Digital Asset Custody Explained: “Hardware Security Modules vs Multi-Party Computation”

Choosing a custody solution to protect your digital assets can be challenging. Today, there are many different approaches to security being used by custodians; some follow recognised standards, and some are more experimental. We speak with James Byrne, Chief Technical Officer of Digivault, to gain a better understanding of the different custody solutions available and how they work to protect digital assets.

What are the main challenges for investors with holdings in digital assets?

Over the last decade, the digital asset industry has grown significantly. The most common concern investors have is how best to prevent losses from cyber theft and hacks. As a result, we are seeing more and more institutional investors demanding greater security and protection for their digital assets.

How do digital asset custodians solve those challenges?

The main responsibility of a digital asset custodian is to protect the private key(s). A private key is a unique alphanumeric string that represents the ownership of a digital asset. It’s important to protect private keys because they create cryptographic ‘signatures’ that execute instructions to transfer assets on behalf of the client to other holders. Each custodian should protect the private keys from theft, copying or duplication, and from being lost, stolen or damaged. In addition, a custodian should ensure that private keys are only used for transactions that have been approved by the client and that strictly follow the terms and conditions (i.e., daily withdrawal limits, pre-defined transfer amounts, etc.) set by the client.

What are the most common types of custody methods?

Two of the more common custody approaches are:

1. Hardware Security Modules (HSM)

An HSM approach means using hardware devices to create and store the private key. HSMs comply with a number of internationally recognised standards that verify the secure creation and storage of private keys, principally the international government standard FIPS 140-2[1]. These recognised standards have been widely used in the commercial and military sectors for decades.

2. Multi-Party Computation (MPC)

An MPC[2] approach uses partial signatures or Paillier signatures[3] — a set of mathematical computations — to split the private key into separate parts. The various parts of the key are stored on separate devices held by the client or his/her authorised personnel. These devices are less protected than an HSM; MPC assumes that protection comes from the dispersion of the parts and that there is no single point of failure. MPC is a new and recent commercial application of a branch of mathematics.

How does each method work to protect private keys?

HSM solutions follow international government standards such as FIPS 140-2, which were created specifically to address the problem of protecting private keys. They have been tested and used across a diverse range of industries for nearly 20 years. HSMs use both tested hardware and software protection layers to safely generate and store private keys. There are also well-established laboratory testing programmes to validate that HSM equipment meets these recognised standards and can be successfully integrated into real-world industry applications and production processes.

If a custodian is using an HSM, we recommend that it be certified to at least FIPS 140-2 Level 3. This means it has a physical protective barrier around its processors and memory, so that in the event of a physical security attack the HSM will self-erase, preventing the loss of keys.

MPC solutions use relatively new mathematics to create a signature from separate parts of the private key without re-assembling them. The main assumption behind the MPC approach is to avoid storing a private key entirely within a single location or device. Although each MPC device that stores part of the split key may be less heavily protected than an HSM, it would be harder to steal several devices than to compromise a single whole key.
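The idea of producing a signature from separate key parts without ever assembling the key can be seen in a small two-party Schnorr signing routine. This is an added illustration, not Digivault's code or a production MPC protocol (real deployments use large elliptic-curve groups, hardened nonce generation and a proper threshold scheme); the group parameters P, Q and G, the ShareHolder class and the shares themselves are constructed for the demo. Each device only ever computes with its own share x_i and nonce k_i, yet the combined (R, s) verifies under the ordinary single-key Schnorr equation.

```python
"""Two-party threshold Schnorr signing with additive key shares.

Added illustration, not Digivault's code or a production MPC protocol.
Device A holds x1 and device B holds x2; the full key x = x1 + x2 (mod Q)
is never assembled anywhere. The group below is constructed for the demo
and is far too small for real use.
"""
import hashlib
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (constructed toy parameter)
Q = 509    # prime order of the signing subgroup
G = 4      # 4 = 2^2 is a quadratic residue mod P, so it has order Q


def challenge(r: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || m), reduced into Z_Q."""
    digest = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q


class ShareHolder:
    """One custody device holding a single additive share of the private key."""

    def __init__(self, share: int):
        self._share = share % Q                    # secret: never leaves this device
        self.public_part = pow(G, self._share, P)  # y_i = g^{x_i}, safe to publish

    def commit(self) -> int:
        """Round 1: choose a fresh nonce share k_i and publish R_i = g^{k_i}."""
        self._nonce = secrets.randbelow(Q - 1) + 1
        return pow(G, self._nonce, P)

    def partial_sign(self, e: int) -> int:
        """Round 2: s_i = k_i + e*x_i mod Q, computed only from local secrets."""
        s_i = (self._nonce + e * self._share) % Q
        del self._nonce                            # nonce is single-use; reuse leaks x_i
        return s_i


def combined_public_key(parties) -> int:
    """y = prod y_i = g^{x1 + x2}; nobody needs to know x1 + x2 to compute it."""
    y = 1
    for party in parties:
        y = (y * party.public_part) % P
    return y


def threshold_sign(parties, msg: bytes):
    """Run the two rounds and combine the partial signatures into (R, s)."""
    r = 1
    for commitment in (party.commit() for party in parties):
        r = (r * commitment) % P                   # R = prod R_i = g^{sum k_i}
    e = challenge(r, msg)
    s = sum(party.partial_sign(e) for party in parties) % Q
    return r, s


def verify(pub: int, msg: bytes, sig) -> bool:
    """Standard Schnorr check g^s == R * y^e, identical to single-key signing."""
    r, s = sig
    e = challenge(r, msg)
    return pow(G, s, P) == (r * pow(pub, e, P)) % P


def demo():
    """Sign with two devices; return (signature valid?, tampered copy valid?)."""
    dev_a = ShareHolder(secrets.randbelow(Q - 1) + 1)   # constructed shares
    dev_b = ShareHolder(secrets.randbelow(Q - 1) + 1)
    pub = combined_public_key([dev_a, dev_b])
    msg = b"constructed client instruction: transfer 1.5 units to approved address"
    sig = threshold_sign([dev_a, dev_b], msg)
    tampered = (sig[0], (sig[1] + 1) % Q)
    return verify(pub, msg, sig), verify(pub, msg, tampered)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The verifier never learns that two devices were involved: the public key and signature look exactly like those of a single signer, which is why the interview can say the key is used without being re-assembled. The two rounds (commitments, then partial signatures) are also the communication the MPC answer below refers to; every signature needs all share holders online for both.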

How does each custody method validate client approvals and follow agreement terms?

HSMs themselves do not provide built-in capabilities for validating client approvals or enforcing the terms and conditions (i.e., daily withdrawal limits) set by the client. A good custody solution can provide these functions using software deployed alongside or within the HSM technology. The software allows for greater flexibility on the approval structures and will check if transactions comply with pre-set daily limits.

With the MPC solution, the split key does not need to be re-assembled to validate a client instruction, but all the parts need to communicate with each other. The private key is split into parts in such a way that it can only be used if the approvers use their parts of the key. The approval structure can be complex with MPC, and there are some constraints on scaling: all devices that hold parts of the key must communicate with each other multiple times, and this grows exponentially with an increased number of devices. In addition, MPC does not provide the capability to enforce transaction limits; these need to be checked using software deployed in addition to the MPC protocol.
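Both answers above say that client approvals and daily withdrawal limits are enforced by software sitting beside the signer, whether that signer is an HSM or an MPC quorum. The following policy gate is an added example of what that software checks before an instruction is released for signing; it is not Digivault's software, and the Policy and Transfer classes, the PolicyGate name, the 24-hour rolling window and the sample limits and addresses are assumptions made for the demo.

```python
"""Policy gate: client approvals and daily limits enforced beside the signer.

Added illustration, not Digivault's software. Whatever signs (an HSM or an
MPC quorum) only sees an instruction after this gate has released it. The
class names, the 24-hour rolling window and the sample values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference time so runs and checks are deterministic.
BASE_TIME = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def hours_after(hours: float) -> datetime:
    """Timestamp `hours` after BASE_TIME (helper for the demo)."""
    return BASE_TIME + timedelta(hours=hours)


@dataclass(frozen=True)
class Policy:
    required_approvals: int          # M-of-N quorum size agreed with the client
    approvers: frozenset             # identities whose approval counts
    daily_limit: int                 # rolling 24h ceiling, in smallest asset unit
    allowed_destinations: frozenset  # client-registered withdrawal addresses


@dataclass
class Transfer:
    tx_id: str
    destination: str
    amount: int
    approvals: set = field(default_factory=set)   # who has signed off so far


class PolicyGate:
    """Checks every instruction against the client's terms before signing."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self._released = []   # (release time, amount) of transfers sent to the signer

    def spent_in_window(self, now: datetime) -> int:
        """Total already released in the 24 hours before `now`."""
        window_start = now - timedelta(hours=24)
        return sum(amount for when, amount in self._released if when > window_start)

    def evaluate(self, tx: Transfer, now: datetime) -> list:
        """Return the list of policy violations; an empty list means it may proceed."""
        reasons = []
        valid = tx.approvals & self.policy.approvers   # unknown approvers never count
        if len(valid) < self.policy.required_approvals:
            reasons.append(f"approvals {len(valid)}/{self.policy.required_approvals}")
        if tx.destination not in self.policy.allowed_destinations:
            reasons.append("destination not whitelisted")
        if tx.amount <= 0:
            reasons.append("non-positive amount")
        elif self.spent_in_window(now) + tx.amount > self.policy.daily_limit:
            reasons.append("daily limit exceeded")
        return reasons

    def release(self, tx: Transfer, now: datetime):
        """Record the release only when every check passes, so the limit stays accurate."""
        reasons = self.evaluate(tx, now)
        if reasons:
            return False, reasons
        self._released.append((now, tx.amount))
        return True, []


if __name__ == "__main__":
    # Constructed policy and instructions for a quick run.
    policy = Policy(2, frozenset({"alice", "bob", "carol"}), 1_000_000,
                    frozenset({"client-cold-address-1"}))
    gate = PolicyGate(policy)
    first = Transfer("tx-1", "client-cold-address-1", 600_000, {"alice", "bob"})
    second = Transfer("tx-2", "client-cold-address-1", 500_000, {"alice", "carol"})
    print(gate.release(first, hours_after(0)))   # (True, [])
    print(gate.release(second, hours_after(1)))  # (False, ['daily limit exceeded'])
```

Two design points matter for custody: the gate records a transfer as spent only after it has passed every check, so a rejected instruction cannot consume the client's limit, and approvals from identities outside the agreed approver set are simply ignored rather than counted.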

What happens when a private key is lost or damaged? Is there any backup?

HSMs have well-established built-in mechanisms for backing up keys. Typically, the HSM will generate a backup key that is encrypted. Reading the backup requires the physical presence of multiple HSM smart cards. An HSM smart card looks similar to the smart chip on a credit card but is more secure and cannot be duplicated. The ‘backup’ smart cards are securely stored across separate physical locations.

With MPC solutions, backups are more challenging because the parts of the private key are distributed across multiple devices. Backing up a private key on MPC requires many steps and encryption. First, the MPC would need to create a backup encryption key in order to use or read the backup, and store a copy of that encryption key in a safe location. The MPC devices would then need to communicate with each other to construct and encrypt a backup of the key, and one of the MPC devices would need to write the backup out as a file. Finally, this file would need to be stored in a safe location separate from the encryption key. There are often concerns about the consistency and usability of the key backup because so many key parts and MPC devices are involved.
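The two backup answers share one requirement: the secret that unlocks a backup (the HSM's smart-card set, or the MPC backup encryption key) must only be recoverable by a quorum, and a restore must be checkable before anyone trusts it. The routine below is an added example of that pattern using Shamir secret sharing over a prime field; it is not vendor code, and the field prime, the share layout and the fingerprint scheme are assumptions made for the demo. It goes slightly beyond the text by showing the consistency check the MPC answer says is often a concern: a restore from a corrupted or incomplete share set is reported as unusable rather than silently accepted.

```python
"""Quorum-protected backup of a backup encryption key via Shamir secret sharing.

Added illustration, not vendor code. The key is split into n shares of which
any k reconstruct it and fewer reveal nothing; a fingerprint stored with the
backup lets a restore be checked before it is trusted.
"""
import hashlib
import secrets

PRIME = 2**521 - 1   # Mersenne prime; every 32-byte key is a valid field element


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of a polynomial with coefficients in GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, k: int, n: int):
    """Return n (index, share) pairs; any k of them recover the key."""
    secret = int.from_bytes(key, "big")
    if secret >= PRIME or k < 1 or k > n:
        raise ValueError("key too large or bad threshold")
    # Degree k-1 polynomial with the key as constant term and random other coefficients.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_key(shares, k: int, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x = 0 using exactly k distinct shares."""
    shares = list(shares)[:k]
    if len(shares) < k or len({x for x, _ in shares}) < k:
        raise ValueError("quorum not met")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = (num * (-xm)) % PRIME
                den = (den * (xj - xm)) % PRIME
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    if secret.bit_length() > key_len * 8:
        raise ValueError("reconstruction out of range")   # corrupted share set
    return secret.to_bytes(key_len, "big")


def backup_fingerprint(key: bytes) -> str:
    """Digest stored alongside the backup so a restore can be verified."""
    return hashlib.sha256(b"backup-kek-v1" + key).hexdigest()


def restore_and_check(shares, k: int, fingerprint: str):
    """Reconstruct from a quorum; return (key or None, matches stored fingerprint?)."""
    try:
        key = recover_key(shares, k)
    except ValueError:
        return None, False
    return key, backup_fingerprint(key) == fingerprint


if __name__ == "__main__":
    kek = bytes(range(32))                    # constructed backup encryption key
    cards = split_key(kek, 2, 3)              # e.g. three smart cards, any two suffice
    fp = backup_fingerprint(kek)
    print(restore_and_check(cards[:2], 2, fp)[1])   # True
    print(restore_and_check(cards[:1], 2, fp))      # (None, False)
```

The fingerprint is a keyed-prefix SHA-256 of the reconstructed key, not of the backup file, so it confirms that the quorum recovered the right unlocking key before that key is ever used on the encrypted backup. Which cipher protects the backup file itself is outside this example.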

What advice would you give to those looking for a custody solution?

There are many old and new approaches to protecting digital assets. The MPC approach remains comparatively unproven in a practical sense and is based on a new type of advanced mathematics. HSM solutions, on the other hand, have been tested and deployed in commercial and military sectors for decades. We believe investors should better understand the different custody methods, analyse some real case examples and seek proof of industry recognised standards when choosing a custody approach.

[1] The U.S. Federal Information Processing Standard (FIPS) 140-2 is a governmental security standard used to approve cryptographic modules.

[2] A multi-party computation is a type of cryptographic method for parties to jointly compute a result using a set of inputs while keeping those inputs private.

[3] The Paillier cryptosystem is a probabilistic asymmetric algorithm for public-key cryptography.