APP下载

Blockchain-Based Key Management Scheme Using Rational Secret Sharing

2024-05-25XingfanZhaoChanggenPengWeijieTanandKunNiu

Computers Materials&Continua 2024年4期

Xingfan Zhao ,Changgen Peng,,⋆ ,Weijie Tan and Kun Niu

1State Key Laboratory of Public Big Data,College of Computer Science and Technology,Guizhou University,Guiyang,550025,China

2Guizhou Big Data Academy,Guizhou University,Guiyang,550025,China

ABSTRACT Traditional blockchain key management schemes store private keys in the same location,which can easily lead to security issues such as a single point of failure.Therefore,decentralized threshold key management schemes have become a research focus for blockchain private key protection.The security of private keys for blockchain user wallet is highly related to user identity authentication and digital asset security.The threshold blockchain private key management schemes based on verifiable secret sharing have made some progress,but these schemes do not consider participants’self-interested behavior,and require trusted nodes to keep private key fragments,resulting in a narrow application scope and low deployment efficiency,which cannot meet the needs of personal wallet private key escrow and recovery in public blockchains.We design a private key management scheme based on rational secret sharing that considers the self-interest of participants in secret sharing protocols,and constrains the behavior of rational participants through reasonable mechanism design,making it more suitable in distributed scenarios such as the public blockchain.The proposed scheme achieves the escrow and recovery of personal wallet private keys without the participation of trusted nodes,and simulate its implementation on smart contracts.Compared to other existing threshold wallet solutions and key management schemes based on password-protected secret sharing(PPSS),the proposed scheme has a wide range of applications,verifiable private key recovery,low communication overhead,higher computational efficiency when users perform one-time multi-key escrow,no need for trusted nodes,and personal rational constraints and anti-collusion attack capabilities.

KEYWORDS Blockchain;smart contract;rational secret sharing;key management

1 Introduction

Key Escrow [1] refers to the storage of decryption keys in a key escrow system (also known as a key recovery system),and in some cases,authorizes third parties to access these keys,which is a key management mechanism for statutory escrow agency.Government and law enforcement agencies’needs to access encrypted data and recover commercial data have made key escrow a popular research topic in the 1990s [2].Key Escrow faces two challenges: the trust level of the key escrow agent and the ability to protect the keys [3].It is easy for a single key escrow party to collaborate with illegal organizations to obtain confidential data,facing widespread user doubts.A single key escrow node also faces the risk of a single point of failure.Therefore,split key escrow has gradually become a new direction for the development of key escrow[4].In this stage,Shamir[5]proposed partial key escrow for DES keys,Lenstra et al.[6]proposed a time-constrained key escrow system,and Micali et al.[7]proposed shared random functions and key escrow schemes.However,based on Shamir[8]and Blakley[9],independently proposed the concept of key dispersed management,using threshold secret sharing as the representative threshold cryptography as the theoretical basis,comprehensively considering the security and implementation difficulty of the scheme,studying threshold key escrow schemes has become the main trend of key split escrow.Therefore,the key to designing a threshold key escrow scheme that meets actual needs lies in studying and developing corresponding threshold secret sharing technology.

Shamir’s threshold secret sharing and other early-stage secret sharing schemes assumed that the secret distributor and participants were honest without considering deceptive behavior.In response,Chor et al.[10] proposed the concept of verifiable secret sharing (VSS),which added a verification algorithm to the traditional secret sharing scheme.However,this scheme required an interactive process,resulting in low efficiency.Bai et al.[11]proposed a verifiable quantum secret sharing scheme based on d-dimensional Greenberger-Horne-Zeilinger(GHZ)state and analyzed its security against three main quantum attacks:interception retransmission attack,entanglement measurement attack,and honest participant attack.Gentry et al.[12] proposed a non-interactive public verifiable secret sharing(PVSS)scheme for large-scale distributed networks,which can be extended to have hundreds or even thousands of participants to support secure computing in large-scale distributed systems.However,these VSS schemes only consider honest participants and suspected fraudulent participants,without considering the motivations and benefits of each participant.For large-scale institutions like governments or enterprises,key escrow participants are usually bound by political orders,business contracts,and other forms of compulsion,which do not need to consider the self-interested behavior of each participant in the threshold key escrow scheme.Whereas,for online distributed systems like blockchain that target a large number of network users,the traditional threshold key escrow scheme does not have such constraints,resulting in participants who do not upload or upload false key shares still being able to obtain reconstructed keys.

Halpern et al.[13] considered the selfish behavior of participants and introduced Game theory to secret sharing and secure multi-party computation.They proposed a rational cryptographic protocol represented by rational secret sharing and rational secure multi-party computation for the first time.However,traditional rational secret sharing schemes rely on synchronous communication environments and cannot be applied to distributed systems such as blockchains with asynchronous communication.Kol et al.[14] used cryptographic techniques such as oblivious transfer and secure multi-party computation to construct the first rational secret sharing scheme suitable for asynchronous communication.In addition,Zhang et al.[15]introduced rational cryptography into quantum secret sharing research and proposed a rational quantum secret sharing scheme based on GHZ states,which was implemented on the IBM quantum computer[16].

The wide application of blockchain and smart contracts in the Internet of Things has enabled the fulfillment of resource sharing and automated transactions without trusted centers [17].The public key cryptography technology widely used in blockchain is highly related to the security of user private keys,user asset security,data security,and identity certification security.As there is no trusted third party in the blockchain system,individuals need to locally store their private keys.Once the device where the private key is stored is lost,data is damaged,or even hacked by hackers,it will lead to the loss or leakage of user data and assets.In this context,blockchain private key escrow solutions based on threshold key management technology have become a research hotspot for blockchain private key protection.However,the currently proposed key management schemes for blockchain private key recovery still adopt traditional VSS technology,without considering the rational self-interest behavior of the escrow users[18];the successfully implemented rational secret sharing schemes on blockchain require the secret sharing participants to deliver deposits in advance[19].These schemes do not meet the individual rational constraint in mechanism design,limiting the application and promotion of corresponding blockchain threshold key escrow design.The main contributions of this paper are as follows:

We proposed a threshold multi-key escrow management scheme that satisfied individual rational constraints and incentive compatibility: We first designed a reputation mechanism for participants during the key reconstruction phase with the process of uploading and verifying private key fragments and reporting.Then,according to the ratio of contribution to promote the cooperation and behavioral norms of blockchain users,we also proposed a benefit distribution mechanism that relied on a fair process of cooperative gaming.

We constructed the whole multi-key escrow and reconstruction process based on verifiable random functions(VRF)and analyzed and demonstrated the collusion resistance,security verification ability,incentive compatibility and individual rational constraints of the threshold key escrow scheme through utility function analysis.We also compared it with existing blockchain recoverable key management schemes.

We used the smart contracts to complete a multi-wallet key escrow simulation,demonstrating the ability of the scheme to manage wallet keys in Ethereum.We analyzed the performance and costs of the scheme,providing possibilities for achieving a distributed rational key management system for blockchain.

2 Related Work

2.1 Blockchain and Smart Contract

Nakamoto et al.[20] proposed Bitcoin,a virtual encrypted currency,and the blockchain transaction structure using Proof of Work and timestamp construction in 2008,which marked the birth of decentralized blockchain technology.Blockchain combines with cryptographic technology ensures traceability,immutability,non-repudiation,and non-counterfeiting of transactions,supporting data security sharing and large-scale collaborative computing,protecting user identity and confidential data privacy,and is suitable for high-privacy and secure distributed application scenarios.Traceability refers to the recording of transaction changes in a blockchain in chronological order,immutability and non-repudiation refer to the inability to modify and deny data written into a blockchain,and non-counterfeiting refers to the inability to forge transactions that can be verified by miners and the entire transaction change record.Blockchain uses hash functions,digital signatures,and distributed consensus fault tolerance to increase the difficulty and cost of attackers falsifying,forging,and denying data operations,enhancing data security.

Szabo proposed the smart contract,which is a computerized transaction protocol for executing contract terms[21].In the context of blockchain,smart contracts serve as scripts on blockchain and are stored on the blockchain.As smart contracts are located on the blockchain,they have their unique addresses.We trigger their execution by sending transactions to their addresses.Subsequently,smart contracts will be executed independently and automatically on every node in the network according to the data contained in the triggered transaction.Smart contracts on blockchain possess uniqueness,transparency,predictability,and monitoring and tracking capabilities,and have fostered the concept of a decentralized autonomous organization,allowing blockchain to achieve general computing among users without a trusted central node’s supervision [17].Raj et al.[22] proposed a blockchain smart contract scheme for supply chain management,which replaces the trust intermediary with smart contracts,shortens the payment process,reduces the communication cost,and improves the supply chain transaction efficiency.

