Understanding The MPC Architecture

Hello,

I’m delving into the MPC Architecture and have several questions regarding the attached
TKEY MPC Flow Diagram:

  1. Could you specify the nature of the metadata stored on AWS by Web3Auth? Does the web3auth network hold the entire metadata key or merely a share of it? In a 2/3 setup, how many metadata key shares are required to access this metadata, and does Web3Auth possess the capability to access the metadata independently?

  2. Are the Metadata Key and TSS Key stored in an encrypted format across the Web3Auth network nodes, or are they held in raw form? I understand the keys are split across the nodes.

  3. Regarding the device share, what exactly does the “Factor Key” refer to? Is it a method like a passcode or Face ID for accessing the device’s Trusted Execution Environment (TEE), or is it a secret generated by web3auth used for encrypting the Metadata and TSS Shares?

  4. The diagram indicates that both the Metadata Share and TSS Share are “stored in Metadata” for the device share. Does this imply that the actual encrypted shares are kept in AWS and not on the device, or is there merely a pointer to their existence stored in AWS?

  5. For clarity, is this description of a device share setup accurate for a smartphone: A pincode or Face ID grants access to the TEE, where a raw Factor Key resides alongside an encrypted Metadata and TSS Key. The Factor Key decrypts the Metadata Key and TSS Key for transaction signing. Post-transaction, the Factor Key re-encrypts both keys?

I appreciate your assistance in understanding these concepts.

@d3baca Your request has been forwarded to our team and we will get back with further updates.

Hey @d3baca

Thanks for your questions. A lot of answers to your questions here can be found by reading our infrastructure documentation, which highlights where, how and what is stored in the Web3Auth Network Nodes, Metadata server and a user’s device.

Coming to your specific questions:

  1. The encrypted metadata store basically contains information about where and in what format a user’s information is stored across the nodes and the MFA setups. For MPC, it also holds the encrypted TSS Keys by the Factor Keys of a particular factor. The metadata key is never held in total, similar to TSS Keys, the storage of metadata key is conducted.
    The whole of Web3Auth Network contains the half shard of the full TSS Key and Metadata Key, the other half is with the user’s MFA setups. In MFA setups a factor key corresponding to the particular MFA, encrypts the TSS and Metadata Keys and stores that encrypted information in the metadata server itself. With half shard of the metadata key, you get read access to the metadata, however write access and decryption can only happen when the full key is available. Web3Auth doesn’t have the capability to read/write anything in the user metadata in the backend, since the whole of metadata is additionally encrypted with the metadata key.

  2. Within the Web3Auth Nodes, in key value pairs to the user identity, 1/18 part of the metadata and tss keys are stored. This data is private to the node, and no other node or the network members have any access to it. However, the node doesn’t encrypt this information on an individual entry level, it is overall encrypted and kept safe within the node itself.

  3. Factor keys are primarily used for data encryption/decryption. These keys provide a constant secret in different locations as shares to the TSSKey and/or metadataKey may rotate. You can generate your own factor key using any method you like and pass it over to Web3Auth. The key you pass will be used to encrypt Metadata and TSS Shares.

  4. The actual encrypted shares are stored in AWS, against the Pub Key of the Factor. Pub Key can only be used for encryption and not for decryption. Decryption can only happen once the Factor Private Key is present in the local environment. This is to ensure that if the keys rotate, the actual TSS Key and Metadata key for the factor is not lost, since the encryption key will always remain the same.

  5. No, the Factor Key is with the user, stored within the device or is generated by some algo defined within the app. For example, you can generate a BN using a UUID given by a Passkey service which authenticates using your FaceID. This BN will be the factor key. The factor key is never stored on any web3auth infrastructure. On a successful login via OAuth, the metadata is sent to the frontend of the user, where the SDK utilizes the factor key to decrypt metadata key and tss keys. Unless you call the function to update the metadata on the web3auth network it remains the same. Updating the metadata is only needed when you’re rotating shares, or adding/deleting your existing shares.

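The property answers 4 and 5 describe, a share encrypted to the factor's public key and kept server-side, while only the factor private key on the device can decrypt it and the same factor key keeps working after the share rotates, as an added toy example (not Web3Auth's code; it assumes a minimal ECIES-style scheme over secp256k1 with a SHAKE keystream and HMAC tag, standing in for whatever cipher the SDK actually uses):

```python
import hashlib, hmac, secrets

# secp256k1 parameters (assumed curve for this illustration).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition/doubling; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def factor_pubkey(factor_key):  # factor key is a scalar (the "BN"); pubkey is the point
    return ec_mul(factor_key, G)

def _kdf(shared):  # symmetric key derived from the ECDH shared point
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()

def encrypt_to_factor(pub, plaintext):
    """Anyone holding only the factor PUBLIC key can encrypt a share to it."""
    eph = secrets.randbelow(N - 1) + 1
    R, key = ec_mul(eph, G), _kdf(ec_mul(eph, pub))
    ct = bytes(m ^ k for m, k in zip(plaintext, hashlib.shake_256(key).digest(len(plaintext))))
    tag = hmac.new(key, R[0].to_bytes(32, "big") + ct, "sha256").digest()
    return R, ct, tag

def decrypt_with_factor(factor_key, blob):
    """Only the factor PRIVATE key (kept on the device) recovers the share."""
    R, ct, tag = blob
    key = _kdf(ec_mul(factor_key, R))
    if not hmac.compare_digest(tag, hmac.new(key, R[0].to_bytes(32, "big") + ct, "sha256").digest()):
        raise ValueError("wrong factor key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, hashlib.shake_256(key).digest(len(ct))))

def rotation_demo(factor_key, share_v1, share_v2):
    """Server-side store keyed by factor pubkey: the share rotates, the factor key does not."""
    pub = factor_pubkey(factor_key)
    store = {pub: encrypt_to_factor(pub, share_v1)}  # initial entry for this factor
    store[pub] = encrypt_to_factor(pub, share_v2)    # rotation re-encrypts under the same pubkey
    return decrypt_with_factor(factor_key, store[pub])
```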