Originally posted on Medium

ChainSafe is proud to announce the completion of a collaboration with xx network, one of the world’s first quantum-resistant and privacy-focused blockchain ecosystems.

A few months back, xx network enlisted our help to implement Winternitz One Time Signatures (W-OTS+) for Substrate-based chains and automated Placards generation. The primary goal of this engagement was to introduce post-quantum-security into signatures on Substrate.

Technical highlights
For context, W-OTS+ is a quantum-resistant digital signature scheme that uses relatively small key and signature sizes. And the xx network is a layer one blockchain co-founded by cryptography pioneer David Chaum. XX network is unique in its efforts to guard against cryptography-breaking quantum computing.

This collaboration had two focal points. The first is an implementation of an independent W-OTS+ crypto library that can be used in any context. The second is a Substrate Pallet and Off Chain-Worker Implementation to introduce the W-OTS+ signature scheme and Placards into a Substrate runtime environment.

Both implementations are novel to the Rust-Substrate ecosystem. There’s an existing Golang implementation, but to foster interoperability with Substrate-based chains, the W-OTS+ scheme has been written in Rust.

This package of technologies, therefore, can be regarded as an attractive option for future implementers from various language backgrounds.

Broader implications

W-OTS+ is suitable for post-quantum environments as it’s a hash-based signature scheme. Unlike the current signature schemes generally used in blockchains (e.g., ECDSA, Schnorr, BLS, etc.), which are based on the hardness of the discrete logarithm problem, hash-based schemes are based on the hardness of finding the preimage of a hash.

Unlike the former, there is no efficient quantum algorithm for the latter, making hash-based signature schemes quantum-resistant.

Hash-based cryptography is not the only approach being proposed for a post-quantum world. Isogeny and lattice-based approaches both hope to address the one-time-use limitation of hash-based signature schemes.

However, following the unexpected critical vulnerabilities recently discovered in a NIST finalist SIDH, hash-based cryptography remains a safe approach.

Given that W-OTS+ are one-time signatures, each time a signature is revealed, part of the private key can potentially be recovered. Thus, re-using a private key for multiple signatures eventually leaks the entire private key.

To work around this issue, for the xx network’s use case, a set of keys derived from the same seed and merkleized is published as a validator’s public key. Then, to validate a signature, a merkle proof of inclusion within the tree with the published root is used. The merkle tree of keys is referred to as a “Placard” in the implementation, which can be seen as a simplified version of the XMSS signature scheme.

Summary

As the need for post-quantum cryptography draws closer, the xx network is ensuring its privacy-preserving tech stack is quantum-secure.

This stack includes a private messenger app backed by a mixnet; a novel wallet generation mechanism called Sleeve, which allows embedding a W-OTS+ public key as a backup for any other cryptocurrency wallet — and now, the first step towards integrating quantum secure cryptography into the xx network’s Substrate-based blockchain.

The newly developed W-OTS+ crypto library already empowered the xx network team to implement Sleeve wallet generation in Rust and cross-compile it to WASM for usage in web browsers. Any user can now generate a quantum-ready wallet for any cryptocurrency directly in the xx network web-based wallet and staking app.

Originally posted on Medium

Cross-chain applications

Interoperability solutions have shown great promise in unlocking the potential of decentralized applications in our emerging multi-chain ecosystem. However, due to the high volumes of digital assets and critical data flowing across them, blockchain bridges are amongst the most targeted protocols in the web3 space. This leaves researchers hunting for more advanced security designs.

Multi-Party Computation (MPC) is one of the most interesting potential solutions. Secure MPC represents a powerful next step in digital asset security because it eliminates the risks of a single point of compromise.

Instead of relying on Multisig and other (older) ways of key management that either expose relayer identities or introduce exploitable single-points-of-failure, relayers would run a secure MPC ceremony each time a user wishes to bridge funds or transfer arbitrary data.

