1. Introduction
Blockchain uses cryptography algorithm, P2P network architecture, consensus algorithm, and other methods to ensure reliable data transmission, storage, and access functions. As a distributed shared ledger and database, the blockchain can enable peers to establish a trusted distributed system without mutual trust. It has the characteristics of decentralization, non- tampering, traceability, collective maintenance, openness, and transparency. These characteristics ensure the "honesty" and "transparency" of the blockchain and lay the foundation for creating trust in the blockchain. Blockchain applications have extended from cryptocurrency [1] to smart city [2], affiliate systems [3], healthcare [4], supply chain [5,6], Internet of Things [7,8], data sharing and storage [9,10], Information tracking and analysis [11]. However, as a brand-new technology, there are still many difficulties in the combination of blockchain and other technologies. Sáez et al. [12] discussed the challenges faced by blockchain-enabled platforms.
As the underlying technology of decentralized platforms and applications, blockchain has a serious problem in account management: there is no trusted third-party in the blockchain system, and individuals keep the user's private key, if the device has a hard disk crash, data damage, or loss of the device carrying the key, the private key will lose, and the user's blockchain account cannot be retrieved, which causes cause the user's property in the blockchain to be lost. In the blockchain system, the private key is the user's unique identity, and the secure key storage is the core of the security technology in the key management system and the entire blockchain system and is an important guarantee for account security.
Consequently, the current blockchain system requires a safe and effective blockchain account management method to protect users' property safety. The current work on the blockchain account management scheme mainly focused on the security and convenience of the private key generation, storage, and use phase. There is mainly a private key generation scheme combining random seed with a password in the user's private key generation arena, using random seed and password stored in the local device to generate private keys [13]. In the private key storage arena, the main solutions are local storage, offline storage [14], encrypted wallet, account custody [15], and hierarchical deterministic wallet [16,17]. In the private key use arena, multi-signature [18-20] and threshold signature schemes [21,22] are mainly proposed. The multi-signature transactions require M completed signatures among N members to take effect. If someone wants to change the multi-signature transaction strategy, he needs to generate a new multi-signature transaction address and script. In the threshold signature scheme [21], the account's private key is divided into n shares and stored by n participants. When initiating a transaction, several participants greater than the threshold t are required to sign together. In the Dikshit scheme [22], different weights can be given to participants according to their identities. These threshold signature schemes can complete transactions through the joint participation of multiple people, which enhances the security and reliability of the account to a certain extent, but how to manage the keys of each participant has also become a problem. In the scheme [23], the users mix the private key of the blockchain account with the personal password for secret sharing. Each peer in the public chain stores the generated n shares, and the key recovery request is broadcasted. After the number of peers exceeding the threshold t completes the response, the user can completely recover the private key with the password.
In the scheme of combining random seed and password, the user can recover the private key through the seed and password, but in essence, the user needs to store the random seed and the password safely. The security of this scheme is still related to passwords. The multi signature and threshold signature schemes are not suitable for individual user account management. The threshold secret sharing scheme also needs to store the user password securely. Once the user password is leaked, more than t peers can steal the user's private key through a collusion attack, and the throughput of the public chain is low. The network is prone to congestion, which does not apply to the future blockchain application environment.
In order to deal with the problem of the secure recovery of blockchain private keys, we propose a recoverable private key scheme for consortium blockchain based on verifiable secret sharing. The consortium blockchain uses the access mechanism to authenticate the user's identity, presets the committer peers, and has advantages over the public chain in terms of efficiency and flexibility. The user shares his private key using the verifiable secret sharing scheme with the committer peers, and each committer peer keeps one share. Once the private key is lost, the user can prove his identity information with the digital certificate and obtain the shares from the committer peers, and the user can confirm the correctness of the shares provided by each committer peer before reconstructing the private key. The private key can be recovered when the number of correct shares satisfies the threshold number.
2. Consortium Blockchain
The consortium blockchain is only aimed at members of a certain group and limited third parties. Multiple pre-selected peers are designated as committers. All pre-selected committer peers determine the generation of each block. Other peers can participate in the transaction, but not the committer process, and any third parties can perform limited queries through the open API of the blockchain.
The consortium blockchain has certain requirements for the configuration of consensus or verification peers and the network environment to obtain better performance. With the access mechanism, the consortium blockchain can improve transaction performance more easily and avoid problems caused by uneven participants.
