Bitcoin Forum

Bitcoin => Armory => Topic started by: wingsuit on May 15, 2013, 10:04:13 AM



Title: Armory Homomorphic encryption explanation
Post by: wingsuit on May 15, 2013, 10:04:13 AM
Can you give a very brief explanation of the deterministic wallet in Armory, specifically how it achieves public key generation without needing the private keys.

Also your thoughts on how this quote relates to Armory -- 'Visions of a fully homomorphic cryptosystem have been dancing in cryptographers' heads for thirty years. I never expected to see one. It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure.' Bruce Schneier

EDIT: Okay I see that this is discussed here: https://en.bitcoin.it/wiki/BIP_0032


Title: Re: Armory Homomorphic encryption explanation
Post by: etotheipi on May 15, 2013, 01:41:40 PM
Armory will be upgrading to BIP32, but at the moment it uses its own homegrown version of "Type 2" deterministic wallets.  After all, it was the first application to implement them, so I couldn't really have followed any standard :)  But it's not homomorphic encryption.  Homomorphic encryption is pretty neat and enables some pretty cool capabilities, in general, but I haven't thought about whether it could be useful for Bitcoin.   I bet, if we upgraded the scripting environment, we could find something interesting, but I'm not sure how useful it would be.  It would certainly be a fun discussion to have...

For reference, Armory's wallets chain together like this:

Code:
PrivKey[0] = Random(32)
Chaincode  = Random(32)
PubKey[0]  = Priv2Pub(PrivKey[0])

Then

Code:
PrivKey[i+1] = (hash256(PubKey[i]) XOR chaincode) * PrivKey[i]
 PubKey[i+1] = (hash256(PubKey[i]) XOR chaincode) *  PubKey[i]

Where the multiplication (*) is scalar-multiplication-mod-N in the first line, and it's elliptic-curve-point-mult-by-scalar on the second line.  The magic of elliptic curve math is that if N is equal to the number of points on the elliptic curve, then you end up with matching private and public keychains on both sides.

I had actually been meaning to document this precisely somewhere.  I guess this was my excuse.


Title: Re: Armory Homomorphic encryption explanation
Post by: oakpacific on May 15, 2013, 03:16:01 PM
Quote from: etotheipi on May 15, 2013, 01:41:40 PM
Armory will be upgrading to BIP32, but at the moment it uses its own homegrown version of "Type 2" deterministic wallets.  After all, it was the first application to implement them, so I couldn't really have followed any standard :)  But it's not homomorphic encryption.  Homomorphic encryption is pretty neat and enables some pretty cool capabilities, in general, but I haven't thought about whether it could be useful for Bitcoin.   I bet, if we upgraded the scripting environment, we could find something interesting, but I'm not sure how useful it would be.  It would certainly be a fun discussion to have...

For reference, Armory's wallets chain together like this:

Code:
PrivKey[0] = Random(32)
Chaincode  = Random(32)
PubKey[0]  = Priv2Pub(PrivKey[0])

Then

Code:
PrivKey[i+1] = (hash256(PubKey[i]) XOR chaincode) * PrivKey[i]
 PubKey[i+1] = (hash256(PubKey[i]) XOR chaincode) *  PubKey[i]

Where the multiplication (*) is scalar-multiplication-mod-N in the first line, and it's elliptic-curve-point-mult-by-scalar on the second line.  The magic of elliptic curve math is that if N is equal to the number of points on the elliptic curve, then you end up with matching private and public keychains on both sides.

I had actually been meaning to document this precisely somewhere.  I guess this was my excuse.

As long as the chaincode remains secret, the unreused deterministic addresses will have the same kind of quantum computer resistance as the non-deterministic ones, right?


Title: Re: Armory Homomorphic encryption explanation
Post by: DeathAndTaxes on May 15, 2013, 03:25:06 PM
OP should retitle the topic as it is misleading, I thought Armory was doing some experimentation in HE.  As pointed out neither Armory nor any Bitcoin related software uses homomorphic encryption. 



Title: Re: Armory Homomorphic encryption explanation
Post by: etotheipi on May 15, 2013, 03:29:03 PM
Quote from: oakpacific on May 15, 2013, 03:16:01 PM
As long as the chaincode remains secret, the quantum computer resistance of unreused addresses will not be weakened, right?

That's correct.  The terminology I use is that the chaincode is "sensitive" but not "private".  Meaning, that you shouldn't make your chaincode public, but in the absence of QCs, it's just a breach of privacy, not security (people can now see all your wallet transactions, but cannot spend your coins).   If QCs are around, that's a whole different story -- in that case the chaincode would need to be kept securely, though the Bitcoin protocol would be changing to QC-resistant algos, and all this discussion about it is probably moot.
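Worked example of the two chaining formulas etotheipi gives above (PrivKey[i+1] = multiplier * PrivKey[i] mod N, PubKey[i+1] = multiplier * PubKey[i] on the curve), and of the point in the last reply that the chaincode plus a public key is enough to follow the whole chain without being able to spend. This is added example code, not Armory's implementation. It assumes hash256 is Bitcoin's double SHA-256, that PubKey[i] is hashed in its uncompressed 65-byte SEC encoding, and that the XORed multiplier is reduced mod N; the thread does not state those details. The secp256k1 arithmetic is a textbook affine implementation written for clarity, not constant-time and not for production use.

```python
"""
Armory-style "Type 2" deterministic keychain, reconstructed from the thread:

    PrivKey[i+1] = (hash256(PubKey[i]) XOR chaincode) * PrivKey[i]   (mod N)
    PubKey[i+1]  = (hash256(PubKey[i]) XOR chaincode) * PubKey[i]    (EC scalar mult)

The two chains stay in sync because priv2pub is linear: (m * k) * G == m * (k * G).
Assumptions (not stated on the page): hash256 = SHA-256 applied twice; the public key
is hashed in uncompressed SEC form; the multiplier is taken mod N.
"""
import hashlib

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (educational, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def priv2pub(priv):
    return ec_mul(priv, G)


def sec_uncompressed(pub):
    """65-byte uncompressed SEC encoding: 0x04 || X || Y (assumed hash input)."""
    return b"\x04" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")


def hash256(data):
    """Bitcoin's double SHA-256 (assumed meaning of hash256 in the thread)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def chain_multiplier(pub, chaincode):
    """The shared scalar m = (hash256(PubKey[i]) XOR chaincode) mod N."""
    h = hash256(sec_uncompressed(pub))
    m = int.from_bytes(bytes(a ^ b for a, b in zip(h, chaincode)), "big") % N
    if m == 0:                            # astronomically unlikely; would zero the chain
        raise ValueError("degenerate chain multiplier")
    return m


def next_priv(priv, chaincode):
    """Private-side step: needs the private key (and derives its public key)."""
    return chain_multiplier(priv2pub(priv), chaincode) * priv % N


def next_pub(pub, chaincode):
    """Public-side step: needs only PubKey[i] and the chaincode."""
    return ec_mul(chain_multiplier(pub, chaincode), pub)


def private_chain(priv0, chaincode, count):
    privs = [priv0]
    for _ in range(count - 1):
        privs.append(next_priv(privs[-1], chaincode))
    return privs


def watching_chain(pub0, chaincode, count):
    """What a watching-only holder of (PubKey[0], chaincode) can compute."""
    pubs = [pub0]
    for _ in range(count - 1):
        pubs.append(next_pub(pubs[-1], chaincode))
    return pubs


def chains_match(priv0, chaincode, count=4):
    """True iff priv2pub(PrivKey[i]) == PubKey[i] for every i in both chains."""
    privs = private_chain(priv0, chaincode, count)
    pubs = watching_chain(priv2pub(priv0), chaincode, count)
    return all(priv2pub(k) == p for k, p in zip(privs, pubs))


if __name__ == "__main__":
    # Constructed test values; a real wallet uses Random(32) for both.
    priv0 = int.from_bytes(hashlib.sha256(b"example root key").digest(), "big") % N
    chaincode = hashlib.sha256(b"example chaincode").digest()
    print("chains match:", chains_match(priv0, chaincode))
```

The watching_chain function is the part a server or auditor would run: given PubKey[0] and the chaincode it reproduces every address, which is exactly why leaking the chaincode exposes the wallet's transaction history (privacy) but not the ability to sign (security), as etotheipi describes.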