Minimizing Trust in Hardware Wallets with Two Factor Signatures

Authors: Antonio Marcedone, Rafael Pass, abhi shelat
Venue: Financial Crypto'2019
Year: 2019


We introduce the notion of two-factor signatures (2FS), a generalization of a two-out-of-two threshold signature scheme in which one of the parties is a hardware token which can store a high-entropy secret, and the other party is a human who knows a low-entropy password. The security (unforgeability) property of 2FS requires that an external adversary corrupting either party (the token or the computer the human is using) cannot forge a signature.

This primitive is useful in contexts like hardware cryptocurrency wallets, in which a signature conveys the authorization of a transaction. By the above security property, a hardware wallet implementing a two-factor signature scheme is secure against attacks mounted by a malicious hardware vendor; in contrast, all currently used wallet systems break under such an attack (and as such are not secure under our definition).

We construct efficient, provably secure 2FS schemes which produce either Schnorr signatures (assuming the DLOG assumption) or EC-DSA signatures (assuming security of EC-DSA and the CDH assumption) in the Random Oracle Model, and evaluate the performance of implementations of them. Our EC-DSA based 2FS scheme can directly replace currently used hardware wallets for Bitcoin and other major cryptocurrencies to enable security against malicious hardware vendors.