Paper 2024/1118

Shared-Custodial Password-Authenticated Deterministic Wallets

Poulami Das, CISPA Helmholtz Center for Information Security
Andreas Erwig, TU Darmstadt
Sebastian Faust, TU Darmstadt

Cryptographic wallets are an essential tool in blockchain networks to ensure the secure storage and maintenance of a user's cryptographic keys. Broadly, wallets can be divided into three categories, namely custodial, non-custodial, and shared-custodial wallets. The first two are centralized solutions, i.e., the wallet is operated by a single entity, which inherently introduces a single point of failure. Shared-custodial wallets, on the other hand, are maintained by two independent parties, e.g., the wallet user and a service provider, and hence avoid the single point of failure of centralized solutions. Unfortunately, current shared-custodial wallets suffer from significant privacy issues. In our work, we introduce password-authenticated deterministic wallets (PADW), a novel and efficient shared-custodial wallet solution, which exhibits strong security and privacy guarantees. In a nutshell, in a PADW scheme, the secret key of the user is shared between the user and the server. In order to generate a signature, the user first authenticates itself to the server by providing a password and afterwards engages in an interactive signing protocol with the server. Security is guaranteed as long as at most one of the two parties is corrupted. Privacy, on the other hand, guarantees that a corrupted server cannot link a transaction to a particular user. We formally model the notion of PADW schemes and we give an instantiation from blind Schnorr signatures. Our construction allows for deterministic key derivation, a feature that is widely used in practice by existing wallet schemes, and it does not rely on any heavy cryptographic primitives. We prove our scheme secure against adaptive adversaries in the random oracle model and under standard assumptions. That is, our security proof only relies on the assumption that the Schnorr signature scheme is unforgeable and that a public key encryption scheme is CCA-secure.

Cryptographic protocols
Publication info
Published elsewhere. Major revision. To appear at SCN 2024
deterministic wallets, blind Schnorr, password-authentication
Contact author(s)
poulami das @ cispa de
andreas erwig @ tu-darmstadt de
sebastian faust @ tu-darmstadt de
2024-07-10: approved
2024-07-09: received
Creative Commons Attribution


      author = {Poulami Das and Andreas Erwig and Sebastian Faust},
      title = {Shared-Custodial Password-Authenticated Deterministic Wallets},
      howpublished = {Cryptology ePrint Archive, Paper 2024/1118},
      year = {2024},
      note = {\url{}},
      url = {}