Storage of Keys: Cold or Hot Storage
• Is it possible to manage Bitcoins with cold storage only?
– No! But it can be used together with hot storage to store the majority of the Bitcoins
– If you use both hot and cold storage together:
• Keep separate addresses and keys for each
– BENEFIT: Coins in the cold storage will be safe even if the hot
storage is compromised
Moving Bitcoins between hot and cold storage
• Each side knows its own secret key and the receiving address of the other side
• Even if the cold storage is offline most of the time, it sometimes needs to connect
– To transfer money and to check whether its balance has changed.
• Scenario-1: Hot storage is operating whereas the cold storage is offline
– If the amount in the hot storage becomes too high:
• Move some coins from hot storage to cold storage using their own addresses
– If the amount in the hot storage becomes too low:
• Move some coins from cold storage to hot storage but how?
• Cold storage is offline
• Is there any real-world facility that works even when you are offline?
– Gmail generates a list of codes; take a printout and use these codes to log in.
– Cold storage needs to go online, generate a list of addresses and transfer it to hot storage.
– Hot storage uses these addresses of cold storage to transfer money from it.
– The last two steps are done by a hierarchical wallet.
Hierarchical Wallet
• Allows the cold storage side to have an unbounded number of addresses, and the hot side
learns these addresses via a short, one-time communication between the two sides.
• IMPORTANT - Regular key generation (generateKey) creates a public key (address) and a secret
key, but with the key generation info it is possible to create a sequence of addresses instead
of just one, without leaking information about the private keys
– address generation info
• apply the genAddr operation to the address generation info and an integer i, obtaining the i-th address
– private key generation info
• apply the genKey operation to the key generation info and an integer i, obtaining the i-th private key
– This split enables address generation on the hot side and private key generation on the
cold side
– ECDSA supports hierarchical key generation
• As long as the hot and cold sides know the right sequence number, you can generate
addresses on the hot side and private keys on the cold side.
Hierarchical Wallet
• At the beginning the cold side does the generateKeysHier operation, obtaining both the address
and key generation info.
• Then it passes the address generation info to the hot side.
• So, now they're connected and the two sides can generate addresses or keys when needed.
How to store the key or key generation info in cold storage?
• Digital Wallet
– Save it in phone or tablet
• If the device is stolen or broken, the keys get lost
• Brain Wallet
– encrypt the information with a password that we
must remember
• subject to all possible attacks against passwords
• Paper Wallet
– print the information as a 2D barcode, a QR code or a string in base 58 notation,
and lock it up in a safe
• It can be stolen
Split and share keys
• So far different ways of storing the private keys in a single place were discussed
– Problem: Single point of failure
– Solution: split and share keys to have more security.
• Secret Sharing – Split and Share the keys
– split the key into N pieces such that,
• given any K of those pieces, it is possible to reconstruct the key.
• given fewer than K pieces, it is impossible to know anything about the original key.
– Example: N=2, K=2
• Step:1 – Choose the following
– large prime number P
– S is the secret and has to be in the range [0,P-1]
– R a random value, which is also in the range [0,P-1]
• Step:2 – Split the secret S as shown below
– X1 = (S+R) mod P
– X2= (S+2R) mod P
• Step:3 – Reconstruct S if both X1 and X2 are known:
– (2X1 - X2) mod P = (2S+2R-S-2R) mod P = S mod P = S
• How to increase N, with K=2
– take the 2D plane with X and Y axes
– choose a random value R
– draw a line with slope R passing through the point (0,S)
– the shares will be the points on the line (1, S+R), (2, S+2R), (3, S+3R), ...
– Clearly it is possible to choose as many shares as wanted, since there's an infinite
number of points on the line
– Given any two points on a line, it is possible to retrieve its equation using
interpolation, so K=2.
– Given just one point, it's impossible to retrieve any information about the line
– If we do this operation using arithmetic modulo a large prime P, all we have said is
still applicable.
• How to increase K?
– To increase K, use functions that require more than two points to be defined
• Ex: For K=3, use a quadratic function $Y = R_2 X^2 + R_1 X + S$, which requires two random
parameters R1 and R2
• Ex: For K=4, use a cubic function (increase the polynomial degree)
• Advantages of secret sharing
– Adversary
• needs to retrieve K shares in order to get back the secret key
• needs to break the security of different places K times
• Disadvantages of secret sharing
– To sign a transaction, we need to reconstruct the key by bringing the shares
together
– If an attack happens at that time, it is easy to get the secret key
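The splitting and reconstruction steps above, written out in Python as an added example (not part of the original slides). It goes beyond the N=2, K=2 case to any K-of-N by using a random polynomial of degree K-1 and Lagrange interpolation at X=0; the prime P below and the names split and reconstruct are choices made for this example.

```python
import secrets

# Constructed parameter: the Mersenne prime 2^127 - 1. Any prime larger
# than the secret works; a real key needs a prime wider than the key.
P = 2**127 - 1

def split(secret, k, n, p=P):
    """Return n shares (x, y) of secret; any k of them reconstruct it."""
    if not 0 <= secret < p:
        raise ValueError("secret must be in the range [0, P-1]")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= K <= N < P")
    # Y = R_{k-1} X^(k-1) + ... + R_1 X + S with fresh random R values.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]

    def f(x):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod p
            y = (y * x + c) % p
        return y

    # Shares are the points at X = 1..n; X = 0 would be the secret itself.
    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares, p=P):
    """Recover S = f(0) by Lagrange interpolation over at least K shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xj, yj in shares:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = num * (-xm) % p
                den = den * (xj - xm) % p
        secret = (secret + yj * num * pow(den, -1, p)) % p
    return secret
```

With K=2 the shares are exactly (1, S+R) and (2, S+2R), and the interpolation reduces to (2X1 - X2) mod P. Calling reconstruct with fewer than K shares returns a value, but not the secret, so the caller must track K.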
• Using Multi-signature
– able to sign transactions without needing to reconstruct a single key
– possible to keep the shares apart and sign the transactions using K of those shares
separately
• Example: Andrew, Arvind, Ed, and Joseph are cofounders of a company which owns a lot
of Bitcoins. To protect their storage they can decide to use a 3-out-of-4 multi-signature
for their cold storage.
– Advantages
• the four keys are kept separately, each with different security, so that it is quite
difficult for an attacker to retrieve 3 of them
• if one or two employees go rogue, they're still not able to take ownership of the money.
The majority is necessary to manage it
• in addition, if one of them loses a key it is still possible to manage the cold storage and
transfer the money to a new place.