2-Party Bip32
Introduction:
Bip32 describes hierarchical deterministic wallets, which can be shared partially or entirely with different systems, each with or without the ability to spend coins. This technique has been used in the blockchain world widely.
This library basing on "Garbled Circuit" offers an MPC 2-2 method to produce master-key shares and the associated child key shares without recovering any private keys. Moreover, the produced shares are compatible with our HTSS Library.
Warning:
This library has Not been audited. If you want to use it at your own risk.
Table of Contents:
Implementations:
This library is consist of Garble Circuit, OT, and Bip32.
Garble circuit:
Garbled circuit is a cryptographic protocol that enables two-party secure computation in which two mistrusting parties can jointly evaluate a function over their private inputs without the presence of a trusted third party.
We implement the "Garbled Circuit" according to the paper: Two Halves Make a Whole Reducing data Transfer in Garbled Circuits using Half Gates and improve its security according to the paper Better Concrete Security for Half-Gates Garbling.
The used boolean circuit is Bristol fashion.
In this library, we construct two special boolean circuits:
- MPCSEED
- MPCHMAC
OT:
Our implementation are based on Blazing Fast OT for Three-Round UC OT Extension.
2-party Bip32:
We offer two protocols here and explain these as follows.
Note
In this version, we assume that the security model is "Semi-Honest":
Semi-Honest (Passive) Security: In this case, it is assumed that corrupted parties merely cooperate to gather information out of the protocol, but do not deviate from the protocol specification. This is a naive adversary model, yielding weak security in real situations. However, protocols achieving this level of security prevent inadvertent leakage of information between (otherwise collaborating) parties, and are thus useful if this is the only concern. In addition, protocols in the semi-honest model are quite efficient, and are often an important first step for achieving higher levels of security.
Seed:
There are two roles in our protocol called Alice and Bob.
Alice and Bob will choose own seed called AliceSeed and BobSeed respectively. Then after the the protocol, Alice (resp. Bob) will get her(resp. his) share.
Briefly describe the idea:
- Alice chooses a secret seed s_A and a secret random value r_A and Bob also chooses a secret seed s_B and a secret random value r_B.
- Two parties perform garbled circuits with inputs s_A, s_B, r_A and r_B to learn own result.
Alice learns m_A := I_L + r_B mod N and Bob learns m_B := I_L + r_A mod N. (Note: Alice(resp. Bob) does not know I_L and r_B(resp. r_A).) Here I = I_L || I_R = HMAC512("Bitcoin seed",s_A||S_B) and
N is the order of the elliptic curve group of secp256k1.
- Applying hash commitments can fix the values m_A * G , m_B * G, r_B * G and r_A *G. These data can determine the public key P := m_A * G - r_B * G = m_B * G - r_A *G.
(Note that: P = parse_256(I_L)).
More details can be found in here.
Remark:
- The private seed is AliceSeed || BobSeed. Here || means "concatenate".
- In our setting, the bit length of AliceSeed and BobSeed are both 256. Therefore, the corresponding "seed" is always 512 bit.
ChildShare:
The difficult part here is
the case: hardened key.
There are still two roles in our protocol called Alice and Bob.
Alice (resp. Bob) uses her(resp. his) private input(i.e. share) to compute the own children share. And they can use children share as inputs of our TSS-sign to sign a transaction. In these processes, any private keys do not be recovered.
Briefly describe idea:
- Two parties use the protocol Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution to lean the HMAC512(chain-code, "private key").
The Quid Pro Quo-tocols can guarantee two parties learning the same output.
Examples:
If you are interested in it, please see our tests:
- Seed Part.
- Child share Part.
References:
- Two Halves Make a Whole Reducing data Transfer in Garbled Circuits using Half Gates
- Better Concrete Security for Half-Gates Garbling
- Bristol fashion
- Blazing Fast OT for Three-Round UC OT Extension
- Quid Pro Quo-tocols: Strengthening Semi-Honest Protocols with Dual Execution
- TinyGarble
- Secure multi-party computation
- JIGG
Other Libraries:
- SPDZ-2
- Obliv-C
- unboundsecurity