Abstract: An approval request is transmitted for a cryptoasset transaction in accordance with a policy stored in a hardware security module (“HSM”). The policy specifies at least one specific approver required for approval of the cryptoasset transaction. The approval request is transmitted to a computer device associated with the specific approver and is configured to cause the computer device to prompt the specific approver to approve the cryptoasset transaction. A security key is received from a hardware security token associated with the specific approver. The security key indicates an approval of the cryptoasset transaction. A risk analysis module authenticates an identity of the specific approver based on the security key. Responsive to the authenticating of the identity of the specific approver, the HSM signs the cryptoasset transaction using a cryptographic key stored in the HSM.

Abstract: Methods and systems for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include: receiving, in a cryptoasset custodial system, a request to authorize a staking operation associated with a blockchain, wherein the staking operation is associated with a private key of an asymmetric cryptographic key pair, the private key is usable to control ownership of a cryptoasset recorded in the blockchain, and the private key is securely held in the custodial system; performing, in response to the request, a portion of the proof-of-stake protocol in a hardware security module using logic designed for the protocol, wherein the logic in the hardware security module is configured to authorize the staking operation by digitally signing an associated staking transaction; and sending the digitally signed staking transaction to another computer to effect the staking operation on behalf of the user.

Abstract: Methods, and systems for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include: receiving a request to take an action with respect to a vault of multiple different vaults in a cryptoasset custodial system, and each of the multiple different vaults has an associated policy map that defines vault control rules; authenticating, by a hardware security module, a policy map for the vault on which the action is requested based on a cryptographic key controlled by the hardware security module; checking the action against the policy map for the vault when the policy map for the vault is authenticated based on the cryptographic key controlled by the hardware security module; and effecting the action when the action is confirmed to be in accordance with the policy map for the vault.

Abstract: Methods, systems, and apparatus for risk mitigation for a cryptoasset custodial system include transmitting an endorsement request for a cryptoasset transaction to a user device configured to cause the user device to prompt a user to endorse the cryptoasset transaction. Multiple data points are collected from mobile devices associated with the user. The data points indicate an identity of the user. A cryptographic endorsement of the cryptoasset transaction is received from the user device. A graphical visualization including a risk metric is generated based on the data points. The risk metric indicates a risk of accepting the cryptographic endorsement from the user device.

Abstract: Methods, systems, and apparatus for risk mitigation for a cryptoasset custodial system include transmitting an endorsement request for a cryptoasset transaction to a user device configured to cause the user device to prompt a user to endorse the cryptoasset transaction. Multiple data points are collected from mobile devices associated with the user. The data points indicate an identity of the user. A cryptographic endorsement of the cryptoasset transaction is received from the user device. A graphical visualization including a risk metric is generated based on the data points. The risk metric indicates a risk of accepting the cryptographic endorsement from the user device. Generating the graphical visualization includes determining whether the plurality of data points matches expected values.

Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include, in at least one aspect, a method including: identifying for an action an associated private-keys group out of different private-keys groups, each having an associated cryptographic group key; decrypting, at a first computer, a first level of encryption of a private key associated with the action using the associated cryptographic group key; decrypting, at a second computer distinct from the first computer, a second level of encryption of the private key associated with the action using a hardware-based cryptographic key used by the second computer; using, at the second computer, the private key associated with the action in a process of digitally signing data to authorize the action; and sending the digitally signed data to a third computer to effect the action.

Abstract: Technology is disclosed for transferring money anonymously between a sender and a recipient by use of a one-time use token. The method includes generating a one-time use token account for association with a one-time use token. The method includes generating the token and providing the token to the sender device in a machine-readable and transferable format. The method includes receiving a request to charge the one-time use token account after the token has been provided to the recipient device as a form of payment for a transaction. The method includes determining that an amount of the transaction is less than an amount of funds associated with the token and that the time of the transaction is within a time period for the use of the token. The method includes facilitating a transfer to the recipient account and deducting the amount of the transaction from a sender account.

Abstract: A hardware security module (HSM) generates a client key for an account holder of a cryptoasset custodial system. The HSM encrypts the client key to generate an encrypted client key using a hardware-based cryptographic key within a secure storage device. The encrypted client key is transmitted to client devices. The HSM deletes the encrypted client key from the secure storage device. Each client device stores the encrypted client key in an offline secure enclave. A request to authorize a cryptoasset transaction is received. The HSM determines that signed messages endorsing the cryptoasset transaction have been received from at least some client devices in satisfaction of a quorum. The encrypted client key is received from at least one client device. The HSM decrypts the encrypted client key. The HSM signs an approval message for the cryptoasset transaction using a cryptoasset key based at least in part on the client key.

Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include, in at least one aspect, a method including: identifying for an action an associated private-keys group out of different private-keys groups, each having an associated cryptographic group key; decrypting, at a first computer, a first level of encryption of a private key associated with the action using the associated cryptographic group key; decrypting, at a second computer distinct from the first computer, a second level of encryption of the private key associated with the action using a hardware-based cryptographic key used by the second computer; using, at the second computer, the private key associated with the action in a process of digitally signing data to authorize the action; and sending the digitally signed data to a third computer to effect the action.

Abstract: Methods and systems including: receiving a request to take an action in a cryptoasset custodial system for an account holder; authenticating a policy map associated with the action, wherein the policy map defines access control rules governing which actions are allowed under conditions including a threshold number of endorsements needed; and validating endorsement messages for the action by checking digital signatures of the received endorsement messages, wherein at least one of the validated endorsement messages has been generated by digital signing with a first private key of a person, who is associated with the account holder, and at least one of the validated endorsement messages has been generated by digital signing with a second private key of a program, which is associated with the account holder, responsive to the program confirming one or more circumstances specified by the account holder are met at a time when the program is run.

Abstract: Methods, and systems for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include: receiving a request to take an action with respect to a vault of multiple different vaults in a cryptoasset custodial system, and each of the multiple different vaults has an associated policy map that defines vault control rules; authenticating, by a hardware security module, a policy map for the vault on which the action is requested based on a cryptographic key controlled by the hardware security module; checking the action against the policy map for the vault when the policy map for the vault is authenticated based on the cryptographic key controlled by the hardware security module; and effecting the action when the action is confirmed to be in accordance with the policy map for the vault.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for deposit address verification. One method includes receiving a request for the provisioning of an address for depositing digital assets to an account; determining a deposit address attached to the account; forwarding data representing the determined deposit address to a first user device comprising a display for displaying a visual code that encodes the determined deposit address, and to a second user device comprising a camera and an application that displays an image of the visual code overlaid on a live video feed from the second user device camera, wherein when a user directs the second user device camera at the first user device display the visual code on the first user device display can be aligned with the image of the visual code on the live video feed on the second user device.

Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include, in at least one aspect, a method including: identifying for an action an associated private-keys group out of different private-keys groups, each having an associated cryptographic group key; decrypting, at a first computer, a first level of encryption of a private key associated with the action using the associated cryptographic group key; decrypting, at a second computer distinct from the first computer, a second level of encryption of the private key associated with the action using a hardware-based cryptographic key used by the second computer; using, at the second computer, the private key associated with the action in a process of digitally signing data to authorize the action; and sending the digitally signed data to a third computer to effect the action.

Abstract: Methods and systems for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include: receiving, in a cryptoasset custodial system, a request to authorize a staking operation associated with a blockchain, wherein the staking operation is associated with a private key of an asymmetric cryptographic key pair, the private key is usable to control ownership of a cryptoasset recorded in the blockchain, and the private key is securely held in the custodial system; performing, in response to the request, a portion of the proof-of-stake protocol in a hardware security module using logic designed for the protocol, wherein the logic in the hardware security module is configured to authorize the staking operation by digitally signing an associated staking transaction; and sending the digitally signed staking transaction to another computer to effect the staking operation on behalf of the user.

Abstract: In an embodiment, a method performed by a payment service system (PSS) includes receiving from a first payment application associated with the PSS, a request to generate a token. The method includes identifying account information associated with the recipient. The method includes generating an anonymizing token associated with the recipient. The method includes storing an association between the account information of the recipient and the anonymizing token. The method includes providing for display of the anonymizing token within the first payment application. The anonymizing token anonymously embeds recipient information and the account information of the recipient.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for a cryptoasset custodial system using power down of server computers to protect cryptographic keys. The cryptoasset custodial system includes a plurality of server computers. Each server computer of the plurality of server computers includes a volatile memory configured to store a cryptographic key associated with a cryptographic transaction to be performed, by the server computer, on a blockchain. A computing device is communicatively coupled to the volatile memory and configured to perform, using the cryptographic key, the cryptographic transaction on the blockchain. Responsive to detecting an interruption in an electrical power supply to the server computer, the stored cryptographic key is deleted from the volatile memory to prevent access to the cryptographic key.

Abstract: Methods, and systems for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include: receiving a request to take an action with respect to a vault of multiple different vaults in a cryptoasset custodial system, and each of the multiple different vaults has an associated policy map that defines vault control rules; authenticating, by a hardware security module, a policy map for the vault on which the action is requested based on a cryptographic key controlled by the hardware security module; checking the action against the policy map for the vault when the policy map for the vault is authenticated based on the cryptographic key controlled by the hardware security module; and effecting the action when the action is confirmed to be in accordance with the policy map for the vault.

Abstract: A computing device receives, from a first client device, a request for a security token to authenticate a transaction session for a user account administered by a network resource, the first client device being associated with the user account. In response to the request, the computing device generates and sends a security token to the first client device, which communicates the security token to a second client device. The computing device receives, from the second client device, a modified security token that includes the security token and a signature on the security token using a first key stored in a trusted hardware component coupled to the second client device. A second key corresponding to the first key is registered with the network resource. The computing device verifies the modified security token using the second key. Upon successfully verifying the modified security token, the computing device enables the transaction session.

Abstract: An approval request is transmitted for a cryptoasset transaction in accordance with a policy stored in a hardware security module (“HSM”). The policy specifies at least one specific approver required for approval of the cryptoasset transaction. The approval request is transmitted to a computer device associated with the specific approver and is configured to cause the computer device to prompt the specific approver to approve the cryptoasset transaction. A security key is received from a hardware security token associated with the specific approver. The security key indicates an approval of the cryptoasset transaction. A risk analysis module authenticates an identity of the specific approver based on the security key. Responsive to the authenticating of the identity of the specific approver, the HSM signs the cryptoasset transaction using a cryptographic key stored in the HSM.

Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include, in at least one aspect, a method including: identifying for an action an associated private-keys group out of different private-keys groups, each having an associated cryptographic group key; decrypting, at a first computer, a first level of encryption of a private key associated with the action using the associated cryptographic group key; decrypting, at a second computer distinct from the first computer, a second level of encryption of the private key associated with the action using a hardware-based cryptographic key used by the second computer; using, at the second computer, the private key associated with the action in a process of digitally signing data to authorize the action; and sending the digitally signed data to a third computer to effect the action.