This doesn’t require any difficult encryption: just split your private key into two uniformly random strings which XOR to the correct value (i.e., generate one half randomly, and XOR it with the private key to get the other).
To maintain a backup, you can either store the private key itself in a safe place, or cut up the key into 3 pieces such that the original can be recovered from any 2.
If you want an adversary to need simultaneous access to both devices, you can periodically refresh the keys.
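The XOR split, the periodic refresh, and the "3 pieces, any 2 recover" backup described above, as an added worked example that is not part of the original thread. It assumes the private key is a fixed-length byte string; the 2-of-3 backup uses replicated XOR shares (each piece holds two of three random masks), which is one way to meet the "any 2" requirement, not necessarily what the commenter had in mind.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_two(key: bytes) -> tuple[bytes, bytes]:
    """Pick one half uniformly at random; the other is key XOR that half."""
    s1 = secrets.token_bytes(len(key))
    return s1, xor_bytes(s1, key)


def combine(*shares: bytes) -> bytes:
    """XOR all shares back together to recover the key."""
    return reduce(xor_bytes, shares)


def refresh(s1: bytes, s2: bytes) -> tuple[bytes, bytes]:
    """Apply a fresh random mask to both halves. The key is unchanged, but an
    old share and a new share no longer combine, so an attacker must hold
    both devices' shares from the same epoch."""
    r = secrets.token_bytes(len(s1))
    return xor_bytes(s1, r), xor_bytes(s2, r)


def split_two_of_three(key: bytes) -> list[dict[int, bytes]]:
    """key = r0 ^ r1 ^ r2; piece i holds (r_i, r_{i+1 mod 3}). Any two
    pieces cover all three masks; one piece is missing one mask."""
    r0 = secrets.token_bytes(len(key))
    r1 = secrets.token_bytes(len(key))
    r2 = combine(key, r0, r1)
    masks = [r0, r1, r2]
    return [{i: masks[i], (i + 1) % 3: masks[(i + 1) % 3]} for i in range(3)]


def recover_two_of_three(*pieces: dict[int, bytes]) -> bytes:
    known: dict[int, bytes] = {}
    for p in pieces:
        known.update(p)
    if set(known) != {0, 1, 2}:
        raise ValueError("need at least two distinct pieces")
    return combine(known[0], known[1], known[2])


# Constructed sample key (not a real key): 32 fixed bytes.
SAMPLE_KEY = bytes(range(32))
```

Note that signing a transaction still requires `combine` to run somewhere, which is exactly the objection raised in the reply below.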
That doesn’t work. If you do that, then every time you send money, to sign an outgoing transaction you have to put the two keys back together on one or the other of the two computers. The point of using homomorphic encryption is to avoid doing that, since it creates an opportunity to steal the combined key.
I see. My earlier proposal defends you against an adversary who steals your computer, but not against one who has root access without your knowledge.
In that case it is sufficient to have secure function evaluation. This is conceptually much easier than homomorphic encryption (having been discovered some 25 years earlier) and is currently much more practical (i.e., practical at all). I don’t know much about existing implementations.