite secure so long as they remain in that offline state. (Though you really don’t want to lose that piece of paper on which you printed out your private key.)
 
But bringing them into a transactable, online environment poses an overly cumbersome challenge when you want to use those keys to send money. That’s perhaps not a problem if you’re just a HODLer who transacts rarely but it’s a serious limitation to blockchain technology’s prospects for transforming overall global commerce.
 
On the other hand, hot wallets have, until now, been notoriously vulnerable. Whether it’s the relentless “SIM jack” attacks on people’s phones that are emptying out both hosted (third-party custodial) wallets and on-phone self-custody holdings, retail participants’ horror stories are legion. And, of course, we all know the stories of custodial exchanges being hacked – from Japan, to Hong Kong, to Canada, to Malta.
 
At the same time, the solution that regulated institutional investors are currently seeking – that custodians and exchanges build Fort Knox-like “military-grade” custody solutions – inherently contains a compromise. Not only does this approach fail to resolve the dependence on a third party, but there are serious doubts about whether any such solution can be forever safe from hackers, who are constantly improving their methods for getting over firewalls. In best-case scenarios, the constant IT upgrades become a massive money suck.
 
Alternative to HSMs and multisig
 
None of this is to say that existing security technologies are useless. Ledger and Trezor’s hardware devices – a more nimble form of cold wallet – are widely used by individuals who are uncomfortable with both external third-party custody and online, on-device self-custody wallets. And, separately, multi-signature (multisig) solutions, in which an m-of-n quorum of keys is required to execute a transaction, have proven robust enough to be used by most exchanges.
 
But in both cases, vulnerabilities have been exposed. And to a large extent those risks come down to the fact that, regardless of the surrounding security model’s sophistication, the all-important keys are always sitting at single points of failure.
 
Just last week, researchers demonstrated how they could hack into a remote hardware security module. The irony: the researchers were from Ledger, which relies on HSM technology to secure its customers’ keys. Multisig models arguably offer protections against such attacks, because a breach requires simultaneous control of more than one key held in separate locations, but the fact is that multisig solutions have also failed because of both technical and human vulnerabilities (inside jobs).
 
What’s more, both solutions are inherently limited by the need to customize them to particular specifications or ledgers. Crypto developer Christopher Allen pointed out last week, for example, that HSMs are particularly constrained by the fact that they are defined by government standards. And in each case, the ledger-specific design of the underlying cryptography means there is no support for the kind of multi-asset wallets that will be needed in a decentralized interoperable world of cross-chain transactions.
 
By contrast, KZen is boasting that its key-less wallet will be a multi-ledger application from day one.
 
Challenges and opportunities
 
To be sure, MPC remains unproven in a practical sense. For some time, the heavy resources needed to carry out these network computing functions made it a challenging, costly concept to bring into real-world environments. But rapid technical improvements in recent years have made this sophisticated technology a viable option for all kinds of distributed computing environments where trust is an issue.
 
And key management isn’t its only application for blockchains, either. MPC technology plays a vital role in MIT-founded startup Enigma’s work on “secret contracts” as part of its sweeping plan to build the “privacy layer for the decentralized web.” (An aside: Enigma CEO and founder, Guy Zyskind, is also an Israeli. Israel has fostered a remarkable concentration of cryptographic expertise in this space.)
 
It would be unwise to assume that MPC, or any technology for that matter, will provide a perfect, totally infallible solution to security problems. It is always true that the biggest security threats come when human beings complacently believe security is not a threat.
 
However, if you squint hard enough, and think about how this technology’s prospects for better key management can be married to Enigma’s vision for an MPC-based secret contract layer and to the broader march toward decentralized, interoperable asset exchanges, a compelling vision of true peer-to-peer blockchain-based commerce starts to emerge.
 
At the very least, you need to watch this space.


-- Michael J Casey

 

BEYOND COINDESK...


WIRED: An all-white enclave in South Africa has embarked on a "divisive" experiment with blockchain tech in a bid to gain greater independence from the wider country. As the publication notes, residents of the town of Orania are testing "a beta version of their new crypto token, the e-Ora" using a private network that could one day become public. The idea is that the token can be used for local services via a mobile app.

FORBES: U.K. reality TV star Alex Hobern was successfully able to traverse the world (in 12 days, not 80) using bitcoin and other unspecified cryptocurrencies exclusively, writes Forbes contributor Billy Bambrough. Hobern said he was not familiar with cryptocurrencies prior to his trip, but made the trip as part of the Money2020 Payments Race (which he won). Flights and hotel rooms were the easiest to book using crypto, while trying to spend cryptocurrencies in stores and merchants was a bit more difficult.
 

WHAT WE'VE BEEN UP TO

CoinDesk Meetups will host London Bitcoin Devs on Feb 6. Come and hear Eric Voskuil and James Chiang talk about their work on libbitcoin.

The leader in cryptocurrency news and events, CoinDesk has been following the world's first cryptocurrency closely since its earliest days, and this week, we launched our largest-ever offering – 40 pieces of original content – to mark the historic moment.

An unprecedented project that combines video, audio and text, Bitcoin At 10: Untold Stories is filled with history and reflections from scores of early adopters, evangelists and insiders, allowing you to relive the crypto revolution with a front-row seat.

Bitcoin at 10: Untold Stories includes...

VIDEO: A tipsy history with the man who coined the term 'HODL,' the bitcoin buzzword that's become a rallying cry throughout the crypto industry.

MEAN TWEETS: Bitcoin's biggest celebrities reading the pointed words of those who love to hate them on Twitter.

AUDIO: An interview with the man who has watched bitcoin die more than 300 times... and lived to tell the tale.

SPECIAL REPORTS: Deep dives into the stories that led to the creation of bitcoin's core technological innovations and the sometimes mysterious figures behind them.

LISTS: What are the best bitcoin memes? The best entries in its sprawling community lexicon? We'll be counting down the best of the decade.

But this is just the beginning. In the weeks and months ahead, we'll be publishing even more articles, videos and audio segments that put a spotlight on bitcoin, the world-changing software project that started it all.

FOLLOW OUR FEATURE: #BitcoinAt10 and view the series here.

We also recently launched a new Twitter feed, @CoinDeskMovers, documenting significant hires, departures and executive searches in the blockchain and crypto space. If you just got a new job in the industry, if you're hiring or you want to share a tip on a major personnel move, send the account a direct message or email marc@coindesk.com
 

Thanks for reading!
Copyright © 2019 CoinDesk, All rights reserved.
