Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id CF020E8A for ; Sat, 13 Jan 2018 02:11:13 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from APC01-HK2-obe.outbound.protection.outlook.com (mail-oln040092255021.outbound.protection.outlook.com [40.92.255.21]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 93595D0 for ; Sat, 13 Jan 2018 02:11:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=live.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=DvALsYBqhEMUPqGHIaSGSm1gCvGkRNMTlNq90FDwVlo=; b=dRW2IYCfxD0KEtdoCL29+2WTmdeZE1uKynYMjK6RJTDUdAXNSVYTcono0yQ6RuAjjCHAwBezpVEg3wjzivXdeHiKRdAm/y9kKkJH4Uk3kPowwdwRK8Gcgrdv3KktClJzf5RZhfDD0NErwSJ2BlPQqJSyGhAzyls/ThL2vEB+39ywesDQa1hF7EHWgHLdoz+gq9oslhKCtbEa82XSjnHFp50R1GGSmUVOD63OGv2PEddWXhF169jBae+6o3C8BjurqNjVI6lEi/c7CO6AmQ5zEIVXrk9xVIKbRdDEa9XNwsZxTkObjPA3KzUy/MWyUitSmCSNF1oKKc1O0o5Q8SDUEQ== Received: from HK2APC01FT035.eop-APC01.prod.protection.outlook.com (10.152.248.54) by HK2APC01HT100.eop-APC01.prod.protection.outlook.com (10.152.248.251) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.302.6; Sat, 13 Jan 2018 02:11:09 +0000 Received: from PS2P216MB0179.KORP216.PROD.OUTLOOK.COM (10.152.248.52) by HK2APC01FT035.mail.protection.outlook.com (10.152.248.182) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.345.19 via Frontend Transport; Sat, 13 Jan 2018 02:11:09 +0000 Received: from PS2P216MB0179.KORP216.PROD.OUTLOOK.COM ([10.171.225.19]) by PS2P216MB0179.KORP216.PROD.OUTLOOK.COM ([10.171.225.19]) with mapi id 15.20.0407.009; Sat, 13 Jan 2018 02:11:09 +0000 From: Damian Williamson To: nullius , Bitcoin Protocol Discussion Thread-Topic: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret shared private key scheme) Thread-Index: AQHTi7XyOL4NDlZYiUOH4MIN2TDy66NxDwIt Date: Sat, 13 Jan 2018 02:11:08 +0000 Message-ID: References: <20180109011335.GA22039@savin.petertodd.org> <274aad5c-4573-2fdd-f8b0-c6c2d662ab7c@gibsonic.org> <20180112095058.GA9175@savin.petertodd.org>, <3b45c17a256326b6b183587d9d15690c@nym.zone> In-Reply-To: <3b45c17a256326b6b183587d9d15690c@nym.zone> Accept-Language: en-AU, en-US Content-Language: en-AU X-MS-Has-Attach: X-MS-TNEF-Correlator: x-incomingtopheadermarker: OriginalChecksum:70763BC61684C952FA189048988F42BB59FDB6DDDF39F06338B1E6ECB2624699; UpperCasedChecksum:DCC2C090462BEB07ED3C94844688AD4476BD77C0CE99C2FD85BAE75B717CD9FD; SizeAsReceived:7578; Count:46 x-ms-exchange-messagesentrepresentingtype: 1 x-tmn: [7veiwha2tpjGZETERmic9q+AN4kfe99m] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; HK2APC01HT100; 6:ZrwWjRqAcS7oOyHJn6HilXJyjRYlCjHaRAp188qoUNPopRgYHh38qb/zlGCLkiCXUgZo+PdcV79NOk8cHZScCDPxC2K7zHn5000ky369a98k2SsY103QBUm7rC+WQJKdmgeDbuDaejLrKnvow1/nWPqWyt36Djh03B2v1eUdR2UGQqTMLja7BolK0rCMjP2ItOGFHPeN6gD+zasnUsHTWzFPQN80yHcTrdyy5SijZKNIX3RC7XA9WSBAucHs8incpG1LWoue2mLijMPlvE5YKQMHAP3iR7aDlzF2+HxGVObj0jVI8z552tu63Vv+0WCuQ/cv3/+yUebCIXEiRYgfo0eD3Fm9NIj1hq28q9FruGA=; 5:6CPy0GCeWvmMaks21Wb3XwVm3UV9SPc7opt/IY9dYkFseh6RazdizAd83fHphHR/HeY2IM57QF3g/ZvEa8GSO8ZXEWur/v3cOGeK1fZEVK3byzFcmcUbVxqy8ofwnimuZR6banyU0HvA2QhriQSuXxBuplbATmF+o8VEIy/dWuw=; 24:wyYIOz5pdfMHa2ls/Ra5y9ja7xpD0fKXcEuOxAYXCqlYmlGd2KsGDpDuhlPcnhj7nZQjAOmOYGO+a+ngok1lDYKskKqnivkwXVQyYTSIORw=; 7:Q0MTwASLBEoefRf/viu7/L7iHJJrlDsW3HgDg2CVRgsG2H2tY6phTY9MBaPw+5jmIGfDdErfRX9xqWnu5uS4D8vidAJtPH47H4YqNpfWr2IZKeWZNcxr/yWqMCPqkws45Ng/W6bcc7rbwqp3KMdwRenpEKiEX9ioayDwQ3dVnkrnTyYESdKmNqWWlSsQG2k5/EQNpdomDxP+eiy+74wOIpP3XYS4xeDj8pgMgdVZiv2Pi5aYeCjTaoZsgUbQKC3r x-incomingheadercount: 46 x-eopattributedmessage: 0 x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020090)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125374)(1701031045); SRVR:HK2APC01HT100; x-ms-traffictypediagnostic: HK2APC01HT100: x-ms-office365-filtering-correlation-id: 45d0f5f1-0150-45e5-bba4-08d55a2ae92e x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:HK2APC01HT100; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:HK2APC01HT100; x-forefront-prvs: 05514B7026 x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:HK2APC01HT100; H:PS2P216MB0179.KORP216.