4

I'm looking for a way for a single individual to sign or otherwise provide proof of ownership of two private keys from keypairs $A$ & $B$.

Simultaneous ownership is important. Alice can't do part of the proof with $A$, then pass the proof to Bob to finish with $B$. The proof requires both keys in a single step. E.g. Signing a message with $A$ then $B$ does not work, as this work could be split between two actors.

Both $A$ & $B$ keypairs are normal, independent keypairs. I.e. this isn't about splitting a single private key into multiple parts to be reconstructed.

Any hints are appreciated, though eventually I'd want to implement this using RSA or ECDSA.

Update: Some further boundaries:

  • This doesn't have to be a single step, or a single signature. As long as it can't be colluded on by two parties without exposing their private keys, any process is acceptable.
Ievgeni
AlexHeeton

2 Answers

4

Alice has the (private, public) EC key pair $(a, A=aG)$, and Bob has $(b, B=bG)$.

Let's say that Alice starts the signature, and gives it to Bob to complete (or somehow collaborates with Bob to complete it). This would mean that either:

  1. You need to ensure that whatever Alice gives to Bob will reveal $a$ to Bob, with no possible way for any scheme to be devised that would prevent Bob from learning $a$ through some form of blinded collaboration.

  2. The signature is not zero-knowledge, and will reveal one of the private keys to the holder of the other private key.

An easy way to achieve option 2 would be to provide a signature by either $A$ or $B$, and to include the value $d=a-b$. A verifier can easily check that $dG\overset{?}{=}A-B$. This means that knowledge of $d$ would allow someone with knowledge of either $a$ or $b$ to recover the value of $b$ or $a$ respectively.

Normally, Alice would not want anyone else to know $d$, as certain signature schemes that do not properly bind to the intended public key would be malleable by someone that wanted to make a signature signed by $A$ look like it was actually signed by $B$. But, this can be avoided as long as the signature scheme is secure against this attack, and this threat may not matter if it is public knowledge that $A$ and $B$ are owned by the same person.

Since this is not a zero-knowledge proof, there is the risk that knowledge of $d$ could have adverse consequences in certain scenarios that I have not imagined.

knaccc
1

One solution for the ECDSA case is to have the owner sign with the key $a+b$ (that is, adding the private keys together mod the order of the curve).

This is straightforward to verify since the public key is also $A+B$ (that is, adding the public keys together).

Aman Grewal
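The key relations the two answers rely on, $dG = A - B$ and $(a+b)G = A + B$, worked through as an added example that is not part of either answer. It assumes the secp256k1 curve and constructed sample private keys; the function names are hypothetical, and no signature scheme is implemented, only the public-key checks a verifier would run.

```python
# Added illustration: toy secp256k1 arithmetic, not constant-time, not for production.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def verify_difference(d, A, B):
    """Verifier's check from the first answer: dG == A - B."""
    return mul(d, G) == add(A, neg(B))

def recover_a(d, b):
    """The holder of b who sees d learns a = d + b (mod n)."""
    return (d + b) % N

def combined_public_key(A, B):
    """Key the second answer's signature verifies under: A + B = (a+b)G."""
    S = add(A, B)
    if S is None:  # a + b = 0 mod n: there is no usable combined key
        raise ValueError("A + B is the point at infinity")
    return S

# Constructed sample private keys (assumptions for the demo, not from the page).
a, b = 0x1234567890ABCDEF, 0x0FEDCBA987654321
A, B = mul(a, G), mul(b, G)
d = (a - b) % N
print(verify_difference(d, A, B), recover_a(d, b) == a,
      combined_public_key(A, B) == mul(a + b, G))
```
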