Cryptocurrencies and digital assets are the quintessential new industry, typified by fast-moving markets and rapidly evolving technology cycles. Anyone exploring this new asset class quickly encounters the concept of a private key, and there is an abundance of literature evidencing the need to keep private keys secure at all times. The preferred method for key management and security has evolved over the years; here are some of the most common solutions available on the market today.
Early custody solutions provided private key security through cold (offline) storage. They act as a form of secure depository: they take delivery of customer assets into their care and house them in a secure facility, where the private key associated with the deposit address is protected by hardware security modules (HSMs). HSMs, seen at the time as the gold standard for cryptographic key management, came with the desirable FIPS Level 2 certification. However, custodians often ran custom executable code, for example using CodeSafe, to execute sensitive processes within the HSM perimeter. With new code comes a new layer of trust on top of the hardware security itself, and withdrawal processes included manual video verification by customer-approved persons.
Many customers were happy with the physical, cyber, and operational security of these cold storage providers. They may even have got comfortable with assurances around how customer assets remain bankruptcy remote. However, customers of these providers also suffered long withdrawal times, ranging from several hours to as much as 2 days. In a highly volatile market characterized by 10% price drops in minutes, and coupled with requirements to pre-fund trading accounts, this presented a real operational cost to a trader’s profit and loss performance.
New entrants to the space took note and brought MPC (Multi-Party Computation) wallets to market. This solution leveraged a technology with a longstanding focus in academia but little use in industry. MPC promised security guarantees similar to cold storage, with the added functionality of instant access for withdrawal.
Specifically, MPC strengthened key signing operations by addressing the private key as a single point of compromise: the key is created as multiple private key shares divided between parties, so that no single party holds the complete key. A common setup is the 2-of-2 MPC signature scheme, where one key share resides on the end user’s device and the second is secured on the vendor side. The market voted with its dollars, and MPC wallets rapidly became the first-choice solution for investment professionals needing to secure their digital assets and access them quickly.
Customers then switched to MPC wallets in even greater numbers following the major risk management failures, and more sinister charges, around the bankruptcy of Celsius, FTX, and others. This led to a renewed focus on customers needing some control over their keys in the face of counterparty risk. The logic is that MPC wallets allow an institution to hold a key share, which gives it some sense of control. That is better than trusting a provider with the entire key and swapping a direct ownership claim on an asset for a fractional claim should the provider fail to back its liabilities with assets 1-to-1. However, this only scratches the surface of what control and ownership of digital assets means, and to believe that holding a key share is enough to give you control would be turning a blind eye to everything else that determines the correct use of private keys.
In trying to solve for the private key, the market has knowingly or unknowingly ignored the other components in the architecture that play a role in the correct use of private keys and in providing service availability. Mature organizations, or those with a high security posture, know that they can better manage risk when processes, people, and systems are within their perimeter rather than externally provided by a black-box SaaS provider. As such, the next step is to redraw the lines in the shared responsibility model between customer and vendor: can a self-custodial customer safely take more control than just a key share?
The underlying principle is simple: why trust a vendor to run secure custody software on a server if there is a tool that allows you to independently run the same custody software on multiple servers yourself? This could even be co-hosted with the vendor, or run as part of a group structure in which all members need to participate in signing and custody processes. In these scenarios each server in the cluster receives the same requests and processes them in the same order, resulting in the same uniform view of state across all servers. Each party independently computes, and the parties then collectively confirm that they agree on, transaction activity, policies, reconciliation, settlement confirmation, and general activity since inception. As long as there is an honest majority, the agreement is reliable. There is also a tolerance for server failures or crashes, which gives this setup stronger operational resilience than a centralized vendor model. Since each server runs the same processes underneath, each independently signs and attests to compliance with IAM rules, business logic, authentication, authorization, version control and more, minimizing the need for trust.
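As an added illustration (example code written for this page, not the vendor's software or code from the original post), the toy replicated policy engine below shows the idea: every server applies the same ordered request log, attests to its resulting state with a digest, and the cluster accepts only a state backed by an honest majority, flagging any server whose state diverges. Server names, the request log and the whitelist/limit policy are constructed, and a `faulty` flag stands in for a buggy or compromised server.

```python
import hashlib
import json
# Constructed sample request log, delivered to every server in the same order.
REQUESTS = [
    {"id": 1, "type": "set_policy", "max_amount": 100, "whitelist": ["addr_A", "addr_B"]},
    {"id": 2, "type": "withdraw", "to": "addr_A", "amount": 40},   # within policy
    {"id": 3, "type": "withdraw", "to": "addr_C", "amount": 10},   # destination not whitelisted
    {"id": 4, "type": "withdraw", "to": "addr_B", "amount": 500},  # exceeds per-transaction limit
]

class Replica:
    """One custody server: applies requests deterministically and attests to its state
    with a digest, so honest servers that saw the same log produce identical digests."""
    def __init__(self, name, faulty=False):
        self.name = name
        self.faulty = faulty  # a buggy or compromised server skips the whitelist check
        self.policy = {"max_amount": 0, "whitelist": []}
        self.approved = []  # ids of withdrawals this server is willing to co-sign

    def apply(self, req):
        if req["type"] == "set_policy":
            self.policy = {"max_amount": req["max_amount"], "whitelist": list(req["whitelist"])}
            return "policy_updated"
        within_limit = req["amount"] <= self.policy["max_amount"]
        whitelisted = req["to"] in self.policy["whitelist"]
        ok = within_limit if self.faulty else (within_limit and whitelisted)
        if ok:
            self.approved.append(req["id"])
        return "approved" if ok else "rejected"

    def attest(self):
        state = json.dumps({"policy": self.policy, "approved": self.approved}, sort_keys=True)
        return hashlib.sha256(state.encode()).hexdigest()

def run_cluster(replicas, requests):
    # Feed the same ordered log to every replica; return name -> state digest.
    for req in requests:
        for r in replicas:
            r.apply(req)
    return {r.name: r.attest() for r in replicas}

def majority_agreement(attestations):
    """Return (digest, votes) when a strict majority attests to one state, else (None, votes)."""
    counts = {}
    for digest in attestations.values():
        counts[digest] = counts.get(digest, 0) + 1
    digest, votes = max(counts.items(), key=lambda kv: kv[1])
    return (digest, votes) if votes > len(attestations) // 2 else (None, votes)

def dissenters(attestations, digest):
    return sorted(n for n, d in attestations.items() if d != digest)
```

With two honest customer servers and one faulty vendor replica the honest state wins and the vendor is flagged; with a faulty majority the same code converges on the wrong state, which is exactly why the honest-majority assumption matters.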
In summary, these custody progressions are also progressions along the spectrum of trust: moving away from cold storage and SaaS-based MPC wallets, which require maximum levels of trust, on to a “trust but verify” model in a co-hosted deployment between customer and vendor, or graduating to “never trust, always verify” by running the vendor’s software exclusively on the customer side. So, if holding a key share gave the customer a say in the signing process, then allowing them to run their own custody software on their own servers effectively lets the customer check the vendor’s work in a co-hosted model, or disintermediate the vendor entirely from the custody service and operational processes when fully self-hosted.
This really puts the power back into the customer’s hands and caters for those who want significantly higher levels of self-sufficiency and to move away from custody solutions that run software as a black box and require uncomfortable levels of trust. Regulated financial institutions and security-first enterprises understand that outsourcing does not absolve them of responsibility for risk, and it is these firms that are the first movers migrating to a co-hosted or fully self-hosted model, which is increasingly the norm for enterprise clients.