Safeheron TEE-Based TSS-RSA Key Sharding Officially Open-Source, Empowering Arweave and More


As a transparent and open source digital asset self-custody platform, Safeheron is committed to contributing to the crypto world by providing a secure, transparent, and verifiable self-custody infrastructure.

In line with this principle, Safeheron has been continuously committed to open-source development.

Safeheron is thrilled to announce that our library, radical TEE-based TSS-RSA Key Sharding is now open source.

Safeheron recently formed a strategic partnership with everFinance, an Arweave-based decentralized financial platform. The Safeheron TEE-based TSS-RSA key sharding service will help everPay drastically reduce the time it takes to generate RSA key shards. Bringing trusted, verifiable institutional-grade security to everPay while maintaining efficiency and transparency.

This is the first time TSS-RSA key sharding has been used in conjunction with Trusted Execution Environment (TEE) technology, and we are excited to have TSS-RSA key sharding power the Arweave ecosystem. Safeheron's role as an infrastructure to strengthen the blockchain ecosystem is just getting started.


Advantages of TSS-RSA Key Sharding

TSS-RSA is a threshold signature algorithm library developed by the Safeheron security team in C++. It's based Practical Threshold Signatures, which not only allows for completely non-interactive signature generation and verification, but also reduces the content size of a single private key slice signature.

With this solution, crypto wallet providers can generate RSA private keys in a secure, efficient, and transparent manner.


EverPay's open-source library for generating key shards is Golang-based TCRSA, which takes about 30 minutes for the entire process. TSS-RSA, on the other hand, only takes an average of 30 seconds to generate all key shards.

As shown below: TSS-RSA takes 35.55s to complete a full round from signature generation to verification, whereas TCRSA takes 1673.92s, approximately 47.4 times slower than TSS-RSA.

Clearly, the efficient solution provided by TSS-RSA as shown above represents an order of magnitude speed increase that will drive a qualitative leap in everPay's wallet service experience while also unleashing greater ingenuity for the Arweave ecosystem.

Secure, Trusted & Verifiable

Currently, Watchmen in everPay are in charge of managing the assets that users have locked through proposals. ExecuteHub, a centralized server, generates the signature keys. However, centralized servers have been chastised for the security risks of data leakage, and their level of security has always been called into question.

Safeheron's TEE-Based-RSA-Key-Shard Service uses Intel CPU hardware's SGX confidential computing technology to solve the potential security problem of centralized generation of RSA keys by putting the entire key generation and sharding of the TSS-RSA (Threshold Signature Scheme of RSA) algorithm into the trusted execution environment. The RSA key is guaranteed to be available and visible only to the hardware of the encryption chip using this approach, resolving the potential security issues of the centralized process of generating RSA keys.

In conjunction with Intel's remote authentication technology, the entire process of key shard generation is technically verifiable and guaranteed to be trustworthy.

Transparent and Zero-Trust

Safeheron's TEE-based RSA key sharding is based on a zero-trust architecture, which means that every step of the process is verified, reducing the risk of malicious actions, and thus, our service is assured with security and reliability.

Technical Process of TSS-RSA Key Sharding

Generate Key Shard

Send an HTTP POST request to a server via trusted RSA key sharding, and the server will generate the corresponding key shard in response to the request. Once generated, Intel® DCAP remote attestation will validate the key shard once again.

Finally, the key shard and the remote attestation result will be sent to the callback address via an HTTP request.

HTTP Request Body Example:

Retrieve Key Shard

Send an HTTP POST request to a server with trusted RSA key sharding, and the server will determine whether any matching tasks are being generated based on the request. The outcome will be returned later.

HTTP Request Body Example:

Remote attestation is a critical component of Intel® SGX Trusted Computing technology, a cutting-edge feature that significantly elevates the trust of those who rely on the service.

Each program has a unique hash value on the corresponding computing platform on which it runs in order to accurately identify whether the logic of the service program itself has been tampered with. Any changes to the logic of the service program will cause the hash value to change.

Furthermore, each trusted service run is accompanied by the generation of a trusted certification report, which verifies that the current application is running on an Intel SGX-enabled trusted computing platform. As a result, the Safeheron team also open-sources the SGX-DCAP Remote Attestation Algorithm Library for verifying Trusted Attestation Reports, which effectively determines the legitimacy of Trusted Attestation Reports based on Intel root certificates.

For more information about Safeheron SGX Remote Attestation Verification:

Adding TEE Technology, Open Source Empowers the Arweave Ecosystem

The core infrastructure of blockchain technology is RSA asymmetric encryption. Despite the emergence of various forms of blockchain infrastructures in recent years, such as public chains, side chains, layer2s, cross-chains, decentralized storage, and so on, RSA's bottoming position in the private key generation link has remained unfazed.

However, with the advancement of DeFi, NFTs, and other application environments, security incidents continue to occur frequently. As a consequence, we've seen an increase in the prevalence of private key security-related security issues. For example, consider the previous Phantom wallet private key generation issue in the Solana ecosystem, which resulted in the loss of group assets.

Safeheron launched an open-source TSS-RSA key sharding solution that incorporates TEE trusted technology. In a multi-user co-management environment, the Arweave ecosystem achieved a breakthrough in decentralized storage from 0 to 1. Furthermore, the everPay project made significant progress in their wallet private key generation experience. It is a significant step forward for the blockchain industry as a whole, assisting forward-thinking technical organizations in realizing the security and reinforcement improvements in the private key generation processes.

Following that, the Safeheron team will continue to explore the collaborative possibilities with the Arweave ecosystem and join forces with several developers to provide more user-friendly, optimized security infrastructure that incorporates feature-rich solutions for the Arweave ecosystem.

Simultaneously, we will continue to improve MPC multi-user co-management solutions for private key security, as well as provide more scientific technical solutions for connecting assets to DeFi protocols, NFTs, and other application environments.

Last updated