Ceremonies
Ceremony is the process of executing the algorithm designed for creating a workspace.
The private key is divided into three key shares using MPC technology. Signing authority is exercised through three sources, requiring the signing process to involve a ceremony with all three key shares. This adds an extra layer of security and prevents any single source from possessing full authority. One of the three key shares of the workspace’s private key is stored on the workspace owner’s mobile device, while the other two are stored in Paribu Custody SGX environments.
During the creation of the three key shares, the private key is not generated as a whole. The private key is never generated as a whole at any stage of the process.
Users join four different ceremonies:
- Key Generation Ceremony
- Transfer Ceremony
- Key Derivation Ceremony
- Key Resharing Ceremony
1. Key Generation Ceremony
Section titled “1. Key Generation Ceremony”The Key Generation Ceremony takes place when an owner is added to the workspace.
The owner’s key is generated during the creation of the workspace. The workspace owner who created the web setup logs in to the app from their mobile device and joins the “Key Generation Ceremony” communicated by the operations team. In the Key Generation Ceremony, three key shares are created, and one key share is saved to the owner’s mobile device.
During workspace creation, a Key Generation Ceremony takes place in each curve (as many as supported) for the creation of the main address and proxy addresses. The owner’s mobile device and Custody servers join the ceremony together. During the ceremony, the private key is not generated as a whole. Instead, three key shares are created, which are significant when combined.
2. Transfer Ceremony
Section titled “2. Transfer Ceremony”The Transfer Ceremony takes place to send a transfer to the network.
Each transfer concludes with a signing process. While the Transfer Ceremony is taking place, the user with the key share (owner, admin, or signer) joins the ceremony from their mobile device. The Paribu Custody servers, where the two key shares reside, also join the ceremony. Together, the three key shares provide a signature for the requested transfer.
3. Key Derivation Ceremony
Section titled “3. Key Derivation Ceremony”This ceremony takes place when users with signing authority roles (admin, signer, and proxy signer) are added to the workspace.
When users with signing authority roles (admin, signer) are added to the workspace, a new key share is derived from the owner’s key share. When an admin or signer wants to be added to the workspace, they go through the necessary approval stages. Once the approval stages are completed, the Key Derivation Ceremony is automatically transferred to the workspace owner’s mobile device. A separate ceremony is created for each curve. Key creation for users with signing authority begins when the owner joins the Key Derivation Ceremony.
4. Key Resharing Ceremony
Section titled “4. Key Resharing Ceremony”This type of ceremony takes place to assign ownership of key shares when users with signing authority roles (admin, signer, and proxy signer) are added to the workspace.
The Key Resharing Ceremony is automatically transferred to the mobile device of the new user (if not an API user) upon successful completion of the Key Derivation Ceremony joined by the workspace owner. The user designated to receive the key share joins the Key Resharing Ceremony on their mobile device. Once the process is successfully completed, the user receives the key share.