In this way, MPC enables multiple parties to carry out a distributed computation on their secret inputs without revealing anything but the output.

This concept has been studied by academia for decades. Still, it’s only due to recent technological advancements that it has become viable for real-world applications like Sygma, the interoperability layer for building cross-chain applications.

Let’s unpack how MPC works, what makes it unique, and why we choose to adopt it.

Threshold cryptography: deep dive

Threshold Signature Schemes (TSS) is an area of MPC that we will focus on today. It’s particularly useful for crypto as it facilitates the distribution of a private key to multiple parties, introducing redundancy into asset management security.

In other words, it enables a set of parties to perform certain cryptographic operations, like signing transactions, while none of them holds a full private key. Instead, the key is split across the parties and can only be used when a subset of them — the size of which is larger than a certain threshold — combines their key shares.

Thanks to the homomorphic properties of the underlying scheme, a fully formed private key doesn’t ever need to exist. “Homomorphism” is just a fancy mathematical way to say the operations you can perform on the unencrypted (plaintext) values, like addition or multiplication, will behave identically on the encrypted (ciphertext) ones.

You can imagine the benefits of this for privacy.

For example, a user sends encrypted financial data to the server, and it responds with an encrypted credit score that only they would be able to decrypt. If that sounds interesting, see this article for more details and this library if you want to tinker with it.

An example

Imagine you have a secret key sk and a special algorithm that can divide this key into n pieces such that $[sk_i]$ = share_key($pk, n, t$). Imagine now you want to sign a transaction m, so you apply a similar algorithm to get partial signatures $[s_i]$ = sign($m, [sk_i]$). Now, to reconstruct a valid signature, you would simply sum all partial signatures together $s = s_0 + s_1 + … + s_i$ and call it a day.

You might’ve also noticed a third argument t when we shared our key. Although the key is shared between n parties, we only need a threshold number of them to actually sign something. This is akin to a multisig scheme, which interestingly is just an emulation of threshold signatures using a high-level smart contract language like Solidity.

Of course, multisigs come with a cost where one would pay miners to process each call to the multisig contract. Conversely, threshold signatures are processed off-chain, and only a single compact ECDSA signature needs to be transacted on-chain once. Furthermore, such a signature won’t leak anything about its signers, which secures them from targeted attacks and is great for privacy.

When discussing security, MPC algorithms generally provide guarantees based on the threshold number of corrupted parties a system can tolerate. This places TSS in a unique position, as such schemes present the control of their robustness directly in the developer’s hands. Furthermore, this allows it to withstand even the dishonest majority — an extreme state where adversaries can corrupt all but one participant.

You may already know about the blockchain’s Scalability Trilemma and the Interoperability Trilemma of the cross-chain ecosystem. Let’s introduce a third one for the MPC domain — the Threshold Trilemma. Below are the three properties that MPC protocols try to maximize but can only have two of at the same time:

• Risk minimization (robustness): the higher the threshold value set, the harder it is for parties to collude against the system, e.g., forge a signature.
• Fault tolerance (liveness): the lesser the threshold value compared to the total number of parties, the more unforeseen failures such a system can tolerate, e.g., a peer accidentally going offline.
• Performance (latency): the more parties the system employs, the more decentralized, secure, and reliable it would be, but at the expense of increasing performance overhead due to MPC’s high communication complexity.

Generally, protocol engineers prefer to minimize risk first and then balance liveness and performance based on the chosen threshold. However, it’s essential to base the threshold calculation on concrete metrics, such as the number of collateral nodes would have to stake or the amount of computation work needed for participation.

One last trick that can present an even greater degree of confidence in threshold cryptosystems is their unique “Key Reshare” mechanism — which allows parties from the old set to rotate key shares with new participants without changing the underlying public key. This is useful to onboard new members into the signing committee, but more importantly, it prevents hackers from corrupting parties one after another, potentially in the course of many sessions (known as proactive adversaries).

