Computer implementation system and method for providing a decentralized protocol for the recovery of crypto assets

A decentralized protocol using a Congress of blockchain network users with shared private key shares and a recovery password addresses the challenge of private key loss in crypto assets, ensuring secure and efficient recovery with low-entropy passwords and deterrents against attacks.

JP7881643B2Active Publication Date: 2026-06-29NCHAIN LICENSING AG

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
NCHAIN LICENSING AG
Filing Date
2024-05-09
Publication Date
2026-06-29

AI Technical Summary

Technical Problem

The loss of private keys for crypto assets, particularly in blockchain systems like Bitcoin, poses a significant barrier to the widespread adoption of cryptocurrencies due to the lack of secure and effective decentralized mechanisms for asset recovery.

Method used

A decentralized protocol utilizing a threshold signature scheme involving a group of users (Congress) on the blockchain network, where each member holds a private key share, allows access to digital assets using a shared private key and a recovery password (RPw), ensuring secure recovery without requiring multiple signatures for normal access, and incorporating a recovery deposit to deter attacks.

Benefits of technology

This method provides a secure and user-friendly mechanism for recovering crypto assets by leveraging a consensus-imposed cost, reducing the risk of brute-force attacks and ensuring asset recovery even with low-entropy passwords, thus enhancing the security and usability of blockchain-based systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007881643000010
    Figure 0007881643000010
  • Figure 0007881643000011
    Figure 0007881643000011
  • Figure 0007881643000001
    Figure 0007881643000001
Patent Text Reader

Abstract

To provide a method for enabling recovery of one or more digital assets held on a blockchain by a user under a public key Pk after a corresponding private key Sk for accessing the digital assets is lost.SOLUTION: In the method, the digital assets are held on the blockchain under the public key Pk and made accessible using the corresponding private key Sk of the user. The access to the digital assets is set to allow the access using a private key x shared by a congress on the blockchain. The congress has a group of users on the blockchain, and each member of the congress has a private key share xi to be used in a threshold signature scheme. In response to the private key Sk being lost, the congress is notified by the user to access the digital assets on behalf of the user. The user proves their identity to the congress by providing a recovery password RPw.SELECTED DRAWING: Figure 1
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] This specification generally relates to decentralized protocols for the recovery of crypto assets in the event of loss of private keys. The invention is particularly suited for use with the Bitcoin blockchain, but is not limited thereto. [Background technology]

[0002] In this document, we use the term “blockchain” to include all forms of electronic, computer-based distributed ledgers. These include consensus-based blockchain and transaction chain technologies, permissioned and unpermissioned ledgers, shared ledgers, and variations thereof. The most widely known application of blockchain technology is the Bitcoin ledger, although other blockchain implementations have been proposed and developed. While Bitcoin may be referred to herein for explanatory purposes for convenience, it should be noted that the present invention is not limited to use with the Bitcoin blockchain, and alternative blockchain implementations and protocols are within the scope of the present invention.

[0003] A blockchain is a consensus-based electronic ledger, implemented as a computer-based, decentralized, distributed system composed of blocks consisting of transactions and other information. In the case of Bitcoin, each transaction is a data structure that encodes the transfer of control of a digital asset between participants in the blockchain system, and includes at least one input and at least one output. Each block contains a hash of the previous block so that the blocks chain together to form a permanent and immutable record of all transactions that have been written to the blockchain since its inception. Transactions contain small programs known as scripts embedded in their inputs and outputs. The scripts specify how and by whom the output of a transaction can be accessed. On the Bitcoin platform, these scripts are written using a stack-based scripting language.

[0004] For a transaction to be written to the blockchain, it must be "validated." Several network nodes act as miners, performing the task of verifying that each transaction is valid, and invalid transactions are rejected from the network. For example, a software client installed on a node performs this validation task on transactions that refer to an unspent transaction output (UTXO). Validation may be performed by executing its locking and unlocking scripts. If the execution of the locking and unlocking scripts is TRUE, and certain other conditions are met, the transaction is valid and can be written to the blockchain. Therefore, for a transaction to be written to the blockchain, it must be i) validated by the first node receiving the transaction, and if the transaction is validated, the node relays it to other nodes in the network, ii) added to a new block constructed by miners, and iii) mined, i.e., added to the public ledger of past transactions. A transaction is considered confirmed when a sufficient number of blocks have been added to the blockchain to make the transaction truly irreversible.

[0005] While blockchain technology is most widely known for its use in cryptocurrency implementation, digital entrepreneurs are beginning to explore the use of both the cryptographic security system on which Bitcoin is based and the data that can be held on the blockchain to implement new systems. Blockchain offers significant advantages when used for automated tasks and processes that are not limited to the realm of crypto assets. Such solutions can broaden their applications while leveraging the benefits of blockchain (e.g., permanent tamper-proof recording of events, distributed processing, etc.).

[0006] One area of research is the use of blockchain for the implementation of "smart contracts". These are computer programs designed to automate the execution of the terms of a contract or agreement that can be decoded by a machine. Unlike conventional contracts written in natural language, smart contracts are machine-executable programs with rules that can process inputs to produce results, which can then trigger actions to be taken depending on those results.

[0007] Another area of interest regarding blockchain is the use of 'tokens' (or 'colored coins') to represent and transfer real-world entities via blockchain. Potentially confidential or secret items can be represented by tokens that have no recognizable meaning or value. Thus, tokens serve as identifiers that enable real-world items to be referenced from the blockchain.

[0008] The following documents disclose background information regarding threshold signature schemes and backup techniques for blockchain technology.

[0009] Pratyush Dikshit and Kunwar Singh ("Efficient weighted threshold ECDSA for securing bitcoin wallet", ISEA Asia Security and Privacy, 2017) (Non-Patent Document 1) disclose a threshold signature scheme for a bitcoin wallet, more specifically, a type of threshold signature scheme where different groups of participants require different numbers of other participants to reach the threshold for the threshold signature scheme.

