Try   HackMD

CryptoKona MPC Wallet Setup

To use your FIDO2/Passkey-compatible device (like the CryptoKona card) as part of an MPC (Multi-Party Computation) setup, you need to focus on leveraging the cryptographic capabilities of the FIDO2 protocol while integrating it into a distributed key management system. Here's how you can achieve this:

1. Understanding FIDO2/Passkey Limitations

FIDO2/Passkey devices are primarily designed for authentication (e.g., logging into websites or apps) and not for key storage or blockchain transaction signing. However, they do have some cryptographic capabilities that can be repurposed for MPC:

  • FIDO2 Key Pairs:

    • FIDO2 devices generate a public-private key pair for each service (relying party).
    • The private key is stored securely in the device's hardware and cannot be exported.
    • The public key is shared with the service for verification.

  • Signing Capabilities:

    • FIDO2 devices can sign challenges (e.g., for authentication), but they cannot natively sign blockchain transactions (e.g., Bitcoin or Solana).

  • No Direct MPC Support:

    • FIDO2 devices do not natively support MPC or threshold signatures, so you will need to build a custom solution around them.

2. Using the CryptoKona Card as an MPC Part

To use the CryptoKona card as part of an MPC setup, you need to repurpose its FIDO2 capabilities and integrate it into a distributed key management system. Here's how:

Step 1: Generate a Key Share on the Card

  • Use the FIDO2 protocol to generate a key pair on the CryptoKona card.
  • Treat the private key generated by the FIDO2 device as one key share in the MPC setup.
  • The private key never leaves the card, ensuring security.

Step 2: Combine with Other Key Shares

  • Generate additional key shares on other devices (e.g., a secure server or the user's phone).
  • Use an MPC protocol (e.g., threshold signatures) to combine the key shares for signing transactions.

Step 3: Signing Transactions

  • When a transaction needs to be signed:
    1. The card signs a challenge or partial transaction using its private key (key share).
    2. The other devices sign their respective parts of the transaction.
    3. The signatures are combined using the MPC protocol to produce the final transaction signature.

3. Custom Integration with FIDO2

Since FIDO2 devices are not designed for MPC, you will need to develop a custom solution to integrate the CryptoKona card into the MPC workflow. Here's how:

Step 1: Develop a Custom FIDO2 Applet

  • Use the Java Card 3.0.4 and GlobalPlatform 2.2 capabilities of the CryptoKona card to develop a custom applet.
  • The applet should:
    • Generate a FIDO2 key pair.
    • Participate in the MPC protocol by signing partial transactions or challenges.

Step 2: Use FIDO2 for Authentication

  • Use the FIDO2 protocol to authenticate the user and authorize the use of the key share stored on the card.
  • This ensures that only the legitimate user can access the card's key share.

Step 3: Secure Communication

  • Use BLE 4.1 to securely communicate between the card, the phone, and the server during the MPC process.
  • Encrypt all communication to prevent eavesdropping or tampering.

4. Example Workflow

Here’s how the system would work in practice:

  1. Key Generation:

    • The CryptoKona card generates a FIDO2 key pair (public and private key).
    • The private key is treated as one key share in the MPC setup.
    • Additional key shares are generated on the server and phone.

  2. Transaction Signing:

    • The user initiates a transaction on the phone.
    • The phone sends a partial transaction to the CryptoKona card.
    • The card signs the partial transaction using its private key (key share).
    • The phone and server sign their respective parts of the transaction.
    • The signatures are combined using the MPC protocol to produce the final transaction signature.

  3. Recovery:

    • If the card is lost, the user can recover access by combining the key shares from the server and phone.

5. Security Considerations

  • Key Share Protection:
    • The private key on the CryptoKona card is stored securely in the hardware and cannot be exported.
  • Encryption:
    • Encrypt all communication between the card, phone, and server.
  • Phishing Protection:
    • Use FIDO2 for strong authentication to prevent unauthorized access.

6. Tools and Libraries

  • FIDO2 Libraries:
  • MPC Libraries:
  • Java Card Development:
    • Use Java Card development tools to create a custom applet for the CryptoKona card.

7. Conclusion

While FIDO2/Passkey devices like the CryptoKona card are not natively designed for MPC, you can repurpose their cryptographic capabilities to act as one part of an MPC setup. By:

  1. Generating a key share on the card.
  2. Combining it with other key shares using an MPC protocol.
  3. Developing a custom applet for the card to participate in the signing process.

This approach allows you to leverage the security of the CryptoKona card while achieving the distributed key management benefits of MPC. However, it requires custom development and careful integration of the FIDO2 protocol with the MPC workflow.

Last changed by 
Emin Mahrt
0
41

Read more

Tutorial: Installing Open Source FIDO2 Applet on IDEX Card (macOS Silicon)

Date: May 4, 2025Compiled For: Internal Use / Reproducibility

May 4, 2025
NURI Supplier Request Brief

Below is a concise TL;DR capturing the main goals—and some next steps or critical points to consider—across (1) MPC for BTC/EVM, (2) FIDO2, and (3) Visa on a single biometric smart card.

Jan 14, 2025
Nuri AI Pitchdeck Feedback

After analyzing the pitch deck for NURI, a biometric smart card solution for cryptocurrency and traditional finance, I have identified strengths, gaps, and improvements necessary to make it investment-ready. Below is a structured briefing for enhancing the deck, supported by additional research insights and concrete suggestions.

Jan 5, 2025
NPM Fund: Continuous Token Bonding Curves for Open Source Funding

Abstract

Jan 3, 2025
Read more from Emin Mahrt
Published on HackMD