Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system

Abstract

A solution for controlling access to a resource such as a digital wallet implemented using a blockchain. Use of the invention during set-up of the wallet can enable subsequent operations to be handled in a secure manner over an insecure channel. An example method comprises splitting a verification element into multiple shares; determining a common secret at multiple nodes in a network; and using the common secret to transmit a share of the verification element between nodes. The shares can be split such that no share is sufficient to determine the verification element and can be stored at separate locations. Upon share unavailability, the share can be retrieved a location accessibility. For safe transmission of the share(s), the common secret is generated at two different nodes independently and used to generate an encryption key for encrypting at least one share of the verification element to be transmitted securely.

Claims

1. A computer-implemented method, comprising: determining a common secret at a first node in a network based, at least in part, on a first node private key of the first node and a second node public key of a second node in the network; using the common secret to transmit at least one share of a verification element that has been split into at least three shares to the second node to enable the second node to use the at least one share of the verification element to compute the verification element, wherein the verification element is usable to control access to a digital wallet associated with a user; and storing the at least three shares of the verification element at different locations relative to each other, wherein a first share of the at least three shares is stored in or on a back-up or safe-storage facility that is separate, independent, and/or distinct from the locations in which other shares of the at least three shares are stored, and wherein the back-up or safe-storage facility is, or is operated by, a party that is independent of at least the first node and the user, and that accepts responsibility for storing the share and supplying it upon request, and wherein a second share of the at least three shares is stored at a user device associated with the user and the digital wallet.

2. The method of claim 1, wherein the verification element comprises: a representation of a cryptographic key different from the cryptographic key; or one or more elements that may be used to obtain the cryptographic key.

3. The method of claim 1, wherein using the common secret to transmit the at least one share of the verification element comprises: using the common secret to generate an encryption key; and transmitting the at least one share of the verification element in an encrypted format using the encryption key.

4. The method of claim 1, wherein the verification element is a cryptographic key.

5. The method of claim 1, further comprising: splitting the verification element into the plurality of shares such that the verification element can be restored or regenerated from two or more shares of the plurality of shares, wherein no individual share of the plurality of shares is sufficient to restore or regenerate the verification element.

6. The method of claim 5, wherein Shamir's Secret Sharing Scheme is utilized as part of splitting the verification element into the plurality of shares.

Description

(1) An embodiment of the present invention will now be described, by way of example only, and with reference to the accompany drawings, in which:

(2) FIG. 1 is a schematic diagram of an example system to determine a common secret for a first node and second node, as may be used in accordance with the present invention for secure transmission of highly sensitive information, such as a share of a private key;

(3) FIG. 2 is a flow chart of computer-implemented methods for determining a common secret as may be used in accordance with the present invention for secure transmission of highly sensitive information, such as a share of a private key;

(4) FIG. 3 is a flow chart of computer-implemented methods to register the first and second nodes;

(5) FIG. 4 is another flow chart of computer-implemented methods for determining a common secret as may be used in accordance with the present invention for secure transmission of highly sensitive information, such as a share of a private key;

(6) FIG. 5 is a flow chart of computer-implemented methods of secure communication between the first node and second node.

(7) As explained above, a need exists for enhanced storage and/or exchange of a secret such as a cryptographic key, or a secret which can be used to generate a key. The secret may be a seed for a wallet mnemonic, or other security-related item. The invention provides such a solution. An embodiment is described below for the purposes of illustration, and uses the context of a digital wallet implemented on a blockchain. However, the invention is not limited to such implementations and could be implemented in respect of any computer-implemented network or system.

(8) As above, public-key cryptography is often used in relation to digital wallets. If the end user (which we may refer to as a “client” or simply “user”) is responsible for storing their private key, problems may arise when the user or their hardware become unavailable as this renders the private key, and thus the wallet's funds, inaccessible. However, storage of the key at the wallet provider's end (which we may refer to as “server side”) requires a degree of trust in that provider and their security mechanisms. So there is a need to store the private key in such a way that it cannot be obtained by an unauthorised party, but can also be reproduced when necessary. The term “user” may be a human user or a computer-implemented resource.

(9) One known cryptographic algorithm, known as “Shamir's secret sharing scheme” (4S), teaches splitting the secret up into unique parts or shares which are then distributed to different parties. The shares can be used to reconstruct the secret thereafter. Each individual share is of no value or use on its own until it is combined with one or more other shares. The number of shares required to reconstruct the secret can vary according to the needs of the situation. In some cases, all shares may be required, while in other cases only a sufficient number are required. This is known as the threshold scheme, where any k of the shares are sufficient to reconstruct the original secret.

(10) In this illustrative embodiment, 4S is used to split a secret such as a private key or mnemonic seed into a number of parts. It is then also used to regenerate the key or mnemonic seed from a certain number of parts. The use of mnemonics is known in conjunction with digital wallets. The mnemonic is a human-friendly code or group of words which can be turned into a binary seed for the generation of a wallet or data.

(11) Herein, there following terms may be used. “Secret” (S) is a secret (e.g. a number or value) that needs to be shared securely between parties. “Share” is a piece of the secret. The secret is divided into pieces and each piece is called a share. It is computed from the given secret. In order to recover the secret, one must obtain a certain numbers of shares. “Threshold” (k) is the minimum number of shares that one needs to regenerate or recover the secret. The secret can be regenerated only when you have >=k shares. “Prime” (p) is a random prime number.

(12) From a broad perspective, an illustrative embodiment may comprise a method as follows. In this example, we use a ‘2-of-3’ scheme (i.e. k=2): A user registers with a wallet provider to generate and set up a new wallet associated with that user. In this example, the wallet is a Bitcoin wallet, which utilises the Blockchain A public-private key pair is generated and associated with the user's wallet; The private key is split into shares, using 4S One share of the private key is sent via a secure transmission to the user Another share of the private key is retained by the service provider and stored on a server Another share is sent via a secure transmission to a remote location for safe storage. The term ‘remote’ does not imply any particular geographical distance or location. Instead, it is used herein to mean that the share is held in, at or on a secure storage facility or resource which is independent in some sense from the wallet provider or the user, preferably both. “Independent” may include physical, logical, financial, political and/or organisationally independent. For example, the safe storage may be contracted out to a commercial entity which provides the safe storage service for a fee; or it may be held by the user's attorney, or some other elected (and trusted) party who accepts responsibility for storing the share and supplying it upon request if needed; The wallet provider can destroy any or all copies of the complete private key, because it is no longer needed. When the private key is needed for subsequent authorisation of the user (e.g. because the user now wishes to make a transaction) the key can be reconstructed from the user's share, which the user provides to the wallet provider as and when needed, and the wallet provider's share.

(13) An advantage of this is that even if the wallet provider's security is breached, the unauthorised party cannot gain access to the user's private key because it is not stored anywhere on the wallet provider's system and the wallet provider's system alone does not contain enough shares to allow reconstruction of the private key. This same advantage applies in situations where the client's security is breached.

(14) Another advantage is that by storing a share at a safe storage location, the private key can be reconstructed by retrieving that share from safe storage and combining it with the wallet provider's share. Thus, if the user dies or becomes incapacitated, or if the user's hardware (and thus share) is lost, damaged or stolen, the funds in the wallet can still be accessed. In such a situation, the user's identity would be verified. In some cases, the identity of a proven, trusted party such as executor of an estate or attorney would be verified. This may be achieved, by example, upon production of evidence such as death certificate, passport, a legal document or other form of identification. Upon verification of authorised identity, the share of the secret would be retrieved from safe storage. Therefore, the safe storage serves as a type of back-up facility which can be used in exceptional or pre-determined circumstances.

(15) Thus, the invention provides an advantageous combination of enhanced system/data security plus convenience. It provides a simple, effective and secure solution for access control.

(16) It should be noted that in the above example, the private key is generated by the wallet service provider and respective parts are sent to the user and safe storage resource. However, this may not be the case in other embodiments. It is also important to note that transmission of parts between parties, which may be referred to as ‘nodes’, must be performed in a secure manner because any unauthorised interception of multiple shares could enable the interceptor to reconstruct the secret (e.g. mnemonic or key). This secure exchange problem is also addressed by the invention, as described below.

(17) More detailed aspects of the invention are now described for the purpose of illustration. It should be noted that Shamir's Secret Sharing Scheme is a technique which is known in the art, and the skilled person would be aware of, understand and be able to use it. Therefore, the following is provided for the purpose of completeness only.

(18) Splitting the Secret into Shares

(19) Given a secret S, a number of participants n, a threshold number k, and some prime number p, we construct a polynomial:
y=f(x) of degree k−1 (modulo our prime p)
with constant term S.

(20) Next, we choose n unique random integers between 1 and p−1, inclusive, and evaluate the polynomial at those n points. Each of the n participants is given a (x, y) pair. This can be achieved by the following steps.

(21) 1. Convert into Integer

(22) For the 4S algorithm, the secret needs to be an integer. Hence if the secret is in some other format (ex. String, hex etc.) it must be converted into an integer first. If the secret is already an integer, this step can be omitted. For this example, let S=1234.

(23) 2. Decide Number of Shares (n) and Threshold (k)

(24) Note that k parts will be required to regenerate the secret. Hence, choose S and k such that k parts can always be obtained while recovering the secret. For this example, let n=6, k=3.

(25) 3. Create the Polynomial

(26) We need to create a polynomial of the form: y=f(x) mod p

(27) i. Determine constant term and degree of polynomial
f(x)=a.sub.0+a.sub.1x+a.sub.2x.sup.2+a.sub.3x.sup.3+ . . . +a.sub.k−1x.sup.k−1 The constant term a.sub.0=S degree of polynomial=k−1 Hence for k=3 and S=1234, we need to build a polynomial with degree 2 and a.sub.0=1234
f(x)=1234+a.sub.1x+a.sub.2x.sup.2
ii. Determine coefficients Chose k−1 random numbers (use a Random (or pseudo random) Number Generator) such that:
0<a.sub.n<S Let a.sub.1=166; a.sub.2=94 Hence, f(x)=1234+166x+94 x.sup.2
iii. Select a random prime number Chose a random prime number (p) such that:
p>max(S,n) Let p=1613
iv. Final polynomial
y=f(x)mod p
y=(1234+166x+94x.sup.2)mod 1613
Creating the Shares

(28) To divide the secret into n shares, we need to construct n points (shares) using the polynomial:
y=(1234+166x+94x.sup.2)mod 1613

(29) Since n=6 for this example, we will have 6 points. Note that we start with x=1 and NOT x=0.

(30) For x=1 to 6, the 6 points are as follows:

(31) (1, 1494); (2, 329); (3, 965); (4, 176); (5, 1188); (6, 775)

(32) Out of these n (6) points, any k (3) points can be used to regenerate the secret key.

(33) Reconstructing the Secret from a Given Number of Shares

(34) i. Get the secret integer

(35) To reconstruct the secret, we need following information:
n=6, k=3, p=1613, k shares:
(x0,y0)=(1,1494); (x1,y1)=(2,329); (x2,y2)=(3,965) Once we have the above information, we can use a technique such as Lagrange Interpolation which is known in the art and readily appreciated by the skilled person. Using this technique we can rebuild the entire polynomial. The coefficients can be calculated according to formula below:
a.sub.i(x)=[Σ.sup.k−1.sub.i−0y.sub.iΠ.sub.0←j←k−1,j≠i(x−x.sub.j)/(x.sub.i−x.sub.j)] mod p but since S=a.sub.0, we only need to find a.sub.0=a.sub.0 (0)

(36) $a_{0} = [{.Math.}_{i = 0}^{k - 1} y_{i} \underset{\underset{j \neq 1}{0 \leq j \leq k - 1}}{.Math.} \frac{- x_{j}}{x_{i} - x_{j}}] \mod p$ $where x_{i} - x_{j} \neq 0$

(37) The skilled person will understand that in the above, the exponent −1 signifies taking the multiplicative inverse. Most programming languages comprise inbuilt packages to perform mathematical operations such as multiplicative inverse.

(38) ii. Convert integer to desired format

(39) If Step 1 was performed to convert a specific format to an integer, we follow the reverse procedure to convert the integer back to the desired format.
Secure Transmission of the Shares

(40) As mentioned above, it is important that the shares of the secret are transmitted to the respective recipients in a secure manner so as to prevent unauthorised parties from being able to reconstruct the secret. In a preferred embodiment, the secure transmission can be achieved as described below.

(41) A common secret (CS) can be established between two parties and then used to generate a secure encryption key for transmission of one or more of the shares. This common secret (CS) is not to be confused with the secret (S) referred to above. The Common Secret (CS) is generated and used to enable secure exchange of the Secret (S) e.g. key or share thereof.

(42) The two parties could be any two of the wallet service provider, the user, the safe storage resource or some other legitimate party. Hereafter, for the sake of convenience, they will be referred to as a first node (C) a second node (S). The aim is to generate a common (CS) secret which both nodes know but without that common secret having been sent via a communication channel, thus eliminating the possibility of its unauthorised discovery. The secret splitting plus safe storage technique, in combination with a secure transmission technique such as described below, provides a secure key-management solution.

(43) The secure transmission technique of the present invention involves the CS being generated at each end of the transmission in an independent manner, so that while both nodes know the CS it has not had to travel over potentially unsecure communication channels. Once that CS has been established at both ends, it can be used to generate a secure encryption key that both nodes can use for communication thereafter. This is of particular benefit during the wallet registration process, for transmission of the split private key from one party to another.

(44) FIG. 1 illustrates a system 1 that includes a first node 3 which is in communication with a second node 7 over a communications network 5. The first node 3 has an associated first processing device 23 and the second node 5 has an associated second processing device 27. The first and second nodes 3, 7 may include an electronic device, such as a computer, phone, tablet computer, mobile communication device, computer server etc. In one example, the first node 3 may be a client (user) device and the second node 7 may be a server. The server may be a digital wallet provider's server.

(45) The first node 3 is associated with a first asymmetric cryptography pair having a first node master private key (V.sub.1C) and a first node master public key (P.sub.1C). The second node (7) is associated with a second asymmetric cryptography pair having a second node master private key (V.sub.1S) and a second node master public key (P.sub.1S). In other words, the first and second nodes are each in possession of respective public-private key pairs.

(46) The first and second asymmetric cryptography pairs for the respective first and second nodes 3, 7 may be generated during a registration process, such as registration for a wallet. The public key for each node may be shared publicly, such as over communications network 5.

(47) To determine the common secret (CS) at both the first node 3 and second node 7, the nodes 3, 7 perform steps of respective methods 300, 400 without communicating private keys over the communications network 5.

(48) The method 300 performed by the first node 3 includes determining 330 a first node second private key (V.sub.2C) based on at least the first node master private key (V.sub.1C) and a Generator Value (GV). The Generator Value may be based on a message (M) that is a shared between the first and second nodes, which may include sharing the message over the communications network 5 as described in further detail below. The method 300 also includes determining 370 a second node second public key (P.sub.2S) based on at least the second node master public key (P.sub.1S) and the Generator Value (GV). The method 300 includes determining 380 the common secret (CS) based on the first node second private key (V.sub.2C) and the second node second public key (P.sub.2S).

(49) Importantly, the same common secret (CS) can also be determined at the second node 7 by method 400. The method 400 includes determining 430 a first node second public key (P.sub.2C) based on the first node master public key (P.sub.1C) and the Generator Value (GV). The method 400 further include determining 470 a second node second private key (V.sub.2S) based on the second node master private key (V.sub.1S) and the Generator Value (GV). The method 400 includes determining 480 the common secret (CS) based on the second node second private key (V.sub.2S) and the first node second public key (P.sub.2C).

(50) The communications network 5 may include a local area network, a wide area network, cellular networks, radio communication network, the internet, etc. These networks, where data may be transmitted via communications medium such as electrical wire, fibre optic, or wirelessly may be susceptible to eavesdropping, such as by an eavesdropper 11. The method 300, 400 may allow the first node 3 and second node 7 to both independently determine a common secret without transmitting the common secret over the communications network 5.

(51) Thus one advantage is that the common secret (CS) may be determined securely and independently by each node without having to transmit a private key over a potentially unsecure communications network 5. In turn, the common secret may be used as a secret key (or as the basis of a secret key) for encrypted communication between the first and second nodes 3, 7 over the communications network 5.

(52) The methods 300, 400 may include additional steps. The method 300 may include, at the first node 3, generating a signed message (SM1) based on the message (M) and the first node second private key (V.sub.2C). The method 300 further includes sending 360 the first signed message (SM1), over the communications network, to the second node 7. In turn, the second node 7 may perform the steps of receiving 440 the first signed message (SM1). The method 400 also includes the step of validating 450 the first signed message (SM2) with the first node second public key (P.sub.2C) and authenticating 460 the first node 3 based on the result of validating the first signed message (SM1). Advantageously, this allows the second node 7 to authenticate that the purported first node (where the first signed message was generated) is the first node 3. This is based on the assumption that only the first node 3 has access to the first node master private key (V.sub.1C) and therefore only the first node 3 can determine the first node second private key (V.sub.2C) for generating the first signed message (SM1). It is to be appreciated that similarly, a second signed message (SM2) can be generated at the second node 7 and sent to the first node 3 such that the first node 3 can authenticate the second node 7, such as in a peer-to-peer scenario.

(53) Sharing the message (M) between the first and second nodes may be achieved in a variety of ways. In one example, the message may be generated at the first node 3 which is then sent, over the communications network 5, the second node 7. Alternatively, the message may be generated at the second node 7 and then sent, over the communications network 5, to the second node 7. In yet another example, the message may be generated at a third node 9 and the message sent to both the first and second nodes 3, 7. In yet another alternative, a user may enter the message through a user interface 15 to be received by the first and second nodes 3, 7. In yet another example, the message (M) may be retrieved from a data store 19 and sent to the first and second nodes 3, 7. In some examples, the message (M) may be public and therefore may be transmitted over an unsecure network 5.

(54) In further examples, one or more messages (M) may be stored in a data store 13, 17, 19, where the message may be associated with some entity such as digital wallet, or a communication session established between the first node 3 and the second node 7. Thus the messages (M) may be retrieved and used to recreate, at the respective first and second nodes 3, 7, the common secret (CS) associated with that wallet or session.

(55) Advantageously, a record to allow recreation of the common secret (CS) may be kept without the record by itself having to be stored privately or transmitted securely. This may be advantageous if numerous transactions are performed at the first and second nodes 3, 7 and it would be impractical to store all the messages (M) at the nodes themselves.

(56) Method of Registration 100, 200

(57) An example of a method of registration 100, 200 will be described with reference to FIG. 3, where method 100 is performed by the first node 3 and method 200 is performed by the second node 7. This includes establishing the first and second asymmetric cryptography pairs for the respective first and second nodes 3, 7.

(58) The asymmetric cryptography pairs include associated private and public keys, such as those used in public-key encryption. In this example, the asymmetric cryptography pairs are generated using Elliptic Curve Cryptography (ECC) and properties of elliptic curve operations.

(59) Standards for ECC may include known standards such as those described by the Standards for Efficient Cryptography Group (www.sceg.org). Elliptic curve cryptography is also described in U.S. Pat. Nos. 5,600,725, 5,761,305, 5,889,865, 5,896,455, 5,933,504, 6,122,736, 6,141,420, 6,618,483, 6,704,870, 6,785,813, 6,078,667, 6,792,530.

(60) In the method 100, 200, this includes the first and second nodes agreeing 110, 210 on a common ECC system and using a base point (G). (Note: the base point could be referred to as a Common Generator, but the term ‘base point’ is used to avoid confusion with the Generator Value GV). In one example, the common ECC system may be based on secp256K1 which is an ECC system used by Bitcoin. The base point (G) may be selected, randomly generated, or assigned.

(61) Turning now to the first node 3, the method 100 includes settling 110 on the common ECC system and base point (G). This may include receiving the common ECC system and base point from the second node 7, or a third node 9. Alternatively, a user interface 15 may be associated with the first node 3, whereby a user may selectively provide the common ECC system and/or base point (G). In yet another alternative one or both of the common ECC system and/or base point (G) may be randomly selected by the first node 3. The first node 3 may send, over the communications network 5, a notice indicative of using the common ECC system with a base point (G) to the second node 7. In turn, the second node 7 may settle 210 by sending a notice indicative of an acknowledgment to using the common ECC system and base point (G).

(62) The method 100 also includes the first node 3 generating 120 a first asymmetric cryptography pair that includes the first node master private key (V.sub.1C) and the first node master public key (P.sub.1C). This includes generating the first master private key (V.sub.1C) based, at least in part, on a random integer in an allowable range specified in the common ECC system. This also includes determining the first node master public key (P.sub.1C) based on elliptic curve point multiplication of the first node master private key (P.sub.1C) and the base point (G) according to the formula:
P.sub.1C=V.sub.1C×G (Equation 1)

(63) Thus the first asymmetric cryptography pair includes: V.sub.1C: The first node master private key that is kept secret by the first node. P.sub.1C: The first node master public key that is made publicly known.

(64) The first node 3 may store the first node master private key (V.sub.1C) and the first node master public key (P.sub.1C) in a first data store 13 associated with the first node 3. For security, the first node master private key (V.sub.1C) may be stored in a secure portion of the first data store 13 to ensure the key remains private.

(65) The method 100 further includes sending 130 the first node master public key (P.sub.1C), over the communications network 5, to the second node 7. The second node 7 may, on receiving 220 the first node master public key (P.sub.1C), store 230 the first node master public key (P.sub.1C) in a second data store 17 associated with the second node 7.

(66) Similar to the first node 3, the method 200 of the second 7 includes generating 240 a second asymmetric cryptography pair that includes the second node master private key (V.sub.1S) and the second node master public key (P is). The second node master private key (V.sub.1S) is also a random integer within the allowable range. In turn, the second node master public key (P.sub.1S) is determined by the following formula:
P.sub.1S=V.sub.1S×G (Equation 2)

(67) Thus the second asymmetric cryptography pair includes: V.sub.1S: The second node master private key that is kept secret by the second node. P.sub.1S: The second node master public key that is made publicly known.

(68) The second node 7 may store the second asymmetric cryptography pair in the second data store 17. The method 200 further includes sending 250 the second node master public key (P.sub.1S) to the first node 3. In turn, the first node 3 may receive 140 and stores 150 the second node master public key (P.sub.1S).

(69) It is to be appreciated that in some alternatives, the respective public master keys may be received and stored at a third data store 19 associated with the third node 9 (such as a trusted third party). This may include a third party that acts as a public directory, such as a certification authority. Thus in some examples, the first node master public key (P.sub.1C) may requested and received by the second node 7 only when determining the common secret (CS) is required (and vice versa).

(70) The registration steps may only need to occur once as an initial setup of, for example, the digital wallet.

(71) Session Initiation and Determining the Common Secret by the First Node 3

(72) An example of determining a common secret (CS) will now be described with reference to FIG. 4. The common secret (CS) may be used for a particular session, time, transaction, or other purpose between the first node 3 and the second node 7 and it may not be desirable, or secure, to use the same common secret (CS). Thus the common secret (CS) may be changed between different sessions, time, transactions, etc.

(73) The following is provided for illustration of the secure transmission technique which has been described above.

(74) Generating a Message (M) 310

(75) In this example, the method 300 performed by the first node 3 includes generating 310 a message (M). The message (M) may be random, pseudo random, or user defined. In one example, the message (M) is based on Unix time and a nonce (and arbitrary value). For example, the message (M) may be provided as:
Message (M)=UnixTime+nonce (Equation 3)

(76) In some examples, the message (M) is arbitrary. However it is to be appreciated that the message (M) may have selective values (such as Unix Time, etc) that may be useful in some applications.

(77) The method 300 includes sending 315 the message (M), over the communications network 3, to the second node 7. The message (M) may be sent over an unsecure network as the message (M) does not include information on the private keys.

(78) Determining a Generator Value (GV) 320

(79) The method 300 further includes the step of determining 320 a Generator Value (GV) based on the message (M). In this example, this includes determining a cryptographic hash of the message. An example of a cryptographic hash algorithm includes SHA-256 to create a 256-bit Generator Value (GV). That is:
GV=SHA-256(M) (Equation 4)

(80) It is to be appreciated that other hash algorithms may be used. This may include other has algorithms in the Secure Hash Algorithm (SHA) family. Some particular examples include instances in the SHA-3 subset, including SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256. Other hash algorithms may include those in the RACE Integrity Primitives Evaluation Message Digest (RIPEMD) family. A particular example may include RIPEMD-160. Other hash functions may include families based on Zémor-Tillich hash function and knapsack-based hash functions.

(81) Determining a First Node Second Private Key 330

(82) The method 300 then includes the step 330 of determining 330 the first node second private key (V.sub.2C) based on the second node master private key (V.sub.1C) and the Generator Value (GV). This can be based on a scalar addition of the first node master private key (V.sub.1C) and the Generator Value (GV) according to the following formula:
V.sub.2C=V.sub.1C+GV (Equation 5)

(83) Thus the first node second private key (V.sub.2C) is not a random value but is instead deterministically derived from the first node master private key. The corresponding public key in the cryptographic pair, namely the first node second public key (P.sub.2C), has the following relationship:
P.sub.2C=V.sub.2C×G (Equation 6)

(84) Substitution of V.sub.2C from Equation 5 into Equation 6 provides:
P.sub.2C=(V.sub.1C+GV)×G (Equation 7)
where the ‘+’ operator refers to elliptic curve point addition. Noting that elliptic curve cryptography algebra is distributive, Equation 7 may be expressed as:
P.sub.2C=V.sub.1C×G+GV×G (Equation 8)

(85) Finally, Equation 1 may be substituted into Equation 7 to provide:
P.sub.2C=P.sub.1C+GV×G (Equation 9.1)
P.sub.2C=P.sub.1C+SHA-256(M)×G (Equation 9.2)

(86) Thus the corresponding first node second public key (P.sub.2C) can be derivable given knowledge of the first node master public key (P.sub.1C) and the message (M). The second node 7 may have such knowledge to independently determine the first node second public key (P.sub.2C) as will be discussed in further detail below with respect to the method 400.

(87) Generate a First Signed Message (SM1) Based on the Message and the First Node Second Private Key 350

(88) The method 300 further includes generating 350 a first signed message (SM1) based on the message (M) and the determined first node second private key (V.sub.2C). Generating a signed message includes applying a digital signature algorithm to digitally sign the message (M). In one example, this includes applying the first node second private key (V.sub.2C) to the message in an Elliptic Curve Digital Signature Algorithm (ECDSA) to obtain the first signed message (SM1).

