On Cryptocurrency Wallet Design

The security of cryptocurrency and other decentralized, blockchain-maintained assets relies on their owners safeguarding secrets, typically cryptographic keys. This applies equally to individuals holding daily-spending amounts and to large asset-management companies. Loss of keys, and attackers gaining control of keys, have resulted in numerous losses of funds. The security of individual keys has been widely studied, and practical solutions are available, from mnemonic phrases to dedicated hardware. There are also techniques for securing funds by requiring combinations of multiple keys. However, to the best of our knowledge, a crucial question has never been addressed: how is wallet security affected by the number of keys, their types, and how they are combined? This is the focus of this work. We present a model in which each key has certain probabilities of being safe, lost, leaked, or stolen (available only to an attacker). The number of possible wallets for a given number of keys is the Dedekind number, which prohibits an exhaustive search with many keys. Nonetheless, we bound optimal-wallet failure probabilities with an evolutionary algorithm. We evaluate the security (the complement of the failure probability) of wallets based on the number and types of keys used. Our analysis covers a wide range of settings and reveals several surprises. The general trend of the failure probability is to drop exponentially with the number of keys, but it depends strongly on the parity of that number. In many cases, but not always, heterogeneous keys (not all with the same fault probabilities) allow for superior wallets compared to homogeneous keys. Nonetheless, in the case of 3 keys, the common practice of requiring any pair is optimal in many settings. Our formulation of the problem and initial results reveal several open questions, from user studies of key fault probabilities to finding optimal wallets with very large numbers of keys. But they also have an immediate practical outcome: informing cryptocurrency users on optimal wallet design.
2012 ACM Subject Classification Security and privacy → Formal security models
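A worked instance of the abstract's model, added here as an example and not code from the paper: each key independently ends up safe, lost, leaked or stolen, a wallet is a monotone spending policy (a set of authorized key subsets, any one of which suffices), and the wallet is assumed to fail if the owner cannot spend or an attacker can. It computes failure probabilities for k-of-3 wallets and brute-forces the optimum over all monotone policies for 3 keys, using constructed fault probabilities.

```python
from itertools import combinations, product

# Key states, following the abstract's model: S = safe (only the owner has it),
# L = lost (nobody has it), K = leaked (owner and attacker), T = stolen (attacker only).
STATES = ("S", "L", "K", "T")
OWNER_HAS = {"S", "K"}
ATTACKER_HAS = {"K", "T"}

# Constructed fault probabilities for one key (an assumption, not data from the paper).
EXAMPLE_KEY = {"S": 0.9, "L": 0.04, "K": 0.03, "T": 0.03}

def can_spend(states, policy, holder):
    """True if some authorized subset in `policy` is fully available to `holder`.
    A policy is a list of key-index tuples; any one suffices to spend, so the policy
    is a monotone Boolean function of the keys (hence the Dedekind-number count)."""
    return any(all(states[i] in holder for i in subset) for subset in policy)

def failure_probability(policy, key_probs):
    """Assumed failure semantics: the wallet fails if the owner cannot spend
    (funds locked) or the attacker can spend (funds stolen). Keys fail independently,
    so the joint state space is enumerated exhaustively (4^n states)."""
    total = 0.0
    for states in product(STATES, repeat=len(key_probs)):
        p = 1.0
        for i, s in enumerate(states):
            p *= key_probs[i][s]
        if not can_spend(states, policy, OWNER_HAS) or can_spend(states, policy, ATTACKER_HAS):
            total += p
    return total

def threshold_policy(k, n):
    """k-of-n multisig as a policy: every k-subset of the n keys is authorized."""
    return list(combinations(range(n), k))

def optimal_wallet(key_probs):
    """Exhaustive search over all monotone spending policies for n keys (every
    non-empty set of non-empty subsets defines one); only feasible for small n."""
    n = len(key_probs)
    subsets = [c for r in range(1, n + 1) for c in combinations(range(n), r)]
    best = None
    for mask in range(1, 2 ** len(subsets)):
        policy = [subsets[j] for j in range(len(subsets)) if mask >> j & 1]
        fp = failure_probability(policy, key_probs)
        if best is None or fp < best[0]:
            best = (fp, policy)
    return best

if __name__ == "__main__":
    probs = [EXAMPLE_KEY] * 3  # three homogeneous keys
    for k in (1, 2, 3):
        print(f"{k}-of-3 failure probability: {failure_probability(threshold_policy(k, 3), probs):.5f}")
    fp, policy = optimal_wallet(probs)
    print(f"optimal: {fp:.5f} with policy {policy}")
```

With these constructed probabilities the 2-of-3 wallet is the optimum over all 18 non-trivial monotone policies on three keys, matching the abstract's observation that requiring any pair is often optimal with 3 keys.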
