In general, cryptocurrency wallets don’t store actual crypto coins. What they do store is secret key pairings (public and private keys) used to authorize transactions on blockchain distributed ledgers.
With the public key, anyone can make payments to the wallet but only the holder of the private key can access or transfer crypto from that specific wallet. The private key is also the only way to prove ownership of digital assets and that makes them your customer’s most valuable possession.
Keeping your private keys safe is, in fact, the key.
That’s where key management systems (KMS) come into play. These are a set of cryptographic protocols developed to provide privacy, data integrity, identification, and authentication.
As digital payment technology has advanced, cybercrime intent on compromising it has too, and both of those scenarios have led to the evolution of key management systems.
There are different ways for managing cryptographic keys, but three of them are the most popular when it comes to securing digital assets - Single-sig, Multi-sig, and MPC.
We’ll give you an overview of what they are, how they differ, and which one will give your crypto app the highest level of security and functionality.
KMS helps organizations manage and maintain cryptographic keys in order to prevent unauthorized individuals from accessing or corrupting sensitive data.
But are all KMS created equally?
Let’s explore your options.
With the single-sig method, you have just one signer with one private key. This means that only one encrypted key is needed to authorize a transaction. Have access to that one key? Then you have access to that wallet address and all of the digital assets therein.
It is one of the most common KMS for cryptocurrency wallets as it’s fast and easy to execute but the beauty of its simplicity is also its downfall.
With only one key and no further authorization process, the single-sig provides the lowest level of security, opening up the possibility of a loss of access to funds through human error, data breaches, thefts, and other cybercrime attacks.
Multi-sig or multi-signature method requires multiple signatures of two or more private keys to authorize a transaction. Each signer (or device) holds a separate private key, and all keys are needed in order to authorize a transaction.
Think of the 2-step identification process adopted by most online banking platforms. Try to sign in to your account on your laptop, you’ll get a notification on your smartphone, and only when you authorize that will you be granted access.
Multi-sig has been adopted by many digital wallets, large platforms, and exchanges as it helps to share responsibility when handling funds. More importantly, it avoids the single point of failure associated with the single-sig.
Generating and storing keys on completely separate devices increases the number of potential failure points making it harder for cyberattacks.
Harder, but not impossible.
There are still privacy issues as multi-sig takes place “on-chain” meaning that the access structure (number of signers) is exposed. Having on-chain information for the different signers also means the cost of multi-sig transactions is higher.
Setup is more complex than single-sig, transaction speeds are slower and if one of the keys is compromised, then recovery can be another long wait.
The main complaint of multi-sig is the fact that it’s just not very flexible. Its pre-set features mean it has to be reimplemented for every blockchain, or at least every one it actually support.
So what does that leave you with?
Many digital wallets are starting to utilize MPC (Multi-Party Computation) as one of the most secure ways for key management and signing transactions. With MPC, security is no longer controlled by one or more entities with their own private key. Instead, the key is derived from individual fragments separately generated by multiple non-trusting computers. This means that multiple parties can perform joint computation without any data being shared or leaked.
MPC also includes a Threshold Signature Scheme (TSS) - a digital signature protocol in which a threshold must be met before a transaction can be authorized. For example, four out of six key shareholders can sign on behalf of the entire group. It adds an additional layer of security, as any would-be hackers are unable to see which four of the six signs.
With only one private key created and authorized collectively and a fully decentralized transaction, MPC is a more data light method and therefore leads to lower transaction fees.
It’s more flexible too. Unlike Multi-sig, MPC happens off-chain with only one single signature broadcast on-chain, providing additional layer of security. Multi-Sig solutions also have pre-set features, whereas MPC-based solutions are quickly and easily scalable due to their adaptability to sudden changes, such as - blockchain forks, larger client pool, and technology advances.
The key sequence can expand to assign new signers without the risk of exposing, altering or damaging the private or public keys. MPC can also be easily configured for desktop, mobile or other service devices suitable for authorization processes.
Unlike multi-sig, MPC has no limitations in regard to blockchains. It can be easily integrated with any new blockchain and cryptocurrency, as MPC is protocol-agnostic.
In addition to that, with MPC multiple parties can perform joint computation without the risk of any data being shared or leaked, maintaining complete privacy.
All of these key management systems have their role and importance for securing private keys and have multiple uses cases in the blockchain ecosystem. Choosing the right KMS for your business depends on the nature of your operations, custody preferences, and often, is related to following certain regulations.
Crypto APIs provides MPC-based digital wallet, with the option for hosted, hybrid or on-premise wallet types. Our product suite also includes open-source KMS that gives the freedom and flexibility to choose the custodial model. If you would like to learn more and explore the best solution for your needs, contact our team.