Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Armory
Author

Topic: Armory Homomorphic encryption explanation (Read 2454 times)

etotheipi
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Armory Homomorphic encryption explanation
May 15, 2013, 11:29:03 AM
#5
Quote from: oakpacific on May 15, 2013, 11:16:01 AM
As long as the chaincode remains secret, the quantum computer resistance of unreused addresses will not be weakened, right?

That's correct.  The terminology I use is that the chaincode is "sensitive" but not "private".  Meaning, that you shouldn't make your chaincode public, but in the absence of QCs, it's just a breach of privacy, not security (people can now see all your wallet transactions, but cannot spend your coins).   If QCs are around, that's a whole different story -- in that case the chaincode would need to be kept securely, though the Bitcoin protocol would be changing to QC-resistant algos, and all this discussion about it is probably moot.
DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: Armory Homomorphic encryption explanation
May 15, 2013, 11:25:06 AM
#4
OP should retitle the topic as it is misleading, I thought Armory was doing some experimentation in HE.  As pointed out neither Armory nor any Bitcoin related software uses homomorphic encryption. 

oakpacific
hero member
Activity: 784
Merit: 1000
Re: Armory Homomorphic encryption explanation
May 15, 2013, 11:16:01 AM
#3
Quote from: etotheipi on May 15, 2013, 09:41:40 AM
Armory will be upgrading to BIP32, but at the moment it uses it's own homegrown version of "Type 2" deterministic wallets.  After all, it was the first application to implement them, so I couldn't really have followed any standard Smiley  But it's not homomorphic encryption.  Homomorphic encryption is pretty neat and enables some pretty cool capabilities, in general, but I haven't thought about whether it could be useful for Bitcoin.   I bet, if we upgraded the scripting environment, we could find something interesting, but I'm not sure how useful it would be.  It would certainly be a fun discussion to have...

For reference, Armory's wallet chain together like this:

Code:
PrivKey[0] = Random(32)
Chaincode  = Random(32)
PubKey[0]  = Priv2Pub(PrivKey[0])

Then

Code:
PrivKey[i+1] = (hash256(PubKey[i]) XOR chaincode) * PrivKey[i]
 PubKey[i+1] = (hash256(PubKey[i]) XOR chaincode) *  PubKey[i]

Where the multiplication (*) is scalar-multiplication-mod-N in the first line, and it's elliptic-curve-point-mult-by-scalar on the second line.  The magic of elliptic curve math is that if N is equal to the number of points on the elliptic curve, then you end up with matching private and public keychains on both sides.

I had actually been meaning to document this precisely somewhere.  I guess this was my excuse.

As long as the chaincode remains secret, the unreused deterministic addresses will have the same kind of quantum computer resistance as the non-deterministic ones, right?
etotheipi
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
Re: Armory Homomorphic encryption explanation
May 15, 2013, 09:41:40 AM
#2
Armory will be upgrading to BIP32, but at the moment it uses it's own homegrown version of "Type 2" deterministic wallets.  After all, it was the first application to implement them, so I couldn't really have followed any standard Smiley  But it's not homomorphic encryption.  Homomorphic encryption is pretty neat and enables some pretty cool capabilities, in general, but I haven't thought about whether it could be useful for Bitcoin.   I bet, if we upgraded the scripting environment, we could find something interesting, but I'm not sure how useful it would be.  It would certainly be a fun discussion to have...

For reference, Armory's wallet chain together like this:

Code:
PrivKey[0] = Random(32)
Chaincode  = Random(32)
PubKey[0]  = Priv2Pub(PrivKey[0])

Then

Code:
PrivKey[i+1] = (hash256(PubKey[i]) XOR chaincode) * PrivKey[i]
 PubKey[i+1] = (hash256(PubKey[i]) XOR chaincode) *  PubKey[i]

Where the multiplication (*) is scalar-multiplication-mod-N in the first line, and it's elliptic-curve-point-mult-by-scalar on the second line.  The magic of elliptic curve math is that if N is equal to the number of points on the elliptic curve, then you end up with matching private and public keychains on both sides.

I had actually been meaning to document this precisely somewhere.  I guess this was my excuse.
wingsuit
member
Activity: 64
Merit: 10
2100 trillion sats baby
Re: Armory Homomorphic encryption explanation
May 15, 2013, 06:04:13 AM
#1
Can you give a very brief explanation of the deterministic wallet in Armory, specifically how it achieves public key generation without needing the private keys.

Also your thoughts on how this quote relates to Armory -- 'Visions of a fully homomorphic cryptosystem have been dancing in cryptographers' heads for thirty years. I never expected to see one. It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure.' Bruce Schneier

EDIT: Okay I see that this is discussed here https://en.bitcoin.it/wiki/BIP_0032.
Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Armory
Jump to: