| title | Embedded Wallets' Shamir Secret Sharing Architecture |
|---|---|
| sidebar_label | SSS architecture |
| description | Secret Sharing Architecture - Embedded Wallets Infrastructure | Web3Auth Wallet Infrastructure |
import ExpandingSharesFlow from '@site/static/img/embedded-wallets/infrastructure/expanding-shares-sss-flow.png' import KeyInitialisationFlow from '@site/static/img/embedded-wallets/infrastructure/key-initialisation-sss-flow.png' import KeyReconstructionFlow from '@site/static/img/embedded-wallets/infrastructure/key-reconstruction-sss-flow.png' import SSSArchitectureFlow from '@site/static/img/embedded-wallets/infrastructure/sss-architecture-flow.png' import Options from '../_partials/_sdk-key-model-table.mdx'
This document provides an in-depth exploration of the technical architecture of the Shamir's Secret Sharing (SSS)-based SDKs, this includes the current Plug and Play and Single Factor Auth Mobile SDKs.
SSS is a base form of Multi-Party Computation (MPC) that splits a secret into
:::note
Alternatively, consider the MPC architecture which does not fully-reconstruct the key.
:::
The accompanying image illustrates the typical flow of wallet management within the SSS infrastructure.
<img alt="SSS Flow and Components" style={{ display: 'block', maxHeight: '500px', margin: '20px auto' }} src={SSSArchitectureFlow} />
Auth nodes provide a user-specific key based on some form of attestation from the user. This attestation could come in the form of an OAuth login from an existing account, a traditional email account login, or even biometrics. Nodes need not return a private key, but need to fulfill the interface:
$retrievePubKey()$ $encrypt(msg, pubKey)$ $decrypt(msg)$ $sign(msg)$
For ease of illustration the rest of this document assumes that this is implemented with secp256k1 keys and ECIES. The key retrieved from the nodes is referred to as an encryption key or
The storage layer serves as a persistent data store for storing encrypted metadata. Examples of such systems include IPFS, Arweave, Sia, or even Byzantine Fault Tolerant (BFT) layers. Data availability and cost are the main factors to consider but the choice of storage layer is ultimately up to the implementer.
Our SSS infrastructure utilizes
The SSS infrastructure is dependent on user devices to store shares. The base flow accommodates a single device, but users can use multiple devices to increase the threshold once they have an initial setup. Access to device storage on the user's device is implementation specific. For example, for native applications on mobile, they can make use of the device keychain.
This is generally not used during normal operation, and is intended for use in key recovery / share refresh if the user loses their device or shares.
Key handling begins in response to a user-triggered action, such as logging in. At this stage, the system attempts to retrieve any existing encrypted metadata associated with the user.
If metadata is found, the user is an existing user. The metadata is decrypted using the nodes'
If no metadata is found, the user is treated as a new user, and a new key is initialized. In this case, a 2-of-3 Shamir's Secret Sharing (SSS) polynomial is generated, producing a private key and its corresponding shares.
We select a polynomial
-
$f(0) = \sigma$ denotes the private key scalar to be used by the user -
$a_1$ is a polynomial coefficient to$z$ -
$f(z_1),f(z_2)$ and$f(z_3)$ are ShareA, ShareB, and ShareC respectively
<img alt="Key Initialisation Flow" style={{ display: 'block', maxHeight: '500px', margin: '20px auto' }} src={KeyInitialisationFlow} />
ShareA is stored on the user's device, ShareB is encrypted with the
<img alt="Key Reconstruction Flow" style={{ display: 'block', maxHeight: '500px', margin: '20px auto' }} src={KeyReconstructionFlow} />
If a user has logged in previously, they reconstruct their key by decrypting ShareB (retrieved through the storage layer) and combining it with ShareA on the user's current device using Lagrange interpolation.
Provided with a user input,
In the case of secret resharing, we can also conduct the deterministic generation of the
It is important that
Candidate qualified questions should have deterministic answers (such as, "your parent's birthday" or "your city of birth"), rather than "what's your favorite singer?". To accommodate for cases that users tend to forget their answers, there is a further potential of splitting the answers themselves via SSS such that the user can answer 3/5 questions, giving redundancy.
In the case of adding a new device, the user needs to migrate a share to the device to reconstruct their key. This can be done via user input or through a login to a current device.
<img alt="Expanding Shares Flow" style={{ display: 'block', maxHeight: '500px', margin: '20px auto' }} src={ExpandingSharesFlow} />
On reconstruction of
Utilizing the storage layer, we are able to generate new shares for all devices, regardless if they are online or offline. This allows us to remove devices from the sharing, allow the user to change their security questions and/or adjust their security threshold. The key concept here is utilizing published share commitments as encryption keys to retrieve shares on the most updated SSS polynomial.
This is illustrated from a 2/4 SSS sharing
Given the user loses device D holding
The user generates a new 2/3 SSS polynomial
On login to device B, the user retrieves
Resharing allows us to share a key on a new polynomial with a different degree/threshold, allowing us to also increase a user's security/factor devices or inputs to reconstruct their key as they require it. This can be incrementally done as needed.