Recently at E-Crypto News we reached out to Professor Yehuda Lindell, CEO and Co-Founder of Unbound Tech, a cryptographic security company based in the USA and Israel, on issues surrounding security in the crypto space. Here is what he had to say.
Professor Yehuda Lindell, CEO and Co-Founder, Unbound Tech
1. What are your security predictions for 2020 and for the blockchain space?
We are seeing more institutional interest and investment, and the hype is falling away. This is good news for the space in general, and means that real work can get done. The other side of this is that there are more real solutions that utilise blockchain, and as cryptocurrencies continue to thrive, they will become more and more of a crime target. Fortunately, since the organizations in this space are typically young and agile, and the threat is real and immediate, they will respond quickly. As such, I believe that attacks and crime in the space will continue to rise, together with a tightening of security and deployment of new methods. Secure multiparty computation as a solution to protect the signing keys used to authorise transactions on blockchains will grow quickly, as this provides the best tradeoff between security and functionality, in my opinion. Other solutions will continue to be used as well (cold wallets, multi-sig, etc.) and the use of multiple technologies together for different use cases will grow.
2. Will the rise in computing speed pose a challenge to blockchain security?
No, in the permissioned blockchain space (BFT), it is not of any relevance at all. In the permissionless blockchain space, the protocols are designed to take this into account, so I don’t see this as becoming an issue.
3. Will there ever be quantum-proof wallets going by what the guys at Google and co are doing?
The quantum supremacy demonstrated by Google needs to be understood in context. Quantum supremacy was defined to be the situation where a quantum computer can solve a problem faster than a standard computer. I stress – “a problem”, not “many problems”, not “interesting problems” and not “important problems”. Just to clarify this more, let’s see what supremacy would sound like among living beings in this context: monkeys are supreme to humans since they can climb better, fish are supreme to humans since they can swim better, and so on. Whether or not quantum supremacy was even demonstrated is not absolutely clear (see IBM’s response). However, this quantum computation has no effect whatsoever on cryptography, blockchain, and cryptocurrencies. Will quantum computers at some stage threaten the elliptic-curve-based digital signature schemes used in blockchains and cryptocurrencies? Maybe. In my opinion, it is still an “if” rather than a “when”. However, if it does happen, I strongly believe it’s a long way out (I believe 20 years at least; I have very high confidence that it’s at least 10 years). If it does get close, then we already have good candidates for post-quantum secure public-key encryption and digital signature schemes, and NIST is working on standardisation now. As such, we shouldn’t change anything yet.
4. What’s the best way to store keys in your opinion?
I think that it truly does depend on the specific use case and threats that each organization faces. However, in many cases, I truly believe that MPC provides the best tradeoff between flexibility, applicability, speed and security. The fact that it generates a single standard signature means that it can be used on any blockchain, and it does not require any special support. Different quorum sizes can be defined, and policies can be built in, so that advanced business logic for exchanges, trading platforms, custodians and so on can be incorporated. This makes it an excellent match for current business and security needs in this space.
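To illustrate the MPC point made in answers 1 and 4, here is an added example (written for this page, not Unbound's product or protocol): two parties each hold an additive share of a Schnorr signing key, each computes a partial signature from its own share, and the combined result passes the ordinary single-key Schnorr check, so the verifier cannot tell it apart from a conventionally produced signature. The group parameters are a deliberately tiny toy group, and the function names and 2-of-2 quorum are my own choices for illustration.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only (far too small for real use):
# p is a safe prime (p = 2q + 1) and g = 4 generates the prime-order-q subgroup of Z_p*.
P, Q, G = 503, 251, 4

def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def challenge(R: int, pub: int, msg: bytes) -> int:
    # Fiat-Shamir challenge e = H(R || pub || msg) mod q
    h = hashlib.sha256(f"{R}|{pub}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q

def keygen_2of2():
    # Each party samples its own share; the full key x = x1 + x2 is never assembled anywhere.
    x1, x2 = rand_scalar(), rand_scalar()
    pub = (pow(G, x1, P) * pow(G, x2, P)) % P     # g^x1 * g^x2 = g^(x1+x2), from public values only
    return x1, x2, pub

def partial_sign(share: int, nonce: int, e: int) -> int:
    # One party's contribution, computed from its own share and nonce only
    return (nonce + e * share) % Q

def sign_2of2(x1: int, x2: int, pub: int, msg: bytes):
    # Round 1: each party picks a nonce share k_i; the nonce point R = g^k1 * g^k2 is combined.
    k1, k2 = rand_scalar(), rand_scalar()
    R = (pow(G, k1, P) * pow(G, k2, P)) % P
    e = challenge(R, pub, msg)
    # Round 2: partial signatures are added; the result is an ordinary Schnorr pair (R, s).
    s = (partial_sign(x1, k1, e) + partial_sign(x2, k2, e)) % Q
    return R, s

def sign_single(x: int, msg: bytes):
    # Conventional single-signer Schnorr, for comparison: identical signature format.
    k = rand_scalar()
    R = pow(G, k, P)
    e = challenge(R, pow(G, x, P), msg)
    return R, (k + e * x) % Q

def verify(pub: int, msg: bytes, sig) -> bool:
    # Standard Schnorr verification: g^s == R * pub^e. The verifier cannot tell
    # (and does not care) whether the key was held by one party or split into shares.
    R, s = sig
    e = challenge(R, pub, msg)
    return pow(G, s, P) == (R * pow(pub, e, P)) % P
```

Production threshold schemes add nonce commitments, distributed key generation and authenticated channels, and blockchains use ECDSA or EdDSA rather than this toy group; the block shows only the share arithmetic that keeps the key from ever existing in one place.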
5. How do you deal with security breaches and can vulnerabilities be prevented when it comes to access management of cryptographic keys?
This is a continual struggle and there is no silver bullet. I strongly advocate for purchasing a solution that has been built by a company with expertise (rather than building from scratch in-house). In addition, it is crucial to pay attention to the entire security architecture of the solution. It is not enough to protect a key from being stolen, if I can breach the machine that issues the transaction requests and initiate a transaction to transfer all funds to me.
6. Will there be a better practice for confirmation of information integrity than code signing?
I think that code signing is an excellent solution, and does not need to be changed. However, best practices do need to change to look at the entire software development life cycle, and incorporate code signing and other methods to ensure no compromise at any point along the way.