Digital ownership is one of the core benefits that blockchain technology brings to the table. Giving people complete and autonomous control of their assets is a liberating concept, but in practice it can create difficulties that many in crypto have become painfully aware of.
I’m talking about securing your private keys.
Whether you’re new to the cryptocurrency space or a veteran, one of the first pieces of advice you probably received was, “Don’t keep any crypto that you aren’t actively trading in your exchange wallet”. It’s right up there next to Do Your Own Research (DYOR) and HODL in every beginner's guide to cryptocurrency that was ever written (including my own).
Turns out that taking real ownership of your assets comes with some serious responsibility. We’ve all heard the horror stories of people losing their private keys, or not protecting them well enough and being hacked, or even being among the many victims of a greater exchange hack.
The cryptocurrency market is scary, and that in itself is an issue. Fear is a substantial roadblock on the path to mass adoption. If we want the industry to grow, for cryptocurrency to become more widely accepted, we need to create better systems that allow secure and simple business to occur.
When I met the NGRAVE team, this was something we really seemed to agree on.
NGRAVE is getting ready to release a hardware wallet, the most secure wallet in existence. What really fascinates me about NGRAVE, however, more than the product or its benefits, is the intellectual powerhouse that formed the cryptography and security present in their product.
Add to that the fact that it doesn’t seem like any other hardware wallet provider has done nearly as much due diligence.
After meeting the NGRAVE team in person, I started doing research into other hardware wallets to see if NGRAVE was really as comparatively secure as the team made it seem. The more research I did, the more I realized that other hardware wallets have done very little to show customers what or whose intellectual property is securing their funds.
For security reasons, a hardware wallet provider can’t make their project open source. As a counter to this, they often conduct bug bounty programs to incentivize ethical hackers to expose flaws in their system and report them. Bug bounty programs are a great way to motivate people to help secure your product, but I want to know what security experts helped secure the product in the first place.
Several questions came to mind: Who contributed to the project? Why is that person an expert in security? How have they helped the project move forward? These are all important factors that I couldn’t find any information on when I was researching many hardware wallets.
We need to apply the same level of scrutiny to hardware manufacturers in the space that we apply to cryptocurrencies as they launch. At the moment, there are only a few legitimate players in the space, and I’m of the opinion that there isn’t enough competition to promote innovation.
Which is why I circled back with Ruben Merre from NGRAVE to learn more about his project, and see what he was doing to make security in blockchain both easier for new market entrants, and more powerful than the competition.
Can you tell me a little bit about yourself and how you got into the space?
Ruben: I’ve been working as a strategy, management, and innovation consultant for several years now and eventually ended up launching multiple innovative products and tech projects as an external entrepreneur “for hire”. These projects typically had a heavy mathematical component; for example, I launched one of the first robo advisors (automated quantitative investment platforms) in my home country. I’ve also been - and still am - passionate about more traditional stock market investing. And that’s the reason why I stayed out of crypto for - well, I’d say, too long. As a renowned value investor and one of those guys we all know, Warren Buffett states that you should stay away from markets that you don't understand and/or markets that have that “bubble” characteristic. Obviously, crypto has been behaving very “bubbly” on many occasions. So even though I knew of its existence, I stayed away, following the advice of Buffett.
But when Edouard, one of our co-founders, told me in late 2017 to “just have a look under the hood of this beautiful technology,” I obliged, and I was actually pretty baffled by what I saw in terms of underlying technology. You know it’s like you kind of already knew, but you needed someone to give you that little push. But blockchain had and has to be the future.
I remember that it was around the top of the market and Bitcoin was close to its top at ±$19,000. At the time I did a lot of technical analysis myself, so I made my first chart of BTC on TradingView. And my very first post went something like this: “Okay, Bitcoin looks pretty bearish right now. But I don't really know this market, so maybe it is bullish on the daily and bearish on the weekly and we still have plenty to gain.” And so I did buy a bit, just because of the FOMO. And then, BTC crashed, as I more or less anticipated. So overall technical analysis does still seem to apply for the most part to crypto, which makes sense as TA is basically a self-fulfilling prophecy. In the same month, January 2018, I founded a crypto community where we did fundamental and technical analysis of cryptocurrencies.
In just a couple of months we reached over 50k views on our tweets on a weekly basis, and over 100k views on our TradingView charts. At the time, I was also leading a huge endeavor to set up a new business unit in the algorithmic trading and asset management department for an international financial institution and I enrolled in the Blockchain Strategy Program at Oxford University.
The channel doesn't exist anymore, but it got me to start thinking about how the security part really is a big problem. Edouard happened to know Xavier, our CTO, who has had a very interesting experience with security while in crypto.
