0

It turns out that what I was attempting to do was create a form of ECDSA threshold signature protocol by just giving away multiple public keys and then having the two parties solve for the private key.


Original Question

I am currently working on building an application and I have a question about the triviality of deriving private keys from multiple public keys. I have read in many places that it is possible to derive multiple public keys from a single private key, but that publicly revealing more than one will jeopardize the private key's security. If I want to produce two public keys from a single private key (ECDSA) and derive the private key later using only the public keys, how much does knowing the two public keys help? Will two public keys easily yield a single private key? Will introducing more than two public keys reduce the amount of computation that it takes to derive a private key, if it is computationally difficult?

kelalaka
Adam
    I guess you meant "that it is possible to derive multiple public keys from a single private key but that publicly revealing more than one will jeopardize the private key's security". Please give a link to where that is explained, as I fail to understand what is meant, especially in an ECDSA context. – fgrieu Mar 24 '18 at 07:00
  • Link, Link: does this only apply to trapdoors like RSA? That may be where I am misunderstanding. – Adam Mar 24 '18 at 14:17

1 Answer

2

Responding to comment-implied intended question:

The RSA alternative public keys revealing the secret factors of $N$ is not a suitable means to implement threshold protocols. Instead you should be using actual threshold protocols, such as t-of-n or n-of-n signature schemes.

ECDSA uses DSA, not Schnorr, so my usual suggestions do not apply. Although a quick search for "threshold dsa" yields:

Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme


Old answer (kept for alternative interest)

This sounds like key-blinding, where you derive a subkey from a master pair. Say you have the secret key $k$, public key $Gk$ and the blinding factor $b$, the subkey secret is $kb$ and the subkey public is $Gkb$.

$Gkb$ and $Gk$ cannot be used to recover $k$ nor $b$ without breaking Diffie-Hellman. $b$ may be derived from $Gk$ plus some contextual string; this allows someone with the master public and master secret to compute the subkeys respectively. These keys are tightly related: given $kb$ and $b$, you can recover $k$. If you give someone $kb$ but keep $b$ secret, they cannot recover $k$. If $kb = k * b$ then $k = kb / b$.

If deriving a subkey from a public key gave you any information useful to recover the secret key, the scheme is broken with only one public key.

cypherfox
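The key-blinding construction from the old answer, as an added worked example (not code from the answer or from any library): the blinding factor $b$ is hashed from the master public key $Gk$ plus a context string, so the holder of the master public key computes the subkey public $Gkb$ while the holder of the master secret computes the subkey secret $kb$, and the two agree; $k$ is then recovered from $kb$ only with $b$ in hand. The curve is secp256k1 in plain affine arithmetic; the secret `k` and the context `b"example/1"` are constructed sample values.

```python
import hashlib

# secp256k1 domain parameters (field prime, group order, base point).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    x1, y1 = p; x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:      # p == -q
        return None
    if p == q:                                # doubling
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(s, point=G):
    """Double-and-add scalar multiplication s*point (not constant-time)."""
    r, s = None, s % N
    while s:
        if s & 1: r = _add(r, point)
        point = _add(point, point)
        s >>= 1
    return r

def blinding_factor(master_pub, context):
    """b = H(Gk || context) mod N, computable from the public key alone."""
    data = master_pub[0].to_bytes(32, "big") + master_pub[1].to_bytes(32, "big") + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N or 1

def derive_sub_secret(k, context):
    """Holder of the master secret k computes the subkey secret kb."""
    return k * blinding_factor(mul(k), context) % N

def derive_sub_public(master_pub, context):
    """Holder of only the master public Gk computes the subkey public Gkb."""
    return mul(blinding_factor(master_pub, context), master_pub)

def recover_master(kb, b):
    """k = kb / b, i.e. kb * b^-1 mod N; impossible without b."""
    return kb * pow(b, -1, N) % N
```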