The main user groups of the consortium blockchain are banks, insurance, securities, business associations, and group companies. When the blockchain was born, these companies have generally completed IT and Internet. They realized the blockchain would be very helpful further to improve the efficiency of the notarization, settlement, clearing business, and value exchange network in the industrial chain of their circle. However, when trying to use the existing blockchain technology, they found that the processing performance, privacy protection, and compliance of the blockchain could not meet their business needs. On the other hand, if these companies fully adopt Bitcoin's public chain design concept, they will subvert their existing business models and inherent interests and bear great risks. So they begin to transform the blockchain system that suits them. Consortium blockchain was born. The form of the consortium blockchain is mostly distributed ledgers. The distributed ledgers and distributed consensus of the blockchain solve the main core problem for them: the trust problem of multiple participants in the consortium.
Regarding the consensus algorithm of the consortium blockchain, the practical Byzantine fault-tolerant algorithm (PBFT) is adopted in the scheme proposed in this article. PBFT is an algorithm based on state machine copy replication that aims to solve how to ensure the consistency and correctness of the final decision even when malicious nodes exist in the entire system. Each state machine copy saves the service state and realizes the legal request of customers. In addition to transactions, it can also complete other operations and has a wide range of applications. And PBFT can still ensure the safety and liveness of the system when there are less than (n-1)/3 number of error peers in the system and correctly reach a distributed
3. Threshold Secret Sharing Scheme
In this section, we introduce two definitions of SS (Secret Sharing) and TCSS (Threshold Changeable Secret Sharing), Shamir SS scheme based on univariate polynomial, and Harn- Hsu TCSS scheme based on bivariate polynomial.
3.1 Shamir's Threshold Secret Sharing Scheme
In the Shamir secret sharing scheme [24], there are n shareholders U = {U1, U2, ⋯ , Un} and a mutually trusted dealer D. In order to share the secret s into n shares, the dealer D generates a (t−1) degree polynomial 𝑓(𝑥) ∈ 𝑍𝑃, where P is a prime number. The shared secret is 𝑠 = 𝑓(0), and the dealer computes the secret shares as 𝑦𝑖 = 𝑓(𝑥𝑖) for 𝑥𝑖 ≠ 0, then send the pair (𝑥𝑖, 𝑦𝑖) to the shareholder Ui. When reconstructing the secret, at least t shares(𝑥𝑖, 𝑦𝑖)are needed to recover the polynomial 𝑓′(𝑥), thus each shareholder can obtain the secret 𝑠 = 𝑓′(0). The scheme consists of two algorithms: share generation and secret reconstruction:
3.1.1 Share Generation
The (t−1) degree polynomial is defined as 𝑓(𝑥) = 𝑎0 + 𝑎1𝑥1 + 𝑎2𝑥2 + ⋯ + 𝑎𝑡−1𝑥𝑡−1 (mod 𝑝) and 𝑎𝑎𝑖𝑖 ∈ 𝑍𝑃, for 0 ≤ 𝑖 ≤ t − 1 and 𝑎𝑡−1 ≠ 0, the secret 𝑠 = 𝑓(0) = 𝑎0. In a (t, n) secret sharing scheme, n points need randomly selected as 𝑥𝑖: 1 ≤ 𝑖 ≤ n, and 𝑥𝑖 ∉ 𝑍𝑃, dealer computes 𝑦𝑖 = 𝑓(𝑥) and sends 𝑠𝑖 = (𝑥𝑖, 𝑦𝑖) to shareholders Ui.
3.1.2 Share Reconstruction
Suppose that m(m ≥ t) shareholders U1,U2, ⋯ , Um team up for secret reconstruction. Each shareholder Ui provides the share 𝑠𝑖 to the other shareholders. After that, one shareholder has m shares 𝑠1, ⋯ , 𝑠𝑚−1, 𝑠𝑚 and he can use Lagrange interpolation polynomial to recover 𝑓′(𝑥) as:
\(f(x)=\sum_{i=1}^{t} s_{i} \prod_{j=1, j \neq i}^{t} \frac{x_{j}-x}{x_{j}-x_{i}} \bmod p\),
Thus, the secret s can be computed as the following:
\(s=f(0)=\sum_{i=1}^{t} s_{i} \prod_{j=1, j \neq i}^{t} \frac{x_{j}}{x_{j}-x_{i}} \bmod p\).
3.2 Harn-Hsu TCSS Scheme
In the Harn-Hsu TCSS scheme [25], there are n shareholders U = {U1, U2, ⋯ , Un} and a mutually trusted dealer D. The initial threshold is t and it can be increased to the exact number of shareholders who participate in secret reconstruction. This scheme consists of two algorithms: share generation and secret reconstruction.
3.2.1 Share Generation
The dealer D picks a prime number p and a random symmetric polynomial 𝐹(𝑥,𝑦) with degree t − 1 as
\(\begin{gathered} f(x, y)=a_{0,0}+a_{1,0} x+a_{0,1} y+a_{2,0} x^{2}+a_{1,1} x y+a_{0,2} y^{2}+\cdots+a_{t-1,0} x^{t-1} \\ +a_{t-2,0} x^{t-2} y+\cdots+a_{0, t-1} y^{t-1}(\bmod p) \end{gathered}\)
where the coefficient 𝑎𝑖,𝑗 ∈ 𝑍𝑝, 𝑎𝑖,𝑗 = 𝑎𝑗,𝑖, and ∀𝑖,𝑗 ∈ [0,𝑡 − 1]. The secret 𝑠 ∈ 𝑍𝑝 satisfies 𝑠 = 𝐹(0,0) + 𝑏(1,1), where 𝑏 ∈ 𝑍𝑝.
The dealer D picks n different positive integers 𝑥1, ⋯ , 𝑥𝑛−1, 𝑥𝑛 from 𝑍𝑝(𝑥𝑖 ∉ {0,1}) and computes 𝑠𝑖(𝑦) = 𝐹(𝑥𝑖, 𝑦), for 𝑖 = 1,2, ⋯ , n. Then dealer D distributes each share 𝑠𝑖(𝑦) to the shareholder Ui securely.
3.2.2 Share Generation
Suppose that m( 𝑡 ≤ 𝑚 ≤ 1 + 𝑡(𝑡 + 1)/2) shareholders, for example, U1,U2, ⋯ , Um want to recover the secret. Each shareholder Ui accesses the public information b and uses its share 𝑠𝑖(𝑦) to compute
\(w_{i}=s_{i}(0) \prod_{j=1, j \neq i}^{m} \frac{x_{j}}{x_{j}-x_{i}}+\mathrm{b} s_{i}(1) \prod_{j=1, j \neq i}^{m} \frac{x_{j}-1}{x_{j}-x_{i}} \bmod p\).
Each shareholder Ui sends 𝑤𝑖 to the other shareholders. After that, a shareholder has 𝑤1, 𝑤2, ⋯ , 𝑤𝑚 and the secret can be evaluated as
\(s=\sum_{i=1}^{m} w_{i} \bmod p\).
The HARN-HSU TCSS scheme indicates that if the threshold m satisfy ( 𝑡 ≤ 𝑚 ≤ 𝑡(𝑡 + 1)/2) in the secret reconstruction phase, the threshold can be increased from t to m. In this case, all participants must utilize valid shares to recover the secret. However, the paper [26] has employed linear subspace method to attack Harn-Hsu TCSS scheme successfully. The authors claimed that t+1 shares are sufficient to reconstruct the secret even if the threshold is increased beyond t+1. Therefore, if an illegal participant without valid share collaborates with more than t shareholders, it can receive enough shares to obtain the secret. Thus, the TCSS scheme does not have the threshold changeable property and is still vulnerable to illegal participant attack.
4. Proposed Scheme
This section proposes a verifiable threshold secret sharing scheme for private key recovery in consortium blockchain.
The consortium blockchain has a user access mechanism, and users need to pass the CA authentication when registering an account on the consortium blockchain to obtain access rights. CA (Certificate Authority) is a certificate authority used to check whether the user’s identity is valid and legal. Only the user who is certified by CA can trade on the blockchain. After passing the authentication, the user registers and gets a personal blockchain account, thereby holding the private key s, using all the user’s blockchain property and the unique identifier of the user’s corresponding blockchain identity. The user and all committer peers form a group to share the user’s private key. Fig. 1 shows the application scenario of the proposed scheme.
Fig. 1. Application scenario
In our scheme, there are a user U, n (n > t(t+1)/2), committer peers and the threshold is t. The user U is both secret sharer and secret combiner, committer peers 𝑡(𝑡+1)/2 P={P1, P2, ⋯, Pn} who exercise committer power in consortium blockchain are shareholders. The user U splits the secret and sends it to the committer peers. Each committer peer only holds one share of the secret-sharing and it can verify the correctness of the share he received. In the secret reconstruction phase, the user U receives the secret shares that reach the threshold t or more, and each share can be verified for correctness, confirm that all the secret shares are true and effective, then U reconstructs the secret, and finally reconstruct the original secret.
The user’s biometric key SK [27] is the key information when recovering the private key. If the user needs to use SK, it can be achieved by extracting personal biometrics, without memory and additional backup. And the private key s can be recovered correctly only by using the SK in the secret recovery phase.
The notations used throughout the presentation are summarized in Table 1.
Table 1. Notation used throughout the scheme.
4.1 Algorithms
The proposed scheme is based on Harn-Hsu TCSS scheme [19] and its consists of three phases: share generation phase, verification phase and secret reconstruction phase.
4.1.1 Share Generation Phase
The user U selects a symmetric polynomial of the degree t−1 as the following
\(\begin{aligned} f(x, y) &=a_{0,0}+a_{1,0} x+a_{0,1} y+a_{2,0} x^{2}+a_{1,1} x y+a_{0,2} y^{2}+\cdots \\ &+a_{t-1,0} x^{t-1}+a_{t-2,0} x^{t-2} y+\cdots+a_{0, t-1} y^{t-1}(\bmod p) \end{aligned}\) (1)
where ai,j∈ Xp, ai,j = aj,i, and ∀𝑖,𝑗 ∈ [0,t − 1]. The secret s = 𝐹(0,0) + 𝑏F(1,1), where s ∈ 𝑍𝑝, 𝑏 ∈ 𝑍𝑝.
The user U computes his shares 𝑠p𝑖 = 𝑓𝑖(0) = 𝐹(𝑥𝑖, 0) and 𝑠𝑞𝑖 = 𝑓𝑖(1) = 𝐹(𝑥𝑖, 1), 𝑥𝑖 ∉ {0,1}, then U uses 𝑆K to compute the shares for committer peer Pi
• 𝑆P𝑖 = 𝑠p𝑖⨁𝑆K.
• 𝑆Q𝑖 = 𝑠𝑞𝑖⨁𝐻(𝑆K)⨁𝐻(𝑠p𝑖).
• 𝑋𝑖 = 𝑥𝑖⨁𝐻(𝑆K)⨁𝐻(𝑠𝑞𝑖).
• U computes the verification message 𝑉𝑖 = 𝐻(𝑠p𝑖 ∥ 𝑠𝑞𝑖 ∥ 𝑥𝑖) . Let 𝑚𝑖 = 𝐻(𝑆P𝑖 ∥ 𝑆Q𝑖 ∥ 𝑋𝑖 ∥ 𝑉𝑖) , then use the improved the ElGamal signature to sign the plaintext 𝑚𝑖. Select a large prime number p and set 𝑔 to be the generator of the group GF(p). The random number 𝑙 ∈ [1, p − 1] and gcd(𝑙, 𝑝 − 1) = 1 . Let 𝑦 = 𝑔𝑙 mod 𝑝 as the public key, 𝑙 is the private key, and computes the modulo inverse of 𝑙 as 𝑑 = 𝑙 −1 mod 𝑝. (𝑦, 𝑔, 𝑝) is the public content.
• The user signs the plaintext, selects a random number 𝑘𝑖 ∈ [1, p − 1], gcd(𝑘𝑖, 𝑝 − 1) = 1, computes 𝑟𝑖 = 𝑔𝑘𝑖 mod 𝑝.
• Computes 𝑠𝑖 = (𝑚𝑖 − 𝑘𝑖 𝑟𝑖)𝑑 mod (𝑝 − 1), the signature of 𝑚𝑖 is ( 𝑟𝑖, 𝑠𝑖).
U packages the share (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖, 𝑉𝑖, 𝑟𝑖, 𝑠𝑖) and sends it to the committer peer Pi.
Fig. 2 shows the share generation phase.
Fig. 2. Share generation phase.
4.1.2 Verification Phase
The committer peer Pi receives the share (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖, 𝑉𝑖, 𝑟𝑖, 𝑠𝑖) sent by the user, and verifies it
• Pi computes 𝑚′𝑖 = 𝐻(𝑆P𝑖 ∥ 𝑆Q𝑖 ∥ 𝑋𝑖 ∥ 𝑉𝑖).
• If \(y^{s_{i}} r_{i}^{r_{i}}=g^{m_{i}^{\prime}}\) mod 𝑝 is true, the signature is valid, and the secret share is correct.
Then Pi stores the share so that the user can get it to recover the secret.
4.1.3 Secret Reconstruction Phase
Once user U loses the private key, he needs to pass CA authentication again to get a new account to join the consortium blockchain and initiate an application to recover the secret key to the committer peers. After the committer peer confirms the user’s identity, the committer peer Pi reports to the user to send the share (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖, 𝑉𝑖). After the user receives m (𝑡 ≤ 𝑚 ≤ 1 + 𝑡(𝑡 + 1)/2) shares, perform a secret recovery operation
• U enters the biometric extraction key SK to compute the initial share
𝑠p𝑖 = 𝑆P𝑖⨁𝑆K.
𝑠𝑞𝑖 = 𝑆Q𝑖⨁𝐻(𝑆K)⨁𝐻(𝑠p𝑖).
𝑥𝑖 = 𝑋𝑖⨁𝐻(𝑆K)⨁𝐻𝐻(𝑠𝑞𝑖).
• U computes the verification information 𝑉′𝑖 = 𝐻(𝑠p𝑖 ∥ 𝑠𝑞𝑖 ∥ 𝑥𝑖), if 𝑉′𝑖 is equal to 𝑉𝑖, the committer peer Pi is an honest peer, and the share that Pi provides is correct and valid, otherwise Pi can be judged as malicious peer. The malicious peers will be punished after being confirmed.
• U uses the correct share (𝑠p𝑖, 𝑠𝑞𝑖, 𝑥𝑖) to compute:
\(w_{i}=s p_{i} \prod_{j=1, j \neq i}^{m} \frac{x_{j}}{x_{j}-x_{i}}+b s q_{i} \prod_{j=1, j \neq i}^{m} \frac{x_{j}-1}{x_{j}-x_{i}} \bmod p .\) (2)
Then enters 𝑤𝑖 that reaches the threshold number m to recover the secret s by Lagrangian interpolation algorithm:
\(\begin{aligned} s^{\prime} &=\sum_{i=1}^{m} w_{i} \bmod p \\ &=\sum_{i=1}^{m} s p_{i} \prod_{j=1, j \neq i}^{m} \frac{x_{j}}{x_{j}-x_{i}}+b \sum_{i=1}^{m} s q_{i} \prod_{j=1, j \neq i}^{m} \frac{x_{j}-1}{x_{j}-x_{i}} \bmod p \\ &=\sum_{i=1}^{m} F\left(x_{i}, 0\right) \prod_{j=1, j \neq i}^{m} \frac{x_{j}}{x_{j}-x_{i}}+b \sum_{i=1}^{m} F\left(x_{i}, 1\right) \prod_{j=1, j \neq i} \frac{x_{j}-1}{x_{j}-x_{i}} \bmod p \\ &=F(0,0)+b F(1,1) \\ &=s . \end{aligned}\) (3)
Fig. 3 shows the secret reconstruction phase.
Fig. 3. Secret reconstruction phase.
4.2 Peers Addition and Deletion
When a newly added user peer joins the consortium blockchain network, the (t,n) secret sharing scheme is executed for secret sharing, and his secret shares are stored at each committer peer.
If there are changes such as the addition or deletion of several committer peers, the n of the (t,n) secret sharing scheme is updated to n' which is the new number of existing committer peers in the consortium blockchain network. And users should execute the new (t', n') secret sharing scheme.
5. Security Analysis and Scheme Comparison
5.1 Security Analysis
In this section, we will analyze the security to prove the robustness of the proposed scheme against some threats.
Theorem 1. Any subset of participants with t members cannot recover the secret.
Proof. In the (𝑡, 𝑛) threshold scheme, at least t set of shares are required to reconstruct the secret. In the proposed scheme, committer peers only hold the shadow shares (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖) that are generated by U by computing 𝑆P𝑖 = 𝑠p𝑖⨁𝑆K, 𝑆Q𝑖 = 𝑠𝑞𝑖
Theorem 2. Any adversary cannot recover the secret by performing ‘Man-in-the-middle attack'.
Proof. The attacker may intercept the message when the user initiates a secret recovery request to committer peers and simulates the user to apply for the secret sharing share to each peer to get (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖). However, the attacker does not have the key 𝑆K, and cannot generate the real share (𝑠p𝑖, sqi, 𝑥𝑖) from (𝑆P𝑖, 𝑆P𝑖, 𝑋𝑖) to complete the secret recovery which means (𝑆P𝑖, 𝑆P𝑖, 𝑋𝑖) has no meaning to the attacker.
Theorem 3. Any attacker cannot recover the secret by bribing the committer peer.
Proof. Even if the attacker bribing peers and gets the (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖) kept by committer peer, he cannot compute the (𝑠p𝑖, sqi, 𝑥𝑖) from (𝑆P𝑖, 𝑆P𝑖, 𝑋𝑖) to get any secret-related information about the secret due to lack of the biometric binding key 𝑆K.
Theorem 4. Illicit peers can be identified in the proposed scheme.
Proof. When the user wants to recover the secret, at least t committer peers need to respond and send the shares (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖), and the user utilizes 𝑆K to compute t pairs of shares 𝑠p𝑖, sqi, 𝑥𝑖. Then the correct secret can be recovered.
Suppose that when the committer peer sends information, replace 𝑆P𝑖 with 𝑆P′𝑖. The user computes the followings:
𝑠′𝑖 = 𝑆P′𝑖𝑖⨁𝑆K, which is not equal to 𝑠p𝑖.
𝑠𝑞′𝑖 = 𝑆P𝑖⨁𝐻(𝑆K)⨁𝐻(𝑠p′𝑖), and we get 𝑠𝑞′𝑖 ≠ sqi.
𝑥′𝑖 = 𝑋𝑖⨁𝐻(𝑆K)⨁𝐻(𝑠𝑞′𝑖), and we get 𝑥′𝑖 ≠ 𝑥𝑖.
The verification information 𝑉′𝑖 = 𝐻(𝑠′𝑖 ∥ 𝑠𝑞&prme;𝑖 ∥ 𝑥′𝑖) does not equal to 𝑉𝑖, hence the verification fails, and the peer Pi may judge as an illicit peer.
Suppose the share (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖) that provided by committer peer can pass the user’s verification while the share has been changed, which means that the peer Pi has found two different numbers with the same hash value. And that is not achievable in polynomial time.
Theorem 5. Shareholders in this scheme also have verification capabilities.
Proof. In secret sharing phase, user U shares the secret, generates share content (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑖, 𝑉𝑖, 𝑟𝑖, 𝑠𝑖) and sends it to the Pi. If there is an attacker intercepts the share during the communication, tampers the share then sends committer peer (𝑆P′𝑖, 𝑆Q′𝑖, 𝑋′𝑖, 𝑉′𝑖, 𝑟′𝑖, 𝑠′𝑖) to the committer peer Pi.
The committer peer Pi receives the share and computes the plaintext content as 𝑚′𝑖 = 𝐻(𝑠p′𝑖 ∥ 𝑠𝑞′𝑖 ∥ 𝑥′𝑖 ∥ 𝑉′𝑖) with the public information (𝑦, 𝑔, 𝑞) then verifies the signature. Pi may find out the equation \(y^{s^{\prime} i} r_{i}^{\prime^{\prime} i}=g^{m_{i}^{\prime}}\) mod 𝑝 is not satisfied. The share is considered fake, Pi refuses to accept the share.
Theorem 6. Our scheme allows the user to update the biometric extraction key SK.
Proof. If the user wants to replace the key 𝑆K with 𝑆KN, computes:
\(\begin{aligned} &M_{1}=S K \bigoplus S K N \\ &M_{2}=H(S K) \oplus H(S K N) \end{aligned}\) (4)
User sends 𝑀1 and 𝑀2 to every committer peer and every committer peer performs the following computations:
\(\begin{aligned} S P^{\prime}{ }_{i} &=S P_{i} \oplus M_{1}=s p_{i} \oplus S K \oplus S K \oplus S K N=s p_{i} \oplus S K N . \\ S Q^{\prime}{ }_{i} &=S Q_{i} \oplus M_{2}=s q_{i} \oplus H(S K) \oplus H\left(s p_{i}\right) \oplus H(S K) \oplus H(S K N)=s q_{i} \oplus H(S K N) H\left(s p_{i}\right) \\ X^{\prime}{ }_{i} &=X_{i} \oplus M_{2}=x_{i} \oplus H(S K) \oplus H\left(s q_{i}\right) \oplus H(S K) \oplus H(S K N)=x_{i} \oplus H(S K N) \oplus H\left(s q_{i}\right) \end{aligned}\) (5)
The committer peer replaces (𝑆P𝑖, 𝑆Q𝑖, 𝑋𝑋𝑖𝑖) with (𝑆P′𝑖, 𝑆Q′𝑖,𝑋′𝑖) to achieve the user’s update of the biometric key. Here every user can update its key 𝑆K without let committer peers knowing about the secret and the committer peers are given relief from storing the secret.
5.2 Scheme Comparison
In this section, the proposed scheme is compared with some existing blockchain private key protection schemes that use other technologies.
Gutoski1 et. al. scheme [12] proposed a new Hierarchical deterministic wallet that solves the vulnerability that the master public key and sub-private key of the HD wallet can reversely recover the master private key. However, the HD wallet essentially relies on the secure storage of the master private key, and there are still private key security issues. Once the master private key is lost, the user cannot retrieve the property.
Goldfeder et. al. [15] proposed a threshold signature scheme compatible with bitcoins signature by using Elliptic Curve Digital Signature Algorithm providing security policy of shared control of a wallet in which each player gets only a single share. Dikshit et al. scheme [16] proposed an extend the weighted threshold ECDSA scheme. These threshold signature schemes can solve the transaction security problem of group decision-making in the blockchain, but they are not suitable for the security protection of the private key of individual users.
Han [20] proposed a new multi-signature wallet that shows better performance, storage efficiency, and privacy than existing blockchain wallets. the proposed wallet involves T- ECDSA and a Bloom-filter and does not require any modification of the blockchain protocol. However, this scheme requires information exchange and multiple encryption and decryption operations between clients, and is only suitable for multi-signature application scenarios between small groups.
We propose a verifiable secret sharing scheme, and it is applied to the consortium blockchain. The scheme achieves the secret-sharing between the user and the committer peers. Only when the user applies for the access qualification of the consortium blockchain there needs a third-party trusted center CA. In the secret recovery process were no trusted center is required to participate and the user behavior is anonymous, and the sharing and recovery of secrets are performed by the user himself. The user can verify the information submitted by the committer peers and identify illegal peers. The scheme adopts a verifiable threshold secret sharing scheme, which has the recoverability of secrets and the ability to resist single-point failures, to realize the two-way verification of user peers and committer peers against collusion attacks, and in the scheme we use the biometric extraction key of the user to achieve secret recovery, without the need to memories and store the password. The comparison of the proposed scheme with some existing methods are presented in Table 2.
Table 2. Scheme comparison.
6. Conclusion
We propose a recoverable private key scheme for consortium blockchain based on verifiable secret sharing to overcome the difficulty of recovering the lost private key of the blockchain. Compared with the currently used mnemonic words and other methods where the user stores the private key separately to recover the key information, this solution can split the private key and share it with each committer peer, and the committer peer participates in the private key reconstruction. With the biometric encryption system, it is guaranteed that the user’s private key can be recovered correctly only when the user’s biometrics are held. After security analysis, our scheme satisfies the requirements of resistance to collusion attacks, man-in-the-middle attacks, and verifiable threshold secret-sharing. In terms of efficiency, the application scenario of our scheme is the consortium blockchain. Compared with the public chains, the consortium blockchain’s transaction cost is cheaper and peers can complete the transaction faster.
In our future work, we will explore how to integrate the threshold secret sharing with the private key system of the blockchain more efficiently and expand the application scenarios from the consortium blockchain for more blockchain applications.
Acknowledgement
This research is partially supported by the National Natural Science Foundation of China (No. 61772166) and the Key Program of the Natural Science Foundation of Zhejiang province of China (No. LZ17F020002).
References
- Nakamoto Satoshi, "Bitcoin: A peer-to-peer electronic cash system," Manubot, Nov. 2019.
- C. Esposito, M. Ficco, B. B. Gupta, "Blockchain-based authentication and authorization for smart city applications," Information Processing and Management, vol. 58, no. 2, pp. 102468, Mar. 2021. https://doi.org/10.1016/j.ipm.2020.102468
- A. Baldominos, JL. Lopez-Sanchez, M. Acevedo-Aguilar, "Blockverse: A Cloud Blockchain-based Platform for Tracking in Affiliate Systems," International Journal of Interactive Multimedia and Artificial Intelligence, vol. 6, no. 3. Jun. 2020.
- H. S. Jennath, V. S. Anoop, S. Asharaf, "Blockchain for Healthcare: Securing Patient Data and Enabling Trusted Artificial Intelligence," International Journal of Interactive Multimedia and Artificial Intelligence, vol. 6, pp. 15-23. Dec. 2020.
- H. M. Kim, M. Laskowski, "Toward an ontology-driven blockchain design for supply-chain provenance," Intelligent Systems in Accounting, Finance and Management, vol. 25, no. 1, pp. 18-27, Mar. 2018. https://doi.org/10.1002/isaf.1424
- N. K. shetri, "1 blockchain's roles in meeting key supply chain management objectives," International Journal of Information Management, vol. 39, pp. 80-89, Apr. 2018. https://doi.org/10.1016/j.ijinfomgt.2017.12.005
- H. N. Dai, Z. Zheng, and Y. Zhang, "Blockchain for internet of things: A survey," IEEE Internet of Things Journal, vol. 6, no. 5, pp. 8076-8094, Oct. 2019. https://doi.org/10.1109/jiot.2019.2920987
- A. Ouaddah, H. Mousannif, A. Abou Elkalam, and A. A. Ouahman, "Access control in the internet of things: Big challenges and new opportunities," Computer Networks, vol. 112, pp. 237-262, Jan. 2017. https://doi.org/10.1016/j.comnet.2016.11.007
- C. Feng, K. Yu, A. K. Bashir, Y. D. Al-Otaibi, Y. Lu, S. Chen, D. Zhang, "Efficient and secure data sharing for 5G flying drones: a blockchain-enabled approach," IEEE Network, vol. 35, no. 1, pp. 130-137. Feb. 2021. https://doi.org/10.1109/MNET.011.2000223
- M. El Ghazouani, E. kiram, M. Ahmed, "Efficient Method Based on Blockchain Ensuring Data Integrity Auditing with Deduplication in Cloud," International Journal of Interactive Multimedia and Artificial Intelligence, vol. 6, no. 3, pp. 32-38. Sep. 2020. https://doi.org/10.9781/ijimai.2020.08.001
- F. Jurado, O. Delgado, A. Ortigosa, "Tracking News Stories Using Blockchain to Guarantee their Traceability and Information Analysis," International Journal of Interactive Multimedia and Artificial Intelligence, vol. 6, no. 3, pp. 39-46. Sep. 2020. https://doi.org/10.9781/ijimai.2020.06.003
- M. Saez, "Blockchain-Enabled Platforms: Challenges and Recommendations," International Journal of Interactive Multimedia and Artificial Intelligence, vol. 6, no. 3 pp. 73-89. Sep. 2020. https://doi.org/10.9781/ijimai.2020.08.005
- Y. Liu, R. Li, X. Liu, J. Wang, L. Zhang, C. Tang, and H. Kang, "An efficient method to enhance bitcoin wallet security," in Proc. of the 2017 11th IEEE International Conference on Anti-counterfeiting, Security, and Identification (ASID), Xiamen. pp. 26-29, Oct. 2017.
