From ethresearch by jieyilong
Autonomous AI Agents equipped with crypto wallets are attracting growing attention due to their capability to interact directly with blockchains and smart contracts. These agents can perform a variety of tasks, including sending and receiving tokens, calling smart contracts, and even writing and deploying smart contracts on-chain. Unlike traditional systems, these autonomous AI agents are proactive, capable of making independent decisions without direct human intervention. An example is an autonomous crypto trading agent which leverages sophisticated deep learning algorithms to execute trades by interacting with on-chain DEXes. In this scenario, a user might provide the agent with an initial fund and delegate trading decisions entirely to the agent, aiming for long-term profitability. This hands-off approach, powered by the agent’s ability to analyze market trends and execute trades autonomously, exemplifies the transformative potential of combining AI and crypto in decentralized finance (DeFi) and beyond.
To enable these promising capabilities, an AI Agent needs to possess a private key to initiate blockchain transactions. If the agent runs in a local device, such as a smartphone or a laptop, managing the private key becomes relatively straightforward. However, AI Agents often require substantial computational resources — for example, to run advanced large language models (LLMs) — making this simple design impractical for many use cases. To help address this challenge, below we informally define the problem:
Problem definition: A user seeks to deploy an autonomous AI Agent that proactively acts on their behalf. The user provides the Agent with a private key which enables direct or indirect access to valuable on-chain crypto assets. Due to the significant computational demands of the Agent — such as running advanced deep learning models or performing resource-intensive tasks — it may need to operate in a potentially adversarial environment, such as a remote server. The challenge is to design a system such that, even in the event of a server compromise, the crypto assets accessible through the private key remain secure.
Below we sketch a few possible approaches to tackle to the above problem:
- TEE based: The first approach involves the user securely storing the Agent’s private key within a Trusted Execution Environment (TEE) and executing the entire AI Agent code inside the TEE. Provided the TEE remains uncompromised, adversaries would be unable to either alter the Agent’s code or extract the private key. However, while TEEs are designed to be secure, they could still be susceptible to sophisticated attacks targeting specific vulnerabilities in their implementation. Additionally, the use of TEEs may introduce performance overhead, as running code within the protected environment can be slower compared to execution outside of it.
- iO based: Indistinguishable Obfuscation is a powerful cryptographic tool. As Vitalik discussed in this article, one direct application of iO is to hide the private key in the AI Agent code. The primary advantage of iO lies in its ability to ensure that, even if the key is included in the obfuscated code, adversaries should be unable to extract it, even when the code is executed on a remote server. However, iO is still in a nascent stage, both in terms of theoretical development and practical implementation. Current constructions of iO are highly resource-intensive, requiring significant computational overhead and large memory footprints, making them impractical for many real-world applications.
- MPC based: A more practical approach is to leverage cryptographic tools such as multi-party computation (MPC) and threshold signature scheme (TSS). In this setup, multiple instances of the AI Agent code are run in parallel across several worker nodes. In this setup, we run multiple instances of the AI Agent code in parallel with multiple worker nodes. The user splits the private key into multiple shares, and securely sends each share to a different worker node, ensuring that no single node possesses the entire key. To interact with the blockchain, the worker nodes execute a consensus algorithm to propose and agree on specific actions. Once consensus is achieved for a particular transaction, the nodes collaboratively execute an MPC-based threshold signature protocol to jointly sign the transaction. Crucially, this process allows the signature to be generated without reconstructing the private key in its entirety. This ensures that even if an adversary compromises some worker nodes, the private key remains protected, provided a majority of the nodes remain secure. Although this approach requires the additional overhead of running multiple instances of the AI Agent, it significantly enhances security while allowing the Agent to operate safely in untrusted environments.
Screenshot 2025-01-12 at 11.16.29 PM1246×1126 31.5 KB
- SNARK based: In this approach, we run a SNARK prover along with the Agent in the powerful server. Meanwhile, we run the corresponding SNARK verifier in a local personal device (smartphone, laptop, etc.). The local personal device also possesses the private key. The user first generates a cryptographic commitment to the AI Agent code and publish it on the blockchain. Then, each time the server generates a transaction requiring the signature of the private key, the local device uses the SNARK verifier to ensure that the transaction is generated by the committed Agent code. If the SNARK verification succeeds, the local device signs the transaction with the private key and submits the signed transaction to the blockchain. Unlike the MPC-based approach, this method eliminates the need to run multiple copies of the AI Agent code. However, despite recent advancements in zkML, generating SNARK proofs for cutting-edge deep learning models remains highly challenging due to the computational complexity involved. Nonetheless, if the Agent code is relatively simple or if the SNARK proof is required only for specific parts of the Agent’s logic, this approach becomes a practical and efficient solution.
Screenshot 2025-01-12 at 11.03.19 PM820×1262 22.6 KB
The above outlines several potential solutions we are exploring to address the AI Agent key management challenge. We welcome any feedback or suggestions to refine and improve these approaches!
All Comments