Return-Path: Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 147CDC0177 for ; Tue, 24 Mar 2020 14:51:46 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id F194220353 for ; Tue, 24 Mar 2020 14:51:45 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2JGU1DnYw74C for ; Tue, 24 Mar 2020 14:51:44 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ot1-f53.google.com (mail-ot1-f53.google.com [209.85.210.53]) by silver.osuosl.org (Postfix) with ESMTPS id C50FC20130 for ; Tue, 24 Mar 2020 14:51:44 +0000 (UTC) Received: by mail-ot1-f53.google.com with SMTP id t28so17258230ott.5 for ; Tue, 24 Mar 2020 07:51:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=d5t1CC3OY82+eJr3LFKb7oijMWko8JYNCJYfk5p0M1Q=; b=ozSJ5uPtaafY1CFuPSaspEGV+OFhgZh2qGZcjo/xSF2jyt1Nof9nB5/G/fU8onpe8S DeMm0XTa4Amaqgbaod7bPhf1Oe0wgwBb3SHsYw6h39ZJNbwi94XJ7pQEkLzlRByeLri0 lYOSYEtrrUyQZJ6Gh22HaOlJccI1wnjt019SbIYP1fnjYzk5jbC04pt1HUzyuTd78NKw zTDvRpkvyBKElNIdejBuhJSXIArWwQEn9Cfni1CyfI1meKFQgDzOTNMsj5F9M5chzlvQ T94FTprFGLYYFy0Rln4N8m3+7kNIFSCzbwe7dcXgL5DcfANIuSJucHBwo7uDtcyAGE9Q K2/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=d5t1CC3OY82+eJr3LFKb7oijMWko8JYNCJYfk5p0M1Q=; b=Sh0mTM9FniU/SOTHU3PgWtnNv7/Mmf/IELrOh1FNQ82hp4xMOYfAOJYC5uvZ9AJaGm Y+HXIbM7PdivKKvOiDhn6FhwPNV3RuKcjO8JKzQvLZBxq7NQ0B8kSjY5/vkmDXqNGFd5 xqqfxGJ6bAcWVHXfmM6c/2tRPZIg6vxwAUDoMs+1lFy1XGLhhHLVxFfjwlE9FyvlbUc6 A/Xy3auJo+DabEUBvjd4IS5sEwdY4R8cvBo3sAM/fGZ3UWSr368hE7dk8a7fmhQ10SeP oDkMCwUkj5siS8PP8H+R3NEr7TlFTtv1RXakq4wXPaDy5fMgNcZ8s+UMr/vOpmg9/vfV cPcQ== X-Gm-Message-State: ANhLgQ1PwycyGCJgXAiBveCzoXJYjeplklNOxbAN+Mxz8d2kTzPo9sHK s2FtYSL34s8O2e81NQEwESPGLiS/AzvVmfhaugQ= X-Google-Smtp-Source: ADFU+vsek+n9c6MV+0JbX38RIMfAMELfYds4n+B9tBObq9HmFKfaiaSWNf/lkULQaHGhuwQwzJRaaGeR7tnvFVoD67M= X-Received: by 2002:a05:6830:2428:: with SMTP id k8mr2436404ots.345.1585061503721; Tue, 24 Mar 2020 07:51:43 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Dustin Dettmer Date: Tue, 24 Mar 2020 07:51:32 -0700 Message-ID: To: Tim Ruffing Content-Type: multipart/alternative; boundary="000000000000e085ba05a19ae3e9" X-Mailman-Approved-At: Tue, 24 Mar 2020 15:01:16 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Overview of anti-covert-channel signing techniques X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Mar 2020 14:51:46 -0000 --000000000000e085ba05a19ae3e9 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Tim, Hm, so what vectors is this supposed to mitigate? Leaking through the > generated public keys? Anything else? The main thing it=E2=80=99s protecting against is the stealing of your fund= s by malicious hardware & software. There are some side benefits as well though. - What are you trying to achieve? You seem to describe how you get > from the setup to the goal in four steps but I don't understand what > the setup is or what the goal is. (What's a storage solution?) =E2=80=9CStorage solution=E2=80=9D is however you=E2=80=99re storing bitcoi= ns today. Could be 12 words on some paper plus a computer running electrum. Could be a Ledger + computer. Point is this technique works regardless of how you=E2=80=99re st= oring your bitcoin. - "all SW being compromised" do you mean "SW and HW compromised"? Note > that SW and HW are parties in Pieter's writeup, not just abbreviations > for software and hardware. Yeah =E2=80=94 if you split the SW party into two, =E2=80=9Cgenerator=E2=80= =9D and =E2=80=9Cvalidator=E2=80=9D some interesting and useful security properties emerge. - Where are the two stages? You mention four steps. =E2=80=9CGenerator=E2=80=9D and =E2=80=9Cvalidator=E2=80=9D. The generator = creates and passes on receiving addresses and withdrawal transactions (while remaining offline). The validator double checks everything the generator did.. It works best if the validator is written entirely independently of the generator. - Where do you run the external software? On a second SW? Is this the > second stage? Yes - Do you use unhardened derivation? It=E2=80=99s an open ended solution =E2=80=94 it would work with a (presuma= bly non-trivial/random) unhardened derivation just fine. - What's a k commitment? It is one of the proposed solutions presented (collected?) by Peter in this thread. As I understand it k is used to generate R in the signature. By committing to some k value the hardware wallet can=E2=80=99t =E2=80=9Csneak= out=E2=80=9D your private key(s) in the R value. Best, Dustin > --000000000000e085ba05a19ae3e9 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Tim,

=
Hm, so what vecto= rs is this supposed to mitigate? Leaking through the
generated public keys? Anything else?

The main thing it=E2=80=99s protecting against is the = stealing of your funds by malicious hardware & software. There are some= side benefits as well though.

=C2=A0- What are you trying to achieve? You seem to= describe how you get
from the setup to the goal in four steps but I don't understand what the setup is or what the goal is. (What's a storage solution?)

=E2=80=9CStorage solution= =E2=80=9D is however you=E2=80=99re storing bitcoins today. Could be 12 wor= ds on some paper plus a computer running electrum. Could be a Ledger + comp= uter. Point is this technique works regardless of how you=E2=80=99re storin= g your bitcoin.

=C2=A0- "all SW being compromised" do you mean "SW and HW co= mpromised"? Note
that SW and HW are parties in Pieter's writeup, not just abbreviations<= br> for software and hardware.

Yeah =E2=80=94 if you split the SW party into two, =E2=80=9Cgene= rator=E2=80=9D and =E2=80=9Cvalidator=E2=80=9D some interesting and useful = security properties emerge.

=C2=A0- Where are the two stages? You mention four steps.

=E2=80=9CGenerator=E2=80=9D and = =E2=80=9Cvalidator=E2=80=9D. The generator creates and passes on receiving = addresses and withdrawal transactions (while remaining offline). The valida= tor double checks everything the generator did..
It works best if the validator is written entirely= independently of the generator.

=C2=A0- Where do you run the external software? On a second SW? Is this the=
second stage?

Yes=

=C2=A0- Do you use unhardened derivation?
It=E2=80=99s an open ended solution =E2=80=94 it w= ould work with a (presumably non-trivial/random) unhardened derivation just= fine.

=C2=A0- What's a k commitment?

=
It is one of the proposed solutions presented (collected?= ) by Peter in this thread. As I understand it k is used to generate R in th= e signature. By committing to some k value the hardware wallet can=E2=80=99= t =E2=80=9Csneak out=E2=80=9D your private key(s) in the R value.

Best,
Dust= in
--000000000000e085ba05a19ae3e9--