Efficient Weighted Threshold ECDSA For Securing Bitcoin Wallet
Pratyush Dikshit
Department of Computer Science and Engineering
National Institute of Technology
Tiruchirappalli, Tamil Nadu - 620015
pratyushdikshit.pd@gmail.com

Kunwar Singh
Department of Computer Science and Engineering
National Institute of Technology
Tiruchirappalli, Tamil Nadu - 620015
kunwar2081@gmail.com
• 3-factor authentication scheme: Users can use biometric methods such as retina scan, fingerprint scan, etc. But again, anonymity is compromised.

• Cold storage: Cold storage means keeping the main bitcoin wallet on an offline device, i.e., a device which is not connected to the Internet, and moving only the funds needed for frequent use to online storage, i.e., hot storage. Often it seems too much of a hassle, and obviously it takes much more time to transact, which is not in favor of the goals of bitcoin.

• Multi Signature [4][7]: Multi-signature (multisig) wallets offer a better solution. A multisig transaction requires the agreement of the required number of authorized signatories; for example, a 3-of-5 transaction will require three signatories out of five. However, the cited work [4] shows that multisig transactions have some serious usability problems, and anonymity and confidentiality drawbacks. To preserve anonymity, there are some existing techniques like Mixcoin, CoinJoin, and the use of change addresses. The problem is that none of these techniques is compatible with multisignatures, while they all are compatible with threshold signatures.

Suppose a player uses multisignature-based security and constructs a transaction at an online store. Then the spending address (address of the player) and the change address will all have the same t-of-n access control structure, whereas the destination address (address of the store) most likely will not. This provides clues to adversaries to link the player's input and output addresses. On the other hand,

Shamir's secret sharing scheme gives the solution for the generalization of the above problem. Shamir's secret sharing considers the secret as some data D and divides the data D into u pieces in such a way that at least t pieces are required to construct the data D, but no information about data D is revealed from t − 1 pieces or less. Shamir's secret sharing is based on the following theorem.

THEOREM: Given t points in the 2-dimensional plane $(x_1, y_1), \ldots, (x_t, y_t)$ with distinct x's, there is one and only one polynomial of degree t − 1 such that $q(x_i) = y_i$ for all i.

a) Shamir's sharing protocol: Our goal is to create u secret shares of the secret s such that at least t shares are required to compute D.
1) Dealer D picks a random polynomial of degree t − 1, $q(x) = a_0 + a_1 x + \ldots + a_{t-1} x^{t-1}$, in which $a_0 = s$. Here all coefficients $a_i$ (0 ≤ i ≤ t − 1) are from the field $F_p$ (prime p).
2) Dealer D computes q(1), q(2), ..., q(u) and secretly distributes to each player j the share q(j). Hence the shares are denoted as q(1), q(2), ..., q(u).

From any t of these points we can construct the polynomial q(x) of degree t − 1 and find the secret s = q(0). One can construct the polynomial by using Lagrange interpolation.

b) Lagrange polynomial: Given t points in the 2-dimensional plane $(x_1, y_1), \ldots, (x_t, y_t)$ with distinct x's, then
the unique polynomial passing through these points in the Lagrange form is a linear combination
$$q(x) = L(x) = \sum_{i=1}^{t} y_i\, l_i(x)$$
of the Lagrange basis polynomials:
$$l_i(x) = \prod_{1 \le m \le t,\ m \ne i} \frac{x - x_m}{x_i - x_m} = \frac{x - x_1}{x_i - x_1} \cdots \frac{x - x_t}{x_i - x_t}$$

c) Properties of Shamir's secret sharing:
1) Perfect Security: An adversary with knowledge of t − 1 shares or less cannot find any information regarding the secret.
2) Ideal: The size of each share is exactly the same as the size of the secret.
3) Extendable: By evaluating the polynomial at additional points, additional shares may easily be created.
4) Homomorphic Property:
• If we add/multiply a constant to all secret shares (y-values), then this constant will be added/multiplied to the secret to get a new secret.
• Suppose we have two secrets s and t. Their corresponding shares are f(1), ..., f(n) for polynomial f(x) and g(1), ..., g(n) for polynomial g(x). Now we define the j-th share as f(j) + g(j), (j ∈ [1 ... n]). The new secret will be s + t for the new function h(x) = f(x) + g(x), since h(0) = f(0) + g(0).

B. Threshold Secret Sharing

Threshold secret sharing is a scheme to distribute a secret value into shares that can be given to different players, with the following two properties [4]:
(1) any subset of shares of size equal to or more than the threshold can reconstruct the secret;
(2) any subset of shares smaller than this threshold yields not a single bit of information about the secret.

The secret can be framed as a polynomial of degree t − 1, and a randomly selected point on the polynomial is given to each of n players; any t-of-n can be used to reconstruct the polynomial using Lagrange interpolation.

Secret sharing schemes are fundamentally one-time use, in that once the secret is reconstructed, it is known to all the players who took part in reconstructing it. A more general approach is threshold cryptography, where a threshold number of shares would be needed, out of all the shares, to reconstruct the secret. A (t, n)-threshold signature scheme distributes signing power to n players. Any group of at least t players can generate a signature, whereas a group of fewer than t cannot. The main property of threshold signatures is that the secret key need not ever be reconstructed. Even after repeated signing, an adversary cannot learn anything about the secret key. Because of this, an adversary cannot produce signatures without a threshold-sized group.

C. Sharing Secret: With Dealer vs. Without Dealer

Here, the dealer is a third party which is an authorized and trusted system that manages the distribution of the secret. Here, it is described how shares are generated and distributed.

One way to do this is by using a trusted dealer who has a randomly generated key [9]. He generates the shares and distributes them to each player. But this scheme has a major drawback of dependency on a single point for all shares. A more sophisticated scheme eliminates the use of the trusted dealer and allows the players to generate shares of a key in a distributed manner without ever constructing the key in the process.

Both approaches have their own strengths and weaknesses. Neither is strictly better than the other. Although having a trusted dealer is a weakness, in some cases it is strictly necessary. A dealerless protocol allows the parties to generate a new key, but it does not allow players to distribute an already existing key. In the Bitcoin context, if someone already has an address and later wants to add threshold security to that address, he needs a trusted dealer protocol to generate shares from the existing secret key.

However, when generating a new address, a dealerless protocol is generally superior. This explains the need for the proposed scheme to include both approaches at two different levels.

D. Joint Random Secret Sharing (without a dealer) [JRSS]

JRSS gives the players the freedom to choose their secrets on their own. This scheme doesn't require a dealer or a third party to generate shares of a secret. Each player chooses a secret using Shamir secret sharing. Then all n players distribute the shares to all other players. Finally, t (threshold) players with their shares can compute the combined secret key. This protocol is free from a single point of failure. It also verifies the correctness and consistency of the shares of the players without revealing the original secret to anyone. The proposed solution is preferable when generating a new address.

Firstly, all the players agree on the following setup [9]: Given an elliptic curve E defined over the field $Z_p$ (prime p). The base point $G \in E(Z_p)$ is a generator of a large cyclic subgroup of order r (prime r) that divides the number of points in $E(Z_p)$. Given a threshold t and the total number of players n ≥ 2t + 1.

Now, each player $P_i$ does the following:

A. Secret Sharing among all the players:
1) selects a random polynomial $f_i(x)$ of degree t such that $f_i(0)$ is the secret value; for example, $f_i(x) = a_{i0} + a_{i1} x + \ldots + a_{it} x^t$. Here $a_{i0}$ is the secret of player i, where i ∈ [1, ..., n];
2) secretly sends $f_i(j)$ to player $P_j$, ∀j ∈ [1, ..., n];
3) computes $y_{ik} = a_{ik} G$, ∀k ∈ [0, ..., t];
4) computes $z_{ij} = f_i(j) G$, ∀j ∈ [1, ..., n].

B. Verification of shared secret by all the players:

1) For verification purposes, each player $P_i$ broadcasts $y_{ik}$ and $z_{ij}$ to all other players.
2) Each $P_j$, j ≠ i, verifies whether $\sum_{k=0}^{t} j^k\, y_{ik} = f_i(j)\, G$ or not, and that $f_i(j) G$ is consistent with his share. For example, player 2 verifies the share of player 1 on a polynomial of degree t = 2. Player 2 computes $f_2(1) G = (a_{20} + a_{21} + a_{22}) G$. Player 2 also computes $\sum_{k=0}^{2} 1^k a_{2k} G$. Since both values come out equal, player 2 accepts the share as valid.

If any player is found guilty, then the decision is taken on the basis of majority voting. Once the above scheme is completed successfully, each player $P_i$ can safely calculate his share as $\sum_{j=1}^{n} f_j(i) \bmod r$.

The combined secret key of the n players is $a_{10} + a_{20} + \ldots + a_{n0}$. Out of the n players, any t players with their shares can compute the combined secret key.

E. The Degree Reduction Protocol

This protocol shows that a polynomial of degree 2t can be reduced to a polynomial of degree t while keeping the free coefficient unchanged [11].
Let $h(x) = a_0 + a_1 x + \ldots + a_{2t} x^{2t}$ and let $s_i = h(b_i) = f(b_i) g(b_i)$, for i = 0, ..., n − 1, be the shares of h(x). Each player $P_i$ holds an $s_i$. So, h(x) can be truncated to $k(x) = a_0 + a_1 x + \ldots + a_t x^t$ with $r_i = k(b_i)$ for i = 0, ..., n − 1. This can be proved as follows.

CLAIM: Let $S = (s_0, \ldots, s_{n-1})$ and $R = (r_0, \ldots, r_{n-1})$. Then there exists a constant n×n matrix A such that $R = S \cdot A$.

Let H be the n-vector $H = (a_0, \ldots, a_t, \ldots, a_{2t}, 0, \ldots, 0)$ and let K be the n-vector $K = (a_0, \ldots, a_t, 0, \ldots, 0)$. Let $B = (c_{i,j})$ be the n×n (Vandermonde) matrix, where $c_{i,j} = b_i^{\,j}$ for i, j = 0, ..., n − 1. Furthermore, let P be the linear projection $P(x_0, \ldots, x_{n-1}) = (x_0, \ldots, x_t, 0, \ldots, 0)$. We have
$$H \cdot B = S, \qquad H \cdot P = K, \qquad K \cdot B = R.$$
Since B is not singular (because the $b_i$ are distinct), we have $S\,(B^{-1} P B) = R$, but $A = B^{-1} P B$ is some fixed constant matrix. This proves our claim.

F. Simple Reciprocal Protocol

Following is the protocol to calculate the shares of the inverse of a secret.
1) A secret x mod r is shared among n players.
2) Generate shares of $x^{-1} \bmod r$ without revealing any information about x or $x^{-1}$.
3) Each player $P_i$ has a share $x_i$ of x on a polynomial of degree t.
4) The players run the JRSS protocol [9], ending up with each player $P_i$ having a share $e_i$ of a random secret e on a polynomial of degree t.
5) Also, the players run the JZSS [9] such that each player $P_i$ has a share $z_i$ of a zero secret on a polynomial of degree 2t.
6) Each player $P_i$ locally computes and broadcasts $u_i = x_i e_i + z_i$.
7) Players can interpolate the polynomial of degree 2t and compute u.
8) All the players can compute $u^{-1} \bmod r$.
9) Each player $P_i$ computes his share of $x^{-1}$ as $C_i = e_i u^{-1}$ on a polynomial of degree 2t.

G. Standard ECDSA

Firstly, the usual ECDSA signature generation scheme is presented below.

Parameters

Given an elliptic curve E over $Z_p$ (prime p) [2]. Given the base point G of order n, the private key d, and the message m to be signed.

Signature Generation

1) Compute e = SHA-1(m). Convert e to an integer using the method in ANSI X9.62. With reference to ANSI X9.62, given an input message, SHA-1 gives the output in hexadecimal form, which can be further converted into an integer easily.
2) Select a random integer k such that 1 ≤ k ≤ n − 1.
3) Compute $(x_1, y_1) = kG$.
4) Convert $x_1$ to an integer using the method in ANSI X9.62. Compute $r = x_1 \bmod n$. If r = 0, return to step 2.
5) Compute $s = k^{-1}(e + dr) \bmod n$. If s = 0, return to step 2.
6) The signature for m using the key d is the pair (r, s).
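The following Python program is an added example, not code from the paper. It illustrates the sharing protocol and Lagrange reconstruction of Section III together with the listed properties (the threshold property, extendability, the homomorphic property, and perfect security in the sense that t − 1 shares are consistent with every candidate secret), and it builds the matrix A = B^{-1} P B of the degree reduction protocol (Section III.E) and applies it to shares of a product polynomial. The prime P, the evaluation points b_i and the sample polynomials are constructed values (a wallet would work modulo the curve order r), and the matrix is indexed as B[i][j] = b_j^i, an assumption chosen so that the coefficient row vector times B gives the share vector as in H·B = S.

```python
"""Shamir secret sharing with Lagrange reconstruction, its homomorphic properties,
and the degree reduction matrix A = B^{-1} P B of the degree reduction protocol.
Added example (not code from the paper). The prime P and the evaluation points
are constructed values; a wallet would work modulo the curve order r."""
from itertools import combinations
import secrets

P = 2**127 - 1  # hypothetical prime field F_p for this example

def eval_poly(coeffs, x, p=P):
    """q(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod p."""
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

def share_secret(s, t, u, p=P):
    """Dealer: random degree t-1 polynomial with a_0 = s; shares are q(1), ..., q(u)."""
    coeffs = [s % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(j, eval_poly(coeffs, j, p)) for j in range(1, u + 1)]

def lagrange(points, x, p=P):
    """L(x) = sum_i y_i l_i(x) with l_i(x) = prod_{m != i} (x - x_m)/(x_i - x_m):
    the unique polynomial of degree len(points)-1 through the points, evaluated at x."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xm, _ in points:
            if xm != xi:
                num, den = num * (x - xm) % p, den * (xi - xm) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def reconstruct(points, p=P):
    """Secret s = q(0) from any t shares."""
    return lagrange(points, 0, p)

def threshold_agrees(shares, t, p=P):
    """Every t-subset of the shares reconstructs the same value (returned), else None."""
    values = {reconstruct(list(sub), p) for sub in combinations(shares, t)}
    return values.pop() if len(values) == 1 else None

def extend(shares, x_new, p=P):
    """Extendable: a fresh share at a new point from t existing shares."""
    return (x_new, lagrange(shares, x_new, p))

def add_constant(shares, c, p=P):   # homomorphic: the secret becomes s + c
    return [(x, (y + c) % p) for x, y in shares]

def add_shares(a, b, p=P):          # homomorphic: the secret becomes s + t
    return [(x, (ya + yb) % p) for (x, ya), (_, yb) in zip(a, b)]

def implied_share(partial, guess, x_new, p=P):
    """Perfect security: t-1 shares plus ANY guess for the secret still determine a
    degree t-1 polynomial, so the adversary's shares are consistent with every guess.
    Returns the share at x_new that would make `guess` the secret."""
    return (x_new, lagrange(partial + [(0, guess)], x_new, p))

# --- Degree reduction protocol: R = S.A with A = B^{-1} P B ----------------------

def mat_inv(M, p=P):
    """Gauss-Jordan inverse of a square matrix modulo p."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(i for i in range(c, n) if A[i][c])
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, p)
        A[c] = [v * inv % p for v in A[c]]
        for i in range(n):
            if i != c and A[i][c]:
                f = A[i][c]
                A[i] = [(vi - f * vc) % p for vi, vc in zip(A[i], A[c])]
    return [row[n:] for row in A]

def mat_mul(X, Y, p=P):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]

def reduction_matrix(bs, t, p=P):
    """A = B^{-1} P B. Convention (an assumption of this example): B[i][j] = b_j^i, so
    the coefficient row vector H times B is the share vector S; P keeps coefficients 0..t."""
    n = len(bs)
    B = [[pow(b, i, p) for b in bs] for i in range(n)]
    Pm = [[int(i == j and i <= t) for j in range(n)] for i in range(n)]
    return mat_mul(mat_mul(mat_inv(B, p), Pm, p), B, p)

def reduce_degree(shares, t, p=P):
    """Shares s_i = h(b_i) of a degree 2t polynomial -> r_i = k(b_i), where k is h
    truncated to degree t; the free term (the secret) is unchanged."""
    bs, S = [b for b, _ in shares], [s for _, s in shares]
    A = reduction_matrix(bs, t, p)
    return [(bs[j], sum(S[i] * A[i][j] for i in range(len(S))) % p) for j in range(len(bs))]
```

With t = 3 and u = 5, every 3-subset of `share_secret(s, 3, 5)` reconstructs s, while `implied_share` shows that two shares plus any guessed secret still form a valid polynomial, which is the content of the perfect security property. For the degree reduction part, take two degree-1 sharings f = 5 + 7x and g = 11 + 13x (t = 1, n = 3 players at b = 1, 2, 3): the players' products h(b_i) = f(b_i) g(b_i) lie on a degree-2 polynomial, and `reduce_degree` maps them, through the fixed matrix A, onto shares of the degree-1 truncation 55 + 142x, whose free term is still the product of the two secrets.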
IV. PROPOSED SCHEME

Now, the proposed scheme for efficient weighted threshold signature using ECDSA is explained below.

Our Scheme: Efficient Weighted Threshold ECDSA

Our proposed scheme is similar to the scheme explained by Goldfeder et al. [4] and Dikshit and Singh [12]. The key difference is that in the scheme given by Dikshit and Singh [12], each player is given shares according to his weightage: if player i has weightage $w_i$, then player i is given $w_i$ shares. In our weighted threshold ECDSA scheme, each player is given only one share.

In the proposed scheme, all the players are divided into groups of different weightages. The players belonging to one group possess the same weightage. Every group has its own threshold value. Any subset of players of size greater than or equal to the threshold value of that group can construct the signature, but any subset with fewer players than the threshold value cannot construct the signature.

This scheme is divided into two phases: the setup phase and the signature generation phase. The setup phase is totally handled by a dealer, who distributes the shares of each player secretly.

The signature generation phase is further divided into two sections. The first section calculates the value of the first part of the signature, i.e., r. The dealer does not have any information about the value of the individual shares of the players. The second section of this phase calculates the value of the second part of the signature, i.e., s, with the help of the secret shared by the dealer. Combining both parts, we get the required signature, i.e., (r, s). The signature can be constructed by any number of players of one group whose combined shares equal or exceed the threshold (t) value.

The base condition for this scheme is that the total number of players in each group must be more than twice the threshold value, i.e., n ≥ 2t + 1.

Parameters

An elliptic curve E defined over the field $Z_p$ (prime p). A base point $G \in E(Z_p)$ is a generator of a large cyclic subgroup of order r (prime r) that divides the number of points in the elliptic group $E(Z_p)$.

Setup Phase

Let the number of groups be R. The dealer D selects R different random polynomials $f^1, f^2, \ldots, f^R$ of degree t − 1, 2t − 1, ..., Rt − 1 respectively. The dealer keeps the same free term in all the polynomials. That is, the secret key to be constructed is the same for all the groups. All the players possess a single share. Suppose there are $n_1$ players in GROUP 1, $n_2$ players in GROUP 2, and so on. The dealer calculates the shares of all the players as $f^1(x_1), f^1(x_2), \ldots, f^1(x_{n_1})$ and sends them secretly to player 1, player 2, ..., player $n_1$ of GROUP 1 respectively. Similarly, the dealer calculates the shares for the players of GROUP 2 as $f^2(x_1), f^2(x_2), \ldots, f^2(x_{n_2})$ and sends them secretly to player 1, player 2, ..., player $n_2$ ($n_2 > n_1$) respectively. Similarly, he calculates the shares for the players of GROUP R as $f^R(x_1), f^R(x_2), \ldots, f^R(x_{n_R})$ and sends them secretly to player 1, player 2, ..., player $n_R$ of that group. The value of the share of player i of GROUP k is given by $d^k_i = f^k(x_i)$.

The public key for GROUP k is $Q_k = \sum_{i=1}^{n_k} d_i G$, where $n_k$ is the number of players in GROUP k.

Once this is complete, each group separately can sign a message m. Here, we have provided the scheme of signature generation for one group with n players, out of which any t (threshold) players are required to construct their signature.

Signature Generation

First Part of Signature: This part of the signature is computed without using the shares issued by the dealer.

1) Since m is public, each player computes e = SHA-1(m), and then e is converted to an integer using ANSI X9.62.

2) Players run Joint Random Secret Sharing without a Dealer [Refer section III.D] as follows. This section does not include the role of the secret shared by the dealer. Every player i computes $f^i(1), f^i(2), \ldots, f^i(n)$ and gives them to players 1, 2, ..., n. For example, a player $P_2$ selects a random polynomial such that $f^2(x) = a_{20} + a_{21} x + \ldots + a_{2t} x^t$. Then he calculates $f^2(1), f^2(2), \ldots, f^2(n)$ and distributes them to players 1, 2, ..., n. The free term $a_{20}$ is the secret of player 2.
• Each player $P_i$ selects a random polynomial $f^i(x)$ of degree t such that his chosen secret is the free term of the polynomial. For example, for player $P_2$, $f^2(x) = a_{20} + a_{21} x + \ldots + a_{2t} x^t$. The free term $a_{20}$ is the secret of player 2.
• Each player computes the shared value for all other players and sends it to the respective players; $k_i = f^1(x_i) + f^2(x_i) + \ldots + f^n(x_i)$, where $k_i$ is the shared secret of player i.

3) Each player i computes the value of the Lagrange basis polynomial
$$b_i(x) = \prod_{j \ne i,\ j \in B} \frac{j - x}{j - i}.$$
But in order to obtain the free term of the polynomial, put x = 0 in the above equation:
$$b_i(0) = \prod_{j \ne i,\ j \in B} \frac{j}{j - i}.$$
B is the set of indices of any number of players out of the n players.

4) Each player i computes $y_i = b_i k_i$.

5) Each player i broadcasts $V_i = y_i G = b_i k_i G$. It is very hard to find out $y_i$ from $V_i$ because of the elliptic curve discrete logarithm problem.

6) According to the homomorphic property of Shamir secret sharing, if we add/multiply a constant to all secret shares then this constant will be added/multiplied to the secret to get a new secret [Refer section III.A]. All players can now compute
$$(x_1, y_1) = kG = \sum_{i \in B} V_i, \quad \text{where } k = a_{10} + a_{20} + \ldots + a_{n0} \bmod n.$$

7) Convert $x_1$ to an integer using the method in ANSI X9.62. Then compute $r = x_1 \bmod n$. If r = 0, then return to the setup phase.

Second Part of Signature:

1) It is required to compute $k^{-1} \bmod n$ from the shares of k without revealing any information about k.

2) The players run the Joint Random Secret Sharing protocol [Refer section III.D] to distribute a share $c_i$ of c to each player i, where $c_i = f^1(x_i) + f^2(x_i) + \ldots + f^m(x_i)$.

3) A simple multiplication protocol can be employed here, such that $u_i = c_i k_i$. But the result is automatically a share on a polynomial of degree 2t. Moreover, the resulting polynomial is not completely random, which may weaken the security of the scheme. Consequently, Joint Random Zero Secret Sharing is employed to add randomization to the process.

4) Players run Joint Random Zero Secret Sharing for each share. This scheme is a special case of JRSS: in it, each player chooses his secret as zero for each share. Hence all the players in this scheme must agree that $a_{i0} G = O$ ∀i ∈ {1, ..., n}. The stepwise procedure of this scheme is as follows:
• Each player i selects a random polynomial f of degree 2t subject to zero as its free term, i.e., $f(x) = 0 + a_1 x + a_2 x^2 + \ldots + a_t x^t + \ldots + a_{2t} x^{2t}$. Each player selects a random polynomial $f^i(x)$.
• $z_i$ is the secret of player i, where $z_i = \sum_{a=1}^{n} f^a(i)$.

5) Now, each player i locally computes and broadcasts $v_i = k_i c_i + z_i$.

6) Players can interpolate the polynomial of degree 2t and compute v. Then all players can compute $v^{-1} \bmod n$.

7) Each player i computes his share of $k^{-1}$ as $l_i = c_i v^{-1}$ on a polynomial of degree 2t. So, apply the secure degree reduction protocol [Refer section III.E] to reduce the degree of the polynomial from 2t to t.

8) Players now run the secure reciprocal protocol and compute the shares of $w_i = d_i k_i^{-1}$ over a degree 2t polynomial by multiplying their shares of d and $k^{-1}$. They run the secure degree reduction protocol to reduce the degree of the polynomial back to t [Refer section III.E].

9) By applying the homomorphic property of Shamir secret sharing [Refer section III.A], each player now computes the share
$$s_i = k_i^{-1} e + r w_i = k_i^{-1} e + r (d_i k_i^{-1}) = k_i^{-1}(e + d_i r).$$
Players then can run the secure degree reduction protocol to reduce the degree of the polynomial sharing s back to t [Refer section III.E].

10) Players can now interpolate their shares of s to recover $s = k^{-1}(e + dr)$. If s = 0, then return to the setup phase.

11) Hence, (r, s) is the required signature on message m using key d.

Since the secret key d is the same for all the groups, t players of GROUP 1, 2t of GROUP 2, ..., Rt of GROUP R can generate the signature.

Signature Verification

Verification of the signature obtained in the threshold ECDSA scheme is almost the same as the standard ECDSA verification procedure. For authenticating the signature, one must have a copy of the dealer's public key Q. One can verify that Q is a valid curve point as follows:
1) Check that Q is not equal to the identity element O.
2) Check that Q lies on the curve.
3) Check that n × Q = O. Here, n is the order of the elliptic curve chosen by the dealer.

After this, follow these steps:
1) Check that the two parts of the signature obtained above, r and s, are integers and r, s ∈ [1, n − 1].
2) Calculate SHA-1(m) and convert the bit string to an integer e by using ANSI X9.62.
3) Calculate $w = s^{-1} \bmod n$.
4) Calculate $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
5) Calculate the curve point $(x_1, y_1) = u_1 G + u_2 Q$.
6) The signature is valid if $r \equiv x_1 \pmod n$; invalid otherwise.

This scheme is of more practical use than those explained by Goldfeder et al. [4], Gennaro et al. [6] and Goldfeder et al. [7]. Goldfeder et al. [4] provided a scheme in which all the players were supposed to have equal weightage/priority. But practically, users assign priority to various devices/systems according to their reliability, availability and convenience.

V. CONCLUSION

We have extended weighted threshold ECDSA in order to address efficient weighted threshold ECDSA. We explained that our proposed scheme can be implemented in any organization according to its internal hierarchical levels. We have given a scheme on how to use the weighted threshold ECDSA scheme to realize bitcoin wallets effectively. Our technique has the potential to dramatically improve bitcoin security. We have removed the drawback of the scheme proposed in [12] that it requires more space for storing the secret shares of each player. In our scheme, all the players are divided into groups according to similarity in weightages. The players belonging to the same group have the same weightage. A group with higher weightage can reconstruct the key with just t out of n players, whereas a group of lesser weightage can reconstruct the secret with T (> t) out of N (> n) players. Each player has to store only one share. Here, each player possesses one share which is represented by a polynomial value. This gives the advantage of storing only one polynomial value no matter what weightage the player or the group possesses. The limitation of this scheme, we can say, is that the scheme will not work securely if players come together from two or more different groups to reconstruct the key. That is, if players from different groups take part in reconstructing the secret, this scheme does not work properly. Our future work includes the distribution of shares to all the players in such a way that players from another group can also take part in secret reconstruction securely without affecting the already existing condition.

REFERENCES

[1] Deterministic Wallet. https://en.bitcoin.it/wiki/DeterministicWallet, accessed: 2014-02-11
[2] Elliptic Curve Digital Signature Algorithm. https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm, accessed: 2014-02-11
[3] Transactions. https://en.bitcoin.it/wiki/Transactions, accessed: 2014-02-11
[4] S. Goldfeder, J. Bonneau, E. W. Felten, J. A. Kroll, A. Narayanan. Securing Bitcoin wallets via threshold signatures. http://www.cs.princeton.edu/~stevenag/bitcoin_threshold_signatures.pdf, Princeton University, 2014
[5] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008
[6] R. Gennaro, S. Goldfeder, A. Narayanan. Threshold-optimal DSA/ECDSA signatures and an application to Bitcoin wallet security. International Conference on Applied Cryptography and Network Security, Springer International Publishing, 2016 Jun 19 (pp. 156-174)
[7] S. Goldfeder, R. Gennaro, H. Kalodner, J. Bonneau, E. W. Felten, J. A. Kroll, A. Narayanan. Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme. 2015
[8] K. Singh, C. P. Rangan, A. K. Banerjee. Lattice-based identity-based resplittable threshold public key encryption scheme. International Journal of Computer Mathematics, 2016 Feb 1; 93(2):289-307
[9] M. H. Ibrahim, I. A. Ali, I. I. Ibrahim, A. H. El-sawi. A robust threshold elliptic curve digital signature providing a new verifiable secret sharing scheme. In Circuits and Systems, 2003 IEEE 46th Midwest Symposium on, 2003 Dec 30 (Vol. 1, pp. 276-280)
[10] A. Shamir. How to share a secret. Communications of the ACM 22(11), 612-613 (1979)
[11] H. Ghodosi, J. Pieprzyk, R. Safavi-Naini. Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation. Proceedings of the twentieth annual ACM symposium on Theory of computing, ACM, pp. 1-10 (1988)
[12] P. Dikshit, K. Singh. Weighted Threshold ECDSA for Securing Bitcoin Wallet. National Workshop on Cryptology (2016)
[13] H. Ghodosi, J. Pieprzyk, R. Safavi-Naini. Remarks on the multiple assignment secret sharing scheme. Information and Communications Security (1997): 72-80
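Added example (not code from the paper): a local, single-process simulation of the signature generation of Section IV for one group of n = 2t + 1 players, followed by the public key checks and the verification steps 1-6. It also runs the JRSS of Section III.D with the share verification of part B, and the reciprocal protocol of Section III.F, since signing is built from them. The following choices are assumptions of the example, not fixed by the paper: the curve is secp256k1 (the curve Bitcoin uses) with group order N; the dealer shares d on a degree t polynomial, the same degree as the JRSS polynomials, so that every product of two sharings has degree 2t and the n = 2t + 1 shares interpolate it directly, which is why the degree reduction protocol is not invoked; the public key is Q = dG; the product d · k^{-1} is randomized with a JZSS share exactly as the product c · k is in step 4 of the second part; and SHA-1 is used only because the paper specifies it (Bitcoin itself hashes with SHA-256). The message is a constructed value.

```python
"""Threshold ECDSA for one group (Section IV), simulated locally. Added example,
not code from the paper; see the lead-in for the assumptions it makes."""
import hashlib
import secrets

# secp256k1 (assumption: the paper does not fix a curve). N is the group order.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the identity O."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def ev(poly, x): return sum(c * pow(x, i, N) for i, c in enumerate(poly)) % N

def lagrange0(points):
    """Free term of the polynomial through the (index, value) points, mod N."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi: num, den = num * -xj % N, den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total

def jrss(n, t, zero=False):
    """Joint random secret sharing (Section III.D) among players 1..n; zero=True is
    JZSS (degree 2t, free term 0). Every player checks every share it receives against
    the broadcast commitments y_ik = a_ik G, as in part B of Section III.D."""
    deg = 2 * t if zero else t
    polys = [[0 if zero else secrets.randbelow(N)] +
             [secrets.randbelow(N) for _ in range(deg)] for _ in range(n)]
    commits = [[ec_mul(a, G) for a in poly] for poly in polys]
    for i, poly in enumerate(polys):
        for j in range(1, n + 1):
            lhs = None                                   # sum_k j^k y_ik
            for k, y in enumerate(commits[i]):
                lhs = ec_add(lhs, ec_mul(pow(j, k, N), y))
            if lhs != ec_mul(ev(poly, j), G):
                raise ValueError(f"player {i + 1} sent player {j} an inconsistent share")
    return [sum(ev(poly, j) for poly in polys) % N for j in range(1, n + 1)]

def dealer_setup(n, t):
    """Setup phase for one group: the dealer shares d on a degree t polynomial.
    d is returned only so that the example can check the result."""
    poly = [secrets.randbelow(N) for _ in range(t + 1)]
    return poly[0], [ev(poly, j) for j in range(1, n + 1)]

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % N   # SHA-1 as in the paper

def threshold_sign(msg, d_shares, t):
    """All n = 2t + 1 players of the group take part; products of two degree t
    sharings have degree 2t, so the n shares interpolate them directly."""
    n, e = len(d_shares), hash_to_int(msg)
    idx = list(range(1, n + 1))
    # First part: k via JRSS; each player broadcasts V_i = b_i(0) k_i G, and the sum is kG
    k_sh, R = jrss(n, t), None
    for i, ki in zip(idx, k_sh):
        b = 1
        for j in idx:
            if j != i: b = b * j * pow((j - i) % N, -1, N) % N      # b_i(0)
        R = ec_add(R, ec_mul(b * ki % N, G))
    r = R[0] % N
    # Second part: the reciprocal protocol gives shares l_i of k^{-1}
    c_sh, z_sh = jrss(n, t), jrss(n, t, zero=True)
    v = lagrange0(list(zip(idx, [(k * c + z) % N for k, c, z in zip(k_sh, c_sh, z_sh)])))
    l_sh = [c * pow(v, -1, N) % N for c in c_sh]
    w_sh = [(d * l + z) % N for d, l, z in zip(d_shares, l_sh, jrss(n, t, zero=True))]
    s_sh = [(l * e + r * w) % N for l, w in zip(l_sh, w_sh)]        # s_i = k_i^{-1} e + r w_i
    s = lagrange0(list(zip(idx, s_sh)))
    return (r, s) if r and s else threshold_sign(msg, d_shares, t)  # "return to setup phase"

def valid_public_key(Q):
    """Verification preamble: Q != O, Q on the curve, N * Q = O."""
    return Q is not None and (Q[1] ** 2 - Q[0] ** 3 - 7) % P == 0 and ec_mul(N, Q) is None

def ecdsa_verify(msg, Q, sig):
    """Standard ECDSA verification steps 1-6 of Section IV."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N): return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(hash_to_int(msg) * w % N, G), ec_mul(r * w % N, Q))
    return X is not None and X[0] % N == r
```

A run looks like `d, d_shares = dealer_setup(3, 1)`, `Q = ec_mul(d, G)`, `sig = threshold_sign(b"msg", d_shares, 1)` and `ecdsa_verify(b"msg", Q, sig)`, which returns True: nobody ever holds k or d during signing, yet the output is an ordinary ECDSA signature that any standard verifier accepts. The affine arithmetic and the unmasked scalar loop are written for readability only; the point of the block is the share algebra, not the curve implementation.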