Bitcoin Forum
Author Topic: Armory Homomorphic encryption explanation  (Read 2406 times)
wingsuit
Member
Activity: 64
embrace firstbits!
May 15, 2013, 10:04:13 AM
#1

Can you give a very brief explanation of the deterministic wallet in Armory, specifically how it achieves public key generation without needing the private keys.

Also your thoughts on how this quote relates to Armory -- 'Visions of a fully homomorphic cryptosystem have been dancing in cryptographers' heads for thirty years. I never expected to see one. It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure.' Bruce Schneier

EDIT: Okay I see that this is discussed here https://en.bitcoin.it/wiki/BIP_0032.

etotheipi
Legendary
Activity: 1428
Core Armory Developer
May 15, 2013, 01:41:40 PM
#2

Armory will be upgrading to BIP32, but at the moment it uses its own homegrown version of "Type 2" deterministic wallets.  After all, it was the first application to implement them, so I couldn't really have followed any standard Smiley  But it's not homomorphic encryption.  Homomorphic encryption is pretty neat and enables some pretty cool capabilities, in general, but I haven't thought about whether it could be useful for Bitcoin.   I bet, if we upgraded the scripting environment, we could find something interesting, but I'm not sure how useful it would be.  It would certainly be a fun discussion to have...

For reference, Armory's wallet chains together like this:

Code:
PrivKey[0] = Random(32)
Chaincode  = Random(32)
PubKey[0]  = Priv2Pub(PrivKey[0])

Then

Code:
PrivKey[i+1] = (hash256(PubKey[i]) XOR Chaincode) * PrivKey[i]
PubKey[i+1]  = (hash256(PubKey[i]) XOR Chaincode) * PubKey[i]

Where the multiplication (*) is scalar-multiplication-mod-N in the first line, and it's elliptic-curve-point-mult-by-scalar on the second line.  The magic of elliptic curve math is that if N is equal to the number of points on the elliptic curve, then you end up with matching private and public keychains on both sides.

I had actually been meaning to document this precisely somewhere.  I guess this was my excuse.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
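As an added illustration (not code from this thread and not Armory's own implementation), here is a self-contained Python model of the chaining described above on secp256k1. It derives the private and public keychains side by side and checks that they stay in sync, and it also derives the public chain from PubKey[0] and the chaincode alone, which is the watching-only case the original question asks about. Assumptions not stated in the post: hash256 is Bitcoin's double SHA-256, the public key is hashed in its uncompressed 65-byte form, and the root key and chaincode are constructed sample values; Armory's real serialization and hashing details may differ.

```python
import hashlib
from typing import List, Optional, Tuple

# secp256k1 domain parameters: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

Point = Optional[Tuple[int, int]]  # affine coordinates; None is the point at infinity


def ec_add(p1: Point, p2: Point) -> Point:
    """Textbook affine point addition on secp256k1 (not constant-time; for illustration)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k: int, pt: Point) -> Point:
    """Scalar multiplication k*pt by double-and-add; k is reduced mod N first."""
    k %= N
    result: Point = None
    addend = pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def priv2pub(priv: int) -> Point:
    return ec_mul(priv, G)


def hash256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256; assumed to be the hash256 of the post."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_pub(pt: Point) -> bytes:
    """Uncompressed 65-byte SEC encoding (assumption: this is the form that gets hashed)."""
    x, y = pt
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def chain_multiplier(pub: Point, chaincode: bytes) -> int:
    """(hash256(PubKey[i]) XOR Chaincode), read as an integer mod N."""
    h = hash256(serialize_pub(pub))
    xored = bytes(a ^ b for a, b in zip(h, chaincode))
    return int.from_bytes(xored, "big") % N


def next_privkey(priv: int, pub: Point, chaincode: bytes) -> int:
    """PrivKey[i+1] = multiplier * PrivKey[i]  (scalar multiplication mod N)."""
    return (chain_multiplier(pub, chaincode) * priv) % N


def next_pubkey(pub: Point, chaincode: bytes) -> Point:
    """PubKey[i+1] = multiplier * PubKey[i]  (EC point multiplied by scalar)."""
    return ec_mul(chain_multiplier(pub, chaincode), pub)


def derive_chain(priv0: int, chaincode: bytes, count: int):
    """Full wallet: derive both keychains from the root private key."""
    privs, pubs = [priv0], [priv2pub(priv0)]
    for _ in range(count):
        privs.append(next_privkey(privs[-1], pubs[-1], chaincode))
        pubs.append(next_pubkey(pubs[-1], chaincode))
    return privs, pubs


def watch_only_chain(pub0: Point, chaincode: bytes, count: int) -> List[Point]:
    """Watching-only wallet: the public chain from PubKey[0] and the chaincode, no private keys."""
    pubs = [pub0]
    for _ in range(count):
        pubs.append(next_pubkey(pubs[-1], chaincode))
    return pubs


def chains_match(privs: List[int], pubs: List[Point]) -> bool:
    """True if every PubKey[i] equals Priv2Pub(PrivKey[i])."""
    return all(priv2pub(k) == p for k, p in zip(privs, pubs))


# Constructed sample root key and chaincode; not real wallet material.
SAMPLE_PRIV0 = int.from_bytes(hashlib.sha256(b"constructed sample root key").digest(), "big") % N
SAMPLE_CHAINCODE = hashlib.sha256(b"constructed sample chaincode").digest()

if __name__ == "__main__":
    privs, pubs = derive_chain(SAMPLE_PRIV0, SAMPLE_CHAINCODE, 5)
    print("private and public keychains agree:", chains_match(privs, pubs))
    print("watch-only chain agrees:", watch_only_chain(pubs[0], SAMPLE_CHAINCODE, 5) == pubs)
```

The two chains agree because ec_mul reduces its scalar mod N and G has order N, so (m * PrivKey[i] mod N) * G is the same point as m * (PrivKey[i] * G). The watch_only_chain function shows the flip side: anyone holding PubKey[0] and the chaincode can enumerate every address in the wallet, which is why the chaincode should be treated as confidential even though it cannot be used to spend.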
oakpacific
Hero Member
Activity: 798
May 15, 2013, 03:16:01 PM
#3

Quote from: etotheipi on May 15, 2013, 01:41:40 PM
Armory will be upgrading to BIP32, but at the moment it uses its own homegrown version of "Type 2" deterministic wallets.  After all, it was the first application to implement them, so I couldn't really have followed any standard Smiley  But it's not homomorphic encryption.  Homomorphic encryption is pretty neat and enables some pretty cool capabilities, in general, but I haven't thought about whether it could be useful for Bitcoin.   I bet, if we upgraded the scripting environment, we could find something interesting, but I'm not sure how useful it would be.  It would certainly be a fun discussion to have...

For reference, Armory's wallet chains together like this:

Code:
PrivKey[0] = Random(32)
Chaincode  = Random(32)
PubKey[0]  = Priv2Pub(PrivKey[0])

Then

Code:
PrivKey[i+1] = (hash256(PubKey[i]) XOR Chaincode) * PrivKey[i]
PubKey[i+1]  = (hash256(PubKey[i]) XOR Chaincode) * PubKey[i]

Where the multiplication (*) is scalar-multiplication-mod-N in the first line, and it's elliptic-curve-point-mult-by-scalar on the second line.  The magic of elliptic curve math is that if N is equal to the number of points on the elliptic curve, then you end up with matching private and public keychains on both sides.

I had actually been meaning to document this precisely somewhere.  I guess this was my excuse.

As long as the chaincode remains secret, the unreused deterministic addresses will have the same kind of quantum computer resistance as the non-deterministic ones, right?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
DeathAndTaxes
Donator
Legendary
Activity: 1218
Gerald Davis
May 15, 2013, 03:25:06 PM
#4

OP should retitle the topic as it is misleading, I thought Armory was doing some experimentation in HE.  As pointed out neither Armory nor any Bitcoin related software uses homomorphic encryption. 

etotheipi
Legendary
Activity: 1428
Core Armory Developer
May 15, 2013, 03:29:03 PM
#5

Quote from: oakpacific on May 15, 2013, 03:16:01 PM
As long as the chaincode remains secret, the quantum computer resistance of unreused addresses will not be weakened, right?

That's correct.  The terminology I use is that the chaincode is "sensitive" but not "private".  Meaning, that you shouldn't make your chaincode public, but in the absence of QCs, it's just a breach of privacy, not security (people can now see all your wallet transactions, but cannot spend your coins).   If QCs are around, that's a whole different story -- in that case the chaincode would need to be kept securely, though the Bitcoin protocol would be changing to QC-resistant algos, and all this discussion about it is probably moot.
