Difference between revisions of "User:Vbuterin/K of N redundant offline private key proposal"

From Bitcoin Wiki
Jump to: navigation, search
(2. N piece generation)
(Key Reconstitution)
Line 49: Line 49:
 
===Key Reconstitution===
 
===Key Reconstitution===
  
To reconstitute the private key, simply solve the linear system from any three pieces, inferring from the second byte of the pieces what all the coefficients are, and XOR all the results.  
+
To reconstitute the private key, simply solve the linear system from any three pieces, inferring from the second byte of the pieces what all the coefficients are, to get the original values <code>v(1)</code> to <code>v(k)</code>. Once you have these values, XOR all of them to get your final result.
  
 
For example imagine that you have pieces 1, 3 and 4 from above. You thus have:
 
For example imagine that you have pieces 1, 3 and 4 from above. You thus have:
Line 80: Line 80:
 
   .----------------------------------------
 
   .----------------------------------------
 
             v(3)*132 = pc(3)*6  - pc(2)*14  + pc(1)*8
 
             v(3)*132 = pc(3)*6  - pc(2)*14  + pc(1)*8
             v(3)    = pc(3)/22 - pc(2)*7/66 + pc(1)*2/33
+
             v(3)    = (pc(3)*6  - pc(2)*14  + pc(1)*8) / 132
 
                        
 
                        
 
   v(2) = -v(3)*78/14 + pc(3) - pc(1)
 
   v(2) = -v(3)*78/14 + pc(3) - pc(1)
 
   v(1) = pc(2) - v(2)*8 - v(3)*27
 
   v(1) = pc(2) - v(2)*8 - v(3)*27
 
</code>
 
</code>
 +
 +
The general pattern is to take <code>k</code> equations, combine all adjacent pairs to get <code>k-1</code> equations without any coefficient for <code>v(1)</code> and repeat the process until you're down to a single equation of the form <code>v(k)*a = b</code>. From there, just work your way back up the chain of intermediate equations to get all the other values.
  
 
You actually don't have to know what <code>n</code> is because you can simply assume that <code>n</code> is the number of pieces that you have, and if you have too many pieces solving the linear system will simply lead you to discover that the <code>n+1</code>st, <code>n+2</code>nd, etc pieces are all equal to zero.
 
You actually don't have to know what <code>n</code> is because you can simply assume that <code>n</code> is the number of pieces that you have, and if you have too many pieces solving the linear system will simply lead you to discover that the <code>n+1</code>st, <code>n+2</code>nd, etc pieces are all equal to zero.
  
 
The scheme can easily be adapted to make the private key the EC product of <code>v(1)</code>, <code>v(2)</code>, etc rather than an XOR, and even the linear systems can be changed to an multiplicative/exponential equivalent if desired, so it's pretty adaptable.
 
The scheme can easily be adapted to make the private key the EC product of <code>v(1)</code>, <code>v(2)</code>, etc rather than an XOR, and even the linear systems can be changed to an multiplicative/exponential equivalent if desired, so it's pretty adaptable.

Revision as of 12:14, 5 August 2012

There is an important tradeoff between security and recoverability when storing an offline wallet. The simplest setup, storing the entire private key in a single place in a lockbox, provides medium security but is vulnerable to accidental loss or destruction through accidents such as fire. Storing a simple backup of the key mitigates this risk, but at the same time decreases security, and the opposite strategy, splitting the key into multiple pieces, all of which must somehow be combined to retrieve the original key, increases security but makes the accidental loss problem even worse. The optimal solution is a setup which combines the two strategies, allowing the key to easily be split up into n pieces, any k of which can be used to recover the original key. The simplest such setup is storing k parts of the key and then an XOR of all k parts, but that approach is limiting as it only allows for n = k+1. What this document proposes is a setup which allows any n and k to be used. The steps are the following:

1. K-piece key splitting

Take your private key, P, and find k values (which we'll call v(1) to v(k)) which meet the following conditions:

  1. hex(SHA256(i)) starts with '00' for all i 1 to k - this is the checksum
  2. XOR(v(i) for all i 1 to k) = the original private key

Pseudocode implementation:

def generate(P,k):
  v = array(k)
  for i in range(0,k-2):
    while hex(sha256(v[i]))[0:2] != '00':
      v[i] = random(1,2^256)
  remainder = P
  for i in range(0,k-2):
    remainder = remainder XOR v[i]
  while hex(sha256(v[k-2]))[0:2] != '00' or hex(sha256(v[k-1]))[0:2] != '00':
    v[k-2] = random(1,2^256)
    v[k-1] = remainder XOR v[k-2]

So far, what we have are k pieces that can be trivially recombined (through XOR) into the original private key, and all of which have a basic checksum to provide some protection against mistakes.

