Zengo: Keyless Crypto Wallet - Epicenter #304 Transcript

56 minute read

Epicenter Podcast #306

Under Creative Commons license by Epicenter Media ltd

Hosts: Sébastien Couture, Frank Rain

We’re joined by Omer Shlomovits and Ouriel Ohayon, Co-founders of ZenGo. Their product is a ‘keyless’ crypto wallet, which means users never need to generate or store a key which gives them access to their funds. Keys are created with an MPC, where both ZenGo and the user are required to sign a transaction. TTS opens up exciting new possibilities like social recovery, user permissions for teams, and inheritance planning schemes. The important distinction between ZenGo and existing multi-signature wallets is that they achieve this using only cryptography, and do not rely on on-chain elements like smart contracts or op_scriptSig in Bitcoin.

Transcript

Sebastien: Hi, we’re here with Ouriel Ohayon and Omer Shlomovits, both of whom are cofounders of Zengo. Hi Guys. Thanks for joining us today. So we’re going to get to talk about Zengo the product you’re building, which is a keyless cryptocurrency wallet. We’re also gonna talk quite in depth, I think about cryptography and some of the new techniques that you’re working on, specifically multiparty computations and threshold signature schemes. But first, let’s spend a little bit of time thinking about your backgrounds perhaps with starting with you. Ouriel, you have a background in web 2.0 and previously you co founded Techcrunch France, I believe over 10 years ago. how do you transition into crypto?

Ouriel: I actually started at 1.0, so I saw the internet… blossoming on our computers. And then indeed I saw the birth of web 2.0 with blogs and social networks. I had multiple experiences as an entrepreneur, one of which is the one you described. I was the founder of TechCrunch in France. I also worked many years in venture capital, both here in Israel countries where I moved 16 years ago. but also in France where I started a venture fund there and build multiple companies. A lot are related to consumer technologies and now, obviously I increased our currency. So we’re going to talk about that. And I’ve been bouncing back back and forth between building and investing.

Finding Crypto and deciding to building a wallet

Frank: So if we have the cryptocurrency space… how did you get into that and what appealed to you about the crypto space and specifically the problem of building a wallet?

Ouriel: Well, it was, it was a very interesting because they’ve been an early adopter of virtually everything that has been around for the past 20 years except crypto. I came very late to the space and I am ashamed to admit that. And today because it’s 100% of my time, and I wish I did that earlier, but I’ve been building apps for, for a… for other platforms for many, many years. And sadly you, you really quickly realize that your business is depending on the back of others. And when I saw the possibility to build apps that would not depend on a dead switch and only on the platform and to decide whether you should exist or not, it was attracting to me. And that started to get me into excited and curious. And very quickly I discovered it was a real revolution not just for apps but for money and trust. And in general, anything that we do in the society. So I wanted to invest all my time in it quickly. I met Omer and my cofounder right here and I, we decided to build this company with two other co founders and now we building this crypto wallet, which we don’t

Background and relationship with the cryptography scene in Israel

Sebastien: and Omer are you come from the work world of academia, which for long time listeners who have followed our podcasts for awhile, probably be aware of that. Israel has a very vibrant scene in the sort of cryptography space. Tell us a little bit about your background and what’s your relation to the broader cryptography scene in Israel?

Omer: Yeah, so I think I grew up naturally into the space. starting a few years ago I, because I’m doing my CS PhD supervised by professor Yu DeLinda, by the way, I was focused on multi-party computation, but I searched for a what to do, my what to work. And then I encountered, this whole concepts of, proof of work and smart contracts. And it attracted me, it was back in the day where it was easy to follow on with everything published in the space. And a special thanks to Stephan de Bezoski, which I think is working papers inspired me and also Vitalik obviously. And yeah. And after a few years I met with Edward, pitched me about his idea, the problem of wallets and I was fascinated by it, so I just drop everything and join him.

Ouriel: I think Ouriel you had to pull out of his previous startup to get him to join as an NGO. Well, he pulled himself a great, yeah. And I think he’s a… smart guy and the studio, the opportunity and was just a good timing.

Deciding which aspect of wallet development to focus on.

Frank: So on the wallet question, what was it about, I mean, cryptocurrency wallets have been around since… for a very long time. I mean, you had initially the Bitcoin QT wallet, people started doing mobile wallets. There are certainly hundreds of wallets today. Why did you guys feel there was, an opportunity or like why focus on that particular aspect of… all of the different things you could build.

Ouriel: So just zooming out and the problem that we were really focusing on was private key management, which is indeed directly correlated to what wallets are about but not just, and when I stepped into that space, I was expecting something that would be… have the level of experience that we’re, I’ve been used to for the past 10 years, no on the mobile smartphone and all these great apps that we’ve been using developed by other developers. And what I discovered instead was something that was looking to be honest, a bit of a prey story and jump back in terms of what user experience means. So that was really the first a break for me. But what I quickly discovered, it was not just a user experience issue, it was also something that has deep consequences in terms of security and what it means in terms of liability.

And if the first 10 years of crypto have been about trying to become your own bank, the episodes and the accidents and the hacks has proven that being your own bank comes with a price which is very expensive. And sadly that was related to the fact that the solutions in place were just not good enough. And I could not imagine blockchain and crypto being a revolution in reaching hundreds of millions of users with the same type of experiences. And so for me, that was the first thing that got me started. Like identifying this problem that seemed pretty obvious that was actually solved many, many times, but in such a way that was not really scalable to the, for the existence of that industry. I was just not able at that time, with Omer, to identify the right technical solution to build something that would be more appropriate, that would be extremely simple, but also extremely secure. And all the solutions I could find were either extremely, not simple or too secure in a way. And I was just something that we thought was very important to work upon, no matter how much solutions were coming to the market actually still coming until today. So we still think it’s early days and that we are still have an opportunity to build something that matters.

The state of crypto custody and differentiating oneself among all of the wallets.

Sebastien: Well Brian and I have been in this space long enough to remember a time when one had to install Armory on an air gapped laptop and sign transactions on one machine and carry those transactions with a USB stick to another. And things have certainly improved a lot since then. But I’m happy to know that you guys are working on improving that user experience even more. And I think that that really helps to bring new people into the space. I mean like hardware wallets for for instance, we… we’re a great step in the way of user adoption and, and improving user experience around security. But as we, as we discussed when we were together in Tel Aviv, like that’s still a long ways away from just being able to… open an app and use crypto and have the same types of insurances that you have with something like a Harbor wallet. Where do you see the state of crypto custody today? How do you differentiate the different types of wallets? You put wallets in classes and and how do you see that sort of broadly?

Ouriel: Actually the analysis we have is very simple. There are today’s wallets with private keys and that’s the entire category of the space and this principal forces to a certain type of user experience. Whether you are on a hardware wallet or on a software wallet or on the paper wallet, you have to manage your private key, which forces a tedious onboarding process. Recovery process is likely to be prone to accidents, human error and hacks. And so this is how we’re looking at the entire space. We are bringing something of a different color which requires no capability to be able to manage to handle your private key because there is no private key to another. There is no secret to remember. There is no password to store. So we call that keyless and password-less experience at Omer in a second we’ll explain how we have enabled that technically and there’s a lot behind it but the end result is extremely simple and so the space today is really a fragmented between solutions that are built around private key as an atomic unit of secrets that you have to manage.

And if they get compromised it’s game over and there is no button called “I forgot my password.” The reality is that today most people who own crypto prefer to store their funds on exchanges, so on centralized solutions and because the other alternative is just too painful. And so today the majority of custody happens on centralized exchanges, which also is not great. It’s another form of poison because you are not in control of your funds. If a hack happens, everything is gone. The assurances that they provide are just fractional and so they’re not good enough. And so there is something better than needs to happen.

And we tried to bring up this hybrid solution, best of both worlds where at the same time you are in control, you are the owner of your phones, phones are on chain, but there is no typical complexity tediousness associated to onboarding that type of solution. And we are, as a service, unable to become a point of failure to the user like custodian or exchanges. So this is the new flavor we bring into this market. The best way to understand is to try it because it’s obvious from the first second you try in the app and I think it may be worse today right now to explain a little bit more how this magic is being possible because there is a lot behind it.

Wallets in the same category as Zengo

Sebastien: Before we go there though, what other companies in this space, you put it in the same category as Zengo. I would personally put Argent for example in that space. Are there other, any others that you see there?

Ouriel: I have not seen a lot and doing what we’re doing. We’ve seen companies that are using multi-party computation to provide private key solution management. We’ve seen institutional solutions trying to bring this also solution, but we have not seen anyone at being implemented that way. At least none that is cross blockchain and that Bitcoin specific or Etherium specific. So the tie users to a specific blockchain or set of features and we haven’t seen any, definitely none that is using threshold signature and multi-party computation that is consumer grade. So I do see though, we do see though new generation of players that are trying to improve the experience with all sorts of ways. Whether this is by using multisig or smart contract or all sorts of creative ways to do things. But it’s interesting to see these new generations of solution coming.

Threshold Signatures within the cryptographic landscape and MPC

Frank: So we’re going to get into… the details. I mean right now we talked about keyless a wallet probably people have no idea what that means. So we’re getting to how this is actually done with Zengo. But before we get in there, we wanted to speak a little bit about… this landscape of cryptographic work and research that… what you’re doing is, is situated in and of course there’s been so much advances where there’s things like, Zero knowledge cryptography, multiparty computation, homomorphic encryption… in addition to the existing technologies and now you guys are focusing on threshold signatures. Are you able to provide maybe just a little bit of… a landscape and help us to understand where threshold signatures fit in this… in the overall as space of cryptography,

Omer: Cryptography has really nice breakthroughs over the last few years. And, we are focused on the field of multiparty computation where eventually a set of parties or people want to joinly compute a function, any function, but in a trustless manner. So it’s without trusting each other by exposing some private information. Okay. So let’s say that we want, all of us to, compare our salaries without exposing the exact amount that we make. Just we want to see who is the one that is, making the most case. So this is the function here. So this is like a very basic example of MPC.

Now, MPC has been, around for few decades, almost 40 years now. And, it started with like a very basic way of doing it between two parties, which was not very efficient and, it got better and better until now.

We have excellent ways of frameworks that you can do a in multiparty computation with any set, any number of parties that, you can define, the setting of the, how many of them are co-opted. There are also for specific functions like digital signatures for example, there’ve been walks that focus specifically on those problems and came out with excellent solutions that are super efficient on how to produce the multi-party computation just for this specific type of problems.

Okay. So digital signatures, usually refers to this bucket of solutions on how to do digital signature algorithm with multiple parties in a very efficient way. And just over the last couple of years there’s been an explosion of explosion of academic papers just around this topic on how you can do it in a way that is applicable to the cryptocurrency and blockchain space. Now the entire field of MPC is, as you said correctly, is related to a homomorphic encryption and also to zero knowledge proofs.

So zero knowledge proof are a tool that is being used in inside multi-party computation. Usually it’s being used when you want… let’s say there are two types of adversaries, generally speaking in MPC, one which we call the semi honest, which means that I cannot do anything to change the protocol, but maybe given the entire transcript he can deduce all sorts of information that would break privacy. And there’s the malicious adversary which is like a maybe similar to Byzantine fault, we do not restric him and you can do whatever you want. And when we are moving from semi-honest to a malicious adversity, what it means is that basically we need to prove along the way throughout the computation that everything is done correctly. So each step that about is taking, it also involves some zero knowledge proof that shows that this step was done in a correct way without exposing the private information.

