US20200153622A1 - System and method for enforcement of correctness for key derivation - Google Patents

Publication number: US20200153622A1 (application US16/183,868)
Authority: US (United States)
Legal status: Granted; active (status as listed by Google Patents, not a legal conclusion)
Other versions: US10630471B1 (en)
Inventors: Yehuda Lindell, Guy Pe'er
Original assignees: Bar Ilan University; Unbound Tech Ltd
Current assignee: Coinbase IL RD Ltd
Prior art keywords: key, function, nodes, computerized nodes, derivation
Priority: US16/183,868 (granted as US10630471B1); related application US16/726,965 (US10833871B2) claims priority to it
Assignment history: Bar Ilan University assigned its interest to Unbound Security Ltd; Unbound Tech Ltd changed its name to Unbound Security Ltd; Unbound Security Ltd changed its name to Coinbase IL RD Ltd

Classifications

    • CPC section H04L (Transmission of digital information), group H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols. Leaf groups assigned to this publication:
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/3239 Message authentication using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3252 Digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L9/3255 Digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L9/50 Cryptographic mechanisms using hash chains, e.g. blockchains or hash trees
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem

Definitions

  • FIG. 1 discloses a method of deriving a key, according to exemplary embodiments of the subject matter.
  • Step 110 discloses that the multiple computerized nodes receive a request to generate a derivation key based on a key shared between the multiple nodes.
  • the request may be sent before transferring funds associated with the key.
  • the nodes may be computers, servers, mobile electronic devices, cellular phones, or any electronic devices having a communication module and a memory for storing the key share and performing the instructions disclosed herein.
  • Each node of the multiple computerized nodes performs the method below multiple times, since a single execution leaves a probability of about 50% that a node supplied a false value as its key share without being caught.
  • performing the method 20 times, with the values received from the nodes found correct each time, implies that the likelihood of an undetected false value from a node is about 2^-20, i.e. less than one in a million.
  • the number of times a value is requested from the node may be defined by a person skilled in the art.
  • Step 120 discloses the multiple nodes compute the derivation key using an MPC process.
  • the MPC process is performed in a manner in which the entire key and the derivation key are never accessible to a single entity.
  • the MPC process receives as input a derivation string which is public to all the nodes, and key shares provided by the nodes.
  • the output of the MPC process is shares of the derivation key and authentication information.
  • Each node receives a share of the derivation key.
  • such a derivation key can be computed by computing the HMAC function with the key and public derivation string via MPC, so that the input and output key shares of a node are not revealed to any other node.
  • the authentication information may be used to complete the verification of the correctness of the key shares.
  • the MPC process is performed multiple times, as desired by the person skilled in the art, for example 20 times, 64 times, 144 times and the like. In each execution the output of the MPC process is either the authentication information or derivation key shares. At the end of the repeated MPC process the nodes hold, with very high probability, both the authentication information and the derivation key shares.
  • Step 130 discloses verifying correctness of the key shares inputted by the nodes for the key derivation process.
  • the correctness of the key shares is verified by exchanging messages between the multiple computerized nodes, as detailed below. At least some of the messages contain outputs of cryptographic operations.
  • the nodes can verify in a very high probability whether or not the other node inputted the correct share for the key derivation process.
  • Step 140 discloses the nodes assigning the values received in step 120 as shares of the derivation key, if the verification performed in step 130 succeeds.
  • FIG. 2 discloses a method for performing an MPC process configured to output shares of the derivation key and authentication information, according to exemplary embodiments of the subject matter.
  • the MPC process is performed multiple times, and each time it outputs either shares of the derivation key or authentication information.
  • the number of times may be predefined, or the MPC process may terminate in response to a predefined event, for example once all the options elaborated in steps 230, 233 and 235 have occurred.
  • a specific outcome of the coins indicates that the key derivation option is selected.
  • for example, in occurrences number 3, 7 and 9-11 the shares are created according to step 233, and in occurrences number 4-6, 8 and 12 the shares are created according to step 235.
  • x_in denotes the key from which the derivation key is derived; x_in,1 is the share of x_in stored in node 1 and x_in,2 is the share stored in node 2.
  • Step 220 discloses flipping two coins b1 and b2.
  • the two coins represent 4 options having substantially the same probability of being selected.
  • the MPC process performed by the nodes requires that the selection among the 4 options is random with very high likelihood, for example a probability of at least 99.99%.
  • flipping the coins may be performed using a Bernoulli process implemented in software running inside the MPC process between the nodes.
  • the outcome of the coins is not revealed to any of the nodes.
  • each coin has a value of "0" or "1".
  • the coin flip represents a random selection of one option from the multiple options disclosed in steps 230, 233 and 235.
  • the options may be selected with equal or unequal probabilities.
  • in each option the MPC process sets two values x1′, x2′, each configured to be outputted to a different node.
  • in one option the MPC process sets both shares x1′, x2′ to the same random value.
  • in the key derivation option the MPC process computes x_out = H(x_in, s), where s is the public derivation string, and sets x1′, x2′ to shares of x_out.
  • the mathematical computations disclosed in steps 233 and 235 are exemplary only, and represent any selection of random values that can be used to verify correctness in the method described in FIG. 3.
  • the nodes are not aware at any stage of the option selected by the coin flip.
  • in step 240 the share x1′ is outputted to node P1 and the share x2′ is outputted to node P2.
  • the process is repeated after step 240 , as shown in FIG. 2 .
  • the coin flip is performed multiple times, for example 64 times; each time is assigned an identifier, and the selected option is performed according to the value of the identifier. For example, the value "00" indicates that both coin flips were assigned "0".
  • all 64 outputs are outputted to the nodes using the MPC process, so each node holds 64 output occurrences, for example 20 key derivation shares, 20 random shares and 24 random additive shares.
  • FIG. 3 discloses a method for computing and encrypting the output of the selected function to verify correctness of the key shares, according to exemplary embodiments of the subject matter.
  • node P1 receives X1 and node P2 receives X2, the values x1′ and x2′ outputted in step 240.
  • each node P_i computes Q_i′ = x_i′·G, where G is the generator (or base point) of the elliptic curve being used. It should be noted that x_i′ cannot be extracted from Q_i′, as this would require solving the elliptic-curve discrete logarithm problem.
  • each node P i sends the other node a cryptographic commitment of Q i ′.
  • the commitment is defined as a value that bounds the node to the value but does not reveal it.
  • each node P i receives the cryptographic commitment from the other node.
  • exchange of the commitments, commitment openings and additional messages between the nodes may be performed via a wired or wireless channel.
  • in some cases the nodes are different and distinct entities located near each other, even in the same building or server farm/cluster.
  • the nodes exchange commitment openings, after each node has received the other's commitment.
  • the commitment opening may be the committed value before the hash function is applied to it, i.e. Q_i′.
  • in step 345 the nodes check the result of the commitments. Checking may be performed by applying the hash function to the commitment opening and comparing the output of the hash function to the commitment message received earlier; a mismatch means the other node changed its value after committing, and that node is detected as cheating.
  • the method may define one or more functions that can be verified by the nodes without revealing the outputs X1 and X2. As noted above, one optional verifiable function outputs two random and equal values. Thus, the nodes can check whether Q1 equals Q2, and thus whether X1 equals X2, without learning X1 or X2.
  • if the outputs match none of the verifiable functions, the nodes conclude that the selected function is the function that computes the derivation key.
  • in that case the outputted values X1 and X2 are stored in the nodes as the shares of the derivation key.
  • another verifiable function outputs two additive shares of X_in. Since Q1 + Q2 = (X1 + X2)·G, the nodes can check whether Q1 + Q2 equals the public key of X_in, which is known to all the nodes; a node that inputted a false share of X_in into the MPC process causes this check to fail with overwhelming probability.
  • no node can modify the Q_i′ value that it sends in the commitment without being detected as cheating, since in the equal-values case all the nodes should hold the same value and the modified one will differ.
  • a malicious node may send a different value and hope that this falls into the case of another verifiable function being selected, or equals a value seen in other executions, but since Q_j′ is just a random value, the chance of it falling into another case is extremely small.

Abstract

The subject matter discloses a system for enforcing correctness of a derivation key, comprising multiple computerized nodes, each comprising a storage module configured to store a share of a key used as input to a function generating the derivation key, a communication module configured to exchange information between the multiple computerized nodes, and a processing module configured to receive a request to create the derivation key and to perform an MPC process between the multiple computerized nodes. The MPC process is performed multiple times; in each execution it receives the key shares as input, randomly selects a function, and outputs the outputs of the selected function to the multiple computerized nodes, which lack access to the selected function. The multiple computerized nodes perform computations on the received outputs and exchange the results of the computations to estimate the correctness of the key shares inputted into the MPC process.

Description

  • FIELD OF THE INVENTION
  • The present disclosure generally relates to derivation of cryptographic keys, and more particularly relates to enforcement of correctness for key derivation.
  • BACKGROUND OF THE INVENTION
  • In cryptocurrencies, it is common practice to choose a single master key for the ECDSA digital signature and to derive multiple keys from that key. This has the advantage that it suffices to back up a single key, and yet many keys can be derived for the purpose of holding different accounts and having different addresses. This derivation takes as input a private key (for example an ECDSA private key) and a public derivation string (which can be varied to obtain multiple different keys), and outputs a new key pair (private key and public key), for example an ECDSA key pair. An ECDSA key pair is of the form (Q, x) where Q is the public key, x is the private key, and Q = x·G where G is the generator (or base point) of the elliptic curve being used. One particular standard for this is the BIP32/BIP44 derivation method.
  • In some cases there is no single entity who holds the master key or any subsequently derived key; instead a set of parties share the key and compute the ECDSA signature needed to transfer funds using secure multiparty computation (MPC), also known as threshold ECDSA signatures. In this case the parties also use MPC to compute the derivation key, since the aim is that no key is ever held by any single party at any time. In this MPC, each party inputs its share of the key that is being used in the derivation, and the parties receive as output shares of the new derivation key. This derivation can be achieved using standard MPC techniques such as garbled circuits for two parties or authenticated garbling of the BMR circuit for many parties. However, MPC does not prevent parties from changing their local inputs: the protocol guarantees that the agreed function is computed correctly on whatever inputs the parties supply, not that those inputs are the parties' genuine key shares. A malicious party can therefore input an incorrect share of the key being derived from, and the result would be a derivation key that is a valid ECDSA key but cannot be reconstructed from the master key. Thus, if the key shares are lost, the backup master key cannot be used to recover the private key, and the cryptocurrency protected by that key is permanently lost.
  • SUMMARY OF THE INVENTION
  • The subject matter disclosed below can be used for any derivation method, not limited to crypto currencies, and for any key-pair of the same form as ECDSA. Thus, it can also work for Schnorr-based signatures, like EdDSA.
  • It is an object of the subject matter to disclose a system for enforcing correctness of a derivation key, comprising multiple computerized nodes, each comprising a storage module configured to store a share of a key used as input to a function generating the derivation key, a communication module configured to exchange information between the multiple computerized nodes, and a processing module configured to perform a set of instructions comprising: receiving a request to create the derivation key; performing an MPC process between the multiple computerized nodes, said MPC process being performed multiple times, wherein in each execution the MPC process receives the key shares as input, randomly selects a function from a plurality of optional functions, one of which outputs key shares of the derivation key and another of which outputs values that can be verified by the computerized nodes, and outputs the outputs of the selected function to the multiple computerized nodes, the multiple computerized nodes lacking access to the selected function; and the multiple computerized nodes performing computations on the received outputs and exchanging outputs of the computations to estimate the correctness of the key shares inputted into the MPC process.
  • In some cases, the multiple computerized nodes are further configured to compute and exchange a first commitment message which is a cryptographic function receiving as input the output of the selected function. In some cases, the cryptographic function comprises an ECDSA function computed on the output of the selected function and a hash function performed on the output of the ECDSA function.
  • In some cases, the processing module is further configured to receive a second commitment message from another computerized node of the multiple computerized nodes, said second commitment message comprises a key share sent from the selected function to the other computerized node and to check correctness of the input provided by the other computerized node.
  • In some cases, the processing module is configured to identify that the selected function is the key derivation function, to identify that the other computerized node inputted a correct value, and to assign the value provided by the MPC process as a key share of the derivation key. In some cases, the processing module assigns the value provided by the MPC process as a key share of the derivation key after checking the performance of the optional function (the one whose outputs can be verified by the computerized nodes) by the MPC process, using the commitment message received from another node as input for that check. In some cases, the MPC process and the estimation of the correctness of the key shares are repeated until a predefined condition is met. In some cases, the multiple computerized nodes are configured to check the commitments from the other nodes, verify that the selected function is the key derivation function, and assign the output of the selected function as the key shares of the derivation key.
  • In some cases, the multiple computerized nodes comprise instructions to perform two different optional functions having output values that can be verified by the computerized nodes, wherein one of the two optional functions outputs two equal random values and another optional function outputs two random values having a predefined additive share.
  • In some cases, the computerized nodes assign the output of the MPC process as a share of the derivation key in case all potential candidates of derivation key share that fail to match the optional functions that can be verified by the computerized nodes are equal in all outputs of the MPC process.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The invention may be more clearly understood upon reading of the following detailed description of non-limiting exemplary embodiments thereof, with reference to the following drawings, in which:
  • FIG. 1 discloses a method of deriving a key, according to exemplary embodiments of the subject matter;
  • FIG. 2 discloses a method for enforcing correctness of key shares during a key derivation process, according to exemplary embodiments of the subject matter; and,
  • FIG. 3 discloses a method for computing and encrypting the output of the selected function to verify correctness of the key shares, according to exemplary embodiments of the subject matter.
  • The following detailed description of embodiments of the invention refers to the accompanying drawings referred to above. Dimensions of components and features shown in the figures are chosen for convenience or clarity of presentation and are not necessarily shown to scale. Wherever possible, the same reference numbers will be used throughout the drawings and the following description to refer to the same and like parts.
  • DETAILED DESCRIPTION OF THE INVENTION
  • Illustrative embodiments of the invention are described below. In the interest of clarity, not all features/components of an actual implementation are necessarily described.
  • The present invention discloses a system and method for managing derivation of a cryptographic key, also referred to herein as the key. The method is performed by multiple computerized nodes used to store shares of the key. The key may be used in the context of money transfer, for example a Blockchain-related transfer, when a cryptographic key is required to transfer the funds. The key may be used for any other purpose selected by a person skilled in the art. The method is configured to verify, with a very high probability, that the key shares inputted by all the nodes are correct and can be used to create a valid derivation key. The method is performed multiple times, for example in the range of 16-128 times, and each time the shares inputted for the derivation key are found valid, the probability that a node's actual input is false is reduced.
  • Each of the multiple computerized nodes stores a share of the key used to derive a derivation key. The key shares may be generated using a multi-party computation (MPC) process. The nodes also store a set of instructions that are detailed below. Each node comprises a communication module configured to exchange messages with the multiple computerized nodes. The communication module may exchange signals via wireless or wired channels, for example via the internet, on cables, via a cellular network or any communication technique desired by a person skilled in the art. The nodes also comprise a memory unit configured to store a set of instructions to be executed by the nodes and to store the messages received from the multiple computerized nodes. The messages received from the multiple computerized nodes may be associated with an identifier of the specific node of the multiple computerized nodes that sent the message.
  • FIG. 1 discloses a method of deriving a key, according to exemplary embodiments of the subject matter.
  • Step 110 discloses the multiple computerized nodes receiving a request to generate a derivation key based on a key shared between multiple nodes. The request may be sent before transferring funds associated with the key. The nodes may be computers, servers, mobile electronic devices, cellular phones, and any electronic devices having a communication module and a memory for storing the key share and for performing the instructions disclosed herein. Each node of the multiple computerized nodes performs the method below multiple times, as each execution leaves a 50% probability that a node provided a false value as its key share without being caught. Thus, performing the method 20 times and finding each time that the values received from the nodes are correct implies that the likelihood of an undetected false value received from a node is less than one in a million. The number of times a value is requested from the node may be defined by a person skilled in the art.
  • Step 120 discloses the multiple nodes computing the derivation key using an MPC process. The MPC process is performed in a manner in which the entire key and the derivation key are never accessible to a single entity. The MPC process receives as input a derivation string which is public to all the nodes, and key shares provided by the nodes. The output of the MPC process is shares of the derivation key and authentication information. Each node receives a share of the derivation key. In typical embodiments of the invention, such a derivation key can be computed by computing the HMAC function on the key and the public derivation string via MPC, so that the input and output key shares of a node are not revealed to any other node. The authentication information may be used to finalize the verification of correctness of the key shares. The MPC process is performed multiple times, as desired by the person skilled in the art, for example 20 times, 64 times, 144 times and the like. In some cases, in each execution the output of the MPC process may be either the authentication information or the derivation key shares. At the end of the MPC process, the nodes have received, with very high probability, both the authentication information and the derivation key shares.
  • Step 130 discloses verifying correctness of the key shares inputted by the nodes for the key derivation process. The correctness of the key shares is verified by exchanging messages between the multiple computerized nodes, as detailed below. At least some of the messages contain outputs of cryptographic operations. At the end of the verification phase, each node can determine with very high probability whether or not the other node inputted the correct share for the key derivation process.
  • Step 140 discloses the nodes assigning the values received in step 120 as shares of the derivation key, if the verification performed in step 130 succeeds.
  • FIG. 2 discloses a method for performing an MPC process configured to output shares of the derivation key and authentication information, according to exemplary embodiments of the subject matter. The MPC process is performed multiple times, and each time the MPC process outputs either the shares of the derivation key or authentication information. The number of executions may be predefined, or the MPC process may terminate in response to a predefined event, for example after all the options elaborated in steps 230, 233 and 235 have occurred. Thus, for example, in the first and second executions, the coins indicate that the key derivation option is selected. In executions number 3, 7 and 9-11, the shares are created according to step 233, and in executions number 4-6, 8 and 12, the shares are created according to step 235.
  • Step 210 discloses computing xin = xin1 + xin2 mod q. It should be noted that none of the nodes that perform the MPC process hold or have access to both xin1 and xin2 during any of the processes described in the subject matter. xin1 is the share stored in node 1 and xin2 is the share stored in node 2. xin denotes the key from which the derivation key is derived.
  • Step 220 discloses flipping two coins, b1 and b2. The two coins represent 4 options having substantially the same probability of taking place. As the next steps are performed multiple times, the MPC process performed by the nodes requires that all 4 options are randomly selected with a very high likelihood, for example a probability of at least 99.99%. Flipping the coins may be performed using a Bernoulli process implemented in software running as an MPC process between the nodes. The outcome of the coins is not revealed to any of the nodes. For simplicity, the coins may have a value of “0” or “1”. The coin flip represents a random selection of one option from the multiple options disclosed in steps 230, 233 and 235. The options may be selected with equal or unequal probabilities.
  • After flipping the coins, the MPC process sets two values, each of which is outputted to a different node. In case the first coin has a value “0”, as disclosed in step 230, the MPC process sets both shares x1′, x2′ to be the same random value. In case the first coin has a value “1” and the second coin has a value “0”, as disclosed in step 233, the MPC process sets the shares x1′, x2′ to be random shares of xin (that is, x1′+x2′=xin mod q). In case the first coin has a value “1” and the second coin has a value “1”, as disclosed in step 235, the MPC process computes xout=H(xin, s) and prepares random shares x1′, x2′ of xout. It should be noted that the mathematical computations disclosed in steps 233 and 235 are exemplary only, and represent any selection of random values that can be used to verify the correctness in the method described in FIG. 3. The nodes are not aware at any stage of the option selected by the coin flip.
  • Then, in step 240, the share x1′ is outputted to node P1 and the share x2′ is outputted to node P2. Again, also when outputting the shares x1′ and x2′, neither node has access to the other node's share. In some cases, the process is repeated after step 240, as shown in FIG. 2. In some other cases, the coin flip is performed multiple times, for example 64 times, each flip is assigned an identifier, and then the selected option is performed according to the value of the identifier. For example, the value “00” indicates that both coin flips were assigned “0”. Then, all the 64 outputs are outputted to each node using the MPC process, and each node has 64 occurrences of outputs, for example, 20 key derivation shares, 20 random shares and 24 random additive shares.
  • FIG. 3 discloses a method for computing and encrypting the output of the selected function to verify correctness of the key shares, according to exemplary embodiments of the subject matter.
  • In step 310, each node Pi (for i=1,2) receives function output xi′. For example, node P1 receives X1 and P2 receives X2.
  • In step 320, each node Pi computes Qi′=xi′·G. G is the generator (or base point) of the elliptic curve being used. It should be noted that xi′ cannot be extracted from Qi′, since recovering the scalar from the point would require solving the elliptic-curve discrete logarithm problem.
  • In step 330, each node Pi sends the other node a cryptographic commitment to Qi′. The commitment is defined as a value that binds the node to the value but does not reveal it. The commitment may be computed, for example, by choosing a random ri of length 128 bits and computing ci=SHA256(Qi′, ri). Then, the nodes exchange the values ci.
  • In step 340, each node Pi receives the cryptographic commitment from the other node. The exchange of the commitments, commitment openings and additional messages between the nodes may be performed via a wired or wireless channel. In some exemplary cases, the nodes are different and distinct entities located nearby, even in the same building or server farm/cluster.
  • In step 345, the nodes exchange commitment openings. The commitment opening is the input to the commitment, that is, the values from which the commitment message was computed before the hash function was applied. For example, the commitment opening is (Qi′, ri) while the commitment message is ci=SHA256(Qi′, ri).
  • In step 345, the nodes check the result of the commitments. Checking may be performed by applying the hash function on the commitment opening and comparing the output of the hash function to the commitment message.
  • In step 360, if the commitments are correct in all executions, if in each execution either Q1′=Q2′ or Q1′+Q2′=Qin holds, and the remaining Q1 and Q2 values received by each node are the same in all iterations, then Q1 and Q2 are defined as the public key shares, xi′ as the private key share of each node, and Q=Q1+Q2 as the derived public key. The method may define one or more functions that are verifiable by the nodes without revealing the outputs X1 and X2. As noted above, one optional verifiable function outputs two random and equal values. Thus, the nodes can check whether Q1 equals Q2 and thereby whether X1 equals X2. Otherwise, the nodes conclude that the selected function is the function that computes the derivation key. In such a case, the outputted values X1 and X2 are stored in the nodes as the shares of the derivation key. Another verifiable function outputs two additive shares of Xin.
  • In case the selected function outputs equal random values, no node can modify the Qi′ value that it sends in the commitment, or the node will be detected cheating, as all the nodes should have the same value and its value will differ. A malicious node may send a different value and hope that this falls into the case where another verifiable function was selected, or that it equals the value stored in other executions, but since Qj′ is just a random value, the chance of it falling into another case is extremely small.
  • Assume that a node inputs an incorrect share into the computation and the selected function outputs two values such that X1+X2 equals Xin mod q. In this case, the malicious node needs to make the result equal Qin. This requires it to change its Qj′ value, since the input share was incorrect and Qin is publicly known. However, by what we have just explained, it cannot change Qj′ if b1=0 or it will be detected. Thus, such a strategy is doomed to fail and the cheating will be detected.
  • Finally, assume that both nodes input correct shares but an attacker wishes to make the resulting key incorrect. In order to do so, the attacker has to change the Qj′ value it received. Again, this strategy is doomed to fail, as the attacker must input its correct share and cannot change its output; else, it will be detected with a very high probability.
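The FIG. 2 coin-flip functions and the FIG. 3 commitment exchange and step 360 checks, simulated end to end as an added example (not the patent's own code): a trusted dealer stands in for the MPC, secp256k1 is assumed as the curve and HMAC-SHA256 as H(xin, s), and the sharing of xout is assumed to be fixed across executions so that honest derivation candidates coincide. The function names (`mpc_round`, `run_round`, `verdict`) and the `fake_Q1` cheating hook are hypothetical.

```python
# Added simulation of the FIG. 2 / FIG. 3 checks (not the patent's code); a trusted dealer stands in for the MPC.
import hashlib, hmac, secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime (assumed curve)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, A=G):
    """Double-and-add scalar multiplication (step 320: Q' = x'.G)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def mpc_round(x1, x2, s, b1, b2):
    """Dealer stand-in for the FIG. 2 MPC: coins b1, b2 pick the function; the nodes never learn them."""
    xin = (x1 + x2) % Q                                    # step 210
    if b1 == 0:                                            # step 230: equal random values
        r = secrets.randbelow(Q)
        return r, r
    if b2 == 0:                                            # step 233: random shares of xin
        a = secrets.randbelow(Q)
        return a, (xin - a) % Q
    key = xin.to_bytes(32, "big")                          # step 235: xout = H(xin, s), assumed HMAC-SHA256
    xout = int.from_bytes(hmac.new(key, s, hashlib.sha256).digest(), "big") % Q
    # assumption: the sharing of xout is fixed across executions so honest derive outputs coincide (step 360)
    a = int.from_bytes(hmac.new(key, s + b"|share", hashlib.sha256).digest(), "big") % Q
    return a, (xout - a) % Q

def commit(Qp):
    """Step 330: c = SHA256(Q', r) with a 128-bit random r; returns (c, opening)."""
    r = secrets.token_bytes(16)
    data = Qp[0].to_bytes(32, "big") + Qp[1].to_bytes(32, "big") + r
    return hashlib.sha256(data).digest(), (Qp, r)

def open_ok(c, opening):
    """Commitment check: re-hash the opening (Q', r) and compare with c."""
    (x, y), r = opening
    data = x.to_bytes(32, "big") + y.to_bytes(32, "big") + r
    return hmac.compare_digest(c, hashlib.sha256(data).digest())

def run_round(x1, x2, s, b1, b2, Qin, fake_Q1=None):
    """One execution: x1 is whatever P1 feeds the MPC; fake_Q1 lets P1 commit to a point other than x1'.G."""
    x1p, x2p = mpc_round(x1, x2, s, b1, b2)
    Q1p, Q2p = fake_Q1 or ec_mul(x1p), ec_mul(x2p)
    c1, o1 = commit(Q1p)                                  # step 330: c1, c2 are exchanged
    c2, o2 = commit(Q2p)
    if not (open_ok(c1, o1) and open_ok(c2, o2)):         # step 345: openings exchanged and checked
        return "bad-commit", None
    if Q1p == Q2p:                                         # step 360: equal-values check
        return "equal", (Q1p, Q2p)
    if ec_add(Q1p, Q2p) == Qin:                            # step 360: additive-shares check
        return "shares", (Q1p, Q2p)
    return "derive", (Q1p, Q2p)                            # matches neither verifiable function

def verdict(results):
    """Accept only if every commitment opened and all candidates matching neither check are identical."""
    if any(tag == "bad-commit" for tag, _ in results):
        return "cheat", None
    cands = {pair for tag, pair in results if tag == "derive"}
    if len(cands) > 1:
        return "cheat", None
    return ("ok", cands.pop()) if cands else ("incomplete", None)
```

A node that feeds a wrong input share turns every step 233 execution into a fresh candidate that matches neither check, so the candidates disagree across executions and the run is rejected; committing to a point other than xi′·G in a step 230 execution is caught the same way.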
  • While the disclosure has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings without departing from the essential scope thereof. Therefore, it is intended that the disclosed subject matter not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but only by the claims that follow.

Claims (10)

1. A system for enforcing correctness of a derivation key, comprising:
multiple computerized nodes configured to store a share of a key used as an input of a function generating the derivation key, a communication module configured to exchange information between the multiple computerized nodes, said multiple computerized nodes are configured to perform a set of instructions, comprising:
receiving a request to create the derivation key;
performing a multiparty computation (MPC) process between the multiple computerized nodes, said MPC process is performed multiple times, in each time the MPC process comprises:
(a) receiving the key shares as input,
(b) randomly selecting a function from a plurality of optional functions, wherein the multiple computerized nodes are not aware of the randomly-selected function, one optional function of the plurality of optional functions outputs key shares of the derivation key and another optional function of the plurality of optional functions outputs values that can be verified by the computerized nodes, and
(c) performing the MPC process using the randomly-selected function;
outputting the outputs of the selected function to the multiple computerized nodes, the multiple computerized nodes lack access to the selected function;
wherein in case the another optional function is selected, the multiple computerized nodes perform computations on the received outputs and exchange outputs of the computations to estimate correction of the key shares inputted into the MPC process.
2. The system of claim 1, wherein the multiple computerized nodes are further configured to compute and exchange a first commitment message which is a cryptographic function receiving as input the output of the selected function.
3. The system of claim 2, wherein the cryptographic function comprises an ECDSA function computed on the output of the selected function and a hash function performed on the output of the ECDSA function.
4. The system of claim 2, wherein the multiple computerized nodes are further configured to receive a second commitment message from another computerized node of the multiple computerized nodes, said second commitment message comprises a key share sent from the selected function to the other computerized node and to check correctness of the input provided by the other computerized node.
5. The system of claim 1, wherein the multiple computerized nodes are configured to identify that the selected function is the key derivation function, identify that the other computerized node inputted a correct value and to assign the value provided from the MPC process as a key share of the derivation key.
6. The system of claim 1, wherein the multiple computerized nodes assign the value provided from the MPC process as a key share of the derivation key after checking performance of the optional function that outputs values that can be verified by the computerized nodes performed by the MPC process, said multiple computerized nodes check performance of the optional function using the commitment message received from another node as input.
7. The system according to claim 1, wherein the MPC process and estimating correction of the key shares are performed until a predefined condition is met.
8. The system according to claim 1, wherein the multiple computerized nodes are configured to check the commitment from the other nodes and verifying that the selected function is, assigning the output of the selected function as the key shares of the derivation key.
9. The system according to claim 1, wherein the multiple computerized nodes comprise instructions to perform two different optional functions having output values that can be verified by the computerized nodes, wherein one of the two optional functions outputs two equal random values and another optional function outputs two random values having a predefined additive share.
10. The system according to claim 1, wherein the computerized nodes assign the output of the MPC process as a share of the derivation key in case all potential candidates of derivation key share that fail to match the optional functions that can be verified by the computerized nodes are equal in all outputs of the MPC process.

Priority Applications (2)

Application Number Priority Date Filing Date Title
US16/183,868 US10630471B1 (en) 2018-11-08 2018-11-08 System and method for enforcement of correctness for key derivation
US16/726,965 US10833871B2 (en) 2018-11-08 2019-12-26 System and method for deterministic signing of a message using a multi-party computation (MPC) process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US16/183,868 US10630471B1 (en) 2018-11-08 2018-11-08 System and method for enforcement of correctness for key derivation

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/726,965 Continuation-In-Part US10833871B2 (en) 2018-11-08 2019-12-26 System and method for deterministic signing of a message using a multi-party computation (MPC) process

Publications (2)

Publication Number Publication Date
US10630471B1 US10630471B1 (en) 2020-04-21
US20200153622A1 true US20200153622A1 (en) 2020-05-14
