MPC in WaaS
Wallet as a Service uses a sub-field of MPC called Threshold Signing (TSS) (with a 2-of-2 scheme).
With TSS, key shares are generated in a distributed way without actually producing a whole key on any one machine. As a result, and with the exception of exporting keys, WaaS private key shares are never combined nor exposed and have no single point of compromise.
When you export keys, you are taking full control of all key shares which necessiates unifying them.
2-of-2 Scheme
WaaS uses a 2-of-2 scheme to generate key shares (and wallets), meaning that two key shares are generated and both are required for signing.
WaaS does not currently combine MPC with multi-sig and employs an M-of-M scheme. See What is MPC?.
A private key is like the combination to a safe, while a wallet is like the safe itself. You need the combination (private key) to unlock the safe (wallet) and access its contents (cryptocurrency funds).
Sometimes, however, the term private key and wallet are used interchangeably. This is the case for wallets that only store one private key (such as paper, hardware, and some mobile wallets). WaaS mobile wallets store one private key share so that when you create a key share, you also create a wallet.
Key Storage
WaaS stores key shares as follows:
- Server key share (1-of-2) is stored within Coinbase infrastructure.
- Device key share (1-of-2) is stored on the end user’s mobile device.
Each of these key shares is a random cryptographic string that can not be used alone – both key shares are necessary to generate signatures with the underlying key. A single key share alone cannot create a valid signature.
When signing a transaction or message, a distributed signing protocol is run between the mobile device and WaaS services. To generate a valid signature, each key share independently signs the payload to create a partial signature. One partial signature happens on Coinbase infrastructure, the other on the end user’s mobile device.
Key Generation
Key shares are generated on a mobile device (iOS or Android). A distributed key generation protocol is run between a user’s mobile device and a Coinbase server, resulting in one key share being generated on each.
Key shares generated on a mobile device ("device shares") are simultaneously encrypted by an enclaved key. Enclaved keys (Secure Enclave on iOS and hardware-backed keystore on Android) are used for encryption and decryption operations and generated with operating-system level APIs.
Enclaved keys are non-exportable, and access to these keys is gated on biometric-based security offered by the operating system.
Key Management Principles
The WaaS APIs are designed to protect keys and simplify complex cryptography, so customers can focus on building rich, intuitive web3 experiences for their end users.
Our principles:
- Coinbase cannot act unilaterally on behalf of an end user.
- End users can export their keys and take funds off platform without Coinbase participation.
- End users can easily restore key access (e.g., no mnemonics or seed phrases).
Again, our MPC protocols secure keys with decentralization--instead of a single entity holding a key, multiple parties each have a share of the key.
Shares are never united, not even when the key is being applied. This eliminates single points of failure and greatly enhances security. To steal a key, multiple devices would need to be compromised at the same time.