With the recent rise of cryptocurrencies' popularity, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users and providers, which have resulted in significant financial losses. To remedy these issues, several wallet solutions have been proposed. However, these solutions often lack essential security features or usability, or do not allow users to customize their spending rules. In this paper, we propose SmartOTPs, a smart-contract wallet framework that gives a flexible, usable, and secure way of managing crypto-tokens in a self-sovereign fashion. The proposed framework consists of four components (i.e., an authenticator, a client, a hardware wallet, and a smart contract), and it provides 2-factor authentication (2FA) performed in two stages of interaction with the blockchain. To the best of our knowledge, our framework is the first one that utilizes one-time passwords (OTPs) in the setting of the public blockchain. In SmartOTPs, the OTPs are aggregated by a Merkle tree and hash chains whereby for each authentication only a short OTP (e.g., 16B-long) is transferred from the authenticator to the client. Such a novel setting enables us to make a fully air-gapped authenticator by utilizing small QR codes or a few mnemonic words, while additionally offering resilience against quantum cryptanalysis. We have made a proof-of-concept based on the Ethereum platform. Our cost analysis shows that the average cost of a transfer operation is comparable to existing 2FA solutions using smart contracts with multi-signatures.
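The aggregation of OTPs by a Merkle tree and hash chains can be sketched as follows. This is an added example, not the paper's code or exact construction: the derivation of OTPs from a seed, the function names, and the use of SHA-256 truncated to 16 B are assumptions made for illustration.

```python
import hashlib

OTP_LEN = 16  # bytes, the short OTP size mentioned in the abstract

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 truncated to 16 B stands in for the wallet's hash.
    return hashlib.sha256(data).digest()[:OTP_LEN]

def chain(value: bytes, times: int) -> bytes:
    for _ in range(times):
        value = h(value)
    return value

def otp(seed: bytes, leaf: int, pos: int, chain_len: int) -> bytes:
    """OTP number `pos` (0-based) under `leaf`; later OTPs sit earlier in the chain."""
    start = h(seed + leaf.to_bytes(4, "big"))
    return chain(start, chain_len - 1 - pos)

def build_tree(seed: bytes, n_leaves: int, chain_len: int) -> list:
    """Tree levels, leaves first; n_leaves must be a power of two.
    Each leaf is the end of one hash chain, so it covers chain_len OTPs."""
    level = [chain(h(seed + i.to_bytes(4, "big")), chain_len) for i in range(n_leaves)]
    levels = [level]
    while len(level) > 1:
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def proof(levels: list, leaf: int) -> list:
    """Sibling hashes from leaf to root; built from public data only."""
    path = []
    for level in levels[:-1]:
        path.append(level[leaf ^ 1])
        leaf //= 2
    return path

def verify(root: bytes, candidate: bytes, leaf: int, pos: int, path: list) -> bool:
    """Verifier side: hash the OTP forward to its leaf, then up to the stored root."""
    node = chain(candidate, pos + 1)
    for sibling in path:
        node = h(node + sibling) if leaf % 2 == 0 else h(sibling + node)
        leaf //= 2
    return node == root
```

In this sketch, hashing a released OTP forward yields every OTP at a lower position in the same chain, so a verifier also has to track the last accepted index and reject anything at or below it.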