US-20260127587-A1 - DIGITAL SIGNATURE GENERATION USING A COLD WALLET

Abstract

A method and a system for providing a digital signature are disclosed. A private signature key is distributed among two or more nodes of a cold wallet. Each node of the cold wallet generates a pre-signature, based on its share(s) of the private signature key, and transmits the pre-signature to one of two or more pre-signature nodes. A signing application requests a signature and transmits a message to be signed to each of the pre-signature nodes. In response to receiving the request for a signature and the message to be signed, each pre-signature node generates a partial signature, based on its pre-signature and on the message to be signed. Each pre-signature node transmits its partial signature to the signing application, and the signing application computes a digital signature from the partial signatures.

Inventors

  • Jakob Illeborg Pagter
  • Thomas Pelle Jakobsen

Assignees

  • BLOCKDAEMON APS

Dates

Publication Date
20260507
Application Date
20250904
Priority Date
20191015

Claims (20)

  1 - 15. (canceled)
  16. A system, comprising: one or more processors; and one or more non-transitory computer-readable medium storing code comprising executable instructions, wherein the instructions, when executed, cause the one or more processors to perform steps comprising: receiving by two or more nodes of a cold wallet, one or more shares of a private signature key, each node of the cold wallet thereby being in the possession of the one or more shares of the private signature key, and none of the nodes of the cold wallet being in the possession of all shares of the private signature key; generating by each node of the cold wallet a pre-signature, based on its share(s) of the private signature key, and transmitting the pre-signature to one of two or more pre-signature nodes, in such a manner that each pre-signature node receives a pre-signature from only one of the nodes of the cold wallet; requesting by a signing application a signature and transmitting a message to be signed to each of the pre-signature nodes; in response to receiving the request for a signature and the message to be signed, generating by each pre-signature node a partial signature, based on its pre-signature and on the message to be signed; transmitting by each pre-signature node its partial signature to the signing application; and in response to receiving the partial signatures from each pre-signature node, computing by the signing application a digital signature from the received partial signatures; wherein the step of each node of the cold wallet transmitting the pre-signature to one of the pre-signature nodes is performed using a one-way communication channel.
  17. The system of claim 16, wherein the steps further comprise deleting, by each of the pre-signature nodes, the pre-signature after the step of generating a partial signature and before the step of transmitting the partial signature.
  18. The system of claim 16, wherein receiving the private signature key is performed by the nodes of the cold wallet generating the private signature key by a multi-party computation protocol.
  19. The system of claim 16, wherein each node of the cold wallet is configured to generate the pre-signature as part of a batch comprising two or more pre-signatures.
  20. The system of claim 16, wherein at least the steps of receiving a private signature key, generating pre-signatures and transmitting the pre-signatures to the pre-signature nodes are performed as pre-processing steps prior to the step of the signing application requesting a signature.
  21. The system of claim 16, wherein the step of each node of the cold wallet generating a pre-signature, based on its share(s) of the private signature key, and transmitting the pre-signature to one of two or more pre-signature nodes is initiated by the pre-signature nodes in response to receipt of a request for a signature from the signing application.
  22. The system of claim 16, wherein the step of each pre-signature node generating a partial signature is performed without internal communication among the pre-signature nodes.
  23. The system of claim 16, wherein the steps further comprise authorizing the request for a signature from the signing application.
  24. The system of claim 16, wherein the nodes of the cold wallet fulfil a threshold condition, t, and the pre-signature nodes fulfil a threshold condition, t′, where t′≥t.
  25. The system of claim 16, wherein the steps further comprise: at least some of the nodes of the cold wallet generating one or more additional pre-signature shares, encrypting the additional pre-signature share(s), and transmitting the encrypted additional pre-signature share(s) to one or more of the pre-signature nodes along with the pre-signatures; and each pre-signature node which has received an encrypted additional pre-signature share transmitting the encrypted additional pre-signature share to the signing application along with the partial signature; wherein signing application computing a digital signature comprises: decrypting, by the signing application, the received encrypted additional pre-signature share(s); generating, by the signing application, an additional pre-signature, based on the decrypted additional pre-signature share(s), and generating an additional partial signature based on the additional pre-signature and on the message to be signed; and computing, by the signing application, the digital signature from the partial signatures received from the pre-signature nodes and the generated additional partial signature.
  26. The system of claim 25, wherein generating one or more additional pre-signature shares is performed by each of the nodes of the cold wallet generating an additional pre-signature share and encrypting the additional pre-signature share.
  27. The system of claim 25, wherein generating one or more additional pre-signature shares is performed by at least two of the nodes of the cold wallet applying a multi-party computation protocol.
  28. The system of claim 25, wherein the additional pre-signature shares are encrypted and decrypted by means of symmetric encryption keys shared between the respective nodes of the cold wallet and the signing application.
  29. The system of claim 16, wherein the pre-signatures are generated within the cold wallet, in such a manner that no data enters the cold wallet and no shares of the private signature key leaves the cold wallet.
  30. The system of claim 16, wherein the cold wallet is air-gapped.
  31. The system of claim 16, wherein the one-way communication channel comprises a visual output.
  32. A system comprising: a plurality of nodes of cold wallet, each comprising one or more processors, the plurality of nodes of cold wallet configured to: receive one or more shares of a private signature key, wherein each node of the cold wallet is in possession of the one or more shares of the private signature key, and none of the nodes of the cold wallet is in possession of all shares of the private signature key; generate, by each node of the cold wallet a pre-signature, based on its share(s) of the private signature key; and transmit the pre-signature using a one-way communication channel; and a plurality of pre-signature nodes, each comprising one or more processors, the plurality of pre-signature nodes configured to: receive the pre-signature in such a manner that each pre-signature node receives a pre-signature from only one of the nodes of the cold wallet; receive, from a signing application, a request for a signature and a message to be signed to each of the pre-signature nodes; generate, responsive to receiving the request and by each pre-signature node, a partial signature based on its pre-signature and on the message to be signed; and transmit, by each pre-signature node, its partial signature to the signing application, wherein the signing application, responsive to receiving the partial signatures, is configured to compute a digital signature from the received partial signatures.
  33. The system of claim 32, wherein each of the pre-signature nodes is further configured to delete the pre-signature after generating a partial signature and transmitting the partial signature.
  34. The system of claim 32, wherein the plurality of nodes of cold wallet are configured to receive the one or more shares of the private signature key by a multi-party computation protocol.
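As an added illustration of the flow in claims 16 to 34 (constructed example code, not from the patent or Blockdaemon), the following instantiates the roles with a toy threshold Schnorr scheme: the cold wallet's pre-signature for node i is (k_i, R, a_i), i.e. a one-time nonce share, the aggregate nonce commitment R, and a fresh additive share of the key, so each pre-signature node can produce its partial signature from that tuple and the message alone, without talking to the other pre-signature nodes or to the wallet. The choice of Schnorr, the contents of the pre-signature and the tiny group parameters are all assumptions for illustration; the patent leaves the concrete scheme open.

```python
import hashlib
import secrets

# Constructed toy Schnorr group: p = 2q + 1, g generates the order-q subgroup.
# These parameters are far too small for real use.
p, q, g = 2039, 1019, 4

def H(R, m):
    """Challenge e = H(R || m) reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(f"{R}|{m}".encode()).digest(), "big") % q

def shamir_share(secret, n, t):
    """Split secret into n Shamir shares over Z_q; any t of them reconstruct."""
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q for i in range(1, n + 1)}

def lagrange(i, S):
    """Lagrange coefficient of node i for reconstruction at 0 by the set S."""
    num = den = 1
    for j in S:
        if j != i:
            num, den = num * (-j) % q, den * (i - j) % q
    return num * pow(den, -1, q) % q

def cold_wallet_presign(shares, S):
    """Pre-processing run by the wallet nodes in S (they may talk to each other
    inside the air gap). Node i gets (k_i, R, a_i); pairwise zero-shares z
    re-randomise lambda_i * x_i so no long-term key share leaves the wallet."""
    k = {i: secrets.randbelow(q) for i in S}
    R = 1
    for i in S:
        R = R * pow(g, k[i], p) % p
    z = {i: {j: secrets.randbelow(q) for j in S} for i in S}
    return {i: (k[i], R, (lagrange(i, S) * shares[i] + sum(z[i][j] - z[j][i] for j in S)) % q)
            for i in S}  # each tuple goes over a one-way channel to pre-signature node i

def partial_sign(pre_sig, m):
    """Pre-signature node: uses only its own pre-signature and the message."""
    k_i, R, a_i = pre_sig
    return (R, (k_i + H(R, m) * a_i) % q)

def combine(partials):
    """Signing application: all partials carry the same R; s is the sum of s_i."""
    return (partials[0][0], sum(s for _, s in partials) % q)

def verify(X, m, sig):
    R, s = sig
    return pow(g, s, p) == R * pow(X, H(R, m), p) % p

def run_demo(m="constructed: transfer 1 coin to alice", n=3, t=2):
    x = secrets.randbelow(q)
    X, shares = pow(g, x, p), shamir_share(x, n, t)
    S = list(range(1, t + 1))                              # the t wallet nodes that take part
    pre = cold_wallet_presign(shares, S)
    partials = [partial_sign(pre.pop(i), m) for i in S]   # pop: pre-signature deleted after use
    sig = combine(partials)
    return verify(X, m, sig), verify(X, m + " and 1 more", sig)
```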

Description

FIELD OF THE INVENTION

The present invention relates to a method and a system for generating a digital signature, using a cold wallet holding a private signature key.

BACKGROUND OF THE INVENTION

Digital signatures are widely used for signing documents, performing transactions, etc., in a manner which ensures that the person signing the document or performing the transaction is in fact authorised to do so. This is, for instance, relevant when performing transactions relating to cryptocurrencies. If a malicious party gains access to a private signature key, the malicious party will be able to perform signatures and transactions in the name of the rightful owner of the private signature key, and such transactions may be irreversible. Such malicious access to a private signature key may therefore cause irreparable damage, and it is therefore imperative that private signature keys are stored under secure conditions.

When providing digital signatures, a private signature key which proves the identity of the signer is normally required. Such private signature keys may be stored locally, for instance on a private PC belonging to the user or on another piece of dedicated hardware, such as a portable memory storage or a dongle. As an alternative, a hardware security module (HSM) may be applied for storing signature keys. This has the disadvantage that signatures can only be generated from the PC or the dedicated hardware. Furthermore, the security of the system is limited by the behaviour of the user, including how careful the user is with respect to preventing theft of, or unauthorised access to, the hardware where the private signature key is stored.

Another possibility is to store private signature keys at a trusted key management service. This allows a user to access the private signature key without necessarily having access to specific hardware. Furthermore, the security of the system is handled centrally, by the trusted key management service, and it is therefore less sensitive to the behaviour of the individual user. However, the security of the system needs to be balanced between allowing easy access for the rightful users and preventing malicious parties from gaining access to the signature keys.

In order to provide a high level of security, so-called ‘cold wallets’ may be applied. Cold wallets are systems for storing and controlling private signature keys which are not connected to a communication network, such as the Internet. This is sometimes referred to as an ‘air-gapped’ system. Since access from a communication network is considered one of the major attack vectors on a key management system, cold wallets exhibit a very high security level. However, the lack of communication network accessibility also makes it difficult for a rightful user to gain access to his or her private signature key. Furthermore, the cold wallet still represents a single point of failure, in the sense that if a malicious party succeeds in compromising the hardware holding the cold wallet, he or she will have full access to the private signature key. This is true even if the private signature key is secret shared and stored in different locations, because it is still necessary to assemble the private signature key in order to generate a signature. Finally, in order to perform a signature, some data needs to enter the air-gapped system, thereby introducing a risk that malware enters the air-gapped system and compromises the private signature key.

Steven Goldfeder et al., “Securing Bitcoin wallets via threshold signatures”, 3 Jun. 2014, available at https://www.cs.princeton.edu/~stevenag/bitcoin_threshold_signatures.pdf, discloses a threshold signature scheme which is compatible with Bitcoin's ECDSA signatures, and which can be used to enforce complex yet useful security policies including shared control of a wallet, secure bookkeeping, secure delegation of authority, and two-factor security for personal wallets. The ability to construct a valid signature is distributed among n players, each of whom receives a share of a private signing key, e.g. by means of a secret sharing scheme. The participation of t or more of them is required to sign, for some fixed t≤n. The key shares may be stored in a cold wallet. An ECDSA threshold signature protocol is used for providing a signed transaction with parallel control without reconstructing the private signing key. The signature is obtained directly from the key shares in a step which requires communication among the players holding the key shares.

DESCRIPTION OF THE INVENTION

It is an object of embodiments of the invention to provide a method for providing a digital signature, in which a high level of security is obtained while allowing easy access for rightful users. It is a further object of embodiments of the invention to provide a system for providing a digital signature, which offers a high level of security while allowing easy access for rightful users. According to a first aspect th