Create Gluon_decentralized_hardware_crypto_wallet_services.md

[kevingzhang]

Grant Application Checklist

• The application-template.md has been copied, renamed ( "project_name.md") and updated.
• A BTC address for the payment of the milestones is provided inside the application.
• The software of the project will be released under the Apache license version 2.0 as specified in the terms and conditions.
• The total funding amount of the project is below CHF 30k at the time of submission.
• The initial PR contains only one commit (squash if needed before submitting your PR).

[Noc2]

Thanks for the application. It looks like you put a lot of effort into it, but to be honest I have a lot of concerns regarding the sharing of private keys. There are a lot of things that could go wrong (e.g. hardware, software or sybil attacks). I personally think that the combination of the Recovery Pallet with a nicer UI and promotion might be a better approach. Would you be interested in working on something like this? Regarding the application itself, it would be nice if you could focus on KSM or DOT instead of BTC.

[kevingzhang]

---

Hi David, thank you for your comments. Your concerns are absolutely within my expectation. Believe it or not, almost everyone asked the same questions when they heard our project for the first time. Bear with me, and my answers could be pretty long.

Before answering your concern, we decided to focus on DOT as our first protected cryptocurrency instead of BTC. We will use Recovery Pallet as designed before but much more.

Please stay calm and read till the end. I bet you are not wasting your time by reading the detail, considering we have spent years on this project dealing with all possible attacks.

---

Since you have not specified which attack you care about the most, I would like to explain most attacks we have dealt with. 

Hardware

TEE is the most common solution for trusted computing. Although there are side-channel attacks that exist, I still consider it one of today's best solutions. We choose a very different approach not because TEE is not secure, but trying to make it a much larger scale.

---

You can see the differences from the diagram above.
Instead of putting a secured enclave into (part of) a computer, we put a minimized computer into a secure enclave. This enclave is an HSM (hardware secure module, such as a hardware crypto wallet). Since it is a minimized computer, code can run at a native speed without frequent encrypt-decrypt between trust and non-trust zone. Data only need to encrypt when leaving the mini computer. 

Is the TCB(Trust CodeBase) too big to protect?

Inside our HSM, there is a "minimized" computer. This computer is not a general-purpose computer like a PC or Mac. It is more like a hardware crypto wallet that can do much more. We are developing a special-purpose Linux OS with one goal - securely loading the waSCC (wascc.dev) based WebAssembly runtime. Everything else not related was ripped off. For example, the keyboard, mouse, video, USB are all gone. The only external IO is the Ethernet. The final product could have only one power port, one RJ45, and one LED, nothing else. A "so-called" black box. (Can we still call it a Tea Box?)
All custom code and some system code are running inside the wasm running. WebAssembly is a better isolation solution for both performance and security. Code running inside wasm runtime can hardly do any damage to the system. We also have TPM to check and load trusted wasm modules that have been verified by blockchain consensus. 
As a black box with minimized OS and minimal outside interface, the most effective network attack could be DDoS and Sybil attacks. I will explain those in later sections.
If anything is modified within the HSM, no matter it is a file change in the OS or a UEFI hash not matching. The TEA node cannot pass the blockchain consensus verification and is isolated from the rest of the network. The TPM guarantees this.

Is TPM secure?

TPM protects the box itself with the self-destroy feature, which will be trigger by brutal break activities. Once destroyed, no data can be recovered. To do this, there is a backup battery installed.
TPM is nothing new. The computer you are using right now has one TPM chip on the motherboard. The technologies have been with us for almost 20 years. We did not pay enough attention until it jump front to stop us from doing some "funny" things. This is exactly how MS Windows or Apple knows you or a virus changed the BIOS/UEFI/Bootloader and refused to boot the OS. (Note: Apple is using similar technology but not directly follow the TPM standard from Trust Computing Group TCG) 
We used TPM to generate the hashes of all loaded components and stored them into PCR. Those hashes and all runtime check-ups are all called PoT data(Proof of Trust), stored on the blockchain and sent to verifiers upon consensus request. Our consensus (also called PoT: Proof of Trust) determines a TEA node is running well or compromised. Compromised nodes will be highlighted on the chain and quarantined from the rest of the good network. There will be a financial penalty for attacking or bad maintenance caused compromise. We will explain the financial part later.

Is the hardware expensive? Can I utilize my existing computer as a mining machine?

TPM itself is very low tech and low power chip. Since our code runs at native speed. There is no performance penalty on security caused by cryptography. Any computing device can be used as a TEA mining machine as long as it can install TPM and provide PoT to get verified by blockchain consensus. 
We are using Raspberry pi with a Nations Tech TPM as our testing machine. The Pi cost about $30, the TPM may cause less than $10 retail (probably $1 if OEM). The most expensive part is the custom made enclosure box. Of course, the box is just a rigid box that looks cool, nothing related to technology. Since we do not need HDMI, USB, GPU, Audio. If we can mass-produce such an ARM-based mining machine, the cost could be less than $20 per unit. Compare with the basic Bitcoin miner machine today, see the price gap.
Of course, you can run TEA on high-end computers to make more profit in the competition. Or special-purpose computing devices to run special tasks that require such hardware capabilities. An AI machine with TPUs, an FPGA hardware algorithm accelerator, or some IoT devices equipped with a temperature sensor and GPS. The price varies but not because of TEA.
Your existing or retired desktop can be used as a TEA mining machine too. It will need to run the mini OS. It can no longer be used as a regular computer. It turns into a black box that makes money for you. 

Hardware performance compare with today's blockchain

If we pick any task that today's highest performance blockchain can do and run it on the $20 Raspberry Pi TEA mining machine, you will find it runs much faster! This is not magic. The only reason that our consensus - PoT goes a very different approach. We do not consent to the result but the execution environment. This is similar to TEE, such as Intel SGX. The differences are that we need consensus on the blockchain, but Intel is centralized. If you trust Intel, everything goes smoothly. We do not require you to trust anyone but the blockchain consensus. 
If you watched our milestone 1 demo video, demo youtube video https://youtu.be/6GYwrITSfJo you would see we run a Tensorflow AI algorithm to recognize a picture of a lion on our blockchain. You know it is tough for a regular blockchain to run an AI algorithm. We have made it. 

Fake TPM

Every TPM has an endorsement key burned into the chip when manufactured. Unless the manufacture intended to produce faked TPM chips, it is almost no way to fake TPM chips. This is almost like the Ledger makes hardware wallet with malicious code built-in, or Intel makes CPU with a backdoor to steal user secret. I highly doubt this would happen.

Software

Once your TEA node starts running, you still physically own it, but technically you do not. The TEA consensus fully controls the node. The consensus decides what code to be installed, run, or removed on your node. Any attempt to alter the hardware or software will cause the node quarantine and loss of your deposit and credit score. 
The software is carefully designed to use many zero-knowledge and modern cryptographic algorithms to increase the cost of a successful attack. The full design doc could be very long. I will list a few examples to explain.

Delegation Chain

No one knows what task is done by which node. We designed "Delegation Chains" to scrambled or encrypted such knowledge. From outside of the HSM, we can only see encrypted traffic in and out from a TEA node to other TEA nodes. There is no way to determine if a TEA node is running a valuable task. Even the size of traffic and destination IP address won't expose too much useful information. By doing this, attackers can hardly distinguish the high-value targets from those idle ones. In most cases, we run BFT or similar consensus for higher-value tasks. Even some TEA nodes are compromised and not quarantined in time, the damages and chances are minimal. This knowledge will be released to the public only when tasks are done and posted on the blockchain. At that moment, all traces have been wiped out. There is no value to attack an empty node. Use the Gluon Wallet as an example: Assuming there are thousands of nodes running. Unless you can hack into 2/3 of those nodes simultaneously, you probably won't get any useful data. Given all TEA nodes are running different hardware architectures, it is not that easy to find a common vulnerability. 

Never Store Secret Persistently

The TEA node HSM does have storage (SD, SSD, HD), but only executable code and non-secure temp data are allowed to save to the storage. All secrets will stay in the RAM of all running nodes. It can transfer between TEA nodes when encrypted. When entering the destination node, the secret is encrypted and stored in RAM only. When any reason causes the TEA node to lose power, no secret remains in this hardware unit. It needs to run the secure "Repin" protocol to reconstruct the secret from other healthy nodes. Because every secret has many replicas on many "repin nodes" at any given time, there is a meager chance that a secret is lost forever. This design eliminates the chance that any secret is stored in an abundant hard drive. 

Network

We currently run our network communication based on the IPFS libp2p protocol. We choose Libp2p because we happen to use IPFS as our blob data storage. The communication between TEA nodes is end-to-end encrypted. No matter IPFS nodes, or any sniffer will get the content. A nonce is also used to defeat man-in-the-middle attacks.

DDoS

From my point of view, DDoS or Sybil attacks can never be avoided in the long run. What we can do is duplicate. There will be many TEA nodes running in the network. From the outside world, due to zero-knowledge protection, they all look the same. It is tough to identify any valuable target to attack. As long as less than 1/3 TEA nodes down due to DDoS, our network won't get affected.

Sybil Attack

TEA nodes only talk to other verified TEA nodes. Based on the TPM hardware protection mentioned above, a bad actor cannot pass the remote attestation unless more than 2/3 TEA nodes are compromised. Although TEA node is generally less expensive, getting a piece of hardware won't cost much, but having it pass remote attestation is not an easy job.

Code Injection

If attackers try to convert a good node into a bad actor, the only way is to inject malicious code or alter existing code. This will cause the chained-up hash value mismatch with PCR records, therefore cause the remote attestation failure. The only way to pass remote attestation with compromised code is to hack the TPM chip. TPM is designed to be very simple and stable. It is not too much to be hacked in such simple silicon. 

Gluon Wallet Specific Concerns

Among all TEA projects, Gluon is one of the simplest. It sounds scary because it stored private keys. However

• We use the Shamir Secret Sharing Schema to split the private key into pieces. Each piece store as multiple replicas in many distributed nodes. No one outside of TEA HSM knows which node stores which pieces of which private key. 
• Due to replicas, it is unlikely of all replicas of k in n pieces are lost. 
• Key generation and reconstruction are done within an unpredictable TEA node. No one knows when and where it is reconstructed and sign the transaction. Please refer to the zero-knowledge session above.
• For the social recovery feature. Who are assigned recovery friends is also zero-knowledge to the outside world until the social recovery actually happens. Once it happens, it is released to the public. Because social recovery is a one-time-use disposable solution, it doesn't matter release to the public. Of course, we will suggest the user choose other friends to recover his new account.
• We are researching the replacement of the Shamir algorithm. So far, we did not find a high-performance algorithm yet. We can replace it once we find one. As long as we can find a higher performance BLS, Unbounded similar algorithm can be used practically. We will eliminate the only change to reconstruct the private keys to be much more secure.

Principles

We know no one can design 100% secure system. We are doing to reduce the benefit as well as increase the cost of attack so that economically hacking TEA project is not profitable.

---

There are too many design details to be explained here. If you have more specific concerns, we can continue the discussion. I hope we can find any threat model out of my preparation to improve our security design. I hope my explanation can make you less stressed about Gluon Wallet Project.
Thank you very much

[Noc2]

Thanks for the detailed reply. The application still mostly mentions BTC in the milestones. Could update this with DOT? What do you mean with zero-knowledge and modern cryptographic algorithms to increase the security or “zero-knowledge protection”? Implementing zkps correctly is already not an easy task and can open a lot of attack vectors. What’s so difficult about the “remote attestation” that prevents sybil attacks? Let me also share this application with Robert Hambrockwho might have additional input.

[kevingzhang]

Thank you for your quick feedback. I just updated BTC to DOT and other small changes. Let me explain your concerns one by one.

What do you mean with zero-knowledge and modern cryptographic algorithms to increase the security or "zero-knowledge protection"? Implementing zkps correctly is already not an easy task and can open a lot of attack vectors.

---

ZKP is not an easy task for sure. However, like we did to improve our consensus by introducing hardware as a new Root of Trust, we did the same to zero-knowledge protection. BTW, our ZKP means zk protection, not zk proof as ZKSNARK did, although we need proof as well.

On the one hand, because we use hardware to protect the secret, we can assume what happened inside the hardware enclave is secure. So we do not need complex algorithms to prove something without knowing the content, which is the hardest part of traditional zkp, but we luckily do not need it. We only need to protect the content when the secret leaves the enclave and stored publicly on the blockchain. This task is much easier.

We will not store any secret on the open blockchain. We store a hash of a secret, a signature, or an encrypted text while keeping the key inside TEA nodes (enclave as usually called). If Alice wants to know if Bob has a secret, she asks Bob to send the secret to any TEA node to run a SHA256 or signature verification algorithm inside. Because the TEA node is trusted, it can tell Alice that the hash matches or signature verified. Alice doesn't know what happened inside the TEA node, so she doesn't know Bob's secret. Of course, the trusted node is the mutually trusted party between Alice and Bob. Both Alice and Bob can trust the TEA node due to the PoT consensus I mentioned in my previous comment.

On the other hand, we use a lot of one-time-use disposable proof stored temporarily in the blockchain. Just like the commonly used "nonce," once the evidence is verified, it is useless. One example is in the social recovery feature. The sequence of the friends to sign the recovery transaction is one of the secrets. Once the transaction is approved, the secret open to the public in the blockchain. However, since all assets have been relocated from the old account, it doesn't matter if this secret is no longer secure. I can give another example—the fact of which node is selected as the "Executor" processing a valuable task is a secret. It could be vulnerable if attackers know this secret when the node is running this valuable task. This secret is kept unknown until the job is completed. At that moment, this secret is open to the public on the blockchain so that everyone can verify if it is a valid transaction. Since it has been completed, there is no value in attacking this "Executor" node at this moment.

