Challenge–Response Pair Mechanisms and Multi-Factor Authentication Schemes to Protect Private Keys

Bertrand Francis Cambou, Mahafujul Alam

Research output: Contribution to journal › Article › peer-review

Abstract

Featured Application: Protection of private keys for signing transactions in public key infrastructures for crypto wallets and terminal devices.

Crypto wallets store and protect the private keys needed to sign transactions for crypto currencies; they are secured by multi-factor authentication schemes. However, the loss of a wallet, or a dysfunctional factor of authentication, can be catastrophic, as the keys are then lost as well as the crypto currencies. Such difficult tradeoffs between the protection of the private keys and factors of authentication that are easy to use are also present in public key infrastructures, banking cards, smartphones and smartcards. In this paper, we present protocols based on novel challenge–response pair mechanisms that protect private keys, while using factors of authentication that can be lost or misplaced without negative consequences. Examples of factors that are analyzed include passwords, tokens, wearable devices, biometry, and blockchain-based non-fungible tokens. In normal operations, the terminal device uses all factors of authentication to retrieve an ephemeral key, decrypt the private key, and finally sign a transaction. With our solution, users can download the software stack into multiple terminal devices, turning all of them into backups. We present a zero-knowledge multi-factor authentication scheme allowing the secure recovery of private keys when one of the factors is lost, such as the token. The challenge–response pair mechanisms also enable a novel key pair generation protocol in which private keys can be kept secret by the user, while a Keystore can securely authenticate the user and transmit the public key to a distributed network. The standardized LWE post-quantum cryptographic CRYSTALS Dilithium protocol was selected in the experimental section.

Original language: English (US)
Article number: 3089
Journal: Applied Sciences (Switzerland)
Volume: 15
Issue number: 6
State: Published - Mar 2025
Externally published: Yes

Keywords

  • challenge–response pair
  • crypto wallet
  • multi-factor authentication

ASJC Scopus subject areas

  • General Materials Science
  • Instrumentation
  • General Engineering
  • Process Chemistry and Technology
  • Computer Science Applications
  • Fluid Flow and Transfer Processes
