LogoLogo
  • README
  • Contribute
    • Discuss on Github
  • Example
    • Banana-Powered Bitcoin Wallet Control Protocol
  • Apps
    • The deployment-info.json Specification
  • Wallet
    • Transaction Creation
    • Data Encryption and Decryption
    • Digital Signature Creation and Verification
    • Input Redemption
    • HTTP Wallet Communications Substrate
    • XDM Wallet Communications Substrate
    • Window Wallet Communication Substrate
    • Wallet Transaction Output Tracking (Output Baskets)
    • Submitting Received Payments to a Wallet
    • Certificate Creation and Revelation
    • Unified Abstract Wallet-to-Application Messaging Layer
    • Transaction Labels and List Actions
    • Output Basket Removal and Certificate Deletion
    • Group Permissions for App Access
    • Extensible Proof-Type Format for Specific Key Linkage Claims
    • P Protocols: Allowing future wallet protocol permission schemes
    • P Baskets: Allowing Future Wallet Basket and Digital Asset Permission Schemes
    • Unified, Vendor-Neutral, Unchanging, and Open BSV Blockchain Standard Wallet-to-Application Interface
  • Transactions
    • Everett-style Transaction Envelopes
    • Simplified Payment Verification
    • Merkle proof standardised format
    • TSC Proof Format with Heights
    • Raw Transaction Format
    • TXO Transaction Object Format
    • Transaction Extended Format (EF)
    • Merkle Path JSON format
    • Compound Merkle Path Format
    • Background Evaluation Extended Format (BEEF) Transactions
    • Simplified Payment Verification
    • Merkle Path Binary Format
    • BSV Unified Merkle Path (BUMP) Format
    • Graph Aware Sync Protocol
    • Scalable Transaction Processing in the BSV Network
    • Atomic BEEF Transactions
    • BEEF V2 Txid Only Extension
  • Scripts
    • Bitcoin Script Binary, Hex and ASM Formats
    • Bitcoin Script Assembly Language
    • Pay to Public Key Hash
    • Pay to R Puzzle Hash
    • Pay to False Return
    • Pay to True Return
    • Push TX
    • Bare Multi-Signature
    • Pay to Push Drop
  • Tokens
    • There is no BRC-20
    • Definition of UTXOs as Bitcoin Tokens
    • Token Exchange Protocol for UTXO-based Overlay Networks
    • Mandala Token Protocol
  • Overlays
    • Overlay Network Data Synchronization
    • Confederacy Host Interconnect Protocol (CHIP)
    • Overlay Network Lookup Services
    • Confederacy Lookup Availability Protocol (CLAP)
    • Universal Hash Resolution Protocol
    • Overlay Network Transaction History Tracking
    • Private Overlays with P2PKH Transactions
    • Standardized Naming Conventions for BRC-22 Topic Managers and BRC-24 Lookup Services
    • Overlay Services Synchronization Architecture
    • Diverse Facilitators and URL Protocols for SHIP and SLAP Overlay Advertisements
  • Payments
    • Direct Payment Protocol (DPP)
    • Paymail Payment Destinations
    • Simple Authenticated BSV P2PKH Payment Protocol
    • PacketPay HTTP Payment Mechanism
    • Hybrid Payment Mode for DPP
    • HTTPS Transport Mechanism for DPP
    • Paymail BEEF Transaction
    • HTTP Service Monetization Framework
  • Peer-to-Peer
    • Authrite Mutual Authentication
    • PeerServ Message Relay Interface
    • PeerServ Host Interconnect Protocol
    • Identity Certificates
    • Genealogical Identity Protocol
    • Publishing Trust Anchor Details at an Internet Domain
    • Message Signature Creation and Verification
    • Serialization Format for Portable Encrypted Messages
    • Defining a Scalable IPv6 Multicast Protocol for Blockchain Transaction Broadcast and Update Delivery
    • Proven Identity Key Exchange (PIKE)
    • Peer-to-Peer Mutual Authentication and Certificate Exchange Protocol
    • HTTP Transport for BRC-103 Mutual Authentication
  • Key Derivation
    • BIP32 Key Derivation Scheme
    • BSV Key Derivation Scheme (BKDS)
    • Security Levels, Protocol IDs, Key IDs and Counterparties
    • Admin-reserved and Prohibited Key Derivation Protocols
    • Revealing Key Linkages
    • Protecting BRC-69 Key Linkage Information in Transit
    • Mnemonic For Master Private Key
    • Linked Key Derivation Scheme
    • Bidirectionally Authenticated Derivation of Privacy Restricted Type 42 Keys
    • Limitations of BRC-69 Key Linkage Revelation
    • Verifiable Revelation of Shared Secrets Using Schnorr Protocol
  • Outpoints
    • Format for Bitcoin Outpoints
    • Spending Instructions Extension for UTXO Storage Format
  • Opinions
    • Users should never see an address
    • List of user experiences
    • Legitimate Uses for mAPI
    • Security and Scalability Benefits of UTXO-based Overlay Networks
    • Improving on MLD for BSV Multicast Services
    • Web 3.0 Standard (at a high level)
    • Thoughts on the Mandala Network
    • Outputs, Overlays, and Scripts in the Mandala Network
  • State Machines
    • Simplifying State Machine Event Chains in Bitcoin
Powered by GitBook
On this page
  • Abstract
  • Motivation
  • Specification
  • Overview
  • Entities
  • Notation
  • Protocol Steps
  • Security Analysis
  • Key Points
  • Implementation
  • Integration with BRC-69 and BRC-72
  • Security Considerations
  • Conclusion
  • References

Was this helpful?

Edit on GitHub
Export as PDF
  1. Key Derivation

Verifiable Revelation of Shared Secrets Using Schnorr Protocol

PreviousLimitations of BRC-69 Key Linkage RevelationNextFormat for Bitcoin Outpoints

Last updated 6 months ago

Was this helpful?

Ty Everett (ty@projectbabbage.com)

Abstract

This BRC presents a solution to the limitations identified in concerning Method 1 of key linkage revelation. The proposed method utilizes a Schnorr-based zero-knowledge proof (ZKP) scheme to enable provers to reveal a shared secret between their identity key and a counterparty's key while allowing verifiers to independently confirm its validity without accessing private keys. This approach ensures trustless verification of shared secrets, enhancing the security and practical utility of key linkage revelations in privacy-preserving systems.

Motivation

aims to provide methods for revealing key associations under the key derivation scheme. However, as highlighted in , Method 1 suffers from a critical limitation: verifiers cannot confirm the authenticity of the revealed shared secret without knowing the private keys of the prover or counterparty. This dependency undermines the trustless nature of the system and limits its applicability in scenarios requiring independent verification.

To address this issue, we propose leveraging a Schnorr-based zero-knowledge proof scheme. Schnorr protocols are well-known for allowing one party to prove knowledge of a secret (e.g., a private key) without revealing it, and they can be adapted to prove the correctness of a shared secret computation. By employing this cryptographic technique, we can enable verifiers to confirm that the prover knows the private key corresponding to their public key and has correctly computed the shared secret with the counterparty's public key, all without revealing any private keys.

This solution restores the trustless verification capability of Method 1, enhancing the overall security and practicality of key linkage revelations in the BSV ecosystem.

Specification

Overview

The proposed method allows a prover to generate a zero-knowledge proof demonstrating that:

  • They possess the private key corresponding to their public key A.

  • They have correctly computed the shared secret S with the counterparty's public key B.

The verifier can then use this proof to confirm the validity of the shared secret S without access to any private keys.

Entities

  • Prover: The entity revealing the shared secret and proving its correctness.

  • Verifier: The entity verifying the authenticity of the shared secret.

  • Counterparty: The other party involved in the shared secret computation.

Notation

  • Let a be the prover's private key.

  • Let A = a * G be the prover's public key.

  • Let B be the counterparty's public key.

  • Let S = a * B be the shared secret computed by the prover.

  • Let n be the order of the elliptic curve group.

  • Let G be the generator point of the elliptic curve.

  • Let r be a random nonce chosen by the prover.

  • Let R = r * G be the prover's nonce public key.

  • Let S' = r * B be the nonce shared secret.

  • Let e be the challenge scalar computed via a hash function.

  • Let z be the prover's response scalar.

Protocol Steps

Prover Side

  1. Compute the Shared Secret:

    • Compute S = a * B.

  2. Choose a Random Nonce:

    • Select a random nonce r from [1, n-1].

  3. Compute Nonce Public Key and Nonce Shared Secret:

    • Compute R = r * G.

    • Compute S' = r * B.

  4. Compute the Challenge:

    • Compute e = H(A || B || S || S' || R) mod n, where H is a cryptographic hash function (e.g., SHA-256), and || denotes concatenation.

  5. Compute the Response Scalar:

    • Compute z = (r + e * a) mod n.

  6. Provide the Proof:

    • Send the proof consisting of (R, S', z) to the verifier.

Verifier Side

  1. Compute the Challenge:

    • Compute e = H(A || B || S || S' || R) mod n.

  2. Verify the Proof:

    • Verify that z * G = R + e * A.

    • Verify that z * B = S' + e * S.

    Both equations must hold true for the proof to be valid.

Security Analysis

  • Zero-Knowledge Property: The proof does not reveal the prover's private key a or the random nonce r, preserving the confidentiality of sensitive information.

  • Unforgeability: Without knowing the prover's private key, it is computationally infeasible for an attacker to produce a valid proof.

  • Trustless Verification: Verifiers can independently confirm the correctness of the shared secret S without accessing any private keys.

Key Points

  • The prover demonstrates knowledge of a and the correct computation of S without revealing a.

  • The verifier uses only public information and the proof to validate the shared secret.

  • The use of cryptographic hash functions ensures that e is unpredictable and unique for each proof, preventing replay attacks.

Implementation

Integration with BRC-69 and BRC-72

  • Revelation Payload: The prover includes the shared secret S and the proof (R, S', z) in the payload sent to the verifier.

  • Verification: The verifier uses the prover's public key A, the counterparty's public key B, the shared secret S, and the proof to verify the authenticity of the shared secret without requiring any private keys.

Security Considerations

  • Random Nonce Security: The nonce r must be securely generated using a cryptographically secure random number generator to prevent nonce reuse attacks.

  • Hash Function Collision Resistance: The hash function H used in computing the challenge e should be collision-resistant (e.g., SHA-256).

  • No Private Key Exposure: At no point are private keys a or r exposed to the verifier or any third party.

Conclusion

References

See .

Encryption: As per , the payload can be encrypted using to ensure confidentiality during transit.

By incorporating a Schnorr-based zero-knowledge proof protocol, we provide a solution to the limitations identified in for Method 1 of . This method allows provers to reveal shared secrets while enabling verifiers to independently confirm their validity without accessing private keys. This enhancement restores trustless verification capabilities, strengthening the security and practicality of key linkage revelations in privacy-preserving applications within the BSV blockchain ecosystem.

BRC-93
BRC-69
BRC-69
BRC-42
BRC-93
Schnorr.ts
BRC-72
BRC-2
BRC-93
BRC-69
BRC-42: BSV Key Derivation Scheme (BKDS)
BRC-43: Security Levels, Protocol IDs, Key IDs and Counterparties
BRC-69: Revealing Key Linkages
BRC-72: Protecting BRC-69 Key Linkage Information in Transit
BRC-93: Limitations of BRC-69 Key Linkage Revelation
Schnorr, C.P. "Efficient signature generation by smart cards". Journal of Cryptology, 1991.
Bitcoin Improvement Proposal 340 (BIP-340): Schnorr Signatures for secp256k1