Skip to main content

Secure Hierarchical Deterministic Wallet Supporting Stealth Address

  • Conference paper
  • First Online:
Computer Security – ESORICS 2022 (ESORICS 2022)

Abstract

Over the past decade, cryptocurrency has been undergoing a rapid development. Digital wallet, as the tool to store and manage the cryptographic keys, is the primary entrance for the public to access cryptocurrency assets. Hierarchical Deterministic Wallet (HDW), proposed in Bitcoin Improvement Proposal 32 (BIP32), has attracted much attention and been widely used in the community, due to its virtues such as easy backup/recovery, convenient cold-address management, and supporting trust-less audits and applications in hierarchical organizations. While HDW allows the wallet owner to generate and manage his keys conveniently, Stealth Address (SA) allows a payer to generate fresh address (i.e., public key) for the receiver without any interaction, so that users can achieve “one coin each address” in a very convenient manner, which is widely regarded as a simple but effective way to protect user privacy. Consequently, SA has also attracted much attention and been widely used in the community. However, as so far, there is not a secure wallet algorithm that provides the virtues of both HDW and SA. Actually, even for standalone HDW, to the best of our knowledge, there is no strict definition of syntax and models that captures the functionality and security (i.e., safety of coins and privacy of users) requirements that practical scenarios in cryptocurrency impose on wallet. As a result, the existing wallet algorithms either have (potential) security flaws or lack crucial functionality features.

In this work, after investigating HDW and SA comprehensively and deeply, we formally define the syntax and security models of Hierarchical Deterministic Wallet supporting Stealth Address (HDWSA), capturing the functionality and security (including safety and privacy) requirements imposed by the practice in cryptocurrency, which include all the versatile functionalities that lead to the popularity of HDW and SA as well as all the security guarantees that underlie these functionalities. We propose a concrete HDWSA construction and prove its security in the random oracle model. We implement our scheme and the experimental results show that the efficiency is suitable for typical cryptocurrency settings.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Note that we change the term from “one coin each address” to “one coin each cold-address”, to explicitly emphasize that it is not only for the privacy-preservation but also for the safety of coins.

  2. 2.

    Note that the payee can detect such malicious behaviors easily.

  3. 3.

    [13] discussed how to support dynamic hierarchy but does not give formal model or proof, and discussed a method to achieve transaction unlinkability, but will lose the master public key property.

  4. 4.

    This separation is borrowed from the stealth address mechanisms in [12, 17].

  5. 5.

    Actually, an individual user can also be regarded as a special organization, for example, a user may manage his wallets in a hierarchy manner.

  6. 6.

    Note that we are abusing the concept of ‘\(\in \)’. In particular, if there exists a tuple \((ID, \textsf{wpk}_{ID}, \textsf{wsk}_{ID}) \in L_{wk}\) for some \((\textsf{wpk}_{ID}, \textsf{wsk}_{ID})\) pair, we say that \(ID \in L_{wk}\).

  7. 7.

    Note that \(\textsf{WalletKeyDelegate}(\cdot , \cdot , \cdot )\) is a deterministic algorithm, so that querying \(\textsf{OWKeyDelegate}(\cdot )\) on the same identifier will obtain the same response.

  8. 8.

    Note that actually the adversary \(\mathcal {A}\) here should not make such a query with \(t=0\) (as required by the success conditions defined in later Output Phase). In later definition of unlinkability, the adversary may query this oracle on ID with \(t=0\).

  9. 9.

    Note that we are abusing the concepts of ‘\(\in \)’. In particular, if there exists a pair \((\textsf{dvk}, ID) \in L_{dvk}\) for some ID, we say that \(\textsf{dvk} \in L_{dvk}\).

References

  1. Alkadri, N.A., et al.: Deterministic wallets in a quantum world. In: CCS 2020, pp. 1017–1031 (2020)

    Google Scholar 

  2. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26

    Chapter  Google Scholar 

  3. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

    Chapter  Google Scholar 

  4. Buterin, V.: Deterministic wallets, their advantages and their understated flaws. Bitcoin Magazine (2013)

    Google Scholar 

  5. ByteCoin: Untraceable transactions which can contain a secure message are inevitable (2011). https://bitcointalk.org/index.php?topic=5965.0

  6. Das, P., Erwig, A., Faust, S., Loss, J., Riahi, S.: The exact security of BIP32 wallets. In: CCS 2021, pp. 1020–1042 (2021)

    Google Scholar 

  7. Das, P., Faust, S., Loss, J.: A formal treatment of deterministic wallets. In: CCS 2019, pp. 651–668 (2019)

    Google Scholar 

  8. Fan, C., Tseng, Y., Su, H., Hsu, R., Kikuchi, H.: Secure hierarchical bitcoin wallet scheme against privilege escalation attacks. In: IEEE Conference on Dependable and Secure Computing, DSC 2018, pp. 1–8 (2018)

    Google Scholar 

  9. Fan, C., Tseng, Y., Su, H., Hsu, R., Kikuchi, H.: Secure hierarchical bitcoin wallet scheme against privilege escalation attacks. Int. J. Inf. Sec. 19(3), 245–255 (2020)

    Article  Google Scholar 

  10. Gutoski, G., Stebila, D.: Hierarchical deterministic bitcoin wallets that tolerate key leakage. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 497–504. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_31

    Chapter  Google Scholar 

  11. Liu, W., Liu, Z., Nguyen, K., Yang, G., Yu, Yu.: A lattice-based key-insulated and privacy-preserving signature scheme with publicly derived public key. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 357–377. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_18

    Chapter  Google Scholar 

  12. Liu, Z., Yang, G., Wong, D.S., Nguyen, K., Wang, H.: Key-insulated and privacy-preserving signature scheme with publicly derived public key. In: 2019 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 215–230. IEEE (2019)

    Google Scholar 

  13. Di Luzio, A., Francati, D., Ateniese, G.: Arcula: a secure hierarchical deterministic wallet for multi-asset blockchains. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 323–343. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_16

    Chapter  Google Scholar 

  14. NIST: FIPS pub 186-4. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf. Accessed 10 Jan 2021

  15. Noether, S., Mackenzie, A.: Ring confidential transactions. Ledger 1, 1–18 (2016)

    Article  Google Scholar 

  16. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    Article  MathSciNet  Google Scholar 

  17. van Saberhagen, N.: Cryptonote v 2.0 (2013). https://cryptonote.org/whitepaper.pdf

  18. Todd, P.: Stealth addresses. Post on Bitcoin development mailing list (2014). https://www.mail-archive.com/bitcoindevelopment@lists.sourceforge.net/msg03613.html

  19. Unger, N.: The PBC go wrapper, December 2018. https://github.com/Nik-U/pbc

  20. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7

    Chapter  Google Scholar 

  21. Wuille, P.: BIP32: hierarchical deterministic wallets (2012). https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

  22. Yin, X., Liu, Z., Yang, G., Chen, G., Zhu, H.: Secure Hierarchical Deterministic Wallet Supporting Stealth Address. Cryptology ePrint Archive, Paper 2022/627 (2022). https://eprint.iacr.org/2022/627

Download references

Acknowledgements

This work was supported by the National Natural Science Foundation of China (No. 62072305, 62132013), and Shanghai Key Laboratory of Privacy-Preserving Computation.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Zhen Liu .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Yin, X., Liu, Z., Yang, G., Chen, G., Zhu, H. (2022). Secure Hierarchical Deterministic Wallet Supporting Stealth Address. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13554. Springer, Cham. https://doi.org/10.1007/978-3-031-17140-6_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-17140-6_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17139-0

  • Online ISBN: 978-3-031-17140-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics