Human Keys, bringing a human touch to private key generation.
Imagine you have a bank vault where you store your most valuable assets. Now, picture the bank handing you a single, irreplaceable key and saying, "If you lose this, you lose everything." No backup, no recovery process.
Imagine you have a bank vault where you store your most valuable assets. Now, picture the bank handing you a single, irreplaceable key and saying, "If you lose this, you lose everything." No backup, no recovery process.
This is the challenge with seed phrases in crypto wallets. While wallets have evolved from simple blockchain interfaces to feature-rich applications with advancements like MPC (Multi-Party Computation), smart accounts, and wallet abstraction, the process of key generation and recoverability remains largely unchanged. Users still face the challenge of managing private keys themselves or entrusting them to centralized custodians, both of which carry risks.
Wallets are designed for everyday use, but wallet compromise is an everyday reality.
In this article, we explore the evolution of key management, the challenges of securing private keys, and how Holonym’s Mishti Network, along with our onboarding wallet, Silk, tackle web3’s onboarding problem. By leveraging familiar, human-friendly attributes to create Human Keys, we make key management intuitive, eliminating the need for complex and centralised key recovery mechanisms altogether.
Taking Control: Direct Key Management
Public Key Infrastructure (PKI) started with privacy-conscious individuals and has since become a mainstream tool for secure web interactions. It's now an everyday part of life, used in banking, emails, VPNs, and more. The complex cryptography behind PKI is usually hidden from users, meaning they don't have to deal with it directly, as trust is placed in central authorities. This setup has allowed PKI to become widely adopted, but it also means users have limited control over their digital identities and must trust centralized entities.
PKIs built on blockchain enables direct key management by users and offers a decentralized structure for trust that solves single points of failure. In PKIs, public and private key pairs are used for secure communications: you keep one key private (secret) and share the other (public) to sign transactions and authenticate digital interactions.
Private Keys don’t have Spare Keys
Non custodial wallets are built on the foundation of public-private key pairs where private key is randomly generated and derived from a secure seed phrase; its corresponding public key allows others to verify signatures and encrypt messages for the owner. The seed phrase, a human-readable backup, is the only way to recover your private key if it's lost. Private keys act as the crux for recovery, potentially securing billions of dollars, NFT collections, identity, future airdrops and on-chain footprint. However, if you lose your private key, you lose access to everything linked to it; there’s no backup, no spare key.
Non-custodial wallets are built around public-private key pairs, where the private key is randomly generated and linked to a secure seed phrase. This seed phrase, a human-readable backup, serves as the anchor for your private key recovery. It holds everything together—your crypto assets, NFTs, identity, and even future airdrops; so if you lose your private key, you lose access to everything tied to it. There’s no spare key, no backup mechanism.
The industry presently uses several key management practices such as key rotation (regularly changing your keys), using cold wallets (offline storage) and multisig wallets (requiring multiple approvals for transactions). Managing private keys requires high diligence; the hack of password manager Lastpass, where 150 private keys (estimated loss of $35 million) were stolen from individuals who are privacy conscious and deeply integrated into the crypto ecosystem, brings to light the difficulty to keep your wallets safe. If sophisticated users can fall victim, how can the average internet user manage their on-chain interactions without overwhelming complexity?
Social hacking targeting private keys have become very common, with hackers offering jobs, freelance gig, befriending and earning your trust to test out an app, maybe even offering podcast opportunities, all with the motive of installing malware on users' devices, and drain their wallets by stealing private keys.
Social logins and Passkeys have become a popular onboarding solution, but recovery is dependent on centralized web2 accounts, cloud backup or social recovery undermining security and making “self custody wallets” an ambiguous term. Favoring usability over security or vice versa is a dangerous compromise to have and a difficult dilemma to solve.
Familiar Keys to Digital Authentication
In the web2 world, personal attributes like biometrics, email addresses, passwords, social logins, and security questions have become the go-to methods for authentication and account recovery. Their widespread use is largely due to their user-friendliness and familiarity. Over time, these methods have evolved into what we now see as intuitive aspects of our digital identity, further validating their adoption.
It's important to be aware of how these identifiers can be used for online tracking and potentially shared with third parties, sometimes without the user’s full understanding. While they make accessing digital services easier, they also open the door to privacy concerns.
Human Keys: Private Key Generation with a Human Touch
Building on the themes of familiarity and usability, why not use these attributes to derive private keys, instead of random seed phrases. What if we could use key derivation sources that are both user-friendly and familiar to humans?
These sources could include biometrics, passwords, security questions, Social Security Numbers and other personal identifiers that people are already accustomed to using. But, these sources are low entropy data sources not suitable for private key generation. To ensure private keys are secure against brute force attacks, they need to have a high level of entropy—256 bits of randomness.
Holonym’s Mishti network with the use of threshold Verifiable Oblivious Pseudorandom Function (tVOPRF) takes a low-entropy input, like a password, and transforms it into a high-entropy output, suitable for generating a secure private key. Private computation, collision-resistant mechanisms and use of Zero Knowledge Proof (ZKP) for verifiability keeps personal inputs private and prevents them from being traced back.
For example, a user could sign up via Silk, Holonym’s onboarding wallet, which uses the Mishti Network for key derivation and recovery:
- The password the user enters during sign-up is used to generate their private key.
- The user's password is encrypted during the sign-up process.
- To decrypt their password later, the user generates a ZKP proving they own the email associated with their encrypted password.
- Throughout this process, neither the user's email nor their password is exposed at any point, not to Holonym, any third party, or even the network nodes processing the data.
Comparing Human Keys to Other Solutions
To fully appreciate the value of Human Keys, it's useful to compare them with existing key management solutions:
Traditional PKI: As mentioned earlier, traditional PKI relies on centralized authorities to manage keys. While effective, this centralization introduces risks such as single points of failure and loss of user control.
Blockchain-Based PKI: Decentralized PKI systems give users more control but often require them to manage complex private keys. Losing these keys can result in the permanent loss of access to digital assets.
Custodial Wallets: Custodial wallets simplify key management by holding private keys on behalf of users. However, this reintroduces centralization, making users dependent on the custodian's security measures.
Human Keys: Human Keys offer a middle ground by allowing users to generate and manage their own private keys using familiar inputs. This approach combines the ease of use associated with custodial solutions with the security and autonomy of decentralized systems.
Use Cases: Real-World Applications of Human Keys
The potential applications for Human Keys are vast, spanning multiple industries and use cases. Here are a few examples:
Digital Identity: Human Keys can be used privately to create decentralized identities that can be used across various platforms for sybil resistance and legal personhood. Users can log in to different services using a single Human Key, prove facts about their identity such age, citizenship, compliant, etc without revealing the identifying information using Zero Knowledge Proofs.
Secure Wallet Management:. Human Keys can be used by Wallet as a Services for decentralizing private key generation and account recovery without relying on centralised architecture or sub optimal systems. Human Keys simplify this process by allowing users to generate and recover their private keys using a password or biometric data, making crypto more accessible.
Zero Trust Authentication: Human Keys provide a breakthrough in authentication by allowing users to verify their identity or complete transactions using biometrics or passwords, all within a zero-trust environment. This enables developers and users to onboard and authenticate transactions within seconds, without compromising the security of their private keys.
Airdrops with Proof of Personhood: Projects can combat industrial sybil attack by airdropping to unqiue individuals who derived keys from biometrics, and users can also use Human Keys to make ZKPs on standard credentials such as Govt ID and NFC Passports to prove personhood. The one click flow to receive airdrops faciliated by Silk’s UI improves the claiming process, ensures sybil resistance and protocols can tap into Zeronym’s reputed user base to decentralize beyond airdropping to network participants.
Onboarding Masses
The phrase "onboarding the masses" is frequently thrown around in the crypto space, yet the reality is that onboarding remains a significant challenge. The complexity and friction involved often push users toward centralized custodians, where they don’t have to worry about managing keys or funds themselves.
Tremendous advancements have been made in chain abstraction, allowing users to seamlessly tap into multiple blockchains with fewer clicks. While chain abstraction reduces fragmentation, Human Keys enhance access by simplifying onboarding and authentication. Together, these innovations create a unified, user-friendly blockchain experience, opening up design space for crypto apps to truly thrive.
Human Keys on the Mishti Network enables simple social/email logins similar to what users are accustomed to in Web2, but underneath the familiar interface lies a decentralized network designed for sovereign and secure transactions. The interface supports easy authentication with full ownership and protecting them against deceptive practices and access control hacks.
Human Key ensures that recoverability is owned by the user, but the interactions to make it happen remains seamless and frictionless. Silk, Holonym’s onboarding wallet, is the gateway to experiencing this firsthand.
Silk provides intuitive and non intrusive user experience, hence users can navigate the complexities of blockchain, without being overwhelmed, and being used for digital interaction, without being made aware of being interacting on a blockchain.