Luke Plaster, Chief Security Architect at io.finnet, has shared his unique perspective with CI on a range of topics including digital asset security.
In a world where digital asset security is paramount, io.vault by io.finnet is said to be breaking new ground with it’s self-custodial solution, powered by Trustless Multi-Party Computation (tMPC). Here’s why io.vault is redefining the standard:
True Self-Custody: Businesses retain full control over their key material, eliminating risks tied to insider threats and single points of failure—no third-party ownership, just pure security.
Decentralized and Trustless: Unlike traditional solutions, io.vault distributes key material across multiple parties, ensuring no single entity holds complete control. This approach minimizes vulnerability and removes the need for trusted intermediaries.
Instant, Flexible Security: Customize your security setup with unlimited signers and thresholds. Modify configurations instantly, without extra costs, ensuring your system adapts as your needs evolve.
Seamless Disaster Recovery: Recover your assets instantly, without relying on third parties, guaranteeing uninterrupted access to your funds.
io.vault’s innovative tMPC technology is setting a new benchmark in digital asset security.
Our discussion with Luke Plaster is shared below.
Crowdfund Insider (CI): Could you explain what Multi-Party Computation (MPC) is and why it’s becoming increasingly important in the digital asset space?
Luke Plaster: Trustless Multi-Party Computation (MPC) is our cutting-edge technology that allows multiple parties to collaborate on computing a function without revealing their individual inputs. In the context of digital assets, it means that a group of signers can jointly generate a cryptographic signature without ever reconstructing the full private key. This is crucial because it eliminates the single point of failure traditionally associated with digital asset custody.
In a typical setup, if someone gains access to your private key, they can control your assets. Trustless MPC changes that by ensuring no single party ever has full access to a private key, making it significantly harder for any malicious actor to compromise the system. As the digital asset market continues to grow, the security of these assets is paramount. Trustless MPC offers a robust, flexible solution to safeguard assets in this increasingly digital world.
Crowdfund Insider: How does Trustless MPC compare to other security mechanisms like multi-signature (multisig) wallets? What makes it superior?
Luke Plaster: Multisig, while very useful in some use cases, has its limitations. For one, multisig wallets are often specific to certain blockchains, making them less flexible. As multisig requires multiple keys and signatures for each transaction, each key could be tracked to identify usage patterns and the personnel involved. On networks that use transaction fees (or “gas”), you will end up paying extra fees for each signer signature. So, in a way, it’s like paying a penalty for wanting to be more secure.
With io.vault, that is not the case, and the number of signers (or server side virtual signers) involved in signing a transaction does not influence the transaction fee. You could have a hundred signers, with your private key split into one hundred pieces, and only ever pay the same transaction fee that a single key wallet does. But you will feel a lot more confident in its security!
Trustless MPC doesn’t create a full private key at any point in the process. Instead, it generates key shares distributed across multiple devices or parties. These shares are never combined into a full key, which means even if one share is compromised, it’s useless on its own. This approach not only adds safeguards but also offers greater flexibility, as it can be implemented across various blockchain networks without needing native support like multisig does.
Crowdfund Insider: You mentioned distributed key generation as a critical aspect of Trustless MPC. Could you elaborate on why this is so important for businesses?
Luke Plaster: Distributed key generation (DKG) is at the heart of what makes Trustless MPC so powerful. In traditional setups, private keys are generated on a single device, making that device a high-value target for attackers. If the device is compromised, so is the private key, and by extension, the digital assets it controls.
With distributed key generation, the key shares are generated independently across multiple devices. This means that no single device ever holds the full key or knows any secrets used to generate the other key shares, drastically reducing the risk of compromise. For businesses, this is crucial because it allows them to distribute the responsibility and authority of asset management across multiple stakeholders, aligning with traditional business governance structures.
This distribution not only enhances security but also ensures that critical decisions, such as authorizing large transactions, require the consensus of several key stakeholders, thereby reducing the likelihood of internal fraud or unauthorized access.
Crowdfund Insider: How do you see Trustless MPC evolving in the future, and what impact could it have on the broader financial ecosystem?
Luke Plaster: Trustless MPC is poised to become a foundational technology in the broader financial ecosystem, especially as digital assets become more integrated into traditional finance. As we move towards a more digitized economy, the need for secure, scalable, and flexible solutions will only grow. Trustless MPC addresses these needs by providing a security model that is both robust and adaptable.
In the future, I believe we’ll see Trustless MPC being adopted not just for cryptocurrency transactions but across various sectors that require secure multi-party agreements. This could include everything from financial contracts to secure voting systems. The key here is the technology’s ability to enable trustless operations—where parties can collaborate securely without needing to trust each other fully. This could revolutionize how we think about trust and security in the digital age.
Moreover, as regulatory frameworks around digital assets continue to evolve, Trustless MPC could play a crucial role in helping businesses meet compliance requirements. For example, by enabling weighted signing authority, companies can implement more complex governance structures that align with regulatory demands while maintaining the highest security standards. Stablecoins and CBDC are becoming an increasingly hot topic when we think about the future of our money, and new legislation like MiCA is poised for ultra-safe custody (and self-owned) solutions like MPC to take the spotlight.
Crowdfund Insider: Could you explain the concept of weighted signing authority within Trustless MPC and why it’s particularly beneficial for enterprises?
Luke Plaster: Absolutely. Weighted signing authority is a unique feature of Trustless MPC that allows different levels of signing power to be assigned to participants based on their role within an organization. For instance, a CEO might have more signing power than a department head, reflecting their higher level of authority and responsibility.
This approach is particularly beneficial for enterprises because it aligns the digital asset management process with traditional business hierarchies. In practice, this means that critical transactions—like large transfers of assets—can require the approval of multiple high-level stakeholders, ensuring that no single person has unilateral control over significant decisions. This not only enhances security but also provides a clear audit trail, which is essential for compliance and governance.
For example, consider a scenario where a large investment firm manages multiple digital asset portfolios. Using weighted signing authority, the firm can ensure that any significant transaction requires the approval of a senior executive team, while smaller, day-to-day transactions might only need authorization from junior managers. This flexibility allows businesses to tailor their security processes to their specific needs, balancing accessibility with rigorous oversight.
Crowdfund Insider: With cybersecurity threats evolving rapidly, how does Trustless MPC stay ahead of potential vulnerabilities?
Luke Plaster: Cybersecurity is a constantly evolving field, and staying ahead of potential threats requires continuous innovation and vigilance. Trustless MPC is inherently designed to mitigate many of the risks associated with digital asset management. By distributing key shares across multiple parties and ensuring that no full private key ever exists, Trustless MPC significantly reduces the attack surface.
However, technology itself is only part of the equation. At io.finnet, we regularly conduct security audits and work with leading cybersecurity firms to ensure that our implementation of MPC is resilient against emerging threats. This includes rigorous testing, both in-house and through third-party audits, to identify and address any potential vulnerabilities before they can be exploited. Our internal processes are SOC 2 audited and we carry out independent third-party audits with domain experts.
Furthermore, the flexibility of Trustless MPC allows it to adapt to new cryptographic techniques and standards as they emerge. This means that as the landscape of digital security evolves, so too can the defenses built into MPC systems, ensuring they remain at the forefront of cybersecurity. This includes our real-time security monitoring (RASP) platform that identifies threats in real time and shuts down parts of our application infrastructure if any emerging threat or attempted access is detected.
Crowdfund Insider: Finally, what advice would you give to businesses that are hesitant to adopt new security technologies like Trustless MPC?
Luke Plaster: My advice to businesses would be to consider the long-term benefits of adopting advanced security technologies like Trustless MPC. In the digital age, the threats to asset security are only increasing, and the cost of a security breach—both financially and reputationally—can be devastating. While adopting a new technology can seem daunting, the risks of sticking with outdated methods are far greater.
Start by understanding the specific risks your organization faces and how a solution like Trustless MPC can mitigate those risks. Engage with experts who can guide you through the implementation process and help you tailor the technology to your specific needs. Remember that security is not just an IT concern; it’s a business imperative that affects every aspect of your operation.
By taking proactive steps to secure your digital assets with advanced technologies like Trustless MPC, you’re not just protecting your company—you’re also positioning it for future success in an increasingly digital world.