SEAL Explained: Sui's Decentralized Key Management Solution


Author: Alex Liu, Foresight News

As the Web3 ecosystem continues to mature, issues such as privacy protection, access control, and key management are becoming increasingly prominent. On April 5th, Mysten Labs launched a brand new decentralized key management solution - SEAL - on the Sui Testnet. Below, we will provide a detailed introduction to SEAL from multiple dimensions, including technical architecture, application scenarios, developer experience, and future outlook.

Interpretation of SEAL: Sui's Decentralized Key Management Solution

Background

In the traditional Web2 era, data encryption and access control often relied on centralized key management services (KMS), such as AWS KMS or GCP Cloud KMS. However, these solutions fail to meet the requirements of the Web3 ecosystem for decentralization, transparency, and user autonomy.

To address this pain point, Mysten Labs has launched SEAL, which aims to achieve secure encryption and access control of data through a decentralized approach, helping developers avoid reliance on a single trusted party during the process of building decentralized applications (DApps), thereby achieving more flexible and secure data protection.

Traditional solutions for protecting large amounts of on-chain data are often either scenario-specific or reliant on centralized services, and SEAL is meant to address those limitations. With SEAL, developers can achieve data encryption and access management across storage systems and application scenarios without sacrificing security or performance, providing a universal and efficient security solution for Web3 applications.

Technical Architecture

SEAL adopts a multi-layered technical solution to ensure the data encryption process is secure and efficient, mainly including the following key components:

On-chain Access Control

SEAL utilizes Move smart contracts on the Sui blockchain to implement access control. Developers can define access policies within the smart contracts to finely control who can access the decryption keys and under what conditions access is allowed. These on-chain rules ensure transparency, making the permission verification process immutable, thereby enhancing data security.

Threshold Encryption

In traditional key management built on a single point of trust, centrally stored keys easily become a target for attacks. SEAL adopts threshold encryption, dispersing the decryption keys across multiple independent backend services. The complete key can be restored only when a predefined minimum number of keys is reached (for example, in a t-out-of-n model). This mechanism spreads the risk: even if some key servers are attacked, the overall data can still remain secure.
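The t-out-of-n mechanism above, combined with the policy check from the On-chain Access Control section, as an added example that is not from the article or from Mysten Labs. It uses Shamir secret sharing over a prime field as a stand-in (an assumption, since the article does not name SEAL's actual scheme); `KeyServer`, `recover`, the policy callback and the sample addresses are hypothetical.

```python
import secrets

P = 2**127 - 1  # prime modulus of the field the shares live in

def split(secret, t, n):
    """Split secret into n shares; any t of them rebuild it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):  # Horner evaluation of the random degree t-1 polynomial
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 recovers the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

class KeyServer:
    """Hypothetical key server: one share, released only if the policy approves."""
    def __init__(self, share, policy):
        self._share, self._policy = share, policy
    def request_share(self, caller):
        return self._share if self._policy(caller) else None

def recover(servers, caller, t):
    """Client side: gather shares from reachable servers, rebuild locally."""
    got = [srv.request_share(caller) for srv in servers]
    got = [s for s in got if s is not None]
    if len(got) < t:
        raise PermissionError(f"{len(got)} shares released, {t} required")
    return combine(got[:t])

if __name__ == "__main__":
    allowlist = {"0xA11CE"}                      # constructed sample policy data
    policy = lambda caller: caller in allowlist  # stands in for the on-chain rule
    key = secrets.randbelow(P)                   # constructed data-encryption key
    servers = [KeyServer(s, policy) for s in split(key, t=3, n=5)]
    assert recover(servers[2:], "0xA11CE", t=3) == key  # two servers offline
    for who, reachable in (("0xB0B", servers), ("0xA11CE", servers[:2])):
        try:
            recover(reachable, who, t=3)
        except PermissionError as err:
            print(who, "->", err)
```

With t = 3 and n = 5, recovery still works when two servers are unreachable, and it fails both for a caller the policy rejects and for an authorized caller who can reach only two servers.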


Client Encryption

SEAL emphasizes that data encryption and decryption operations are performed on the client side, meaning that users complete the encryption process locally. As a result, even if SEAL's servers or intermediate nodes are compromised, plaintext data cannot be obtained, further enhancing the system's privacy protection capabilities.

Storage Independence

Unlike some solutions that can only encrypt specific storage systems, SEAL has storage independence. Whether it's the decentralized storage Walrus based on the Sui chain, or other on-chain or off-chain storage systems, SEAL can provide compatible encryption solutions. This flexibility allows developers to choose the most suitable storage solution based on project requirements without worrying about the adaptation of the encryption mechanism.

Application Scenarios


The flexible and diverse application scenarios of SEAL also demonstrate its extensive practical value. Here are several typical application cases:

Content Payment and Threshold Access

In the current digital content distribution field, more and more creators hope to achieve paid reading or membership subscriptions through encrypted content. By utilizing SEAL, creators can encrypt high-quality content, allowing only users who hold specific NFTs or pay subscription fees to decrypt and view it. This model is similar to an on-chain version of Patreon or Substack, which not only protects the copyright of the content but also enables precise user paid access.

Private Messages & Data Transfer

In decentralized chat and social applications, user privacy protection is particularly important. SEAL supports end-to-end encrypted message transmission, ensuring that even on public chains, the message content can only be read by the two parties involved in the communication. Developers can utilize SEAL to build secure and reliable decentralized instant messaging applications, addressing the risks of privacy leaks in traditional social platforms.

NFT Transfer and Time-Locked Transactions

NFTs are important on-chain assets, and the security of their transfer process is under close scrutiny. SEAL can be applied to time-lock encryption for NFTs, meaning the transfer or unlocking of NFT ownership can only occur within a specific time window. This method is not only suitable for closed auctions but also provides technical support for DAO voting and other decision-making processes.

User Sensitive Information Storage


In fields such as healthcare and identity verification, users' sensitive data needs to be strictly protected. SEAL can encrypt data stored in Walrus or other storage systems and ensure that only authorized users can access it through on-chain access control, providing a decentralized and efficient solution for data privacy protection.

Developer Experience

Beyond its technical innovation, SEAL provides developers with a complete SDK and toolchain, reducing the difficulty of integration and deployment. Through the SEAL SDK, developers can access interfaces for encryption, decryption, and key management without needing to delve into the complex underlying cryptographic principles. While there are currently no established ecosystem projects, official documentation and a sample app are provided, with code that offers detailed guidance to help developers quickly build and debug applications in a testnet environment.

In addition, the SEAL beta version is now available on the Sui Testnet, allowing developers to conduct various scenario tests in this environment and submit feedback to Mysten Labs for continuous improvement of features in future versions. Its developer-friendly and easy-to-integrate characteristics make SEAL the preferred tool for Web3 developers.

Future Outlook

Although SEAL currently has mature foundational features, Mysten Labs has not stopped there. In the future, the development direction of SEAL may include:

  • Multi-Party Computation (MPC): Introducing MPC technology to make decryption operations more distributed, making the key management process more secure and reliable.
  • Server-side encryption: In certain specific scenarios, to meet the needs of lightweight front-end applications, support for server-side decryption solutions may be provided in the future, offering developers more flexible options.
  • Digital Rights Management (DRM): Drawing on the experience of the traditional media industry, developing DRM technology similar to that of Netflix, YouTube and other platforms to protect the copyright of digital content while ensuring the security of users.

The addition of these features will further expand the application boundaries of SEAL, making it not only limited to data encryption and decryption but also a comprehensive decentralized data security platform, providing solid security guarantees for the entire Web3 ecosystem.