(89) Examples of ECDSA include those based on ECC systems with secp256k1, secp256r1, secp384r1, se3cp521r1.

(90) The first signed message (SM1) can be verified with the corresponding first node second public key (P.sub.2C) at the second node 7. This verification of the first signed message (SM1) may be used by the second node 7 to authenticate the first node 3, which will be discussed in the method 400 below.

(91) Determine a Second Node Second Public Key 370′

(92) The first node 3 may then determine 370 a second node second public key (P.sub.2S). As discussed above, the second node second public key (P.sub.2S) may be based at least on the second node master public key (P.sub.1S) and the Generator Value (GV). In this example, since the public key is determined 370′ as the private key with elliptic curve point multiplication with the base point (G), the second node second public key (P.sub.2S) can be expressed, in a fashion similar to Equation 6, as:
P.sub.2S=V.sub.2S×G (Equation 10.1)
P.sub.2S=P.sub.1S+GV×G (Equation 10.2)

(93) The mathematical proof for Equation 10.2 is the same as described above for deriving Equation 9.1 for the first node second public key (P.sub.2C). It is to be appreciated that the first node 3 can determine 370 the second node second public key independently of the second node 7.

(94) Determine the Common Secret 380 at the First Node 3

(95) The first node 3 may then determine 380 the common secret (CS) based on the determined first node second private key (V.sub.2C) and the determined second node second public key (P.sub.2S). The common secret (CS) may be determined by the first node 3 by the following formula:
S=V.sub.2C×P.sub.2S (Equation 11)
Method 400 Performed at the Second Node 7

(96) The corresponding method 400 performed at the second node 7 will now be described. It is to be appreciated that some of these steps are similar to those discussed above that were performed by the first node 3.

(97) The method 400 includes receiving 410 the message (M), over the communications network 5, from the first node 3. This may include the message (M) sent by the first node 3 at step 315. The second node 7 then determines 420 a Generator Value (GV) based on the message (M). The step of determining 420 the Generator Value (GV) by the second node 7 is similar to the step 320 performed by the first node described above. In this example, the second node 7 performs this determining step 420 independent of the first node 3.

(98) The next step includes determining 430 a first node second public key (P.sub.2C) based on the first node master public key (P.sub.1C) and the Generator Value (GV). In this example, since the public key is determined 430′ as the private key with elliptic curve point multiplication with the base point (G), the first node second public key (P.sub.2C) can be expressed, in a fashion similar to Equation 9, as:
P.sub.2C=V.sub.2C×G (Equation 12.1)
P.sub.2C=P.sub.1C+GV×G (Equation 12.2)

(99) The mathematical proof for Equations 12.1 and 12.2 is the same as those discussed above for Equations 10.1 and 10.2.

(100) The Second Node 7 Authenticating the First Node 3

(101) The method 400 may include steps performed by the second node 7 to authenticate that the alleged first node 3, is the first node 3. As discussed previously, this includes receiving 440 the first signed message (SM1) from the first node 3. The second node 7 may then validate 450 the signature on the first signed message (SM1) with the first node second public key (P.sub.2C) that was determined at step 430.

(102) Verifying the digital signature may be done in accordance with an Elliptic Curve Digital Signature Algorithm (ECDSA) as discussed above. Importantly, the first signed message (SM1) that was signed with the first node second private key (V.sub.2C) should only be correctly verified with the corresponding first node second public key (P.sub.2C), since V.sub.2C and P.sub.2C form a cryptographic pair. Since these keys are deterministic on the first node master private key (V.sub.1C) and the first node master public key (P.sub.1C) that were generated at registration of the first node 3, verifying first signed message (SM1) can be used as a basis of authenticating that an alleged first node sending the first signed message (SM1) is the same first node 3 during registration. Thus the second node 7 may further perform the step of authenticating (460) the first node 3 based on the result of validating (450) the first signed message.

(103) The above authentication may be suitable for scenarios where one of the two nodes is a trusted node and only one of the nodes need to be authenticated. For example, the first node 3 may be a client and the second node 7 may be a server trusted by the client such as a wallet provider. Thus the server (second node 7) may need to authenticate the credentials of the client (first node 3) in order to allow the client access to the server system. It may not be necessary for the server to be authenticate the credentials of the server to the client. However in some scenarios, it may be desirable for both nodes to be authenticated to each other, such as in a peer-to-peer scenario.

(104) The Second Node 7 Determining the Common Secret

(105) The method 400 may further include the second node 7 determining 470 a second node second private key (V.sub.2S) based on the second node master private key (V is) and the Generator Value (GV). Similar to step 330 performed by the first node 3, the second node second private key (V.sub.2S) can be based on a scalar addition of the second node master private key (V.sub.1S) and the Generator Value (GV) according to the following formulas:
V.sub.2S=V.sub.1S+GV (Equation 13.1)
V.sub.2S=V.sub.1S+SHA-256(M) (Equation 13.2)

(106) The second node 7 may then, independent of the first node 3, determine 480 the common secret (CS) based on the second node second private key (V.sub.2S) and the first node second public key (P.sub.2C) based on the following formula:
S=V.sub.2S×P.sub.2C (Equation 14)
Proof of the Common Secret (CS) Determined by the First Node 3 and Second Node 7

(107) The common secret (CS) determined by the first node 3 is the same as the common secret (CS) determined at the second node 7. Mathematical proof that Equation 11 and Equation 14 provide the same common secret (CS) will now be described.

(108) Turning to the common secret (CS) determined by the first node 3, Equation 10.1 can be substituted into Equation 11 as follows:
S=V.sub.2C×P.sub.2S (Equation 11)
S=V.sub.2C×(V.sub.2S×G)
S=(V.sub.2C×V.sub.2S)×G (Equation 15)

(109) Turning to the common secret (CS) determined by the second node 7, Equation 12.1 can be substituted into Equation 14 as follows:
S=V.sub.2S×P.sub.2C (Equation 14)
S=V.sub.2S×(V.sub.2C×G)
S=(V.sub.2S×V.sub.2C)×G (Equation 16)

(110) Since ECC algebra is commutative, Equation 15 and Equation 16 are equivalent, since:
S=(V.sub.2C×V.sub.2S)×G=(V.sub.2S×V.sub.2C)×G (Equation 17)
The Common Secret (CS) and Secret Key

(111) The common secret (CS) may now be used as a secret key, or as the basis of a secret key in a symmetric-key algorithm for secure communication between the first node 3 and second node 7. This communication may be used to convey part of a private key, a representation of or identifier for a private key, or mnemonic for a private key. Therefore, once the invention has been used during set-up of, for example, a digital wallet or other controlled resource, secure communication between the parties can be performed thereafter.

(112) The common secret (CS) may be in the form of an elliptic curve point (xs, ys). This may be converted into a standard key format using standard publicly known operations agreed by the nodes 3, 7. For example, the xs value may be a 256-bit integer that could be used as a key for AES256 encryption. It could also be converted into a 160-bit integer using RIPEMD160 for any applications requiring this length key.

(113) The common secret (CS) may be determined as required. Importantly, the first node 3 does not need to store the common secret (CS) as this can be re-determined based on the message (M). In some examples, the message(s) (M) used may be stored in data store 13, 17, 19 (or other data store) without the same level of security as required for the master private keys. In some examples, the message (M) may be publicly available.

(114) However depending on some application, the common secret (CS) could be stored in the first data store (X) associated with the first node provided the common secret (CS) is kept as secure as the first node master private key (V.sub.1C).

(115) It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The word “comprising” and “comprises”, and the like, does not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. In the present specification, “comprises” means “includes or consists of” and “comprising” means “including or consisting of”. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system

Assignee

Inventors

Cpc classification

Classification Explorer

H04L2209/56

ELECTRICITY

Classification Explorer

G06Q20/3829

PHYSICS

Classification Explorer

H04L9/0861

ELECTRICITY

Classification Explorer

H04L9/085

ELECTRICITY

Classification Explorer

H04L9/3066

ELECTRICITY

Classification Explorer

G06Q20/3678

PHYSICS

Classification Explorer

G06Q2220/00

PHYSICS

Classification Explorer

H04L9/0825

ELECTRICITY

Classification Explorer

H04L9/3247

ELECTRICITY

Classification Explorer

H04L9/0894

ELECTRICITY

Classification Explorer

H04L9/3252

ELECTRICITY

Classification Explorer

H04L63/0442

ELECTRICITY

International classification

Classification Explorer

H04L9/08

ELECTRICITY

Classification Explorer

G06Q20/36

PHYSICS

Classification Explorer

G06Q20/38

PHYSICS

Classification Explorer

H04L9/30

ELECTRICITY

Classification Explorer

H04L9/32

ELECTRICITY

Classification Explorer

H04L9/40

ELECTRICITY

Abstract

Claims

Description