Because in MPC we do not want to reveal the inputs and zero knowledge proof has this property that you are able to prove some statement without exposing the weakness. So this is how usually they are related. There’s also more in involved ways. I mean, you can also do zero knowledge proofs nowadays based on MPC. That’s also possible using some technique called MPC-in-the-head. Now about homomorphic encryption. So this is a very useful tool also that’s being used used extensively in MPC, right? Because again, if you think about it, MPC allows you to do this secure computation on private inputs and homomorphic encryption gives you a way to do it because you are basically manipulating ciphertext. So, homomorphic encryption means that you can encrypt some message and then you can manipulate it.

So a good is if you answer them a database to do some database query. So you want to put your data on a database, but you put it encrypted and then you still want to be able to get some queries on the encrypted data. Okay. So there are also a bunch of companies that are doing this. This is a very useful tool in MPC because it’s exactly the two that we need in many cases to actually perform them specific to take the ciphertext are where all the parties for example, can encrypt into some type of homomorphic encryption, their input shares, and then you can do the manipulation over the cyphertext and eventually you can do some a decryption or distributed decryption and you get a result without a learning the inputs. So those are both like I would say, very useful tools that used by MPC protocols.

Sebastien: So I guess what it sounds like you’re saying is that MPC is at the root of a lot of these techniques. Whether it’s ZKP, homomorphic encryption, or threshold signatures. They’re all rooted in multiparty computations.

Omer: MPCs is the technology. Now what, it’s a beautiful technology because it allows you…. it’s an enabler. Right? It’s an enabled for in trustless way to getting some results and to do it. People from academia along the years, used all the tricks that possible in cryptography.. and zero knowledge proofs and homomorphic encryption are definitely one of the most coolest tricks in the disposal of the two cryptographer protocol designers. So they’ll use going MPC and MPC is very, very much, it’s not new, so it exists for for many years now. It’s a technology that is used and there are different protocols that are doing MPC and each one is utilizing like different types of these cryptographic tricks to achieve this goal.

How are threshold signatures used in Zengo

Frank: Cool. Well thanks so much Omer, for giving this overview. I would say let’s dive into into the details here. So threshold signatures, how are they used in Zengo? Can you just walk us through? Yeah, how they used to secure the wallet’s, how are they generated and how are they used to the sign transactions, as well?

Omer: Okay. So first we need to understand traditional signatures. In general digital signature is actually referring to three protocols or three algorithms. So the first one is key generation, which allows you to generate the keys (the secret key and public key) which later can be used to derive public address. Then you can… there’s the second algorithm, which is the signing. And finally there’s the verification, which happens on chain.

This is what the verifiers: the miners, the validators are doing and in TSS (stands for threshold signature scheme) the verification algorithm stays the same. Okay? So the magic here is how you can generate the signature without exposing the private key in a specific location, but still get the chain to think its a regular signature. So in order to do it, you start with this distributed key generation. Okay? So we replaced the key generation with a distributed key generation.

What it means is that basically each party will generate the secret, the secret will never leave this party device and using some computation will be able to compute the publickey. So here, if you remember from to explain about MPC, the joint function is the publickey and the secret information is signatures of the secret key. So this is the first step.

Afterwards you need another protocol for threshold signatures. What would eventually output the digital signature… A regular looking digital signature? Okay, so it means that the function to be computed is a digital signature and the inputs are the signatures from the key generation, that was the output of the distributed key generation.

There are a few ways that you can use this framework, because now you have multiple parties that do not necessarily need to trust each other. So you introduce an assumption into your system which says that you are trusting that some threshold of the parties will behave honestly, that they will not get attacked or hacked. So this is a new assumption that is not existing in today’s blockchains. In todays blockchains you are using a very classic at public key cryptography assumptions. And now all of a sudden I’m introducing this threshold assumption. So assuming that, let’s assume that we are fine with this assumption.

Now the question is who are those parties to whom I distribute to the private key? Because remember, it’s not like I’m generating a private key. There is no single point in time where there’s a single private key. So it’s not like I’m generating it in a single point and then distributing it. I’m doing a computation where the end result is that I have this secret information, secret shares generated in a distributed manner to the parties that are doing the computation.

So one option to do it is by just doing it over multiple devices that you own. so this is not what we are doing, but this will give you definitely this extra security because now you need to, it’s like a multi-factoral signing. You need multiple factors to become online. Depends on your threshold. The problem here is that it’s very hard to actually do a signing now because you need to actually collect your devices to be online at the same time. Okay. One of the issues with MPCs, this needs this interactivity and you need this all devices to be at the same time. So *it’s a trade off between the security and the availability.

The other option is that you can have, let’s say some servers that will act as parties and they will run the key generation and signing for you. So instead of servers as do it for you. Now the question is how can you trust those servers? So it’s true that we introduced this assumption that there is at least a threshold of honest servers, but still who is the one that deployed software to the servers? I mean eventually if you go high enough in the channel or in the chain you’ll get to this admin or this guy that actually wrote the software. Okay. So it’s a single point eventually. Also those servers eventually like in real life can collude and sign for you on transactions and steal your keys or steal funds. So it’s a also, it’s not what we are doing in zengo. So what we are doing is an hybrid solution where we have only two signatures. Okay. So it’s a two party computation, which sounds simple compared to a multi-party, but it’s actually not because it’s assumed that both party must behave honestly to make a signature, which is a high demand for MPC protocol.

It’s, it is what’s called a this honest majority because it’s enough that one party is misbehaving. You need both of them to to act. Honestly, one of the signatures will be on the user device, on their mobile device. The other one would be on our service. Okay. So if you can imagine it, it’s like a star topology when you have our servers that, by the way, you can also use MPC or threshold cryptography to maintain our secrets, our signatures in the style that the devices, each one is connected only to us, not to the others, and we are on a joint computation with him. So this is the setting that we are using in here. We have a drawing both worlds that we give this no single point of failure assumptions throughout the system. Because we started for cryptography, we actually built the entire stack or the entire system using this assumption of no single point of failure. So it’s leveraged a continuity And also in terms of availability and usability, it’s easier because communicate with our server and assuming you are testing authentication, you are allowed to do the signing. So it’s very fast.

