A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the U.S. Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the disclosure herein and to the drawings that form a part of this document: Copyright 2017-2020, MobileCoin, Inc., All Rights Reserved.
This patent document pertains generally to secure transaction networks, online payment systems, secure online digital delivery systems, and more particularly, but not by way of limitation, to a system and method for providing auxiliary curve cold storage.
To support custodianship at leading cryptocurrency exchanges, the exchange must support the delegation of spending authority to a FIPS 140 certified hardware security module (HSM) for funds moved to “cold storage.” FIPS 140 is a Federal Information Processing Standard (FIPS) Publication No. 140, which is a publicly-available U.S. government computer security standard used to approve and certify cryptographic modules and HSMs. Exchanges commonly require cold storage for digital assets to satisfy insurance and regulatory oversight requirements.
A cryptocurrency that does not support cold storage using a certified HSM device may have substantially less utility or market appeal.
Typical HSM devices are designed to support the cryptographic curves and algorithms that are recommended for government use. The set of recommended cryptographic curves for Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures is described in FIPS Publication No. 186. Exchanges currently offer custodianship services for Bitcoin™ and other cryptocurrencies, which rely on digital signatures that use the “secp256k1” curve. This curve does not appear on the list of recommended curves, suggesting that acceptable HSM devices could also be developed for other curve systems. However, it may be prohibitively expensive and time consuming to produce and certify new HSM devices with support for other curve systems. An alternative solution would be to modify a currently used cryptocurrency protocol to use curves and algorithms that are available on existing certified HSM hardware. However, these changes would be costly and time-consuming to implement and would compromise performance. It would be advantageous to provide a method for delegating spending authority to a certified HSM suitable for cryptocurrencies that require algorithms that are not available on certified HSM hardware.
A system and method for providing auxiliary curve cold storage are disclosed. In the various example embodiments disclosed herein, the auxiliary curve cold storage system of an example embodiment introduces a second layer of cryptography on top of a currently used cryptocurrency protocol for “cold storage” transactions. This allows spending authority to be selectively controlled by signing algorithms that are compatible with certified HSM devices, without modifying the protocol for other transactions.
The various example embodiments disclosed herein are not limited to cryptocurrencies that make use of SGX, the Stellar Consensus Protocol algorithm, or those that implement parts of the CryptoNote protocol. SGX is an Intel® Corporation Software Guard Extensions (SGX) architecture. SGX is a set of central processing unit instruction code from Intel® that allows user-level code to allocate private regions of memory, called enclaves, which are protected from processes running at higher privilege levels. The Stellar Consensus Protocol (SCP) provides a way to reach consensus in a secure financial transaction without relying on a closed system to accurately record financial transactions. CryptoNote is an application layer protocol that aims to solve the problems outlined in Bitcoin™ Core, the protocol behind Bitcoin™ The protocol powers several decentralized privacy-oriented cryptocurrencies.
The various example embodiments disclosed herein can be used to enable custodial management of or with other cryptocurrencies, which use cryptographic curves that are not approved by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. For example, the various example embodiments disclosed herein can be used to enable custodial management for Stellar Lumens™, Zcash™ Sia™, Scorex™, BigchainDB™, Chain Core™, and Monero™, among others. In each case, changes to the code that validates transactions may need to be adopted.
The additional layer of encryption of the example embodiment is applied using three new transactions types: 1) Cold Storage Deposit, 2) Cold Storage Withdrawal, and 3) Cold Storage Transfer. These three transaction types of the auxiliary curve cold storage system of an example embodiment are described in more detail below with reference to the figures provided herewith.
The various embodiments are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which:
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the various embodiments. It will be evident, however, to one of ordinary skill in the art that the various embodiments may be practiced without these specific details.
A system and method for providing auxiliary curve cold storage are disclosed. In the various example embodiments disclosed herein, the auxiliary curve cold storage system of an example embodiment introduces a second layer of cryptography on top of a currently used cryptocurrency protocol for “cold storage” transactions. This allows spending authority to be selectively controlled by signing algorithms that are compatible with certified HSM devices, without modifying the protocol for other transactions.
The additional layer of encryption of the example embodiment is applied using three new transactions types: 1) Cold Storage Deposit, 2) Cold Storage Withdrawal, and 3) Cold Storage Transfer. These three transaction types of the example embodiment are described in more detail below with reference to the figures provided herewith.
