\(\text{ W-OTS}^{+}\) Up My Sleeve! A Hidden Secure Fallback for Cryptocurrency Wallets

Abstract

We introduce a new key generation mechanism where users can generate a “back up key”, securely nested inside the secret key of a signature scheme.

Our main motivation is that in case of leakage of the secret key, established techniques based on zero-knowledge proofs of knowledge are void since the key becomes public. On the other hand, the “back up key”, which is secret, can be used to generate a “proof of ownership”, i.e., only the real owner of this secret key can generate such a proof. To the best of our knowledge, this extra level of security is novel, and could have already been used in practice, if available, in digital wallets for cryptocurrencies that suffered massive leakage of account private keys. In this work, we formalize the notion of “Proof of Ownership” and “Fallback” as new properties. Then, we introduce our construction, which is compatible with major designs for wallets based on ECDSA, and adds a \(\text{ W-OTS}^{+}\) signing key as a “back up key”. Thus offering a quantum secure fallback. This design allows the hiding of any quantum secure signature key pair, and is not exclusive to \(\text{ W-OTS}^{+}\). Finally, we briefly discuss the construction of multiple generations of proofs of ownership.

Appendices

A Generic Attacks

The early presented constructions are hash based ones, therefore in this section we present an extensive list of computational complexities of various generic attacks against hash functions, while relating them with our constructions. Later we rely on these complexities to analyse and prove security of our proposed signature scheme.

Preimage Resistance. The adversary \(\mathcal {A} \) may obtain a hash digest and attempt to invert the one-way property of the used hash function. Assuming that the inputs are uniform random n-bit values, then this preimage attack costs \(2^{n}\) in the classical setting. In the post-quantum setting, using Grover’s algorithm, this attack costs \(2^{n/2}\).

Second Preimage Resistance (SPR). The adversary may instead attempt to find a second preimage of an n-bit message. Assuming a non-compressing hash function, that is, there is at least an n-bit-to-n-bit preimage to hash mapping, then this attack costs \(2^{n}\) in the classic setting, and \(2^{n/2}\) in the post-quantum setting.

Enhanced Target Collision Resistance (eTCR). The notion of eTCR implies that an adversary is allowed to choose a target message M. Upon choosing this target message, \(\mathcal {A} \) learns the function \(\mathcal {H}_{K}\) (by learning the key K) and the adversary wins after presenting a new message \(M'\) and a (possibly new) key \(K'\) such that \(H_{K}(M) = H_{K'}(M')\).

A possible application of the eTCR game in our setting involves the adversary committing to a \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})\) public key value and then obtaining the hash function key. There are two ways an adversary may attempt to break the eTCR property of a hash function. First, \(\mathcal {A} \) may attempt to obtain a new \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\) such that \(H_{K}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})) = H_{K}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})')\). Second, \(\mathcal {A} \) may attempt to obtain a new key \(K'\) and \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\) such that \(H_{K}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})) = H_{K'}(L(\text{ W-OTS}^{+}_{\mathtt {vk}})')\).

If \(\mathcal {A} \) owns the secret keys corresponding to the colliding \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\), then \(\mathcal {A} \) can forge a proof of ownership of the target wallet. This forgery costs at least \(2^n\) pre-quantum, \(2^{n/2}\) post-quantum (Grover’s algorithm), and results in the adversary having the ability to prove ownership of an elliptic curve based wallet with a different fallback public key. We highlight, however, that even if the adversary can find a second preimage, it is not guaranteed that it corresponds to a \(L(\text{ W-OTS}^{+}_{\mathtt {vk}})'\) actually controlled by \(\mathcal {A} \).

Multi-target Attacks. The previous definitions assume an adversary attacking one single target. We assume a hash function with n-bit outputs is used d times and each of these d outputs is publicly posted (e.g., on a blockchain). The adversary \(\mathcal {A} \) may, therefore, attempt to invert any of these public d values, which results in an attack complexity of \(2^{n - log_{2}(d)}\) instead of \(2^n\). In order to show the effectiveness of a multi-target attack, we consider the case where all the secret keys associated with the wallet addresses are publicly exposed and are generated using our hidden key construction.

This setting results in a leakage of approximately \(2^{29}\) target wallet addresses, for example  [8, 12], which results in an attack complexity cost of \(2^{n - 29}\). Typically, ECDSA secret keys of 256 bits. Therefore, a multi-target attack in the setting we describe results in a direct loss of 29 bits in security, resulting in a cost of \(2^{227}\) instead of \(2^{256}\). In a post-quantum setting¹, however, the adversary must perform \(2^{n/2}/\sqrt{d}\), where \(d < 2^{n/3}\).

Decisional Second-Preimage Resistance (DSPR). In [4], Bernstein and Hülsing introduce DSPR, which defines the advantage in deciding, given a random input x, whether x has a second preimage.

An adversary could potentially use this definition to determine in advance whether or not it is worth attacking the SPR (or eTCR) of a hash function. If the DSPR advantage is non-negligible, then the adversary can choose a wallet target, and determine in advance whether or not there is a second-preimage. For example, if there is not a second-preimage associated with a target wallet address, then the adversary can select another target address as opposed to spending unnecessary computational resources trying to find a non-existent value. The paper, however, proves that DSPR is at least as hard to break as preimage resistance (PRE) or second preimage resistance (SPR) for uniform random hash functions from \(\{0, 1\}^{n} \text{ to } \{0, 1\}^{n}\). This results in an attack cost of \(2^{n}\) in the classical setting, and \(2^{n/2}\) in the post-quantum setting.

The authors considered ways to attack DSPR for real hash functions, and concluded that there is no obvious way for a fast attack to achieve any advantage. Consequently, \(\mathcal {A} \) cannot take advantage of the DSPR notion to gain any non-negligible advantage in creating forged proof(s)-of-ownership.

B Simplified Description of the Construction

Fig. 1.

Hidden key construction for \(\text{ eW-OTS}^{+}\). The dotted boxes are the potentially public values, while the normal boxes are the secret values. The diagram shows the commonly know as “ladders”, i.e. the sequence of hash function executions up to the verification values, and “rng seed” generating randomness for the private hash key x.