[0010] Goldfeder et al. ("Securing Bitcoin wallets via a new DSA / ECDSA threshold signature scheme", 8 March 2015) (Non-Patent Literature 2) also describes a threshold signature scheme in which digital assets can only be accessed by a threshold number of members of a group of participants using a private key sharing scheme.

[0011] Two posts by user "etheipi" on bitcointalk (January 29, 2013, topic 139625 and March 9, 2013, topic 149820) (Non-Patent Literature 3) relate to a scheme in which a hard paper backup copy of a wallet can be divided into a number of different fragments, thereby allowing a user to reconstruct the wallet using a threshold number of hard copy backup fragments if necessary. [Prior art documents] [Non-patent literature]

[0012] [Non-Patent Document 1] Pratyush Dikshit and Kunwar Singh, “Efficient weighted threshold ECDSA for securing bitcoin wallet”,ISEA Asia Security and Privacy,2017 [Non-Patent Document 2] Goldfeder et al., “Securing Bitcoin wallets via a new DSA / ECDSA threshold signature scheme”, 8 March 2015 [Non-Patent Document 3] Two posts by user "etheipi" on bitcointalk (January 29, 2013, topic 139625 and March 9, 2013, topic 149820) [Overview of the project]

[0013] Recovering crypto assets in the event of private key loss is a well-known unsolved problem in cryptocurrencies. The lack of a secure and effective decentralized mechanism to achieve this is generally recognized as one of the biggest barriers to widespread adoption.

[0014] This specification relates to a method for enabling the recovery of digital assets held on the blockchain under a public key PK after the corresponding private key SK for accessing the digital assets has been lost. The method involves setting up access to a digital asset held on the blockchain under a public key PK and accessible using the user's corresponding private key SK, so that the digital asset can also be accessed using a private key shared by the user's congress on the blockchain network using a threshold signature scheme. When a user loses their private key SK, they can notify the congress to access the digital asset on their behalf using a threshold signature scheme, and the user proves their identity to the congress by providing a recovery password RPW.

[0015] According to one aspect described herein, a computer-based method for enabling the recovery of one or more digital assets held on a blockchain by a user under a public key Pk after the loss of a corresponding private key Sk for accessing one or more digital assets, The system includes setting access to one or more digital assets held on the blockchain under the public key Pk and accessible using the user's corresponding private key Sk, so that the one or more digital assets can also be accessed using the private key x shared by Congress on the blockchain, The Congress has a group of users on the blockchain, and each member of the Congress has a private key share x i It has the private key share x iThis is used in a threshold signature scheme where at least a threshold of private key share is used to generate a valid signature through the combination of partial signatures of the Congress and to access the one or more digital assets on behalf of the user. This means that if the private key Sk is lost, the Congress may be notified by the user to access the one or more digital assets using the threshold signature scheme on behalf of the user, and the user proves their identity to the Congress by providing a recovery password RPw. A method performed by the aforementioned computer is provided.

[0016] The method described above uses a threshold signature scheme in the form of a congress to recover assets. The difference between this method and the more standard multi-signature method is that an account is configured to be accessible by one user using their private key, and if the user loses their private key and is unable to access their assets, then access is only possible when requested by the user, by the congress using its shared private key system. As such, unless the user loses their private key, multiple signatures are not usually required for a user to access their assets. In such a situation, the congress may then be notified to access the account on behalf of the user.

[0017] The system incorporates a certain level of security in that it requires agreement to access assets on behalf of the user when requested and when the correct recovery password is entered. That is, a threshold number of members can verify the validity of the user request before the assets can be accessed. In this way, the system combines the ease of use of a single-signature system with the security of a multi-signature system. The congress may be configured to use the private key share only to generate and output a partial signature, provided that agreement on the decision to do so is adhered to.

[0018] To enhance the system's robustness against attacks, higher levels of security and incentives may be provided. For example, a recovery password may be set, which is used as part of the validation protocol for user requests to Congress to access assets. The process of setting up access to digital assets may be initiated by transaction T1, which is sent to Congress on the blockchain. Transaction T1 indicates a desire to set a recovery password to access one or more digital assets held under a public key Pk. A recovery deposit may be set, which must be provided when an attempt is made to recover one or more digital assets. In this regard, recovery deposit data may be supplied in transaction T1, for example, in the metadata of transaction T1. That is, the recovery deposit statement may be included in T1 as metadata. The recovery deposit is recovered if the recovery is successful (minus the recovery fee paid to Congress's product) and lost if the recovery is unsuccessful. Thus, setting a recovery deposit can deter an attacker from attempting to access the account multiple times, as they will lose the recovery deposit each time their attempt fails.

[0019] The process of setting up access to digital assets may further include mapping data associated with a recovery password RPw to data associated with a private key x shared by the Congress on the blockchain network. The mapping may involve combining data associated with the private key x shared by the Congress on the blockchain network with data associated with the recovery password RPw. For example, data associated with the recovery password RPw may be combined with data associated with the private key x shared by the Congress so as to constitute a mapping from the recovery password onto the private key x shared by the Congress, and the mapping itself does not indicate anything with respect to either the private key x shared by the Congress or the recovery password RPw. The mapping may then be held on the blockchain, thereby separating the information necessary to access one or more digital assets into a public mapping held on the blockchain and a private private key shared by the Congress. Furthermore, the mapping saved on the blockchain is configured such that the mapping itself does not indicate anything with respect to either the private key x shared by the Congress or the recovery password RPw.

[0020] Using such a binding, mapping, and / or recovery deposit procedure enables a recovery process in which the user can prove their identity to Congress by providing a password. This password can be arbitrarily low-entropy (and therefore easily memorized), while the protocol remains secure (especially secure against brute-force attacks on the recovery password). For example, the recovery password RPw can have lower entropy than the private key Sk, and a 6, 5, 4, 3, or 2-digit PIN is sufficient as long as the system remains secure (e.g., as long as the recovery deposit is properly modified).

[0021] An example of a method to achieve the above mapping from a recovery password to an existing secret amount (congress secret key) may include one or more of the following steps: Encrypting data associated with each private key share using a public key Pk associated with one or more digital assets, or concatenating a public key Pk with the hash of a block header; Here, the data related to each private key share is quantity g. xi It has a quantity g xi Each transaction, including this one, is associated with a member of the Congress; Quantity g from each member of the Congress xi Check to ensure consistency; quantity g xi However, when checked to ensure consistency, the following

number

[0022] After generating the mapping, the mapping data can be signed using the private key Sk and mined on the proof-of-work blockchain where the account resides. For example, the mapping data can be mined on the proof-of-work blockchain by transaction T2, which references the account's public key Pk.

[0023] The above procedure may be used to set a recovery password. A computer-implemented method for recovering one or more digital assets on a blockchain with access to the above setting is then provided. The method involves accessing one or more digital assets using a threshold signature scheme when the Congress receives a transaction indicating the user's desire to recover one or more digital assets when the user has lost their private key to access the assets. It should be noted that this alternative method is considered to be used only when the user has lost their private key, as initiating the transfer of assets is a costly method compared to using the private key Sk.

[0024] A transaction sent to the Congress indicating a desire to recover one or more digital assets may further identify a recovery public key. Thus, after accessing one or more digital assets, those digital assets may be transferred to the recovery public key. Furthermore, a transaction sent to the Congress indicating a desire to recover one or more digital assets may further include a recovery deposit. As mentioned above, the recovery deposit can be recovered if the recovery is successful (minus the recovery fee paid to the members of the Congress), but is lost if the recovery is unsuccessful. Thus, setting a recovery deposit can deter an attacker from attempting to access the account multiple times. For example, after receiving a transaction indicating a desire to recover one or more digital assets, the Congress may initiate a challenge period in which it monitors the blockchain for veto transactions from the owners of one or more digital assets. If a valid veto transaction is observed (i.e., a veto transaction signed by Sk), the recovery of the one or more digital assets is aborted, and any recovery deposit is forfeited. If no valid rejection transaction is observed, recovery can proceed by verifying that the data corresponding to the recovery password, the data related to the private key share, and the mapping data all match. If they match, one or more digital assets in the account can be recovered by Congress using their threshold key sharing systems. If they do not match, recovery of one or more digital assets in the account will be halted, and any recovery deposits will be forfeited.

[0025] In one configuration, after the challenge period, a second transaction is required to proceed with the recovery of one or more digital assets. The second transaction sent to Congress to recover the assets may contain data corresponding to the recovery password RPw. By verifying the data corresponding to the recovery password, recovery can proceed; if verified as correct, one or more digital assets are recovered; if incorrect, recovery of one or more digital assets is halted, and any recovery deposit is forfeited. Congress may initiate a temporary proof-of-stake blockchain (e.g., the so-called ghost chain described below) to verify the data corresponding to the recovery password.

[0026] The computer-based methods described herein can be implemented by providing a computer-readable storage medium having computer-executable instructions, which, when executed, cause a processor to perform the methods described herein. Furthermore, an electronic device can be provided having an interface device, a processor coupled to the interface device, and a memory coupled to the processor storing computer-executable instructions, which, when executed, causes the processor to perform the methods described herein.

[0027] The inventions described herein differ from the prior art discussed in the background section presented below.

[0028] Pratyush Dikshit and Kunwar Singh ("Efficient weighted threshold ECDSA for securing bitcoin wallet", ISEA Asia Security and Privacy, 2017) (Non-Patent Literature 1) disclose a threshold signature scheme for a Bitcoin wallet, more specifically a kind of threshold signature scheme where different groups of participants require different numbers of other participants to reach a threshold for the threshold signature scheme. There is no disclosure or suggestion of setting up access to digital assets held on the blockchain for one user under a public key PK and accessible using the corresponding private key SK of one user, so that only if the private key SK is lost, the user can notify the Congress to access one or more digital assets on their behalf using the threshold signature scheme, and the user provides proof of their identity to the Congress by supplying a recovery password RPW.

[0029] Goldfeder et al. ("Securing Bitcoin wallets via a new DSA / ECDSA threshold signature scheme", 8 March 2015) (Non-Patent Literature 2) also describes a threshold signature scheme in which digital assets can only be accessed by a threshold number of members of a group of participants using a private key sharing scheme. As before, the relevant public and private keys are provided to a single access account, the threshold signature scheme is used only if the private key is lost, Congress is notified by the user to access the digital assets using the threshold signature scheme on behalf of the user, and there is no disclosure or suggestion that the user proves their identity to Congress by providing a recovery password (RPW).

[0030] Both of the above documents concern threshold signature schemes that are always used to access assets and require signatures from a threshold number of users on the blockchain network. Such threshold signature schemes are known in the technology and are useful for enhancing security and preventing a single user from accessing and moving digital assets. Such schemes also have the additional effect that if a member of a group of users loses their private key, the digital assets remain accessible to a threshold number of other users. However, such a configuration has the drawback that, because a large number of users always need to access the digital assets, this system is inconvenient for a single user who wants to set up a system that allows access to digital assets without the need for any other users, but still requires a means to access their digital assets if they lose their private key. The present invention addresses this problem of private key loss by utilizing a threshold signature scheme as a means to recover assets while verifying their identity with a recovery password when an individual user loses their private key.

[0031] Two posts by user "etheipi" on bitcointalk (January 29, 2013, topic 139625 and March 9, 2013, topic 149820) (Non-Patent Literature 3) relate to a scheme in which a hard paper backup copy of a wallet can be divided into a number of different fragments, thereby allowing a user to reconstruct the wallet using a threshold number of hard copy backup fragments if necessary. None of these disclosures relate to the use of Congress, which has a group of users on the blockchain network, each member having a key share used in the threshold signature scheme. There is no disclosure or suggestion that, if a user loses their private key, they can prove their identity to Congress by supplying a recovery password RPW and notify members of Congress to use the threshold signature scheme to access digital assets on their behalf. The two posts concern the problem of a single user losing access to their digital assets. Prior art methods that provide backup systems take the form of printed paper copies of private digital keys. However, this raises security risks if such paper copies are stolen. The methods described in those posts provide a solution in which a backup copy is divided into multiple fragments that can be reconstructed by users. This is a different solution from the one provided herein, which instead uses a threshold signature scheme involving multiple users on a blockchain network.

[0032] These and other aspects of the present invention will be described with reference to and will become apparent from the embodiments described herein. Embodiments of the present invention will be described hereby, merely as examples, with reference to the accompanying drawings. [Brief explanation of the drawing]

[0033] [Figure 1] This shows the scheme for the password setting procedure. [Figure 2]This shows a scheme for a password recovery protocol. [Modes for carrying out the invention]

[0034] [overview] It is estimated that more than 2,700 Bitcoins have been effectively lost due to hard drive crashes or loss of private keys [https: / / www.cryptocoinsnews.com / thousands-bitcoins-lost-time / ]. When credentials are lost, coins that may be worth billions of dollars are locked in unusable wallets.

[0035] Using easy-to-remember passwords for wallet recovery seemed like a feasible and more effective measure to take. So-called brainwallets use simple passwords that can be memorized in the user's 'brain' to recover funds in case the private key is lost. Nevertheless, hackers and researchers have proven that brute-force attacks to recover passwords and steal funds are relatively easy to carry out.

[0036] Key stretching, a technique that uses multiple difficult-to-optimize hash functions to obtain a private key from a simple password, helps make attacks more computationally expensive, but it does not guarantee future security. In fact, new hardware with improved computing power may be developed, making the computational challenges more affordable from a cost and feasibility standpoint. Furthermore, the security of stretched keys decreases as the value of the fund in the account (assuming computer time is at a statutory price) increases. This is because the payoff if it is cracked would be many times the investment required to crack it.

[0037] This specification presents a first, not entirely reliable, solution for recovering funds in the event of loss of private keys, while maintaining a certain level of security against brute-force hacking attacks. It is of interest to users who have lost the ability to allow their funds to be moved by "normal means" (more precisely, lost control of their private keys) and who wish to recover those funds. Our solution utilizes the Congresses and Ghost Chains protocols to effectively replace the computational cost of key stretching with a consensus-imposed cost, which is only imposed when attempts to recover funds are unsuccessful.

[0038] The security and functionality of cryptocurrency transactions depend heavily on the secure storage and protection of private keys. The main problem is the theft or loss of user private keys. The inability to recover lost passwords, private keys, or funds has been cited as a significant barrier to the widespread adoption of cryptocurrencies [Extance, A. (2015). Bitcoin and beyond. Nature, 526(7571), 21. http: / / www.nature.com / polopoly_fs / 1.18447! / menu / main / topColumns / topLeftColumn / pdf / 526021a.pdf]. In fact, losing a Bitcoin private key may seem at first glance similar to losing an online banking password. However, there are at least two important differences: (i) In banking systems, transactions are traceable and reversible, and stolen funds may be recovered by discarding fraudulent transactions [Eskandari, S., Barrera, D., Stobert, E., & Clark, J. (2015, February). A first look at the usability of bitcoin key management. In Workshop on Usable Security (USEC). https: / / users.encs.concordia.ca / ~clark / papers / 2015_usec.pdf], but this is obviously impossible in the case of crypto assets like Bitcoin, as transactions are irreversible and there is no central authority to arbitrate in case of fraud; (ii) Banking passwords are recoverable in exchange for the user proving their identity to the banking number. This specification provides an equivalent solution to (ii) for cryptographic systems (in particular, consensus-based distributed ledgers).

[0039] To address these concerns, various solutions have been proposed: users can choose from various types of wallets, such as web wallets that provide key management services, or they can store their private keys using cold storage, that is, in a location inaccessible from the internet. However, these services require trust in the provider [Antonopoulos, AM (2014). Mastering Bitcoin: unlocking digital cryptocurrencies. O'Reilly Media, Inc.; http: / / www.coindesk.com / information / how-to-store-your-bitcoins / ].

[0040] Online services that offer password recovery, such as wallet recovery services [http: / / www.coindesk.com / meet-man-will-hack-long-lost-bitcoin-wallet-money / ], generally have a low success rate of around 30%, depending on the information provided by the user, and the fee charged for this service is up to 20% of the wallet's value if recovery is successful. Note that such services can only be effective if the account holder has lost the password needed to decrypt their private key while keeping it encrypted.

[0041] Of particular interest is the idea of ​​Brainwallets [https: / / blog.ethereum.org / 2014 / 10 / 23 / information-theoretic-account-secure-brainwallets / ], where the private key is generated by hashing a sufficiently long password or passphrase created directly by the user [Franco, P. (2014). Understanding Bitcoin: Cryptography, engineering and economics. John Wiley & Sons]. This solution attempts to solve the key storage problem by eliminating the need for the password to be stored in the wallet itself, as it can be held in the user's brain. Online platforms such as https: / / brainwallet.io / , https: / / paper.dash.org / etc. can easily generate deterministic cryptocurrency addresses given a password / passphrase and some salt, i.e., random data used as additional input to a one-way hash function.

[0042] BrainWallet passwords must be both secure and memorable: security depends on the time required by an attacker to crack the password, while memorability depends on the amount of information that must be recalled. Clearly, the two aspects are inversely correlated and depend on the password entropy chosen [Franco, P. (2014). Understanding Bitcoin: Cryptography, engineering and economics. John Wiley & Sons].

[0043] One of the main problems associated with such types of wallets is undoubtedly the high incentive to attempt to decrypt the password, which enables an attacker to gain full access to the funds locked within the wallet itself. The attacker uses a brute force decryption algorithm to try numerous passwords and checks whether the generated addresses exist and contain funds. According to current technology, the chip can perform 36 two trials per second. [Courtois, N., Song, G., & Castellucci, R. (2016). Speed Optimizations in Bitcoin Key Recovery Attacks. IACR Cryptology ePrint Archive, 2016, 103. https: / / eprint.iacr.org / 2016 / 103.pdf; https: / / github.com / ryancdotorg / brainflayer] shows that even when complex passwords are used, the brain wallet is not secure and a new high-speed algorithm for scanning the blockchain for vulnerable keys is available. The presented attack succeeded in finding 16,250 passwords per second in red to hide and decoded over 18,000 brain wallet addresses. Furthermore, as described above, the decryption of the brain wallet becomes easier over time as hardware improves and is more profitable assuming an increase in the value of the cryptocurrency (which has been extremely important in the case of all major cryptocurrencies to date).