On-chain vs Off-chain Multi-Sig

Frank: Cool. Thanks so much. That was, that was really a great explanation and so just wanted to basically rephrase it and provide a brief summary. If we *contrast this to something like multisig right. People will know that. And then basically let’s say us, he and I, we can have a multisig on Bitcoin and then we both generate signatures and then jointly sign his message. we may have to send it between each other, broadcast it, and then on the chain and says, okay… both both key signed and it’s okay. Now what you guys here doing is that the bitcoin address would look just like a normal Bitcoin address. But afterwards we both have a private key and we can basically jointly create the signature for this Bitcoin address. And then we basically have sort of… almost the best of both worlds, right?

On the one hand we, we don’t have the higher transaction fees of a multisig, you don’t see on the chain that a multisig basically it’s almost like a multisig was used, but you have a similar security. And of course that model is sort of well known in a multisig paradigm, right? You have something like Bitco or there were other wallets too, right? Where there was wallet provider holding one key and me as a user would hold the other key and then jointly we would sign it. And now in, in your example, you’re doing that, but you’re using your threshold signatures so there’s no multisig being used. But maybe, maybe you can talk a little bit. So the, how would you look at this versus multisig? Like you see it as one benefit that you can use it on many different chains even when they don’t have multisig or what are some of the other pros and cons versus multisig?

Omer: It’s a great question. so my claim is that multi-sig is kind of an emulation of threshold signatures. So a traditional signature, Oh, another way to look at it is a threshold signature is this thing that happens in the cryptographic level. So it’s even before it meets the blockchain, you don’t need… the multisig is the application level, and threshold signature is at the cryptographic level. So it means that all of the benefits that you mentioned in terms of, privacy of the access structure on the blockchain in terms of the fees that you are paying in terms of the support for other chains that might not allow some kinds of multisig, in the blockchain. So this is a immediate benefits that, that you can, can have… for instance, once we had a threshold signature for Bitcoin, it took us like a day to implement it for ethereum, because it’s the same elliptic curve and the same digital signature.

So it was really, it was very fast. and forward. If it was multisig… as you are aware to actually write a multisig contract contract in ethereum, it’s hard. It requires you to do all sorts of today formal verification for the smart contracts, there are many errors that can happen. So it takes more time.

Now looking at Bitcoin example, which is using a digital signature that is, called ECDSA, which is very purposeful and a very old also, this is what’s used today and that we are hoping that, in the future we’ll move to a, …Schnorr type of signatures. So it was not very trivial that threshold signatures got to the point where they are today. Like I mentioned earlier, there was an explosion in threshold ECDS state research just in the best capital, feels like something like nine different protocols.

And the end result is that you have like a mix of protocols that you can choose one depending on your use case. And for example, one interesting result that this academic researchers has led to is in the sense of the security. Because like I mentioned, multi-sig is using the cryptography of the blockchain, which is a classical public key cryptography. So the assumptions of the security assumptions are very solid, traditional signatures on the other lens or threshold signatures ECDSA specifically, was usually assumed some additional assumptions. So the security, so you had to compromise in some sense. But nowadays there’s the protocols which are both very fast and second they are secure in the same security that the blockchain is assuming. So don’t need to assume anything more on the security, like the existence of some encryption scheme, some hardness assumption.

You can just use the same assumptions. I think there’s still a very… the still room to improvement. and I think that the most immediate one is in term of, interactiveness. So multisig is noninteractive protocol, right? So it means that you can sign and then pass it along and someone else will sign it. Then it will pass the transaction along until you get them enough signatures. in a MPC based signature or threshold signature. I mean, I’m speaking in general, I will because there are some cases where you don’t need this interactivity, but in general you do need an MPC interactivity. So you need that all the parties to be online at the same time. And this is something that I think can be avoidable in the specific signature schemes that are used in blockchain. And we have one work on how to do it. But I know that the others that are also doing it, and again, it’s a generalist statement for specific signature schemes and for specific assumptions, you can already use noninteractive threshold signature or threshold ECDSA for Bitcoin.

Pitfalls of TSS vs multi-sig.

Sebastien: Yeah, yeah, yeah. No, I mean I wanted to bring up the pitfalls where, where a TSS falls short with regards to, multisig

Ouriel: just to repeat what, what Omer said, there is three benefits to restaurant signature compared to multisig. The first one is it’s blockchain agnostic so we can support any type of assets, right? There’s no, we’re not constrained to the fact that the multisig capability is baked in the protocol, built in the protocol. And we see the limitation of that for example, in Ethereum with the multiple bugs that have happened. and for us it, it take us really very little time to add another blockchain. This way we could support very quickly, for example, Binance’s chain, or Libra and others will add very, very soon. The second one is privacy, right? Which because we don’t expose the scheme of signatures between the parties, although today we just… a client and a server, but you can imagine in the future we are going to be more, the privacy scheme is not exposed.

And so the signature scheme is not exposed and so you’re not exposing something that is very sensitive, which means which wallets are involved or which part is involved in the process of signing. And associated to that is the cost of a signature because in a multisig, every time a party sign there is a public signature meeting, meaning mining fees associated to it. So eventually you end up with something that is at the same time private, more private, and much cheaper, and also agnostic to any assets. So I would say those are the three main properties associated to the fact using TSS over a multisig.

Criticism of TSS in the Crypto-space

Sebastien: I’d like to touch on some of the criticisms of TSS that we’ve heard in the space. So there is, especially in the Bitcoin space, people tend to be a little bit more favorable to this other type of signatures scheme called Schnorr signatures, which apparently have some advantages, with regards to the size of the signature and the efficiency. And then also the security. Some claim that a Schnorr signatures are more secure because they have been, verified. Whereas TSS on ECDSA has not been sort of formally verified. Can you walk us through like what are these criticisms and why do you think we should trust threshold signatures, today?

Ouriel: Yeah, so let me try to unpack, this question. And first let me say that like implementing the TSS is extremely hard. Okay. It’s a, as we mentioned before, it’s an advanced form of cryptography. It uses zero knowledge proofs, it uses homomorphic encryption, it’s using distributed computing. And in general, those protocols can, tend to be multi-round, and requires some high … sometimes a lot of computation. And eventually this is one aspect that needs to be considered. And for example, what we are doing. So we, we’ve open sourced, all of our cryptography. And I think this is probably the best decision we’ve made so far. We get tons of contributions and battle testing of our libraries and improvements. So it’s fantastic. And I think that this is what makes us a unique because there aren’t a lot of TSS implementations out there. Now TSS I mean what you said about Schnorr compared to the TSS, we can divided into elements. So let’s first compare TSS with the ECDSA, which is what’s currently used in Bitcoin and Ethereum and some other leading up blockchains to TSS based on Schnorr.

Omer: So because Schnorr is the lineal type of digital signature, it is much more MPC friendly than ECDSA today. This is why we saw those many papers around the ECDSA or threshold ECDSA in the last years. And schnorr it’s not trivial, but it’s easier to do. It’s easier to… the concepts that are the building blocks of threshold schnorr were thought of like many years ago and it’s easier to implement. Okay. So there are, less risk of being introducing some vulnerabilities when you are doing this type of a threshold schnorr. We have, by the way, both threshold schnorr signatures and threshold ECDSA libraries. So we can definitely compare them.. with had an entire work in Breaking Bitcoin about vulnerabilities threshold ECDSA, because this is a very, as I said, very hard to actually do. Now having said that, let’s assume that you have the cryptography on board and that you are willing to take this risk.

There are other aspects that might be like a deal breaker, but I want to go back to them. So one of them is about the security of Schnorr versus the ECDSA. So Schnorr has the provable security. Okay. So there’s a paper that gives that the entire security proof of Schnorr under a very solid cryptographic assumptions. Let’s assume the distcrete logarithms, and random oracle model.

It’s not true for ECDSA. Okay, so you see the ECDSA was invented the opposite way. So first because of Schnorr, because Schnorr was <….> there was this assumption that the ECDSA should just work like this. There was the protocol and afterwards people started to came up with poofs. the level of the security poof on the assumptions needed just got better and better than, I assume that the analysis will keep getting better in the ECDSA. So like to say that you see this is less secure than Schnorr.

I would argue that it’s, not very much accurate. ECDSA has some very solid security proofs by now and also this the cryptanalysis aspect. Like Bitcoin is a huge bug bounty for finding bugs in the ECDSA, other blockchains as well. And also there was formal efforts to break ECDSA, which over the the years they not succeeded. There’s another issue with the ECDSA, which is about reliability and availability is… what it means is if you can take a signature and then change the signature such that it still had same meaning it will be valid, maybe on a different message, without going into the process of re-signing it. OK. now Schnorr was proven to be non maliable, which is the properties like strong unforgability. So you cannot do this, which no, the ECDSA was assumed to be mailable.

And one of the security proofs that I mentioned showed that there’s there’s one vulnerability which is known, which is that the signature and the opposite part of the signature will still be a valid signature. And this is arguably a problem, but because this is the only malleability and this is, this can be covered. So what you see in the recent papers is that you just need to define one of the two ECDSA signature results to be The one, the correct one. And this is also what was suggested in Bitcoin. It was one, it’s one of the BIP and it’s also a effectively SegWit, if you use SegWit you eliminate the problem altogether. Looking at Schnorr, on the other end, even though it was proven to be non malleable, in fact, because it’s not standardized like ECDSA, there are many standards for Schnorr, so anyone can just take some variant and say this is a Schnorr signature.

And eventually what can happen is that, for example, we have a blockchain called Zilliqa, that they have one variant of schnorr signature and Bitcoin Schnorr BitSchnorr is another variant. And what might happen is that one signature on one blockchain would have a meaning in another blockchain, which is the point of malliability. So I’m not sure if its a strong claim for schnorr. So to conclude that, I would say that like ECDSA is valid, a is secure to some a good extent taking ECDSA and doing TSS on ECDSA is definitely how they’ve been doing TSS over linear schnorr.

Setting up and using Zengo

Frank: Okay. Thanks so much. All right. Well let’s, let’s talk a little bit more about, just the Zengo wallet user experience. Ouriel. Can you walk us through what’s the process of setting up a wallet and using the Zengo wallet.

Ouriel: So at first it’s going to be hard to sound as smart as Omer after all those great explanations. So I’ll try to be, to make a point here. Let’s just first like remind, I mean I’m sure your audience already knows, but typically when you onboard a new wallet and (I will not talk about exchanges, which are like centralized service and you just create a login and the password and KYC) usually the typical noncustodial wallet, the experience will be the following. You will open it and you will be presented a set of 12 or 24 words. You will have to somehow, or write it down, think about mobile first experience where you don’t have the possibility to take side notes or something. So you probably will do a screenshot of that, which is a very bad idea, although the apps will tell you not to do it.

And then you will have to repeat some of those words to validate to have them. And then at some point you’d get into a fully be wallet somewhat will allow you to skip that phase. And at some point, for example, when you buy a new phone, you realize you have not backed up and because you have not your seed or your seed phrase with you, your money that you thought was here is gone and it’s gone forever. So that’s typically the experience that you would have on a normal wallets. Right? So the here, here is how it works with Zengo you do not have to memorize any secret. The only thing that you know you need to know is your email address, the access to your email address. So you open Zengo we’ll ask you your email address. You put your email address, you receive magic link, which is a bit like Slack is doing, which is like a way to pass a password without actually revealing a password.

