[Cryptography] Mathematically, how do proxy signatures work?

Bear bear at sonic.net
Thu Mar 20 14:32:00 EDT 2014

I hope that I have at least gotten "proxy signatures" correct as the 
proper name of what I want to ask about...  If not, then please correct 

I have recently seen a feature in Bitcoin, called BIP38 -- but despite
reading their wiki pages and linked materials I can't figure out 
exactly how it works. 

The effect is that given a particular type of persistent public 
key belonging to Alice, Bob, who has no other information about 
or from Alice, can combine that key with a nonce, or with a hash, 
to produce a unique derived asymmetric key.  He can then use 
this derived asymmetric key to encrypt a message that can only 
be decrypted by Alice's private key.  

Carol, Dave, Eve, etc., even given all information except Bob's 
nonce or hash and Alice's private key, cannot identify Bob's 
derived key as being derived from Alice's persistent public key, 
nor identify Bob's message as being one that is encrypted to 
Alice's persistent private key, nor decrypt the message. 

It acts like Alice's persistent public key is one side of a
non-interactive Diffie-Hellman key exchange, except that I have 
no idea what "non-interactive" and "Diffie-Hellman key exchange" 
could possibly mean when used together.  So it seems magical. 

I would like to understand the mathematics that allow these derived 
keys to be created and the mathematics that allow Alice to identify 
and decrypt messages encrypted using these derived keys.  I would 
like to know what Hard mathematical problem prevents Carol, Dave, 
etc, from being able to identify Bob's derived key as being part 
of the set derived from Alice's persistent key.  And if there are 
any special properties that the persistent key Alice publishes must 
have in order to work with this scheme, I would like to understand
those too.  

I do not know whether Alice can recover the nonce Bob used when 
decrypting the message, but that would also be an interesting 
thing to know for security purposes. Should the nonce be treated 
as a shared secret between Bob and Alice?  If so then what are the
downsides of later using the nonce as a shared secret for other
protocol steps?

Anyway, any help you can offer will be appreciated.  
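The construction the post describes, written out as an added example that is not part of the original thread (Bitcoin calls this pattern a stealth address): Alice publishes a persistent key A = a*G; Bob picks a fresh nonce r, publishes R = r*G, and derives the one-time key D = A + H(r*A)*G; Alice, holding a, computes a*R = r*A and therefore the same H(.) value, giving her the private key d = a + H(a*R) for D. The "non-interactive Diffie-Hellman" is exactly the step where both sides reach the point r*a*G without exchanging anything beyond the public A and R. The curve arithmetic (secp256k1, the curve Bitcoin uses) is written in plain Python so the example runs offline; the function names, the hash-to-scalar choice and the scalars in the demo are this example's assumptions, not from any specification.

```python
import hashlib
import secrets

# secp256k1, the curve Bitcoin uses (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # Q + (-Q)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_point(point):
    """H(point) as a scalar mod N: SHA-256 over the SEC compressed encoding (an assumption)."""
    x, y = point
    encoded = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big") % N


def keygen():
    """Alice's persistent key pair: private a, public A = a*G."""
    a = secrets.randbelow(N - 1) + 1
    return a, ec_mul(a, G)


def bob_derive(A, r):
    """Bob, knowing only Alice's A and his own nonce r, derives a one-time key.

    R = r*G is published next to the message; the derived key is
    D = A + H(r*A)*G.  Bob never learns the private key for D.
    """
    R = ec_mul(r, G)
    c = hash_point(ec_mul(r, A))          # Bob's half of the non-interactive DH
    D = ec_add(A, ec_mul(c, G))
    return R, D


def alice_recover(a, R):
    """Alice, from her private key a and the published R, recovers d with d*G = D.

    a*R = a*r*G = r*A, so she obtains the same H(.) value as Bob and
    d = a + H(a*R) mod N.  Without a (or r) nobody can compute a*R.
    """
    c = hash_point(ec_mul(a, R))          # Alice's half of the non-interactive DH
    return (a + c) % N


def alice_owns(a, R, D):
    """Alice's scan test: does the candidate pair (R, D) belong to her?"""
    return ec_mul(alice_recover(a, R), G) == D


if __name__ == "__main__":
    a, A = keygen()
    r = secrets.randbelow(N - 1) + 1      # Bob's nonce, held by Bob only
    R, D = bob_derive(A, r)
    print("Alice recognises the derived key:", alice_owns(a, R, D))
    carol_a, _ = keygen()                 # Carol tries with her own key
    print("Carol recognises it:", alice_owns(carol_a, R, D))
```

Two points the code makes concrete: Alice only ever computes a*R, never r itself, so in this construction the nonce is not recoverable by her and the quantity the two parties actually share is the point r*a*G (the hash of that point is what should be treated as the shared secret, if anything is); and an observer holding A, R and D would have to compute r*a*G from r*G and a*G to link D to A, which is the computational Diffie-Hellman problem on the curve, the same hardness assumption ordinary ECDH rests on.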

