Abstract
We introduce a new key generation mechanism where users can generate a “back up key”, securely nested inside the secret key of a signature scheme.
Our main motivation is that in case of leakage of the secret key, established techniques based on zero-knowledge proofs of knowledge are void, since the key becomes public. On the other hand, the “back up key”, which remains secret, can be used to generate a “proof of ownership”, i.e., only the real owner of this secret key can generate such a proof. To the best of our knowledge, this extra level of security is novel, and could already have been used in practice, had it been available, in digital wallets for cryptocurrencies that suffered massive leakage of account private keys. In this work, we formalize the notions of “Proof of Ownership” and “Fallback” as new properties. Then, we introduce our construction, which is compatible with major designs for wallets based on ECDSA and adds a \(\text{ W-OTS}^{+}\) signing key as a “back up key”, thus offering a quantum secure fallback. This design allows the hiding of any quantum secure signature key pair, and is not exclusive to \(\text{ W-OTS}^{+}\). Finally, we briefly discuss the construction of multiple generations of proofs of ownership.
Notes
1. We highlight the work of Banegas and Bernstein [3], which studies the overhead beyond the quantum queries and shows that even in a post-quantum setting the collision-finding algorithms cost at least \(2^{n/2}\), even if they require a smaller number of queries.
References
1. Arapinis, M., Gkaniatsou, A., Karakostas, D., Kiayias, A.: A formal treatment of hardware wallets. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 426–445. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_26
2. Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018: 25th Conference on Computer and Communications Security, Toronto, ON, Canada, 15–19 October 2018, pp. 913–930. ACM Press (2018)
3. Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 325–335. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_16
4. Bernstein, D.J., Hülsing, A.: Decisional second-preimage resistance: when does SPR imply PRE? In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 33–62. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_2
5. Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS\(^+\) signature framework. In: Cavallaro et al. [9], pp. 2129–2146 (2019)
6. Mnemonic code for generating deterministic keys. https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki. Accessed 20 Jan 2020
7. Mnemonic code converter. https://iancoleman.io/bip39/. Accessed 20 Jan 2020
8. Study finds less than 40% of btc addresses are economically relevant. https://news.bitcoin.com/study-finds-less-than-40-of-btc-addresses-are-economically-relevant/. Accessed 18 Jan 2020
9. Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.): ACM CCS 2019: 26th Conference on Computer and Communications Security. ACM Press (2019)
10. Dahmen, E., Okeya, K., Takagi, T., Vuillaume, C.: Digital signatures out of second-preimage resistant hash functions. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 109–123. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_8
11. Das, P., Faust, S., Loss, J.: A formal treatment of deterministic wallets. In: Cavallaro et al. [9], pp. 651–668 (2019)
12. Ethereum unique addresses chart. https://etherscan.io/chart/address. Accessed 18 Sep 2020
13. Implementation of wots up my sleeve. https://github.com/yaksetig/sleeve. Accessed 01 Apr 2021
14. Golang implementation of the bip39 spec. https://godoc.org/github.com/tyler-smith/go-bip39. Accessed 20 Sep 2020
15. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: 28th Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996, pp. 212–219. ACM Press (1996)
16. Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef et al. [27], pp. 173–188
17. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
18. Hutter, M., Schwabe, P.: NaCl on 8-bit AVR microcontrollers. In: Youssef et al. [27], pp. 156–172
19. Karakostas, D., Kiayias, A., Larangeira, M.: Account management in proof of stake ledgers. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 3–23. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_1
20. Lamport, L.: Constructing digital signatures from a one-way function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory (1979)
21. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
22. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009)
23. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
24. Trinity attack incident part 1: Summary and next steps. https://blog.iota.org/trinity-attack-incident-part-1-summary-and-next-steps-8c7ccc4d81e8. Accessed 22 Sep 2020
25. van Heyst, E., Pedersen, T.P.: How to make efficient fail-stop signatures. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 366–377. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-47555-9_30
26. Wood, G.: Ethereum: a secure decentralised generalised transaction ledger. Ethereum project yellow paper 151, 1–32 (2014)
27. Youssef, A., Nitaj, A., Hassanien, A.E. (eds.): AFRICACRYPT 2013. LNCS, vol. 7918. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7
Appendices
A Generic Attacks
The constructions presented earlier are hash-based; therefore, in this section we give an extensive list of the computational complexities of various generic attacks against hash functions and relate them to our constructions. Later we rely on these complexities to analyse and prove the security of our proposed signature scheme.
Preimage Resistance. The adversary \(\mathcal {A} \) may obtain a hash digest and attempt to invert the one-way property of the used hash function. Assuming that the inputs are uniform random n-bit values, then this preimage attack costs \(2^{n}\) in the classical setting. In the post-quantum setting, using Grover’s algorithm, this attack costs \(2^{n/2}\).
Second Preimage Resistance (SPR). The adversary may instead attempt to find a second preimage of an n-bit message. Assuming a non-compressing hash function, that is, there is at least an n-bit-to-n-bit preimage to hash mapping, then this attack costs \(2^{n}\) in the classic setting, and \(2^{n/2}\) in the post-quantum setting.
Enhanced Target Collision Resistance (eTCR). The notion of eTCR implies that an adversary is allowed to choose a target message M. Upon choosing this target message, \(\mathcal {A} \) learns the function \(H_{K}\) (by learning the key K), and the adversary wins after presenting a new message \(M'\) and a (possibly new) key \(K'\) such that \(H_{K}(M) = H_{K'}(M')\).
A possible application of the eTCR game in our setting involves the adversary committing to a \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})\) public key value and then obtaining the hash function key. There are two ways an adversary may attempt to break the eTCR property of a hash function. First, \(\mathcal {A} \) may attempt to obtain a new \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\) such that \(H_{K}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})) = H_{K}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})')\). Second, \(\mathcal {A} \) may attempt to obtain a new key \(K'\) and \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\) such that \(H_{K}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})) = H_{K'}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})')\).
If \(\mathcal {A} \) owns the secret keys corresponding to the colliding \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\), then \(\mathcal {A} \) can forge a proof of ownership of the target wallet. This forgery costs at least \(2^n\) pre-quantum, \(2^{n/2}\) post-quantum (Grover’s algorithm), and results in the adversary having the ability to prove ownership of an elliptic curve based wallet with a different fallback public key. We highlight, however, that even if the adversary can find a second preimage, it is not guaranteed that it corresponds to a \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\) actually controlled by \(\mathcal {A} \).
Multi-target Attacks. The previous definitions assume an adversary attacking a single target. We now assume a hash function with n-bit outputs is used d times and each of these d outputs is publicly posted (e.g., on a blockchain). The adversary \(\mathcal {A} \) may, therefore, attempt to invert any of these d public values, which results in an attack complexity of \(2^{n - \log_{2}(d)}\) instead of \(2^n\). In order to show the effectiveness of a multi-target attack, we consider the case where all the secret keys associated with the wallet addresses are publicly exposed and were generated using our hidden key construction.
This setting results in a leakage of approximately \(2^{29}\) target wallet addresses, for example [8, 12], which results in an attack complexity cost of \(2^{n - 29}\). Typically, ECDSA secret keys are 256 bits long. Therefore, a multi-target attack in the setting we describe results in a direct loss of 29 bits of security, i.e., a cost of \(2^{227}\) instead of \(2^{256}\). In a post-quantum setting (see Note 1), however, the adversary must perform \(2^{n/2}/\sqrt{d}\) work, where \(d < 2^{n/3}\).
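The multi-target loss described above can be made concrete with a small simulation. The following is an added example, not code from the paper or its authors: it uses SHA-256 truncated to n bits as a stand-in for an n-bit hash, constructs d random "published" digests, and counts how many hash evaluations a brute-force search needs before it hits any of them. The cost functions encode the formulas from the text (\(2^{n - \log_2 d}\) classically, \(2^{n/2}/\sqrt{d}\) post-quantum for \(d < 2^{n/3}\)); the toy parameters (n = 16, d = 1 and d = 256) and all function names are my own.

```python
"""
Added simulation of single- versus multi-target preimage search against a
truncated hash.  Not part of the paper: the toy hash (SHA-256 cut to n bits),
the parameters and all function names are constructed for illustration.
"""
import hashlib
import math
import random
import statistics


def trunc_hash(data: bytes, n: int) -> int:
    """SHA-256 truncated to its top n bits, standing in for an n-bit hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - n)


def classical_cost_bits(n: int, d: int) -> float:
    """log2 of the classical cost 2^(n - log2 d) when d digests are published."""
    return n - math.log2(d)


def quantum_cost_bits(n: int, d: int) -> float:
    """log2 of the post-quantum cost 2^(n/2) / sqrt(d); stated only for d < 2^(n/3)."""
    if d >= 2 ** (n / 3):
        raise ValueError("bound is only stated for d < 2^(n/3)")
    return n / 2 - math.log2(d) / 2


def make_targets(d: int, n: int, rng: random.Random) -> set:
    """d distinct 'published' digests of random, unknown preimages (constructed)."""
    targets = set()
    while len(targets) < d:
        targets.add(trunc_hash(rng.randbytes(16), n))
    return targets


def multi_target_preimage_search(targets: set, n: int, salt: bytes):
    """Hash salt||counter until some digest lands in the target set.
    Any of the d targets counts as a hit, which is exactly the multi-target gain.
    Returns (preimage, number_of_hash_evaluations)."""
    counter = 0
    while True:
        candidate = salt + counter.to_bytes(8, "big")
        counter += 1
        if trunc_hash(candidate, n) in targets:
            return candidate, counter


def single_run(n: int, d: int, seed: int):
    """One experiment: fresh target set, fresh salt; returns (preimage, targets, trials)."""
    rng = random.Random(seed)
    targets = make_targets(d, n, rng)
    pre, trials = multi_target_preimage_search(targets, n, rng.randbytes(8))
    return pre, targets, trials


def average_trials(n: int, d: int, runs: int, seed: int = 0) -> float:
    """Mean number of hash evaluations over `runs` independent experiments."""
    return statistics.mean(single_run(n, d, seed + i)[2] for i in range(runs))


if __name__ == "__main__":
    # The paper's parameters: 256-bit keys, roughly 2^29 exposed addresses.
    print("classical bits   :", classical_cost_bits(256, 2 ** 29))  # 227.0
    print("post-quantum bits:", quantum_cost_bits(256, 2 ** 29))    # 113.5
    # Toy measurement at n = 16: about 2^16 trials for d = 1, about 2^8 for d = 256.
    for d in (1, 256):
        mean = average_trials(16, d, runs=4)
        expect = 2 ** classical_cost_bits(16, d)
        print(f"n=16, d={d:>3}: mean trials {mean:.0f} (expected {expect:.0f})")
```

The measured means for d = 256 come out close to 1/256 of those for d = 1, matching the \(\log_2 d\) bit loss; the same search loop with d = 1 is the single-target preimage attack of the earlier paragraph, so nothing about the attacker changes except the size of the target set it is allowed to hit.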
Decisional Second-Preimage Resistance (DSPR). In [4], Bernstein and Hülsing introduce DSPR, which defines the advantage in deciding, given a random input x, whether x has a second preimage.
An adversary could potentially use this definition to determine in advance whether or not it is worth attacking the SPR (or eTCR) of a hash function. If the DSPR advantage is non-negligible, then the adversary can choose a target wallet and determine in advance whether or not a second preimage exists. For example, if there is no second preimage associated with a target wallet address, then the adversary can select another target address rather than spend unnecessary computational resources trying to find a non-existent value. That paper, however, proves that DSPR is at least as hard to break as preimage resistance (PRE) or second-preimage resistance (SPR) for uniform random hash functions from \(\{0, 1\}^{n} \text{ to } \{0, 1\}^{n}\). This results in an attack cost of \(2^{n}\) in the classical setting, and \(2^{n/2}\) in the post-quantum setting.
The authors also considered ways to attack DSPR for real hash functions, and concluded that there is no obvious way for a fast attack to achieve any advantage. Consequently, \(\mathcal {A} \) cannot exploit the DSPR notion to gain any non-negligible advantage in creating forged proof(s) of ownership.
B Simplified Description of the Construction
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Chaum, D., Larangeira, M., Yaksetig, M., Carter, W. (2021). \(\text{ W-OTS}^{+}\) Up My Sleeve! A Hidden Secure Fallback for Cryptocurrency Wallets. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science, vol 12726. Springer, Cham. https://doi.org/10.1007/978-3-030-78372-3_8
DOI: https://doi.org/10.1007/978-3-030-78372-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78371-6
Online ISBN: 978-3-030-78372-3