Xavier bought his first bitcoins back in 2013, for which he basically had to play the game “Second Life”, buy the “local” digital currency, the “Linden Dollar”, with which he could then buy BTC. In 2014, he lost funds for the first time in the Mt. Gox hack, and later the project he was working on (Swarm City) was one of the ones most impacted by the Parity hack, losing around 44,000 ETH in the act. Hours after the now notorious “Parity hack”, he engaged with a couple of white hat hackers who eventually preventively hacked around 500 projects for a total worth of >$200M. Those experiences made him increasingly aware of and interested in security. And from both my and Edouard’s side, we shared the feeling of insecurity when logging in to our wallets.
What is so wrong with current wallets that you felt the need to make your own?
Ruben: We believe that the first thing that's missing in the market is an end-to-end solution. Because even if you have made a super-secure wallet, that does not cover the whole customer journey. Let's say you have a Ledger Nano, which is by itself a very interesting device. In the same box, they give you a piece of paper to write down your seed. The thing is they don't really think about the next step, it’s all about the wallet. If you lose it, you're basically on your own with your piece of paper. If you talk about cryptocurrency exchanges, there are even more points of weakness there - password, ownership, etc. The exchanges can only provide you security once within their platform and even that is not something they can guarantee. Even more important and dangerous is the fact that they give you, as a user, login credentials, but they keep the ownership of private keys at all times.
A second big takeaway we had in the beginning was the concept of what we call, “Crypto’s Box of Pandora”. In ancient mythology, opening this box results in unleashing all evil into the world. In crypto, the equivalent of this is establishing an online connection (to your hardware wallet). As soon as you make a connection, hackers can open their entire toolbox and try to attack your solution.
So we decided to build something that is 100% offline, because that's the only way that you can really remove the risk of remote attacks. Our solution is the NGRAVE ZERO, our proprietary hardware wallet, characterized by the fact that it is completely offline. So no 4G, no Bluetooth, no Wi-Fi, no USB, no need to connect it in any way whatsoever. It is a true standalone device with a simple button to turn it on. The screen then pops up and you can generate your seed / private keys, sync your accounts with our app, receive and send transactions, basically anything you’d want to do with your crypto. The beauty is that nobody can steal your crypto because the private key is never exposed and inherently computationally unbreakable.
The inherent unbreakability of the private key is the strength of blockchain today, yet also its weakness, its “Achilles Heel”. If you lose your private keys, you lose ownership of your coins. With exchanges, even with two-factor authentication and everything else, they still own the private keys. Hardware wallets are great, but being connected by USB or Bluetooth, they still give that feeling of being “online” and there are proven vulnerabilities. Well, with our solution you don't have that. Suddenly you can sit down and comfortably, conveniently, calmly manage your crypto with a true offline solution that cannot be remotely attacked. And obviously, we also made the device physically impervious to tampering attacks as well.
When did you start focusing on NGRAVE as a product?
Ruben: Around April of 2018, we drew out the entire customer journey of someone buying a hardware wallet and basically every what-if scenario. We wanted to address someone losing his hardware wallet, losing his back-up even, and a way for next-of-kin to recover the private key after the death of someone. All of these things are huge problems in crypto. If you think about Quadriga, a couple of months ago, the CEO basically dies and the exchange is locked -- solely because his private keys can’t be recovered. Everyone with funds on that exchange suddenly lost access to them. Then there’s the practice of writing down your private keys on a piece of paper, which is almost a medieval way to protect your precious back-up. You have all these crazy random events that shouldn’t be able to stop people from accessing their funds.
We wanted to do something to help spread worldwide blockchain adoption as far as we can, and our experiences led us to security. The original idea of A SIMPLE hardware wallet has over time evolved into a full end-to-end solution. One where we have a hardware wallet, a backup solution, and an app. Secure, and convenient.
In our opinion, we have found a very effective way to address all the pain points a customer can experience: if you lose your NGRAVE wallet, you will have a super-secure backup. If you lose your backup, well, we actually have the first backup that you can really recover without having to resort to something complex. And we can actually recover your backup and send it to you without the risk of anyone finding out your key in the process.
Something that’s really amazed me about hardware wallets is how little information you can find about how they’re secured. I understand that they can’t be open-source, but it’s concerning not to have more insight into the minds that crafted the security protocols in place. What have you done at NGRAVE to ensure the security of your customers' funds?
Ruben: So in parallel with thinking out our solution, building our first functional prototypes and filing the patents, we decided to find the right partnerships to help us build the best product possible. We thought that if we were going to do this, we would have to do it better than everyone else. And that meant we had to partner up with the best in their fields, the best in the world.
One of our core partners, IMEC, is the world's leading innovator in nanotechnology and nano-chip manufacturing. To give you an example, they invented the first atom-size chipset in 2018.
