Greetings All,
With regard to cryptocurrency, we always assume that whatever we type or view on our computers is being remotely viewed by attackers. That’s why almost all of us use a hardware wallet such as a Trezor or Ledger Nano S. The screens on these devices cannot be remotely viewed because they are completely isolated from the host computer.
So we have a very secure way to send secret messages to our blockchains
But what about encrypted messages such as a the location of a secret meeting, or the code to disarm your perimeter defense system, or perhaps a secret cake recipe? For these types of messages we typically use our computers which are subject to remote viewing. This makes no sense to me. If I am going to compose an encrypted message on a device which can be viewed remotely, then what’s the point of bothering to encrypt anything. An attacker doesn’t need to break the encryption, all the attacker needs to do is remotely view what the sender is writing or what the recipient is reading on their computer. This is obviously true because if it wasn’t then we wouldn’t need hardware wallets to send our high value messages.
This was such a concern for me that I built an airgapped device (The Private Key Vault) for reading and writing secret messages. The idea was that messages are written and read from behind the airgap where remote viewing is not possible. This was a fun exercise but it was not very practical because I am the only person on the planet with one of these devices. So I can only securely send secret messages to myself.
Recently the idea came to me that most everyone I want to message with privately has a hardware wallet. So I am imagining something like the following:
Using a wallet application like Eternl, I enter the address of the recipient.
The address is used as the public key which will be used by the hardware wallet to encrypt the message.
Then I press the button on the Eternl application to sign the transaction.
Then the hardware wallet allows me to key in a secret message.
Keying in the message will be tedious with only two buttons to work with but if the message is of high value then the extra work will be worth the effort.
Then the message is encrypted with the recipient’s public key (their address) and then signed with your private key on the hardware wallet to pay for the transaction.
Then the transaction is posted to the Cardano blockchain.
The recipient then sees the transaction in their Eternl wallet but can not read it because Eternl does not have their private key - that’s in the recipients hardware wallet.
So in order to read the message, Eternl must send the message to the hardware wallet where it can be decrypted and viewed with out any chance that the message is being remotely viewed.
I would appreciate any thoughts about the idea.
Is this already being done?
Would the recipients address actually work as the public key?
What organizations would need to cooperate in order to make this work?
Ledger? Trezor? Intersect? IOG? Eternl? Others?
What am I missing that makes this impossible?
What part if any could smart contracts play in this process?
Other ideas?
Not necessarily true. Just because I consider a malware targeting cryptocurrencies (or a supply chain hack on a software wallet) somewhat possible, maybe even likely, I don’t assign the same likelihood to an attack on arbitrary personal secrets.
No, we don’t. Transactions are signed, but not encrypted. There is nothing secret about messages on blockchains.
Just because some attacker might have access to my computer, doesn’t mean that any arbitrary attacker has. And they rarely target people specifically and individually. In order to be profitable, their attacks have to scale to hundreds and thousands of people. They don’t effing care for you personally, they target your wallet app for your cryptocurrency on your operating system if all of them are relevant enough, if there are hundred thousands of users, so that they have enough targets that they could potentially get.
This has three problems:
On Cardano, the address is not the full public key, just the hash of the public key. You would have to have another channel to exchange full public keys. (If there already was a payment from the address, the public key can be found somewhere on-chain in the witness set.)
Even if you use one of the algorithms that basically use the same keys as “our” Cardano signature algorithm hinted to in the StackExchange answer above (or the scheme specified in https://cips.cardano.org/cip/CIP-0008#public-key-based-encryption), those are all not implemented in the hardware wallets up to now. You can’t do that with Ledger, Trezor, or Keystone as is.
We would first have to agree on which of the various schemes to do encryption with Ed25519 signature key pairs we want to use at all and then convince the hardware wallet vendors to implement that.
Thanks @HeptaSean,
I really appreciate your response.
Yes, I see your point. The transaction is signed (encrypted) with the private key and decrypted with the public key which everyone has access to. So we know for sure who signed the message but anyone can decrypt it. So it’s not secret. Please let me know if I still failed to understand.
While I am very grateful that you pointed out my misunderstanding, that point doesn’t affect the viability of the idea because I suggested using the recipients address as the public key when encrypting the message. If I understand correctly, a message encrypted with the public key can only be decrypted with the private key on the recipient’s hardware wallet. So the idea is still alive at this point but may be dead on your next point.
Great! There is still hope! If I want to get paid I will send someone my address via email. So if I want to receive a secret message then I can send my public key via email. I see that Eternl will give me access to the public key in three different flavors.
