Minimal Design for Decentralized Wallet. Omer Shlomovits

Size: px

Start display at page:

Download "Minimal Design for Decentralized Wallet. Omer Shlomovits"

Madeleine Armstrong
5 years ago
Views:

1 Minimal Design for Decentralized Wallet Omer Shlomovits 1

2 !2 Motivation Imagine we had a private key management system where: No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times

3 !3 Our Heroes Rick Morty

4 !4 The Journey Verifiable Social Recovery Mixed Model KMS TMOVE

5 !5 Key Management System Three main functionalities in the context of blockchains: Key generation and custody Signatures Key backup and recovery

6 !6 Problem: Key Management is hard Side channel attacks Social engineering attacks Human errors etc

7 !7 Trusted Party to the rescue?

8 !8 Trusted Party to the rescue?

9 !9 Trusted Party to the rescue? How can we optimize on keys security without compromising on keys usability?

10 !10 From single to distributed keys Enter threshold cryptography

11 !11 From single to distributed keys Enter threshold cryptography Given n parties, we divide the key management responsibilities Distributed key generation Signing requires cooperation of t out of n

12 !12 From single to distributed keys Enter threshold cryptography Given n parties, we divide the key management responsibilities Distributed key generation Signing requires cooperation of t out of n Efficient protocols exists Threshold ECDSA [GG18, DKLS18, LNR18]

13 !13 Sounds a lot like Multisig to me

14 !14 Multisig vs Threshold Signing Max number of parties Interactiveness Rotation Access policy privacy Chain support Low cost Efficiency (communication/ computation)

!15 Multisig vs Threshold Signing https://mediumcom/kzen-networks/threshold-signatures-private-key-the-next-generation-f27b30793b

15 !15 Multisig vs Threshold Signing Max number of parties Interactiveness Rotation Access policy privacy Chain support Low cost Efficiency (communication/ computation)

16 !16 Mixed Model Roles Owner x 1 Service Providers

17 !17 Mixed Model {t=n=2} Roles Owner x 1 Service Providers x 1

18 !18 Mixed Model {t=n=2} Roles Owner x 1 Service Providers x 1 System Requirements No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times?

19 !19 Choosing Parameters {t,n} Depends on the adversary model and specific use case different access structures can be considered Axiom: assuming SP is motivated solely by Economical Gain, We cannot avoid the Recovery problem Fact: two-party protocols are simpler than multi-party protocols

20 !20 Recovery in Mixed Model {t=n=2}

21 !21 Recovery in Mixed Model {t=n=2} Recovery in the two party setting can mean: Self recovery: Owner s secret share Counter party recovery: SP secret share sk = f(, ) SP Owner

22 !22 Recovery in Mixed Model {t=n=2} Owner self-recovery reduces to classical backup Cloud/ Paper/etc Owner

23 !23 Recovery in Mixed Model{t=n=2} Owner self-recovery reduces to classical backup Assuming Authentication: Cloud SP Owner

24 !24 Recovery in Mixed Model{t=n=2} Recovery in the two party setting can mean: Self recovery: Owner s secret share Counter party recovery: SP secret share How can the Owner recover if SP goes offline / hacked / becomes malicious? sk = f(, ) SP Owner

25 !25 Recovery of Counter Party Secret How can we recover Counter secret share if SP goes offline / hacked / becomes malicious? Under certain assumptions this can be done easily Escrow service that is triggered to release SP secret share once SP is not sending a life signal for a certain period of time Escrow sk = f(, ) SP Owner

26 Recovery of Counter Party Secret General idea: If enough Owners collaborate, they each get to recover their Counter party secret share at the same time SP!26 Owner_1 Owner_2 Owner_n

27 Recovery of Counter Party Secret General idea: If enough Owners collaborate, they each get to recover their Counter party secret share at the same time TMOVE!27 Owner_1 Owner_2 Owner_n

28 Recovery of Counter Party Secret General idea: If enough Owners collaborate, they each get to recover their Counter party secret share at the same time!28 Owner_1 Owner_2 Owner_n

29 !29 Background: PVSS Publicly Verifiable Secret Sharing

30 !30 Background: PVSS Publicly Verifiable Secret Sharing Dealer Distribution s ss 1 ss 2 ss n 1 ss n pk n 1 pk n pk 2 pk 1

31 !31 Background: PVSS Publicly Verifiable Secret Sharing Dealer Public proofs : A dealer cannot send incorrect shares s ss 1 ss 2 pk 2 pk n 1 pk n ss n 1 ss n {π di } n 1 pk 1

32 !32 Background: PVSS Publicly Verifiable Secret Sharing Dealer Reconstruction: t out of n s pk t ss t pk t 1 ss t 1 pk 2 ss 2 s ss 1 pk 1

33 !33 Background: PVSS Publicly Verifiable Secret Sharing Dealer Public proofs :Participants cannot submit incorrect shares s {π di } n 1 {π ri } t 1 pk t ss n pk t 1 ss n 1 Pk 2 ss 2 s ss 1 pk 1

34 !34 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log

35 !35 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog [x = g ω ] {sk m, pk m } Gen(1 n )

36 !36 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, pk m ) {sk m, pk m } Gen(1 n )

37 !37 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, pk m ) {sk m, pk m } Gen(1 n ) 1/0 V(c, π, x, pk m )

