Belgian startup and imec.istart alumnus NGRAVE is about to launch breakthrough technology to tackle the Achilles’ heel of blockchain technology: the security of private keys.
Will recent developments of global players entering the blockchain realm initiate a definite breakthrough of cryptocurrencies? Or will NGRAVE dazzle the world by finally and effectively tackling one of blockchains’ major challenges, i.e. security? If it were up to NGRAVE founders Ruben Merre (CEO), Edouard Vanham (COO) and Xavier Hendrickx (CTO), they are about to create a revolution, allowing us to finally move about in the blockchain world with the peace of mind that our valuables will still be there the next time we log in and check our digital wallets. This month, they’re off to San Francisco, where they are teaming up with BelCham (the Belgian-American Chamber of Commerce) to take a deep dive into the U.S. market and its entrepreneurial scene. In parallel, NGRAVE prepares a Kickstarter campaign to kick off the pre-sales of its products in September.
Even the safest get hacked
As a recent article on MIT Technology Review illustrates, hacks and security breaches have become one of the fundamental challenges for blockchain adepts and developers. Securing assets and transactions on the blockchain is a must in order to safeguard the reputation of this predicted-to-be-revolutionary technology and allow for its wider adoption. And, while small emerging blockchain initiatives have always been known to be vulnerable, recent events show that even the biggest and safest are not untouchable. Just a few months ago, media reported hackers stole $40 million worth of bitcoin from Binance, one of the largest platforms in the world for the purchase and exchange of cryptocurrencies. In the past two years, the total number of cryptocoins being stolen through hacks is estimated to exceed an equivalent of four billion U.S. dollars. And that’s only counting the thefts that have been publicly reported.
NGRAVE’s founders have not been spared from crypto attacks either. Ruben Merre says: “All three of us have been early adopters of blockchain technology, each for our own reasons. Our CTO has been the victim of several cryptocurrency thefts and Edouard and myself still only invest rather conservatively in cryptos, because we feel it is not yet secure enough. What is most frustrating with cryptocurrency theft, is that you can keep tracing the stolen money, yet are powerless to ever get it back. While these acts of injustice force us to remain vigilant, at the same time they are exactly what brought the three of us together: a pursuit for safer interactions on the blockchain so no one has to become the victim of this kind of theft anymore.”
Focus on end-to-end protection of private keys
The NGRAVE founders put their heads together in early 2018 and quickly came up with a business idea and first prototype design. While blockchain security can be approached from a variety of angles, they decided to focus on the end user. Supported by a thorough market and customer investigation, NGRAVE’s specific focus became the end-to-end protection of blockchain-users’ private keys: from their initial purchase to passing on their crypto-assets to their heirs; and everything in between.
For those not familiar with cryptocurrencies: each wallet – the crypto-equivalent of a bank account – has two keys assigned to it. A public key, which is the equivalent of your bank account number, allows people to transfer currencies from one account to the other. And a private key, the equivalent of a 4-digit code or any other passphrase, allows you to authenticate yourself and your transactions. Important note: because they are generated by asymmetric cryptography, the two keys are paired to one another. Asymmetric means that your private key can never be obtained or guessed from your public key, whereas your private key does give full access to the information on your public key. However, unlike the 4-digit code associated with your regular bank account, you cannot change your private key as it is irreversibly linked to your public key. Hence, keeping the private key private is probably the most important thing one should do when entering the blockchain world.
Because of the inherent nature of public and private keys, guessing a private key would be one-hundred million times a billion (10^17) times more difficult than guessing anyone’s bank account number, PIN code and two-factor authentication code. Yet, unlike conventional authentication codes, a private key cannot be changed once it has been generated, and anyone you reveal your private key to has immediate access to all the information on your public key.
The online Achilles’ heel: where existing solutions fall short
While trivial at first sight, NGRAVE’s founders quickly learned that no existing solution was satisfactory to keep private keys unseen – or untraceable. The Achilles’ heel being that all existing products and services on the market at some point require the user to go online and in one way or another risk revealing their private key. For example, through a never-ending list of malware, phishing attacks, dedicated search algorithms for private key string sizes, etc. Or simply because a private key is delivered to you (and sometimes even stored) by a third party which might not be as trustworthy as it seems.
Another aspect of private key protection is storing and remembering it. For this, several offline solutions, called cold storage devices, exist. Yet, even the most advanced ones, for example based on robust steel engravings, also still include – no joking – a common pen and paper as a backup in the product package… Studies show that over 90% of users rely on such a “paper wallet”, which is clearly not the most robust solution. And if they don’t, their alternative solutions typically consist of a device or item that is made out of one piece, which means it still inherently holds a “single point of failure”: if you lose your cold storage device (or if it gets stolen), your crypto-assets stored on your public key are immediately at risk.
The customer journey: from hot to cold wallets
For those unfamiliar with blockchain, to understand what end-to-end protection means, it might be valuable to get an idea of the customer journey to obtain and use an electronic wallet. On a very high level, a crypto-adventure can be divided into three sorts of places where currencies are stored or moved around. Firstly, there are the exchange platforms: ‘websites’ where you can buy, sell and exchange crypto-currencies. To do so, they give you an account to log into the platform. The platform is the sole owner of the private keys and the user doesn’t even know them. To be more precise: technically, as a customer you actually never really own the crypto on the exchange (you just hold a proxy to an account). An account of which you basically have no insight into how the public and private keys have been generated, how they are stored and who has access to them. It’s therefore highly recommended to only use these accounts for trading purposes and transfer the obtained currencies to a more secure wallet as soon as possible, so you have more control over them.
This means you enter another of the three places: hot or cold wallets. Hot wallets are online accounts in which you can store your currencies and execute transactions. These appear to be a bit safer than exchange accounts, yet still generate the keys for you and often you cannot be 100% sure that you are the only one storing your private key. For most users, cold wallets are therefore a must-have. Here, you purchase a dedicated hardware device on which you generate, store and manage your wallets and keys. Unlike hot wallets, cold wallets are not continuously online or ‘in the cloud’, and as such inherently already a lot safer. In addition, cold wallets give the user more control over their private key and who gets to see it. Yet, as these keys are generated by the manufacturer, you can never be 100% sure that you are the only one storing it. The manufacturer might keep a log or – worst case – its supply chain can be compromised with middlemen tampering with the device before it gets delivered to you. Finally, cold wallets (often USB-enabled sticks or devices) still require you to plug them into your PC and go online in order to activate them or execute transactions. So here again, you are a target for malware or online attacks.
High-level overview of the main types of places you can encounter in handling cryptocurrencies and their vulnerability: left: exchange accounts and hot wallets. Middle: cold wallets. Right: NGRAVE offline solution.
NGRAVE ‘coldest wallet’ stays offline and keeps Pandora’s box closed
Within this realm, NGRAVE has in a way created a totally new segment: the ‘coldest wallet’. In contrast to other solutions currently on the market, they cover the entire list of potential vulnerabilities via a series of clever innovations. Basically, the NGRAVE solution consists of three elements: an electronic hardware device, a cold storage solution and an app.
The NGRAVE solution consists of three elements. Above: an offline electronic hardware device with a camera and fingerprint scanner on the back. Bottom left: a two-piece cryptographic puzzle as a cold storage for your private key. Below-right: an app that uses QR codes to make the link between the offline device and online transactions without ever exposing your private key.
Starting with the electronic device, which is the core of NGRAVE’s offering, the most important innovation is that it will not require you to go online for its activation or to validate transactions. Also, it will be manufactured with the latest techniques to make it completely tamper-proof as soon as it leaves the factory. In case anyone would attempt to break into the device, this will immediately create permanent visible marks or even make the device functionally unusable. In addition, it is not pre-programmed with any wallets. So even on that level, the manufacturer or hackers cannot create a backdoor. Upon arrival, thanks to a highly advanced randomization algorithm, the device allows you to generate an unlimited number of wallets, each with their own public and private key. The process to do this includes optional input from your fingerprint or other biometrics, environmental parameters such as the lighting conditions when you execute the key generation and the possibility to interact with the key, for example (hypothetically) by randomly altering a number of characters at your individual discretion. Once you’ve gone through this process, you can be quite sure you’ve generated a key that is statistically unique so that no other user will ever generate the same key. And, since all of this is done offline and with user interaction, only you know the key you have just generated. Even the technical staff of NGRAVE will have no possibility whatsoever to re-engineer this process with its random external variables. To give an idea of how statistically unique and unbreakable it is: guessing (or brute forcing) the key would require 10^78 attempts, which is similar to the estimated number of atoms in the universe.
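One way several inputs can be combined into a key seed without any of them weakening it, as an added example that is not NGRAVE's algorithm (the article does not disclose it): each input is length-prefixed and hashed with SHA-256 together with output from the operating system's CSPRNG. The function name, the domain label and the sample source names and values are assumptions constructed for illustration.

```python
import hashlib
import secrets
import struct
from typing import Dict, Optional


def _framed(data: bytes) -> bytes:
    # A 4-byte length prefix keeps ("ab", "c") distinct from ("a", "bc").
    return struct.pack(">I", len(data)) + data


def mix_entropy(extra_sources: Dict[str, bytes],
                csprng_bytes: Optional[bytes] = None) -> bytes:
    """Return a 256-bit seed from OS randomness plus optional extra inputs.

    Extra inputs (sensor readings, user edits) that are independent of
    csprng_bytes can only add unpredictability; they never replace it.
    """
    if csprng_bytes is None:
        csprng_bytes = secrets.token_bytes(32)
    if len(csprng_bytes) < 32:
        raise ValueError("need at least 256 bits from the CSPRNG")
    h = hashlib.sha256(b"example-seed-v1")  # hypothetical domain label
    h.update(_framed(csprng_bytes))
    for name in sorted(extra_sources):  # fixed order, independent of dict order
        h.update(_framed(name.encode()))
        h.update(_framed(extra_sources[name]))
    return h.digest()


if __name__ == "__main__":
    # Constructed sample inputs standing in for the sources the article lists.
    samples = {
        "ambient_light": bytes([17, 203, 88, 41]),
        "fingerprint_scan": b"constructed-sensor-bytes",
        "user_edits": b"7f->a2,03->9c",
    }
    print(mix_entropy(samples).hex())
```

Biometric and environmental readings are low-entropy and partly observable, which is why the sketch refuses to run without a full 256 bits from the CSPRNG.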
Once you have generated your key, you can safely store it on the cold storage solution that you can also buy from NGRAVE. And here as well, the company introduces some novelties. First: no pen and paper… More importantly: their cold storage device will not have the single point of failure handicap as it will be a cryptographic puzzle that consists of two parts. Part one is the embossing of your key in a way it can only be interpreted by having part two. Part two being the ‘secret code’, an ‘overlay’ that tells you how you should interpret part one. Both parts are made of stainless steel that can withstand temperatures up to 1400˚C and the most severe conditions. By storing them apart from each other (for example in separate deposit boxes in the bank), you can be guaranteed that no one will be able to retrieve your key, even if they would get hold of one of the two parts. NGRAVE does offer solutions to retrieve the second part with the secret code in case you lose it or it gets stolen, and ways to safely hand over the ownership of your keys to potential heirs. All of this without NGRAVE itself knowing what your private key is.
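The property that one part alone reveals nothing can be illustrated with a 2-of-2 XOR split, an added example that is not NGRAVE's scheme (the article does not describe how the two steel parts are encoded). One part is a random pad, the other is the key XORed with that pad; the function names and the sample key are constructed.

```python
import secrets
from typing import Tuple


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("parts must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split key into (masked, pad); both parts are needed to rebuild it."""
    pad = secrets.token_bytes(len(key))  # fresh, uniformly random pad
    return _xor(key, pad), pad


def recover_key(masked: bytes, pad: bytes) -> bytes:
    return _xor(masked, pad)


def pad_that_yields(masked: bytes, candidate_key: bytes) -> bytes:
    """The pad under which `masked` would decode to candidate_key.

    Such a pad exists for every candidate of the right length, which is why
    someone holding only `masked` cannot rule any key in or out.
    """
    return _xor(masked, candidate_key)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
    masked, pad = split_key(key)
    assert recover_key(masked, pad) == key
    decoy = bytes(32)  # any other 32-byte value works equally well
    assert recover_key(masked, pad_that_yields(masked, decoy)) == decoy
    print("part 1:", masked.hex())
    print("part 2:", pad.hex())
```

The guarantee holds only if the pad is generated fresh for each key and never reused; losing either part of a 2-of-2 split also loses the key unless a separate recovery path exists.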
Now that you’ve programmed the device with your wallet(s) and have securely stored your private key(s), you can start using them. And this is where the app comes into play. Through a clever interplay of encrypted communication and QR codes, you can use the app as an interface between the online world and your offline NGRAVE device. For example, for the authentication of transactions, it will be sufficient to use the camera of your mobile phone and scan a QR code on the NGRAVE device and vice versa. In this entire process, private keys are not made visible and they also cannot be derived from the QR codes as these are already the outcome of an offline authentication process. As such the private keys always remain offline and are never exposed to online attacks.
Building on credible partners
Asked why customers should trust NGRAVE, the founders comment: “We are working with partners who are globally the best in class. We’ve just graduated from imec.istart, which to us was an incredible acceleration vehicle for our idea and overall business strategy and implementation. The amount of support you get is really tremendous. Kris Mertens, our main contact at imec.istart has been almost like a team member to us: following-up on our progress, challenging us, and helping us get the most out of the program. As a world-leading technology developer, imec is also our hardware partner. We are working closely together with them, both for product development and the eventual industrialization. And to cover some of the security aspects and review our security architecture, we can rely on the expertise of COSIC: an imec research group at KU Leuven with world-renowned cryptography and hardware security experts. They recently hacked the famous Tesla cars and previously they also invented the worldwide standard for data encryption called “AES” (“Advanced Encryption Standard”).”
The overall market potential is huge. The cryptocurrency market as a whole equals just under $300B. And, while the overall cryptocurrency-market is still subject to substantial declines due to the volatile nature of the value of the cryptocurrencies, the number of wallet users has been growing non-stop. Doubling year on year since 2015, the number of users is expected to reach the 100M mark by mid-2020. For NGRAVE specifically, some other numbers are equally important: for example, the number of people who mainly “buy and hold”. In other words: users that invest substantial capital in cryptos and blockchain-based projects but mainly look at their wallets as a kind of savings account. Similar to how an average person distributes his budget 80/20 over conventional savings and current accounts, this target audience is estimated to make up 80-90% of the market. A recent report by Orbis Research (Dallas) indicates the market for hardware wallets will grow from $100M to $8B by 2025.
And what about real assets under management? Such as real estate, diamonds, equities, fixed income… at the moment being maintained on other backends than the blockchain. Currently, this is a $2-3B market, predicted by McKinsey and Boston Consulting Group to grow almost a thousand-fold to over €27.000B by 2027. For this type of users, blockchain offers numerous advantages over existing backend solutions in terms of speed, consensus mechanisms (so no single central player can adapt things), the fact that what is on the blockchain ledger cannot be altered anymore etc. And NGRAVE might be the only one capable of adding the safety of your private keys to that list…
Yet, the NGRAVE founders don’t let this potential fame and fortune get to their heads, as they generously say: “All and all, we feel the entire challenge of allowing blockchain technology to break through is a community effort. We are not about competition or pointing fingers to others who might do better or worse. What matters most is that we can globally unite the knowledge and expertise to tackle some important challenges such as blockchain security.”
Want to know more?
- Stay tuned on the latest developments and the product launch via the NGRAVE website.
- Watch an interview with NGRAVE CEO Ruben Merre on Vimeo.
- Recently, the Belgian national newspaper De Standaard published a feature on NGRAVE (article in Dutch and paid subscription only).
- A recent article on MIT Technology Review gives insight into more diverse aspects of blockchain security.
- Reuters article about a recent market report on hardware wallets by Orbis Research.
- The basic concepts of blockchain technology.
- The concept of a cryptocurrency and how it can obtain a certain valuation.