We use a simple 6 digit PIN to protect our assets in Mixin Messenger, those who don’t know the technology behind this design believe it is not secure. This article is to demystify how does D3M-PIN work in Mixin Messenger to prove this simple PIN is both secure and convenient, as a decentralized wallet.

What is D3M-PIN

D3M-PIN is the abbreviation of Distributed Multiparty Mobile Mixin PIN, unlike traditional 6 digit PIN in central applications, D3M-PIN is a distributed PIN technology secured by three parties with different roles.

The three parties are User(U), Trusted Account Manager(M) and Trusted Distributed Ledger(L). Three parties cooperate together to avoid single point failure in all roles, to be both decentralized secure and convenient.

User is typically a true human who uses Mixin Messenger, or some bot code, and they are not connected with any specific devices. The duty of User is remembering their 6 digit PIN securely, easy enough for them. This PIN is part of the whole private key, and it is the most import part.

Trusted Account Manager provides SMS verification code and connect User with another part of the private key. The centralized Mixin Messenger servers cluster is a typical Trusted Account Manager.

Trusted Distributed Ledger is a public permissionless distributed ledger runs in Trusted Execution Environment, e.g. the PoS-BFT-DAG ledger of Mixin Network. The ledger makes the final multisig private key of User.

D3M-PIN Workflow

Every Mixin Messenger User owns a multisig private key of Mixin Kernel, we will use the assumptions and definitions below to simplify the procedure:

• $L$ has a total of $n$ nodes, and we assume the multisig private key of $U$ requires all signatures of these $n$ nodes, and these nodes remains permanent.
• $L_i$ is the Kernel public key of node $i$, and $l_i$ is the corresponding private key.
• $PIN$ is the secure 6 digit password, and it remains permanent.
• $H_s$ is a deterministic hash function, without collisions.
• $I$ is a standard UUID randomly produced by $M$ to connect with a unique User.
• $m$ is a private key owned by $M$, and it remains permanent.
• $F_s(a, X)$ is the EdDSA signature function, it produces the signature on message $X$ by $a$.
• $aG$ is the corresponding public key, if $a$ is an EdDSA private key.

With the above assumptions, a standard D3M-PIN transaction sequence goes as follows:

1. The first time $U$ uses Mixin Messenger on a new device, they get their connected account number $I$ through the SMS verification code of $M$.
2. For each node in $L$, $M$ produces a seed $s_i = H_s(I \vert\vert m \vert\vert L_i)$, result in $n$ total seeds.
3. For each new seed $s_i$, $M$ sends a Mixin Kernel transaction $T_i$ to its public key $s_iG$.
4. $M$ sends back these $n$ seeds and corresponding transactions $T_i$ to User’s device and persisted in the device storage. $U$ may choose to backup all $s_i$.
5. If $U$ uses Mixin Messenger for the first time, they needs to spend the transaction $T_i$ with $s_i$ to ensure the seed is used only once.
6. For each node in $L$, $U$ produces a private key $u_i = H_s(PIN \vert\vert s_i \vert\vert L_i)$, result in $n$ total private keys.
7. For each private key $u_i$, $U$ produces signature $S_i = F_s(u_i, H_s(L_i \vert\vert COMMIT))$, then sends $S_i$ and public key $u_iG$ to node $L_i$.
8. $L_i$ verifies signature $S_i$, then responds error or sends back a new public key $p_iG$, with $p_i = H_s(u_iG \vert\vert l_i)$.
9. After $U$ receives total $n$ new public keys, they gets their integral multisig public key in Mixin Kernel, $P = \sum\limits_{i=1}^n p_iG$.
10. Whenever $U$ sends a transaction $T$, they produces signature $S_i = F_s(u_i, H_s(L_i \vert\vert H_s(T)))$ for each node, and sends $S_i$ and $u_iG$ to $L_i$.
11. $L_i$ verifies signature $S_i$, then responds error or sends back a new signature $S_i = F_s(p_i,H_s(T))$.
12. After $U$ receives total $n$ new signatures, they gets their complete multisig signature for $T$ as $S = \sum\limits_{i=1}^n S_i$.

In the workflow above, there is one most important part is that each node $L_i$ does strict rate limit to every signature verification request.

Security Analysis of D3M-PIN

We will analyze the possible risks of D3M-PIN workflow, and prove that this technology is robustly secure and decentralized. Because User and Ledger are already both secure and distributed, we will only analyze the Account Manager.

If there is only one M, and it stops working, are User’s assets still accessible?

Yes, of course. At first, before M stops business, it will notify all Users to download user data, and Users have enough time to backup all their seeds $s_i$; Second also the most important, after User connects with M and gets $s_i$, they can continue access their assets without any interactions with M; Finally, User can backup all their $s_i$ at any time, thus User can send transactions or change devices at any time despite M running or stopped.

If User lost access to their phone number, are User’s assets still accessible?

Yes, of course. At first, M allows User to set up an emergency contact, whenever a User lost access to their phone number they can get their all $s_i$ through their emergency contact; Second, most people can go to ISP to get back their phone number access; Finally, like the analysis in question above, User already has $s_i$ in their device and can backup them at any time, thus User can send transactions or change devices at any time despite phone number access.

If someone else got the access to User’s phone number, are User’s assets still secure?

Whenever an attacher gets the access to a User’s phone number, they actually gets the User’s $s_i$. So why not we just assume the attacker is M, it’s obviously that M has all Users’ private key seeds.

Because M has no knowledge of the PIN for User, and PIN has a total of 1,000,000 possibilities. Assume L has typical 30 nodes, and the node signature verification rate limit is 5 times per day. Then it takes about 1000000/30/5/365 = 18 years to brute force all these possibilities.

And in a typical D3M-PIN implementation, there are random iterators stored on User’s device, it will decrease the possibility to brute force the PIN to zero, unless the attacker also get the access to User’s device.

In summary, D3M-PIN is robustly secure and is the most convenient distributed technology to protect crypto assets.