The base Cryptonote transaction and the txo-sig are submitted together to the consensus network via secure network nodes of a secure transaction network as a deposit transaction. The validity of the base transaction is first checked as in a standard transaction submitted to the secure transaction network and the consensus network. In an example embodiment, the network nodes of the secure transaction network can also include an internal secure computing environment or enclave. The enclave represents a secure computing environment having: 1) an encrypted, isolated, and/or sequestered memory (e.g., random access memory or RAM); 2) isolated processing logic that cannot make or receive calls from an operating system (OS); and 3) an ability to attest to the authenticity and security of the secure computing environment upon request from a client device or another network node. In a particular example embodiment, the enclave can be implemented as an Intel® Corporation SGX architecture as described above. In the network nodes with SGX enclaves of the particular example embodiment, the network nodes are configured to run with an SGX secure enclave. The SGX enclave is isolated from the host operating system (OS) in hardware-encrypted random access memory (RAM), which prevents the network node operator from having access into the enclave. An example embodiment of a secure transaction network ecosystem in which an example embodiment can be implemented is described below in connection with
For any rptxo, there will be a corresponding private key that advances the generator point by application of the group operator to the rptxo value. It is very important that we do not use an algorithm that leaks this private key when we calculate the rptxo. Moreover, there are a few other possible implementation options:
Following this procedure, the rptxo will look like a standard transaction output (i.e., a 32 byte random location on the ristretto curve), maintaining zero knowledge privacy in the public data. Cold storage transactions are therefore computationally indistinguishable from other transactions. That is, given any practical computation resources, a cold storage transaction cannot be identified in the public ledger with a probability better than random guessing.
It may not be necessary to obscure which transactions are in cold storage. In this case, we do not need to generate the rptxo value. Instead all authorization data can be published to the blockchain in a unique field.
We note that the hint field of the transaction may be safely used to store the original source-txo value for convenience, using additional random data to pad its value to any desired length.
To move value from one “on-chain cold storage” to another “on-chain cold storage” transaction without moving the funds out of cold storage as an intermediate step, the withdrawal transaction can be modified slightly to include a new output rptxo, and new output txo-sig.
Referring now to
Network 20 can be configured to couple one computing device/node with another computing device/node in networked data communication. Network 20 may be enabled to employ any form of computer readable media for communicating information from one electronic device to another. For example, network 20 can include the Internet, other wide area networks (WANs), local area networks (LANs), direct connections, such as through a universal serial bus (USB) port, wireless data connections (e.g., WiFi, Bluetooth™, etc.), optic data connections, other forms of devices for the transfer of computer-readable media, or any combination thereof. On an interconnected set of sub-networks, including those based on differing architectures and protocols, a router and/or gateway device can act as a link between sub-networks, enabling messages to be sent between computing devices/nodes in a network ecosystem.
Network 20 may further include any of a variety of wireless sub-networks that may further overlay stand-alone or ad-hoc networks to provide an infrastructure-oriented connection. Such sub-networks may include mesh networks, wireless LAN (WLAN) networks, cellular networks, and the like. Network 20 may also include an autonomous system of terminals, gateways, routers, and the like connected by wireless radio links or wireless transceivers. These connectors may be configured to move freely and randomly and organize themselves arbitrarily, such that the topology of network 20 may change rapidly and arbitrarily.
Network 20 may further employ a plurality of access technologies including 2nd (2G), 2.5, 3rd (3G), 4th (4G), 5th (5G) generation network technologies, including radio access for cellular systems, WLAN, Wireless Router (WR) mesh, and the like. Access technologies such as 2G, 3G, 4G, 5G, and future access networks may enable wide area coverage for mobile devices, such as one or more of client devices 200, with various degrees of mobility. For example, network 20 may enable a radio connection through a radio network access such as Global System for Mobile communication (GSM), General Packet Radio Services (GPRS), Enhanced Data GSM Environment (EDGE), Wideband Code Division Multiple Access (WCDMA), CDMA2000, and the like. Network 20 may also be constructed for use with various other wired and wireless communication protocols, including TCP/IP, UDP, SIP, SMS, RTP, WAP, CDMA, TDMA, EDGE, UMTS, GPRS, GSM, UWB, WiFi, WiMax, IEEE 802.11x, and the like. In essence, network 20 may include virtually any wired and/or wireless data communication mechanisms by which information may travel between one computing device and another computing device, network, and the like.
Referring still to
The client device 200 may also include at least one client application that is configured to interact with the secure transaction network 10 via network 20. In an example embodiment, the client application can be a wallet 205 corresponding to a software module for execution by a data processor of the client device 200, the wallet 205 being configured to manage a user's digital cash and the secure transactions related thereto. In particular, the wallet 205 enables a user of a client device 200 to send and receive digital cash and related secure transactions via the secure transaction network 10.
Referring still to
Each of the network nodes 100 of the secure transaction network 10 can include or be coupled with a transaction ledger 105 for storage of secure transaction data, key images, and related information. In an example embodiment, the transaction ledger 105 can be implemented as a secure data storage device, a database, a secure memory area or partition, or the like.
As shown in
There are many situations where it is valuable to require authentication from public keys created on different curves for spending a cryptocurrency output. For example, “HSMs” (hardware security modules) are high-end, government-certified devices used to securely manage digital keys, and are staples of high-stakes environments. However, HSMs are only able to handle a limited number of cryptographic curves, and can't directly interact with cryptocurrencies that manage spend authority with curves outside that range.
By allowing cryptocurrency transaction authors to assign output spend authority to public keys from different curves, it is possible to expand signing rights to HSM devices without compromising the currency's core protocol. As described in detail below, we disclose embodiments of an extension to the class of cryptocurrency protocols known as “RingCT”, with a focus on a particular variant, which enables a unique kind of transaction output that can only be spent when two public keys from different curves authorize the transaction output.
As disclosed above, a dual-curve authentication procedure focused around cold storage is described. A user may ‘deposit money into cold storage’ with a normal self-spend transaction that includes a signature from an HSM public key. A self-spend transaction is one where the user sends money to themselves. In this case, the user needs both their normal wallet keys and their HSM public key to spend the money again. To withdraw that ‘cold storage’ money, the user can create another normal transaction spending the relevant output, and provide a second signature with the same HSM public key.
Importantly, the secure transaction network must verify both HSM signatures are legitimate. In the described example embodiments, an HSM signature is just a normal elliptic curve signature (e.g., ECDSA), using some elliptic curve supported by HSM devices. Protocol designers have to choose which HSM curve to use out of the available standard choices (e.g., a NIST standard curve).
Suppose an individual user wishes to deposit money (which they already own) into HSM-secured cold storage. The general steps the user would follow are set forth below:
K
Jake,x
o=p(Kxo, σxHSM, KxHSM)
(c) Store the fake output address KJake,xo in place of the one-time output address.
Now suppose that individual wants to withdraw money previously deposited into HSM-secured cold storage.
K
fake, x
a=p(Kxo, σxHSM, KxHSM)
There are a few drawbacks to the protocol just discussed.
Fortunately, many of the drawbacks of the protocol described above can be addressed, while also making the protocol changes more generic and less focused on HSMs and cold storage. An example of this second example embodiment is described in more detail below. Suppose an individual wishes to receive money to a dual-key account. This account has a normal RingCT address (Kel,x, Kel,x) (view and spend keys), and secondary authorization address Kauthc2=kc2*Gc2. We use superscripts c1 and c2 to denote keys on two different elliptie curves. Curve 1 is the core curve employed by the RingCT-based cryptocurrency under consideration, and curve 2 is some other (secure and robust)elliptie curve.
A different individual, the sender, can send money to the dual-key account with the following procedure.
K
t
x1,da=p(Kauth,3x2,xh)
Here Kbase,2x2 is the base key of Kauth,xc2,xh, which is a Diffie-Hellman shared key between the base key and the secondary authorization address. The base key can either be the second curve's generator Gc2 (in which case the shared key is equal to the secondary authorization key), or based on the sender-reciver shared secret. As we will see, using the sender-receiver shared secret allows the recipient to hide their secondary key from verifiers when spending dual-key outputs. It uses a hash-to-sealer function xcb2( ) that produces scalars in the range 1, . . . , lch2, and has a similar form to the amount and commitment mask scalars.
k
bxxx,s
x2=xth2(“dual-key base”, xch1(rKkch1,o, t))
K
stored,t
ct,o
=K
t
c1,o
+K
t
c1,do
Now let the receiver search for outputs owned by their dual-key combination.
K
t
ct,o
=K
xtord,x
−K
8
ct,do
k
base,x
2
=H
x
ch2(“dual-key base”, Hxch2(rKcch1,x, t))
and check
K
ch,x
=K
stored,x
cl,o−
H
n(rKct,v)Gc1−Hp(kbase,x2*Gx2, kbase,xx2*Kauth,tt2)
It is slower than the simpler case, but the privacy benefits will be clear as described below.
Finally, after the receiver has identified dual-key outputs that they own, they can spend them. This process for an example embodiment is described below.
RingCT, where those with the private view key don't know when an output is spent.
3. Before constructing the dual-key input's MLSAF, aubtract the dual-key offset from each ring member's public key. It's just like how we subtract the pseudo-output commitment from each output commitment. The ring for input j should look like this:
The offset is computed with hash-to-point, so its discrete log with respect to the generator Gc1 is unknown (except with negligible probability), and the output's owner has no choice but to subtract the offset before they can make a signature with the output address. Being forced to subtract the offset means they are also forced to include the real secondary authorization key pair (base and shared) with the transaction, since verifiers need to compute the offset correctly.
However, outputs with offsets appear just like outputs without offsets. Just as the verifier doesn't know which member of a ring signature is the true signer, subtracting the offset from all members leaves him/her just as unaware of the real signer.
Whoever sends an output to a dual-curve address will know when it is spent, since they can see the output offset in the spending transaction. If the dual-curve address output is a self-spend, then the problem is moot, however more advanced applications of the technique should keep this in mind.
The Abstract of the Disclosure is provided to allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing Detailed Description, it can be seen that various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment.
This non-provisional patent application draws priority from U.S. provisional patent application Ser. No. 62/914,504; filed Oct. 13, 2019. This present non-provisional patent application draws priority from the referenced patent application. The entire disclosure of the referenced patent application is considered part of the disclosure of the present application and is hereby incorporated by reference herein in its entirety.
Number | Date | Country | |
---|---|---|---|
62914504 | Oct 2019 | US |