[Question] Is it possible to implement signing in an MPC manner instead of using private key #1

Open
johnnynanjiang opened this issue Feb 21, 2024 · 6 comments

johnnynanjiang commented Feb 21, 2024

Hi folks,

It is great to have @domwoe refer to this iOS SDK for ICP from dfinity/sdk#3607

I've cloned and run the code, and it worked well.

Just a question around the following code at

    func sign(_ message: Data, domain: IcpKit.ICPDomainSeparator) async throws -> Data {
        try ICPCryptography.ellipticSign(message, domain: domain, with: privateKey).dropLast()
    }

Is it possible to perform signing in an MPC manner (e.g. sign_with_ecdsa of threshold signing at https://github.com/dfinity/oisy-wallet/blob/749d922d30a763469e6efd38fc14a4074fc162ef/src/backend/src/lib.rs#L7), which I think ICP is capable of doing, instead of having to use a private key / seed phrase, which has a risk of exposing the private key?

@kosta-bity
Owner

Hi Johnny,
Yes, it is possible. You can create your own implementation of SigningPrincipal. You do need to find a library that actually does the signing though (or write it yourself if it doesn’t exist).
Hope this helps.
Best

@johnnynanjiang
Author

johnnynanjiang commented Feb 21, 2024

Thanks @kosta-bity for your prompt response.

I assume the signing would happen in ICP Canisters instead of locally, so the Swift SDK would just need to be able to call the Canisters. Is my understanding correct?

Best regards

@kosta-bity
Owner

Correct.
The method is async so you can really do whatever you like, for example making a canister call.

@domwoe
Collaborator

domwoe commented Feb 21, 2024

@johnnynanjiang I think you are mixing up two things.

ICPKit allows you to interact with canisters on the IC, and you should authenticate your client against the canisters; therefore, you need to locally sign the message to the canister.

Then your canister-based wallet could create a threshold signature for another message like an Ethereum, Bitcoin, ... transaction.

@johnnynanjiang
Author

johnnynanjiang commented Feb 21, 2024

Thanks @domwoe for clarifying.

Regarding authenticating the client against the canister, if I understand correctly, there are some other authentication methods possible, such as Passkey (through Internet Identity) and OAuth2.

NFID wallet (https://nfid.one/, not open source yet) could be a good example as it supports Passkey as well as Google and Email authentication.

So I assume that it is feasible to implement those authentication methods in the iOS SDK for ICP. Do you have a plan for it for the near future, @domwoe @kosta-bity?

@domwoe
Collaborator

domwoe commented Feb 21, 2024

@johnnynanjiang I suggest watching the following talk to get a bit more info about how authentication on ICP works: https://youtu.be/7hIRDHoZy-k?si=gGdgat7_Dvo93iaG

OAuth2 is not easily supported in a canister (not sure if it's possible securely at all).

You can either create and manage the private key yourself in the native application, use Internet Identity, or use another service like NFID or even Web3Auth etc.
