Ahmet Tuncay, CEO, Sepior

Cryptography is one of the most important arms of IT security. The purpose of cryptography is to protect data in transmission or in storage in the very likely presence of a criminal being able to intercept or access it. Cryptographic transformation of data is a procedure by which plaintext data is disguised, or encrypted, resulting in an altered text, called ciphertext, that does not reveal the original input. Sepior is an expert in doing this but what sets it apart?

The founders of Sepior are some of the most famous researchers in a particular field of cryptography called multiparty computation, (MPC).  MPC has its roots in secret sharing – the first seminal publication of a practical use of MPC was published around 2008 by the founders of Sepior including Ivan Damgard, Thomas Jakobsen, Jakob Pagter among notable others..

Ahmet Tuncay, CEO, Sepior said: “The idea was to determine a clearing price for commodities and the early use case was for sugar beets.. The notion of a secret auction, which is enabled by this protocol, was suggested for buyers and sellers to conduct an auction where the sellers need not disclose the price they will accept and the buyers need not disclose the price they’re willing to pay.  But you have to arrive at a clearing price for the economy to work. This was basically one of the first uses of secure multiparty computation which was later applied to other high-stake auctions involving electricity and licensed spectrum.  The essential elements were implemented by our founders over 10 years ago and their research probably predates that by another 10 years.”

Therefore, Sepior’s team has at least 15 years of work and experience working with the core cryptographic technology. In 2014 there was an understanding that multiparty computation could be used to protect any secret including cryptographic encryption keys. If you want to protect a high valued asset – and there is nothing more important than a cryptographic key – the traditional method is to build ‘walls’ around it.  Today a lot of cryptographic materials are kept in either a physical or a virtual appliance, but typically it’s a piece of hardware.  It’s called a hardware security module, HSM and this thing is basically a tamper-proof or evident appliance.  So if someone tampers with the HSM, it may destroy the keys and provide some evidence that it was attacked for forensics.

Tuncay says: “Of course, this is what modern networking relies on, and its cryptographic materials are kept in these HSMs.  The regulatory environment in the financial sector including the payment card industry and the defence industry, dictates that such machines be used to protect important secrets.  There is also a certification process called the Federal Information Processing Standards, FIPS 140-2 which mandates hardware appliances for advanced levels of protection.  But Sepior’s founders asked a deceptively simple question – why do we need all this expensive machinery and specialized skills in the consumption-based cloud era?”

This is so true.  The whole world, even the normally conservative financial sector, is moving compute, storage and database operations to the cloud, everything has been virtualised except the machines that are storing our encryption keys.  Sepior’s founders were simply saying – now why can’t that be fully virtualised, a pure-software solution running on common virtual machines that delivers the same levels of security as those relying on specialized hardware?

Tuncay says: “The founders of the company received the patent for using secret sharing to realise a virtual hardware security module – a pure-cloud, pure-software HSM.  This technology allows any company that wants to use their own encryption keys to encrypt data in the public cloud, typically multiple clouds. We now call this ‘bring your own key’ or BYOK for short.  . The driver for BYOK is that you cannot trust any public cloud service provider such as Amazon, Microsoft Azure, Rackspace, Alibaba, or any other to protect the privacy of your data from malicious actors, incompetence, or state-government overreach.”

If you are going to put your crown jewels into the public cloud to be stored in the networks of Amazon or Google, it makes sense that you should encrypt them before you load them up there, so that the cloud provider has no access to it.  If your data gets subpoenaed, then you are not at the mercy of the public cloud provider who would be required to hand your data over to whoever wanted it.  But if you encrypt your data, put it in the cloud and keep the keys yourself, then it’s secure, there are no two ways about it.

This notion is so compelling that the European Union provided company grants to go and develop the system.  So they offered quite a bit of money, grants really, which were funds that traditional investors can’t provide. Basically the EU paid for the development and commercialization of Sepior’s Key Management as a Service or KMaaS platform.  But it turned out, as we heard in the discussions this morning, large and established companies sell complex key management systems to big institutions which have very long sales cycles. While early stage small companies like Sepior can disrupt these markets, they also depend on quick revenues and can’t afford to wait around forever.  So we repurposed our technology for a specific use case in blockchain that doesn’t suffer from having a rip-and-replace legacy infrastructure.

As Tuncay says: “Our technology can be used for signing transactions and for trading digital assets like cryptocurrency.  We were able to get a partner in a company formerly known as SoftBank Investments or (SBI). SoftBank spun out its financial services business into a separate company called SBI Holdings which has become a giant fintech business with 23 million retail customers, that has among its many subsidiaries a trading unit with approximately 4.5 million retail exchange banking clients. Retail operations include trading in foreign currency, stocks, bonds, derivatives, and whatever else is desired by their clients. They also have a lot of customers who want to trade virtual currencies.  I think we forget sometimes in the US that 70 per cent of cryptocurrency trading is not done in the US in US dollars; it’s done in Asia in Japanese Yen, South Korean Won, , and Singapore and Hong Kong Dollar.”

SBI said: ‘We’re in Japan and they have access to the huge Asia–Pacific (APAC) market and want to build a bank-backed virtual currency exchange in the same way we do regulated exchanges today’ – if you have assets and you lose them to malicious actors or hackers, there will be certain assurances that your account there is going to be replenished.  Cryptocurrency trade regulations in Japan are ahead of where countries like the US are today.  SBI Holdings effectively created an institutional grade cryptocurrency exchange, so that their 4.5 million retail trading customers can buy and sell cryptocurrencies like they buy and sell commodities and stocks, or bonds and be aware that they’re dealing with an institution that’s going to watch out for them.

As Tuncay says: “Now, this is harder to do than say, so in our analysis we determined that the key piece of technology that’s missing is an online or hot wallet that manages the private keys necessary to sign for cryptocurrency transactions that is as near hack-proof as possible.. A digital wallet has to be on-line for transactions to occur, that’s how I would send currency to you or get currency from you.  Such wallets are very attractive honeypots for hackers. Off-line or cold wallets are much more difficult to hack but also not as interesting from a transactional point of view – they don’t allow any.

Also given that our customers are custodial exchanges, they hold the customers’ assets and participate in the execution of buy and sell orders, begging the question – how do you sign on the transaction?  Nobody necessarily trusts all the actors in a custodial transaction.  You have the broker, there’s the exchange, there’s the client, there’s the escrow, there’s a trusted third party.  So how do you know that a valid transaction is being presented to the network. This is the key piece that Sepior is providing, signing for a cryptocurrency transaction among potentially distrustful parties.  This is a very important enabling technology, we’re not operating the exchange, we’re not owning any cryptocurrency, but we enable these institutional grade exchanges to be realised, using our threshold cryptography technology.”

Sepior recently announced ThresholdSig – a technology similar to multisig which the crypto and blockchain community both use. But the idea of a ThresholdSig is basically doing blockchain transactions that look like traditional transactions with a single signature, but doing them with multiple approvers in a much more secure way, because you don’t make the public key available for anybody to steal.

Tuncay says: “This is a long journey and we’re at the beginning, so we’re going to find out if any of this stuff really is going to be accepted in the market, but we’ll make sure the technology works!  With our underlying technologies being essential to a broad set of applications in security, we can help improve the way data protection, transaction signing, privacy, identity management, and compliance and other adjacent use cases are designed. Even in permissioned and private blockchains where you want to control access to the data on the block used by smart contracts – our technology will help.  There’s no great way to do it today that’s scalable, so we’re also looking at that problem.  The future in this arena is going to be very exciting.”

by Bill Boyle
IBS Intelligence Senior Editor