An Air-Gapped 2-Factor Authentication for Smart-Contract Wallets

Ivan Homoliak ∗‡ (ihomoliak@sutd.edu.sg), Dominik Breitenbacher † (dominik@sutd.edu.sg), Alexander Binder † (alexander_binder@sutd.edu.sg), Pawel Szalachowski † (pawel@sutd.edu.sg)

∗ STE-SUTD Cyber Security Laboratory
† Singapore University of Technology and Design
‡ Faculty of Information Technology, Brno University of Technology

Abstract—With the recent rise of cryptocurrencies, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users, their software, or their providers, which have resulted in significant financial losses. To remedy these issues, many wallet solutions have been proposed to store users' crypto-tokens. However, these solutions lack either essential security features or usability, or they do not allow users to express their spending rules. In this paper, we propose a smart-contract cryptocurrency wallet framework that gives a flexible, usable, and secure way of managing crypto-tokens in a self-sovereign fashion. The proposed framework consists of three components (i.e., an authenticator, a client, and a smart contract) and provides 2-factor authentication performed in two stages of interaction with the blockchain. Our framework utilizes one-time passwords (OTPs) aggregated by a Merkle tree that is distributed across the components in such a way that for every authentication only a single OTP is transferred from the authenticator to the client. Such a novel setting enables us to make a fully air-gapped authenticator with 16B-long OTPs, while offering resilience against quantum cryptanalysis. We implemented our approach based on the Ethereum cryptocurrency and the Solidity language. We performed a cost analysis of the implementation and showed that the average cost of a transfer operation is less than $0.15.
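To make the OTP-over-Merkle-tree arrangement in the abstract concrete, the following Python sketch is an added illustration, not the paper's code or its Solidity contract. It assumes SHA-256 as the hash, an authenticator that derives the 16-byte OTPs from a seed, a client that stores only the leaf hashes and builds the Merkle proof, and a contract-side verifier that holds nothing but the root and the set of already spent leaf positions; the paper does not specify these details.

```python
import hashlib
import hmac

H = lambda b: hashlib.sha256(b).digest()   # hash choice is an assumption, not the paper's

def derive_otps(seed: bytes, n: int) -> list[bytes]:
    """Authenticator side (assumed derivation): OTP i = HMAC-SHA256(seed, i) truncated to 16 bytes."""
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:16] for i in range(n)]

def build_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """Client side: tree levels from the leaf hashes up to the root (n must be a power of two)."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_proof(levels: list[list[bytes]], index: int) -> list[tuple[bytes, bool]]:
    """Client side: sibling hashes bottom-up, each flagged 'sibling is on the right'."""
    proof = []
    for lvl in levels[:-1]:
        sib = index ^ 1
        proof.append((lvl[sib], sib > index))
        index //= 2
    return proof

class ContractVerifier:
    """Contract side: stores only the Merkle root plus the leaf positions already spent."""
    def __init__(self, root: bytes):
        self.root, self.used = root, set()
    def verify(self, otp: bytes, proof: list[tuple[bytes, bool]]) -> bool:
        node, index = H(otp), 0
        for depth, (sib, right) in enumerate(proof):
            node = H(node + sib) if right else H(sib + node)
            index |= (0 if right else 1) << depth    # leaf position is implied by the path
        if index in self.used or not hmac.compare_digest(node, self.root):
            return False                              # replayed position or invalid OTP
        self.used.add(index)
        return True

def demo() -> tuple[bool, bool, bool]:
    seed = b"constructed-demo-seed"                   # constructed sample value
    otps = derive_otps(seed, 8)                       # stays on the air-gapped authenticator
    levels = build_tree([H(o) for o in otps])         # client holds hashes only, never OTPs
    contract = ContractVerifier(levels[-1][0])        # root registered at wallet setup
    proof = merkle_proof(levels, 5)
    first = contract.verify(otps[5], proof)           # one 16-byte OTP crosses the air gap
    replay = contract.verify(otps[5], proof)          # the same OTP is rejected a second time
    forged = contract.verify(bytes(16), merkle_proof(levels, 6))
    return first, replay, forged
```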
Index Terms—cryptocurrency wallets, smart contracts, 2-factor authentication, Merkle tree, one-time passwords, post-quantum computing

I. INTRODUCTION

Cryptocurrencies are successful beyond all expectations. Their amazing rise in the last decade has resulted in various open and decentralized platforms that allow users to conduct monetary transfers, write smart contracts used as financial agreements, or participate in predictive markets. If successful, cryptocurrencies promise to revolutionize many fields and businesses. Cryptocurrencies introduce their own crypto-tokens used as a currency. Crypto-tokens can be transferred in transactions authenticated by private keys that belong to crypto-token owners. These private keys are managed by wallet software that gives users an interface to interact with the cryptocurrency. There are many cases of stolen keys that were secured by various means [1], [2], [3]. Such cases have brought the attention of the research community to the security issues related to key management in cryptocurrencies [4], [5], [6].

As enumerated by previous work [4], [6], there are a few categories of key management approaches in Bitcoin, also applicable to other cryptocurrencies. Password-protected wallets encrypt private keys with user-selected passwords. Unfortunately, users often choose weak passwords that can be brute-forced if stolen by cryptocurrency-stealing malware [7]; optionally, such malware may use a keylogger for capturing a passphrase [6], [8]. Another similar option is to use password-derived wallets that generate keys based on a provided password. However, they also suffer from the possibility of weak passwords [2]. Hardware wallets are a category that promises better security by introducing devices that enable only the signing of transactions, without revealing the private keys stored on the device. However, these wallets do not provide protection from an attacker with full access to the device [4], and more importantly, as presented by recent research [9], they can be exploited by sophisticated malware due to missing two-way authentication in inter-process communication mechanisms. Multi-factor (or multi-step) authentication is provided by wallets from the split-control category, which enables spending crypto-tokens only when n of m secrets are used together. This can be achieved by threshold cryptography wallets [5], [10], multi-signature wallets [11], [12], [13], [14], and state-aware smart-contract wallets [15], [16], [17]. This last class of wallets is interesting, as spending rules are encoded in a smart contract; hence, they can be adjusted almost arbitrarily to the user's needs.

A popular option for storing private keys is to deposit (or even generate) them at server-side hosted wallets and currency-exchange services [18], [19], [20]. In contrast to the previous categories, server-side hosted wallets imply trust in a third party, which is a potential risk of such a solution. Due to infamous cases of compromised server-side wallets [21], [22], [23], [24] and fraudulent currency-exchange operators [25], client-side hosted wallets have started to proliferate. In such wallets, the main functionality, including the storage of private keys, has moved to the user's browser or a local application (e.g., [26], [27], [28], [29], [30]). Alternatively, this category contains wallets that store only encrypted versions of keys at a third party (e.g., [31], [32]). Therefore, trust in the third party has been partially reduced, but the users still depend on the third party's infrastructure.