Regarding the modern cryptographic algorithms, we mean Shamir Secure Sharing Schema and newer BLS(https://en.wikipedia.org/wiki/BLS_digital_signature#:~:text=A%20BLS%20digital%20signature%E2%80%94%20also,that%20a%20signer%20is%20authentic.&text=of%20the%20pairing)%2C%20allowing%20shorter,a%20similar%20level%20of%20security.), and Fast Secure Multiparty ECDSA (https://dl.acm.org/doi/10.1145/3243734.3243788). We are currently implementing Shamir Secure Sharing in our plan while researching new alternatives. Shamir Secure Sharing is very fast but has its limitations. Others have performance concerns, even running in native speed.

The Shamir Secure Sharing Schema can split a private key into n pieces while k of n pieces can rebuild the private key. The k of n threshold makes protection robust while remaining secure.

What's so difficult about the "remote attestation" that prevents Sybil attacks?

---

In our p2p communication protocol, TEA nodes only talk to other verified TEA nodes. If an attacker wants to run a Sybil attack, he needs to own or control a number of verified TEA nodes and run a modified version of the software inside those nodes. When a TEA node( a testee) trying to handshake with another TEA node (a tester), the tester will ask the testee to send TPM stored PCR hashes for verification. TPM's hardware key signs the PCR hashes so that no one can fake such a signature. The tester first verifies the TPM's signature using TPM's public key stored in the blockchain, then rebuild the "Trust Chain" (see http://teaproject.org/#/doc_list/%2FWhat_is_TEA%3F%2FTEA_vs_Trusted_computing.md ) locally using the testee's open "claims" held on the blockchain. The verifier compares the locally rebuilt Trust Chain hashes with the testee's TPM's PCR hashes. If they do not match, then the testee's is compromised. The verifier will send a "Remote Attestation Result" transaction to the blockchain. The blockchain then runs a consensus with multiple such transactions to decide if the testee is a bad actor. The owner of such a compromised TEA node will lose his credit score accumulated over the years and an amount of security deposit. All of these come at a considerable cost.

Because selecting verifiers is a verifiable random process, attackers have to control over 2/3 nodes to collude. As long as we can maintain the birth rate (http://teaproject.org/#/doc_list/%2FBusiness_model%2FBirth_control.md) at a healthy level, we could keep a reasonable high cost to prevent Sybil attacks.

BTW, I am pleased to answer your questions. By doing this, not only us but other community members to understand Gluon and TEA Project better. Also, welcome @Lederstumpf to join our conversation. Please leave your concerns, and I am happy to answer too.

[kevingzhang]

See Vitalik is talking about the crypto wallet too. The same idea as Gluon
https://getpocket.com/redirect?url=https%3A%2F%2Fvitalik.ca%2Fgeneral%2F2021%2F01%2F11%2Frecovery.html

[kevingzhang]

Are there any more changes requested?

[Noc2]

Thanks again for the update. Why did you increase the BTC price? Could you share some previous work regarding zkps? I will share your application with the rest of the team, but I personally still have a lot of concerns about your project. The recovery pallet has the great advantage that you don’t need to share a private key in the first place (something ethereum doesn’t have).

[kevingzhang]

Thanks again for the update. Why did you increase the BTC price? Could you share some previous work regarding zkps? I will share your application with the rest of the team, but I personally still have a lot of concerns about your project. The recovery pallet has the great advantage that you don’t need to share a private key in the first place (something ethereum doesn’t have).

When I submitted the application, the BTC price was about 40k that day. but after a few days when I commit the first update, the BTC price dropped to about 30k. That's the reason I adjust the cost.

Could you share some previous work regarding zkps?

Because we use the hardware root of trust, we do not need traditional zero-knowledge proof, but zero-knowledge protection. zero-knowledge proof doesn't require a secured enclave to protect. We can just use regular cryptography inside a secure enclave to protect the security so that it is zero-knowledge to the outside world. I have a few examples(;

1. It is in our current TEA project's first milestone demo. If you run the demo, you can see it work. It is about showing proof that a pinner owns a deployment. It happens when a "repinner" trying to repin a deployment from someone claim to own the deployment pin_key. Deployment pin_key means a key to the corresponding encrypted IPFS object. The pinner cannot show the pin_key to the "wanna-be" repinner but still need to prove it has the pin_key. When the delegator generates the pin_key, it also generates an SR25519 key pair. The public key is called deployment_id which is openly stored in the blockchain. The private key is called deployment_key which is kept as a secret. When sending pin_key to a new repinner, both the pin_key and deployment_key are sent together. So whoever owns the pin_key also owns the deployment_key. The deployment_key is the private counterpart of the deployment id (the public key of this deployment that they both know). In this case, the repinner just needs to send a nonce and ask the pinner to sign using the deployment_key to approve he actually owns the deployment_key. This is how TEA distributes pin_key across the network. This workflow is the main part of the delegation chain.
2. In the Gluon project, when a user generates a tx in the web client but needs to verify using his paired mobile app, the mobile app needs to prove to the blockchain that it actually scans the QR code from the WebClient but cannot let WebClient send the full content of the tx to the blockchain before signing. The simple solution is that the WebClient sends the hash of tx to the blockchain. Then show the full content of tx in the QR code. There is a nonce in the tx. The mobile app scans the QR code shown on the WebClient. So the mobile app has both the full content of the tx including the nonce. The mobile app signs the transaction using its own P1, then commit to the blockchain. The blockchain receives the signature and full content of tx and the nonce. It is very easy for the blockchain to verify by hash the tx with nonce if it matches the hash of tx sent from the WebClient. Because the nonce only shows on the screen, no one else can guess without physically see on the screen.