Applications of TSS in blockchains

There are many ways TSS is used today. Keyless wallets like ZenGo or Torus are making a more convenient and secure alternative — no more paper-written mnemonics or cloud-backed keys are needed. Instead, the wallet provider’s server/nodes would actively cooperate with the user to sign transactions.

The folks at Chainlink are using thresh-sigs to efficiently and verifiably aggregate data for their oracle network. Even some rollups like Skale Network are flirting with this technology, although instead of ECDSA, they use BLS signatures that require less MPC-intensive setup due to their elliptic curve pairing properties.

Probably the biggest beneficiaries of the TSS are a new generation of custodian services led by Fireblocks and Entropy. These companies aim to disrupt the way big institutions and foundations operate their escrows and treasuries.

Finally, threshold cryptography has great promise for various cross-chain applications. While designing Sygma, a new vision of cross-chain interoperability, we became convinced that having MPC for relayer communication will not only strengthen the overall security but also significantly reduce fees making the user experience much smoother.

Originally posted on Medium

ChainSafe R&D is ChainSafe’s internal applied research and development arm. We provide high quality research to explore new technical and business frontiers in support of larger projects both internal and external to ChainSafe. The ChainSafe R&D team has previously completed (and in many cases continue to maintain) engagements with teams like Gitcoin (“decentralized Grants”), and Polygon (“v3 spec”), to name a few.

ChainSafe has recently concluded a 5-week sprint supporting development of the xx Network as they move toward their mainnet release.

The xx Network blockchain is built using Parity’s Substrate framework in Rust. This has allowed the team to make rapid progress developing the custom chain logic for xx Network while building on top of a battle tested and audited codebase in Substrate.

ChainSafe has been a long time supporter of Substrate with some of our projects including ChainBridge (a flexible solution for bridging Substrate and Ethereum chains), the PINT parachain, and our own runtime-compatible framework Gossamer. We jumped at the chance to help another promising project make it through the final hurdles. Supporting xx Network also highlights our growing capabilities as Substrate developers and code-reviewers in an extremely exciting space in blockchain development.

Network-layer privacy vs. Transaction-level privacy​

In its first form, the xx Network blockchain serves to support and incentivize the already operational mixnet protocol cMix. Mixnets provide network-layer privacy by routing messages between mixing nodes, which effectively erase any link between the sender and the receiver. cMix requires global coordination and incentivization for mix-nodes, and the xx blockchain solves both of these! Nodes participating in consensus must also be active mix-nodes. Their performance as mixers directly affects what they can expect to receive as block rewards. You can learn more in the cMix whitepaper.

Network-layer privacy has seen much less attention in the crypto space compared with transaction-level privacy, as present in other blockchain projects such as ZCash and Monero. However, both will be required for us to one day be able to transact with total privacy, which includes end-to-end encryption and metadata shredding. Moreover, the network layer privacy offered by xx Network will power xx messenger, a private off-chain messaging app available on major mobile platforms shortly after mainnet launch.

The first release of the xx chain adds on-chain logic to support the operation of cMix as well as the unique economic logic for xx coin. Since the pre-sale for xx coin was instantiated on Ethereum as an ERC-1404 token, the network adapted Polkadot’s Claims module in order to allow users to receive their native xx coins at mainnet launch. Furthermore, xx Network plans to use ChainBridge to allow users to swap wrapped ERC20 xx coins on Ethereum to their native form on the xx blockchain.

Contributions from ChainSafe​

As part of the engagement, all new additions were evaluated line-by-line, tests written to ensure full coverage (over 100 tests were added in total!), and benchmarking added to automatically derive weights for all externally callable functions. Several major issues were found and subsequently fixed by the team. Progress! The full report of the review will be available once the codebase is released to the public.

We look forward to the future of xx Network and the value they will bring to the blockchain ecosystem with their privacy preserving technology.

Acknowledgments

Thank you to Tim Ho and Bernardo Cardoso. Your contributions were invaluable to the making of this article.