IMEC has an acceleration program that we applied to, just two months after we had our idea. They're the number one university-linked tech accelerator in Europe, and number four in the world. When we first approached them we spoke to someone from the network who told us to apply next year; he said we were too early for IMEC to be involved. Two weeks later we spoke with a second person and she told us that she loved the idea and that we really had to apply, two days before the deadline. And just four minutes before midnight on the day of the deadline, 1st of June 2018, we filed our application.
By the end of June, we were in the program. I haven't seen anything like this program before, it's completely crazy. They support you in so many ways. IMEC actually came knocking at our door at one point because they saw that we were really going for it. They asked us, “How about we build this together”, and the only thing we could reply to that was, “that’s probably not a bad idea.”
At this point we’ve been working directly with IMEC for a while. We're almost finished with our product development. I’m really happy about it, the solution looks incredible, from the electronic circuit board to the anti-tampering framework, the overall design and casing, and so on.
That's just the technology side, we also needed to work with the best when it comes to security, which is why we were introduced to COSIC. It's the world's leading research group for industrial cryptography and computer security. They invented AES 256, till this day still the worldwide data encryption standard. And they’ve invented, co-invented, or juried on many of the most powerful cryptographic algorithms in the world. At this moment, they have two projects running in the competition for the post-quantum cryptography standard by NIST.
For us, they were the rock stars of cryptography, so it was amazing to meet them, and now we have a great working relationship. We work with COSIC and IMEC to cover everything that we might not have thought of. Finally, we also have some other incredible partnerships which we cannot yet disclose right now.
The most impressive part of NGRAVE, in my opinion, is this insane think-tank you’ve put together on the technology and security front. When I’m using a product to secure funds, I want to know that not only is the team capable, but they also reached out and found the most capable people in the world to brainstorm with. It’s honestly quite impressive that you’ve managed to get so many intellectual powerhouses behind your product.
I want to talk a little bit more about the design. Correct me if I'm wrong, but I haven't seen any other wallets that have a digital display on them. I definitely know I haven’t seen any with a camera! What inspired you to put a screen and camera in the device itself?
Ruben: Well, if you really want to make it easy, put a touchscreen on it. Ever since the iPhone, people have become really used to working with touch screens. There’s no reason we shouldn’t have that level of user-friendliness in crypto. Regarding the camera, if you want to scan a QR code to transfer funds, for example, how can you do that with a Ledger?
In our case, you have a camera on the back of the ZERO, you easily scan QR codes, you see everything you want or need to see on the display, and that simply makes it so much more intuitive.
So if you and I both have an NGRAVE and I want to send you some Bitcoin: you would pull up your QR code on your screen, I would scan it with the camera, and then it would pull up a menu that would allow me to transfer the funds?
Ruben: I would basically scan your QR code with my NGRAVE app, then show a QR code to my ZERO, which signs the transaction in an instant. I then show a QR code back to the app and done.
That really is crazy. There are fewer steps in the process of actually utilizing funds, and they’re more secure when you’re not utilizing them. It’s Apple-esque with how intuitive using the product seems. What other considerations have you had in the process of making this as user-friendly as possible?
Ruben: I think what also sets us apart from most startups is that we’re very data driven. We employ Lean Startup principles, where you first have to get out of the building, test your assumptions, and then go back to the drawing board. So we went about seeing where security ranked on people’s list of priorities. We asked around 200 different cryptocurrency investors what they considered the most important feature of their wallets. It became very apparent that security was a big, big issue.
Then we set up a user group of 40 people. Every couple of weeks we’d get together to show them our new designs, and basically brainstorm together on what they really wanted. We also did a lot of one-on-one interviews. Every aspect of the product was discussed, even the position of the fingerprint sensor on our device, or why we're using a fingerprint in place of facial recognition. We test every feature and design element with the end-user to make sure they’re something they’d want.
One of the many things we took away from those sessions, for example, was that users do not want to have a camera on the front of their hardware wallet, because they feel watched. That's the reason why we use fingerprint recognition. We have relentlessly involved end users in testing the user flows and thinking about the product. This will eventually set us apart because we included our consumers in the process from the very beginning.
You have a touch screen, a camera, and a fingerprint sensor? You’ve managed to pack a lot of functionality into this device.
Ruben: The only thing we can’t do is buy crypto for you and engage in complete offline trading. But your private keys are as safe as it gets.
Quantum related theories also have a lot of crazy concepts and promising applications, I’m particularly interested in e.g. quantum entanglement where the state of one particle changes instantly based on the other entangled particle, even challenging the laws of light speed. And well, maybe the offline world.
How would you apply that concept to buying crypto or offline trading?
Ruben: I'm going to keep that to myself for now.