Both algorithms are just regular SR 25519 and SHA256 not some complex ZKSNARK like algorithm. It is inside some commonly use rust crates. Once the hardware root of trust is in use, a lot of complex algorithms become super simple.

I will share your application with the rest of the team, but I personally still have a lot of concerns about your project. The recovery pallet has the great advantage that you don’t need to share a private key in the first place (something there doesn’t have).

Please feel free to share your concern and I am happy to answer all of them. We will use a social recovery pellet in our Gluon. We design the same feature long before I heard Polkadot has such a pellet. However, having such a social recovery pellet doesn't replace our design to generate and reconstruct private keys inside a secret enclave. The reasons are:

1. Social recovery pellet only works in Polkadot, just like Argent only works in ETH. Gluon is designed to work with all blockchain platforms as long as they support multisig. One example is we can support BTC.
2. Concerns regarding the private keys should be solved by replacing Shamir Secure Sharing Schema with newer algorithms such as BLS. We are doing a search on this. It works now, just too slow. We also trying another newer algorithm which is supposed to be faster, but not done yet. Those new algorithms do not need the private keys to be reconstructed anywhere. So you won't have concerns anymore.

I do not quite understand the sentence "something there doesn’t have" in your question. Do you mean there doesn't have social recovery? Ethereum does have one. It is called the Argent wallet. Or, do you mean something else, please clarify.

Again, I am very happy to answer your question and resolve concerns from you and other team members. I totally understand TEA is a complex project that needs a lot of different kinds of background to understand. It sounds very scary too. We choose TEA not because it is easy, but because it is hard but valuable.

[mmagician]

@kevingzhang Thanks for the application & detailed explanations. Your demo is great, I really enjoyed watching it.
In my opinion it might be difficult to get approval for another wallet application, especially built with a (yet) unproven trusted-execution device. Personally I would not entrust an unknown service with my funds.

That said, it would go against innovation to only support solutions using verified devices (e.g. SGX), though my expertise on the topic of TEE is limited. I would love to see, for example, more development of the trust-less code execution platform as seen in your demo. In that use case (image recognition) neither the code nor data carry such concerns as wallets and might be a first step to test this type of a solution and convince the users.

That's just my opinion, let's see what other members have to add.

[kevingzhang]

Hi @mmagician , I totally understand your concern and willing to share my experiences with you.
About 10 years ago, in 2011, I was told the concept of Bitcoin and blockchain. I did not pay much attention and did not believe it at that moment. I missed a big opportunity with my wife. The second chance was in 2017. I caught the late train and jump in. If I did in 2011, well, I would have been a billionaire.

Let's assume Satoshi did not choose Bitcoin but a twitter-like microblogging application to demonstrate what kind of trust blockchain can provide, I bet most of us wouldn't hear the term Blockchain today. Microblogging can also demonstrate most features of blockchain, but it cannot approve the trust value of blockchain. There is a $720,533,316,011 value stored in Bitcoin today, it was started from 20k BTC per pizza a few years ago. It takes some time to approve the value, and it will approve eventually.

We had our first demo application in Nov 2020. It is about the Tensorflow image recognization story. That is the one you tried. It is a good demo. It shows the full potential of the TEA project. However, it is similar to microblogging on blockchain fiction I mentioned above. If we need to approve TEA is trustable, it has to store value as BTC did. If some years later, there are thousands of users who store billions worth of digital assets on Gluon of TEA project, I do not have to convince others.

Of course, we have to go step by step. There is a Toyota Prius prior to Tesla, so we have already prepared our hybrid solutions. Let me show you what we hide:

Since the first day, TEA supports both TPM and Intel SGX ( or other TEE such as Trustzone). See our online document link http://teaproject.org/#/doc_list/%2FWhat_is_TEA%3F%2FTEA_vs_Trusted_computing.md, please scroll to the end. The section called "When to use TPM, when to use TEE".

