Non-Custodial Key Management via Torus
Torus is a user-friendly non-custodial key management system for decentralized applications. The Torus team is hyper-focused on building an accessible and secure gateway to onboard mainstream users to the decentralized ecosystem. Their approach is to leverage existing login credentials such as Google, Facebook and other OAuth logins in combination with the innovative use of distributed key generation to provide a secure non-custodial solution for managing crypto payments, signing digital transactions, and performing other in-app on-chain authorizations.
Customizing Dapp User Experiences
Over 250 applications have integrated with the Torus wallet including Aave, Augur, Cryptograph, GoodDollar, MyCryptoHeroes, Yearn Finance, KyberSwap, and OpenSea. In addition, a growing number are using their DirectAuth SDK to customize signing capabilities and further enhance usability within their application. These applications all integrate Torus into their apps much the same as someone might integrate PayPal as a merchant payment solution, but much more seamlessly given the nature of cryptocurrency and tokens as first primitives.
Torus uses a progressive onboarding approach to allow users to improve the degree of security and trustlessness in their login credentialing. By this, we mean users are able to start with a single login credential (their Google OAuth username/password login, for example). Over time, and as users become more invested, they may choose to add a combination of authentications so as to reduce the risk that a single compromised password (or compromised system) will lead to breach of their wallet or Dapp login.
List of Supported OAuth Logins
Torus Wallet and DirectAuth Integrations
Torus offers two forms of integration: 1) integration via their wallet interface and 2) direct auth integration via an SDK. Integrating the wallet takes very little time and effort – minutes in many cases. Integrating via their SDK might take a bit more time – largely due to working through app design issues – but provides for much more flexible authorization capabilities.
This DirectAuth capability lets any app sign, store, and retrieve keys on the Torus Network outside of the wallet. This direct form of access lets developers customize in-app transaction flows by letting users set signature permissions, spending thresholds, and other on-chain transaction parameters. The current state of crypto is one where each transaction in the user sense might be a set of individual actions or events in the blockchain sense. Having to sign five or six times to conduct a single commercial transaction is not an optimal user experience. Torus’ DirectAuth capability gives developers a way to let users pre-authorize non-committal actions, pre-approve low-value transactions, set daily spending limits, or customize other low-risk confirmation thresholds, thereby improving the user experience.
An added benefit of using the direct auth method is that users gain the ability to customize their login credentials on an app by app basis. With the wallet, there’s a single login credential. With DirectAuth, app users can customize their login credentials on an app by app basis.
Distributed Key Generation
Torus is able to provide this type of seamless authorization via a distributed key generation and storage capability that runs on and is powered by an independent network of nodes. Torus uses a type of threshold secret sharing scheme, a category of algorithms that has been around since the 70s.
Private keys on the Torus Network are stored as shares. These shares follow a threshold access structure — as long as you have more than half of the total shares, you can recover your private key. For example, if there are 3 shares in total, you would need at least 2 of the shares to recover your private key. Threshold secret sharing schemes like this have been around since the 70s, and the most basic threshold secret sharing scheme is Shamir’s Secret Sharing.
The algorithms allow a set of nodes (or answer participants as they are referred to in the algorithms) to generate a key among themselves for which each of them have only a small portion of the key. No single node is able to reconstruct the key with the information they have. But if you gather a certain threshold answer participants, m of n for example, where n is above the threshold, you can arrive at the key.
What happens when you log in to the Torus wallet, you get your auth tokens which is the standard user login in the Web2 world. You then relay these tokens to a set of nodes on the backend – which each individually verify that you are who you say you are. The nodes use each auth token to return pieces of Shamir’s secret shares, the set of which only gets reconstructed in the front end browser context that’s running the Dapp. The key is never stored or reconstructed anywhere apart from this specific context. This browser context is ideally been made trustless by secure hashes or or being loaded via IPFS.
The Torus Node Network
A key part of this non-custodial scheme is the use of a set of independent nodes. This network has two primary areas of operation:
- Key Generation and Storage - The key shares are generated by nodes in the network and stored within the network as a collective. DKG interpolation.
- Key Access Control - This component consists of a generalizable verifier script which uses the network to verify what it is being asked to verify – namely the key shares that derived from one or more login accounts and stored in the nodes.
The nodes are run by a large ecosystem of stakeholders in the space, which all share the same vision to see the ecosystem grow. A list of the node operators can be viewed on the Torus site but a few of them include Binance, Etherscan, SKALE, Fortmatic, and ENS. At this point, it is a permissioned network, however, it is being progressively decentralized. In addition, an incentivization structure may potentially be added via an assessment of fees to applications using the network – the proceeds of which then being distributed to the nodes.
SKALE + Torus
The combination of the SKALE Network and Torus is a natural one as their purposes and capabilities complement each other. Integration is simple regardless of whether developers are using the Torus wallet directly or using the DirectAuth integration. With the Torus wallet, access to the SKALE Network is built in. Developers can simply change the RPC endpoints and then they’ll be able to access their SKALE chain(s).
With Torus’ DirectAuth capability, developers have greater control over key management and user permissions. Insofar as connecting to the SKALE Network, they can do so as well with the SKALE SDK. In other words, connecting to the SKALE Network can be done via the Torus Wallet or directly through the SKALE SDK. The combination is important because both increase app usability and reduce the friction that is unfortunately commonplace in many blockchain-based applications.
Both SKALE and Torus view it as their mission to make it easier for developers to build a new generation of Dapps and to help power this next great move in decentralized solutions.
Technical highlights of the SKALE Network include:
- Zero to Near-Zero Gas Fees
- Random Node Selection/Frequent Node Rotation
- Virtualized Subnodes
- Containerized Validator Nodes
- Consensus via Asynchronous Binary Byzantine Agreement (ABBA)
- BLS Rollups
- Node Monitoring
- Ethereum Interoperability
Details on the SKALE Network can be found here:
- SKALE Explainer Video #1 (Pooled Security Model)
- SKALE Explainer Video #2 (Virtualization & Containerization to power decentralized systems )
- SKALE Network: Technology Primer
- SKALE Network: Technical Highlights
Interview with Zhen Yu, Co-Founder, Torus
The SKALE Labs team sat down with Zhen Yu, Co-Founder of Torus, to talk about Torus, Dapp developers, auth integrations, and more. Zhen lives and works in Singapore.
How is Torus doing and what industries are most active?
We’re doing well. We’ve been around for over two and a half years. Over 250 apps are using Torus and we’re seeing tremendous growth especially when it comes to the DirectAuth integration. We are seeing the most interest in DeFi and gaming. Here we’re seeing growth both in the number of integrations as well as growth in use by end users.
What’s the reasoning behind the approach you’ve taken?
One of the biggest value propositions of what we do is to provide much of the same user experience that mainstream web users already have but within a Web3 world. Torus makes it so systems do not have to change anything on their end and still be able to generate crypto wallets and use them within the Torus network.
For example, for one of our enterprise customers had their own traditional company login and without any change to their systems, their users are now able to make use of public and private key pairs within their company authentication system. This essentially allows each of their users to be able to interact with any blockchain-based corporate solution they offer regardless of whether it's running on any public or private blockchain.
Can you explain what’s special about DirectAuth connection and why you’re excited about it?
DirectAuth lets Dapps assign, store, and retrieve keys from the network directly without going through the wallet. This direct connect gives any application a way to customize their security features and set their own permissions controls in a way that suits their particular use case as opposed to wallets pushing their own restrictive controls.
To give you a good example of this, the Torus wallet, Metamask, and, basically, all web wallets use a highly restrictive flow on all signatures, be it transactions or just simple signature approvals. This is why you have all these confirmation windows for every transaction you trigger. This restrictive approach, though, might actually be necessary for all transactions – especially low-value transactions or interactions such as when you're playing a game and make moves with little to no monetary value or say, you frequently make a number of low monetary purchases and want to pre-approve them or set a daily threshold limit.
For wallets, it becomes hard to find a good balance between relaxing restrictions and introducing vulnerabilities and potential attacks from other applications. It's not possible to find a one-size fits all use case that works for every application out there. Using DirectAuth, applications can construct their own permissions use case that fits their users. A good example of this is maybe a gaming application that allows you to top up N transactions or N amounts of value and then spend it accordingly without having to go through five confirmation screens to buy a card pack, for example.
Are you seeing differences in the way applications are being built using the direct auth approach?
Yes, definitely. We are really starting to see applications finding a mainstream audience and seeing larger numbers of users and levels of adoption that we all want to see. A great example of this is Audius. It’s a music streaming app which has hit 200K users a month within six months. They handle the key management and permissions flows all on their side.
When you go into their application, you can really see that it’s about music and listening to music first and that crypto is just in the background. And that's how it should be. Decentralization isn't a need to a user. Listening to music and having your music protected is a need, not decentralization. Decentralization is only something that helps you build something better.
What excites you about the SKALE Network?
Simplicity of integration, it just fits. SKALE lets developers improve the speed of their network and operate with much lower transaction fees. Both networks/platforms are really easy to use. We both have a focus on being developer focused and on ensuring that developers have an easy time understanding the technology as well as go through a smooth process in getting started. It is really important to develop the community in general. I'm definitely excited at seeing some of the applications that are being built on both platforms.
Thank you for your time to talk with us.
Not at all. It was a pleasure. Until next time.