# Gavin Andresen
# 2011-06-18 19:07:58
# https://bitcointalk.org/index.php?topic=19080.msg239156#msg239156

So I've been thinking a lot about wallet security; Matt's password patch is a good first step, but maybe we can at least build in some infrastructure for a better solution. @p{par}

We really need a solution where transactions are generated on one device and then verified on a second device, so malware must compromise both devices (e.g. computer and mobile phone, or web wallet and mobile phone) to steal coins. @p{par}

gmaxwell from IRC thinks it can be done without multiple signatures (just with the standard transaction we have now), and staring at the ECDSA math @p{(link}on this wikipedia page@p{link)} I think he's right.  I believe he was inspired by ByteCoin's observation that you can create a vanity public key generating service that is secure@p{--} the service can generate the public key but not know the private key. @p{par}

I'm mostly writing this to convince myself it could work and to give ByteCoin and Hal and gmaxwell and anybody else who knows a whole lot more crypto than me a chance to poke holes in it. And then point me to a FIPS standard that has it all figured out already... @p{par}

So:  generating an ECDSA keypair means choosing a private key d_{A}, then calculating the public key Q_{A} = d_{A}G (where G is a fixed point on the elliptic curve). @p{par}

The key generation can be split; have device 1 choose d_{A1} and device 2 choose d_{A2}.  Device 1 then sends Q_{A1} to Device 2, and it can calculate Q_{A1}d_{A2} = Q_{A1*A2}.  Or in english, Device 1 finds a public key on the curve.  Then Device 2 uses its part of the private key to do a bunch more elliptic curve multiplies to find the composite public key without ever knowing Device 1's public key. @p{par}

So great, neither Device 1 or 2 needs to ever have both parts of the private key on them to generate the shared public key. @p{par}

Now lets say Device 1 wants to spend a TxOut that is one of these split keys.  The key bit of the signature generation algorithm (see the Wikipedia page: @p{(link}@s{(link)}#Signature_generation_algorithm@p{link)} ) is: @p{brk}
... @p{brk}
4. Calculate s = k^{-1}(z+rd_{A})(mod n) @p{brk}
... @p{brk}
That can be rewritten as: @p{par}

Calculate s = k^{-1}(z+rd_{A1}d_{A2})(mod n) @p{par}

And now I'm stuck.  Can that equation be refactored so that Device 1 can compute part of the signature, send its partial result to Device 2, and have Device 2 complete the signature (without Device 2 being able to figure out 1's part of the private key?)? @p{brk}