It was there hidden somewhere in the TEA project for a while. It is called a "capability" in our system. If you remember the Tensorflow image recognization demo, the Tensorflow component is a capability. It could be a capability to have 4 TPU installed in your TEA node, or an SGX supported Intel CPU on board. For mission-critical tasks such as generation, reconstruction, decryption private keys, the user can add one line in the JSON file. { capability: { execute_in_sgx: true } }. When this task is executed, only those who have Intel SGX capability can take over this task. Because Intel SGX is a centralized service, the final Root_of_trust is Intel not TEA. TEA will just verify Intel's evidence and attach it to PoT(Proof of trust) without additional verification. In this case, the clear text of private keys only exists inside the SGX secure enclave. You do not need to worry about TEA. As long as you trust Intel, you got peace of mind while still enjoy all other features Gluon provides.

This is a hybrid solution. Uses can choose to use Intel SGX or TEA. There will be price differences between those two kinds of services. No doubt, Intel x86 will be expensive than ARM, so is the service charge. Peace of mind does come with a cost.

If this is a deal-breaker, we certainly can turn on this option by default to users. so that private keys are processed inside a secure enclave by Intel SGX. Please let me know if you agree.

I am very happy to face all kinds of challenges. Only challenges can make TEA stronger.

[kevingzhang]

BTW, I have element ID: kevingz, I live in Pacific time zone (San Jose, CA). Feel free to element me if you have any quick question. I'd like to talk with you as long as I am awake. @mmagician and @Noc2 and others.

[kevingzhang]

Design changes. Using Schnorr Multisig to eliminate the concerns from @Noc2 and @mmagician.

We got a reply from this GitHub issue: paritytech/polkadot#2270 (comment) We happened to know that @burdges is going to implement multisig features of sr25519 "soon-ish". Let's assume Polakadot will support the sr25519 multisig. We can make the following changes in our design. We will not "host" any private keys from our client in our "hard_to_convince" hardware security module. Both @Noc2 and @mmagician's concerns are gone. Here comes the detail:
In our original design, the user's assets are protected by 2/3 multisig keys p1, p2, and p3. We host p2 and p3 in our HSM. There are valid concerns regarding if the HSM is secure enough. As long as Polkadot support multisig SR25519, we turn both p2 and p3 into multisig addresses.
For p3, the social recovery key, all private keys are held by "the guardians". When the user requests a social recovery, their guardians sign such a recovery transaction verified in our layer1 blockchain. If it passes, Gluon will then aggregate the signatures and send them to Polkadot. Polkadot can verify the multisig SR25519 as a valid p3 signature.
p2 is also a multisig SR25519 key. No single node holds the private key. When Gluon generates such an address, a k of n multisig key sets are generated. There are n TEA nodes randomly selected as "initial-pinner" to store these n keys in their secure memory. They will continue to distribute those keys to other "repinners" as replicas. All of these nodes have zero-knowledge of the relationship between these keys to their belonging address. They only know the deployment_id, which is safe to be public. The p3's public key is aggregated from these public keys.
When signing a transaction using p2, there are two steps. Gluon layer1 will verify user authentication first. This process is the same as before, including web and mobile bi-authentication, fingerprints, etc. If passes, Gluon layer2 will run "ipfs find providers" to get k of those n deployment_id "pinners". Those k pinners sign the same transaction separately. Gluon layer2 aggregates those k separated signatures then sends the result to Polkadot to verify.

We can see significant advantages over the previous design.
P1 and p3 are directly controlled by humans: the client and its guardians. Gluon has no liability on those keys.
Gluon still controls P2, but since we retired Shamir Secure Sharing Schema, the private key is never generated or reconstructed as Shamir did. P2 is a k_of_n Schnorr multisig key. Many separated nodes distribute the control over the TEA network. There is no single point of failure. Since the nodes know nothing about the "partial key" usage, they can hardly collude.
Even terrible thing happens. P2 cannot control assets alone. The user still owns the control by using p1 and p3.

Another good news is that Bitcoin is going to use Schnorr multisig in the upcoming upgrade. When it is done (hopefully in one year), we can use the same technologies for Polkadot, Bitcoin, and any other blockchains supporting Schnorr multisig.

Since the Polkadot has not supported SR25519 multisig yet, we will test in our test chain for now. Once the Polkadot completes the upgrade, our Gluon is probably ready to serve. It may take a few months depends on how soon Polkadot will upgrade to multisig SR25519.

What do you think about this design change. I have not updated the application yet. I hope to hear your opinion first. Thanks

[Lederstrumpf]

Hi @kevingzhang, thanks for your particularly detailed application!

With respect to your latest update, when the 2-of-3 multisig is signed by {p2, p3}, I lean towards including a punishment mechanism such as provided by the recovery deposit required by the recovery pallet, claimable via close_recovery through the user.