[0044] Moreover, in recent years, millions of real-world leaked passwords have become available to hackers, who can use them to reconstruct user habits and design faster algorithms [https: / / arstechnica.com / security / 2012 / 08 / passwords-under-assault / ].

[0045] A further potential vulnerability may arise when BrainWallet addresses obtained from the same password are stored on the blockchain as part of the transaction script. Guessing the password becomes easier when multiple addresses are obtained from the same seed.

[0046] To reduce the opportunity to reverse engineer a system while still keeping password entropy low, one option is to use a robust key derivation function. This process, also known as key stretching, is based on repeatedly applying a hash function that is difficult to optimize, such as SHA256 or SHA1, multiple times in succession (typically around 1000 times) [https: / / en.wikipedia.org / wiki / Key_stretching]. In this way, checking individual passwords becomes more time-consuming and costly, increasing the workload for an attacker. However, these solutions seem insufficient because they may not be effective in the future.

[0047] If a personal computer can perform approximately 6500 SHA-1 hashes per second, it's easy to see that key-stretching solutions immediately become insecure. The key-stretching problem uses 6500 rounds of hashes and can delay the user by about one second. From an attacker's perspective, since any normal password test typically requires one hash operation, using key-stretching doubles the attacker's workload. 16(Equivalent to the extra 16 bits of entropy added to a normal password.) Double it. According to Moore's Law, computer performance doubles every 1.5 years in terms of speed. This means that it may become possible to easily determine another bit of key stretching every 1.5 years. To maintain a certain level of security, the key stretching round should be doubled every 1.5 years, but this would require (i) a higher computational cost for users to perform key stretching, and (ii) that the designers of key stretching should take this aspect into account when determining the lifespan of the system. Blockchain miners can also be used to perform the computational tasks of the key stretching process 'while they are mining', thereby incurring little extra cost. Furthermore, this can be done without showing the user's password to the miners [https: / / en.wikipedia.org / wiki / Key_stretching]. However, such an arrangement would also allow miners to attempt to brute-force the user's password 'for free'. This defeats the entire purpose of key stretching.

[0048] Furthermore, as the value of cryptocurrencies increases, it becomes even more difficult to predict, providing further incentives for brute-force attacks on BrainWallet passwords, posing a serious threat to wallet security.

[0049] The solution proposed herein does not rely on key stretching techniques and uses a consensus mechanism for retrieving user passwords. Upon user request and payment of a recovery deposit (from which a fee may be deducted if recovery is successful), members of the Congress can validate the request, unlock the funds, and move them to a new address where the private key is known to the requester.

[0050] When discussing the details of decentralized protocols for the recovery of crypto assets in the event of loss of private keys, Congress and Ghost Chain protocols are mentioned, in that they are used in the configuration of the crypto asset recovery protocols described herein.

[0051] [Congress] Congresses can be run on a blockchain network. A Congress is an open-membership group that can be joined by any node in the blockchain network upon proposal of a sufficient contribution to the pool associated with the Congress. For example, a node can join a Congress by moving digital assets (e.g., Bitcoin), tokens, or other digital assets such as contributions or values ​​to resources (e.g., accounts) associated with the Congress. Congresses can be partially secured through the distributed generation of private key shares. Each private key share can be used by its owner to generate a partial signature for a transaction. A threshold signature scheme may be used to generate a valid signature for such a transaction using at least a threshold for the partial signature. Member deposits are subject to forfeiture in the event of malicious activity.

[0052] Through the distributed generation of key shares and the use of other security features, key shares are secured to prevent malicious activity by group members or non-group members. Such security, combined with the use of threshold signature schemes, enables the formation of autonomous, decentralized groups, which can be used for any one of a number of purposes. More specifically, threshold signature schemes enable groups to control digital assets that have been compromised by the public keys associated with that group. In this specification, such congress groups are used in decentralized protocols for the recovery of crypto assets in the event of loss of private keys.

[0053] A Congress may be formed in the following ways: (i) a node in a blockchain network broadcasts a transaction to move one or more digital assets to a public group address associated with a Congress public key, the public group address being associated with one or more other digital assets associated with other members of the Congress; (ii) a private key share is generated for use in a threshold signature scheme where at least a threshold of public key shares should be used to generate a valid signature through the joining of partial signatures instead of the Congress, the other holders of the private key share being other members of the Congress who are participating in the Congress by moving their respective digital assets to the public group address; (iii) the private key share is used to collaboratively generate a valid signature for a transaction from the public group address.

[0054] In some implementations, threshold signature schemes are elliptic curve digital signature algorithms.

[0055] In some implementations, the computer-based methods may further include (i) detecting malicious activity by a malicious party that is also a member of the Congress, and (ii) confiscating at least some of the digital assets previously transferred by the malicious party to a public group address.

[0056] In some implementations, the computer-based methods may further include (i) detecting redistribution requests, (ii) coordinating with other congress members to transfer all digital assets located in a public group address to a new public address associated with a new public key, and (iii) generating a new private key share.

[0057] Notable features of the Congress: • A shared public key that we call the Congress public key (CPK). The requirement for funds to be deposited and lent under the control of threshold signatures means that the Congress can form autonomous groups, and cooperative action can be enforced by a threshold of good faith members through the threat of forfeiture of all or part of the deposits of any subgroup of uncooperative (i.e., malicious) members. The distributed generation of private keys is a crucial feature of the Congress because its purpose is to create autonomous, decentralized entities. Leaving the Congress is achieved through a refund of the fund, which must be approved by the threshold of current members. Joining the Congress may or may not require the approval of current members, depending on the specific implementation.