38 !38 Background: DLog VE[CS03] Verifiable Encryption of Discrete Log {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, pk m ) {sk m, pk m } Gen(1 n ) 1/0 V(c, π, x, pk m ) ω Dec (c, sk m )

39 !39 TVE Threshold Verifiable Encryption

40 !40 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog [x = g ω ] pk 1 pk 2 pk n {sk m, pk m } Gen(1 n )

41 !41 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) pk 1 pk 2 pk n {sk m, pk m } Gen(1 n )

42 !42 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) {π di } n 1 pk 1 PVSS::distribute pk 2 pk n {sk m, pk m } Gen(1 n )

43 !43 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) pk 1 {π di } n 1 {π ri } t 1 PVSS::reconstruct pk 2 pk n {sk m, pk m } Gen(1 n )

44 !44 TVE Threshold Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog c, π Enc (ω, {pk i } n 1, pk m ) 1/0 V(c, π, x, pk m ) pk 1 {π di } n 1 {π ri } t 1 pk 2 pk n ω Dec (c, sk m, {ss i } t 1 ) {sk m, pk m } Gen(1 n )

45 !45 TMOVE Threshold Multiple Output Verifiable Encryption

46 !46 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog pk 1 pk 2 pk n

47 !47 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) pk 1 pk 2 pk n

48 !48 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) PVSS::distribute pk 1 pk 2 pk n {{π dij } n i=1 }m j=1

49 !49 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) PVSS::reconstruct pk 1 pk 2 pk n {{π dij } n i=1 }m j=1 {{π rij } t j i=1 }m j=1

50 !50 TMOVE Threshold Multiple Output Verifiable Encryption {Gen, Enc, Dec} {x, ω} R dlog {c i } n 1, π Enc ({ω i } n 1, {pk i }n 1 ) 1/0 V({c i } n 1, π, x, {pk i }n 1 ) pk 1 pk 2 {{π dij } n i=1 }m j=1 {{π rij } t j i=1 }m j=1 pk n ω k Dec (c k, sk k, {{ss i } t j i=1 }m j=1 )

51 !51 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n

52 !52 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n

53 !53 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n

54 !54 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n

55 !55 TMOVE Properties TVE per party Gradual release (up to one segment) ω 1 ω 2 ω k ω n 1 ω n

56 !56 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} Additively-Homomorphism: + = (B 1, B 2 ) = {ωg + ry, rg} (C 1, C 2 ) = {ag + sy, sg} (D 1, D 2 ) = {(a + ω)g + (r + s)y, (r + s)g}

57 !57 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} We do the following for party i and PVSS secret α j : C 1 [i, j] = [ω i ] j G + α j pk i

58 !58 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} We do the following for party i and PVSS secret α j : Verifiable Encryption: ZK proof that segment under public key of party C 1 [i, j] = [ω i ] j G + α j pk i C 1 [i, j] i is an encryption of a small witness with randomness equal to α j

59 !59 TMOVE Instantiation Additive Homomorphic Encryption scheme: ElGamal in the exponent (homomorphic ElGamal) : Enc Y (ω) = {C 1, C 2 } = { ωg + ry, rg} We do the following for party i and PVSS secret α j : Verifiable Encryption: ZK proof that segment under public key of party C 1 [i, j] = [ω i ] j G + α j pk i C 1 [i, j] i is an encryption of a small witness with randomness equal to α j α j Gradual release: are reconstructed one at a time such that at any given moment the difference between parties is no more than one encrypted segment

60 !60 Verifiable Social Recovery via TMOVE Service Provider Owner i

61 !61 Verifiable Social Recovery via TMOVE Service Provider Owner i 2P keygen s r sk = f(s r, s m ) s m

62 !62 Verifiable Social Recovery via TMOVE Service Provider Owner i s r 2P keygen s m s r TMOVE::encrypt( ) TMOVE::distribute::party(i)

63 !63 Verifiable Social Recovery via TMOVE (Part 2) s m

64 !64 Verifiable Social Recovery via TMOVE (Part 2) TMOVE::reconstruct s m {α j } m 1 {α j } m 1 {α j } m 1

65 !65 Verifiable Social Recovery via TMOVE (Part 2) sk = f(s r, s m ) s r s m {α j } m 1 {α j } m 1 {α j } m 1 TMOVE::decrypt::party(i)

66 !66 Mixed Model{t=n=2} Roles Owner x 1 Service Providers x 1 System Requirements No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times?

67 !67 Mixed Model{t=n=2} Roles Owner x 1 Service Providers x 1 System Requirements No single point of failure Move of assets (signing) cannot happen without Owner approval Recovery is possible at all times

68 68 The Journey Trust that other users in the same situation will act rationally 1 owner, 1 sp No single point of failure Verifiable Social Recovery Mixed Model KMS Key management is hard TMOVE Threshold multiple output verifiable encryption

1 sp No single point of failure Verifiable Social Recovery Mixed Model

69 !69 Questions? Trust that other users in the same situation will act rationally 1 owner, 1 sp No single point of failure Verifiable Social Recovery Mixed Model KMS Key management is hard TMOVE Threshold multiple output verifiable encryption kzencorpcom twittercom/kzencorp githubcom/kzen-networks

70 !70 Practical Considerations One SP can handle millions of Owners Owners can join the service Asynchronously Owners of the same SP must have similar stake in the system PKI: Owners of the same SP must know each other public key (blockchain pk s are good)

Secret sharing schemes

Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret