2019 IEEE International Conference On Blockchain


2019 IEEE International Conference on Blockchain (Blockchain)

Deterministic Sub-Wallet for Cryptocurrencies

Hossein Rezaeighaleh, Department of Computer Science, University of Central Florida, Orlando, USA, rezaei@knights.ucf.edu
Cliff C. Zou, Department of Computer Science, University of Central Florida, Orlando, USA, czou@cs.ucf.edu

Abstract: A big challenge in cryptocurrency is securing a user's key from potential hackers, because nobody can roll back a transaction made by an attacker with a stolen key once the blockchain network confirms it. One solution to protect users is splitting the money between a super-wallet and a sub-wallet. The user stores a large amount of money on her super-wallet and keeps it safe; she refills the sub-wallet when she needs to, while using the sub-wallet for her daily purchases. In this paper, we propose a new scheme to create a sub-wallet that we call deterministic sub-wallet. In this scheme, the seed of the sub-wallet keys is derived from the super-wallet master seed, and therefore the super-wallet can build many sub-wallet addresses and refill them in a single blockchain transaction. Compared to existing approaches, our mechanism is cheaper, real-time, more secure against man-in-the-middle attack and easier for backup and recovery. We implement a proof-of-concept on a hardware wallet and evaluate its performance. In addition, we analyze the attacks and defenses of this design to demonstrate that our proposed method has a higher level of security than existing models.

Keywords: blockchain, cryptocurrency, hardware wallet, smart card, Bitcoin.

I. INTRODUCTION

Blockchain technology and cryptocurrencies are becoming increasingly accessible and usable in various areas, from purchasing a coffee to transferring vehicle ownership. At the same time, crypto coins become more attractive and valuable for hackers to steal, as we read frequent news of hackers stealing large amounts of money from blockchain users. A major security issue in all cryptocurrencies, including Bitcoin and many altcoins, is the safety of users' private keys. Cryptocurrencies usually use elliptic-curve asymmetric cryptography to control the ownership of coins or accounts. In other words, to transfer funds from one user to another, the sender signs a transaction with her private key, and the blockchain verifies the signature of the transaction with the sender's public key. If the blockchain network accepts and confirms this transaction, nobody can roll it back, unlike a traditional bank transfer. Thus, if a hacker empties the user's account and transfers all her money to his account, she has no way to reverse the transaction and recover her loss. Unfortunately, many people have experienced this disaster.

A user's private key has full control of the user's funds, and she should stand on her own feet and keep her private keys safe by herself, which is one of the most critical challenges in cryptocurrencies [1], [2]. Users usually employ crypto wallets to generate and store their private keys and sign transactions. Crypto wallets have many forms, from online wallets to mobile and cold wallets, and the most secure one is the hardware wallet, which usually takes the form of a USB stick, Bluetooth device or smart card.

Even though the hardware wallet is a secure option, it is risky for a user to put all of her funds on a device and use that for day-to-day purchases. A smart and simple solution called the super-wallet/sub-wallet model is proposed in [1]. The super-wallet is like a savings account that stores a large amount of money and only refills the same owner's sub-wallet infrequently, when needed. The sub-wallet is like a spending account that stores a small amount of funds used by the user for daily expenses. Therefore, if the user's sub-wallet is lost or hacked, she does not lose a significant amount of money.

In the classic model [1], every time a user wants to refill her sub-wallet, she sends funds from the super-wallet address to the sub-wallet address. This process is straightforward but has significant drawbacks. First, each time the user refills the sub-wallet, the super-wallet creates a transaction and publishes it to the blockchain network. Thus, she pays a miner fee for each such transaction. Also, she should wait for confirmation, so refilling the sub-wallet takes time. Also, refilling the sub-wallet is risky because a hacker could perform a Man-In-The-Middle (MITM) attack to replace the user's sub-wallet address with his own address and receive the funds from the super-wallet. Furthermore, the user must maintain backups of both the super-wallet and the sub-wallet.

To resolve these challenges in the super-wallet/sub-wallet model, we propose a new scheme that we call deterministic sub-wallet. In this model, the sub-wallet seed is derived from the super-wallet seed, and this process is executed inside the super-wallet. The super-wallet derives the sub-wallet addresses and transfers funds to them in only one blockchain transaction. To refill, the user transports a seed from the super-wallet to the sub-wallet instead of creating a blockchain transaction. Consequently, this model can refill multiple sub-wallet addresses with only one mining fee and a one-time wait for confirmation. It is secure because the super-wallet does not need to get the sub-wallet addresses from outside of the wallet, and this prevents a MITM attack. Also, there is no need to back up the sub-wallet, because it can be derived from the super-wallet. For proof-of-concept, we implement a prototype of our proposed deterministic sub-wallet in a hardware wallet and evaluate its performance. In summary, our contributions in this paper are:

- Designing a new super-wallet/sub-wallet model which reduces refilling cost and time, enhances the security, and removes the necessity for the sub-wallet backup
- Implementing a proof-of-concept in a hardware wallet

In Section II, we overview related works including the Hierarchical Deterministic wallet and the classic super-wallet/sub-wallet model. In Section III we explain our new proposed deterministic sub-wallet model, Section IV is about our prototype implementation in a hardware wallet, and we evaluate its performance in Section V. Next, we define our security assumptions and threat model and do a security analysis of the algorithm and its implementation in Section VI. Finally, in Section VII, we finish the paper with a conclusion.

978-1-7281-4693-5/19/$31.00 ©2019 IEEE
DOI 10.1109/Blockchain.2019.00064

II. RELATED WORKS

A. Hierarchical Deterministic Wallet

Bitcoin, Ethereum, Litecoin, and almost all popular cryptocurrencies use elliptic-curve cryptography (ECC) to sign and verify transactions. They usually use secp256k1 domain parameters with 256-bit ECC [4]. Therefore, the user has a key pair and uses the private key to sign transactions and transfer funds to another user's public key. The sender must know the receiver's public key to perform a transaction, and all users publish their public key in a specific format called an address. Therefore, a user keeps her private key secret and publishes her address to other users in the network, which causes privacy concerns because everyone with access to the Internet can discover the user's addresses and track her transactions.

Thus, anonymity is a challenge in most cryptocurrencies because all transaction history is on the blockchain network. To tackle this problem, the user should use a new address in each transaction to receive funds from others or to return the remaining value of a spending transaction, called a 'change address'. This means that she generates a new key pair for each transaction. Thus, nobody can track her just by watching her transaction history, and this is a best practice in Bitcoin and many cryptocurrencies [5]. However, generating a random private key for each transaction requires maintaining a lot of private keys, which is hard to manage. Deterministic wallets were invented to solve this problem; they use a predictable algorithm to generate new private keys, and because this can be hierarchical, they are called Hierarchical Deterministic (HD) wallets [6]. In an HD wallet, the user has a tree of private keys in which any node can be derived from its parent using the Child Key Derivation (CKD) algorithm. The root of this tree is a private key called the 'master private key', derived from a random value called the 'master seed'. In other words, anyone who has the master seed can derive all subordinate private keys and addresses. Consequently, the user only needs to keep one seed value safe and can generate a lot of pseudo-random addresses, which provides anonymity.

There is also another proposal [8] which defines a conversion algorithm to convert a list of memorable words (mnemonics) to a seed for HD wallets. The user must write down these words (12 to 24 words) on a piece of paper and keep that safe. She can recover her whole key tree on a new wallet using these words. Crypto wallets usually use this conversion to back up the master seed.

Finally, there is a large universal tree derived from a word list that covers all keys of all coins for a user wallet, and each key in the tree has a unique path. However, these mechanisms are silent about the super-wallet/sub-wallet model, and there is no link between the keys of the two wallets. In our proposed scheme, we use the existing HD wallet structure and add a link between the master seed of the super-wallet and the master seed of the sub-wallet, which we call the sub-seed.

B. Classic Super-Wallet/Sub-Wallet Model

The idea of super-wallet and sub-wallet is proposed in [1]. It separates the main account, which holds a large amount of money, from the spending account, which is used for daily transactions. It mimics the personal savings account and spending account in traditional banking. A user uses her spending account on a sub-wallet for day-to-day expenses such as purchases from online stores, paying bills or buying a coffee. On the other hand, she uses her savings account on a super-wallet just for receiving, like a deposit of salary, and for refilling her spending account on the sub-wallet. Therefore, she uses her super-wallet rarely, e.g., one or two times per month, and her sub-wallet several times per day.

The classic solution to build a super-wallet and sub-wallet proposed in [1] is straightforward. The user should have two regular wallets. She designates one wallet as the super-wallet and stores all of her funds on that. Then, each time she wants to refill the sub-wallet (the second wallet), she retrieves a receiving address from the sub-wallet and sends funds from the super-wallet to this address. In this mechanism, the user creates a transaction in the super-wallet each time she wants to refill the sub-wallet. This process requires paying a miner fee and waiting a period for confirmations. Because the terminal (e.g., laptop or smartphone) is usually vulnerable to malware attacks, it is possible that a hacker replaces the sub-wallet address with his own address to steal funds from the super-wallet. Furthermore, the user should back up both the super-wallet and the sub-wallet, similar to all regular wallets. In the next section, we address these issues with our proposed model.

III. PROPOSED DETERMINISTIC SUB-WALLET

In contrast to the classic super-wallet/sub-wallet model with unlinked key trees, in our new scheme, the deterministic sub-wallet, we derive the sub-wallet seeds from the super-wallet master seed. Therefore, the super-wallet can build all sub-wallet key trees. So, the super-wallet refills several sub-wallet addresses with one blockchain transaction, and refills the sub-wallet by transporting one sub-seed.

An HD wallet uses a path to address each key in the key tree, which is a sequence of a letter and a few numbers. The first element in the path is the letter 'm', which denotes the master seed, and the subsequent numbers are the input indexes for the CKD algorithm in the corresponding round [6]. In addition to the HD wallet base algorithms, the cryptocurrency community proposed a complementary standard to define a universal path format for all coins (Bitcoin, Ethereum, Litecoin, and other coins) [7]. The format of this addressing is as follows:

    path = m/purpose'/coin'/account'/change/address_index

Compared to the classic super-wallet/sub-wallet model, the advantages of our proposed deterministic sub-wallet are:

(1) The deterministic sub-wallet is cheaper in terms of the miner fee because it can refill multiple sub-wallet addresses with one blockchain transaction, while the classic model requires a blockchain transaction for each refill.

(2) Refilling the sub-wallet is real-time in the deterministic sub-wallet because it is an offline sub-seed transport from the super-wallet to the sub-wallet without any transaction with the blockchain network.

(3) The classic model is vulnerable to a Man-In-The-Middle attack for key injection, similar to other regular wallets, but the deterministic sub-wallet is not, because the sub-wallet addresses are generated inside the super-wallet.

(4) The user must back up both the super-wallet and the sub-wallet seeds in the classic model, but in the deterministic sub-wallet there is no need to back up the sub-wallet seed because it is derivable from the super-wallet seed. So, it is enough to back up the super-wallet seed.

The abstract process of deterministic sub-wallet refilling is as follows. The super-wallet generates a pool of sub-wallet addresses and constructs a large transaction which transfers funds from one (or more) super-wallet addresses to the generated sub-wallet addresses. Then, the super-wallet signs and publishes the transaction. After that, each time the user wants to refill the sub-wallet, she exports a sub-wallet seed from the super-wallet and imports it to the sub-wallet securely. In our previous paper [9], we proposed a secure cryptographic mechanism to transport a seed between wallets using Elliptic-Curve Diffie-Hellman. We explain the details of the process in the following sections.

A. Sub-Wallet Seed Derivation

Both the super-wallet and the sub-wallet should be HD wallets to support the anonymity and privacy of the user. In our model, one sub-wallet can have only one seed at a time, but the super-wallet derives a new seed each time to generate a new sub-wallet address. So, to implement a deterministic sub-wallet, we propose a simple function to derive multiple sub-wallet seeds (subSeed) from a super-wallet master seed (masterSeed). This function is as follows.

    subSeed = HMAC-SHA512(key = "Sub-wallet xxxx", data = masterSeed)    (2)

In this function, we use a procedure similar to the master key generation function in [6] with some modifications. The core function is an HMAC-SHA512 with the master seed as input data and the "Sub-wallet xxxx" string as input key. The "xxxx" is the index of the sub-wallet, starting from 0, written as a four-digit hexadecimal number. For example, the input key for sub-wallet number 1 will be "Sub-wallet 0001". The output of this function is a 512-bit deterministic pseudo-random value which can be used as a regular seed to construct an HD wallet key tree on the sub-wallet.

B. Sub-Wallet Refilling

Refilling many addresses of the sub-wallet in one transaction requires a multi-output transaction. This type of transaction can have more than one output to send coins to multiple addresses. Cryptocurrencies like Bitcoin and other altcoins that use the UTXO (Unspent Transaction Output) model support the multi-output transaction, while some account-based cryptocurrencies like Ethereum do not. This paper focuses on the first group of cryptocurrencies, but this design is applicable to Ethereum with an additional smart contract like [10].

To refill the sub-wallet, the super-wallet creates and signs a multi-output transaction. The refilling function gets inputs n, i and v, described in TABLE I. This algorithm runs on the super-wallet and generates n sub-seeds starting from index i using the sub-wallet seed generation function. Next, it derives the sub-wallet private keys and their addresses with a predefined fixed path illustrated in Fig. 1. This path is fixed for all sub-seeds, and we use only the first address of each sub-seed. In this path, 'change' is 1 because the resulting address is used to transfer funds from the super-wallet to the sub-wallet as an internal use. The super-wallet generates n addresses from n sub-seeds and creates a transaction that transfers v/n coins to each address. It divides the input funds equally among all addresses. Fig. 1 shows the pseudo-code of the sub-wallet refilling algorithm and TABLE I describes the acronyms of the pseudo-code.

Fig. 1. Sub-wallet refilling pseudo-code

    refillSubWallet(n, i, v) {
        for j = i to i + n - 1 {
            s_j = deriveSubSeed(masterSeed, j)
            k_j = deriveKey(seed = s_j, path = "m/44'/coin'/0'/1/0")
            a_j = privateKeyToAddress(k_j)
        }
        tx = signTX(v/n -> a_j : j = i to i + n - 1)
        sendTransaction(tx)
    }

TABLE I. SUB-WALLET REFILLING PSEUDO-CODE ACRONYMS

    Acronym   Meaning
    n         number of sub-wallet addresses
    i         index of the first sub-wallet address
    v         sum of funds to refill
    s_j       sub-seed of sub-wallet index j
    k_j       private key of sub-wallet index j
    a_j       address of sub-wallet index j
    tx        blockchain transaction

To clarify this algorithm, we discuss a simplified example of the sub-wallet refilling procedure illustrated in Fig. 2. Assume that the super-wallet address (Super-wallet address1) has 30 Bitcoin at first. The sub-wallet refilling algorithm creates a transaction with 5 sub-wallet addresses (n = 5) starting from sub-wallet index 1 (i = 1), and the total fund is 2 Bitcoin (v = 2). After confirmation by the blockchain, the super-wallet address has 28 Bitcoin and each sub-wallet address (Sub-wallet address1 to Sub-wallet address5) has 0.4 Bitcoin.

Fig. 2. The simplified example of sub-wallet refilling in the blockchain. The left side demonstrates the blockchain state before publishing the sub-wallet refilling transaction, and the right side shows the state after that.

    Blockchain state (before):  Super-wallet address1: 30 btc
    Blockchain state (after):   Super-wallet address1: 28 btc
                                Sub-wallet address1: 0.4 btc
                                Sub-wallet address2: 0.4 btc
                                Sub-wallet address3: 0.4 btc
                                Sub-wallet address4: 0.4 btc
                                Sub-wallet address5: 0.4 btc

In the real world and also in our prototype implementation some details are different. For example, to provide anonymity, a change address is used, which means the address of the super-wallet that receives the remaining funds in the left side is different from the input super-wallet address in the right side. Furthermore, the sums of the funds before and after publishing the refilling transaction are not equal because of the mining fee. Also, the input super-wallet address could be replaced by multiple super-wallet addresses to provide enough funds to refill the sub-wallet addresses.

C. Sub-Wallet Seed Transporting

We need an algorithm to transport a sub-wallet seed (sub-seed) from the super-wallet to the sub-wallet securely. To do that, we employ a modified version of the seed transport algorithm proposed in [9]. This algorithm is based on Elliptic-Curve Diffie-Hellman

… smart card to display information to the user with no intermediate terminal. Also, buttons are available in these new smart cards. Thus, we use a smart card with a screen and a button as a hardware crypto wallet to implement our mechanism, and Fig. 3 shows a photo of such a smart card.

Fig. 3. Smart card with an e-paper display, physical buttons, and a programmable IC chip

To develop a card application for the smart card, we employ Java Card technology [14], which is a limited version of the Java Runtime Environment with fewer features. We write and compile our program in Java, convert it to a Card Application (CAP) and load it to the programmable IC chip on the smart card. We implement our code with the Java Card (JC) 3.0.1 API, and it can run on all JC-compatible smart cards, but the screen API is vendor-specific.

Authorized licensed use limited to: University of Central Florida. Downloaded on June 12, 2020 at 03:02:04 UTC from IEEE Xplore. Restrictions apply.
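The sub-seed derivation of equation (2) and the refilling algorithm of Fig. 1, carried through in Python as an added worked example; this is not the authors' code and not the Java Card prototype the paper describes. The function names mirror the pseudo-code (derive_sub_seed, derive_key, private_key_to_address, refill_sub_wallet) but are this example's own. Assumptions beyond the paper: the coin index in the fixed path is 0 (Bitcoin), the "xxxx" hex digits are lowercase (the paper's one example, "0001", reads the same either way), amounts are integer satoshi so that v/n is exact, and privateKeyToAddress is a SHA-256 stand-in rather than Bitcoin's RIPEMD-160/Base58Check address encoding (RIPEMD-160 is not guaranteed in Python's hashlib). The BIP32 master-key and CKD steps are implemented from the standard the paper cites as [6] on a minimal pure-Python secp256k1 so the example runs offline, and the demo master seed is a constructed value.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve the paper cites for Bitcoin-family coins).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
# Fixed path of Fig. 1 with coin = 0 (Bitcoin) assumed; change = 1 marks the internal transfer.
SUB_WALLET_PATH = "m/44'/0'/0'/1/0"

def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def compressed_pub(k):
    x, y = ec_mul(k)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def bip32_master(seed):
    """BIP32 master key from a seed: HMAC-SHA512 keyed with "Bitcoin seed" ([6])."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_priv(k_par, c_par, index):
    """BIP32 private child key derivation, the CKD step the paper refers to."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = compressed_pub(k_par)
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    # BIP32's "IL >= n or child == 0, skip to the next index" case is omitted here.
    return (int.from_bytes(i[:32], "big") + k_par) % N, i[32:]

def derive_key(seed, path):
    """deriveKey(seed, path) of Fig. 1: walk a path such as m/44'/0'/0'/1/0."""
    k, c = bip32_master(seed)
    for element in path.split("/")[1:]:
        index = int(element.rstrip("'")) + (HARDENED if element.endswith("'") else 0)
        k, c = ckd_priv(k, c, index)
    return k

def private_key_to_address(k):
    """Stand-in for privateKeyToAddress: SHA-256 of the compressed public key
    (a real P2PKH address uses RIPEMD-160(SHA-256) plus Base58Check instead)."""
    return hashlib.sha256(compressed_pub(k)).hexdigest()[:40]

def sub_seed_label(j):
    """Key string of equation (2); lowercase hex is an assumption (paper shows "0001")."""
    return f"Sub-wallet {j:04x}"

def derive_sub_seed(master_seed, j):
    """Equation (2): subSeed = HMAC-SHA512(key="Sub-wallet xxxx", data=masterSeed)."""
    return hmac.new(sub_seed_label(j).encode(), master_seed, hashlib.sha512).digest()

def refill_sub_wallet(master_seed, n, i, v):
    """refillSubWallet(n, i, v) of Fig. 1 up to the unsigned output list.
    v is in satoshi; signing and broadcasting the transaction are not shown."""
    if v % n:
        raise ValueError("v must split equally over n outputs")
    outputs = []
    for j in range(i, i + n):  # n sub-seeds starting at index i
        s_j = derive_sub_seed(master_seed, j)
        k_j = derive_key(s_j, SUB_WALLET_PATH)
        a_j = private_key_to_address(k_j)
        outputs.append({"index": j, "address": a_j, "amount": v // n})
    return outputs

def sub_wallet_first_address(sub_seed):
    """What the sub-wallet computes once the sub-seed has been transported to it."""
    return private_key_to_address(derive_key(sub_seed, SUB_WALLET_PATH))

if __name__ == "__main__":
    demo_seed = bytes(range(32))  # constructed demo master seed, not a real wallet
    for out in refill_sub_wallet(demo_seed, n=5, i=1, v=200_000_000):
        print(out["index"], out["address"], out["amount"])
```

Running the module prints the five outputs of the Fig. 2 example (n = 5, i = 1, v = 2 BTC, so 0.4 BTC each) for the constructed seed. sub_wallet_first_address shows the property the scheme relies on: given only the transported sub-seed, the sub-wallet recomputes exactly the address the super-wallet funded, so no address ever has to enter the super-wallet from the terminal (the MITM point of Section III) and any sub-wallet can be rebuilt from the super-wallet seed alone (the backup point). The elliptic-curve arithmetic is not constant-time and is present only to keep the derivation self-contained; a wallet would use a maintained secp256k1 library.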

