***A friend advised me to post this idea here for public scrutiny from the
cryptographic community, so here it goes:
I have been thinking about a cryptographic problem I had, and I believe I
have found a solution to it that might be of some use for cryptocurrency developement.
Someone coined the
term "Aggregate Signatures" for what I was trying to achieve.
I hope of some kind of feedback as to the feasibility of this
method, as to the best of my knowledge this is used nowhere else yet and
creating ones own mixture of cryptography comes with a huge risk! However
since below you will find that my method is merely a direct application of
existing cryptography, I strongly believe this would be successful in real
world applications.
Hotwallets are a known and unfortunately necessarily vulnerability in any
deployment of cryptocurrencies, so I wondered how to make them more
secure. Then I wondered if they could be split up into pieces?
Some research suggested this for ECDSA signatures:
https://bitcointalk.org/index.php?topic=81865.msg901491#msg901491https://bitcoin.stackexchange.com/questions/3853/can-one-safely-buy-vanity-addresses-from-a-third-party-without-risking-ones-coiThe way this works is that 2 keys can be (modulo) added to generate the
final combined key.
The next question for me was to ask if the same application could be
transferred to the signatures themselves? In essence: would it be possibe
that one entity creates a (invalid) signature to the final combined key,
but that it would become only a valid signature after the last (modulo)
multiplication with the second part of the key?
If a*b=c, then Sig(a)*b=Sig(c)
After trying for several weeks to unsuccessfully transform the ECDSA
s= (z+r*x)/k
(where x was a combination of a*b) in order to create a protocol that
would allow this "aggregate-signing" that I envisioned, I learned quite
some things from my mistakes, like letting k leak out or allowing one
entity to learn both parts of the key, defeating my goal of splitting it
up. :-)
It was only when I came across a paper describing "RSA treshold
signatures" (now I know the cryptographic name at last!) and the pallier
cryptosystem, that I realized I had found the missing link: homomorphic
encryption that supports addition AND multiplication.
There are different possible schemes, but basically you need n+1 entities
for n keyparts. (The transmitting/Homomorphic decrypting entity can be recycled for 3 parts and above.)
Each entity n creates a building block for the signature and
encrypts it with the public key of a chosen common homomorphic encryption
scheme. Then each next entity adds its own encrypted building block to the
signature. Finally the last entity decrypts the (now valid) combined
signature without ever learning the combined key, and broadcasts it to the
network.
Like this:
Enc(z)/Enc(k1) + Enc(r*a) /Enc(K1)
Enc(z)/Enc(K1)*Enc(K2) + Enc(r*a)*Enc(b)/Enc(K1)*Enc(k2)
equals:
Enc(z)/Enc(k1*k2) + Enc(r*a*b)/Enc(k1*k2)
if k1*k2=k and a*b=x
equals:
Enc((z+r*x)/k) which decrypts to a valid ECDSA signature by the
broadcasting entity.
Also note that the combined k (ephemeral key is the correct term I
suppose?) renders the Klepto-SETUP described early january 2015 unusable,
unless both of the entities are compromised.
https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdfAnd off course faulty RNG are also similarly thwarted.
Now what about other non-Bitcoin cryptocurrencies like Monero?
Well, I do not know if ECDSA signatures are used as building blocks of
Ring Signatures, but I guess it is possible to modify whatever
signature scheme you have to create this "Luke wallets" (from lukewarm, as
in neither Hot nor Cold. ;-) that vastly better protect users wallets.
Exchanges that employ these Luke Wallets can distribute their
wallets over different operating systems, hardware, physical locations
etc... to better withstand various forms of theft, and as long as certain
safegards in the protocol are in place, no one can gather the needed parts
to re-build the combined secret key that was once generated at a given
place and time in the past.
As I do not have coding ability, a POC cannot be provided, however there are some
Open Source libraries available, like
https://code.google.com/p/thep/so for somebody who already got his/her feet wet, it should be straightforward to
implement. Unless offcourse some of the real cryptographers here can immediately
point out weaknesses or errors, but then please consider this as the beginning of an Open Source effort and pool all the comments etc... together for the general benefit.
As I want to remain anonymous, I will sign this with the private key of my adress
- 12ADZcBhHrWpKNoyWTRDEerkz7wJbWeyjK - so I can proveably claim this idea later, if ever.***
Everything between *** is used for signing and verifying this message.
The resulting signature is:
HMgk/qXEc4q2y/MtTp4Mp0nyzjs0mjMY/JNGLkpLCmkHL+7iUy2wX2a5qICer7ZOHiPsf2+ycBSUDsfvCv7f2kI=
Edit: this is rather cumbersome (using preview) to get consistently verifying messages with Bitcoin Core.
Perhaps PGP/GPG-style message format with the --------- could be adopted in the future?