简易社交恢复的MPC钱包
方案一:基于密码学的社交恢复MPC钱包(Go实现)
(基于Shamir秘密共享和ECDSA,纯密码学方案,无智能合约依赖)
基于密码学的社交恢复流程图(分模块展示)
1). 密钥生成与分片阶段
flowchart LR
A[用户生成主私钥SK] --> B[通过Shamir算法拆分]
B --> C[生成用户分片(2个)<br/>门限:2-of-2(日常签名用)]
B --> D[生成监护人分片(5个)<br/>门限:3-of-5(恢复用)]
C --> E[用户设备存储分片<br/>(手机+硬件钱包)]
D --> F[监护人存储分片<br/>(朋友1-朋友5)]
2). 日常交易签名阶段
flowchart LR
G[发起转账交易] --> H[用户提供2个设备分片]
H --> I[本地计算部分签名]
I --> J[加密交换中间结果]
J --> K[聚合为完整ECDSA签名]
K --> L[提交区块链验证执行]
3). 社交恢复阶段(私钥丢失后)
flowchart LR
M[用户设备丢失] --> N[新设备生成临时公钥PK_new]
N --> O[向5个监护人发送恢复请求]
O --> P[3个监护人验证身份后<br/>提供各自分片]
P --> Q[聚合3个分片生成临时私钥]
Q --> R[生成与PK_new匹配的新私钥SK_new]
R --> S[新设备获得钱包控制权]
1. 核心密码学工具库(crypto_utils.go)
package main
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/sha256"
"encoding/binary"
"fmt"
"math/big"
)
// 选用secp256k1曲线(兼容比特币/以太坊)
var curve = elliptic.P256() // 简化示例,实际可用secp256k1
// Share 表示一个密钥分片 (x, y)
type Share struct {
X *big.Int
Y *big.Int
}
// ShamirSplit 将秘密拆分为n个分片,门限为k
func ShamirSplit(secret *big.Int, n, k int) ([]Share, error) {
if k > n {
return nil, fmt.Errorf("门限k不能大于分片数n")
}
// 生成k-1次多项式系数: f(x) = secret + a1*x + ... + a(k-1)*x^(k-1)
coeffs := make([]*big.Int, k)
coeffs[0] = new(big.Int).Set(secret) // 常数项为秘密本身
for i := 1; i < k; i++ {
// 生成[1, curve.Params().N-1]范围内的随机系数
randNum, err := rand.Int(rand.Reader, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
if err != nil {
return nil, err
}
coeffs[i] = new(big.Int).Add(randNum, big.NewInt(1)) // 确保≥1
}
// 生成n个分片 (x从1到n)
shares := make([]Share, n)
for x := 1; x <= n; x++ {
xBig := big.NewInt(int64(x))
y := new(big.Int).Set(coeffs[0]) // 初始值为常数项
// 计算多项式值: y = sum(ai * x^i) mod N
for i := 1; i < k; i++ {
// 计算x^i
xi := new(big.Int).Exp(xBig, big.NewInt(int64(i)), curve.Params().N)
// 计算ai * x^i
term := new(big.Int).Mul(coeffs[i], xi)
term.Mod(term, curve.Params().N)
// 累加
y.Add(y, term)
y.Mod(y, curve.Params().N)
}
shares[x-1] = Share{X: xBig, Y: y}
}
return shares, nil
}
// ShamirRecover 用k个分片恢复秘密
func ShamirRecover(shares []Share, k int) (*big.Int, error) {
if len(shares) < k {
return nil, fmt.Errorf("分片数量不足,需要至少%d个", k)
}
secret := big.NewInt(0)
n := curve.Params().N
// 拉格朗日插值
for i := 0; i < k; i++ {
xi := shares[i].X
yi := shares[i].Y
// 计算拉格朗日系数 li = product((xj - x0)/(xi - xj)) for j != i
li := big.NewInt(1)
for j := 0; j < k; j++ {
if i == j {
continue
}
xj := shares[j].X
// 分子: (0 - xj) mod n
numerator := new(big.Int).Neg(xj)
numerator.Mod(numerator, n)
// 分母: (xi - xj) mod n
denominator := new(big.Int).Sub(xi, xj)
denominator.Mod(denominator, n)
// 计算分母的模逆
invDenominator := new(big.Int).ModInverse(denominator, n)
if invDenominator == nil {
return nil, fmt.Errorf("无法计算模逆,分母与n不互质")
}
// 累积 li *= (numerator * invDenominator) mod n
term := new(big.Int).Mul(numerator, invDenominator)
term.Mod(term, n)
li.Mul(li, term)
li.Mod(li, n)
}
// 累加 yi * li 到秘密
term := new(big.Int).Mul(yi, li)
term.Mod(term, n)
secret.Add(secret, term)
secret.Mod(secret, n)
}
return secret, nil
}
// ECDSASign 用私钥签名消息
func ECDSASign(privateKey *ecdsa.PrivateKey, message []byte) (r, s *big.Int, err error) {
hash := sha256.Sum256(message)
return ecdsa.Sign(rand.Reader, privateKey, hash[:])
}
// ECDSAVerify 用公钥验证签名
func ECDSAVerify(publicKey *ecdsa.PublicKey, message []byte, r, s *big.Int) bool {
hash := sha256.Sum256(message)
return ecdsa.Verify(publicKey, hash[:], r, s)
}
2. MPC钱包核心逻辑(mpc_wallet.go)
package main
import (
"crypto/ecdsa"
"fmt"
"math/big"
)
// MPCWallet 基于密码学的社交恢复MPC钱包
type MPCWallet struct {
numGuardians int // 监护人数量
recoveryThreshold int // 恢复门限
userShares []Share // 用户自持分片
guardianShares map[string]Share // 监护人分片 (ID -> 分片)
privateKey *ecdsa.PrivateKey // 原始私钥(仅初始化时存在)
publicKey *ecdsa.PublicKey // 钱包公钥
}
// NewMPCWallet 创建新钱包
func NewMPCWallet(numGuardians, recoveryThreshold int) *MPCWallet {
return &MPCWallet{
numGuardians: numGuardians,
recoveryThreshold: recoveryThreshold,
guardianShares: make(map[string]Share),
}
}
// Initialize 初始化钱包:生成密钥并拆分
func (w *MPCWallet) Initialize(userDeviceCount int) error {
// 生成随机私钥
privateKey, err := ecdsa.GenerateKey(curve, rand.Reader)
if err != nil {
return err
}
w.privateKey = privateKey
w.publicKey = &privateKey.PublicKey
// 拆分私钥为用户分片(日常签名用)
userShares, err := ShamirSplit(privateKey.D, userDeviceCount, userDeviceCount)
if err != nil {
return err
}
w.userShares = userShares
// 拆分私钥为监护人分片(恢复用)
guardianShares, err := ShamirSplit(privateKey.D, w.numGuardians, w.recoveryThreshold)
if err != nil {
return err
}
for i, share := range guardianShares {
w.guardianShares[fmt.Sprintf("guardian_%d", i+1)] = share
}
return nil
}
// SignTransaction 用用户分片签名交易
func (w *MPCWallet) SignTransaction(userShareIndices []int, message []byte) (r, s *big.Int, err error) {
if len(userShareIndices) < len(w.userShares) {
return nil, nil, fmt.Errorf("需要所有%d个用户分片", len(w.userShares))
}
// 提取选中的用户分片
selectedShares := make([]Share, len(userShareIndices))
for i, idx := range userShareIndices {
if idx < 0 || idx >= len(w.userShares) {
return nil, nil, fmt.Errorf("无效的分片索引: %d", idx)
}
selectedShares[i] = w.userShares[idx]
}
// 恢复私钥并签名
recoveredSK, err := ShamirRecover(selectedShares, len(w.userShares))
if err != nil {
return nil, nil, err
}
privateKey := ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: curve,
X: new(big.Int),
Y: new(big.Int),
},
D: recoveredSK,
}
privateKey.PublicKey.X, privateKey.PublicKey.Y = curve.ScalarBaseMult(recoveredSK.Bytes())
return ECDSASign(&privateKey, message)
}
// SocialRecovery 通过监护人分片恢复钱包
func (w *MPCWallet) SocialRecovery(guardianIDs []string) (*ecdsa.PrivateKey, error) {
if len(guardianIDs) < w.recoveryThreshold {
return nil, fmt.Errorf("需要至少%d个监护人", w.recoveryThreshold)
}
// 提取监护人分片
guardianShares := make([]Share, len(guardianIDs))
for i, id := range guardianIDs {
share, exists := w.guardianShares[id]
if !exists {
return nil, fmt.Errorf("监护人不存在: %s", id)
}
guardianShares[i] = share
}
// 恢复原始私钥
recoveredSK, err := ShamirRecover(guardianShares, w.recoveryThreshold)
if err != nil {
return nil, err
}
// 生成新私钥(替换旧私钥)
newSK, err := ecdsa.GenerateKey(curve, rand.Reader)
if err != nil {
return nil, err
}
w.privateKey = newSK
w.publicKey = &newSK.PublicKey
return newSK, nil
}
3. 使用示例(main.go)
package main
import (
"fmt"
)
func main() {
// 初始化钱包:5个监护人,3-of-5恢复门限
wallet := NewMPCWallet(5, 3)
err := wallet.Initialize(2) // 用户2个设备分片(2-of-2签名)
if err != nil {
panic(err)
}
fmt.Printf("钱包公钥: (X: %x, Y: %x)\n",
wallet.publicKey.X.Bytes(),
wallet.publicKey.Y.Bytes())
// 1. 日常交易签名(使用2个用户分片)
message := []byte("transfer 1 ETH to 0x742d35Cc6634C0532925a3b844Bc454e4438f44e")
r, s, err := wallet.SignTransaction([]int{0, 1}, message)
if err != nil {
panic(err)
}
fmt.Printf("交易签名: (r: %x, s: %x)\n", r.Bytes(), s.Bytes())
// 验证签名
valid := ECDSAVerify(wallet.publicKey, message, r, s)
fmt.Printf("签名验证结果: %v\n", valid) // 输出: true
// 2. 模拟私钥丢失,执行社交恢复
// 收集3个监护人的分片
guardianIDs := []string{"guardian_1", "guardian_2", "guardian_3"}
newSK, err := wallet.SocialRecovery(guardianIDs)
if err != nil {
panic(err)
}
fmt.Printf("恢复后的新私钥: %x\n", newSK.D.Bytes())
// 验证新私钥有效性
newR, newS, _ := ECDSASign(newSK, message)
newValid := ECDSAVerify(&newSK.PublicKey, message, newR, newS)
fmt.Printf("新私钥签名验证: %v\n", newValid) // 输出: true
}
方案二:基于智能合约的社交恢复钱包(Go+Solidity)
(Go实现合约交互逻辑,Solidity实现智能合约)
基于智能合约的社交恢复流程图(分模块展示)
1). 合约部署与初始化阶段
flowchart LR
A[部署社交恢复合约] --> B[写入链上配置:<br/>- 监护人列表(5人)<br/>- 恢复门限(3/5)<br/>- 时间锁(72小时)]
B --> C[绑定初始控制私钥SK_old<br/>(公钥PK_old写入合约)]
B --> D[合约地址作为钱包地址<br/>接收用户资产]
2). 日常操作阶段
flowchart LR
E[用户发起交易] --> F[用SK_old签名交易数据]
F --> G[合约验证签名是否匹配PK_old]
G -->|验证通过| H[执行交易并更新状态]
G -->|验证失败| I[交易被驳回]
3). 链上社交恢复阶段(私钥丢失后)
flowchart LR
J[SK_old丢失] --> K[新设备生成PK_new]
K --> L[调用合约提交恢复提案<br/>(含PK_new+提交时间戳)]
L --> M[合约事件通知所有监护人]
M --> N[3个监护人调用signProposal<br/>提交链上签名]
N --> O[等待72小时时间锁到期]
O --> P[调用finalizeRecovery<br/>合约更新控制公钥为PK_new]
P --> Q[新设备用SK_new获得控制权]
1. 智能合约(SocialRecoveryWallet.sol)
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
contract SocialRecoveryWallet is ReentrancyGuard {
using ECDSA for bytes32;
address public owner;
address[] public guardians;
uint256 public recoveryThreshold;
uint256 public timelockDelay;
mapping(bytes32 => uint256) public recoverySignatures;
mapping(bytes32 => address) public activeProposals;
event ProposalCreated(bytes32 indexed proposalHash, address newOwner, uint256 timestamp);
event ProposalSigned(bytes32 indexed proposalHash, address guardian);
event WalletRecovered(address oldOwner, address newOwner);
constructor(
address[] memory _guardians,
uint256 _recoveryThreshold,
uint256 _timelockDelay
) {
require(_guardians.length > 0, "至少需要1个监护人");
require(_recoveryThreshold <= _guardians.length, "门限不能超过监护人数量");
owner = msg.sender;
guardians = _guardians;
recoveryThreshold = _recoveryThreshold;
timelockDelay = _timelockDelay;
}
function isGuardian(address _addr) public view returns (bool) {
for (uint i = 0; i < guardians.length; i++) {
if (guardians[i] == _addr) return true;
}
return false;
}
function createRecoveryProposal(address _newOwner) external {
bytes32 proposalHash = keccak256(abi.encodePacked(_newOwner, block.timestamp));
activeProposals[proposalHash] = _newOwner;
emit ProposalCreated(proposalHash, _newOwner, block.timestamp);
}
function signProposal(address _newOwner, uint256 _timestamp, bytes calldata _signature) external {
require(isGuardian(msg.sender), "不是监护人");
bytes32 proposalHash = keccak256(abi.encodePacked(_newOwner, _timestamp));
require(activeProposals[proposalHash] == _newOwner, "提案不存在");
bytes32 messageHash = proposalHash.toEthSignedMessageHash();
address signer = messageHash.recover(_signature);
require(signer == msg.sender, "签名无效");
recoverySignatures[proposalHash]++;
emit ProposalSigned(proposalHash, msg.sender);
}
function finalizeRecovery(address _newOwner, uint256 _timestamp) external nonReentrant {
bytes32 proposalHash = keccak256(abi.encodePacked(_newOwner, _timestamp));
require(recoverySignatures[proposalHash] >= recoveryThreshold, "签名不足");
require(block.timestamp >= _timestamp + timelockDelay, "时间锁未到期");
address oldOwner = owner;
owner = _newOwner;
delete activeProposals[proposalHash];
delete recoverySignatures[proposalHash];
emit WalletRecovered(oldOwner, _newOwner);
}
function executeTransaction(
address _to,
uint256 _value,
bytes calldata _data,
bytes calldata _signature
) external payable nonReentrant returns (bool) {
bytes32 txHash = keccak256(abi.encodePacked(_to, _value, _data, block.chainid));
address signer = txHash.toEthSignedMessageHash().recover(_signature);
require(signer == owner, "签名无效");
(bool success, ) = _to.call{value: _value}(_data);
return success;
}
receive() external payable {}
}
2. 智能合约ABI(简化版,对应之前的Solidity合约)
// socialRecoveryABI.ts
export const SocialRecoveryABI = [
"constructor(address[] _guardians, uint256 _recoveryThreshold, uint256 _timelockDelay)",
"event ProposalCreated(bytes32 indexed proposalHash, address newOwner, uint256 timestamp)",
"event ProposalSigned(bytes32 indexed proposalHash, address guardian, uint256 signatureCount)",
"event WalletRecovered(address oldOwner, address newOwner, uint256 timestamp)",
"function createRecoveryProposal(address newOwner)",
"function signProposal(address newOwner, uint256 timestamp, bytes signature)",
"function finalizeRecovery(address newOwner, uint256 timestamp) returns (bool)",
"function executeTransaction(address to, uint256 value, bytes data, bytes signature) returns (bool)",
"function isGuardian(address _addr) view returns (bool)",
"function owner() view returns (address)",
"function recoverySignatures(bytes32) view returns (uint256)",
] as const;
3. 核心交互类(SocialRecoveryWallet.ts)
import { ethers, Signer, Contract, utils, Wallet } from "ethers";
import { SocialRecoveryABI } from "./socialRecoveryABI";
// 类型定义
type Proposal = {
proposalHash: string;
newOwner: string;
timestamp: bigint;
signatures: number;
};
export class SocialRecoveryWallet {
private contract: Contract; // 智能合约实例
private signer: Signer; // 交互签名者(用户或监护人)
/**
* 初始化钱包客户端
* @param contractAddress 智能合约地址
* @param provider 区块链 provider(如Infura/Alchemy)
* @param signer 签名者(可选,如用户私钥或监护人私钥)
*/
constructor(
contractAddress: string,
provider: ethers.providers.Provider,
signer?: Signer
) {
this.contract = new Contract(
contractAddress,
SocialRecoveryABI,
signer || provider
);
this.signer = signer || provider.getSigner();
}
/**
* 获取当前合约所有者(钱包控制者)
*/
async getOwner(): Promise<string> {
return this.contract.owner();
}
/**
* 验证地址是否为监护人
*/
async isGuardian(address: string): Promise<boolean> {
return this.contract.isGuardian(address);
}
/**
* 创建恢复提案
* @param newOwner 新所有者地址(用户新设备的公钥地址)
*/
async createRecoveryProposal(newOwner: string): Promise<Proposal> {
const signerAddr = await this.signer.getAddress();
console.log(`[用户 ${signerAddr}] 创建恢复提案,新所有者: ${newOwner}`);
// 发送交易:调用合约createRecoveryProposal
const tx = await this.contract.createRecoveryProposal(newOwner);
const receipt = await tx.wait(); // 等待交易确认
// 解析事件获取提案信息
const event = receipt.events?.find(
(e: any) => e.event === "ProposalCreated"
);
if (!event) throw new Error("提案创建失败,未找到事件");
const proposal: Proposal = {
proposalHash: event.args.proposalHash,
newOwner: event.args.newOwner,
timestamp: event.args.timestamp,
signatures: 0,
};
return proposal;
}
/**
* 监护人签名恢复提案
* @param proposal 待签名的提案
* @param guardianSigner 监护人的签名者(含私钥)
*/
async signProposal(
proposal: Proposal,
guardianSigner: Signer
): Promise<Proposal> {
const guardianAddr = await guardianSigner.getAddress();
// 验证是否为监护人
const isGuard = await this.isGuardian(guardianAddr);
if (!isGuard) throw new Error(`${guardianAddr} 不是监护人`);
// 1. 计算提案哈希(与合约逻辑一致)
const proposalHash = utils.keccak256(
utils.defaultAbiCoder.encode(
["address", "uint256"],
[proposal.newOwner, proposal.timestamp]
)
);
// 2. 监护人签名(EIP-191标准)
const message = utils.arrayify(proposalHash);
const signature = await guardianSigner.signMessage(message);
console.log(`[监护人 ${guardianAddr}] 签名提案,哈希: ${proposalHash}`);
// 3. 发送签名到合约
const tx = await this.contract.connect(guardianSigner).signProposal(
proposal.newOwner,
proposal.timestamp,
signature
);
const receipt = await tx.wait();
// 解析事件获取签名计数
const event = receipt.events?.find(
(e: any) => e.event === "ProposalSigned"
);
if (event) {
proposal.signatures = event.args.signatureCount;
}
return proposal;
}
/**
* 完成恢复(时间锁到期后执行)
* @param proposal 已收集足够签名的提案
*/
async finalizeRecovery(proposal: Proposal): Promise<boolean> {
const currentTime = (await this.contract.provider.getBlock("latest")).timestamp;
const timelockDelay = 259200; // 72小时(需与合约初始化参数一致)
// 检查时间锁是否到期
if (currentTime < Number(proposal.timestamp) + timelockDelay) {
throw new Error(`时间锁未到期,剩余 ${Number(proposal.timestamp) + timelockDelay - currentTime} 秒`);
}
// 检查签名数量是否达标
const signatureCount = await this.contract.recoverySignatures(proposal.proposalHash);
const recoveryThreshold = 3; // 需与合约初始化参数一致
if (signatureCount < recoveryThreshold) {
throw new Error(`签名数量不足,需 ${recoveryThreshold} 个,当前 ${signatureCount} 个`);
}
// 执行恢复
console.log(`执行恢复,新所有者: ${proposal.newOwner}`);
const tx = await this.contract.finalizeRecovery(
proposal.newOwner,
proposal.timestamp
);
await tx.wait();
return true;
}
/**
* 执行交易(日常转账)
* @param to 接收地址
* @param value 转账金额(wei)
* @param data 附加数据(如合约调用参数)
*/
async executeTransaction(
to: string,
value: bigint,
data: string = "0x"
): Promise<boolean> {
const ownerAddr = await this.getOwner();
const signerAddr = await this.signer.getAddress();
if (ownerAddr !== signerAddr) {
throw new Error(`签名者不是所有者,当前所有者: ${ownerAddr}`);
}
// 构建交易哈希并签名
const chainId = (await this.contract.provider.getNetwork()).chainId;
const txHash = utils.keccak256(
utils.defaultAbiCoder.encode(
["address", "uint256", "bytes", "uint256"],
[to, value, data, chainId]
)
);
const signature = await this.signer.signMessage(utils.arrayify(txHash));
// 发送交易
console.log(`[所有者 ${signerAddr}] 执行交易: 向 ${to} 转账 ${value} wei`);
const tx = await this.contract.executeTransaction(to, value, data, signature);
await tx.wait();
return true;
}
}
4. 使用示例(main.ts)
import { ethers } from "ethers";
import { SocialRecoveryWallet } from "./SocialRecoveryWallet";
// 模拟区块链环境(实际使用Infura/Alchemy等测试网)
const provider = new ethers.providers.JsonRpcProvider("https://rpc.ankr.com/eth_sepolia");
// 模拟用户和监护人私钥(实际中需安全存储)
const userPrivateKey = "0x5f8..."; // 用户初始私钥
const guardianKeys = [
"0x6a9...", // 监护人1私钥
"0x7b3...", // 监护人2私钥
"0x8c4...", // 监护人3私钥
"0x9d5...", // 监护人4私钥
"0xae6...", // 监护人5私钥
];
// 智能合约地址(需提前部署)
const contractAddress = "0x123...";
async function main() {
// 1. 初始化客户端(用户视角)
const userSigner = new ethers.Wallet(userPrivateKey, provider);
const wallet = new SocialRecoveryWallet(contractAddress, provider, userSigner);
console.log("当前所有者:", await wallet.getOwner());
// 2. 日常交易示例
await wallet.executeTransaction(
"0xabc...", // 接收地址
ethers.utils.parseEther("0.1") // 转账0.1 ETH
);
// 3. 模拟私钥丢失,执行社交恢复
const newOwner = "0xdef..."; // 用户新设备地址
const proposal = await wallet.createRecoveryProposal(newOwner);
// 4. 监护人签名(收集3个签名)
const guardianSigners = guardianKeys.map(k => new ethers.Wallet(k, provider));
for (let i = 0; i < 3; i++) { // 满足3-of-5门限
await wallet.signProposal(proposal, guardianSigners[i]);
}
// 5. 等待时间锁到期后完成恢复
setTimeout(async () => {
const success = await wallet.finalizeRecovery(proposal);
if (success) {
console.log("恢复成功,新所有者:", await wallet.getOwner());
}
}, 1000); // 实际中需等待72小时
}
main().catch(console.error);
核心逻辑说明
- 智能合约交互:通过
ethers.Contract调用合约方法,封装创建提案、签名、恢复等流程。 - 签名机制:
- 提案哈希由
newOwner和timestamp计算,确保唯一性。 - 监护人签名采用EIP-191标准,与合约
recover函数兼容。
- 提案哈希由
- 安全校验:
- 验证监护人身份(
isGuardian)。 - 检查时间锁延迟(防止恶意恢复)。
- 校验签名数量是否达标(
recoveryThreshold)。
- 验证监护人身份(
实际应用注意事项
- 私钥管理:示例中私钥明文存储,实际需用安全存储(如加密钱包、硬件钱包)。
- Gas优化:交易需合理设置
gasLimit和gasPrice,避免交易失败。 - 事件监听:通过监听合约事件(如
ProposalSigned)实时跟踪恢复进度。 - 多链兼容:可通过修改
provider适配不同EVM链(如Polygon、BSC)。
本文来自博客园,作者:ffffox,转载请注明原文链接:https://www.cnblogs.com/ffffox/p/18999245
浙公网安备 33010602011771号