I think it would be fruitful to have a call to discuss your grant and other directions we could branch your TPM usage into - I'm personally not fully convinced by the p2 arm of the multisig (controlled by Gluon), but this may be resolved in a conversation, or we can converge on an alternative deployment. Do you have some availability window this week? Then I'll coordinate with @Noc2 and @mmagician to find a suitable time.

[kevingzhang]

@Lederstrumpf thank you for your comment. Yes, we have similar punishment designs not only for recovery but also for many other cases. By using such logic can discourage attackers.
I am very happy to talk to you and other reviewers to explain the hardware security related issues. I use www.calendly.com/kevinzhang to manage my time. Assuming you are in Europe, it could be hard to find a time slot to fit all of us. If you cannot find any available time, please let me know your available time slots. I can either sleep late or get up earlier to match your time zone. Please let me know. I am looking forward to talking with you.

[burdges]

I have not read this thread, but..

I'll mention that kobigurk/aggregatable-dkg#1 might enable interesting wallet recovery designs. At present, we've no plans to adopt even its much nicer threshold DKGs for validators, and nobody has designed a key handoff protocol for it, so doing anything like this sounds unlikely short term. It's possibly helpful for individual wallets somehow though, like by using its VRF as an OPRF. I doubt this however.

We considered Anastasis previously in w3f/General-Grants-Program#226 which was designed to fit recovery requirements specified by some E.U. regulatory frameworks. Anastasis would presumably be required by some stable coin designs.

[Lederstrumpf]

Hi @kevingzhang,

As mentioned via DM, I think we're ready to proceed with your msig recovery/backup grant in lieu of moving to an SMPC-equivalent alternative.
Could you still update your proposal with the design change you outlined in the following comment?
#182 (comment)

To the extent that these changes influence the milestone structure, it would be best to delay any deliverables that depend on schnorrkel off-chain multisig support to the end, where possible.

With respect to your proposal to switch to an SMPC-equivalent deliverable instead if schnorrkel off-chain multisig has significant delays, what would you consider to be a significant delay?
Might be sensible to make the SMPC-equivalent a separate grant proposal instead: looking at your current milestone structure proposal, I don't see where this and the msig software would overlap materially in software deliverables, but I might be missing something.

[kevingzhang]

updated the application based on our discussion last week.
Major changes:

1. Use Schnorr Threshold Signature instead of Shamir
2. P3 is totally controlled by Social Recovery Pellet and users' guardians
3. Milestone 1 and 2 do not require Polkadot to update to Schnorr Threshold Signature.
4. Milestone 3 and 4 can be tested on our own test net without waiting for Polkadot's update to Schnorr Threshold Signature
5. Added miletone5 to migrate to Polkadot main net when Schnorr Threshold Signature is updated to Polkadot main net

As long as Polkadot can update to Schnorr Threshold Signature before Jun 2021, our project won't get affected.

[kevingzhang]

I have updated the PR couple of days ago. Have you got a minute to review it? If you have any further questions, just drop a line or two. thanks

…

On Thu, Feb 4, 2021 at 2:02 PM Robert Hambrock ***@***.***> wrote: Hi @kevingzhang <https://github.com/kevingzhang>, As mentioned via DM, I think we're ready to proceed with your msig recovery/backup grant in lieu of moving to an SMPC-equivalent alternative. Could you still update your proposal with the design change you outlined in the following comment? #182 (comment) <#182 (comment)> To the extent that these changes influence the milestone structure, it would be best to delay any deliverables that depend on schnorrkel off-chain multisig support to the end, where possible. With respect to your proposal to switch to an SMPC-equivalent deliverable instead if schnorrkel off-chain multisig has significant delays, what would you consider to be a significant delay? Might be sensible to make the SMPC-equivalent a separate grant proposal instead: looking at your current milestone structure proposal, I don't see where this and the msig software would overlap materially in software deliverables. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#182 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AANOEEOCBRSUIZZ3EOOQMO3S5MKOBANCNFSM4VULP7WA> .

-- ╭︿︿︿╮ {/ o o /} ( (oo) ) Kevin G. Zhang :) ︶ ︶︶

[Lederstrumpf]

This is a 2-of-3 MultiSig from the MultiSig pallet, yes? Is there a reason to do this if, as this grant's completion requires, we'll already have native Schnorrkel multisig?

[kevingzhang]

They do not have to be keys from MultiSig pallet. If the native Schnorrkel multisig is merged into the master, we are happy to use native implementation. This is a replaceable module that can switch to native multisig when it is done, or use the pallet if it is not ready. But looks like the review process is delayed so that we can catch up with the native multisig implementation then. Do you want me to change it in the application to native Schnorrkel multisig?

