Cipher, CEO and founder of Nervina Labs, held an English-language AMA on the Nervos Reddit on March 29, Eastern Time. The theme was JoyID, a revolutionary crypto wallet that is passwordless, non-custodial and fully decentralized on Nervos CKB.

Nervina Labs has been building infrastructure and products for the Nervos Network for the past four years. They have successfully built the NFT platform Token.city and the CoTA standards. JoyID is a user-friendly crypto wallet that allows users to easily control cryptocurrencies using just their fingerprint or Face ID. The following content is the edited version of this AMA, translated into Chinese, with some parts deleted. The original text shall prevail.

Q1: What do you think is the biggest obstacle facing Nervina Labs, Nervos Network and the entire blockchain industry? Also, what do you think it would take for the average person to take advantage of blockchain and not fall into scam investing? While these questions are not directly related to the work of Nervina Labs, I think there is high value in the perspective of industry leaders like yourself on the current state of the industry.

A: Since entering the blockchain industry in 2016, I have been committed to allowing more ordinary users to benefit from the value network of blockchain and enjoy equality and freedom. At Nervina Labs, my main job is to think about how non-technical enthusiasts can use blockchain more easily, and how to attract users with the lowest learning curve and cost. At the Nervos Foundation, my job is to design application layer protocols to support these products. I must admit that these tasks have been very challenging, but I am happy to say that we have achieved some results. In particular, our product JoyID Wallet opens the door to blockchain to billions of ordinary users. Regarding how to get ordinary people to see blockchain as a resource rather than a scam investment, I think there needs to be more education and popularization, as well as the emergence of safer, easier-to-use and more useful applications, so that people are truly aware of the value and potential of blockchain technology.

Q2: Please give a brief introduction and its development stage, is it ready for production? Is JoyID a real wallet/app or just a toolkit for other wallet providers? Or both? It is understood that restoring the wallet requires the use of biometric information (such as face or fingerprint), but only on the same device. This means someone can’t restore my wallet using biometric information from another device, which is great, but how do I restore my wallet if the device is lost?

A: CoTA is an ultra-low-cost token protocol running on Nervos CKB, capable of minting millions of NFTs at a state storage cost of only 32 CKBytes. Additionally, CoTA can serve as a universal on-chain key-value storage database for third-party dapps. JoyID utilizes CoTA to manage abstract accounts.

You can find more information about CoTA here: https://www.cotadev.io/docs/protocols/cota_main

CoTA is ready for production, and there are already a few dapps and applications using it on mainnet, such as the free NFT minting and distribution platform NFTBox.me and the NFT wallet token.city. JoyID is a web-based wallet that allows you to manage assets on the Nervos CKB and L2 chains. At the same time, it is also an on-chain toolkit and smart contract. Anyone can copy our open source code and deploy web pages to provide the same service, achieving complete decentralization.

Q3: Is JoyID a unique product of Nervos? Is it limited to development on the Nervos network?

A: Yes, JoyID is designed for Nervos' L1 and L2 and can only be used on these networks. On Nervos' L2 network, Axon, you can use JoyID just like an EOA account. Nervos provides two key features to support JoyID. First, it provides full account abstraction support, enabling JoyID to use WebAuthn keys from multiple devices as a signature verification mechanism for the same address. Second, efficient RISC-V virtual machines ensure practical cost feasibility of WebAuthn signature verification. Although there are some other chains, such as StarkNet or Fuel, that are also trying similar implementations, their technical progress is relatively behind and they are not yet ready for production.

Q4: Is JoyID an application that will be launched on the Web2 App Store, or is it more like ckb.pw?

A: Currently, JoyID Wallet is a web-based application, similar to ckb.pw. We may build a native app to provide more functionality, including notifications, NFC access, etc. But it's not on our roadmap right now.

Q5: Please explain how the biometric authentication process in JoyID works and what measures are taken to ensure user privacy and security?

A: The biometric authentication process is provided by the WebAuthn API maintained by FIDO. JoyID does not have direct access to your biometric information, which is technically impossible. Instead, JoyID requests asymmetric authentication through the WebAuthn API and triggers the system's biometric sensors for verification. So, your system (Windows/MacOS/Android/iOS) is responsible for biometric authentication, while JoyID only gets the signature and public key. Public keys have high entropy and are completely random and cannot be used to track your device and personal information.

Q6: How does JoyID ensure that the private key never leaves the user's device, and what happens if the user loses the device?

A: The security of the private key is guaranteed by the hardware used. The FIDO/WebAuthn standard utilizes hardware's Secure Enclave to generate, store, and process private keys, and they are designed not to be exported. Even the manufacturer cannot obtain these private keys.

If the device is lost, you can take the following two measures: 1) Recover your account on the new device; 2) Remotely delete the authentication of the old device. Both operations are supported by the JoyID protocol and the front-end application.

Q7: Can you explain how the social recovery function in JoyID works and how to achieve decentralized account recovery?

A: JoyID provides account abstraction, allowing you to "log in" to the same account on multiple devices. This means you can link public keys generated from multiple devices (such as a phone, laptop or PC) to a single account. Even if you lose one of your devices, you can use the other device to access your account. Additionally, you can bind a Metamask address to an account and use a Metamask wallet or mnemonic phrase to recover the account.

The Social Recovery feature allows you to designate multiple friends' JoyID addresses as recovery guardians. If you lose all your devices and are unable to recover your account on your own, you can start the social recovery process on a new device. First, log in with your old account/address in JoyID wallet; you will be prompted that there is no valid key on your device. Then, start the social recovery process by sending the recovery link to your friends to get their approval (signature). Once you have collected enough signatures, you can add the key generated by the new device to the old account. Thereafter, the new device can control your account. The entire process does not need to rely on centralized solutions.

Q8: Can you discuss the technical details of how JoyID utilizes the CoTA extension on the Nervos CKB blockchain to register public keys and complete user address abstraction?

A: CoTA provides a "User Data Extension" feature that allows third-party scripts to access their script-scoped data in key-value format through SMT data accumulators. This means that JoyID scripts can store abstract account data (such as multiple subkeys or social recovery settings data) into CoTA cells without incurring additional CKBytes cost. All data is stored in a 32-byte SMT root via the CoTA protocol. Although the extension details on the documentation webpage have not been updated, you can refer to: https://www.cotadev.io/docs/protocols/cota_userdata to learn more.

Q9: How does JoyID manage user profiles and store them on the chain in CTMeta format? What measures are taken to ensure data privacy and security?

A: In the early design stage of JoyID, we added the user portrait field to the standard as the "identity layer" of Nervos. But later, we decided that JoyID was better suited as a mass-adoption version similar to Metamask, focused on accounts rather than identities. Therefore, in the latest design, we no longer upload user data to the blockchain.

Nonetheless, we still store other information on-chain that could compromise user privacy, such as custom device tags and key indexes for WebAuthn. We store this data in the witness field of CKB transactions and adopt the CTMeta standard to make this public data accessible to everyone to keep JoyID decentralized. Users can modify on-chain device tags to hide their tracks before pushing data onto the chain. For example, they could use emojis instead of hardware/location descriptions to protect privacy. Ultimately, it all depends on the user themselves.

CTMeta standard: https://www.cotadev.io/docs/protocols/CTMeta

Q10: Can you elaborate on how the Nervos CKB blockchain supports the WebAuthn algorithm to enable passwordless user experience for dApps? How does JoyID achieve cross-platform and cross-terminal functions, and what are the technical challenges involved?

A: Nervos CKB uses a RISC-V VM and a verification model instead of an execution model to achieve consensus, so its computing efficiency is much higher than EVM or other VMs. This makes P256 and RS256 (powered by WebAuthn) signature verification feasible compared to competitors. CKB also has powerful account abstraction capabilities, enabling accounts to adapt to the WebAuthn signature format and data serialization standards. By using account abstraction, keys generated across multiple devices and across platforms can be mapped to the same account. Therefore, users do not need to use a mnemonic phrase to save private keys, which are stored in a high-security area of the device. At the same time, users do not need to password-protect keys because the WebAuthn interface allows for signature authentication using biometrics.

Q11: Can you talk about the future plans or development of JoyID and your views on its future evolution?

A: We are working on developing the following JoyID features:

  1. L2 support: The testnet Axon chain will be launched with native support for JoyID, which means that all EVM dapps can deploy instances to Axon and enjoy passwordless, tokenless wallets.

  2. Optional recovery features: Includes social recovery and Metamask integration.

  3. More asset support: such as mNFT, CoTA, sUDT, L2-ERC20/ERC721/1155, etc.

  4. SDK for L1 and L2.

  5. Dapp integration: such as NFTBox, token.city, dotbit, etc.

One exciting aspect of JoyID is its potential to become a universal account system that replaces the Google/Apple ID, providing a better user experience and decentralized nature for the Web2 world. As a result, legacy Web2 sites may choose JoyID as their future passwordless, permissionless account solution.

Q12: Please introduce Nervina Labs’ NFT platform on Nervos, Token.City and NFTBox.Me, as well as the energy points, identity authentication and payment verification process.

A: NFTBox.me is a centralized distributed platform that provides SaaS websites for traditional enterprises that want to attract more users. However, its underlying technology uses the decentralized CoTA protocol.

You can interact directly with smart contracts to mint/transfer NFTs, bypassing NFTBox.me. Energy Points are used in the mNFT protocol, one of our early NFT protocols. Each distribution requires 145 CKBytes, so we charge users energy points per distribution.

Q13: Any details or timeline on JoyID supporting other currencies besides Nervos, and is there a goal of supporting wallets for all (crypto)currencies?

A: JoyID will support various ERC20 on Axon through cross-chain bridges from other chains. The Axon team is working on IBC compatibility to make the bridge more robust and versatile.

JoyID cannot support other chains because it relies on key functionality provided by CKB. But if other chains adopt CKB-VM as the address authentication module, effectively serving as an L2 for CKB, then JoyID may not have the technical hurdles to support them.

Q14: What privacy protection technologies do you expect Nervos to adopt? (Such as Mimblewimble, ring signature, zero-knowledge proof, etc.)

A: I believe all of these features are possible on Nervos CKB. Thanks to its UTXO model and highly flexible scripting system, CKB provides a good environment for privacy-preserving technologies.

Q15: I noticed that you wrote the original CKB-address-demo code for RFCS21. Can you recommend a resource/reference to learn more about cryptography in general?

A: Although I am not a cryptographer or cryptographic engineer, I am a protocol researcher and product designer who is proficient in cryptography applications. If you want to have a preliminary understanding of blockchain-related cryptography without going into the details of technical implementation, provable security, etc., I recommend starting from an open course on cryptography basics on platforms such as Coursera, and then directly reading the latest introduction to blockchain cryptography in order to have a general understanding of the combination of cryptography and blockchain. If you need a more in-depth understanding, you can consult the relevant literature.


  • JoyID official website: https://joy.id/
