EP-3740920-B1 - MULTI-APPROVAL SYSTEM USING M OF N KEYS TO PERFORM AN ACTION AT A CUSTOMER DEVICE
Inventors
- WEIGHT, Joel
- HOPKINS, Steven
- BLACK, TRON
- BECKER, Denny
Dates
- Publication Date
- 20260506
- Application Date
- 20190117
Claims (14)
- A system (1200), comprising: a plurality of vault systems (1250A-N) comprising: a first vault system (1250A); and a second vault system (1250N), different from the first vault system; and a customer computing device (102), comprising: at least one processor (1804); at least one memory (1802) communicatively coupled to the at least one processor (1804); and at least one network interface (1806) communicatively coupled to the at least one processor (1804) and configured to communicate with the plurality of vault systems (1250A-N); wherein the at least one processor (1804) is configured to: generate a private key and split the private key into a plurality of private key components comprising a first key component and a second key component; transmit a first private key component of the plurality of private key components to the first vault system (1250A) of the plurality of vault systems (1250A-N); transmit a second private key component of the plurality of private key components to the second vault system (1250N) of the plurality of vault systems (1250A-N); wherein the first vault system (1250A) of the plurality of vault systems (1250A-N) is configured to: receive at least a first piece of identity data in a first key request from the customer computing device (102); perform customer authentication (1306) based on the at least the first piece of identity data from the customer computing device (102); and transmit the first private key component of the plurality of private key components, identified using the at least the first piece of identity data in the first key request, to the customer computing device (102) in response to a first successful customer authentication; and wherein the second vault system (1250N) of the plurality of vault systems (1250A-N) is configured to: receive at least a second piece of identity data in a second key request from the customer computing device (102); perform customer authentication (1306) based on the at least the second piece of identity data from the customer computing device (102); and transmit the second private key component of the plurality of private key components, identified using the at least the second piece of identity data in the second key request, to the customer computing device (102) in response to a second successful customer authentication; and wherein the at least one processor (1804) is further configured to: receive (1308) the first private key component of the plurality of private key components from the first vault system (1250A); receive (1308) the second private key component of the plurality of private key components from the second vault system (1250N); reconstruct a single private key from at least the first private key component received from the first vault system (1250A) and the second private key component received from the second vault system (1250N); and perform at least one action, the at least one action comprising: decrypting encrypted data, encrypting data, generating a transaction address, or signing a transaction based on the single private key.
- The system (1200) of claim 1, wherein the customer computing device (102) is configured to decrypt the encrypted data, encrypt the data, generate the transaction address, or sign the transaction at least in part by: identifying (1404) the data to be encrypted or the encrypted data to be decrypted; and encrypting the data or decrypting (1406) the encrypted data based on the single private key.
- The system (1200) of claim 1, wherein the customer computing device (102) is configured to decrypt the encrypted data, encrypt the data, generate the transaction address, or sign the transaction at least in part by: deriving a public transaction key from the single private key; and generating (1504) the transaction address based on the public transaction key.
- The system (1200) of claim 3, wherein the customer computing device (102) is configured to decrypt the encrypted data, encrypt the data, generate the transaction address, or sign the transaction at least in part by: receiving (1506) funds into a generated transaction address as part of the transaction; and transmitting (1508), from the customer computing device (102), the transaction to a node implementing a distributed ledger for recording on the distributed ledger.
- The system (1200) of claim 1, wherein the customer computing device (102) is configured to decrypt the encrypted data, encrypt the data, generate the transaction address, or sign the transaction at least in part by: generating (1604, 1614, 1624), at the customer computing device (102), the transaction; and signing (1606, 1616, 1626) the transaction, at the customer computing device (102), using the single private key.
- A method (1300) performed by a customer computing device (102) and a plurality of vault systems (1250A-N) comprising: a first vault system (1250A) and a second vault system (1250N), different from the first vault system, the customer computing device (102) communicating with the plurality of vault systems (1250A-N), the method comprising: at the customer computing device (102): generating a private key and splitting the private key into a plurality of private key components comprising a first key component and a second key component; transmitting a first private key component of the plurality of private key components from the customer computing device (102) to the first vault system (1250A) of the plurality of vault systems (1250A-N); transmitting a second private key component of the plurality of private key components from the customer computing device (102) to the second vault system (1250N) of the plurality of vault systems (1250A-N); at the first vault system (1250A): receiving at least a first piece of identity data in a first key request from the customer computing device (102); performing customer authentication (1306) based on the at least the first piece of identity data from the customer computing device (102); transmitting, from the first vault system (1250A), the first private key component of the plurality of private key components, identified using the at least the first piece of identity data in the first key request, to the customer computing device (102) in response to a first successful customer authentication; at the second vault system (1250N): receiving at least a second piece of identity data in a second key request from the customer computing device (102); performing customer authentication (1306) based on the at least the second piece of identity data from the customer computing device (102); transmitting, from the second vault system (1250N), the second private key component of the plurality of private key components, identified using the at least the second piece of identity data in the second key request, to the customer computing device (102) in response to a second successful customer authentication; at the customer computing device (102): receiving (1308) the first private key component of the plurality of private key components from the first vault system (1250A); receiving (1308) the second private key component of the plurality of private key components from the second vault system (1250N); reconstructing a single private key from at least the first key component received from the first vault system (1250A) and the second private key component received from the second vault system (1250N); and performing at least one action, the at least one action comprising: decrypting encrypted data, encrypting data, generating a transaction address, or signing a transaction using the single private key.
- The method (1300, 1400) of claim 6, wherein decrypting the encrypted data, encrypting the data, generating the transaction address, or signing the transaction comprises: identifying (1404) the data to be encrypted or the encrypted data to be decrypted; and encrypting the data or decrypting (1406) the encrypted data based on the single private key.
- The method (1300, 1500) of claim 6, wherein decrypting the encrypted data, encrypting the data, generating the transaction address, or signing the transaction comprises: deriving a public transaction key from the single private key; and generating (1504) the transaction address based on the public transaction key.
- The method (1300, 1500) of claim 8, wherein decrypting the encrypted data, encrypting the data, generating the transaction address, or signing the transaction comprises: receiving (1506) funds into a generated transaction address as part of the transaction; and transmitting (1508), from the customer computing device (102), the transaction to a node implementing a distributed ledger for recording on the distributed ledger.
- The method (1300, 1600A, 1600B, 1600C) of claim 6, wherein decrypting the encrypted data, encrypting the data, generating the transaction address, or signing the transaction comprises: generating (1604, 1614, 1624), at the customer computing device (102), the transaction; and signing (1606, 1616, 1626) the transaction, at the customer computing device (102), using the single private key.
- The system (1200) of claim 5 or the method (1300, 1600B, 1600C) of claim 10, wherein the transaction is a sweeping transaction that transfers all funds from at least one input transaction address in a customer wallet to a new transaction address.
- The system (1200) or the method (1300) of any of claims 1-11, wherein the identity data comprises biometric data.
- The system (1200) or the method (1300) of any of claims 1-12, wherein each of the plurality of vault systems (1250A-N) is owned or operated by at least one of: a credit union; a bank; a currency conversion system (104) that converts currency into another form of currency; a corporation; and an individual.
- The system (1200) or the method (1300) of any of claims 1-13, wherein one of the vault systems (1250A-N) is a currency conversion system (104); wherein performing customer authentication comprises confirming that the at least the first piece of identity data or the at least the second piece of identity data from the customer computing device (102) matches stored biometric data for a customer and confirming that anti-money-laundering screening was previously performed for the customer.
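The key-splitting flow of claims 1 and 6, as an added example that is not part of the patent: a Shamir M-of-N split of the private key over a prime field (the two-component case of the claims is m = 2), hypothetical VaultSystem objects that release a component only when the presented identity data matches the enrolled digest, and reconstruction at the customer device. The field prime, the constructed identity data and the vault class are assumptions; the patent does not specify how the key is split or how a vault authenticates.

```python
import hashlib, hmac, secrets

# Assumed field prime: the secp256k1 group order, so the rebuilt scalar is
# itself a valid private key for that curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_key(private_key, m, n):
    """Shamir M-of-N split: n (x, y) components, any m of which reconstruct."""
    coeffs = [private_key] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def reconstruct_key(shares):
    """Lagrange interpolation at x = 0; fewer than m shares give an unrelated value."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

class VaultSystem:
    """Hypothetical vault: one component per enrolled identity-data digest."""
    def __init__(self):
        self._components = {}
    def enroll(self, identity_data, component):
        self._components[hashlib.sha256(identity_data).digest()] = component
    def key_request(self, identity_data):
        """Customer authentication: release the component only on a match."""
        digest = hashlib.sha256(identity_data).digest()
        for stored, component in self._components.items():
            if hmac.compare_digest(stored, digest):
                return component
        return None  # authentication failed; nothing leaves the vault

def run_flow(m=2, n=3, identity=b"constructed-biometric-template"):
    """Customer device: split, distribute, re-collect m components, rebuild."""
    private_key = secrets.randbelow(P - 1) + 1
    vaults = [VaultSystem() for _ in range(n)]
    for vault, share in zip(vaults, split_key(private_key, m, n)):
        vault.enroll(identity, share)
    received = [v.key_request(identity) for v in vaults[:m]]
    return reconstruct_key(received) == private_key
```

A vault that fails authentication returns nothing, so the device cannot reach m components and reconstruction never produces the key; any m of the n vaults, in any order, suffice.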
Description
BACKGROUND
Cryptography can be used to securely store and transmit data. Keys can be used to encrypt data and decrypt encrypted data.
SUMMARY
The present invention provides, according to a first aspect, a system as defined in appended claim 1. According to a second aspect, the present invention provides a method as defined in appended claim 6.
DRAWINGS
Understanding that the drawings depict only exemplary embodiments and are not therefore to be considered limiting in scope, the exemplary embodiments will be described with additional specificity and detail through the use of the accompanying drawings, in which:
- Figure 1 is a block diagram illustrating an example system for multi-approval cryptocurrency accounts and transactions;
- Figure 2A is a block diagram illustrating an example node tree on the customer device for implementing a customer wallet;
- Figure 2B is a block diagram illustrating another example node tree on the currency conversion system for implementing a customer wallet;
- Figure 2C is a block diagram illustrating another example node tree on the trusted third party for implementing a customer wallet;
- Figure 3 is a flow diagram illustrating an example method for onboarding a customer in a multi-approval system;
- Figure 4 is a flow diagram illustrating an example method for purchasing cryptocurrency in a multi-approval system;
- Figure 5 is a block diagram illustrating an example currency conversion system for generating a multi-approval transaction address;
- Figure 6 is a flow diagram illustrating a method for generating a multi-approval transaction address;
- Figure 7A is a flow diagram illustrating an example method for cryptocurrency transactions in a multi-approval system;
- Figure 7B is a flow diagram illustrating an example method for cryptocurrency transactions in a key splitting system;
- Figure 8A is a flow diagram illustrating a first example method for signing a transaction request using multi-sig;
- Figure 8B is a flow diagram illustrating a second example method for signing a transaction request using multi-sig;
- Figure 8C is a flow diagram illustrating a third example method for signing a transaction request using multi-sig;
- Figure 8D is a flow diagram illustrating a fourth example method for signing a transaction request using multi-sig;
- Figure 8E is a flow diagram illustrating an example method for signing a transaction request using key splitting;
- Figure 9A is a flow diagram illustrating an example method for restoring a customer wallet following the loss of the customer's private key using multi-sig;
- Figure 9B is a flow diagram illustrating another example method for restoring a customer wallet following the loss of the customer's private key using multi-sig;
- Figure 9C is a flow diagram illustrating an example method for restoring a customer wallet following the loss of the customer's private key component using key splitting;
- Figure 10A is a block diagram illustrating an example method for restoring a customer wallet using multi-sig;
- Figure 10B is a block diagram illustrating another example method for restoring a customer wallet using multi-sig;
- Figure 10C is a block diagram illustrating an example method for restoring a customer wallet using key splitting;
- Figure 11 is a block diagram illustrating an example system for transacting from a multi-approval transaction address;
- Figure 12 is a block diagram illustrating another example system for multi-approval cryptocurrency accounts and transactions;
- Figure 13 is a flow diagram illustrating an example method for performing an action based on at least M of N private keys (or key components);
- Figure 14 is a flow diagram illustrating an example method for encrypting or decrypting data based on at least M of N private keys (or key components);
- Figure 15 is a flow diagram illustrating an example method for generating a transaction address at a customer device;
- Figure 16A is a flow diagram illustrating an example method for signing a transaction using at least M of N private keys (or key components);
- Figure 16B is a flow diagram illustrating an example method for signing a transaction using at least M of N private keys (or key components);
- Figure 16C is a flow diagram illustrating an example method for signing a sweeping transaction using at least M of N private keys (or key components) at a customer device;
- Figure 17 is a block diagram illustrating an example computer system with which some embodiments of the present disclosure may be utilized; and
- Figure 18 is a block diagram illustrating another example computing device.
In accordance with common practice, the various described features are not drawn to scale but are drawn to emphasize specific features relevant to the exemplary embodiments.
DETAILED DESCRIPTION
In the following detailed description, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration specific illustrative embodiments. The following detailed description is, therefore, not to be taken in a limiti