# [Cryptography] Mathematically, how do proxy signatures work?

Bear bear at sonic.net
Thu Mar 20 14:32:00 EDT 2014

I hope that I have at least gotten "proxy signatures" correct as the
me.

I have recently seen a feature in Bitcoin, called BIP38 -- but despite
exactly how it works.

The effect is that given a particular type of persistent public
key belonging to Alice, Bob, who has no other information about
or from Alice, can combine that key with a nonce, or with a hash,
to produce a unique derived asymmetric key.  He can then use
this derived asymmetric key to encrypt a message that can only
be decrypted by Alice's private key.

Carol, Dave, Eve, etc, even given all information except Bob's
nonce or hash and Alice's private key, cannot identify Bob's
derived key as being derived from Alice's persistent public key,
nor identify Bob's message as being one that is encrypted to
Alice's persistent private key, nor decrypt the message.

It acts like Alice's persistent public key is one side of a
non-interactive Diffie-Hellman key exchange, except that I have
no idea what "non-interactive" and "Diffie-Hellman key exchange"
could possibly mean when used together.  So it seems magical.

I would like to understand the mathematics that allow these derived
keys to be created and the mathematics that allow Alice to identify
and decrypt messages encrypted using these derived keys.  I would
like to know what hard mathematical problem prevents Carol, Dave,
etc., from being able to identify Bob's derived key as being part
of the set derived from Alice's persistent key.  And if there are
any special properties that the persistent key Alice publishes must
have in order to work with this scheme, I would like to understand
those too.

I do not know whether Alice can recover the nonce Bob used when
decrypting the message, but that would also be an interesting
thing to know for security purposes. Should the nonce be treated
as a shared secret between Bob and Alice?  If so then what are the
downsides of later using the nonce as a shared secret for other
protocol steps?
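The following is an added worked example, not code from the post above and not an implementation of BIP38 or any other Bitcoin BIP. It shows one generic construction with the properties the post describes: a non-interactive Diffie-Hellman key derivation on an elliptic curve (the pattern usually called a stealth address). Alice publishes one persistent public key A = a*G; Bob picks a nonce r, computes the Diffie-Hellman point r*A, and derives A' = A + H(r*A)*G; Alice, given Bob's nonce point R = r*G, computes a*R = r*A and hence the matching private key a' = a + H(a*R). The choice of curve (secp256k1), hash (SHA-256), the exact tweak formula and the fixed demo scalars are all assumptions made for illustration.

```python
"""Added example (not from the post, nor from any Bitcoin BIP): a
non-interactive ECDH key derivation, often called a stealth address.

Alice publishes one persistent public key A = a*G.  Bob, knowing only A,
picks a nonce r and derives a fresh public key A' = A + H(r*A)*G that
only Alice can match to a private key.  The curve (secp256k1), the hash
(SHA-256) and the combination formula are assumptions chosen for
illustration; the scalars in __main__ are fixed so the run is reproducible.
"""
import hashlib

# secp256k1 domain parameters (standard public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def tweak(shared_point):
    """H(shared point) -> scalar mod N.  Reducing a 256-bit digest mod the
    256-bit N has a negligible bias; acceptable for an illustration."""
    data = shared_point[0].to_bytes(32, "big") + shared_point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def alice_keygen(a):
    """Alice's persistent key pair from a secret scalar a in [1, N-1]."""
    return a, ec_mul(a, G)


def bob_derive(A, r):
    """Bob: from Alice's public A and his nonce r, output the nonce point R
    (sent alongside the message) and the derived public key A'."""
    R = ec_mul(r, G)
    t = tweak(ec_mul(r, A))              # H(r*A): needs r or a to compute
    A_derived = ec_add(A, ec_mul(t, G))  # A' = A + t*G
    return R, A_derived


def alice_recover(a, R):
    """Alice: from her secret a and Bob's R, recover the derived private key
    a' = a + H(a*R).  Because a*R == r*A she obtains the same tweak as Bob.
    She learns the shared point a*R, never the scalar r itself."""
    t = tweak(ec_mul(a, R))
    return (a + t) % N


def alice_owns(a, R, candidate_pub):
    """Alice scans: does candidate_pub equal the key derived from (a, R)?
    Anyone holding neither a nor r would have to compute r*A from (G, A, R),
    i.e. solve the Diffie-Hellman problem on the curve, to run this test."""
    return ec_mul(alice_recover(a, R), G) == candidate_pub


if __name__ == "__main__":
    a, A = alice_keygen(0x123456789ABCDEF0)       # constructed demo scalars
    R, A_derived = bob_derive(A, 0xC0FFEEDEADBEEF)
    a_derived = alice_recover(a, R)
    print("a'*G == A' :", ec_mul(a_derived, G) == A_derived)
    print("A' != A    :", A_derived != A)
```

Two points this makes concrete for the questions at the end of the post: Alice needs nothing special about her persistent key beyond it being an ordinary curve point A = a*G, and what she recovers is the shared point a*R, not Bob's scalar r (extracting r from R would be a discrete logarithm). The shared point is a secret known only to Alice and Bob, but in this construction it is already consumed as a key-derivation input, so reusing it elsewhere would tie those other protocol steps to the linkability of the derived key.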