Ok, so this is where the fun stops for now. The manufacturers would have to be convinced that their customers want the ability to compose and read secret messages from behind an airgap using a hardware wallet to eliminate the possibility of attackers seeing the message by remotely viewing what is on the computer screen or by remotely installing key loggers on their computers.
Most wallets generate a root private key and then derive new payment and stake private keys from this root key using a “derivation path”. Wallets don’t re-use these keys but instead continue to derive new ones. Here are a couple of references:
The public key is derived from the private key using the asymmetric key cryptology and the address is a hash of the public key.
As @HeptaSean said, only the public key hash is available on-chain initially but once funds are spent from that particular address the public key that was supplied for that transaction is now on-chain. When the user stakes his Ada it would be a reasonable assumption that he paid for that staking transaction using one of his own wallet keys, since the wallets make it easy to stake this way. Therefore you could send messages to the public key that paid for the staking transaction.
As a side note:
The reasoning behind this design (single use derived keys and only storing the hash of public key on-chain) seems to stem from the hashing algorithm being considered quantum resistant whereas the reverse derivation of a private key from a public key considered not so (for elliptic curve ciphers). Therefore if you always use a newly derived address for every deposit, which most wallet apps provide automatically, then your Cardano funds will hopefully remain “SAFU” after quantum computers are developed.
Unfortunately, many exchanges tend to encourage users to store a single withdrawal address for reuse. For example Kraken requires the user to verify the withdrawal address via 2 factor authentication as well as by email before it is saved to their account. But once saved this address can be withdrawn to over and over without further confirmation. If users do reuse this withdrawal address then they are effectively working around this quantum resistance benefit.
Thanks @Terminada!
Appreciate the advice for increasing quantum resistance and the details on how the public key is generated.
I see on Eternl’s SEND tab, there is an option for on-chain encrypted messaging.
I am not sure how that works yet.
I am exploring that now.
I will report back here when I know more.
My hope is that this option can be use with a hardware wallet or a least we can make a case to Eternal and to the Hardware manufacturers supporting the value of being able to compose secret messages on a hardware wallet and to ensure that the recipient reads the message on a hardware wallet where keyloggers can not go and where remote viewing is not possible.
When you activate it, you get to choose a password and the content is only encrypted with that password. Everyone who knows the password can decrypt. And it is done in software and cannot be done on a hardware wallet (until they implement something for it).
Much thanks @HeptaSean!
I see that we can submit feature requests on the Eternl GitHub repository.
I will make my case to them using all the information you have provided.
Thanks for all your help!
I just checked Eternl and Lace and you are correct these both use single-address mode it seems. However, Yoroi and Daedalus generate a new key pair and address. I wonder why Lace doesn’t employ this feature. It seems that good old Yoroi might be better in this regard.
Do you know if you can configure Eternl to generate new key pairs + addresses?
I assume you know elliptic curve keys are not considered quantum resistant, but question what evidence there is that the blake2b hash is quantum resistant? I am certainly no cryptology expert but I have read such arguments in the past. This is what I found googling just now:
… which is remarkably dumb given that all addresses are connected by the stake part.
(I’m flabbergasted that they still give their users that very, very false sense of privacy even after their complete rework of the user interface. That was always false since Shelley. Plus: Even without stake part, the privacy gains are not that stable. That addresses belonging to the same wallet can be identified quite successfully by looking at the transaction patterns has been shown for Bitcoin – which also uses this “always new address” thing … mostly.)
Achieving “quantum resistance” by this obfuscation by a hash, does not really help that much. If we assume that Ed25519 is not safe anymore:
We still have a problem with our stake key pairs. The public key has to be revealed when registering the stake key. Attackers can then always withdraw anyone’s rewards and redelegate everyone to malicious pools all the time.
Exchanges and other whales do use single addresses. Top five:
As a paper on the quantum resistance of Bitcoin https://arxiv.org/abs/1710.10377 points out: Even if addresses/keys are only used once, attackers could try to block transactions that spend (and thereby reveal the public key) long enough to replace them with malicious transactions after quantum-cracking the private key.
There are much more relevant targets if Ed25519 should be broken than Cardano or other cryptocurrencies. Just attack the SSH connections to all the pools’ servers?
Cardano should probably just move to a quantum-resistant signature scheme in the coming years. NIST just published the first standards two weeks ago: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards Interesting problem will be what to do with dormant wallets that won’t follow an update. Other problem is that completely changing the cryptography is not on the roadmap as far as I could see.
thanks @HeptaSean - I’ve posted that in a (currently stalled) attempt to formulate a CIP for this:
… and in the related issue, I believe suggesting Cardano needs a CPS (problem definition) rather than a CIP (practical, immediate solution) on the subject:
