0Chain Signature Scheme for a Secure Wallet

Siva Dirisala
Zus Network
Feb 14, 2019

As a decentralized technology, a well designed blockchain does not take responsibility for managing client identities. Most open source blockchains, Bitcoin and Ethereum included, follow this approach, and 0Chain is no different. While identity management is not owned by the blockchain, the blockchain still specifies the cryptographic constructs a client has to follow. In this article, I discuss the digital signature scheme 0Chain chose and the reasoning behind it.

A blockchain is not concerned with a username or email address, the traditional notion of identity for an online service. Instead, it only requires cryptographic keys for creating digital signatures. The blockchain is concerned with just two things associated with a client:

  1. The state (think of token balances) of the client account
  2. The transaction authenticity, that is, that the transaction really comes from the client account and not from anyone else (there is no authentication or session management, so anyone can submit a transaction claiming to be anyone).

The unique identifier used to track the state of a client account can be the signing public key itself, or something derived uniquely from it, such as a hash of the key. 0Chain uses the SHA3-256 hash of the public key as the client id. The id is decoupled from the key in anticipation of potentially supporting concepts like key rotation in the future.

A digital signature on a message is like a fingerprint: the same message signed with a key gives a (practically) unique signature that can only be produced with that key. There are many signature schemes. One popular scheme that 0Chain evaluated in the early days was Ed25519, which performs very well (around 7,000 operations per second on a Core i7 3.1 GHz laptop). While Ed25519 worked well, 0Chain has been researching how to provide a more secure wallet so that users' hard earned tokens are not stolen by malware.

The strongest protection against malware is a hardware wallet. However, hardware wallets are harder to use, cost money, and are one more piece of equipment to carry when travelling. Hence, 0Chain engaged a research team from IIT-Madras, India, and came up with a novel approach that provides a secure wallet using only software and devices most people already carry: a laptop and a mobile phone.

Let's first briefly discuss, in non-technical terms, how digital signatures work. If you are a security expert, please bear with the simplified description.

Say you have generated a key pair with public key 17 and private key 29, and say you sign a message (in practice the hash of the message), 7, with your private key and obtain the signature 12. Anyone can then take the original message (7), the signature (12) and your public key (17) and check that the signature was indeed produced by the private key (29). This is done by applying a verification function to 7, 12 and 17; the private key itself is never needed, or revealed, for verification. It is the signature scheme that provides this ability to check that a signature is authentic. Most modern public-key cryptography is based on elliptic curves. Note that the actual values are 256 bits long and hence much, much bigger (of the order of 10⁷⁷).

To secure a digital wallet it is essential that the private key is not compromised. One of the strongest ways to achieve this is to split the key into two (or more) parts and store each part on a separate device. At no point, and on no single device, should the parts be combined back into the original key. Then the loss of any single device, or malware on any one of the devices, still leaves the original private key uncompromised. For this to work we need a scheme that signs the message with each partial key and combines the signatures, rather than combining the keys. Luckily there is such a scheme: BLS. It is based on bilinear pairings over elliptic curves. That may sound like a mouthful, but it is really quite simple (to understand at a high level, maybe not to invent!).

Under this scheme you can literally break your private key into two parts (sk = sk1 + sk2), sign the message separately with each part, and then combine the individual signatures. Because a BLS signature is the message (hashed to a curve point) multiplied by the private key, the signature is linear in the key: the combined signature is exactly the same as if the message had been signed with the original private key. Both parts must sign the same message for this to hold.

To continue the example, the secret key 29 is split into 13 and 16 and the two parts are stored on two separate devices. The message 7 is signed separately with 13 and with 16, giving, say, 6 and 2; combining these with a special function (multiplication in this toy example) gives 12, the same signature obtained by signing with the original private key. The best part is that, as far as the blockchain is concerned, it only knows the client with public key 17 and knows nothing about the split private keys or their associated public keys. This also means the user can rotate the split keys whenever needed, since the only requirement is that they literally add up to the original private key. Rotation does not even require reassembling the key: adding a random value to one part and subtracting the same value from the other yields a fresh pair with the same sum.

The scheme above already provides strong security, but we make it stronger still by optionally requiring a PIN. Essentially, on one of the devices, instead of storing the whole partial key we store only part of it; in other words, think of the key as split into three parts, sk1, sk2 and sk3, instead of two. Before signing, that device combines its stored sk2 with the PIN to derive sk3, signs, and the signatures are combined as before. So in the rare event that both devices are lost, or both are compromised, the PIN still stands between the attacker and the wallet. One caveat: an attacker who holds both stored parts can test PIN guesses offline against the public key, so sk3 should be derived with a deliberately slow key derivation function and the PIN needs enough entropy to make that search expensive; a short numeric PIN on its own raises the cost of the attack rather than ruling it out.
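The split-key flow described above, as an added worked example that is not 0Chain's code (the project's own implementation uses a pairing-based BLS library): it shows the additive key split, signing with each part, combining the partial signatures, rotating the parts without reconstructing the key, the PIN-derived third part, and the offline PIN-guessing check an attacker holding both stored parts can run. Because the additive property depends only on the elliptic-curve group and not on the pairing, the example uses the standard secp256k1 group as a stand-in for the BLS signature group; the pairing-based verification a blockchain node would run is therefore not reproduced, and the example instead checks that the combined signature equals the signature produced by the unsplit key. The PIN derivation (PBKDF2-HMAC-SHA256 with the stored part as salt), the hash-to-curve method, the sample message and the PIN are assumptions made for illustration.

```python
"""Additive key splitting for BLS-style signatures, sig = sk * H(m).
Illustrative example, not 0Chain's code: secp256k1 stands in for the BLS
group; the pairing check a verifying node would run is out of scope."""
import hashlib
import secrets
from functools import reduce

# secp256k1 domain parameters (standard values; real BLS needs a pairing-friendly curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Curve group law; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add; scalars live in Z_N, so k and k mod N agree
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def hash_to_curve(msg):
    """Try-and-increment hash to a point (assumed method); P = 3 mod 4 makes sqrt one pow()."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha3_256(msg + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)

def sign(sk, msg):  # BLS-style: the message point scaled by the (partial) key
    return ec_mul(sk, hash_to_curve(msg))

def combine(*sigs):  # partial signatures are combined by group addition, never the keys
    return reduce(ec_add, sigs, None)

def split(sk):
    """sk = sk1 + sk2 (mod N); each part alone is a uniformly random scalar."""
    sk1 = secrets.randbelow(N)
    return sk1, (sk - sk1) % N

def refresh(sk1, sk2):
    """Rotate the parts without ever reconstructing sk: the sum is unchanged."""
    r = secrets.randbelow(N)
    return (sk1 + r) % N, (sk2 - r) % N

def pin_share(sk2, pin, iterations=20_000):
    """sk3 from the stored part and the PIN. Assumed KDF (PBKDF2-HMAC-SHA256,
    sk2 as salt); the article does not name one. Deliberately slow."""
    raw = hashlib.pbkdf2_hmac("sha256", pin.encode(), sk2.to_bytes(32, "big"), iterations)
    return int.from_bytes(raw, "big") % N

def split_with_pin(sk, pin):
    """sk = sk1 + sk2 + sk3 with sk3 = KDF(sk2, pin); the second device stores only sk2."""
    sk2 = secrets.randbelow(N)
    return (sk - sk2 - pin_share(sk2, pin)) % N, sk2

def guess_pin(sk1, sk2, pk, candidates):
    """Offline attack given BOTH stored parts: a guess is right when it rebuilds pk.
    A 4-digit PIN is at most 10_000 such checks; only the KDF cost slows them."""
    for pin in candidates:
        if ec_mul(sk1 + sk2 + pin_share(sk2, pin), G) == pk:
            return pin
    return None

def demo(msg=b"transfer 10 tokens to client 0a", pin="4071"):  # constructed sample inputs
    """True when each split variant reproduces the unsplit-key signature."""
    sk, pk = keygen()
    full = sign(sk, msg)
    sk1, sk2 = split(sk)
    ok_split = combine(sign(sk1, msg), sign(sk2, msg)) == full
    sk1r, sk2r = refresh(sk1, sk2)
    ok_refresh = sk1r != sk1 and combine(sign(sk1r, msg), sign(sk2r, msg)) == full
    a, b = split_with_pin(sk, pin)
    ok_pin = combine(sign(a, msg), sign(b + pin_share(b, pin), msg)) == full
    bad_pin = combine(sign(a, msg), sign(b + pin_share(b, "0000"), msg)) != full
    return ok_split and ok_refresh and ok_pin and bad_pin and guess_pin(a, b, pk, ["0000", pin]) == pin
```

Running demo() exercises every step: the two partial signatures add up to the unsplit-key signature, the refreshed parts still do, the PIN-derived part restores the key only with the right PIN, and guess_pin shows why the PIN alone is a weak last line of defence once both stored parts leak.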

[Figure: 0Chain Secure Wallet Flow with Split Keys]

Note that all of this works with standard mnemonic (word list) based key generation, so you can store your word list safely and reconstruct your primary key should you ever need to.

As with many features of our blockchain, the signature scheme is configurable. So if a forked chain wants speed and is less concerned about the extra wallet security, it can still run with ed25519. Mainnet will launch with our scheme, selected by setting the signature scheme to bls0chain.