[0058] [Ghost Chain] A ghost chain is typically a blockchain for arbitration (e.g., resolving disputes). For example, in the current application, nodes claim ownership of an account by issuing a recovery request and presenting evidence in the form of RPw. This evidence is to be evaluated by a congress, which may constitute arbitration. The validity of the recovery request and / or RPw may or may not be disputed.

[0059] A ghost chain exists only temporarily and is deployed in response to a dispute on the parent blockchain. The ghost chain (ghost) requests various forms of evidence from the participating parties, mediates according to a fixed set of criteria, and distributes funds on the parent as appropriate. The ghost stops when the outcome of the dispute (optionally, along with the Merkle root hash of the intermediate computation state) is submitted to the main chain. A ghost chain can be backed by proof-of-stake (POS). This is a more suitable security model for ghost chains than Proof-of-Work (POW) because POS allows for high-frequency blockchains with more predictable block times and makes the evidence-gathering process much more efficient.

[0060] A ghost chain can be implemented in the following ways: (i) a node joins a group by depositing digital assets to a public group address in order to become a group member (i.e., a member of the Congress), the group is associated with a threshold signature scheme in which the node controls the private key share, and the deposit of digital assets takes place on a proof-of-work blockchain network; and (ii) a node collaborates with other nodes in the group. For example, the collaboration may involve detecting requests for arbitration, deploying a ghost chain to resolve the arbitration request, the ghost chain being a proof-of-stake blockchain in which the miners of the ghost chain are members of the group, and terminating the ghost chain once the arbitration is resolved.

[0061] Therefore, a ghost chain may be a temporary blockchain and, in contrast to conventional blockchains, may be configured to terminate, disappear, and / or expire when one or more criteria, goals, or specified purposes are achieved or satisfied. In other words, a ghost chain may be a single-purpose blockchain that ceases to exist once its purpose is achieved.

[0062] This specification describes how Congress and Ghost Chain can be combined to provide a decentralized protocol for the recovery of crypto assets in the event of private key loss.

[0063] [Fund locked with recovery password] Imagine Alice wants to lend some crypto assets to an account using her signing (private) key, Sk. She is worried that she might lose her signing key, and therefore wants an alternative way to recover her funds in the event of a disaster. This section explains how Alice could configure her account so that her funds are recoverable in return for (potentially) a small fee by supplying a recovery password (RPw) that is simple enough for her to remember. The fee is determined by the market, more specifically by the market price, to be paid to the miners on the ghost chain (for further details on market pricing of computation steps in consensus protocols, see the concept of 'gas' in Ethereum: https: / / ethereum.gitbooks.io / frontier-guide / content / costs.html). As will be discussed later, Alice's account is considered secure even if a very simple recovery password RPw is chosen, as long as a sufficient deposit is required when attempting to recover the funds. Most funds may be recoverable (depending on the fees) if the password RPw recovery is successful.

[0064] In this specification, the implementation of the Congress and Ghost Chain Protocol includes the following: • Members of the Congress hold security deposits on the Proof-of-Work (POW) blockchain M (where Alice's account exists). In return for these deposits, and in proportion to them, members receive one or more shares of the private key. • Members of the Congress mine Proof-of-Stake (POS) alt-chain A. For example, alt-chain A can be a ghost chain. A static Congress Public Key (CPK) exists, and Congress member i has a share x of the corresponding private key x within a Trusted Execution Environment (TEE). i Hold and x i To prevent direct access to members. TEE is x i It is configured not to output any quantities that indicate information related to that. TEE will only do so if it complies with the agreement regarding A. i Outputs the quantity obtained from (e.g., partial signature).

[0065] The public key is represented by Pk, and the corresponding signing key is represented by Sk. Let G be a cyclic group of large prime order for which the discrete logarithm problem is difficult.

number

number

[0066] [protocol] This section describes the main steps in setting a recovery password and the asset recovery phase. It also describes the password reset procedure. Security discussions will be left to later sections.

[0067] Setup: 1. Alice sends the fund using special transaction T1. Transaction T1 signals to Congress her desire to set RPw for the account. The output of T1 can be used by Alice (i) while locked under Pk, or by Congress (ii) while locked under CPK. This transaction is a recovery deposit (r) that needs to be provided when attempting to recover the asset. d The quantity of ) is shown. For example, T1 is M block B m It will be mined. Unless otherwise specified, we will retain any related information or references to other transactions as metadata.

[0068] 2. Each member of the Congress has a quantity g xi Send it secretly to Alice (encrypted by Pk). At this time, G∋g≡g(m):=H1(B m ○Pk) and m>n are fixed by convention. Naturally, Pk is, for example, B m It can also be concatenated with the hash of the block header. xi Each transaction containing should be associated with the share ID of an individual TEE belonging to the member and signed with the corresponding private key. A certain blind quantity is also included in the transaction, thereby x i The consistency can be verified.

[0069] 3. Once Alice was convinced that the quantities she had received from the members were consistent,

number

[0070] 4. Alice obtains the binary (ASCII) representation of her RPw, and the length of the padded column is g x To make it equal in length, for example, by concatenating 0s after 1: RPw → RPw○100···00. Then Alice enters 'padding password' and g x Take the exclusive OR of this.

number

[0071] Asset recovery: 1. If Alice loses her Sk, she can use her RPw to recover her funds as follows: Alice broadcasts a pre-recovery transaction (PRT) referencing T1 and sends the required recovery deposit to the CPK. The PRT (i) contains H2(RPw○RPk), where RPk is the recovery public key and should be a newly generated public key known only to Alice (at this stage), and the PRT (ii) provides a recovery fee (r) to the miner of Ghost Chain A in exchange for executing the recovery protocol. f (r f is, r d It will be deducted from. ) The fund will recover successfully, r d -r f If it returns to Alice, it will be relocked under the RPk. The transaction is signed by the Deposit Signing Key (DSk) corresponding to the Public Key (DPk) of the account from which the deposit is paid.

[0072] 2. In response to observing a PRT with the correct deposit and offering a recovery fee they deem sufficient, the Congress will initiate a challenge period that will last a fixed number of blocks. During the challenge period, the Congress will monitor M for (i) further PRTs attempting to recover the same account, and for mining rejected transactions signed by Sk. If a rejected transaction is observed, the recovery protocol will be terminated, and the recovery deposit associated with the PRT will be forfeited.

[0073] 3. If a rejected transaction that is not validly signed is observed during the challenge period, the Congress instantiates a ghost chain. Any party that previously sent a PRT can now send a recovery transaction RT that references the PRT to the ghost chain. The RT should (i) include RPw and (ii) include RPk and be signed by DSk. The verifiers should then check that RPw○RPk hash to the value contained in the referenced PRT. Otherwise, the recovery deposit associated with this PRT is forfeited, the recovery fee is deducted, and the remaining deposit is forfeited.

[0074] 4. If there is an RT whose hash of RPw○RPk matches a value contained in the corresponding PRT, then the members of the Congress are g xi Broadcast (m). From now on, everyone can g x (m) can be reconstructed and verification attempted:

number

[0075] RPw Reset: Alice should select a new RPw. Congress and Alice are g(m)→g(m′)=H(B m′ Repeat steps 2-4 of the setup phase, excluding ○Pk),m′>m. At this time, B m′ This is a generally-agreed-upon M block and (B m′ This can also be block A or its hash. In short, it must be a random number that cannot be predicted when a request to set a recovery password is made. ) and it is established that the recovery attempt has failed (i.e.,

number

[0076] Comment: Assets can be used from or deposited into the account while maintaining the recovery function. When this happens, the recovery deposit r dThese can also change (this is necessary to maintain a certain level of security). Any UTXO paid to 'Pk or CPK' can be recovered. Those transactions also refer to T2 to signal that the password has already been set by Congress for the Pk. Those UTXOs can change d When it has the maximum r d This is selected. Therefore, for example, Alice uses all UTXOs locked under Pk from her account and pays the 'change' to 'Pk or CPK' and generally another r d (Estimated, this is the lower r) d Payment can be made by returning a UTXO that presents ). When Alice wants to add assets to her account, she sends those assets via a transaction that has an output that pays 'Pk or CPK'. This transaction is r d An increase in this could be identified, which then applied to all assets within her account.

[0077] [Design Selection and Protocol Security] The primary objective is to leverage the characteristics of Congress while avoiding imposing any substantial additional burden on members. The Congress secret key is a secret stored in the members' 'collective memory,' thereby reallocating and deleting shares of the secret when members join or leave. The idea is to derive a 'mapping' (XOR) from RPw to secret x (more precisely, a quantity obtained from x using a one-way function) and maintain this mapping on the blockchain. In this way, the information necessary to reconstruct RPw is effectively divided between the XOR (public) and x (private) so that information about RPw cannot be obtained from the public part. This approach means that members do not need to hold any additional secret information within their TEE. The only requirement is to maintain a collective memory of x, which can be done in any way.

[0078] Comments on the security of various steps in the protocol: setting: 1. The recovery deposit may be presented as a percentage of the total funds in the account and must be large enough that it is uneconomical for an attacker to attempt to guess RPw (i.e., the expected profit from guessing is negative). Note that this makes our scheme entirely future-proof (in stark contrast to the key stretching described in the introduction), because the entropy of a given RPw and the recovery deposit (a portion of the total funds) do not change over time. The future-proof guarantee also requires that the recovery fee be presented at the PRT rather than at the initial stage.

[0079] 2. Identify the members xi Associating them with this means they can receive compensation for providing this service.

[0080] 3. Furthermore, it also means that they are inconsistent g xi This also means that if they are found to be providing such services, they could face economic penalties.

[0081] 4.g x Assuming that it is random,

number

[0082] Figure 1 shows the scheme of the password setting procedure. The password setting process is initiated by the requester by sending T1 to lock the fund under the Congress Public Key (CPK) and the requester's Pk. The members of Congress then send encrypted shares derived from their private keys so that the requester can g xThis calculates the result, takes the exclusive OR of it with his / her chosen RPw, and makes it possible to broadcast the result in T2.

[0083] Asset recovery: 1. H2(RPw○RPk) commits to both RPw and RPk. Furthermore, assuming that RPk is known only to Alice (at this stage) and has typical entropy (effectively random and sufficiently long), neither can be reversed from the hash, even in the case of RPw with extremely low entropy. The proposed recovery fee is presented at this stage and may vary depending on the current market price for calculation purposes.

[0084] 2. We must consider the possibility that adversaries could 'front-run' transactions, steal certain information, and use it to construct malicious transactions that could potentially be mined first. For example, this is quite likely achievable by large-scale miners. For this reason, after the first PRT is observed, we must consider the time it takes for other PRTs to be mined, as there is no way to determine at this stage which one is genuine. It should be noted that Alice cannot construct a valid rejection transaction (assuming one of them is genuine, i.e., Sk has actually been lost).

[0085] 3. RT is only considered if it corresponds to a verified PRT committed to RPw and RPk and should include a recovery deposit. If verification fails, all recovery deposits are lost. An attacker has no way of obtaining information about RPw at the time the PRT is mined. Therefore, the protocol is secure as long as the recovery deposit is sufficiently large compared to the amount of assets being recovered and the entropy of RPw.

[0086] 4. In the final stage of the verification or attempted verification of RPw, the true RPw will be revealed.

[0087] RPw Reset: The true RPw will be revealed during the checking process. Note that, assuming a timely response via a rejection transaction by Alice, we do not anticipate any attempts to guess RPw and reach this stage. It is a common assumption in the cryptocurrency field that account holders monitor M and can respond promptly to theft attempts. One example is the issuance of Breach Remedy Transactions on the Lightning Network [J. Poon, T. Dryja. The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments, (Draft version 0.5.9.2). Available online: https: / / lightning.network / lightning-network-paper.pdf]. However, in contrast to the situation on the Lightning Network (where all funds in an account could be lost), the consequences of our protocol for failing to respond in a timely manner are considerably milder (RPw reset).

