-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recovery Secret Seed #2038
Comments
It's desirable for the recovery seed to also provide full selective-disclosure functionality for interim transactions. |
@daira suggests a way to enable users to have forward secrecy by rotating their backup secrets:
@daira, would it be accurate to say that feature could be built on a layer above a 'stateless / static derivation seed' scheme described in this ticket? |
Forward unspendability and forward transaction confidentiality (as defined by @daira in #18 (comment)) seem at odds with reusable long-term addresses. If I receive a payment to my long-term public payment address, I should be able to decipher and spend it, no matter how many times the generator seed has been rotated in the meanwhile. Naively, this means I can also decipher and spend old transactions sent to that address, so both of the above properties are violated. The closest thing I can think of, which doesn't break long-term addresses, is:
Problems:
|
I think forward unspendability and transaction confidentiality are compatible with long-term addresses if you change the encryption scheme to a time-based forward-secure one. That is, the sender of a transaction derives a public key for the current epoch from the long-term address, and the recipient derives a corresponding private key using a one-way function. I believe there are proposals for suitable forward-secure schemes using pairings, e.g. Canetti et al's scheme, and probably more efficient ones since then [edit: such as Lu and Li's scheme]. |
If you link the time periods to block chain height, then you can absolutely prevent the problem of encryptions with old keys that puncturable encryption is trying to address, because it's possible for the zk-SNARK circuit to enforce that the ciphertext has been encrypted to the correct period (this is essentially the same as #718). Then, after scanning all the blocks up to the end of the period (plus a margin to account for block chain reorgs), the recipient can be certain that they've received the corresponding funds. So now they can send those funds to themself at an address for a later period, confirm that transaction, back up the new HD root key, and delete the key for the old period. |
(BTW, I am not suggesting that we should block support for recovery seeds on changing the encryption scheme, just pointing out that these goals are not incompatible.) |
@nathan-at-least wrote:
It might have to use a specific derivation scheme designed for the purpose. However, I don't think there's any harm in implementing an opt-in hierarchical wallet scheme similar to BIP32 and then designing a new one later that supports forward security as well. |
About forward-secure schemes with blockheight-dependent ciphertexts: this may break schemes that rely on "floating" transactions that are communicated between peers but not immediately posted on the blockchain. To the extent that such schemes even work with JoinSplits, they'd also need to be analyzed to see if a target blockheight can be fixed in advance. |
You can do loosely time dependent forward security.
http://cs.jhu.edu/~imiers/pdfs/forwardsec.pdf
The problem is even if the ciphertext is forward secure, for zcash you must
store its contents until you spend the coin. This limits the upside of
forward secrecy severely
|
@imichaelmiers, by "loosely time dependent forward security", do you mean puncturable encryption? That's discussed above (#2038 (comment)). |
Well you can combine the two is the point. But readying back on context, I don't think that helps at all.
|
@tromer wrote:
That depends on how long time periods are, and whether there's a delay before deleting the private key for a period. |
Complete as of zcashd v4.7.0 |
This feature allows a 'recovery secret seed' with these features:
Questions:
Implementation:
The text was updated successfully, but these errors were encountered: