From: Dustin Dettmer <dustinpaystaxes@gmail•com>
To: Tim Ruffing <crypto@timruffing•de>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Overview of anti-covert-channel signing techniques
Date: Tue, 24 Mar 2020 07:51:32 -0700 [thread overview]
Message-ID: <CABLeJxT6aZxrFn4apHOrELcdo37iGhmwsLH-BJxNb4Sbhotbog@mail.gmail.com> (raw)
In-Reply-To: <c182227876c47f476000b0b54618dac73e45a03f.camel@timruffing.de>
[-- Attachment #1: Type: text/plain, Size: 1997 bytes --]
Hi Tim,
Hm, so what vectors is this supposed to mitigate? Leaking through the
> generated public keys? Anything else?
The main thing it’s protecting against is the stealing of your funds by
malicious hardware & software. There are some side benefits as well though.
- What are you trying to achieve? You seem to describe how you get
> from the setup to the goal in four steps but I don't understand what
> the setup is or what the goal is. (What's a storage solution?)
“Storage solution” is however you’re storing bitcoins today. Could be 12
words on some paper plus a computer running electrum. Could be a Ledger +
computer. Point is this technique works regardless of how you’re storing
your bitcoin.
- "all SW being compromised" do you mean "SW and HW compromised"? Note
> that SW and HW are parties in Pieter's writeup, not just abbreviations
> for software and hardware.
Yeah — if you split the SW party into two, “generator” and “validator” some
interesting and useful security properties emerge.
- Where are the two stages? You mention four steps.
“Generator” and “validator”. The generator creates and passes on receiving
addresses and withdrawal transactions (while remaining offline). The
validator double checks everything the generator did..
It works best if the validator is written entirely independently of the
generator.
- Where do you run the external software? On a second SW? Is this the
> second stage?
Yes
- Do you use unhardened derivation?
It’s an open ended solution — it would work with a (presumably
non-trivial/random) unhardened derivation just fine.
- What's a k commitment?
It is one of the proposed solutions presented (collected?) by Peter in this
thread. As I understand it k is used to generate R in the signature. By
committing to some k value the hardware wallet can’t “sneak out” your
private key(s) in the R value.
Best,
Dustin
>
[-- Attachment #2: Type: text/html, Size: 3604 bytes --]
prev parent reply other threads:[~2020-03-24 14:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-03 21:35 Pieter Wuille
2020-03-21 13:34 ` Tim Ruffing
2020-03-21 16:59 ` Russell O'Connor
2020-03-22 9:43 ` Tim Ruffing
2020-03-22 15:30 ` Russell O'Connor
2020-03-22 15:38 ` Tim Ruffing
2020-03-21 20:29 ` Marko Bencun
2020-03-23 14:38 ` Dustin Dettmer
2020-03-24 7:49 ` Tim Ruffing
2020-03-24 14:51 ` Dustin Dettmer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABLeJxT6aZxrFn4apHOrELcdo37iGhmwsLH-BJxNb4Sbhotbog@mail.gmail.com \
--to=dustinpaystaxes@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=crypto@timruffing$(echo .)de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox