Vo1t and Aon have been working together for the last 2 years to bridge the gap between the traditional financial industry and the emerging digital asset space. This has meant translating new system designs and architectures, such as blockchain, into bite-sized pieces that the traditional markets understand and recognise. One avenue has been educating the insurance market, identifying risk and implementing recognised control frameworks which a traditional bank, auditor, or security consultant can be comfortable with. The most recent development is the hybrid integration of MPC (Multi Party Computation) into Vo1t's secure infrastructure.
What is MPC? It is the ability to allow multiple independent parties to collectively perform some computation and receive the resulting output without ever exposing an individual party’s sensitive input. For example, a group of friends can determine who has the highest salary without revealing what each individual earns. Great! However, like everything else, MPC carries its own share of practical limitations and drawbacks. The expensive burdens and high overhead of cryptographic operations have led to a rise in the number of trusted execution environments such as Intel’s Software Guard Extensions (SGX).
However, behind any secure computing system is a root of trust — the lowest level in the system from where trust originates. SGX has been the subject of attacks before. Using Vo1t as the trusted execution environment ensures strong separation between components of the MPC structure, and calls upon a system built on trusted hardware in the form of hardware security modules (HSMs) and air-gapped computer systems — designs which have been around for decades and are well understood.
In this hybrid design of MPC and trusted hardware, Vo1t can act as a co-signer to the transaction, which has now given the insurance underwriters comfort to extend the Aon crime policy to insure any MPC solution which connects into the Vo1t infrastructure.
“We’ve worked with Vo1t for a while now and the underwriters have been comfortable with their systems to offer a substantial amount of insurance cover. MPC has been an interesting development, by securing a signing event in the Vo1t environment we’re happy to extend the existing cover to MPC wallet originated transactions.” Tom Davis, Client Director, Aon
If Vo1t is the designated co-signer, a veto share is held in Vo1t’s infrastructure as part of the approval process, in effect acting as the client’s elected gatekeeper for their MPC wallets. The service goes beyond the technology to include the authorization team, who conduct the necessary data integrity and audit checks, with contingency plans for any users under duress. Vo1t has also been working with MPC providers to secure the disaster recovery (DR) key in Vo1t’s cold storage environment. If shares are lost and access to the private keys is required, the DR key held by Vo1t is used to generate all private keys locally and regain control of the account, all under the Aon insurance wrapper.
“MPC adds another layer of security, one which improves the operational efficiencies on client authentications. It also presents another string in our bow to offer a fully customisable treasury management solution. In the reverse direction we can secure the disaster recovery process and encryption key for users of third party MPC protocols, or be a fully elected co-signer.” Miles Parry, CEO, Vo1t
Technology is the bedrock; however, there are numerous business criteria to consider when looking at large-scale adoption for institutional custody. Cutting-edge technology brings with it certain risks:
Legal — Current laws do not have adequate language to describe the technology, whether that is MPC, a blockchain-native smart contract, or something else. There are also legal and organizational deployment obstacles. Trusted hardware can sidestep the problem of using two or more legal entities in different jurisdictions.
Data — Data visibility is a concern. The real-world practical applications are still nascent and must be accompanied by proper monitoring and auditing to establish trustworthiness. Some institutions don’t want to relinquish direct control over their data to a cloud service provider, and hardware can be a viable alternative here.
Combining the best of MPC with Vo1t as a trusted execution environment places a familiar risk framework in the broader architecture. This facilitates an understanding of the risk profile, the appropriate controls, and what constitutes an insurable event. All of this allows a corporation’s risk committees, auditors, and officers to get comfortable with engaging a product that leverages leading technology whilst also possessing long-standing security standards, all protected by a robust insurance wrapper.