[0088] Figure 2 illustrates the scheme of the password recovery protocol. It consists of two phases: a pre-recovery phase and a recovery phase. During the pre-recovery phase, the password recovery request is received by Congress. Within the so-called challenge period, Congress also monitors whether a rejection transaction has been issued by the wallet owner to abort the procedure. If no rejection has been issued, a ghost chain is initiated, and a recovery transaction is issued by the requester and checked for consistency (detailed in the asset recovery protocol description). In case of success, the funds are transferred to a new address and controlled by the requester. Any fraudulent attempts will instead result in the forfeiture of the deposit.

[0089] [Password security] Password strength is generally measured as the expected number of computational steps required by an attacker to guess the password. In the case of randomly generated passwords, as mentioned above, a brute-force attack is commonly used, which tries all possible combinations of characters of a given length. This means that, given a password of length L consisting of n characters, an attacker would have to try n L Follow these steps to find the correct password.

[0090] In our solution, we associate a cost for each failed attempt, a so-called recovery deposit. This can be expressed as a percentage of the funds held at the address. In this way, a substantial deterrent exists against any attempt to carry out an attack.

[0091] For example, a password of length L=3 using Arabic numerals as the symbol set, i.e., n=10, and deposit r d We can consider = 0.01 × F, where F is the amount of funds available in the wallet derived from the password. To crack the password, the attacker needs 10 3 It is expected that the attacker will perform 10 times the amount of funds held in the account. 3 This would impose a burden of ×0.01 × F = 10F. Therefore, increasing the recovery deposit is equivalent to preventing random attempts from malicious attackers and improving the security of the wallet. Note that the security of the scheme remains constant even if the computational cost of generating password permutations and the value of the associated crypto assets change.

[0092] In our protocol, estimating the number of attempts required for an attacker to crack a password is even more complex, and the above calculation may be useful in calculating a lower bound on the costs associated with the attack. In fact, g xThanks to the 'padding procedure' described in the setup phase (point 4), where the binary representation of RPw is padded by concatenating 0s after 1s to make it equal to the length, the attacker cannot know the exact length of the selected password. Therefore, the attacker cannot know any length (g) until a valid length and the password itself are found. x ) on average n L It needs to be repeated.

[0093] [Summary and Conclusion] We offer a first, not entirely reliable, solution for recovering funds in the event of private key loss, while maintaining a certain level of security against brute-force hacking attacks.

[0094] Our scheme is only suitable in the case of 'rare events' such as the loss of a private key, as the RPw is revealed only when the fund is recovered. It is unsuitable for use as a common method of authenticating transactions, for example, because it incurs relatively high fees and requires the password to be reset each time ((i) it is likely to be forgotten, and (ii) the password choice is any pattern in which it may be identifiable).

[0095] Another drawback is that, for sufficient security, the blockchain must monitor for any attempts by account holders to fraudulently recover funds and respond (by rejecting a transaction) within a challenge period. However, failure to do so almost always results in a password reset (as opposed to, for example, loss of funds).

[0096] It should be noted that the embodiments described above are illustrative, not limiting, of the invention, and that those skilled in the art can design many alternative embodiments without exceeding the scope of application of the invention as defined by the appended claims. In the claims, no reference numerals in parentheses should be construed as limiting the claims. The words “comprising” and “comprises,” etc., do not exclude the existence of elements or steps other than those listed in any claim or the entirety of the specification. In this specification, “comprises” means “includes or consists of,” and “comprising” means “including or consisting of.” A single reference to an element does not exclude multiple references to such element, and vice versa. The invention may be carried out using hardware having several individual elements and a appropriately programmed computer. In apparatus claims listing several means, some of those means may be embodied by the same item of hardware. The mere fact that certain means are mentioned in different claims does not indicate that a combination of those means cannot be used advantageously.

Claims

1. A method carried out by hardware including a properly programmed computer, The transaction involves receiving a transaction from a specific party within the Congress indicating a desire to regain access to one or more digital assets, wherein the specific party is a member of the congress who joined the congress by moving their respective digital assets to a public group address associated with the congress's public key, each member of the congress possesses a private key share, and the private key shares are used in a threshold signature scheme in which at least a threshold number of private key shares should be used to generate a valid signature through the combination of the congress's partial signatures to access the digital assets on behalf of each member. A challenge period is initiated to monitor for rejected transactions from the aforementioned specific party, and if a rejected transaction is detected, at least a portion of the one or more digital assets is confiscated. It has, The aforementioned rejection transaction is Broadcasting additional recovery attempts to the same account corresponding to one or more of the aforementioned digital assets, Mining of transactions signed with the original private key corresponding to the specific party, regardless of the threshold signing scheme, Presentation of a transaction not validly signed with a public key to restore access to one or more of the aforementioned digital assets, and Cryptographic validation fails for transactions containing values ​​that do not match the recovery hash. Detected by one or more of the following observations: method.

2. The aforementioned Congress is formed on a blockchain network. The method according to claim 1.

3. The members of the aforementioned Congress hold security deposits on the proof-of-work blockchain. The method according to claim 1.

4. The data associated with each private key share is further encrypted using the public key Pk associated with one or more digital assets. The method according to claim 1.

5. Further comprising concatenating the public key Pk associated with one or more digital assets with the hash of the block header, The method according to claim 1.

6. The data associated with each private key share is quantity g. xi The method has the quantity g xi The further comprising associating each transaction containing the above with a member of the Congress, The method according to any one of claims 1 to 5.

7. The quantity g from each of the members of the Congress xi Furthermore, it involves checking to ensure that they are consistent. The method according to claim 6.

8. Said quantity g xi Checking to ensure consistency between them is [Math 1] This includes constituting g x L is a point on an elliptic curve. i These are the Lagrangian coefficients. The method according to claim 7.

9. A computer-readable storage medium having a computer-executable instruction that, when executed, causes a processor to perform the method according to any one of claims 1 to 8.

10. Interface device and A processor coupled to the aforementioned interface device, The memory connected to the aforementioned processor and which stores computer executable instructions It has, When the computer executable instruction is executed, it causes the processor to perform the method according to any one of claims 1 to 8. Electronic devices.