2.2 Research on the Security of Blockchain Wallet and Threshold Key Escrow

Blockchain digital wallets provide users with a convenient way to manage private and public keys,while also enabling them to complete digital asset transfers and transactions,and record details of all transactions.The security of the wallet directly relates to the user’s asset security.The comparison of various blockchain key management schemes is shown in Table 1.The existing common wallet solution types include software wallets[23],hardware wallets[24],and custodial wallets[25],but they all have security risks in terms of centralized private key storage.To address these issues,decentralized secure threshold wallet schemes have emerged,which can split private keys into multiple parts and store them on different nodes,thereby achieving distributed storage and protection of private keys,while also allowing private keys to be restored.Therefore,this secure threshold wallet scheme is considered an effective protection plan.

Table 1: Comparison of various blockchain key management schemes

A threshold secret sharing-based threshold signature wallet scheme such as[26]does not support the escrow and recovery of personal user wallet private keys,while a threshold wallet management scheme that meets the needs of personal key escrow and recovery,such as [18],is only applicable to consortium blockchain applications,which requires trusted central nodes and identity authentication mechanisms.In addition,the aforementioned threshold wallet schemes have not taken into account the rational self-interest behavior of participants,resulting in high costs and limited applicability,which cannot be satisfied to the safe escrow needs of public blockchain user wallet keys such as Ethereum.Therefore,designing a private key escrow smart contract based on rational secret sharing is beneficial for achieving the escrow and recovery of public blockchain user private keys in an environment without trusted nodes.

3 Preliminaries

3.1 Bilinear Mapping

Definition 1:Let G1and G2be the additive cyclic group and multiplicative cyclic group of a prime number p,respectively,let g be a generator of G.The mapping e:G1×G1→G2is bilinear if it satisfies the following properties:

1)Bilinearity:For any m,n∈G1and a,b∈,exists e=e(m,n)ab.

2)Non-degeneracy:e(g,g)1.

3)Computability:There exists an efficient algorithm to compute e(m,n)for any m,n∈G1.

Definition 2:Elliptic Curve Discrete Logarithm Problem(DCELP):Given an elliptic curve E defined over a finite field Fp,with a base point P∈of order n.Q∈Ewhere Q=IP,I∈n,itis difficult to compute I.

Definition 3:Computational Diffie-Hellman(CDH)Given aP,bP,cP∈G1,it is difficult to compute abP for any a,b∈ZP∗.

Definition 4:Bilinear Diffie-Hellman Problem Given aP,bP,cP∈G1,it is difficult to compute e(P,P)abc for any a,b,c∈This problem relies on the difficulty of the CDH problem in G1.

3.2 Game Theory Related Knowledge

3.2.1 Incentive Compatibility

Incentive compatibility refers to the consistency between individual incentive mechanisms and overall benefits in a game.It includes Bayesian incentive compatibility and dominant strategy incentive compatibility.It should be noted that Bayesian incentive compatibility is a weak concept in games,while dominant strategy incentive compatibility is a strong concept.If a game is dominant strategy incentive compatible,then it must be Bayesian incentive compatible.

In mechanism design,Bayesian incentive compatibility is considered a sufficient and necessary condition for participants to speak the truth.A game is Bayesian incentive compatible if and only if,for any playeri,any possible private typeθi,and any other players’strategiesσ-i,the following condition is satisfied:

whereUi(σi,σ-i,θi)represents playeri’s utility when their private type isθi,they choose strategyσi(the true strategy),and the other players choose strategiesσ-i.

In a game,if each player adopts their dominant strategy regardless of the other players’actions,the game is dominant strategy incentive compatible.Mathematically,a game is dominant strategy incentive compatible if and only if for any playeri,any other player’s strategyσ-i,the following condition is satisfied:

whereUi(σi,σ-i)represents playeri’s utility when all players adopt strategyσi,σ-i.

3.2.2 Individual Rationality

In game theory,individual rationality refers to each player choosing strategies that are beneficial to them in pursuit of their own maximum interests.This is also known as the assumption of rational participants.In mechanism design,individual rationality means designing a game mechanism to ensure that each participant has the motivation to participate and will not obtain a worse result due to participation.

Mathematically,individual rationality satisfies the following conditions:

For each participanti,individual rationality requires that their returns after participating in the mechanism are not less than their worst returns from leaving the mechanism,i.e.,

whereUi(∅)represents the returns of participantiwhen they do not participate in the mechanism.

3.2.3 Fairness of Cooperative Game and Shapley Value Principle

Fairness is a concept to measure the justice of a game.In Game theory,fairness usually refers to whether a game satisfies some fair principles,such as the symmetry principle in a zero-sum game and the Shapley value principle in a cooperative game.

In a cooperative game,the Shapley value principle means that each player should get the corresponding reward for his contribution to the game.Specifically,the Shapley value refers to the average contribution of a player to all possible coalitions.If a player’s Shapley value is lower than other players,this situation is also unfair.

3.2.4 Rational Fairness

In Game Theory,rational fairness refers to the participants in a game mechanism pursuing their own interests (rationality) while also obtaining fair results.Rational fairness requires participants to consider not only their own interests but also the interests of other participants when choosing strategies,in order to achieve a fair balance.

Rational fairness should satisfy the following conditions:

For each participant,rational fairness requires that the chosen strategy is an optimal response,i.e.,

3.2.5 Resisting Collusion Attack

In Game Theory,a Collusion Attack refers to participants secretly collaborating or cooperating to devise strategies for their own benefits while disregarding the interests of other participants.This collusion may distort the results of the game,sacrificing fairness and balance.Resisting Collusion Attack refers to a feature of strategic or mechanism design that aims to prevent participants from forming collusion or cooperation that could harm the fairness or balance of the game.

Reference[27]proposed a definition of a computable anti-collusion equilibrium:in a game Γ=letTrepresent a collusion group andkbe a secure parameter of a cryptographic protocol.Assuming that for each collusion group,the non-collusive strategy isaT,the collusive strategy isand the non-collusion group’s strategy isa-i,we call the strategic combinationa=(a1,...,an)∈Aa computable anti-collusion equilibrium if forPi∈T,there exists a negligible functionε(k)such that the game remains in

3.3 Verifiable Random Function

Verifiable Random Function (VRF) [28] is a random function with verification capabilities.It can generate an output and allow a verifier to verify that the output was generated from a specific input and key while maintaining the randomness and unpredictability of the output.Reference [29]proposed an efficient verifiable random function based on bilinear pairs.The scheme includes the following components:

a)Public-private key generation moduleGen:Input 1k,outputSK=s,PK=gs.

b)Encryption moduleFSK(x):InputSK,x,outputy=FSK(x)=

c)Evidence moduleπSK(x):InputSK,x,outputπ=πSK(x)=

d)Verification moduleVPK(x,y,π):Determine whetheryis the output corresponding tox,input(PK,x,y,π),verify whethere(g·pk,π)=e(g,g)andy=e(g,π)are both true,and output 1 if both are true,otherwise output 0.

4 Multi-Key Management Scheme Based on Rational Secret Sharing

Based on the anti-collusion rational secret sharing [27],and taking into account the practical situation of blockchain key escrow,the current and long-term benefits of secret-sharing participants,and the advantages of blockchain smart contracts,a multi-private key management scheme based on rational secret sharing is proposed as follows.

4.1 System Parameters

The parameters involved in the proposed scheme are shown in Table 2.

Table 2: The parameters of the proposed key management scheme

4.2 Key Generation Phase

This algorithm is executed by the system administrator to generate public key and private key ofPi.After executing this algorithm,the administrator will exit this program permanently.Especially,the setup algorithm inputs security parameter 1kand generates the public keypkiand the private keyskiby using Shamir’s(t,n)-threshold secret sharing scheme forPi.Moreover,blockchain administrators use multiple servers provided by the blockchain platform to secretly obtain randomly generated two-dimensional point coordinates,reconstruct Lagrange polynomials,and generate private keys by substituting additional random values.Its purpose is to avoid the risk of a single point of failure during the user’s local private key generation process.

4.3 Key Escrow Negotiation Phase

As shown in Fig.1,the key escrow user sets a threshold valuetaccording to its own needs,determines the number of participantsnto sign the key escrow agreement based on the active degree of the blockchain nodes andpencrypted keyss0,s1,...,sp-1,then negotiates the cost of the escrow contractM=M1+M2,determines the parameters of the geometric distributionλbased on the estimated benefits of the participants (see Section 6.3 for details) and generates a secure parameterr∗∈Z+(Z+is a positive integer set)based on this geometric distribution.The key escrow user learns the addresses of all participants and establishes secure channels with each participant.Send the private keyski(i=1,2,...,n)to the participantithrough a secure channel and upload the public data to the smart contract:a)pki(i=1,2,...,n),b)M=M1+M2.

Figure 1: Key escrow negotiation process

4.4 Key Sharing Phase

Step 2: To avoid duplicate numerical pairs causing failure during the key reconstruction phase,the key escrow user selectsn+p-tsmallest integersd1,d2,...,dn+p-tfrom [p,q-1] -{h(Addi||r)|i=1,2,...,n;r=1,2,...,r∗}.

The process of key sharing phase is shown in Fig.2.

4.5 Key Reconstruction Phase

Figure 2: Key sharing process

Step 3:Performs automatic contract verification of the reported account in order of submission.If the verification result is 0,the reputation value of the reported account will beRvfl-1,and the contribution value will beCvld-1.At the same time,the reporter will be rewarded with a reputation value ofRvld+1 and a contribution value ofCvld+1.If the reporterldhas not uploadedandwithinT1,they can resubmit after theStep 3contract automatic verification is completed and return toStep 2.If the verification result is 1,the reputation value of the reported account will remain unchanged,and the contribution value will beCvfl+1.At the same time,the reporter will be penalized with a reputation value ofRvld-1 and a contribution value ofCvld-1.

Step 4:WithinT3,the key escrow user calls the local resource to verify the remaining unreported participants one by one.If the participanti’s verification result is 0,the user will report feedback to the contract.After being verified by the contract,Cvi-1,mr-1.If the result is 1,it will continue to verify the participanti+1.Complete the verification of all participants andmr≥t,then proceed toStep 5.

Step 7: Check ifM2(r)in the current contract is not less than the maximum costLof the next round.If it is,proceed toStep 8;if not,notify the key escrow user to make up the payment(not less thanL-M2(r))withinT5.If the payment is made promptly,proceed toStep 8.If not,the contract will be assigned to each participant with the corresponding contribution valueAi=·M1,andM2(r)will be returned to the key escrow.The contract will be terminated.

Step 8:The contract executesr+1,and return toStep 1.

The process of the key reconstruction phase is shown in Fig.3.The algorithm pseudocode mainly executed by the smart contract is shown in Fig.4.

Figure 3: Key reconstruction process

Figure 4: Pseudocode for the main algorithms in the smart contract

5 Scheme Analysis

5.1 Correctness Analysis

5.2 Smart Contract Participant Utility Analysis

ForStep 1,the contract setting does not allow participants to upload duplicate data to avoid“free-riding” behavior in a round of polynomial reconstruction,which would improperly increase the contribution valueCvand allow participants to obtain rewards that do not belong to them.Not allowing participants satisfiedRv<0 to upload data reflects punishment for malicious participants(those who often engage in dishonest behavior).

ForStep 2toStep 4,participantsldand participantsflcan be viewed as the following extended game (a complete information dynamic game,which means participants know each other’s payoffs,the available actions,and the order in which moves are made):

The game tree for two players is shown in Fig.5(a>b>c>d>e):

Figure 5: Participants’game in key reconstruction phase

It is easy to find that the game has two optimal choices (true,silence) and (false,report) for participantld.For the participantfl,is a strictly dominant strategyσfl="true",and from the perspective of individual rationality,the participant is more inclined to honestly upload their own data.When malicious participants upload false data,the contract can effectively use the reporting mechanism to punish malicious participants promptly.Ultimately,a unique pure strategy Nash equilibrium in the sequential game could be found:honestly uploading data in the data uploading stage and not making false reports in the verification stage.

ForStep 5toStep 8,there is actually no effective contribution value gain among participants,but only a reputation value reward is given to honest declaration behavior when the key escrow user declares deception to the contract.In principle,the key escrow user has no motivation to deceive,because the key escrow user needs to pay the contract verification overhead,and declaring success only increases the contract polynomial reconstruction overhead by 1 time when the polynomial is not reconstructed successfully.If the key escrow user does not declare reconstruction success inT4whenr=r∗,only the amount belonging to the userM2(r)will be consumed by the contract until it is not more than one round of the maximum contract overhead valueLto stop.

For the entire key escrow protocol,the actual benefits for each participant areUi=Ai=

5.3 Analysis of Smart Contract Fairness

5.3.1 Fairness Analysis of Cooperative Game

5.3.2 Rational Fairness Analysis

In this scheme,everyone’s choice strategy={"true",("false","report")}∈BRi(s-i)satisfies the requirement of rational fairness.

5.4 Mechanism Design Analysis

5.4.1 Fairness Analysis of Cooperative Game

5.4.2 Personal Rational Analysis

In the key escrow contract scheme,it was found in the utility analysis in Section 5.2 thatUi=·M1≥0=Ui{∅},the condition for personal rationality in mechanism design is satisfied.

6 Security Analysis

6.1 Unforgeability of VRF

First,the challenger setsG1andG2,determines the bilinear transformationeand generatorg.Then,the challenger randomly selectsξ∈{0,1}without revealing it toB.Ifξ=0,let Γ=e(g,g);ifξ=1,then let Γ ∈G2.

Phase 2:Repeat the process of Phase 1.

6.2 Threshold Security:No More Than t-1 Participants Cannot Obtain Information about p Encrypted Keys

Public information(d1,G(d1)),...,consists ofn+p-tnumerical pairs,and no more thann+p-1 numerical pairs can be determined when no more thant-1 participants cooperate,making it impossible to determine a polynomial ofn+p-1 degree as in Eq.(6)and obtain information about the correspondingpencrypted keys.

6.3 Resisting Collusion Attacks

7 Performance Analysis

7.1 Communication Cost

7.2 User Communication Overhead

As shown in Table 3,during the key distribution phase,whether it is Ogata’s scheme [30],Ra’s scheme[31],or the proposed scheme in this paper,it is necessary to transmit the corresponding key shares tonserver/participant nodes through secure channels.When the server/participant nodes are honest,Ogata’s scheme[30]only needs to communicate and interact during the reconstruction phase without the verification stage of server information.Ra’s scheme[31]needs to communicate with each server through an interactive verification method and determine whether the corresponding node is malicious.When there areemalicious nodes among the server/participant nodes,the former cannot correctly reconstruct the corresponding escrow key,while the latter needs to communicate with theseemalicious nodes for an additional round during the verification stage.For the proposed scheme in this paper,whether there are malicious nodes or not,in each round of key escrow user node verification,it only needs to obtain the verification information uploaded by each participant from the chain,that is,the communication overhead per round of verification isO(1),and the communication overhead ofr∗rounds of verification isO(r∗)=Afterr∗rounds of iteration,the user reconstructs successfully locally and communicates with the smart contract deployed on the blockchain once,that is,the communication overhead of the reconstruction phase isO(1).However,for the proposed scheme,the overall communication complexity isOdue to the participants broadcasting communication interactions during the reconstruction phase.

Table 3: User communication overhead comparison

7.3 Feature Comparison

As shown in Table 4,the current password-protected secret sharing (PPSS)-based key recovery management schemes for blockchain can meet the key recovery needs of blockchain with semihonest nodes,such as the consortium blockchain[30,31].However,these schemes require interactive verification between users and servers and often require synchronous communication.At the same time,they do not consider the rational self-interested behavior of blockchain,and cannot realize key recovery in more blockchain application scenarios such as the public blockchain.Our scheme uses rational secret sharing and the non-interactive verification method Elliptic Curve VRF(ECVRF)to meet all the requirements in the table,thus realizing the key recovery needs of blockchain users in the asynchronous communication environment of the public blockchain.

Table 4: Feature comparison

7.4 Computational Efficiency Analysis

Based on the calculation efficiency analysis in Ra et al.[31] and the key distribution and reconstruction process proposed in the proposed scheme,we compare the computational complexity of Ogata’s scheme[30],Ra’s scheme[31],and the proposed scheme,as shown in Table 5.

Table 5: Computational complexity comparison

The computational complexity of Shamir’s secret sharing is denoted asS,the time complexity of generating random numbers is denoted ask,the time complexity of performing one ECVRF execution is denoted asT,and the number of executions of the proposed scheme during secret reconstruction is denoted asr∗.