2. N piece generation

The next step will transform these k pieces, once again referred to as v(1) to v(k), into n pieces, any k of which can be used to find the original values v(1) to v(k).

Piece i will have the following format:

  • Byte 0 = 0x86 (unique "format" identifier to make keyparts in base 58 recognizable to the untrained eye)
  • Byte 1 = i
  • Byte 2 = byte length of everything coming after it (leave this blank at first, and calculate it at the end).
  • Bytes 3-whatever = v(1) + v(2)*2^i + v(3)*3^i + v(4)*4^i + ...

For example, if you want your private key to require three out of five pieces to reconstitute, the final pieces will be (byte lengths will depend on exactly what v(1), v(2) and v(3) are):

  1. 0x86 1 33 v(1) + v(2)*2 + v(3)*3
  2. 0x86 2 33 v(1) + v(2)*4 + v(3)*9
  3. 0x86 3 33 v(1) + v(2)*8 + v(3)*27
  4. 0x86 4 33 v(1) + v(2)*16 + v(3)*81
  5. 0x86 5 34 v(1) + v(2)*32 + v(3)*243

When you're done, the pieces can be kept as hex or base58 - either format works fine, and stored wherever you want. You might, for example, store one in a safe at home, another at a safety deposit box at the local bank, a third on your computer, a fourth with a friend and memorize the fifth.

Key Reconstitution

To reconstitute the private key, simply solve the linear system from any three pieces, inferring from the second byte of the pieces what all the coefficients are, to get the original values v(1) to v(k). Once you have these values, XOR all of them to get your final result.

For example imagine that you have pieces 1, 3 and 4 from above. You thus have:

 v(1) + v(2)*2  + v(3)*3  = pc(1)
 v(1) + v(2)*8  + v(3)*27 = pc(2)
 v(1) + v(2)*16 + v(3)*81 = pc(3)

Elimination goes as follows:

   v(1) + v(2)*8  + v(3)*27 =  pc(2)
 - v(1) - v(2)*2  - v(3)*3  = -pc(1)
 .----------------------------------
          v(2)*6  + v(3)*24 =  pc(2) - pc(1)
   v(1) + v(2)*16  + v(3)*81 =  pc(3)
 - v(1) - v(2)*2   - v(3)*3  = -pc(1)
 .----------------------------------
          v(2)*14  + v(3)*78 =  pc(3) - pc(1)
 v(2)*14  + v(3)*78  = pc(3) - pc(1)
 v(2)*6   - v(3)*24  = pc(2) - pc(1)
                     |  
                     v
 v(2)*84  + v(3)*468 = pc(3)*6  - pc(1)*6
 v(2)*84  - v(3)*336 = pc(2)*14 - pc(1)*14
 .----------------------------------------
            v(3)*132 = pc(3)*6  - pc(2)*14   + pc(1)*8
            v(3)     = (pc(3)*6  - pc(2)*14   + pc(1)*8) / 132
                     
 v(2) = -v(3)*78/14 + pc(3) - pc(1)
 v(1) = pc(2) - v(2)*8 - v(3)*27

The general pattern is to take k equations, combine all adjacent pairs to get k-1 equations without any coefficient for v(1) and repeat the process until you're down to a single equation of the form v(k)*a = b. From there, just work your way back up the chain of intermediate equations to get all the other values.

You actually don't have to know what n is because you can simply assume that n is the number of pieces that you have, and if you have too many pieces solving the linear system will simply lead you to discover that the n+1st, n+2nd, etc pieces are all equal to zero.

The scheme can easily be adapted to make the private key the EC product of v(1), v(2), etc rather than an XOR, and even the linear systems can be changed to an multiplicative/exponential equivalent if desired, so it's pretty adaptable.