The promise of blockchain enabled applications is rooted in empowering users and creating positive sum games where everyone can win, without needing rent seeking intermediaries. Until now, the nature of decentralization has made blockchain applications hard to use for the average internet user.
At Deconet, we’ve implemented a solution for users to control their private key without requiring these users to understand any new systems, conventions, or standards. Deconet is a marketplace where companies can get work done by elite freelancers and curated teams that leverages blockchain and programmable money,
Underneath the hood, the Deconet marketplace is powered by Smart Escrow, a peer to peer, smart contract system running on blockchain and decentralized file storage. This Smart Escrow system eliminates the need for a trusted third party intermediary to hold the funds while work gets done.
When funds are placed into Smart Escrow, companies incentivize the teams they are working with to get milestone based work done, within a per agreed upon window of time. Due to it’s peer to peer nature, approving proposals from teams, accepting / declining milestones, and managing disputes are functions that require a private key for the user to ‘talk to’ Smart Escrow.
The remainder of this post will detail how client users interact with Smart Escrow without the knowledge that they are using a decentralized application and without having to manage private keys. These Deconet users are not required to use a third party wallet (MetaMask, Scatter, etc) and do account recovery in a modern way, without a twelve word recovery phrase.
Our system leverages the user’s browser to execute a variety of functions, from creating private keys, to sending emails, and interacting with the blockchain. This all happens behind the scenes, users see a delightful loading gif.
When a user signs up for Deconet, a deterministic private key and corresponding blockchain address is generated using their email and password. The secret (email + password) gives the user control over their private key, and needs to be remembered which makes this a type of ‘brain wallet’. Brain wallets are not an original idea, and have received some notoriety in the past in the Bitcoin community. Our implementation is inspired by WarpWallet, which uses key stretching techniques to make brute force impractical. The WarpWallet technique also salts the user’s password with their email address, meaning any attack must target a specific individual, which also breaks the ability for an attacker to create a rainbow table.
When the private key is derived, it exists only within the user’s browser for the current browsing session. Deconet does not have access to the private key. Once the private key is in the browser, the browser interacts with the blockchain via meta transactions powered by user interface actions. From the user’s point of view, they are just clicking on buttons on an application they’ve signed into. Deconet pays the blockchain fees. Each action performed by the user is signed by their private key, which get broadcast to the Deconet Smart Escrow contracts, running on blockchain.
The main issue with using a WarpWallet-style brain wallet is account recovery. In the past, if a user forgot their brain wallet password, they lost control of the account. From the lens of user experience, this is not acceptable. In order to understand how a user to recovers their account on Deconet, we’ll need to detail what happens when a users creates their account.
The user’s brain wallet is generated upon clicking “Sign Up”. At this point, the browser splits this private key into two of two parts via Shamir’s Secret Sharing scheme. The browser then sends half of the secret to the user’s email and sends the other to Deconet. It’s worth noting, one of the key parts is not enough to get control of the account, both parts are required. Of course, this is fully automated, the user just sees a loading gif.
When a user needs to needs to reset their password, they have to find the email that contains their reset link. Upon clicking this link, they are sending their half of the secret up to Deconet where it’s combined with the half of the secret we hold. At this point, the process starts over again, a new wallet is generated in the browser, split into parts, etc. The authority of the forgotten brain wallet is transferred to the newly generated private key. Additional layers of security (more key parts, pin codes, 2 factor authentication, what’s your first pet’s maiden name, etc) can be layered into the recovery process.
For users, the only difference in their journey is that the recovery process starts at their email, opposed to a ‘Forgot Your Password?’ link. If you’ve got any questions about how this process works, please drop them in the comments or find us on Reddit and Telegram.
The talent community and platform Deconet is currently working on an invite only basis. If you’ve working on a project and need some elite talent to help build your dreams, request an invite right here.
If you’d like to see a Deconet demo, check out this post.