As shown in Fig.6,in the key distribution process,when the user only hosts one key,the computational time overhead of the proposed scheme is higher than Ogata’s scheme [30] and Ra’s scheme[31].When the user hosts two keys at once,only in the case ofn=2,the computational time overhead of the proposed scheme is the same as Ogata’s scheme[30],and in other cases,it is lower than Ogata’s scheme[30]and Ra’s scheme[31].When the user hosts three keys at once,the computational time overhead of the proposed scheme is lower than Ogata’s scheme[30]and Ra’s scheme[31].

Figure 6: Computational efficiency comparison during distribution

As shown in Fig.7,when the user only hosts one key in the key recovery process,the computational time overhead of the proposed scheme is higher than Ogata’s scheme[30]and Ra’s scheme[31].When the user hosts five keys at once,in the case ofn≥10,the computational time overhead of the proposed scheme is lower than Ogata’s scheme[30]and Ra’s scheme[31].When the user hosts seven keys at once,in the case ofn≥5,the computational time overhead of the proposed scheme is lower than Ogata’s scheme[30]and Ra’s scheme[31].

We conducted computational cost simulations on a personal computer with a 12th Gen Intel(R)Core(TM)i7-12700H 2.70 GHz CPU and 16.0 GB RAM,using JavaScript language.The number of participants in the proposed scheme is set to ben=1000 and the numberpof private keys that need to be escrowed is denoted asp=5.The computational cost for the negotiation and key sharing stage was 403881 ms,and the computational cost for the key reconstruction stage was 1248453 ms.

Figure 7: Computational efficiency comparison during recovery

7.5 Ether Consumption

Table 6 shows the functions and corresponding Ether costs involved in the smart contract during the refactoring phase of the proposed scheme.However,according to the utility analysis in Section 5.2,participants will comply with the protocol and upload real data without false reporting.In principle,the contract will only execute a polynomial refactoring and hash value verification once,and will not execute the relevant functions of ECVRF(i.e.,serial 2 and 3).

Table 6: Ether cost

8 Conclusion

We proposed a blockchain private key management scheme based on rational secret sharing,which can achieve one-time escrow and recovery of multiple wallet private keys for blockchain private user.This scheme can be applied to the secure backup scenario of digital assets such as blockchain user wallets and encrypted data.The proposed scheme takes into account the self-interested behavior of participants and satisfies individual rational constraints and incentive compatibility.It promotes the cooperation and behavioral norms of blockchain users by designing a reputation mechanism and a revenue distribution mechanism based on contribution value proportion.In addition,the scheme also designed the whole process of multi-key escrow and reconstruction based on verifiable random functions and demonstrated the collusion resistance,security verification ability,communication overhead,computational overhead,incentive compatibility and individual rational constraints through participants’utility function analysis.Finally,the scheme was simulated on Ethereum smart contracts to prove its feasibility on the public blockchain.

In the future work,in order to make the proposed scheme a long-term blockchain key management protocol,we will consider the evolutionary game of blockchain users,adjust the reputation incentive design in this scheme and improve the efficiency of blockchain private key escrow and recovery.In addition,we will consider extending the management of the blockchain user’s private key from the wallet to more application scenarios of blockchain key management.

Acknowledgement:I would like to express my deepest gratitude to all those who have supported and guided me throughout the course of this research.

Funding Statement:This work was supported in part by the State’s Key Project of Research and Development Plan under Grant 2022YFB2701400,in part by the National Natural Science Foundation of China under Grants 62272124 and 62361010,in part by the Science and Technology Planning Project of Guizhou Province under Grant[2020]5017,in part by the Research Project of Guizhou University for Talent Introduction under Grant[2020]61,in part by the Cultivation Project of Guizhou University under Grant [2019]56,in part by the Open Fund of Key Laboratory of Advanced Manufacturing Technology,Ministry of Education under Grant GZUAMT2021KF[01],the Science and Technology Program of Guizhou Province(No.[2023]371).

Author Contributions:The authors confirm contribution to the paper as follows:study conception and design: Xingfan Zhao and Changgen Peng;supervision: Changgen Peng;data collection: Kun Niu;analysis and interpretation of results: Weijie Tan;draft manuscript preparation: Xingfan Zhao.All authors reviewed the results and approved the final version of the manuscript.

Availability of Data and Materials:There is no available data and materials.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.