TL;DR We want to add privacy to the IC by enabling canisters to perform threshold key derivation
Summary
Empower dapps to perform encryption, threshold decryption, and signing on the IC by allowing canisters to call a threshold key derivation interface. This feature will enable canisters or individual users to encrypt messages under the public key of the subnet, so that they can be decrypted by calling the threshold key derivation interface for the corresponding decryption key that is secret-shared among the replicas. Integrating this feature will enable canisters to store end-to-end encrypted user data (e.g., storage, messaging, social networks) without having to rely on browser storage for user-side secrets, as well as enabling transaction privacy within canisters (e.g., closed-bid auctions, front-running prevention).
Status
Discussing
Key People Involved
@gregory, @andrea, @ais, @franzstefan, & @victorshoup
Timelines
- 1-pager on the Forum (to follow shortly after we see your first comments/requirements)
- 1st Community Conversation (Concept, context, and use cases, community questions. Confirmed for Nov 29th - Register here!)
- 2nd Community Conversation (Presentation of proposed design)
- NNS Motion Proposal (to approve design + project)
- If the NNS Motion Proposal passes, implementation and deployment would take a few months
Description
The promise of blockchain technologies is to remove a central point of trust allowing anyone to read, write, and verify data on the system. This is often achieved by making operations and data stored on blockchains publicly visible. While this transparency can be useful to build the trust needed in a decentralized system, it can also be prohibitive. This includes using blockchains for public, but also for private and business reasons. Removing a central point of trust should not mean that everyone should sacrifice confidentiality of their data.
Given the existence of public-key encryption, it’s easy to encrypt data and send it or store it on a blockchain, but problems arise when we want to decrypt, especially in the distributed setting. Storing the decryption key on a user’s device is secure and useful in the traditional E2EE case, but if we want to share decryption capabilities, while still maintaining privacy (no single node knows the key), a flexible approach is to require the participation of some threshold of parties. In this proposal we aim to build such a threshold (decryption) key derivation scheme.
High level objective
- Make a threshold key derivation Interface
- Canisters can obtain encrypted threshold signatures
- Allow symmetric encryption and public key / identity-based encryption
Proposal description: Motivated by E2EE and front running use cases, we aim to build a flexible and scalable solution to achieve user privacy by means of a new cryptographic building block called verifiably encrypted threshold key derivation (vetKD). In brief, vetKD can be seen as the key derivation of an (identity-based) encryption scheme where the master secret is secret-shared among a set of servers that can assist users in deriving keys by sending encrypted shares of those keys to the users. The shares are encrypted under a public key provided by the user, so that the servers do not learn the derived key, but can verify that a ciphertext indeed contains a valid key share. Users are therefore guaranteed to recover the correct key if they receive sufficiently many encrypted shares.
A first sketch for an Interface that you can call on the mgmt canister would like something like:
derive_encrypted_key(master_key_id, transport_public_key, identity) -> EncryptedKey
Potential applications include:
- End to end encryption
- Secret bid auctions and MEV protection
- Time-lock encryption
- Dead man’s switch
- …
Next steps
The first step is to get feedback from the community. We’re particularly interested to hear what are the issues you have faced wrt privacy or confidentiality. Is there something you couldn’t build because you didn’t have this feature, or do you have specific examples of where it could be useful?
We then plan to outline a design and present it in a community conversation, after which we’re happy to take comments and to adapt. Beyond this, we plan to open the more general privacy conversation by hosting twitter spaces and growing a community in the privacy portal.
Then we’ll issue a motion proposal, which, if accepted, will spark development.