TL;DR: Understanding and managing wallets has been seen as a blocker to mainstream web3 adoption. Coinbase is applying Multi-Party Computation (MPC) to simplify the on-ramp to web3, while also providing better recovery and stronger security in crypto wallets.
MPC is a cryptographic technique that allows multiple parties to jointly compute a function on their private inputs while keeping those inputs confidential. Applying MPC to wallet private keys enhances security because it requires at least two participants to produce valid signatures. It also simplifies key management because individual key shares are distributed among the participants, and more than one key share has to be compromised to break into the wallet. MPC wallets have been deployed in institutional products in the industry for some time, but Coinbase shipped one of the pioneering consumer MPC wallets in early 2022, with over 5 million created as of June 2023.
Chainalysis research estimates that over 20% of bitcoin tokens are lost due to key mismanagement; that is over $100 billion worth in market value. Losing their funds without a simple method of recovery left enthusiastic early adopters jaded and looking for a better solution. Therefore, Coinbase decided to solve one of the foremost barriers to entry into web3 – wallet management.
In this article, we delve into the integration of MPC technology within our products, highlighting the benefits it brings to end users. For a more in-depth technical exploration, we invite you to read our white paper on MPC.
A user’s private key unlocks wallet ownership, which is similar to an account password in many ways. However, unlike most account passwords, there is no reset or recovery option for standard wallets. Losing the private key of a funded wallet results in loss of access to your funds. Redundancy measures, like backing up the key to the cloud or writing it down, create security risk while still not eliminating the concern of key loss.
We believe that to increase adoption of web3, private keys need to be secure while also being recoverable. Multi-Party Computation (MPC) can simplify wallet private key management while significantly enhancing security by distributing key control among multiple parties. The key shares are generated simultaneously in separate locations, where they are then stored, and signing then uses each key share independently to compute a signature. Therefore, users no longer need to manage a single private key themselves. MPC technology not only allows more reliable key recovery, but also provides stronger security by eliminating a single point of failure.
Coinbase has offered a standalone self-custodial wallet, Coinbase Wallet, since 2017, which can be used for web3 activities on-chain. Evaluating user behaviors, Coinbase started introducing MPC web3 wallets for a simpler user experience and robust security profile. The first MPC product is in the Coinbase flagship app followed by our enterprise Wallet as a Service product that launched earlier this year.
When thinking about wallets, there are three major workflows to get right: Key generation, signing, and key backup & recovery. Since key generation and signing both happen in multiple locations, compromising one share of the key alone will not result in the wallet being stolen.
Key Generation
When a user taps on the “Create a wallet” button, they kick off the address creation process as well as private key share generation. Coinbase uses distributed key generation (DKG) to generate and distribute all the keys to signers. When a user wants to add or remove a device that has a key share, a new cohort of signers is created. At least one key backup is also created right after key generation to avoid unexpected key loss.
Coinbase leverages the threshold ECDSA (tECDSA) MPC cryptography protocol. Threshold signing requires at least k holders, k ≥ 2, out of n total key shares to participate in signing to reach quorum. In the Coinbase application, both the Coinbase key share and the user key share have to participate in signing to produce a valid signature. The key shares are computed using the elliptic curve $y^2 = x^3 + ax + b$. The elliptic curve possesses additive and multiplicative mathematical properties that serve as the foundation for MPC private key cryptography. tECDSA uses points on the curve to split the key into n shares. Each key share appears random and is cryptographically difficult to derive. A signature can only be produced when the threshold of cosigners is met.
To explore tECDSA further, please read section A of the white paper.
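The share arithmetic behind the key generation and threshold paragraphs above, as an added example that is not Coinbase's code or protocol: a simulated dealerless key generation in which n parties end up with shares of a private key that is never assembled, and any k of them can rebuild the wallet public key from public points alone. It generalizes the page's 2-of-2 case to k-of-n and does not implement tECDSA signing; the secp256k1 curve, the function names, and honest parties (no commitments or proofs) are assumptions.

```python
import secrets
# secp256k1 parameters (assumption: the page does not name its curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        m = 3 * p[0] * p[0] * pow(2 * p[1], -1, P)
    else:
        m = (q[1] - p[1]) * pow(q[0] - p[0], -1, P)
    x = (m * m - p[0] - q[0]) % P
    return (x, (m * (p[0] - x) - p[1]) % P)

def mul(k, p):
    """Scalar multiplication by double-and-add (illustrative, not constant time)."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def dkg(n, k):
    """Simulate n parties; each keeps a private degree-(k-1) polynomial."""
    polys = [[secrets.randbelow(N - 1) + 1 for _ in range(k)] for _ in range(n)]
    # Party j's key share: the sum of every party's polynomial evaluated at j.
    shares = {j: sum(c * pow(j, e, N) for f in polys for e, c in enumerate(f)) % N
              for j in range(1, n + 1)}
    wallet_pub = None
    for f in polys:  # each party publishes f(0)*G, never f(0) itself
        wallet_pub = add(wallet_pub, mul(f[0], G))
    return shares, wallet_pub

def pub_from_quorum(shares, ids):
    """Lagrange-interpolate the wallet public key from the points share_i*G."""
    total = None
    for i in ids:
        lam = 1
        for j in ids:
            if j != i:
                lam = lam * j * pow(j - i, -1, N) % N
        total = add(total, mul(lam, mul(shares[i], G)))
    return total
```

Calling `dkg(2, 2)` models the two-share wallet described here: `pub_from_quorum` matches the wallet public key only when both share ids are supplied.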
Signing
At the heart of the MPC security model is consensus — where any action requires approval from more than one party. Each party who holds a share of the private key has signing capability and is referred to as a cosigner.
Signing is the most frequent wallet task and is required for submitting transactions, voting, connecting the wallet to some dapps, and more. When the user wants to buy an NFT on OpenSea or do a swap on SushiSwap, for example, they can go to the in-app web3 browser in their Coinbase app. Once the user approves the transaction, the app submits the transaction to Coinbase, which then creates an MPC task. At that time, a coordinator asks the server cosigner and the mobile client cosigner to sign the transaction. Once the transaction is signed by both parties, each independently with their own key share, the server broadcasts it to the blockchain.
Key Backup & Recovery
Coinbase MPC wallets have two key shares, one on the user device and one managed by Coinbase, with both being required to sign transactions. When switching devices, the user goes through a recovery process to migrate the user key share to the new device. Coinbase manages and updates the device pool – a list of devices that can sign – to make sure only approved devices have access.
Choosing how to back up and recover the wallet key is a tradeoff between security and convenience. Coinbase offers different products that serve different user priorities.
Coinbase supports user-owned backups like cloud, local, and hardware backups because they are faster. While these backups are still susceptible to loss and theft, the security risk is much lower because only a fraction of the private key is backed up and it is cryptographically impossible to sign transactions with that fraction alone. Local and hardware backups allow offline recovery, giving users the ability to transfer or recover their wallet without involving Coinbase servers.
User-owned backups are the user's responsibility. At Coinbase, we understand the importance of ensuring access to funds while minimizing the risk of losing backups. Coinbase wallet products add an additional layer of protection by securely storing an encrypted copy of the user's key share in the Coinbase cloud. In order to recover the Coinbase assisted backup, users have to verify their ownership.
With Wallet-as-a-Service (WaaS), the encryption key of the backup is split between the user and Coinbase. By using their share of the encryption key, users can authenticate themselves and regain access to their wallet. This authentication process utilizes cryptographic proof, preserving the user's privacy and legal identity.
However, it's essential to note that the user must safeguard their share of the encryption key to maintain access to the Coinbase assisted backup. Alternatively, the Coinbase app offers a convenient and highly recoverable option where the user does not need to hold an encryption key. By verifying their government-issued ID, users can recover their wallet with Coinbase's help. This streamlined process eliminates the complexities of key management and resembles the experience of reclaiming traditional financial accounts with banks. It sets us apart from other wallets, providing top-level cryptographic security and ensured recovery.
One challenge with wallet recovery is communicating to users that their wallet can only be set up on one device at a time. We have seen users perform recovery on a new phone and expect to use the wallet on the old phone. To close this gap with intuitive behavior, multi-device support is desired. This is crucial to our goal of modernizing and simplifying web3 experiences.
To understand all backup and recovery options offered by Coinbase products and their technical details, please check out the white paper.
Coinbase is focused on the goal of bringing the next billion users on-chain. This will take both technological and product innovations, removing friction and complexity from transacting with crypto and interacting with dapps.
Coinbase is building and shipping products for both developers and users to that end. For dapp developers, a new SDK for native apps to connect with Coinbase Wallet as well as an intake form to submit dapps to be listed on our platform have been gaining momentum. We also released an open dapp marketplace—no Coinbase account required.
The web3 ecosystem moves quickly and we are excited for the opportunity to define the industry standard and best product experience in this space.
---
About Hannah Jin
Senior Software Engineer at Coinbase