Terminal 3 has developed a proprietary data security system that leverages Lit Protocol — a decentralized key management network — for encryption, access control, and programmable signing of data.

Why Lit Protocol?

Lit Protocol provides us with a few advantages:

  • Decentralized, threshold encryption: removes the dependence on centralized key custodians, who exist as a single point of failure.
  • Multi-Party Computation (MPC): uses an MPC mechanism to divide encryption keys among multiple parties, ensuring no single party possesses the full key.
  • User-Controlled Access: Users manage access, which can be revoked when desired.

Encryption Scheme

We use symmetric key encryption (AES-GCM). Keys are encrypted to the Lit Network’s BLS public key. The BLS private key shares are used by the nodes to decrypt.

Symmetric key encryption is substantially faster than asymmetric encryption, being 3 to 5 orders of magnitude quicker. Asymmetric cryptography is often used just to exchange the secret key, after which symmetric cryptography takes over for data encryption.

Another significant advantage of using symmetric cryptography like AES is its resistance to quantum computing attacks. Quantum computers could potentially solve the discrete logarithm problem and factor large numbers significantly faster than classical computers, thus breaking the security of RSA, ECDSA and BLS asymmetric encryption methods.

In our case, we use Lit Protocol to exchange the secret key for encrypting/decrypting user data. Lit Protocol comes with the significant advantage of key revocation. This means we do not need to employ an additional layer of asymmetric key encryption for sharing information.

Data security

  1. Encryption client-side and in-transit: When a user sends information to our system, we make sure it is secure. First, the user’s key encrypts their data client-side. Then, encrypted data is transferred over a secure HTTPS connection, preventing the data from being stolen or modified.
  2. Encryption at rest: We securely store user data encrypted (”at rest”). Because our storage system is based on IPFS, the encrypted data is stored in atomized blocks, and referenced by a digital fingerprint (”CID”), making the data tamper-proof and immutable.
  3. Threshold key management: keys used for encryption/decryption are stored across Lit’s decentralized key-share network. If an attacker tries to replace this key, it will simply make the key invalid and will not affect the underlying data.
  4. Querying data: When we need to retrieve or “query” the data, we again use a secure HTTPS connection. Queries are done on encrypted data using structured encryption (STE). In addition, we provide zero-knowledge (ZK) proofs that data has not been tampered with.