Key Management (voting pools)
Secure Key Creation
Each server in the pool requires an offline, air-gapped machine for key generation, called a key server. It is equipped with either a dedicated, non-networked printer or a CD-R drive. No media of any kind is ever allowed to cross the air gap in the online-to-offline direction.
The key server generates random BIP32 seeds in batches (default: 52, or enough for one year). When a batch is created, it prints the xpubs (extended public keys) for all 52 seeds on paper as QR codes (alternatively, it writes them to a virgin CD-R, which is discarded after a single use). This paper is then carried by hand to the auditing server and scanned. The auditing server adds each xpub to the keyset definition.
At the same time, the key server also prints two redundant copies of the QR codes containing the xprivs (extended private keys), one per page (or one per CD), which the service should hold in some physically secure fashion and back up securely. Individual services do not all need to take extraordinary measures to protect the private keys from physical destruction, since the pool can tolerate a loss of keys that involves fewer than (n-m) members. One copy held in an offsite location with another copy held on site is sufficient.
Xprivs are loaded into the auditing server in series number order to create the hot series. Each participant in the pool should have a method of being notified when the hot series is close to being exhausted so that an employee can be instructed to load the next xpriv into the auditing server.
New key batches should be generated early, before the old batch is consumed (default: 75% used). If for any reason one of the participants is late and does not generate a new batch on time, the last defined series number is used for accepting deposits until the administrators of the other pool members can correct the situation.
The key server must also be equipped with a scanner. Prior to putting any keys into service, they must be validated.
The key server will create the first one million public and private keypairs from each seed in the batch, sign a nonce with each private key and verify the signature with the corresponding public key.
Then the user will scan in the printed public and private keys, and the key server will verify that the scanned versions match the original versions and repeat the million-keypair test.
Both versions of the test must match identically before placing any of the keys into service.
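The validation procedure above, sketched in pure Python as an added example (not code from the original page or the project): child private keys are derived from the xpriv, the matching public keys are derived from the xpub alone, a random nonce is signed and verified, and a digest of the derived public keys lets the original and scanned runs be compared. Assumptions: keys are non-hardened children directly under the master key, the xpub and xpriv are already decoded to (key, chain code) pairs, all function names are hypothetical, and BIP32's rare invalid-child checks and RFC 6979 nonce derivation are omitted.

```python
import hashlib, hmac, os

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt=G):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def ser(pt):  # compressed SEC1 encoding (serP in BIP32)
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")
def tweak(chain, pub, index):  # BIP32 I_L for non-hardened child `index`
    mac = hmac.new(chain, ser(pub) + index.to_bytes(4, "big"), hashlib.sha512)
    return int.from_bytes(mac.digest()[:32], "big")

def sign(d, z, k):  # textbook ECDSA over digest z with per-signature secret k
    r = mul(k)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N
def verify(q, z, sig):
    w = pow(sig[1], -1, N)
    pt = add(mul(z * w % N), mul(sig[0] * w % N, q))
    return pt is not None and pt[0] % N == sig[0]

def keypair_test(xpriv, xpub, count):
    """Return (failed signatures, digest of derived pubkeys) for children 0..count-1."""
    (k_par, c_priv), (pub_par, c_pub) = xpriv, xpub
    own_pub, failures, digest = mul(k_par), 0, hashlib.sha256()
    for index in range(count):
        priv = (tweak(c_priv, own_pub, index) + k_par) % N     # CKDpriv, needs xpriv
        pub = add(mul(tweak(c_pub, pub_par, index)), pub_par)  # CKDpub, xpub only
        z = int.from_bytes(hashlib.sha256(os.urandom(32)).digest(), "big")  # hashed nonce
        k = int.from_bytes(hashlib.sha256(b"%064x%064x" % (priv, z)).digest(), "big") % N or 1
        failures += not verify(pub, z, sign(priv, z, k))
        digest.update(ser(pub))
    return failures, digest.hexdigest()
```

Run it once on the generated keys and once on the scanned keys: both runs must report zero failures and the same digest. Pure-Python curve arithmetic is far too slow for a million keys per seed, so a production key server would use a vetted secp256k1 library.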