Protecting Private Keys on Mobile Devices

Date
2022-08
Abstract
A cryptocurrency wallet is software stored on a user's device, such as a mobile phone or personal computer. This wallet software holds a public-private key pair that is used for transactions in digital cryptocurrencies such as Bitcoin. The private key is used to access, authorize and sign transactions, hence it should be secured. The public key, on the other hand, serves as the user's public address. Mobile phones and personal computers are susceptible to device failure, external attacks, theft and loss. In the event of a user's device failure, the private key could become inaccessible. If the device is lost or stolen, the private key would fall into the wrong hands and the user would irrecoverably lose their funds. This thesis addresses the question of secure storage of the private key. More precisely, we study this problem such that the following conditions are satisfied: (i) the private key is broken into shares and stored on remote servers; (ii) a user can retrieve their private key by triggering a reconstruction protocol using only a human-memorable password, and the reconstruction is successful as long as at least some threshold number of servers are honest and available. We have designed and implemented a Password Protected Secret Sharing (PPSS) scheme that can be used to construct a system that satisfies the above. Our PPSS uses two building blocks: (i) a Threshold Password-Authenticated Key Exchange (TPAKE) protocol (for authentication); and (ii) a symmetric key encryption scheme (to emulate secure channels for sending the shares). The user divides the private key into shares, and stores each share on a different remote server. When the key is needed, the user enters their password into the device, and the device reconstructs the secret key by contacting the servers and obtaining the stored shares. Our protocol is provably secure under the Computational Diffie-Hellman (CDH) assumption, while providing state-of-the-art security guarantees.
We give an implementation as an application for a mobile phone. Efficiency analysis shows that the proposed system is highly deployable.
Keywords
Password Protected Secret Sharing, TPAKE, Wallet, Mobile Application Implementation
Citation
Ngure, J. W. (2022). Protecting private keys on mobile devices (Master's thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca.