Decentralizing Key Management: A Deep Dive into Lit Protocol

Mariaprestidge
Oregon Blockchain Group
7 min read · Mar 18, 2024

Lit Protocol is a security network that offers a decentralized key management system for building apps and experiences that leverage keys for various use cases (e.g. verifiable credentials, wallets, token gating).

Lit’s key management network enables developers to create apps and wallets that use secrets, such as private keys, without single points of failure. This means that even if one part of the system fails, the entire system won’t collapse, ensuring the safety and accessibility of users’ digital assets. The keys are distributed and fault-tolerant, enhancing the system’s robustness and reliability by decreasing trust assumptions and inversely increasing security. The network also gives developers the ability to build products that utilize public key infrastructure (PKI) without relying on a centralized authority to manage the keys. By using these features to provide a decentralized network for managing keys, developers have the ability to create apps for users that are secure and accessible.

Encryption and decryption occur on the client side, based on “Access Control Conditions” that are defined by the end user, using either on-chain or off-chain data. For example, a condition could require a user to own a specific NFT in order to decrypt content. This process also applies to off-chain data through “Lit Actions”, which are JavaScript functions that are stored immutably on IPFS. Essentially, Lit Actions are more powerful smart contracts written in JavaScript. In the protocol, a Lit Action drives the Lit nodes through a series of steps. First, the Lit Action is executed by each node with the submitted input. Each node then verifies that the input meets the required conditions. If the conditions are met, the node provisions an independent key share. Each node is then asked to sign the data with the ECDSA algorithm, using its private key share of a distributed ECDSA key pair, known as a Programmable Key Pair (PKP). The resulting signature share is returned to the Lit JS SDK, which automatically combines the shares to form the full signature. It’s important to note that the complete signature can only be formed once more than ⅔ of the shares have been collected.

Unlike traditional public and private key pairs, PKPs have an additional layer of programmability that lets developers control and manage access to their resources. Each PKP is generated using Distributed Key Generation (DKG), a process in which the Lit nodes generate a new public/private key pair and each node holds only a share of the private key. By splitting keys among multiple nodes, the Lit network eliminates the risk of a single point of failure. PKPs are represented as ERC-721 NFTs, with the NFT owner becoming the designated controller of the PKP, capable of assigning additional signing logic and authentication mechanisms using Lit Actions. Each PKP serves as a wallet, with the private key distributed across the Lit network. This unique design offers a level of censorship resistance and fault tolerance that surpasses typical 2-of-2 MPC designs. Most of these 2-of-2 systems also require the end user to manage a key share, complicating the user experience (UX). Consequently, with those systems a smooth web2-style onboarding UX, without seed phrases or private key management, becomes unattainable.

Lit Actions are blockchain agnostic, meaning they have an inherent capacity to communicate data across blockchains, enabling interoperability across previously disconnected ecosystems. Used as a conditional, a Lit Action executes specific logic and verifies that the required conditions are met. If the conditions are met, an independent key share is provisioned. This conditional aspect allows for fine-grained control over cryptographic operations. Users are able to define automated signing logic, such as setting up an on-chain limit order for the assets in the wallet or configuring a monthly dollar-cost average investment scheme. This signing logic is flexible and can be tailored based on the specific context and applications in use. Lit Actions are important for developers because the programmability allows PKPs to adapt to various use cases and specific business requirements. The use of Lit Actions in conjunction with PKPs also enhances the capabilities of what’s possible with account abstraction, such as allowing the computation of off-chain data with on-chain conditional signing. Furthermore, Lit Actions can make arbitrary HTTP requests, opening up a new realm of possibilities for smart contracts, as they are now able to access data from external sources such as HTTP endpoints, blockchains, state machines and decentralized storage systems.

This feature enables secure data storage on the open web and facilitates content sharing across communities. It can be used in a variety of ways, such as designating roles in a DAO with NFTs or granting discounts based on token ownership. Further, Lit manages decryption keys but does not store the encrypted content, allowing developers to choose their preferred storage provider, including Ethereum, IPFS, Ceramic, AWS or Google Cloud.

Lit Actions have also enabled Lit to incorporate its infrastructure to encrypt users’ personally identifiable information (PII) in verifiable credentials. These credentials are a way for users to express their qualifications or achievements in a tamper-proof and private way, using cryptographic signatures to ensure their authenticity. Using Lit, users gain full control over which credentials are public and which ones are encrypted for specific individuals based on Lit Actions. For developers, the instant verification of authenticity can save them time and resources that would otherwise be spent on manual verification processes. In addition, verifiable credentials are designed to be interoperable, making it easier for developers to integrate their apps with other systems.

Lit Actions also enable token-based access control for users through the decentralized key management network using threshold cryptography. This type of cryptography protects information by encrypting it and distributing it among a group of fault-tolerant computers. The message gets encrypted using a public key, and then the corresponding private key is shared among participating parties. With Lit, threshold cryptography is used to distribute encrypted key shares across the Lit network, ensuring that no centralized authority can withhold access. This system allows developers to create decentralized token-gated apps where users must sign a message in order to prove ownership of a token to gain access. Token access control is critical for developers because it provides a secure way to manage access to resources, as the tokens can easily be revoked or issued without changing the app’s code. It also allows for more fine-grained access control because different tokens can be issued for various levels of access. Further, it simplifies the authentication process, as users only have to manage a single token rather than multiple usernames and passwords. This enhances the user experience while reducing the risk of security breaches due to weak or reused passwords.

Lit offers decentralized encryption and decryption by using multi-party computation (MPC) and threshold secret schemes (TSS) to distribute encrypted key shares across the Lit network. MPC enables multiple parties, each holding private data, to evaluate a computation without ever revealing any of the private data held by each party. For example, in a digital wallet, MPC can be used to securely manage cryptographic keys and secrets. TSS, in turn, is a special case of MPC where the function to be computed is a cryptographic digital signature, and the private inputs are secret shares of the signing key. In the context of Lit, TSS is used to distribute encrypted key shares across the Lit network, ensuring that no single participant holds the complete signing authority, further enhancing security and reducing the risk of unauthorized access. This enhances the user experience by providing a more secure and convenient way to manage digital assets. For developers, MPC and TSS offer a robust, industry-grade solution for key management and protection. They allow developers to build more secure, user-centric apps without worrying about the management of private keys.
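The flow described in the signing and TSS passages above (each node checks the condition, signs with its own key share, and the client combines more than ⅔ of the shares without ever rebuilding the key) can be sketched as follows. This is an added example, not Lit's code: it swaps threshold ECDSA for a toy exponent-based threshold signature, uses a trusted dealer in place of DKG, and `P`, `Q`, `SECRET`, `NODES` and `ownsNft` are constructed assumptions.

```javascript
// Toy parameters (constructed): safe prime P = 2Q + 1. Far too small for real use.
const P = 2039n, Q = 1019n;
const N = 10, T = Math.floor((2 * N) / 3) + 1; // 10 nodes; "more than 2/3" means 7

const mod = (a, m) => ((a % m) + m) % m;
function powMod(b, e, m) {
  let r = 1n;
  for (b = mod(b, m); e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
}
const invQ = (a) => powMod(a, Q - 2n, Q); // Fermat inverse, valid because Q is prime

// Map a message into the order-Q subgroup (squares mod P). Not a real hash function.
function hashToGroup(msg) {
  let x = 0n;
  for (const ch of msg) x = (x * 131n + BigInt(ch.codePointAt(0))) % (P - 3n);
  return powMod(x + 2n, 2n, P);
}

// Stand-in for DKG: a dealer evaluates f(x) = secret + c1*x + ... (mod Q) at x = 1..N.
// A real DKG has no dealer, and no single party ever sees `secret`.
function dealShares(secret, coeffs) {
  const f = (x) => [secret, ...coeffs].reduceRight((acc, c) => mod(acc * x + c, Q), 0n);
  return Array.from({ length: N }, (_, k) => ({ id: BigInt(k + 1), share: f(BigInt(k + 1)) }));
}

// Each node checks the access control condition itself before touching its share.
function nodeSignShare(node, msg, ctx, condition) {
  if (!condition(ctx)) return null;
  return { id: node.id, sig: powMod(hashToGroup(msg), node.share, P) };
}

// Client side: Lagrange interpolation at x = 0 "in the exponent"; the key is never rebuilt.
function combineShares(shares) {
  return shares.reduce((acc, { id: i, sig }) => {
    let lambda = 1n;
    for (const { id: j } of shares) if (j !== i) lambda = mod(lambda * j * invQ(j - i), Q);
    return (acc * powMod(sig, lambda, P)) % P;
  }, 1n);
}

// Returns the full signature, or null when fewer than T nodes returned a share.
function thresholdSign(nodes, msg, ctx, condition) {
  const shares = nodes.map((n) => nodeSignShare(n, msg, ctx, condition)).filter(Boolean);
  return shares.length >= T ? combineShares(shares.slice(0, T)) : null;
}

const SECRET = 777n; // constructed key, known here only so the result can be checked
const NODES = dealShares(SECRET, [5n, 11n, 23n, 42n, 99n, 314n]); // degree T - 1
const ownsNft = (ctx) => ctx.nftBalance > 0; // hypothetical access control condition
```

Any 7 of the 10 shares produce the same signature, while 6 shares interpolate to a different value, which is what lets the network tolerate unavailable nodes without giving a minority signing power.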

Furthermore, Lit can be used to provide wallets that are pre-generated from human-readable identities, such as phone numbers or emails. These wallets handle the setup, generation and secure storage of necessary cryptographic keys. They also use session keys to authorize a variety of actions without the need for repeated authentication. Given these features, Lit emerges as an ideal solution for developers aiming to build user-friendly apps that prioritize security and ease of use.

Unlocking Lit Protocol From a Non-Developer Perspective

Lit Protocol is a technology that is designed to make a user’s online experience safer and more seamless. Users have a variety of different keys for different services on the internet, such as logins for social media, online banking and email platforms. Each of these keys represents a part of a user’s digital identity, and the management of many different keys can be complicated and risky if not done properly.

Lit Protocol, being a key management system, is a solution to this as it acts as a secure, digital keychain that holds all of a user’s different keys. It uses advanced technology to ensure that only the specified user has access to their keys, much like a highly secure safe. Lit Protocol allows users to have control over how their digital identity is used. For example, users can set rules for when and how a service can use their key, giving them more control and security over their digital identity.