[Lederstrumpf]

yes please - I think that makes more sense given the grant's current requirements.

[Lederstrumpf]

If schnorrkel is not ready and the project is left stalling, we can revert to MultiSig pallet.

[kevingzhang]

Done. I have updated the algorithm to use Schnorrkel.
Thanks

[Lederstrumpf]

Thanks for the updates, @kevingzhang! LGTM.

[Noc2]

Sorry, I have one additional request. Could you change the BTC amount to USD? We recently changed the denomination to USD (see the updated template). Once you deliver the milestone we can either pay you in DAI or Bitcoin.

[alxs]

Appreciate the effort that went into this. I have nothing to add from a technical perspective, my only suggestion is that you hire an experienced copywriter and/or technical writer at some point during this grant so that your technology is clear to potential users, given the novelty of your approach. Also since you mention that you will start looking for investors now: note that you may only disclose the grant publicly once your first milestone has been accepted. Good luck with the project.

[github-actions]

Congratulations! As part of the Open Grants Program, we want to help winning teams acknowledge their grants publicly. To that end, we’ve created a badge for projects that successfully delivered their first milestone. Please observe the foundation’s guidelines when making any announcements; in particular, don’t announce the grant publicly before you've completed at least the first milestone of the project.

At that point, we will be happy to collaborate on an announcement about the work you’re doing. Please get in touch with us at [email protected] in case you're interested (at least two weeks notice is preferred).

[alxs]

@kevingzhang we may be able to implement w3f/schnorrkel#11 so you can get started with milestone 3. Could you reach out to @jeff:web3.foundation and @robert:web3.foundation on Element?

[alxs]

@kevingzhang sorry that didn't work out. Is there any way for you to work around this? This grant has been open for quite a long time now and, without a clear timeline for the next milestones, we should either amend it so that you can work on it now or cancel the rest of the milestones and you apply again when you can start.

[kevingzhang]

I am discussing this with Santiago. He is trying to have it done before Lederstrumpf leaves. Let's see how it goes.

[semuelle]

I am discussing this with Santiago. He is trying to have it done before Lederstrumpf leaves. Let's see how it goes.

Hi @kevingzhang. Are there any updates regarding the grant or the Schnorrkel issue?

[kevingzhang]

Hi Sebastian, Nice to hear from you again. Actually there has not been any update since our last conversation. Since we cannot be stuck there waiting for three years, we have moved on to the ETH as our layer1 since 2022. Our TEA Project is currently running on top of ETH as our first layer1 chain. But our technology doesn't rely on any specific chain, so we would be happy to add additional layer 1 chains, of course, Polkadot is the best choice. I had an email conversation with Coleman Maher in another email thread. He asked me the same thing, but it sounds like he is not a technical person. I've told him what we need and why we are stuck about three years ago. If there are any updates, I would be happy to know. Considering it is crypto winter, all of us (especially for us, a small startup ) need to be very flexible and creative to survive. BTW, the TEA Project is pretty much done as the first phase of the project. We are preparing for the alpha launch at any time. Since it has been years, if you need any update from the TEA Project, and the value that TEA can bring to DOT, I am very happy to talk to you. Kevin Z

…

On Fri, May 19, 2023 at 5:49 AM Sebastian Müller ***@***.***> wrote: I am discussing this with Santiago. He is trying to have it done before Lederstrumpf leaves. Let's see how it goes. Hi @kevingzhang <https://github.com/kevingzhang>. Are there any updates regarding the grant or the Schnorrkel issue? — Reply to this email directly, view it on GitHub <#182 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AANOEELYOTUFLX4S623EXE3XG5T6VANCNFSM4VULP7WA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[semuelle]

Thanks for the update, @kevingzhang. It's very understandable that you moved on and I'm sorry it hasn't worked out so far. In this case, I am going to close the grant formally. If anything changes with regard to the underlying issues, it should be pretty easy to sign another grant to complete the implementation.

Best of luck going forward!

[kevingzhang]

yes, you can close the case. when the block is removed we can continue on a new grant. thanks

…

On Thu, Jun 1, 2023 at 4:38 AM Sebastian Müller ***@***.***> wrote: Thanks for the update, @kevingzhang <https://github.com/kevingzhang>. It's very understandable that you moved on and I'm sorry it hasn't worked out so far. In this case, I am going to close the grant formally. If anything changes with regard to the underlying issues, it should be pretty easy to sign another grant to complete the implementation. Best of luck going forward! — Reply to this email directly, view it on GitHub <#182 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AANOEEK7B4AFIGFEZDSQYOTXJB5JTANCNFSM4VULP7WA> . You are receiving this because you were mentioned.Message ID: ***@***.***>