US20220222634A1 - Weighted multiple authorizations - Google Patents

Weighted multiple authorizations

Info

Publication number
US20220222634A1
Authority
US
United States
Prior art keywords
authorization
authority
signatures
node
weights
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US17/581,359
Inventor
Konstantinos Chalkias
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
R3 Ltd
Original Assignee
R3 Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
Application filed by R3 Ltd
Priority to US17/581,359
Assigned to R3 Ltd. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHALKIAS, KONSTANTINOS
Publication of US20220222634A1
Legal status: Pending

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
                • G06Q20/00 Payment architectures, schemes or protocols
                    • G06Q20/02 Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
                    • G06Q20/04 Payment circuits
                        • G06Q20/06 Private payment circuits, e.g. involving electronic currency used among participants of a common payment scheme
                            • G06Q20/065 using e-cash
                                • G06Q20/0658 e-cash managed locally
                    • G06Q20/38 Payment protocols; Details thereof
                        • G06Q20/382 insuring higher security of transaction
                            • G06Q20/3825 Use of electronic signatures
                            • G06Q20/3827 Use of message hashing
                            • G06Q20/3829 involving key management
                        • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
                • G06Q2220/00 Business processing using cryptography
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3236 using cryptographic hash functions
                            • H04L9/3242 involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
                • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
                    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the bitcoin system was developed to allow electronic cash to be transferred directly from one party to another without going through a financial institution, as described in the white paper entitled “Bitcoin: A Peer-to-Peer Electronic Cash System” by Satoshi Nakamoto.
  • a bitcoin (e.g., an electronic coin)
  • a new transaction is generated and added to a stack of transactions in a block.
  • the new transaction which includes the public key of the new owner, is digitally signed by the owner with the owner's private key to transfer ownership to the new owner, as represented by the new owner public key.
  • the signing by the owner of the bitcoin is an authorization by the owner to transfer ownership of the bitcoin to the new owner via the new transaction.
  • the block is “capped” with a block header that is a hash digest of all the transaction identifiers within the block.
  • the block header is recorded as the first transaction in the next block in the chain, creating a mathematical hierarchy called a “blockchain.”
  • the blockchain of transactions can be followed to verify each transaction from the first transaction to the last transaction.
  • the new owner need only have the private key that matches the public key of the transaction that transferred the bitcoin.
  • the blockchain creates a mathematical proof of ownership in an entity represented by a security identity (e.g., a public key), which in the case of the bitcoin system is pseudo-anonymous.
  • the bitcoin system maintains a distributed ledger of transactions.
  • a ledger of all the transactions for a bitcoin is stored redundantly at multiple nodes (i.e., computers) of a blockchain network.
  • the ledger at each node is stored as a blockchain.
  • the transactions are stored in the order that the transactions are received by the nodes.
  • Each node in the blockchain network has a complete replica of the entire blockchain.
  • the bitcoin system also implements techniques to ensure that each node will store the identical blockchain, even though nodes may receive transactions in different orderings.
  • the blocks in the blockchain can be accessed from oldest to newest, generating a new hash of the block and comparing the new hash to the hash generated when the block was created. If the hashes are the same, then the transactions in the block are verified.
  • the bitcoin system also implements techniques to ensure that it would be infeasible to change a transaction and regenerate the blockchain by employing a computationally expensive technique to generate a nonce that is added to the block when it is created.
  • a bitcoin ledger is sometimes referred to as an Unspent Transaction Output (“UTXO”) set because it tracks the output of all transactions that have not yet been spent.
  • UTXO: Unspent Transaction Output
  • the owner public key is set as the token owner identity, and when performing actions against tokens, ownership proof is established by providing a signature generated by the owner private key and validated against the public key listed as the owner of the token.
  • a person can be uniquely identified, for example, using a combination of a user name, social security number, and biometric (e.g., fingerprint).
  • a product (e.g., a refrigerator)
  • the identity tokens for each would be a cryptographic one-way hash of such combinations.
  • the identity token for an entity may be the public key of a public/private key pair, where the private key is held by the entity.
  • Identity tokens can be used to identify people, institutions, commodities, contracts, computer code, equities, derivatives, bonds, insurance, loans, documents, and so on. Identity tokens can also be used to identify collections of assets.
  • An identity token for a collection may be a cryptographic one-way hash of the digital tokens of the assets in the collection.
  • the creation of an identity token for an asset in a blockchain establishes provenance of the asset, and the identity token can be used in transactions (e.g., buying, selling, insuring) involving the asset stored in a blockchain, creating a full audit trail of the transactions.
  • each party and asset involved with the transaction needs an account that is identified by a digital token.
  • For example, when one person wants to transfer a car to another person, the current owner and next owner create accounts, and the current owner also creates an account that is uniquely identified by the car's vehicle identification number.
  • the account for the car identifies the current owner.
  • the current owner creates a transaction against the account for the car that indicates that the transaction is a transfer of ownership, indicates the public keys (i.e., identity tokens) of the current owner and the next owner, and indicates the identity token of the car.
  • the transaction is signed by the private key of the current owner, and the transaction is evidence that the next owner is now the current owner.
  • a smart contract is computer code that implements transactions of a contract.
  • the computer code may be executed in a secure platform (e.g., an Ethereum platform, which provides a virtual machine) that supports recording transactions in blockchains.
  • the smart contract itself is recorded as a transaction in the blockchain using an identity token that is a hash (i.e., identity token) of the computer code so that the computer code that is executed can be authenticated.
  • When a transaction is recorded against a smart contract, a message is sent to the smart contract, and the computer code of the smart contract executes to implement the transaction (e.g., debit a certain amount from the balance of an account).
  • the computer code ensures that all the terms of the contract are complied with before the transaction is recorded in the blockchain.
  • a smart contract may support the sale of an asset.
  • the inputs to a smart contract to sell a car may be the identity tokens of the seller, the buyer, and the car and the sale price in U.S. dollars.
  • the computer code ensures that the seller is the current owner of the car and that the buyer has sufficient funds in their account.
  • the computer code then records a transaction that transfers the ownership of the car to the buyer and a transaction that transfers the sale price from the buyer's account to the seller's account. If the seller's account is in U.S. dollars and the buyer's account is in Canadian dollars, the computer code may retrieve a currency exchange rate, determine how many Canadian dollars the seller's account should be debited, and record the exchange rate. If either transaction is not successful, neither transaction is recorded.
  • each node executes the computer code of the smart contract to implement the transaction. For example, if 100 nodes each maintain a replica of a blockchain, then the computer code executes at each of the 100 nodes. When a node completes execution of the computer code, the result of the transaction is recorded in the blockchain.
  • the nodes employ a consensus algorithm to decide which transactions to keep and which transactions to discard. Although the execution of the computer code at each node helps ensure the authenticity of the blockchain, it requires large amounts of computer resources to support such redundant execution of computer code.
  • the notary checks the inputs to the transaction against the UTXO database to ensure that the outputs that the inputs reference have not been spent. If the inputs have not been spent, the notary updates the UTXO database to indicate that the referenced outputs have been spent, notarizes the transaction (e.g., by signing the transaction or a transaction identifier with a public key of the notary), and sends the notarization to the party that submitted the transaction for notarization. When the party receives the notarization, the party stores the notarization and provides the notarization to the counterparties.
  • Distributed ledger systems require the signature of a designated authorizing party (“authority”) to consume the output of a transaction such as a transaction to transfer ownership of an asset.
  • the signature of the owner (i.e., the authority) of a bitcoin is required to be in a transaction to transfer ownership of that bitcoin to a new owner.
  • the signature is generated by the owner encrypting the hash of the prior transaction that transferred the bitcoin to the owner with the private key corresponding to the public key included in the prior transaction.
  • requiring the authorization of only a single authority may not be sufficient to provide the needed level of security.
  • a governmental entity that is responsible for providing to its citizens notifications of imminent threats (e.g., an attack or a natural disaster)
  • a bank that has been transferred a large number of bitcoins may want to require the authorization of multiple authorities (e.g., the vice-president of finance and the vice-president of compliance) before the bitcoins can be transferred.
  • a company that is a party to a contract may specify that the contract is not valid unless signed by multiple people (e.g., the president and the controller of the company along with a member of the board of directors of the company).
  • the script language for the bitcoin system supports a “multi-sig” instruction.
  • the multi-sig instruction has some number of public keys as one input parameter and a threshold number of public keys as another parameter.
  • the multi-sig instruction indicates that the current transaction has been authorized when at least the threshold number of distinct signatures of the prior transaction has been verified using the public keys of the multi-sig instruction. For example, when the multi-sig instruction includes ten public keys and the threshold number is five, then the current transaction is authorized when five of the public keys have been used to verify five signatures of the current transaction.
  • the multi-sig instruction can be considered to represent a threshold number of authorizations out of equally valued (or weighted) authorizations.
  • although multi-signature authorizations provide a much higher level of security than single-signature authorizations, such multi-signature authorizations require a pre-specified threshold number of signatures, and the signatures of any of the authorizing parties can be used to meet that threshold number.
  • multi-signature authorizations do not support options such as requiring either the signatures of two specified persons or only the signature of a different specified person (e.g., the president and the controller of a company or just the signature of a board member).
  • FIG. 1 illustrates an overall structure of tree representations of authorization specifications.
  • FIGS. 2A and 2B illustrate example tree representations of authorization specifications.
  • FIG. 3 illustrates an example tree representation of an authorization specification.
  • FIG. 4 is a block diagram that illustrates components of the WMA system in some embodiments.
  • FIG. 5 is a flow diagram that illustrates the processing of a receive multi-signature transaction component in some embodiments.
  • FIG. 7 is a flow diagram that illustrates the processing of a check validity component in some embodiments.
  • FIG. 8 is a flow diagram that illustrates the processing of a check cycles component in some embodiments.
  • FIG. 9 is a flow diagram that illustrates the processing of a check constraints component in some embodiments.
  • FIG. 10 is a flow diagram that illustrates the processing of a check authorization component in some embodiments.
  • a weighted multiple authorization (“WMA”) system confirms authorization of a matter when the combined authority weights of one or more authorities that provide their authorizations satisfy a threshold weight.
  • WMA: weighted multiple authorization
  • an authority provides an authorization to transfer an amount of bitcoin that is output by a prior transaction (i.e., the matter being authorized) by signing with their private key a hash of the prior transaction whose output is input to a current transaction.
  • the authority weights of the authorities vary so that the authorizations of some authorities are weighted more than other authorities.
  • a first authority may have a weight of 1 and a second authority may have a weight of 3, which means that the authorization of the second authority counts three times as much toward satisfying the threshold weight.
  • the authority weight for each authority and the threshold weight are identified in an authorization specification that specifies the criteria for the authorization of a matter.
  • the authorization specification also specifies authorization verification information for each authority.
  • an authorization specification may include authority weights of 1, 2, and 3 for authorities A, B, and C, respectively, and a threshold weight of 3.
  • the authorization specification may also include the public keys of authorities A, B, and C as their authorization verification information.
  • when the authorizations of authorities A and B are verified, the WMA system confirms authorization because the sum of their authority weights equals the threshold weight, irrespective of whether the authorization of authority C has been provided or verified.
  • when the authorization of authority C is verified, the WMA system confirms authorization because the authority weight of authority C equals the threshold weight, irrespective of whether the authorizations of authorities A or B have been provided or verified.
  • the authorization specification of this example effectively implements the Boolean expression of “(A and B) or C,” meaning that authorization of the matter is confirmed when the authorization of both A and B are verified or when the authorization of C is verified. This authorization specification would require, for example, the authorizations of two vice-presidents of a company to confirm authorization of a matter or the authorization of the president alone to confirm authorization of the matter.
  • the WMA system may be used with other techniques for providing authorizations.
  • the WMA system may be used with authorities who have security tokens.
  • a security token may store a static password.
  • a security token may alternatively generate a dynamic password based on synchronized clocks of the security token and the WMA system.
  • a security token may also be a smartphone or other device that receives from the WMA system a one-time code when an authority is to provide its authorization. Once the WMA system receives the password or one-time code for an authority, it verifies the authorization of that authority based on the password or one-time code.
  • the WMA system may be used with authorities who have physical keys. Thus, when the WMA system is described as using signature-based authorizations, the authorizations may be based alternatively on these other techniques.
  • an authority may be a parent authority with multiple child authorities whose authorizations determine whether authorization of the parent authority is verified.
  • authority B may be a parent authority with child authorities B1, B2, and B3, which are considered to be sibling authorities represented by sibling nodes.
  • the parent authority has a threshold weight, and each child authority has an authority weight.
  • the parent authority B may have a threshold weight of 2 and the child authorities B1, B2, and B3 may have authority weights of 1, 1, and 2, respectively.
  • the authorization of parent authority B is verified when the sum of the authority weights of the child authorities whose authorizations are verified is equal to or greater than the threshold weight of authority B.
  • the WMA system may support the use of weighted multiple signatures for a blockchain system such as bitcoin.
  • a blockchain system may define a “weighted multi-sig” instruction.
  • the weighted multi-sig instruction may have two parameters: an authorization specification and a set of signatures (i.e., authorizations), possibly along with the identification (e.g., public key) of the authority who provided each signature.
  • the instruction verifies the signatures (i.e., verified authorizations) using the public keys of the authorization specification.
  • the instruction uses the verified signatures to determine whether the threshold weights of the authorization specification are satisfied and ultimately to determine the threshold weight of the topmost parent authority.
  • the instruction indicates that the authorization as specified by the authorization specification has been verified.
  • the WMA system may be implemented, at least in part, in the code of the smart contracts associated with transactions.
  • a single authority may use the WMA system to provide enhanced security in providing its authorization for a matter. If the authority relies on a private/public key pair to provide authorization and if the private key is compromised (e.g., stolen or the encryption scheme broken), then another party could use the private key to provide malicious authorization for the matter. To help prevent such malicious authorization, the authority could use the WMA system to require multiple authorizations from itself. For example, an authority can specify that authorizations based on three different private keys (or security tokens) are needed to confirm the authorization for the matter. The authority may store the private keys in different ways such as storing the first private key on a cloud system, the second private key on a USB token, and the third private key in a key vault on a desktop computer.
  • the single party may employ various authorization specifications such as “((A1 and A2) or A3).” With such an authorization specification, the single party may store the private key for A3 in an ultra-secure vault that is accessed only if the private key for A1 or A2 is lost. Also, the authority may use different algorithms to generate the private/public key pairs.
  • the first key pair may be generated using a Rivest-Shamir-Adleman (“RSA”) algorithm such as RSA-3072
  • the second key pair may be generated using an Elliptic Curve Digital Signature Algorithm (“ECDSA”)
  • ECDSA: Elliptic Curve Digital Signature Algorithm
  • the third key pair may be generated using a SPHINCS algorithm (see Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox-O'Hearn, “SPHINCS: practical stateless hash-based signatures,” Advances in Cryptology—EUROCRYPT 2015, 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, Apr.
  • the WMA system may be used to employ different algorithms for various reasons.
  • the RSA algorithms and the ECDSA algorithms are considered to be classical algorithms because they are considered not to be secure in light of quantum computing.
  • the SPHINCS algorithm is considered to be a post-quantum algorithm because it is considered to be secure in light of quantum computing.
  • the WMA system may thus support authorizations based on a combination of classical algorithms and post-quantum algorithms.
  • An authorization specification may be “(A and B)” where A represents authorization with a classical algorithm and B represents authorization with a post-quantum algorithm.
  • different regulators may require access to information that is accessible using certain algorithms.
  • a first banking regulator of one country may require use of an RSA algorithm
  • a second banking regulator of another country may require use of an ECDSA algorithm.
  • the WMA system may be used to verify authorization based on using either algorithm, which may be represented as “(A or B)” where A represents the authorization of the first banking regulator and B represents the authorization of the second banking regulator.
  • a first regulator for security reasons may require that authorization be allowed only based on a first algorithm under the assumption that the first algorithm is very secure.
  • a second regulator for similar reasons may require that authorizations be allowed only based on a second algorithm. In such a case, to accommodate both regulators, they may agree to an authorization that requires both algorithms with an authorization specification such as “(A and B)” where A represents the first algorithm and B represents the second algorithm.
  • FIG. 1 illustrates an overall structure of tree representations of authorization specifications.
  • a tree 100 includes nodes 101-110, each of which represents an authority. The ellipses indicate that the tree can have many other nodes.
  • Node 101 is a root node
  • nodes 102-104 are non-leaf nodes
  • nodes 105-110 are leaf nodes.
  • the non-leaf nodes (including the root node) represent parent authorities
  • nodes 105-110 represent authorities whose authorization verification information is included in an authorization specification.
  • a parent authority is considered to be a composite authority because it represents a composite of the authorities of its descendant leaf nodes.
  • the non-leaf nodes include a threshold weight (“T”) and, except for the root node, an authority weight (“W”).
  • the leaf nodes include an authority weight and authorization verification information (“K”).
  • the WMA system supports authorization specifications with a tree of arbitrary width and depth.
  • FIGS. 2A and 2B illustrate example tree representations of authorization specifications.
  • a tree 200 includes a root node 201, which is a parent authority, with a threshold weight of 100; leaf node 202 represents authority A and has an authority weight of 100 and a public key KA of authority A; leaf node 203 represents authority B and has an authority weight of 50 and a public key KB of authority B; and leaf node 204 represents authority C and has an authority weight of 50 and a public key KC of authority C.
  • the tree 200 represents an authorization specification represented by the Boolean expression “(A or (B and C))” because the authority weight of authority A is equal to the threshold weight and the sum of the authority weights of authority B and authority C is equal to the threshold weight.
  • a tree 210 includes a root node 211, which is a parent node, with a threshold weight of 100; leaf node 212 represents authority A and has an authority weight of 99 and a public key KA; leaf node 213 represents authority B and has an authority weight of 1 and a public key KB; and leaf node 214 represents authority C and has an authority weight of 1 and a public key KC.
  • the tree 210 represents an authorization specification represented by the Boolean expression “(A and (B or C))” because the sum of the authority weights of authority A and authority B is equal to the threshold weight and the sum of the authority weights of authority A and authority C is equal to the threshold weight.
  • the authority weights of at least two sibling nodes are different.
  • FIG. 3 illustrates an example tree representation of an authorization specification.
  • a tree 300 includes a root node 301, non-leaf node 302, and leaf nodes 303-308.
  • the tree 300 is similar to the tree 200 except that node 202 representing authority A is replaced by a parent node 302 for a parent authority A.
  • a parent node may also be referred to as a “composite key” in the sense that it has multiple descendant nodes with public keys.
  • node 302 represents a composite key because it is the parent node, or more generally the ancestor node, of multiple leaf nodes that include keys.
  • the nodes 303-306 include authority weights and public keys KA1 through KA4 for child authorities A1 through A4 of authority A.
  • the tree 300 represents an authorization specification represented by the Boolean expression of “((A1 or (A2 and (A3 or A4))) or (B and C)).” If nodes 305′ and 306′ were to replace nodes 305 and 306, then the authorization specification would be represented by the Boolean expression of “((A1 or (A2 and A3 and A4)) and (B and C)).”
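The equivalence between a weighted tree and its Boolean expression can be made mechanical: enumerate the minimal sets of leaf authorities whose weights reach each threshold. The following Python is an added example, not code from the patent; trees 200 and 210 use the thresholds and weights the page gives, and the output is in disjunctive normal form, so tree 210 renders as "(A and B) or (A and C)" rather than the page's equivalent "(A and (B or C))".

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Leaf:
    name: str      # authority label, e.g. "A"
    weight: int    # authority weight W
    key: str       # authorization verification information K (public key label)


@dataclass
class Composite:
    name: str
    threshold: int       # threshold weight T
    children: list       # Leaf or Composite nodes
    weight: int = 0      # authority weight W; the root has none, so 0


def authorizing_sets(node):
    """Minimal sets of leaf authorities (frozensets of names) that satisfy `node`.

    A leaf is satisfied by its own signature.  A composite is satisfied by any
    combination of children whose weights sum to at least its threshold; a
    composite child is itself satisfied by any of its own authorizing sets, so
    the recursion takes the cartesian product over the chosen children.
    """
    if isinstance(node, Leaf):
        return {frozenset([node.name])}
    found = set()
    for r in range(1, len(node.children) + 1):
        for combo in combinations(node.children, r):
            if sum(child.weight for child in combo) < node.threshold:
                continue
            partial = {frozenset()}
            for child in combo:
                partial = {p | s for p in partial for s in authorizing_sets(child)}
            found |= partial
    # Keep only minimal sets: drop any set that strictly contains another.
    return {s for s in found if not any(other < s for other in found)}


def boolean_expression(node):
    """Render the authorizing sets as a disjunction of conjunctions (DNF)."""
    sets = sorted(authorizing_sets(node), key=lambda s: (len(s), sorted(s)))
    terms = [" and ".join(sorted(s)) for s in sets]
    return " or ".join(f"({t})" if " and " in t else t for t in terms)


# Tree 200 from the page: root T=100; A W=100, B W=50, C W=50 -> "(A or (B and C))".
TREE_200 = Composite("root", 100, [
    Leaf("A", 100, "KA"), Leaf("B", 50, "KB"), Leaf("C", 50, "KC"),
])

# Tree 210 from the page: root T=100; A W=99, B W=1, C W=1 -> "(A and (B or C))".
TREE_210 = Composite("root", 100, [
    Leaf("A", 99, "KA"), Leaf("B", 1, "KB"), Leaf("C", 1, "KC"),
])

if __name__ == "__main__":
    for tree in (TREE_200, TREE_210):
        print(tree.name, "->", boolean_expression(tree))
```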
  • FIG. 4 is a block diagram that illustrates components of the WMA system in some embodiments.
  • the WMA system is described primarily in the context of authorizations to consume outputs of transactions recorded in a distributed ledger such as a blockchain.
  • the WMA system can also be used for authorization of other matters, as described above.
  • the WMA system provides components for distributed ledger nodes 410 and client devices 420 that are connected via a communication channel 430.
  • the distributed ledger nodes include a receive multi-signature transaction component 411, a check validity component 412, a check cycles component 413, a check constraints component 414, a receive consume multi-signature transaction component 415, and a check authorization component 416.
  • the distributed ledger nodes also include a distributed ledger store 417 for storing, for example, blocks of a blockchain.
  • the receive multi-signature transaction component receives a transaction that includes an authorization specification and invokes the check validity component to ensure that the authorization specification is valid.
  • the check validity component invokes the check cycles component to ensure that the authorization specification represents a properly formed tree (e.g., without cycles) and invokes the check constraints component to ensure that the authorization specification satisfies various constraints.
  • the receive consume multi-signature transaction component receives a current transaction to consume an output of a prior transaction that includes an authorization specification and invokes the check authorization component to verify the authorization of the current transaction based on the authorization specification.
  • the client devices include a create multi-signature transaction component 421, a create consume multi-signature transaction component 422, and a collect signatures component 423.
  • the create multi-signature transaction component creates a transaction that includes an authorization specification.
  • the create consume multi-signature transaction component creates a transaction that consumes the output of a multi-signature transaction.
  • the create consume multi-signature transaction component invokes the collect signatures component to collect signatures of authorities specified by the authorization specification of a multi-signature transaction to consume the output of the multi-signature transaction.
  • the collect signature component may interact with user interface components to obtain confirmations from the authorities to use their private keys to sign the prior multi-signature transaction whose output is to be consumed.
  • the client devices may store private keys locally, access private keys stored remotely, or receive private keys from the authority each time a signature is needed.
  • the collect signature component may alternatively obtain such confirmations from other computing devices or may receive signatures from other computing devices without having any access to private keys.
  • the computing systems may include a central processing unit, input devices, output devices (e.g., display devices and speakers), storage devices (e.g., memory and disk drives), network interfaces, graphics processing units, cellular radio link interfaces, global positioning system devices, and so on.
  • the input devices may include keyboards, pointing devices, touch screens, gesture recognition devices (e.g., for air gestures), head and eye tracking devices, microphones for voice recognition, and so on.
  • the computing systems may include desktop computers, laptops, tablets, e-readers, personal digital assistants, smartphones, gaming devices, servers, and so on.
  • the computing systems may access computer-readable media that include computer-readable storage media and data transmission media.
  • the computer-readable storage media are tangible storage means that do not include a transitory, propagating signal. Examples of computer-readable storage media include memory such as primary memory, cache memory, and secondary memory (e.g., DVD) and other storage. The computer-readable storage media may have recorded on them or may be encoded with computer-executable instructions or logic that implements the WMA system.
  • the data transmission media are used for transmitting data via transitory, propagating signals or carrier waves (e.g., electromagnetism) via a wired or wireless connection.
  • the computing systems may include a secure cryptoprocessor as part of a central processing unit for generating and securely storing keys and for encrypting and decrypting data using the keys.
  • the WMA system may be described in the general context of computer-executable instructions, such as program modules and components, executed by one or more computers, processors, or other devices.
  • program modules or components include routines, programs, objects, data structures, and so on that perform tasks or implement data types of the WMA system.
  • the functionality of the program modules may be combined or distributed as desired in various examples.
  • aspects of the WMA system may be implemented in hardware using, for example, an application-specific integrated circuit (“ASIC”) or field programmable gate array (“FPGA”).
  • FIG. 5 is a flow diagram that illustrates the processing of a receive multi-signature transaction component in some embodiments.
  • a receive multi-signature transaction component 500 is passed a transaction that includes an authorization specification, checks the validity of the transaction, and, if the transaction is valid, stores the transaction in the distributed ledger.
  • the component extracts the authorization specification and stores it as a tree data structure.
  • the component invokes a check validity component, passing an indication of the root node of the tree, and receives the result of the validity check.
  • in decision block 503, if the result indicates that the validity check was passed, then the component continues at block 504, else the component completes.
  • the component stores the multi-signature transaction in the distributed ledger. The component then completes.
  • the ellipsis between blocks 503 and 504 indicates that the component would typically perform additional validity checks (e.g., check for spent inputs) to ensure that the transaction is valid for reasons unrelated to the authorizations.
  • FIG. 6 is a flow diagram that illustrates the processing of a receive consume multi-signature transaction component in some embodiments.
  • the receive consume multi-signature transaction component 600 is passed an indication of a current transaction that consumes the output of a prior transaction with an authorization specification, confirms the authorization to consume the output, and if the authorization is confirmed, records the current transaction.
  • the component extracts signatures from the current transaction.
  • the component extracts the authorization specification from the prior transaction and stores it as a tree data structure.
  • the component invokes a check authorization component, passing an indication of the root node of the tree data structure, and receives the result of the check.
  • in decision block 604, if the result indicates that authorization has been confirmed, then the component continues at block 605, else the component completes.
  • the component records the current transaction in the distributed ledger and completes. The ellipsis between blocks 604 and 605 indicates that the component would typically perform validity checks (e.g., check for spent inputs) to ensure that the transaction is valid for reasons unrelated to the authorizations.
  • FIG. 7 is a flow diagram that illustrates the processing of a check validity component in some embodiments.
  • a check validity component 700 is passed a root node of a tree representing an authorization specification and ensures that the authorization specification is valid.
  • in decision block 701, if the root node is a composite node (i.e., represents a parent authority), then the component continues at block 702, else the component completes, indicating that the validity check was passed.
  • the component invokes the check cycles component, passing an indication of the root node and receiving the result of the check.
  • in decision block 703, if the result indicates that the cycle check was passed (e.g., no cycles), then the component continues at block 704, else the component completes, indicating that the validity check was not passed.
  • the component invokes a check constraints component, passing an indication of the root node and receiving the result of the check of the constraints.
  • in decision block 705, if the result indicates that the check of constraints was passed, then the component continues at block 706, else the component completes, indicating that the validity check was not passed.
  • in blocks 706-710, the component checks the constraints of each descendent node. In block 706, the component selects the next descendent node of the root node.
  • in decision block 707, if all the descendent nodes have already been selected, then the component completes, indicating that the validity check was passed, else the component continues at block 708.
  • in decision block 708, if the selected node represents a composite authority, then the component continues at block 709, else the component loops to block 706 to select the next descendent node.
  • in block 709, the component invokes the check constraints component, passing an indication of the selected node, and receives the result of the check of the constraints.
  • in decision block 710, if the result indicates that the check of the constraints was passed, then the component loops to block 706 to select the next descendent node, else the component completes, indicating that the validity check was not passed.
  • FIG. 8 is a flow diagram that illustrates the processing of a check cycles component in some embodiments.
  • a check cycles component 800 is invoked, passing an indication of a composite node, and checks for cycles. The component is initially passed a root node and is recursively invoked to process descendent nodes. In block 801, the component selects the next child node of the composite node. In decision block 802, if all the child nodes have already been selected, then the component completes, indicating that the check for cycles was passed, else the component continues at block 803. In decision block 803, if the child node is a composite node, then the component continues at block 804, else the component loops to block 801 to select the next child node.
  • in decision block 804, if the child node has been previously visited (i.e., a cycle exists), then the component completes, indicating that the check for cycles was not passed, else the component continues at block 805.
  • the component marks the child node as having been visited.
  • the component invokes the check cycles component, passing an indication of the child node and receiving an indication of whether the check for cycles was passed.
  • in decision block 807, if the result indicates that the check for cycles was passed, then the component loops to block 801 to select the next child node, else the component completes, indicating that the check for cycles was not passed.
  • FIG. 9 is a flow diagram that illustrates the processing of a check constraints component in some embodiments.
  • a check constraints component 900 is passed an indication of the root node of a tree that represents an authorization specification and determines whether the tree satisfies various constraints.
  • the component checks to ensure that there are no duplicate public keys in the authorization specification. The presence of a duplicate public key would indicate that an authority would need to provide multiple signatures. In such a case, the authorization specification could be reformulated to avoid the need for such multiple signatures. Alternatively, the WMA system could be implemented to accommodate such multiple signatures.
  • the component checks to ensure that each non-leaf node includes more than one child node.
  • the component checks to ensure that each threshold weight is greater than or equal to zero.
  • the component checks to ensure that the threshold weight of a non-leaf node is greater than or equal to the sum of the authority weights of its child nodes. If such threshold weight was not equal to or greater than such sum, the authorization of the parent authority of the non-leaf node could never be confirmed.
  • in decision block 905, if all the checks have been passed, then the component completes with an indication that the checks have been passed, else the component completes with an indication that the checks were not passed.
  • the component may perform additional checks. For example, the component may ensure that the sum of all possible combinations of authority weights of child nodes of a parent node is not greater than the maximum integer value to prevent an overflow when checking authorizations.
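The validity checks of FIG. 7 through FIG. 9 (cycle walk, per-composite constraints, whole-tree duplicate-key check) in Python, as an added example that is not the patent's code. The satisfiability constraint is coded in the direction the reasoning sentence above implies (a threshold above the sum of its children's weights can never be reached), which is also the direction the page's trees 200 and 210 satisfy; MAX_WEIGHT is an assumed bound for the overflow check, since the page names none.

```python
from dataclasses import dataclass

# Assumed integer bound for the overflow check (constructed; the page gives no value).
MAX_WEIGHT = 2**63 - 1


@dataclass
class Leaf:
    name: str       # authority label
    weight: int     # authority weight W
    key: str        # authorization verification information K (public key label)


@dataclass
class Composite:
    name: str
    threshold: int   # threshold weight T
    children: list
    weight: int = 0  # authority weight W; the root has none, so 0


def check_cycles(node, visited=None):
    """FIG. 8: visit each composite child once; a composite seen twice is a cycle."""
    if visited is None:
        visited = {id(node)}
    for child in node.children:
        if not isinstance(child, Composite):
            continue
        if id(child) in visited:
            return False
        visited.add(id(child))
        if not check_cycles(child, visited):
            return False
    return True


def check_constraints(node):
    """FIG. 9 checks for one composite node; returns the list of violations."""
    problems = []
    if len(node.children) < 2:
        problems.append(f"{node.name}: a non-leaf node needs more than one child")
    if node.threshold < 0:
        problems.append(f"{node.name}: threshold weight must be >= 0")
    # The sum of all child weights is the largest combination that can ever be formed.
    reachable = sum(child.weight for child in node.children)
    if reachable > MAX_WEIGHT:
        problems.append(f"{node.name}: child weights would overflow the integer bound")
    if node.threshold > reachable:
        problems.append(f"{node.name}: threshold {node.threshold} can never be reached "
                        f"(child weights sum to {reachable})")
    return problems


def check_validity(root):
    """FIG. 7: cycle check first, then constraints on the root and every composite
    descendant; the duplicate-key check spans the whole tree."""
    if isinstance(root, Leaf):   # a single-authority specification is trivially valid
        return True, []
    if not check_cycles(root):
        return False, ["cycle detected"]
    problems, keys, stack = [], [], [root]
    while stack:
        node = stack.pop()
        if isinstance(node, Leaf):
            keys.append(node.key)
        else:
            problems += check_constraints(node)
            stack.extend(node.children)
    duplicates = sorted({k for k in keys if keys.count(k) > 1})
    if duplicates:
        problems.append(f"duplicate public keys: {duplicates}")
    return not problems, problems


# Tree 200 from the page: root T=100; A W=100, B W=50, C W=50.
TREE_200 = Composite("root", 100, [
    Leaf("A", 100, "KA"), Leaf("B", 50, "KB"), Leaf("C", 50, "KC"),
])


def make_cyclic_tree():
    """Constructed malformed specification: a composite whose child list leads back to the root."""
    root = Composite("root", 100, [Leaf("A", 100, "KA")])
    inner = Composite("P", 50, [Leaf("B", 50, "KB")], weight=50)
    root.children.append(inner)
    inner.children.append(root)
    return root


if __name__ == "__main__":
    print(check_validity(TREE_200))
    print(check_validity(make_cyclic_tree()))
```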
  • the WMA system may also represent weights as real values. Also, rather than using explicit authority weights and threshold weights, the WMA system may represent an authorization specification using a Boolean expression, as described above. If so, the authority weights and the threshold weights could all be considered to be 1 (e.g., true). In such a case, a value of 1 or true can be used to represent authorities whose authorization is verified and 0 or false can be used otherwise.
  • the authorization specification represented by tree 300 may be verified by evaluating the Boolean expression of “((A1 or (A2 and (A3 or A4))) or (B and C)).” If the authorizations of A2, B, and C are verified, the expression to evaluate would be “((0 or (1 and (0 or 0))) or (1 and 1)),” which would evaluate to 1 or true, confirming authorization.
  • the component recursively invokes the check authorization component, passing an indication of the selected node and receiving the result of the check.
  • in decision block 1006, if the result indicates that the authorization was passed, then the component continues at block 1008, else the component loops to block 1002 to select the next child node.
  • in decision block 1007, if the signature for the child node has been provided and verified, then the component continues at block 1008, else the component loops to block 1002 to select the next child node.
  • the component increments the total weight by the authority weight of the child node.
  • in decision block 1009, if the total weight is greater than or equal to the threshold weight of the passed node, then the component completes, indicating that the authorization has been confirmed, else the component loops to block 1002 to select the next child node.
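The check authorization flow (blocks 1002 to 1009) in Python, as an added example that is not the patent's code, including the rule that a satisfied composite contributes its own authority weight rather than its children's. Signature verification is a stand-in built on HMAC from the standard library so the block runs offline; a deployment would verify each authority's signature over the prior transaction hash with that authority's public key K. The weights of A1 to A4 and the threshold of composite A are constructed, since the page does not give them.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Leaf:
    name: str
    weight: int
    key: bytes      # verification information K; a shared secret in this stand-in


@dataclass
class Composite:
    name: str
    threshold: int
    children: list
    weight: int = 0  # authority weight W; the root has none, so 0


def sign_stand_in(key, message):
    """Constructed stand-in for an authority signing the prior transaction's hash."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_stand_in(key, message, signature):
    """Constructed stand-in for verifying a signature with the authority's K."""
    return hmac.compare_digest(sign_stand_in(key, message), signature)


def check_authorization(node, message, signatures, verify=verify_stand_in):
    """Sum the weights of children whose authorization is confirmed.

    A leaf child counts when its signature is present and verifies (block 1007);
    a composite child counts with its own weight W, not its children's, when the
    recursive check satisfies its threshold (block 1006).  Returns True as soon
    as the total reaches the node's threshold (block 1009).
    """
    total = 0
    for child in node.children:
        if isinstance(child, Composite):
            confirmed = check_authorization(child, message, signatures, verify)
        else:
            sig = signatures.get(child.name)
            confirmed = sig is not None and verify(child.key, message, sig)
        if not confirmed:
            continue
        total += child.weight
        if total >= node.threshold:
            return True
    return False


# Constructed demo material: per-authority secrets and the hash of the prior
# multi-signature transaction that the consuming transaction's signatures cover.
KEYS = {n: f"secret-{n}".encode() for n in ("A1", "A2", "A3", "A4", "B", "C")}
TX_HASH = hashlib.sha256(b"prior multi-signature transaction (constructed)").digest()

# Tree 300 shape from the page; the weights of A1..A4 and the threshold of
# composite A are constructed so that A is satisfied by A1 alone or by A2
# together with A3 or A4, matching "((A1 or (A2 and (A3 or A4))) or (B and C))".
TREE_300 = Composite("root", 100, [
    Composite("A", 100, [
        Leaf("A1", 100, KEYS["A1"]), Leaf("A2", 60, KEYS["A2"]),
        Leaf("A3", 40, KEYS["A3"]), Leaf("A4", 40, KEYS["A4"]),
    ], weight=100),
    Leaf("B", 50, KEYS["B"]),
    Leaf("C", 50, KEYS["C"]),
])


def authorize_with(tree, signers, message=TX_HASH):
    """Collect stand-in signatures from `signers` and run the authorization check."""
    signatures = {n: sign_stand_in(KEYS[n], message) for n in signers}
    return check_authorization(tree, message, signatures)


if __name__ == "__main__":
    for signers in (["A2", "B", "C"], ["A1"], ["A2", "A3"], ["A2"], ["A3", "A4"]):
        print(signers, "->", authorize_with(TREE_300, signers))
```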
  • An implementation of the WMA system may employ any combination of the embodiments.
  • the processing described below may be performed by a computing device with a processor that executes computer-executable instructions stored on a computer-readable storage medium that implements the WMA system.
  • a method performed by a computing system for confirming an authorization based on multiple signatures of authorities.
  • the method accesses an authorization specification that specifies a threshold weight and, for each of a plurality of authorities, signature verification information and an authority weight.
  • the method accesses signatures of at least some of the authorities.
  • the method verifies the signature using the signature verification information of the authority.
  • the method generates a sum of the authority weights of the verified signatures. When the sum of the authority weights satisfies the threshold weight, the method indicates that authorization has been confirmed.
  • the authorization specification is provided as part of a first transaction recorded in a distributed ledger.
  • the signatures are provided as part of a second transaction to consume an output of the first transaction.
  • the second transaction is not valid unless the authorization has been confirmed.
  • the authority weights of at least two authorities are different.
  • the authorization specification includes a threshold weight and an authority weight for a parent authority. The method further generates a children sum of authority weights of child authorities whose signatures have been verified. When the children sum of the authority weights satisfies the threshold weight of the parent authority, the generating of the sum of the authority weights of the verified signatures factors in the authority weight of the parent authority rather than the authority weights of the child authorities.
  • a signature of an authority is a hash of a first transaction encrypted using a private key of a private/public key pair of the authority.
  • the first transaction identifies the authorization specification.
  • the signature verification information for the authority is the public key of the private/public key pair of the authority.
  • the signature verification information for an authority is a public key of a private/public key pair of the authority.
  • the authorization specification includes, for each authority, an indication of an authorization technique for that authority.
  • At least two sibling nodes have different authority weights.
  • the authority weight of a sibling node satisfies the threshold weight of its parent node and a sum of the authority weights of the other sibling nodes satisfies the threshold weight of their parent node.
  • the computer-executable instructions further record a first transaction with the authorization specification in a distributed ledger, extract the signatures from a second transaction to consume an output of the first transaction, and record the second transaction in the distributed ledger when the authorization has been confirmed.
  • the distributed ledger is a blockchain.
  • the first transaction includes a script with an instruction for confirming authorization based on multiple signatures.
  • the authority weights of at least two sibling nodes are different.
  • a signature of an authority is a hash of a first transaction encrypted by using a private key of a private/public key pair of the authority, the first transaction identifies the authorization specification, and the signature verification information for an authority is the public key of the private/public key pair of the authority. In some embodiments, the signature verification information for an authority is a public key of a private/public key pair of the authority.

Abstract

A system for confirming an authorization to consume an output of a transaction based on multiple signatures with different authority weights is provided. The system confirms the authorization to consume the output when the combined authority weights of one or more authorities that provide their authorizations satisfy a threshold weight. The authority weight for each authority and the threshold weight are identified in an authorization specification that specifies the criterion for the authorization of a matter. The authorization specification also specifies authorization verification information for each authority. When the sum of the authority weights of the authorities whose authorizations have been verified is greater than or equal to the threshold weight, the system confirms the authorization to consume the output.

Description

    CROSS-REFERENCE TO RELATED APPLICATION
  • This application is a continuation of U.S. patent application Ser. No. 15/933,283 filed on Mar. 22, 2018, which is hereby incorporated by reference in its entirety.
  • BACKGROUND
  • The bitcoin system was developed to allow electronic cash to be transferred directly from one party to another without going through a financial institution, as described in the white paper entitled “Bitcoin: A Peer-to-Peer Electronic Cash System” by Satoshi Nakamoto. A bitcoin (e.g., an electronic coin) is represented by a chain of transactions that transfers ownership from one party to another party. To transfer ownership of a bitcoin, a new transaction is generated and added to a stack of transactions in a block. The new transaction, which includes the public key of the new owner, is digitally signed by the owner with the owner's private key to transfer ownership to the new owner, as represented by the new owner public key. The signing by the owner of the bitcoin is an authorization by the owner to transfer ownership of the bitcoin to the new owner via the new transaction. Once the block is full, the block is “capped” with a block header that is a hash digest of all the transaction identifiers within the block. The block header is recorded as the first transaction in the next block in the chain, creating a mathematical hierarchy called a “blockchain.” To verify the current owner, the blockchain of transactions can be followed to verify each transaction from the first transaction to the last transaction. The new owner need only have the private key that matches the public key of the transaction that transferred the bitcoin. The blockchain creates a mathematical proof of ownership in an entity represented by a security identity (e.g., a public key), which in the case of the bitcoin system is pseudo-anonymous.
  • To ensure that a previous owner of a bitcoin did not double-spend the bitcoin (i.e., transfer ownership of the same bitcoin to two parties), the bitcoin system maintains a distributed ledger of transactions. With the distributed ledger, a ledger of all the transactions for a bitcoin is stored redundantly at multiple nodes (i.e., computers) of a blockchain network. The ledger at each node is stored as a blockchain. In a blockchain, the transactions are stored in the order that the transactions are received by the nodes. Each node in the blockchain network has a complete replica of the entire blockchain. The bitcoin system also implements techniques to ensure that each node will store the identical blockchain, even though nodes may receive transactions in different orderings. To verify that the transactions in a ledger stored at a node are correct, the blocks in the blockchain can be accessed from oldest to newest, generating a new hash of the block and comparing the new hash to the hash generated when the block was created. If the hashes are the same, then the transactions in the block are verified. The bitcoin system also implements techniques to ensure that it would be infeasible to change a transaction and regenerate the blockchain by employing a computationally expensive technique to generate a nonce that is added to the block when it is created. A bitcoin ledger is sometimes referred to as an Unspent Transaction Output (“UTXO”) set because it tracks the output of all transactions that have not yet been spent.
  • Although the bitcoin system has been very successful, it is limited to transactions in bitcoins or other cryptocurrencies. Efforts are currently underway to use blockchains to support transactions of any type, such as those relating to the sale of vehicles, sale of financial derivatives, sale of stock, payments on contracts, and so on. Such transactions use identity tokens, which are also referred to as digital bearer bonds, to uniquely identify something that can be owned or can own other things. An identity token for a physical or digital asset is generated using a cryptographic one-way hash of information that uniquely identifies the asset. Tokens also have an owner that uses an additional public/private key pair. The owner public key is set as the token owner identity, and when performing actions against tokens, ownership proof is established by providing a signature generated by the owner private key and validated against the public key listed as the owner of the token. A person can be uniquely identified, for example, using a combination of a user name, social security number, and biometric (e.g., fingerprint). A product (e.g., refrigerator) can be uniquely identified, for example, using the name of its manufacturer and its serial number. The identity tokens for each would be a cryptographic one-way hash of such combinations. The identity token for an entity (e.g., person or company) may be the public key of a public/private key pair, where the private key is held by the entity. Identity tokens can be used to identify people, institutions, commodities, contracts, computer code, equities, derivatives, bonds, insurance, loans, documents, and so on. Identity tokens can also be used to identify collections of assets. An identity token for a collection may be a cryptographic one-way hash of the digital tokens of the assets in the collection. The creation of an identity token for an asset in a blockchain establishes provenance of the asset, and the identity token can be used in transactions (e.g., buying, selling, insuring) involving the asset stored in a blockchain, creating a full audit trail of the transactions.
  • To record a simple transaction in a blockchain, each party and asset involved with the transaction needs an account that is identified by a digital token. For example, when one person wants to transfer a car to another person, the current owner and next owner create accounts, and the current owner also creates an account that is uniquely identified by the car's vehicle identification number. The account for the car identifies the current owner. The current owner creates a transaction against the account for the car that indicates that the transaction is a transfer of ownership, indicates the public keys (i.e., identity tokens) of the current owner and the next owner, and indicates the identity token of the car. The transaction is signed by the private key of the current owner, and the transaction is evidence that the next owner is now the current owner.
  • To enable more complex transactions than bitcoin can support, some systems use “smart contracts.” A smart contract is computer code that implements transactions of a contract. The computer code may be executed in a secure platform (e.g., an Ethereum platform, which provides a virtual machine) that supports recording transactions in blockchains. In addition, the smart contract itself is recorded as a transaction in the blockchain using an identity token that is a hash (i.e., identity token) of the computer code so that the computer code that is executed can be authenticated. When deployed, a constructor of the smart contract executes, initializing the smart contract and its state. The state of a smart contract is stored persistently in the blockchain. When a transaction is recorded against a smart contract, a message is sent to the smart contract, and the computer code of the smart contract executes to implement the transaction (e.g., debit a certain amount from the balance of an account). The computer code ensures that all the terms of the contract are complied with before the transaction is recorded in the blockchain. For example, a smart contract may support the sale of an asset. The inputs to a smart contract to sell a car may be the identity tokens of the seller, the buyer, and the car and the sale price in U.S. dollars. The computer code ensures that the seller is the current owner of the car and that the buyer has sufficient funds in their account. The computer code then records a transaction that transfers the ownership of the car to the buyer and a transaction that transfers the sale price from the buyer's account to the seller's account. If the seller's account is in U.S. dollars and the buyer's account is in Canadian dollars, the computer code may retrieve a currency exchange rate, determine how many Canadian dollars the seller's account should be debited, and record the exchange rate. If either transaction is not successful, neither transaction is recorded.
  • When a message is sent to a smart contract to record a transaction, the message is sent to each node that maintains a replica of the blockchain. Each node executes the computer code of the smart contract to implement the transaction. For example, if 100 nodes each maintain a replica of a blockchain, then the computer code executes at each of the 100 nodes. When a node completes execution of the computer code, the result of the transaction is recorded in the blockchain. The nodes employ a consensus algorithm to decide which transactions to keep and which transactions to discard. Although the execution of the computer code at each node helps ensure the authenticity of the blockchain, it requires large amounts of computer resources to support such redundant execution of computer code.
  • Although blockchains can effectively store transactions, the large amount of computer resources, such as storage and computational power, needed to maintain all the replicas of the blockchain can be problematic. To overcome this problem, some systems for storing transactions do not use blockchains, but rather have each party to a transaction maintain its own copy of the transaction. One such system is the Corda system developed by R3, Ltd., which provides a decentralized distributed ledger platform in which each participant in the platform has a node (e.g., computer system) that maintains its portion of the distributed ledger. When parties agree on the terms of a transaction, a party submits the transaction to a notary, which is a trusted node, for notarization. The notary maintains a UTXO database of unspent transaction outputs. When a transaction is received, the notary checks the inputs to the transaction against the UTXO database to ensure that the outputs that the inputs reference have not been spent. If the inputs have not been spent, the notary updates the UTXO database to indicate that the referenced outputs have been spent, notarizes the transaction (e.g., by signing the transaction or a transaction identifier with a public key of the notary), and sends the notarization to the party that submitted the transaction for notarization. When the party receives the notarization, the party stores the notarization and provides the notarization to the counterparties.
  • Distributed ledger systems require the signature of a designated authorizing party (“authority”) to consume the output of a transaction, such as a transaction that transfers ownership of an asset. For example, the signature of the owner (i.e., the authority) of a bitcoin must be included in a transaction that transfers ownership of that bitcoin to a new owner. The owner generates the signature with the private key corresponding to the public key included in the prior transaction that transferred the bitcoin to the owner; the signature is computed over a hash of the transaction data being authorized and is verified, by anyone, with that public key. (A digital signature is produced with the private key and checked with the public key; it is not an encryption of the hash.)
  • In many domains, requiring the authorization of only a single authority may not be sufficient to provide the needed level of security. For example, a governmental entity that is responsible for providing to its citizens notifications of imminent threats (e.g., an attack or a natural disaster) may want to require the authorization of multiple authorities before sending such a notification. As another example, a bank that has been transferred a large number of bitcoins may want to require the authorization of multiple authorities (e.g., the vice-president of finance and the vice-president of compliance) before the bitcoins can be transferred. As another example, a company that is a party to a contract may specify that the contract is not valid unless signed by multiple people (e.g., the president and the controller of the company along with a member of the board of directors of the company).
  • To support the need for multiple authorizations to take an action, many distributed ledger systems support multi-signature authorizations. For example, the script language for the bitcoin system supports a “multi-sig” instruction. The multi-sig instruction takes some number of public keys as one input parameter and a threshold number of signatures as another parameter. When the multi-sig instruction of a prior transaction is executed while validating a current transaction that inputs an output of the prior transaction, the instruction indicates that the current transaction is authorized when at least the threshold number of distinct signatures on the current transaction have been verified using the public keys of the instruction, each key counting at most once. For example, when the multi-sig instruction includes ten public keys and the threshold number is five, the current transaction is authorized when five of the public keys have each verified a signature on the current transaction. The multi-sig instruction can be considered to represent a threshold number of authorizations out of equally valued (or weighted) authorizations. Although such multi-signature authorizations provide a much higher level of security than single-signature authorizations, they require a pre-specified threshold number of signatures, and the signatures of any of the authorizing parties can be used to meet that threshold. Moreover, a single equal-weight multi-sig instruction cannot express policies such as requiring either the signatures of two specified persons or only the signature of a different specified person (e.g., the president and the controller of a company, or just the signature of a board member).
  • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 illustrates an overall structure of tree representations of authorization specifications.
  • FIGS. 2A and 2B illustrate example tree representations of authorization specifications.
  • FIG. 3 illustrates an example tree representation of an authorization specification.
  • FIG. 4 is a block diagram that illustrates components of the WMA system in some embodiments.
  • FIG. 5 is a flow diagram that illustrates the processing of a receive multi-signature transaction component in some embodiments.
  • FIG. 6 is a flow diagram that illustrates the processing of a receive consume multi-signature transaction component in some embodiments.
  • FIG. 7 is a flow diagram that illustrates the processing of a check validity component in some embodiments.
  • FIG. 8 is a flow diagram that illustrates the processing of a check cycles component in some embodiments.
  • FIG. 9 is a flow diagram that illustrates the processing of a check constraints component in some embodiments.
  • FIG. 10 is a flow diagram that illustrates the processing of a check authorization component in some embodiments.
  • DETAILED DESCRIPTION
  • A method and system for confirming an authorization of a matter based on multiple signatures with different authority weights is provided. In some embodiments, a weighted multiple authorization (“WMA”) system confirms authorization of a matter when the combined authority weights of one or more authorities that provide their authorizations satisfy a threshold weight. For example, with the bitcoin system, an authority provides an authorization to transfer an amount of bitcoin that is output by a prior transaction (i.e., the matter being authorized) by signing with their private key a hash of the prior transaction whose output is input to a current transaction. The authority weights of the authorities vary so that the authorizations of some authorities are weighted more than other authorities. For example, a first authority may have a weight of 1 and a second authority may have a weight of 3, which means that the authorization of the second authority counts three times as much toward satisfying the threshold weight. The authority weight for each authority and the threshold weight are identified in an authorization specification that specifies the criteria for the authorization of a matter. The authorization specification also specifies authorization verification information for each authority. For example, an authorization specification may include authority weights of 1, 2, and 3 for authorities A, B, and C, respectively, and a threshold weight of 3. The authorization specification may also include the public keys of authorities A, B, and C as their authorization verification information. When the sum of the authority weights of the authorities whose authorizations have been verified is greater than or equal to the threshold weight, the WMA system confirms the authorization. 
For example, if the authorizations of authorities A and B are verified, then the WMA system confirms authorization because the sum of their authority weights equals the threshold weight irrespective of whether the authorization of authority C has been provided or verified. Alternatively, if the authorization of authority C is verified, then the WMA system confirms authorization because the authority weight of authority C equals the threshold weight irrespective of whether the authorizations of authorities A or B have been provided or verified. The authorization specification of this example effectively implements the Boolean expression of “(A and B) or C,” meaning that authorization of the matter is confirmed when the authorizations of both A and B are verified or when the authorization of C is verified. This authorization specification would require, for example, the authorizations of two vice-presidents of a company to confirm authorization of a matter or the authorization of the president alone to confirm authorization of the matter.
  • Although the WMA system is described primarily in the context of matters relating to the recording of transactions in a distributed ledger, the term “matter” refers to anything that can be authorized. For example, a matter may be a person entering a secure location. Authorization to enter may be confirmed when the authorization of two security guards is verified or when the authorization of the head of security is verified. As other examples, a matter may be executing a contract on behalf of a company, accessing a safety deposit box, leaving a country, selling or purchasing assets such as personal or real property, and so on.
  • Although the WMA system is described primarily in the context of authorizations that are based on private/public key encryption, the WMA system may be used with other techniques for providing authorizations. For example, the WMA system may be used with authorities who have security tokens. A security token may store a static password. A security token may alternatively generate a dynamic password based on synchronized clocks of the security token and the WMA system. A security token may also be a smartphone or other device that receives from the WMA system a one-time code when an authority is to provide its authorization. Once the WMA system receives the password or one-time code for an authority, it verifies the authorization of that authority based on the password or one-time code. As another example, the WMA system may be used with authorities who have physical keys. Thus, when the WMA system is described as using signature-based authorizations, the authorizations may be based alternatively on these other techniques.
  • In some embodiments, an authority may be a parent authority with multiple child authorities whose authorizations determine whether authorization of the parent authority is verified. Continuing with the example of authorities A, B, and C, authority B may be a parent authority with child authorities B1, B2, and B3, which are considered to be sibling authorities represented by sibling nodes. The parent authority has a threshold weight, and each child authority has an authority weight. For example, the parent authority B may have a threshold weight of 2 and the child authorities B1, B2, and B3 may have authority weights of 1, 1, and 2, respectively. The authorization of parent authority B is verified when the sum of the authority weights of the child authorities whose authorizations are verified is equal to or greater than the threshold weight of authority B. Thus, such an authorization specification may be represented by the Boolean expression of “((A and ((B1 and B2) or B3)) or C).” A parent authority thus has a threshold weight that needs to be satisfied by the sum of the authority weights of its child authorities whose authorizations have been verified. When the threshold weight of the parent authority is satisfied, the authorization of the parent authority is verified. A parent authority (except for the topmost parent authority) also has an authority weight that is used in the verification of the authorization of its parent authority when its authorization has been verified.
  • In some embodiments, the WMA system may support the use of weighted multiple signatures for a blockchain system such as bitcoin. To support weighted multiple signatures, a blockchain system may define a “weighted multi-sig” instruction. The weighted multi-sig instruction may have two parameters: an authorization specification and a set of signatures (i.e., authorizations), possibly along with the identification (e.g., public key) of the authority who provided each signature. When the instruction is executed, it verifies each signature against the public key that the authorization specification records for the corresponding authority; a signature that does not verify under any listed key contributes no weight, and each authority contributes its weight at most once. The instruction then uses the verified signatures to determine whether the threshold weights of the authorization specification are satisfied, working up the tree to the topmost parent authority. If the threshold weight of the topmost parent authority is satisfied, then the instruction indicates that the authorization as specified by the authorization specification has been verified. For distributed ledgers that support smart contracts (e.g., Hyperledger or Ethereum), the WMA system may be implemented, at least in part, in the code of the smart contracts associated with transactions.
  • In some embodiments, a single authority may use the WMA system to provide enhanced security in providing its authorization for a matter. If the authority relies on a private/public key pair to provide authorization and if the private key is compromised (e.g., stolen or the signature scheme broken), then another party could use the private key to provide malicious authorization for the matter. To help prevent such malicious authorization, the authority could use the WMA system to require multiple authorizations from itself. For example, an authority can specify that authorizations based on three different private keys (or security tokens) are needed to confirm the authorization for the matter. The authority may store the private keys in different ways, such as storing the first private key on a cloud system, the second private key on a USB token, and the third private key in a key vault on a desktop computer. In this way, if one private key is compromised, another party cannot provide malicious authorization for the matter because the other party does not have access to the two other private keys. Also, the single party may employ various authorization specifications such as “((A1 and A2) or A3).” With such an authorization specification, the single party may store the private key for A3 in an ultra-secure vault that is accessed only if the private key for A1 or A2 is lost. Because A3 alone satisfies this specification, the protection of the A3 key bounds the security of the whole arrangement: the vault must be at least as hard to compromise as A1 and A2 together. Also, the authority may use different algorithms to generate the private/public key pairs. For example, the first key pair may be generated using a Rivest-Shamir-Adleman (“RSA”) algorithm such as RSA-3072, the second key pair may be generated using the Elliptic Curve Digital Signature Algorithm (“ECDSA”), and the third key pair may be generated using a SPHINCS algorithm (see Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, Zooko Wilcox-O'Hearn, “SPHINCS: practical stateless hash-based signatures,” Advances in Cryptology—EUROCRYPT 2015, 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, Apr. 26-30, 2015, pp. 368-397, which is herein incorporated by reference). Continuing with the example authorization specification of “(A1 and A2),” if the algorithm used to generate A1 is broken, another party still cannot provide malicious authorization for the matter, because the A2 signature would also have to be forged.
  • The WMA system may be used to employ different algorithms for various reasons. For example, the RSA and ECDSA algorithms are considered to be classical algorithms because a sufficiently large quantum computer is expected to break them (both rest on problems that Shor's algorithm solves efficiently). In contrast, the SPHINCS algorithm is considered to be a post-quantum algorithm because its security rests only on properties of its underlying hash functions, for which no quantum attack beyond a generic speedup is known. The WMA system may thus support authorizations based on a combination of classical algorithms and post-quantum algorithms. An authorization specification may be “(A and B)” where A represents authorization with a classical algorithm and B represents authorization with a post-quantum algorithm. Thus, the authorization is secure even if one of the classical algorithm or the post-quantum algorithm (but not both) is compromised; an “(A or B)” specification would have the opposite property, since breaking either algorithm would suffice. As another example, different regulators (e.g., national banking regulators) may mandate particular algorithms. A first banking regulator of one country may require use of an RSA algorithm, and a second banking regulator of another country may require use of an ECDSA algorithm. In such a case, the WMA system may be used to verify authorization based on either algorithm, which may be represented as “(A or B)” where A represents the authorization of the first banking regulator and B represents the authorization of the second banking regulator. As another example, a first regulator may, for security reasons, require that authorization be allowed only based on a first algorithm under the assumption that the first algorithm is very secure. A second regulator may, for similar reasons, require that authorizations be allowed only based on a second algorithm. In such a case, to accommodate both regulators, they may agree to an authorization that requires both algorithms with an authorization specification such as “(A and B)” where A represents the first algorithm and B represents the second algorithm.
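  • The following is an added example, not code from the patent, from R3's Corda or from the bitcoin script language, of the “weighted multi-sig” check described above combined with the per-authority algorithm choice of the preceding paragraphs: each signature is verified under the algorithm and public key that the authorization specification records for that authority, and only then is the authority's weight counted. Since no RSA, ECDSA or SPHINCS implementation ships with the Python standard library, the two algorithms are Lamport one-time signatures over SHA-256 and over SHA3-256, which are actual hash-based signatures (the family SPHINCS builds on) rather than stand-ins. The authority names, weights and the signed message are constructed for the demonstration and do not come from the page.

```python
"""Weighted multi-sig check that verifies each signature with the signer's own
algorithm before its weight is counted.

Added example; not code from the patent, from R3's Corda or from bitcoin script.
The two algorithms are Lamport one-time signatures over SHA-256 and over SHA3-256:
real hash-based signatures that need only the standard library, standing in for
the RSA/ECDSA/SPHINCS mix discussed in the text. Authority names, weights and the
signed message are constructed for the demo.
"""
import hashlib
import secrets

# Algorithm identifier -> hash function. Two unrelated hash functions, so that a
# break of one leaves signatures under the other intact.
ALGORITHMS = {"lamport-sha256": hashlib.sha256, "lamport-sha3-256": hashlib.sha3_256}


def _bits(alg, message):
    """The 256 digest bits of the message, most significant bit first."""
    digest = ALGORITHMS[alg](message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen(alg):
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their hashes.
    A Lamport key must sign only one message; a second signature reveals enough
    preimages for an attacker to forge."""
    h = ALGORITHMS[alg]
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a).digest(), h(b).digest()) for a, b in sk]
    return sk, pk


def sign(alg, sk, message):
    """Reveal, for every digest bit, the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(alg, message))]


def verify(alg, pk, message, signature):
    """Hash each revealed preimage and compare with the public-key entry for that bit."""
    h = ALGORITHMS[alg]
    if len(signature) != 256:
        return False
    return all(h(signature[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_bits(alg, message)))


def weighted_multisig(spec, message, signatures):
    """spec = {"threshold": t, "authorities": {name: (alg, pk, weight)}};
    signatures = {name: sig}, one entry per authority so nobody is counted twice.
    Returns (authorized, accumulated_weight)."""
    total = 0
    for name, sig in signatures.items():
        entry = spec["authorities"].get(name)
        if entry is None:
            continue                          # signer not in the specification: no weight
        alg, pk, weight = entry
        if verify(alg, pk, message, sig):     # weight is added only after verification
            total += weight
    return total >= spec["threshold"], total


def demo():
    """A (weight 1), B (weight 2), C (weight 3), threshold 3, i.e. "(A and B) or C"."""
    message = b"consume output 0 of the prior multi-signature transaction"  # constructed
    setup = {"A": ("lamport-sha256", 1), "B": ("lamport-sha3-256", 2),
             "C": ("lamport-sha3-256", 3)}
    spec = {"threshold": 3, "authorities": {}}
    sigs = {}
    for name, (alg, weight) in setup.items():
        sk, pk = keygen(alg)
        spec["authorities"][name] = (alg, pk, weight)
        sigs[name] = sign(alg, sk, message)
    rogue_sk, _ = keygen("lamport-sha3-256")             # key not listed in the spec
    forged_c = sign("lamport-sha3-256", rogue_sk, message)
    return {
        "A+B": weighted_multisig(spec, message, {"A": sigs["A"], "B": sigs["B"]}),
        "C": weighted_multisig(spec, message, {"C": sigs["C"]}),
        "A": weighted_multisig(spec, message, {"A": sigs["A"]}),
        "A+forged C": weighted_multisig(spec, message, {"A": sigs["A"], "C": forged_c}),
        "A+B on other message": weighted_multisig(
            spec, b"a different message", {"A": sigs["A"], "B": sigs["B"]}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} authorized={result[0]} weight={result[1]}")
```

demo() returns each scenario as (authorized, accumulated weight): A plus B and C alone reach the threshold of 3, A alone does not, a signature from a key that is not listed adds nothing even when it is submitted under C's name, and signatures made over one message verify under no key for another. A Lamport key is single-use; a deployment would use a many-time scheme such as SPHINCS, but the weighted-threshold logic is unchanged.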
  • FIG. 1 illustrates an overall structure of tree representations of authorization specifications. A tree 100 includes nodes 101-110, each of which represents an authority. The ellipses indicate that the tree can have many other nodes. Node 101 is a root node, nodes 102-104 are non-leaf nodes, and nodes 105-110 are leaf nodes. The non-leaf nodes (including the root node) represent parent authorities, and nodes 105-110 represent authorities whose authorization verification information is included in an authorization specification. A parent authority is considered to be a composite authority because it represents a composite of the authorities of its descendant leaf nodes. The non-leaf nodes include a threshold weight (“T”) and, except for the root node, an authority weight (“W”). The leaf nodes include an authority weight and authorization verification information (“K”). The WMA system supports authorization specifications with a tree of arbitrary width and depth.
  • FIGS. 2A and 2B illustrate example tree representations of authorization specifications. A tree 200 includes a root node 201, which is a parent authority, with a threshold weight of 100; leaf node 202 represents authority A and has an authority weight of 100 and a public key KA of authority A; leaf node 203 represents authority B and has an authority weight of 50 and a public key KB of authority B; and leaf node 204 represents authority C and has an authority weight of 50 and a public key KC of authority C. The tree 200 represents an authorization specification represented by the Boolean expression “(A or (B and C))” because the authority weight of authority A is equal to the threshold weight and the sum of the authority weights of authority B and authority C is equal to the threshold weight. A tree 210 includes a root node 211, which is a parent node, with a threshold weight of 100; leaf node 212 represents authority A and has an authority weight of 99 and a public key KA; leaf node 213 represents authority B and has an authority weight of 1 and a public key KB; and leaf node 214 represents authority C and has an authority weight of 1 and a public key KC. The tree 210 represents an authorization specification represented by the Boolean expression “(A and (B or C))” because the sum of the authority weights of authority A and authority B is equal to the threshold weight and the sum of the authority weights of authority A and authority C is equal to the threshold weight, while no combination that omits A reaches it. In general, the authority weights of at least two sibling nodes are different.
  • FIG. 3 illustrates an example tree representation of an authorization specification. A tree 300 includes a root node 301, non-leaf node 302, and leaf nodes 303-308. The tree 300 is similar to the tree 200 except that node 202 representing authority A is replaced by a parent node 302 for a parent authority A. A parent node may also be referred to as a “composite key” in the sense that it has multiple descendant nodes with public keys. For example, node 302 represents a composite key because it is the parent node, or more generally the ancestor node, of multiple leaf nodes that include keys. The nodes 303-306 include authority weights and public keys KA1-KA4 for child authorities A1-A4 of authority A. The tree 300 represents an authorization specification represented by the Boolean expression of “((A1 or (A2 and (A3 or A4))) or (B and C)).” If nodes 305′ and 306′ were to replace nodes 305 and 306, then the authorization specification would be represented by the Boolean expression of “((A1 or (A2 and A3 and A4)) and (B and C)).”
  • FIG. 4 is a block diagram that illustrates components of the WMA system in some embodiments. In the following, the WMA system is described primarily in the context of authorizations to consume outputs of transactions recorded in a distributed ledger such as a blockchain. The WMA system can also be used for authorization of other matters, as described above. The WMA system provides components for distributed ledger nodes 410 and client devices 420 that are connected via a communication channel 430. The distributed ledger nodes include a receive multi-signature transaction component 411, a check validity component 412, a check cycles component 413, a check constraints component 414, a receive consume multi-signature transaction component 415, and a check authorization component 416. The distributed ledger nodes also include a distributed ledger store 417 for storing, for example, blocks of a blockchain. The receive multi-signature transaction component receives a transaction that includes an authorization specification and invokes the check validity component to ensure that the authorization specification is valid. The check validity component invokes the check cycles component to ensure that the authorization specification represents a properly formed tree (e.g., without cycles) and invokes the check constraints component to ensure that the authorization specification satisfies various constraints. The receive consume multi-signature transaction component receives a current transaction to consume an output of a prior transaction that includes an authorization specification and invokes the check authorization component to verify the authorization of the current transaction based on the authorization specification. The client devices include a create multi-signature transaction component 421, a create consume multi-signature transaction component 422, and a collect signatures component 423. 
The create multi-signature transaction component creates a transaction that includes an authorization specification. The create consume multi-signature transaction component creates a transaction that consumes the output of a multi-signature transaction. The create consume multi-signature transaction component invokes the collect signatures component to collect signatures of authorities specified by the authorization specification of a multi-signature transaction to consume the output of the multi-signature transaction. The collect signatures component may interact with user interface components to obtain confirmations from the authorities to use their private keys to sign the prior multi-signature transaction whose output is to be consumed. The client devices may store private keys locally, access private keys stored remotely, or receive private keys from the authority each time a signature is needed. The collect signatures component may alternatively obtain such confirmations from other computing devices or may receive signatures from other computing devices without having any access to private keys; of these options, receiving only signatures keeps each private key on its authority's own device and exposes the least key material to the client.
  • The computing systems (e.g., network nodes or collections of network nodes) on which the WMA system may be implemented may include a central processing unit, input devices, output devices (e.g., display devices and speakers), storage devices (e.g., memory and disk drives), network interfaces, graphics processing units, cellular radio link interfaces, global positioning system devices, and so on. The input devices may include keyboards, pointing devices, touch screens, gesture recognition devices (e.g., for air gestures), head and eye tracking devices, microphones for voice recognition, and so on. The computing systems may include desktop computers, laptops, tablets, e-readers, personal digital assistants, smartphones, gaming devices, servers, and so on. The computing systems may access computer-readable media that include computer-readable storage media and data transmission media. The computer-readable storage media are tangible storage means that do not include a transitory, propagating signal. Examples of computer-readable storage media include memory such as primary memory, cache memory, and secondary memory (e.g., DVD) and other storage. The computer-readable storage media may have recorded on them or may be encoded with computer-executable instructions or logic that implements the WMA system. The data transmission media are used for transmitting data via transitory, propagating signals or carrier waves (e.g., electromagnetism) via a wired or wireless connection. The computing systems may include a secure cryptoprocessor as part of a central processing unit for generating and securely storing keys and for encrypting and decrypting data using the keys.
  • The WMA system may be described in the general context of computer-executable instructions, such as program modules and components, executed by one or more computers, processors, or other devices. Generally, program modules or components include routines, programs, objects, data structures, and so on that perform tasks or implement data types of the WMA system. Typically, the functionality of the program modules may be combined or distributed as desired in various examples. Aspects of the WMA system may be implemented in hardware using, for example, an application-specific integrated circuit (“ASIC”) or field programmable gate array (“FPGA”).
  • FIG. 5 is a flow diagram that illustrates the processing of a receive multi-signature transaction component in some embodiments. A receive multi-signature transaction component 500 is passed a transaction that includes an authorization specification, checks the validity of the transaction, and, if the transaction is valid, stores the transaction in the distributed ledger. In block 501, the component extracts the authorization specification and stores it as a tree data structure. In block 502, the component invokes a check validity component, passing an indication of the root node of the tree, and receives the result of the validity check. In decision block 503, if the result indicates that the validity check was passed, then the component continues at block 504, else the component completes. In block 504, the component stores the multi-signature transaction in the distributed ledger. The component then completes. The ellipsis between blocks 503 and 504 indicates that the component would typically perform additional validity checks (e.g., check for spent inputs) to ensure that the transaction is valid for reasons unrelated to the authorizations.
  • FIG. 6 is a flow diagram that illustrates the processing of a receive consume multi-signature transaction component in some embodiments. The receive consume multi-signature transaction component 600 is passed an indication of a current transaction that consumes the output of a prior transaction with an authorization specification, confirms the authorization to consume the output, and if the authorization is confirmed, records the current transaction. In block 601, the component extracts signatures from the current transaction. In block 602, the component extracts the authorization specification from the prior transaction and stores it as a tree data structure. In block 603, the component invokes a check authorization component, passing an indication of the root node of the tree data structure, and receives the result of the check. In decision block 604, if the result indicates that authorization has been confirmed, then the component continues at block 605, else the component completes. In block 605, the component records the current transaction in the distributed ledger and completes. The ellipsis between blocks 604 and 605 indicates that the component would typically perform validity checks (e.g., check for spent inputs) to ensure that the transaction is valid for reasons unrelated to the authorizations.
  • FIG. 7 is a flow diagram that illustrates the processing of a check validity component in some embodiments. A check validity component 700 is passed a root node of a tree representing an authorization specification and ensures that the authorization specification is valid. In decision block 701, if the root node is a composite node (i.e., represents a parent authority), then the component continues at block 702, else the component completes, indicating that the validity check was passed. In block 702, the component invokes the check cycles component, passing an indication of the root node and receiving the result of the check. In decision block 703, if the result indicates that the cycle check was passed (e.g., no cycles), then the component continues at block 704, else the component completes, indicating that the validity check was not passed. In block 704, the component invokes a check constraints component, passing an indication of the root node and receiving the result of the check of the constraints. In decision block 705, if the result indicates that the check of constraints was passed, then the component continues at block 706, else the component completes, indicating that the validity check was not passed. In blocks 706-710, the component checks the constraints of each descendant node. In block 706, the component selects the next descendant node of the root node. In decision block 707, if all the descendant nodes have already been selected, then the component completes, indicating that the validity check was passed, else the component continues at block 708. In decision block 708, if the selected node represents a composite authority, then the component continues at block 709, else the component loops to block 706 to select the next descendant node. In block 709, the component invokes the check constraints component, passing an indication of the selected node, and receives the result of the check of the constraints. In decision block 710, if the result indicates that the check of the constraints was passed, then the component loops to block 706 to select the next descendant node, else the component completes, indicating that the validity check was not passed. The cycle check runs before any traversal of descendants so that the later walks are guaranteed to terminate.
  • FIG. 8 is a flow diagram that illustrates the processing of a check cycles component in some embodiments. A check cycles component 800 is invoked, passing an indication of a composite node, and checks for cycles. The component is initially passed a root node and is recursively invoked to process descendant nodes. In block 801, the component selects the next child node of the composite node. In decision block 802, if all the child nodes have already been selected, then the component completes, indicating that the check for cycles was passed, else the component continues at block 803. In decision block 803, if the child node is a composite node, then the component continues at block 804, else the component loops to block 801 to select the next child node. In decision block 804, if the child node has been previously visited (i.e., a cycle exists), then the component completes, indicating that the check for cycles was not passed, else the component continues at block 805. In block 805, the component marks the child node as having been visited. In block 806, the component invokes the check cycles component, passing an indication of the child node and receiving an indication of whether the check for cycles was passed. In decision block 807, if the result indicates that the check for cycles was passed, then the component loops to block 801 to select the next child node, else the component completes, indicating that the check for cycles was not passed. Because visited marks are never cleared, a composite node reachable from two different parents (a shared subtree) is also rejected; this is intended, since an authorization specification must be a proper tree so that no authority's weight can be counted along two paths.
  • FIG. 9 is a flow diagram that illustrates the processing of a check constraints component in some embodiments. A check constraints component 900 is passed an indication of the root node of a tree that represents an authorization specification and determines whether the tree satisfies various constraints. In block 901, the component checks to ensure that there are no duplicate public keys in the authorization specification. A duplicate public key would mean either that one authority has to provide multiple signatures or that a single signature is counted toward two authority weights. In such a case, the authorization specification could be reformulated to avoid the duplicate. Alternatively, the WMA system could be implemented to accommodate such multiple signatures. In block 902, the component checks to ensure that each non-leaf node includes more than one child node. If a non-leaf node included only one child node, then the non-leaf node could be replaced by the child node. In block 903, the component checks to ensure that each threshold weight is greater than zero; a threshold weight of zero (or a negative one) would be satisfied with no authorizations at all. In block 904, the component checks to ensure that the threshold weight of a non-leaf node is less than or equal to the sum of the authority weights of its child nodes. If the threshold weight exceeded that sum, the authorization of the parent authority represented by the non-leaf node could never be confirmed, even with the signatures of every child authority. In decision block 905, if all the checks have been passed, then the component completes with an indication that the checks have been passed, else the component completes with an indication that the checks were not passed.
  • In some embodiments, the component may perform additional checks. For example, the component may ensure that the sum of all possible combinations of authority weights of child nodes of a parent node is not greater than the maximum integer value to prevent an overflow when checking authorizations. The WMA system may also represent weights as real values. Also, rather than using explicit authority weights and threshold weights, the WMA system may represent an authorization specification using a Boolean expression, as described above. If so, the authority weights and the threshold weights could all be considered to be 1 (e.g., true). In such a case, a value of 1 or true can be used to represent authorities whose authorization is verified and 0 or false can be used otherwise. So, for example, the authorization specification represented by tree 300 may be verified by evaluating the Boolean expression of “((A1 or (A2 and (A3 or A4))) or (B and C)).” If the authorization of A2, B, and C are verified, the expression to evaluate would be “((0 or (1 and (0 or 0))) or (1 and 1)),” which would evaluate to 1 or true, confirming authorization.
  • FIG. 10 is a flow diagram that illustrates the processing of a check authorization component in some embodiments. A check authorization component 1000 is passed an indication of a node and determines whether the signatures indicate that the authorization is provided. In block 1001, the component initializes a total weight variable to zero. The total weight variable will accumulate the authority weights of authorizations of child nodes. In block 1002, the component selects the next child node. In decision block 1003, if all the child nodes have already been selected, then the component completes, returning an indication that the authorization check failed, else the component continues at block 1004. In decision block 1004, if the child node represents a composite authority, then the component continues at block 1005, else the component continues at block 1007. In block 1005, the component recursively invokes the check authorization component, passing an indication of the selected node and receiving the result of the check. In decision block 1006, if the result indicates that the authorization was passed, then the component continues at block 1008, else the component loops to block 1002 to select the next child node. In decision block 1007, if the signature for the child node has been provided and verified, then the component continues at block 1008, else the component loops to block 1002 to select the next child node. In block 1008, the component increments the total weight by the authority weight of the child node. In decision block 1009, if the total weight is greater than or equal to the threshold weight of the passed node, then the component completes, indicating that the authorization has been confirmed, else the component loops to block 1002 to select the next child node.
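The three components above (the FIG. 8 cycle check, the FIG. 9 constraint checks and the FIG. 10 threshold evaluation) together with the Boolean-expression embodiment of tree 300, as one added Python example. This is illustrative code written for this page, not the WMA system's own implementation; the `Leaf`/`Composite` classes, the function names and the `tree_300()`, `weighted_spec()` and `cyclic_spec()` fixtures are assumptions. Leaf verification is modelled as membership of the leaf's public key in a set of already-verified signatures, which is the "provided and verified" test of block 1007 with the signature verification itself done beforehand. The fourth FIG. 9 check is coded as its stated rationale requires: the child weights must be able to reach the threshold, otherwise the parent authority could never be confirmed. The Boolean form is the all-weights-1 special case: an OR node has threshold 1, an AND node has a threshold equal to its number of children.

```python
"""WMA authorization tree: FIG. 8 cycle check, FIG. 9 constraint checks, FIG. 10
threshold evaluation. Illustrative code for this page, not the WMA system's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Leaf:
    """An authority: signature verification info (a public-key label) and its weight."""
    pubkey: str
    weight: int = 1

@dataclass
class Composite:
    """A composite authority: confirmed when confirmed child weights reach the
    threshold; `weight` is what it then contributes to its own parent."""
    threshold: int
    children: list = field(default_factory=list)
    weight: int = 1

def check_cycles(node: Composite, visited: Optional[Set[int]] = None) -> bool:
    """FIG. 8: True when no composite node is reached twice. The root is marked
    visited on entry; a shared subtree counts as a cycle, as in the diagram."""
    if visited is None:
        visited = {id(node)}
    for child in node.children:
        if not isinstance(child, Composite):
            continue                        # leaves cannot start a cycle
        if id(child) in visited:
            return False                    # block 804: already visited
        visited.add(id(child))              # block 805
        if not check_cycles(child, visited):
            return False                    # block 807: a descendant failed
    return True

def check_constraints(root: Composite) -> List[str]:
    """FIG. 9: violated constraints; an empty list means all checks passed."""
    problems: List[str] = []
    seen: Set[str] = set()

    def walk(node) -> None:
        if isinstance(node, Leaf):
            if node.pubkey in seen:         # block 901: no duplicate public keys
                problems.append(f"duplicate public key {node.pubkey}")
            seen.add(node.pubkey)
            return
        if len(node.children) < 2:          # block 902: a lone child is redundant
            problems.append("non-leaf node with fewer than two children")
        if node.threshold < 0:              # block 903
            problems.append("negative threshold weight")
        if sum(c.weight for c in node.children) < node.threshold:
            problems.append("threshold weight unreachable by the child weights")
        for child in node.children:
            walk(child)

    walk(root)
    return problems

def check_authorization(node: Composite, verified: Set[str]) -> bool:
    """FIG. 10: accumulate child weights and stop once the threshold is met.
    `verified` holds the public keys whose signatures were verified beforehand."""
    total = 0
    for child in node.children:
        if isinstance(child, Composite):
            confirmed = check_authorization(child, verified)   # block 1005
        else:
            confirmed = child.pubkey in verified               # block 1007
        if confirmed:
            total += child.weight                              # block 1008
            if total >= node.threshold:                        # block 1009
                return True
    return False

# Boolean embodiment: all weights 1; OR needs one confirmed child, AND needs all.
def OR(*children) -> Composite:
    return Composite(threshold=1, children=list(children))

def AND(*children) -> Composite:
    return Composite(threshold=len(children), children=list(children))

def tree_300() -> Composite:
    """((A1 or (A2 and (A3 or A4))) or (B and C)) from the description."""
    return OR(OR(Leaf("A1"), AND(Leaf("A2"), OR(Leaf("A3"), Leaf("A4")))),
              AND(Leaf("B"), Leaf("C")))

def weighted_spec() -> Composite:
    """Constructed spec with unequal weights: the CEO alone, or CFO plus COO, or
    CFO plus a two-of-three audit committee (which counts 2 towards the parent)."""
    committee = Composite(threshold=2, weight=2,
                          children=[Leaf("aud1"), Leaf("aud2"), Leaf("aud3")])
    return Composite(threshold=3, children=[Leaf("ceo", 3), Leaf("cfo", 2),
                                            Leaf("coo", 1), committee])

def cyclic_spec() -> Composite:
    """Constructed malformed spec whose composite nodes reference each other."""
    a = Composite(threshold=1, children=[Leaf("x")])
    b = Composite(threshold=1, children=[Leaf("y"), a])
    a.children.append(b)
    return a
```

Run the FIG. 8 check before the FIG. 9 and FIG. 10 walks: both recurse over the children and would not terminate on a specification such as `cyclic_spec()`. The FIG. 9 overflow check is omitted because Python integers do not overflow; a fixed-width implementation would add it, bounding the worst-case sum of sibling weights at each node.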
  • The following paragraphs describe various embodiments of aspects of the WMA system. An implementation of the WMA system may employ any combination of the embodiments. The processing described below may be performed by a computing device with a processor that executes computer-executable instructions stored on a computer-readable storage medium that implements the WMA system.
  • In some embodiments, a method performed by a computing system is provided for confirming an authorization based on multiple signatures of authorities. The method accesses an authorization specification that specifies a threshold weight and, for each of a plurality of authorities, signature verification information and an authority weight. The method accesses signatures of at least some of the authorities. For each signature of an authority, the method verifies the signature using the signature verification information of the authority. The method generates a sum of the authority weights of the verified signatures. When the sum of the authority weights satisfies the threshold weight, the method indicates that authorization has been confirmed. In some embodiments, the authorization specification is provided as part of a first transaction recorded in a distributed ledger, the signatures are provided as part of a second transaction to consume an output of the first transaction, and the second transaction is not valid unless the authorization has been confirmed. In some embodiments, the authority weights of at least two authorities are different. In some embodiments, the authorization specification includes a threshold weight and an authority weight for a parent authority. The method further generates a children sum of authority weights of child authorities whose signatures have been verified. When the children sum of the authority weights satisfies the threshold weight of the parent authority, the generating of the sum of the authority weights of the verified signatures factors in the authority weight of the parent authority rather than the authority weights of the child authorities. In some embodiments, a signature of an authority is a hash of a first transaction encrypted using a private key of a private/public key pair of the authority.
The first transaction identifies the authorization specification, and the signature verification information for the authority is the public key of the private/public key pair of the authority. In some embodiments, the signature verification information for an authority is a public key of a private/public key pair of the authority. In some embodiments, the authorization specification includes, for each authority, an indication of an authorization technique for that authority.
  • In some embodiments, a computer-readable storage medium storing an authorization specification is provided. The authorization specification includes a root node with a threshold weight and child nodes of non-leaf nodes. Each child node has an authority weight. When a child node is a leaf node, the authorization specification includes signature verification information of an authority. When a child node is a non-leaf node, the authorization specification includes a threshold weight. In some embodiments, the authorization specification is stored as a part of a transaction in a distributed ledger. In some embodiments, the signature verification information for an authority is a public key of a private/public key pair of the authority. In some embodiments, each non-leaf node includes at least two child nodes. In some embodiments, at least two sibling nodes have different authority weights. In some embodiments, the authority weight of a sibling node satisfies the threshold weight of its parent node and a sum of the authority weights of the other sibling nodes satisfies the threshold weight of their parent node.
  • In some embodiments, a computer system is provided for confirming an authorization based on multiple signatures, the computer system comprising one or more computer-readable storage mediums and one or more processors for executing the computer-executable instructions stored in the one or more computer-readable storage mediums. The computer-readable storage mediums store an authorization specification represented as a tree. The tree has a root node with a threshold weight and child nodes of non-leaf nodes. Each child node has an authority weight. When a child node is a leaf node, the authorization specification includes signature verification information of an authority. When a child node is a non-leaf node, the authorization specification includes a threshold weight. The computer-readable storage mediums store signatures of at least some of the authorities. The computer-readable storage mediums further store computer-executable instructions. The computer-executable instructions, for each signature of an authority, verify the signature using the signature verification information of the authority. For each set of sibling nodes, the computer-executable instructions sum the authority weights of zero or more sibling nodes that are leaf nodes and have verified signatures of their authorities and sum the authority weights of zero or more non-leaf nodes whose threshold weight is satisfied by the authority weights of their child nodes, and when the sum of the authority weights satisfies the threshold weight of the parent node of the sibling nodes, indicate that the threshold weight of the parent node is satisfied. The computer-executable instructions, when the threshold weight of the root node is indicated as being satisfied, indicate that the authorization has been confirmed.
In some embodiments, the computer-executable instructions further record a first transaction with the authorization specification in a distributed ledger, extract the signatures from a second transaction to consume an output of the first transaction, and record the second transaction in the distributed ledger when the authorization has been confirmed. In some embodiments, the distributed ledger is a blockchain. In some embodiments, the first transaction includes a script with an instruction for confirming authorization based on multiple signatures. In some embodiments, the authority weights of at least two sibling nodes are different. In some embodiments, a signature of an authority is a hash of a first transaction encrypted by using a private key of a private/public key pair of the authority, the first transaction identifies the authorization specification, and the signature verification information for an authority is the public key of the private/public key pair of the authority. In some embodiments, the signature verification information for an authority is a public key of a private/public key pair of the authority.
  • In some embodiments, a method performed by a computing system for confirming an authorization is provided. The method determines whether authority weights associated with authorities who provided their authorizations satisfy a threshold weight. At least two of the authorities are associated with different authority weights. Upon determining that the authority weights satisfy the threshold weight, the method indicates that the authorization has been confirmed. In some embodiments, the authorization is for consuming an output of a transaction recorded in a distributed ledger. In some embodiments, the output specifies an amount of a cryptocurrency. In some embodiments, the threshold weight and the authority weights are specified in an authorization specification. In some embodiments, the authorization of an authority is a signature of the authority with a private key of a private/public key pair of the authority over information relating to a matter being authorized. In some embodiments, the information relating to the matter being authorized is a hash derived from the matter being authorized.
  • In some embodiments, a method performed by a computing system for confirming an authorization is provided. The method accesses a Boolean expression of an authorization specification based on authorities. The Boolean expression does not represent a threshold number of authorizations out of equal authorizations. The method accesses an indication of verified authorizations of the authorities. For each authority whose authorization is verified, the method sets its value to true. For each authority whose authorization is not verified, the method sets its value to false. The method evaluates the Boolean expression based on these settings. The method indicates that the authorization is confirmed when the Boolean expression evaluates to true.
  • In some embodiments, a computing system for confirming an authorization for an authority is provided. The computing system determines whether authority weights associated with authorizations of the authority satisfy a threshold weight. At least two of the authorizations are associated with different authority weights. The computing system, upon determining that the authority weights satisfy the threshold weight, indicates that the authorization has been confirmed. In some embodiments, the authorizations are based on different private/public key pair algorithms. In some embodiments, the authorizations are based on different techniques for providing authorizations. In some embodiments, a technique is based on a security token. In some embodiments, a technique is based on a private/public key pair.
  • In some embodiments, a method performed by a computing system for confirming an authorization based on multiple signatures is provided. The method accesses an authorization specification whose signature verification information specifies a first signature based on a first signature algorithm and a second signature based on a second signature algorithm. The method verifies a first signature using the first signature algorithm. The method verifies a second signature using the second signature algorithm. The method indicates that authorization has been confirmed based on the verifications. In some embodiments, the first signature algorithm is based on a classical algorithm and the second signature algorithm is based on a post-quantum algorithm. In some embodiments, authorization is confirmed when both the first signature and the second signature are verified.
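An added Python example of the per-authority technique indicator and of the hybrid classical-plus-post-quantum embodiment just described; it is written for this page and is not the WMA system's code. Verification dispatches on an algorithm tag carried in the authorization specification (the `alg` and `id` field names are assumptions), and the rule "confirmed only when both signatures verify" is expressed in the weighted form as a threshold equal to the sum of the two weights. The two schemes are a Schnorr signature in a tiny prime-order subgroup standing in for the classical (discrete-log) algorithm, with p=23, q=11, g=2 as illustration-only parameters that offer no security, and a Lamport one-time signature over SHA-256 as a genuine hash-based, post-quantum-style scheme. The standard library has no production signature primitive; a deployment would put Ed25519, ECDSA or RSA in the first slot and a standardized hash-based or lattice scheme in the second.

```python
"""Per-authority algorithm indicator and hybrid two-algorithm confirmation.
Illustrative code for this page; toy parameters, not the WMA system's own code."""
import hashlib
import secrets

# Algorithm 1: Schnorr signature in a tiny prime-order subgroup, standing in for a
# classical (discrete-log) scheme. p=23, q=11, g=2 are illustration-only
# parameters with no security whatsoever; g has order q modulo p.
P, Q, G = 23, 11, 2

def _challenge(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(2, "big") + msg).digest(), "big") % Q

def schnorr_keygen():
    x = secrets.randbelow(Q - 1) + 1           # private exponent in [1, q-1]
    return x, pow(G, x, P)                     # (private, public)

def schnorr_sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1           # fresh nonce per signature
    e = _challenge(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def schnorr_verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P      # g^s * y^e == g^k for an honest signer
    return _challenge(r, msg) == e

# Algorithm 2: Lamport one-time signature over SHA-256, a genuine hash-based
# (post-quantum style) scheme. Each key pair must sign exactly one message.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]   # reveal one preimage per bit

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][b] for i, b in enumerate(_bits(msg)))

# The authorization specification tags every entry with its technique ("alg", an
# assumed field name); verification dispatches on that tag.
VERIFIERS = {"toy-schnorr": schnorr_verify, "lamport-sha256": lamport_verify}

def confirm(spec, signatures, msg: bytes, threshold: int) -> bool:
    """Weighted confirmation over a flat list of entries {"id", "alg", "pubkey",
    "weight"}; `signatures` maps an entry id to the signature that was provided."""
    total = 0
    for entry in spec:
        verify = VERIFIERS.get(entry["alg"])
        sig = signatures.get(entry["id"])
        if verify is None or sig is None:      # unknown technique or no signature
            continue
        if verify(entry["pubkey"], msg, sig):
            total += entry["weight"]
    return total >= threshold

def hybrid_demo(tamper: bool = False, omit: str = "") -> bool:
    """One authority holding a classical and a post-quantum key pair; the threshold
    equals the sum of both weights, so confirmation needs both signatures."""
    x, y = schnorr_keygen()
    lsk, lpk = lamport_keygen()
    tx_hash = hashlib.sha256(b"constructed first-transaction bytes").digest()
    spec = [{"id": "classical", "alg": "toy-schnorr", "pubkey": y, "weight": 1},
            {"id": "pq", "alg": "lamport-sha256", "pubkey": lpk, "weight": 1}]
    sigs = {"classical": schnorr_sign(x, tx_hash), "pq": lamport_sign(lsk, tx_hash)}
    sigs.pop(omit, None)                                  # simulate a missing signature
    msg = hashlib.sha256(b"altered bytes").digest() if tamper else tx_hash
    return confirm(spec, sigs, msg, threshold=2)
```

`confirm` silently skips an entry whose technique tag is unknown, so an authority whose specification names an unsupported algorithm can never contribute weight; a verifier should reject such a specification when it is recorded rather than discover the gap at confirmation time.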
  • Although the subject matter has been described in language specific to structural features and/or acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims. For example, various types of authorization techniques may be used, such as RSA-2048, RSA-4096, and so on. The authorization verification information may be augmented to specify the type of authorization technique so that the WMA system selects the appropriate technique when verifying an authorization. Accordingly, the invention is not limited except as by the appended claims.

Claims (21)

1-35. (canceled)
36. A method, performed by a computing system having one or more processors and one or more memories, for confirming an authorization of a matter, the method comprising:
accessing an authorization specification that specifies, for each of one or more authorities,
signature verification information for one or more signatures, and
an authority weight associated with at least one of the one or more signatures;
receiving a request to confirm an authorization of a matter;
in response to receiving the request to confirm the authorization of the matter;
accessing a plurality of signatures of a first authority of the one or more authorities;
for each of two or more accessed signatures,
performing a verification check on the accessed signature based on the signature verification information specified by the accessed authorization specification;
combining the authority weights of the verified signatures;
determining that the combination of the authority weights of the verified signatures satisfies a threshold weight; and
in response to determining that the combination of the authority weights of the verified signatures satisfies the threshold weight,
indicating that authorization of the matter has been confirmed.
37. The method of claim 36, wherein accessing a plurality of signatures of the first authority comprises accessing a plurality of different private keys of the first authority, wherein each of the plurality of different private keys for the first authority is generated using a different algorithm.
38. The method of claim 37, further comprising:
checking for cycles in the authorization specification in response to receiving a node of the authorization specification.
39. The method of claim 36, wherein the signature verification information comprises public keys, the method further comprising:
checking to ensure that there are no duplicate public keys in the authorization specification.
40. The method of claim 36, further comprising:
ensuring that each sum of possible combinations of authority weights of child nodes of a first node in the authorization specification is not greater than a maximum integer value.
41. The method of claim 36, wherein the authorization of the matter comprises authorization to record a transaction in a distributed ledger.
42. The method of claim 36, wherein the authorization of the matter comprises at least one of authorization to execute a contract on behalf of a company, authorization to access a safety deposit box, authorization to leave a country, or any combination thereof.
43. The method of claim 36, wherein the authorization of the matter comprises at least one of authorization to sell one or more assets, authorization to purchase one or more assets, or any combination thereof.
44. The method of claim 36, wherein the authorization specification comprises at least one non-leaf node and a plurality of leaf nodes, the method further comprising:
determining that a first non-leaf node of the authorization specification includes only one child node,
in response to determining that the first non-leaf node of the authorization specification includes only one child node,
replacing the first non-leaf node of the authorization specification with the child node.
45. The method of claim 36, wherein the authority weights of the verified signatures are boolean values, wherein the threshold weight is a boolean value, and wherein determining that the combination of the authority weights of the verified signatures satisfies the threshold weight comprise evaluating a boolean expression.
46. A computer-readable medium storing instructions that, when executed by a computing system having one or more processors, cause the computing system to perform a method for confirming an authorization of a matter, the method comprising:
accessing an authorization specification that specifies, for each of one or more authorities,
signature verification information for one or more signatures, and
an authority weight associated with at least one of the one or more signatures;
receiving a request to confirm an authorization to purchase or sell one or more assets;
in response to receiving the request to confirm the authorization of the matter;
accessing a plurality of signatures of the one or more authorities;
for each of two or more accessed signatures,
performing a verification check on the accessed signature based on the signature verification information specified by the accessed authorization specification;
combining the authority weights of the verified signatures;
determining that the combination of the authority weights of the verified signatures satisfies a threshold weight; and
in response to determining that the combination of the authority weights of the verified signatures satisfies the threshold weight,
indicating that authorization of the matter has been confirmed.
47. The computer-readable medium of claim 46, wherein accessing the plurality of signatures of the one or more authorities comprises accessing a plurality of different private keys of a first authority, wherein each of the plurality of different private keys for the first authority is generated using a different algorithm.
48. The computer-readable medium of claim 46, the method further comprising:
checking for cycles in the authorization specification in response to receiving a node of the authorization specification;
checking to ensure that there are no duplicate public keys in the authorization specification;
determining that a first non-leaf node of the authorization specification includes only one child node,
in response to determining that the first non-leaf node of the authorization specification includes only one child node,
replacing the first non-leaf node of the authorization specification with the child node; and
ensuring that each sum of possible combinations of authority weights of child nodes of a second non-leaf node in the authorization specification is not greater than a maximum integer value.
49. The computer-readable medium of claim 46, wherein combining the authority weights of the verified signatures comprises generating a sum of the authority weights of the verified signatures.
50. The computer readable medium of claim 46, wherein the authority weights of the verified signatures are boolean values.
51. A computing system, having one or more processors and one or more memories, for confirming an authorization of a matter, the computing system comprising:
a component configured to access an authorization specification that specifies, for each of one or more authorities,
signature verification information for one or more signatures, and
an authority weight associated with at least one of the one or more signatures;
a component configured to check for cycles in the authorization specification in response to receiving a node of the authorization specification;
a component configured to, in response to determining that a first non-leaf node of the authorization specification includes only one child node, replace the first non-leaf node of the authorization specification with the child node;
a component configured to receive a request to confirm an authorization of a matter;
a component configured to, in response to receiving the request to confirm the authorization of the matter,
access a plurality of signatures of a first authority of the one or more authorities;
a component configured to, for each of two or more accessed signatures,
perform a verification check on the accessed signature based on the signature verification information specified by the accessed authorization specification;
a component configured to combine the authority weights of the verified signatures;
a component configured to determine that the combination of the authority weights of the verified signatures satisfies a threshold weight; and
a component configured to, in response to determining that the combination of the authority weights of the verified signatures satisfies the threshold weight,
indicate that authorization of the matter has been confirmed.
52. The computing system of claim 51, wherein the authorization of the matter comprises at least one of authorization to execute a contract on behalf of a company, authorization to access a safety deposit box, authorization to leave a country, authorization to sell one or more assets, authorization to purchase one or more assets, or any combination thereof.
53. The computing system of claim 51, wherein the signature verification information comprises public keys, the computing system further comprising:
a component configured to check to ensure that there are no duplicate public keys in the authorization specification.
54. The computing system of claim 51, further comprising:
a component configured to ensure that each sum of possible combinations of authority weights of child nodes of a first node in the authorization specification is not greater than a maximum integer value.
55. The computing system of claim 51, wherein the authority weights of the verified signatures are boolean values.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/581,359 US20220222634A1 (en) 2018-03-22 2022-01-21 Weighted multiple authorizations

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/933,283 US11263605B2 (en) 2018-03-22 2018-03-22 Weighted multiple authorizations
US17/581,359 US20220222634A1 (en) 2018-03-22 2022-01-21 Weighted multiple authorizations

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/933,283 Continuation US11263605B2 (en) 2018-03-22 2018-03-22 Weighted multiple authorizations

Publications (1)

Publication Number Publication Date
US20220222634A1 true US20220222634A1 (en) 2022-07-14

Family

ID=65951804

Family Applications (2)

Application Number Title Priority Date Filing Date
US15/933,283 Active 2039-01-19 US11263605B2 (en) 2018-03-22 2018-03-22 Weighted multiple authorizations
US17/581,359 Pending US20220222634A1 (en) 2018-03-22 2022-01-21 Weighted multiple authorizations

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US15/933,283 Active 2039-01-19 US11263605B2 (en) 2018-03-22 2018-03-22 Weighted multiple authorizations

Country Status (2)

Country Link
US (2) US11263605B2 (en)
WO (1) WO2019180408A1 (en)

Also Published As

Publication number Publication date
US11263605B2 (en) 2022-03-01
WO2019180408A1 (en) 2019-09-26
US20190295050A1 (en) 2019-09-26

Legal Events

Date Code Title Description
AS Assignment

Owner name: R3 LTD., GREAT BRITAIN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CHALKIAS, KONSTANTINOS;REEL/FRAME:059425/0445

Effective date: 20181129

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED