public inbox for bitcoindev@googlegroups.com
From: Timo Hanke <timo.hanke@web•de>
To: Thomas Voegtlin <thomasv1@gmx•de>
Cc: bitcoin-development@lists•sourceforge.net
Subject: Re: [Bitcoin-development] Proposal to replace BIP0039
Date: Sun, 3 Nov 2013 01:41:11 -0500
Message-ID: <20131103064111.GI16611@crunch>
In-Reply-To: <5274C99A.8060304@gmx.de>

On Sat, Nov 02, 2013 at 10:44:58AM +0100, Thomas Voegtlin wrote:
> 
> >To be specific, we (in cooperation with / inspired by Timo Hanke)
> >developed method how to prove that the seed generated by Trezor
> >has been created using combination of computer-provided entropy
> >and device-provided entropy, without leaking full private
> >information to other computer, just because we want Trezor to be
> >blackbox-testable and fully deterministic (seed generation is
> >currently the only operation which uses any source of RNG).
> >
> 
> Thanks for the explanation. Here is how I understand how it works,
> please correct me if I'm wrong:
> 
> The user's computer picks a random number a, the Trezor picks a
> random number b.
> Trezor adds a and b in the secp256k1 group, and this creates a
> master private key k.
> Trezor sends the corresponding master public key K to the computer.
> Thus, the computer can check that K was derived from a, without knowing b.

No. You mean the computer would use B for this check? 
(k,K) could be rigged by Trezor, who computes b as k-a.

Timo

> This also allows the computer to check that any bitcoin address
> derived from K is derived from a, without leaking b. (and
> reciprocally)
> 
> However, it seems to me that this property will work only with bip32
> public derivations; if a private derivation is used, don't you need
> to know k?
> 
> 
> 

-- 
Timo Hanke
PGP 1EFF 69BC 6FB7 8744 14DB  631D 1BB5 D6E3 AB96 7DA8
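Added example, not part of the thread or of any Trezor code: a small Python model of the a+b seed protocol Thomas describes and of Timo's objection, with secp256k1 arithmetic written out so it runs without dependencies. The function names, the sample scalars, and the hash-commitment step at the end (Trezor publishing H(B) before it learns a) are my own assumptions, added to show what closes the gap Timo points at.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    # affine point addition on secp256k1; None stands for the point at infinity
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt=G):
    # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def honest_trezor(a, b):
    # k = a + b mod n; Trezor reveals B = b*G and K = k*G
    return mul(b), mul((a + b) % N)

def rigged_trezor(a, k):
    # Timo's objection: a Trezor that fixed k after seeing a sets b = k - a, so B = K - a*G
    return mul((k - a) % N), mul(k)

def computer_check(a, B, K):
    # the computer's check needs B, not just K: K must equal a*G + B
    return add(mul(a), B) == K

def commitment(B):
    # hypothetical defence (not in the thread): Trezor sends H(B) before learning a, so b cannot depend on a
    return hashlib.sha256(b"".join(c.to_bytes(32, "big") for c in B)).digest()

def committed_check(a, B, K, c):
    return commitment(B) == c and computer_check(a, B, K)
```

With the sample scalars below, `computer_check` passes for the rigged Trezor as well as the honest one, which is exactly Timo's point; only the committed variant rejects it.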