You click on this email to validate your email. You get to the second step, which is validating the existence of your device by allowing the permission to your device biometrics, whether this is touch ID or face ID. And then you get to the wallet. At this stage, the wallet is set with zero funds. The wallet is, at this stage,not yet backed up. We have made the decision to not force a backup at the onboarding until the owner wants to deposit funds. So when you press receive to deposit your first funds, you will be forced to do a backup. But unlike traditional wallets, which ask for you to store 12 or 24 words, it works with advanced biometrics, which is not the suit of your device, but a service side operating biometrics, which we can do thanks to the TSS architecture that we have. So here it’s very simple for the user, all he has to do is to do live video which is encrypted on his phone of his face, right? So it’s like a face map that is encrypted on his phone. And then the encryption is sent to the server and stored there in a secured way. Obviously we cannot treat it, we cannot see it because it’s stored and that’s it. Your wallet is backed up, meaning that you have in three steps, no password required, set up your Zengo wallet.

Backup and Recovery

Frank: I did that before and it is a very nice user experience. Now of course the thing is for, so we have to this share or basically this key on the my phone, right? And then there’s another one on the Zengo server and we just talked about before how that works. And now you talked about the backup with this biometrics and I think my idea of the backup is right. So I have my iPhone, I lose my iPhone at a later point. I want to basically recover my share so that can keep accessing my phones. And then I use again the biometric camera. Can you talk to them? I’m curious on this point, how does that, because we work, I’ve lost my phone and I have my new phone, I download the Zen, go up again and that then I use this face camera. How does it recover and regenerate the share that I originally generated in my… in my previous phone.

Ouriel: So excellent question. So the most important thing is that it works. And the second thing is now to understand how it works. So indeed, let’s say you broke your phones, you lost your phone or whatever, you just bought a new brand new shiny iPhone 11 right? Which I’m sure you guys have done already, if not maybe probably very soon. There is still like you are using the mini Minitel here anyway. You got your new phone with you and you Zengo and you go through the same exact steps I described before. So you will repeat the same email that you are. You have used to create your account, you validated with the magic link, you give permission to the device biometrics and you will scan again your face. Now what it does is, and remember when you first can your your face and it works with any selfie camera, so your phone does not have to need to have a special capability, just have any cell phone camera.

What it does is that it again scan your face and encrypts it on your phone and then he’s going to compare it with the encrypted version that we have stored for you. And remember, it’s encrypted so we cannot see it. No one can see it if someone as that file is completely useless and matches it. So as it matches it, it restore the share of the phone that has been encrypted also and stored with us. And it’s being restored on the device. And then you get access back to your phones. So I know there’s been a lot of ping pong here between a lot of encryption and mechanisms and security. But the simple message is that the face unlocks one of the factors that has been served to encrypt your private share on your device, stored encrypted on Zengo servers and sent back to your phone as you have restored. And so, all that is obviously invisible to the Zengo users and restore this funds that, of course, let’s remind very important, it’s a noncustodial wallet. So all funds are on chain.

How biometric backup works

Frank: Just a quick question on that. So I think this puzzles me. So if I’m using my phone with this face thing and basically generates some… it uses the data for my face when I move it around in generates you some key, so this is deterministic. I’m going to do it again with a phone and it’s going to generate the same thing. Or is there some sort of like similarity and then it, it roughly matches.

Omer: So basically it’s not deterministic. It’s a, it’s using a machine learning model. So what it does is basically it encodes your face, the time for distraction and also it gives you this, when you try to advocate it gives you also a liveness test to see that it’s not a picture that it’s really a 3D human being. And by the way, interesting fact is that you can also use MPC. This is another use case for MPC because you can, I mean some people don’t want the face of encoding of their face will be sent to some remote server, which is understandable.

So you can do it over and keep the data. So you encrypt your face and you do the machine learning over the encryption of your face that that way this remote server will do the entire process of authentication over the encrypted data, like the entire machine learning, getting those elements from your face and then comparing it to some previous encoding. And we’ll send you the results without knowing that you are really who you are, in code, keeping a copy of your face.

Ouriel: So just to complete on that, what’s because you know there is a lot of market narrative right now around the capacity to break face ID technologies and deep fakes and all these things. So I want to make a few things clear. first, what’s this technology is doing is measuring the liveness of your face, the fact that your face is alive and real. So if you are trying to spoof it with like a picture, even of good quality or a video or a mask as you’ve showed me, at your office or L’Oreal has a three D printed mask of his face, like super weird. But yeah, it doesn’t work with that. Apparently it does or it doesn’t work. Exactly why? Because the technology is actually measuring the fact that your face is alive. So anything that is not that, that is not, you will not pass the test.

And, we, we break there and think about it. It’s the first time in the history, definitely in the history of crypto, maybe industry of FinTech that you can prove and guarantee that the funds will be only accessible by the owner, right? Because with any other solution, anyone who has the password is the owner and can spend the money. So here you have a solution that for the first time guarantee that only you can spend your own money, which is like great to know, right? No matter what device you have or no matter what secret you’re supposed to know.

Omer: So the liveness factor is very important to remember. And of course there is a lot of encryption that is done back and forth to guarantee the privacy and the security of the system so that the user can confidently use this solution.

3rd party risks

Sebastien: Okay. So I wanted to address a few things here. So this face scanning technique, you’re leveraging a third party solution, I believe it’s called zoom, I’m not mistaken. And so it’s not like the face ID that is used by Apple device or whatever. it’s, a separate solution. So there are a couple of things that I think men are meant to be addressed here. So one, this is a proprietary solution that I guess you guys are probably paying for or there’s some sort of a business relationship there. And so if this solution goes away and all of the proprietary intellectual property techniques or whatever that exist there, if they also go away, what happens to that you encrypted key that is encrypting that share. So that’s question number one. And my other question is what are the assurances that users have that yeah, because you have the user’s email address that you’re not also saving or somehow storing the key that’s generated on the device that’s meant to secure the secret share. Can you address both those issues?

Omer: Yes. So one principal in, in the entire Zengo system is that there is no single point of failure. So what it means in relation to your question is that there is a single point of failure, then we can not guarantee anything. If there’s another point of failure. I took the two points of failure, but if there’s a single point, like for example, this third party service, biometrics, something happens to them. So we are still, this is still one factor. So we are still left with the main methods of extracting the keys from the wallet and we assume that this is still a valid way to do it. So it’s very simple in this way and that way you can just add the same transaction or recover it using another factor. Second question was about how can you protect the user that we, we cannot steal the funds by pretending to be them.

So if we analyze this specific scenario of recovery, we still got the no, at no point in time there is like a single point that holds, the entire solution. Okay. So the user has a iCloud, which is something that we cannot access. So we assume that it’s today, it’s iCloud tomorrow it, it’s another a storage, that the user owns. But Zengo has no access to, and this stores one part of the unlocking mechanism, like a key or something like this. What we have is only a way to authenticate the user based on the biometric information that we are using the this mechanism. So in our side, we have an encrypted secret share that we cannot do anything with without access to this iCloud or storage of the user and also the biometric. So putting a, a company that provides us this a solution as only let’s say, access in the worst case to the actual face, but they cannot use it. They also don’t have access to, the iCloud and also to the secret share that is encrypted on ourselves. So no one is this in, in this scenario is like, access to a secret key except for the user that needs to combine his iCloud. The fight from the iCloud, meaning the access code for the iCloud, the email that he owns and and his face. So only combining those now the server is no way to, even if we had access to the face, we still don’t have access to the iCloud.

Assurances

Sebastien:
Okay. So the secret share, which is residing on the device, gets backed up encrypted by this key that’s generated by the facial recognition software. It gets backed up to ones iCloud account or any cloud service perhaps in the future. But my question was more around what are the assurances, because this is, I mean, it’s essentially a closed source software… one could say that that’s the case for any other mobile wallet or crypto wallet because it’s the, ah, the app store and we don’t have access to the source code. Are there, if any, any assurances that that secret share isn’t being sent over the wire to Zengo or that the encryption key isn’t also being sent over the wire? Are there any assurances at all there or do we have to trust Zengo that your software is not doing this?

Omer: Okay. So first of all, one correction, we are not using the face to generate the key. I would argue that this is very dangerous. We’re using the strong, the strong randomness of the device to generate this key that encrypts the secret shares that is later sent to the server. And the key is are kept on the device connected to iCloud. Okay, so this one correction, now you are touching a very good point, right? I mean eventually the comes, it’s all about trust. And a question is what can you trust and what you cannot trust. I mean eventually your device is designed and you’re using software for many vendors and the hardware manufacturers and you need to put some trust in them. And I think that it’s also, I know there’s a project about how to minimize the trust based in the Bitcoin full node. And eventually you need to think about it like who is writing the full node code.

So there’s a compiler that needs to one in order to actually compile it. Now who is liking the component? So this is another compiler and who writing this compiler. And eventually this project aims, I don’t remember his name, but aims to get to that, like the minimal trust based that you need. And here I think we’ve done something similar. Like we try to the trust base. So eventually, right there are some closed source elements that I hope to be open, that will be open soon. We are doing our efforts to open as much as possible from the system. And even if it was completely open-source, it’s still hard to make sure that eventually what’s open sourced and you see on Github is actually used in your application. Right? And it’s true for any application. Yeah.

Sebastien: Yeah. it’s, actually impossible to do so with an app in the app store or even Google play.

Omer: I agree with you that, I mean, to my knowledge it’s, impossible to do it. It’s a great computer science question. So what we are trying to do, and this is what we all about, is trying to minimize the trust-based that they user the rest of trust. So again, this is a specific scenario of recovery and there’s like a huge tree of scenarios for recovery or other stuff that you can do in there. And in this specific case you are looking for a specific attack surface and we tried to do the best to minimize the trust base.

Open-source is not a garuntee of security, and Garunteed Access Solution

Ouriel: So what I was saying is that the, remember there is open source is never a guarantee of security. There is a longer track record of open source solutions that have been compromised including in the wallet space. So what we’ve tried to do is as Omer saidy to be in a more trust minimize environment, we have open source entirely our cryptography, which has been peer reviewed. We’ve run multiple security audits, penetration tests, they have been made public on our website we have created. We have a great team, we’ll talk about it, about a guaranteed access solution, that if even if we get out of business and stop operating, the funds will remain accessible. And over time as we progress, things will be more transparent, more open, more distributed, more decentralized. If we can say we had to start somewhere, we bringing a new flavor and this, the new favor will blossom fully over time.

Sebastien: Okay. We’re not going to have time to go into this procedure that you’ve outlined, in order in case Zengo goes out of business. But I will link to that in the show notes for anybody who’s interested. Zengo has a whole process around like what happens if the company ever goes out of business, how can one recover their funds.

So I wanted to ask you about the broader evolution of the wallet space. So right now, I mean, wallets are pretty much compatible. So for example, you generate a seed on a ledger, you can take that seed and move it into Electrum and still be able to recover your Bitcoins. I think you could probably even… put it in like a multi currency wallet, like Jaxx for example, and have access to the whole tree of HD keys. They’re giving you access to them… funds in different currencies.

So there’s, there’s interoperability there with something like Zengo now that we’re relying on multi-party computations and where there, there isn’t a standard at the moment. Do you foresee that different wallets will effectively different closed ecosystems and users will not have that interoperability or it’s you see some form of standardization emerging in the space.

Ouriel: So our bet is that convenience is going to trump principals and that people will value more anything that makes them their life easier as long as set of core principles are respected.. and not everyone is security expert or not everyone has to know that everything is perfectly decentralized. As there are many, many projects that are going to onboard, very soon, a lot of people to the crypto space, whether it’s telegram, whether this is Geico in Asia, whether this is possibly, maybe even Facebook one day, who knows? And these type of users don’t even ask those questions. They will need something that just works and that Felix crisp and that can be used on a daily basis. It is true and you are correct to point to the fact that the users will need to understand that they are in control, then they have the proper guarantees and that the security is in a way safe and of quality.

So it is our job to be at that overtime to provide the right foundation of trust, the right services around it, the right protection mechanism. I cannot reveal secret plans already, but I can tell you for a fact that a few months from now people will look at Zengo and we understand why they have an interest to store their funds with us versus like a traditional wallet as they exist today. And so I think it’s still very, very early days. What we do see from our first users that are trusting us to deposit their funds and sometimes in very high volumes, is that for them that convenience is the primary factor that they have, chosen, over the rest. And this is why, by the way, the majority of the funds are still stored in exchanges. It’s not because they are by design more secure. They are by design the opposite.

They are everything but secure. They are traditional point of failures and we’ve seen that with the hacks that have happened recently. It’s just that they are so convenient, they are just easier to use and so as long as the space is still in this current status where non-custodial are less convenient to use, then their counter parties people will prefer constituent solutions and what we’re trying to bring here is something that is like I said in introduction, best of both worlds where you are still in control, your phones are on chain, you have guarantees that your funds will be accessible.

If we stop operating, you are not constrained to a specific assets because a smart contract worked for this and doesn’t work for that. You are not constrained to multisig here because it’s not baked in other chains is just more convenient and you still are in control but you still enjoy the services of a server that is always on and can assist you of course for onboarding you for helping you recover, do all sorts of wonderful things that server can done in the wild space. So our, our take on that is that the market is evolving, the needs are evolving and that we are in a phase where convenience is going to become a lot more important than pure core principles of decentralization and security. Not they are not important but the weight is being reevaluated.

Evolution of the wallet space, and interoperability

Frank: Totally. Just before we wrap up, I wanted to talk about, and you’ve touched on this point, when it comes to the evolution of the wallet space. So today already we are seeing your different roles have different specializations and focus. So there are a bunch that maybe it’s something like instaDApp or Ziri on or some Etherium wallets very much… fully focused on Ethereum may maybe focused on different defi applications there. There’ll be some other stuff focused on Bitcoin some others are focused on like supporting lots of cryptocurrencies, maybe others focused on staking. How do you see that space evolving and where do you think Zengo will fit in this… larger universe of different wallet providers?

Ouriel: So the space is definitely very crowded and definitely very noisy. We do believe in the future there will be many, many, many, many flavors of what is the same way we have today in our chat first world. Many, many flavors of banks and financial services. So it’s not going to be a winner take it all, not even winners. It’s going to be just very, very atomized. Need to make a difference though between like what you mentioned, there are companies that are just interfaces and some that are actual wallets meaning managing the private key. So some of them are not handling that at all. They are just like pretty cosmetic services and private key management is handled by others. We are in both spaces. We overlap both. And again, convenience is what matters. So we handle both parts. We do believe that in the future you will have solutions for every tastes you will have people will value absolute privacy and control and they will be comfortable with a solution where own their own security as it was the case until today.

And you will have, people will value certain specific chains more than others for doing whatever collectibles, or defi, and they will be fine with that thing.. and people will value convenience and they will be a veriety of solutions there. What we do not see happening is everything, consumers or investors download 30 wallets and 40 solutions on their mobile phone or around them. It’s just unimaginable. And the way we think about Zengo is as the remote control of your digital assets.

We are operating in the cryptocurrency space. We operate with Bitcoin, Ethereum, Binance, Libra to more and more. But we are essentially designed for helping consumers and investors managing all their digital assets no matter what they are, whether they are cryptocurrencies, digital identities, title of properties, collectibles and all those things. And so we believe in the existence of remote controls. And we believe in the simplification of the space. I don’t know if we, we will certainly not be the only one to do that, but this is how we see the space going. Also, I don’t think there will be room for many walls that don’t have a business model and this is actually sadly the case today. Most of them depend on third party revenues. They don’t control, so we think they will be of an evolution also in that area.

Business models

Frank:
Yeah, so that, I think that brings us to our last question, which is is around the business models that we haven’t talked about that so far at all. Yeah. How do you see that evolving? What are different… possible business models that you will pursue for Zengo?

Ouriel: So I won’t really reveal all the secrets that we are preparing because our route is pretty unconventional. But I will give you just some hints about where we’re going. First, like today, most wallets are depending on third party integrations, which means that most wallets do not control their revenues. They’re deriving revenues from affiliate fees, whether this is by generating traffic to exchanges, to worldwide sales, or plugging services to buy crypto with a credit card, or loans and stuff like that. The reality is that most of those revenues are not enough to sustain a company. A wallet, and it’s not said enough, is an extremely expensive operation to handle. It’s not a lightweight software. There is a lot of things behind the development, the security, the auditing, the maintenance of the platform, the support. So you need something better for that.

And so what we want is to launch probably early next year, a set of services that will be specific to the way we operate and that will augment the experience of the wallet and hopefully those services will provide sustainable revenues, revenues that we control, that we are able to operate and to perform at scale. And, I cannot reveal all the details of what they will be right now. So let’s do another podcast if you want Q1 next year and maybe we’ll have an opportunity to discuss that more, but I can tell you that they will not be dependent on the integration of third party services.

Frank: Okay, cool. Well, I’m curious to see what’s going to come there and yeah, certainly I think business models for wallet is a very interesting space and we will see lots of lots of evolution in that, so yeah, thanks so much for, for joining us.

Ouriel: It was a pleasure.