- S. Eskandari, J. Clark, D. Barrera, and E. Stobert, "A first look at the usability of bitcoin key management," in Proc. of NDSS Symposium 2015, 2015.
- M. Guri, "Beatcoin: Leaking private keys from air-gapped cryptocurrency wallets," in Proc. of the 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Halifax, NS, Canada, pp. 1308-1316, Aug. 2018.
- D. Khovratovich and J. Law, "BIP32-Ed25519: Hierarchical Deterministic Keys over a Non-linear Keyspace," in Proc. of the 2017 IEEE European Symposium on Security and Privacy Workshops, Paris, pp. 27-31, Apr. 2017.
- G. Gutoski and D. Stebila, "Hierarchical deterministic bitcoin wallets that tolerate key leakage," in Proc. of the International Conference on Financial Cryptography and Data Security, Springer, pp. 497-504, Jul. 2015.
- G. Maxwell, A. Poelstra, Y. Seurin, and P. Wuille, "Simple schnorr multisignatures with applications to bitcoin," Designs, Codes and Cryptography, vol. 87, no. 9, pp. 2139-2164, Feb. 2019. https://doi.org/10.1007/s10623-019-00608-x
- N. Z. Aitzhan and D. Svetinovic, "Security and privacy in decentralized energy trading through multi-signatures, blockchain and anonymous messaging streams," IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 840-852, Oct. 2018. https://doi.org/10.1109/tdsc.2016.2616861
- J. Han, M. Song, H. Eom, Y. Son, "An efficient multi-signature wallet in blockchain using bloom filter," in Proc. of the 36th Annual ACM Symposium on Applied Computing, pp. 273-281. Mar. 2021.
- D. Boneh, R. Gennaro, and S. Goldfeder, "Using level-1 homomorphic encryption to improve threshold dsa signatures for bitcoin wallet security," in Proc. of the International Conference on Cryptology and Information Security in Latin America, Springer, pp. 352-377, Jul. 2017.
- P. Dikshit and K. Singh, "Efficient weighted threshold ecdsa for securing bitcoin wallet," in Proc. of the 2017 ISEA Asia Security and Privacy (ISEASP), Surat, pp. 1-9, Feb. 2017.
- J. Zhou and R. Qu, "Study on the healing blockchain wallet protection mechanism against conspiracy attack," Computer Engineering, pp. 1-7, Apr. 2020.
- A. Shamir, "How to share a secret," Communications of the ACM, vol. 22, no. 11, pp. 612-613, Nov. 1979. https://doi.org/10.1145/359168.359176
- L. Harn and C.-F. Hsu, "Dynamic threshold secret reconstruction and its application to the threshold cryptography," Information Processing Letters, vol. 115, no. 11, pp. 851-857, Nov. 2015. https://doi.org/10.1016/j.ipl.2015.06.014
- S. Jamshidpour and Z. Ahmadian, "Security analysis of a dynamic threshold secret sharing scheme using linear subspace method," Information Processing Letters, vol. 163, p. 105994, Nov. 2020. https://doi.org/10.1016/j.ipl.2020.105994
- N. Zhang, Y.L. Zang, and J. Tian, "The integration of biometrics and cryptography-a new solution for secure identity authentication," Journal of Cryptologic Research, vol. 2, no. 2, pp. 159-176, Apr. 2015.