A question about Nillion

[johnnynanjiang]

Hi Nillion,

I came across Nillion via Twitter, and am keen to understand how it works in more detail, as I've been looking for a decentralized MPC network as the infrastructure for our next generation crypto wallet.

As per Nillion vision paper, with the following details:

Compute: Allows the processing of data utilizing particles under ITS. For example, the owner of the private key can now send particles from a transaction to Nillion and have the nodes sign the transaction on their behalf without ever having to reconstruct the private key. Thus, the owner is able to reconstruct the signed transaction and send it to a blockchain (e.g. Ethereum) at roughly the same speed as a centralized client-server transaction.

A unified multi-chain wallet with ITS authentication: Nillion enables a true multi-chain wallet by allowing a user to securely store all the private keys from different blockchain wallets in a single, completely decentralized, Nillion account or wallet (that is itself secured via authentication factors that are decentralized and stored in Nillion). The keys are kept in particalized form so that an attacker would have to compromise an unfeasibly large proportion of all Nillion nodes in order to piece them back together. NMC also has the ability to perform computations across these particles, allowing a multi-chain wallet to sign transactions and interact with decentralized applications without ever having to reconstruct the keys on a centralized server, and without the need for the nodes to exchange messages.

May I assume that the private key would be distributedly stored among the network nodes as key shares, once the access conditions and consensus are met, the nodes would use the key shares to sign the tx and aggregate the signatures to form the final signature?

If that is the case, I would like to see if, architecture wise, is it possible to hook up some custom code at the pre-signing point, in order for third parties to do something like scam check and suspicious recipient address check etc.

Thanks and regards,

[twilker]

The data, which in this case is the private key is not split. It is masked using a blinding factor. The blinding factor itself is than split into parts and each node gets the data (masked private key) and the blinding factor part. To calculate the signature each node is doing the calculation simultaneously and independent of each other. This calculation can do arbitrary checks before the signing process, as in the final stage of the network it should be possible to execute arbitrary code on the data.

TL;DR: Yes it should be possible.

P.S.: I am not an official part of the team, just a fan following and studying all available information.

[johnnynanjiang]

Thanks @twilker for your detailed answer, it helps.

A couple of further questions

1. What is the reason for the fact that the private key is not split, but the blinding factor? As I guess technically splitting private key and blinding factor are the same, so I assume there must be some valid reasons for that.

2. Are there any example projects that I can reference to in order to see the code to learn how Nillion works? Especially how to generate a private key and use it to sign?

Thanks in advance

[twilker]

For the first question. The reason is that splitting the private key is what SMPC protcols are doing these days. >This leads to the mentioned restriction, that you can only do addition but no multiplication without internode communication. By using the blinding factor, which is essentially the exponent of tha masking function they changed this property and enabled to do multiplications as well.

For the second question you should find what you need here: https://github.com/nillion-oss/tinysig I must say, that I had not the time to read and understand it, but from what I read in the technical paper, this should be a good protypical implementation, that is even specific to generating signatures.

[johnnynanjiang]

Thanks @twilker , your answers helped a lot.

I found the following statement in Nillion Whitepaper.pdf, and got the point of your answer, the blinding factor is to improve the performance by reducing the inter-node communication If I understood correct.

In state-of-the-art SMPC, every multiplication requires the exchange of 2N2 messages in a network with N nodes. In NMC, it involves a local multiplication between particles that requires no message exchange. 

One concern is that, since the private key is not split, would it be a risk of the private key being exposed entirely?

[twilker]

It does not matter. The key is masked and you can think of masking as a one time pad. Meaning it is information theoretic secure. There is no extractable information in the masked value. That is why it's called Nillion btw.

[johnnynanjiang]

Thanks @twilker for your help, it has been great.

[Anillion]

Hey @johnnynanjiang, thanks for all your questions. I would love to talk with you about the possibility of helping you with your build. We have a specific program for early builders, the Nucleus Program, which provides builders with early access to the SDK and supports them with technical and business support. Do you want to have a chat about it? I would love to learn more! Best wishes, Lukas (email: [email protected])