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_" MIME-Version: 1.0 X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 45d0f5f1-0150-45e5-bba4-08d55a2ae92e X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2018 02:11:08.9604 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK2APC01HT100 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 13 Jan 2018 04:18:45 +0000 Subject: Re: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret shared private key scheme) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Jan 2018 02:11:13 -0000 --_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_ Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable The same problems exist for users of whole disk encrypted operating systems= . Once the device (or, the initial password authentication) is found, the a= dversary knows that there is something to see. The objective of plausible d= eniability is to present some acceptable (plausible) alternative while keep= ing the actual hidden (denied). If the adversary does not believe you, you do indeed risk everything. Regards, Damian Williamson ________________________________ From: bitcoin-dev-bounces@lists.linuxfoundation.org on behalf of nullius via bitcoin-dev Sent: Friday, 12 January 2018 10:06:33 PM To: Peter Todd; Bitcoin Protocol Discussion Subject: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret shared= private key scheme) On 2018-01-12 at 09:50:58 +0000, Peter Todd wrote: >On Tue, Jan 09, 2018 at 12:43:48PM +0000, Perry Gibson wrote: >>>Trezor's "plausible deniability" scheme could very well result in you >>>going to jail for lying to border security, because it's so easy for >>>them to simply brute force alternate passwords based on your seeds. >>>With that, they have proof that you lied to customs, a serious >>>offense. >>The passphrase scheme as I understand it allows a maximum of 50 >>characters to be used. Surely even with the HD seed, that search >>space is too large to brute force. Or is there a weakness in the >>scheme I haven't clocked? > >While passphrases *can* be long, most user's aren't going to understand >the risk. For example, Trezors blog(1) doesn't make it clear that the >passphrases could be bruteforced and used as evidence against you, and >even suggests the contrary: [...quote...] I despise the term =93plausible deniability=94; and that=92s really the wro= ng term to use in this discussion. =93Plausible deniability=94 is a transparent excuse for explaining away an indisputable fact which arouses suspicion=97when you got some serious =92splain=92 to do. This is usually used in the context of some pseudolega= l argument about introducing =93reasonable doubt=94, or even making =93probab= le cause=94 a wee bit less probable. =93Why yes, officer: I was seen carrying an axe down the street near the site of an axe murder, at approximately the time of said axe murder. But I do have a fireplace; so it is plausible that I was simply out gathering wood.=94 I rather suspect the concept of =93plausible deniability=94 of having been invented by a detective or agent provocateur. There are few concepts more useful for helping suspects shoot themselves in the foot, or frankly, for entrapping people. One of the worst examples I have seen is in discussions of Monero, whereby I=92ve seen proponents claim that even under the worst known active attacks, their mix scheme reduces transaction linking to a maximum of 20=9640% probability. =93That=92s not good enough to convince a jury!=94 No, but it is certainly adequate for investigators to identify you as a person of interest. Then, your (mis)deeds can be subjected to powerful confirmation attacks based on other data; blockchains do not exist in isolation. I usually stay out of such discussions; for I have no interest in helping the sorts of people whose greatest concern in life is what story to foist on a jury. In the context of devices such as Trezor, what is needed is not =93plausible deniability=94, but rather the ability to obviate any need to deny anything at all. I must repeat, information does not exist in isolation. If you are publicly known to be deepy involved in Bitcoin, then nobody will believe that your one-and-only wallet contains only 0.01 BTC. That=92s not even =93plausible=94. But if you have overall privacy practic= es which leave nobody knowing or suspecting that you have any Bitcoin at all, then there is nothing to =93deny=94; and should a Trezor with (supposedly) 0.01 BTC be found in your possession, that=92s much better than =93plausible=94. It=92s completely unremarkable. Whereas if you are known or believed to own large amounts of BTC, a realistic bad guy=92s response to your =93decoy=94 wallet could be, =93I do= n=92t believe you; and it costs me nothing to keep beating you with rubber hose until you tell me the *real* password.=94 It could be worse, too. In a kidnapping scenario, the bad guys could say, =93I don=92t believe you. Hey, I also read Trezor=92s website about =91plausible deniability=92. Now, I will maim your kid for life just to test whether you told me the *real* password. And if you still don=92t tell me the real password after you see that little Johnny can no longer walk, then I will kill him.=94 The worst part is that you have no means of proving that you really *did* give the real password. Indeed, it can be proved if you=92re lying by finding a password which reveals a hidden wallet=97but *you* have no means of affirmatively proving that you are telling the truth! If the bad guys overestimated your riches (or if they=92re in a bad mood), then little Johnny is dead either way. In a legalistic scenario, if =93authorities=94 believe you have 1000 BTC an= d you only reveal a password for 0.01 BTC, the likely response will not be to let you go. Rather, =93You will now sit in jail until you tell the *real* password.=94 And again: You have no means of proving that you did give the real password! =93Plausible deniability=94 schemes can backfire quite badly. >Also note how this blog doesn't mention anti-forensics: the wallet >software itself may leave traces of the other wallets on the computer. >Have they really audited it sufficiently to be sure this isn't the >case? What about data obtained via the network? I don=92t *only* refer to dragnet surveillance. See for but one e.g., Goldfelder, et al., =93When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies=94 https://arxiv.org/abs/1708.04748 Your identity can be tied to your wallet all sorts of ways, any of which could be used to prove that you have more Bitcoin than you=92re revealing. Do you know what databases of cross-correlated analysis data customs agents have immediate access to nowadays=97or will, tomorrow? I don=92t. In the scenario under discussion, that may not immediately prove =93beyond a reasonable doubt=94 that you lied specifically about your Trezor. But it could give plenty of cause to keep you locked up in a small room while your hard drive is examined for evidence that Trezor apps handled *addresses already known to be linked to you*. Why even bother with bruteforce? Low-hanging fruit abound. >1) https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphras= es-f2e0834026eb -- nullius@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested: 3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG) (PGP RSA: 0x36EBB4AB699A10EE) =93=91If you=92re not doing anything wrong, you have nothing to hide.=92 No! Because I do nothing wrong, I have nothing to show.=94 =97 nullius --_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_ Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable

The same problems exist for users= of whole disk encrypted operating systems. Once the device (or, the initia= l password authentication) is found, the adversary knows that there is some= thing to see. The objective of plausible deniability is to present some acceptable (plausible) alternative while ke= eping the actual hidden (denied).


If the adversary does not believe= you, you do indeed risk everything.


Regards,

Damian Williamson


From: bitcoin-dev-bounces@l= ists.linuxfoundation.org <bitcoin-dev-bounces@lists.linuxfoundation.org&= gt; on behalf of nullius via bitcoin-dev <bitcoin-dev@lists.linuxfoundat= ion.org>
Sent: Friday, 12 January 2018 10:06:33 PM
To: Peter Todd; Bitcoin Protocol Discussion
Subject: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret= shared private key scheme)
 
On 2018-01-12 at 09:50:58 +0000, Peter Todd &l= t;pete@petertodd.org> wrote:
>On Tue, Jan 09, 2018 at 12:43:48PM +0000, Perry Gibson wrote:
>>>Trezor's "plausible deniability" scheme could very we= ll result in you
>>>going to jail for lying to border security, because it's so eas= y for
>>>them to simply brute force alternate passwords based on your se= eds. 
>>>With that, they have proof that you lied to customs, a serious =
>>>offense.
>>The passphrase scheme as I understand it allows a maximum of 50 >>characters to be used.  Surely even with the HD seed, that sea= rch
>>space is too large to brute force.  Or is there a weakness in = the
>>scheme I haven't clocked?
>
>While passphrases *can* be long, most user's aren't going to understand=
>the risk. For example, Trezors blog(1) doesn't make it clear that the <= br> >passphrases could be bruteforced and used as evidence against you, and =
>even suggests the contrary:  [...quote...]

I despise the term =93plausible deniability=94; and that=92s really the wro= ng
term to use in this discussion.

=93Plausible deniability=94 is a transparent excuse for explaining away an =
indisputable fact which arouses suspicion=97when you got some serious
=92splain=92 to do.  This is usually used in the context of some pseud= olegal
argument about introducing =93reasonable doubt=94, or even making =93probab= le
cause=94 a wee bit less probable.

=93Why yes, officer:  I was seen carrying an axe down the street near = the
site of an axe murder, at approximately the time of said axe murder.  =
But I do have a fireplace; so it is plausible that I was simply out
gathering wood.=94

I rather suspect the concept of =93plausible deniability=94 of having been =
invented by a detective or agent provocateur.  There are few concepts =
more useful for helping suspects shoot themselves in the foot, or
frankly, for entrapping people.

One of the worst examples I have seen is in discussions of Monero,
whereby I=92ve seen proponents claim that even under the worst known
active attacks, their mix scheme reduces transaction linking to a
maximum of 20=9640% probability.  =93That=92s not good enough to convi= nce a
jury!=94  No, but it is certainly adequate for investigators to identi= fy
you as a person of interest.  Then, your (mis)deeds can be subjected t= o
powerful confirmation attacks based on other data; blockchains do not
exist in isolation.  I usually stay out of such discussions; for I hav= e
no interest in helping the sorts of people whose greatest concern in
life is what story to foist on a jury.

In the context of devices such as Trezor, what is needed is not
=93plausible deniability=94, but rather the ability to obviate any need to =
deny anything at all.  I must repeat, information does not exist in isolation.

If you are publicly known to be deepy involved in Bitcoin, then nobody
will believe that your one-and-only wallet contains only 0.01 BTC.  That=92s not even =93plausible=94.  But if you have overall privacy pr= actices
which leave nobody knowing or suspecting that you have any Bitcoin at
all, then there is nothing to =93deny=94; and should a Trezor with
(supposedly) 0.01 BTC be found in your possession, that=92s much better than =93plausible=94.  It=92s completely unremarkable.

Whereas if you are known or believed to own large amounts of BTC, a
realistic bad guy=92s response to your =93decoy=94 wallet could be, =93I do= n=92t
believe you; and it costs me nothing to keep beating you with rubber
hose until you tell me the *real* password.=94

It could be worse, too.  In a kidnapping scenario, the bad guys could =
say, =93I don=92t believe you.  Hey, I also read Trezor=92s website ab= out
=91plausible deniability=92.  Now, I will maim your kid for life just = to
test whether you told me the *real* password.  And if you still don=92= t
tell me the real password after you see that little Johnny can no longer walk, then I will kill him.=94

The worst part is that you have no means of proving that you really
*did* give the real password.  Indeed, it can be proved if you=92re ly= ing
by finding a password which reveals a hidden wallet=97but *you* have no means of affirmatively proving that you are telling the truth!  If the=
bad guys overestimated your riches (or if they=92re in a bad mood), then little Johnny is dead either way.

In a legalistic scenario, if =93authorities=94 believe you have 1000 BTC an= d
you only reveal a password for 0.01 BTC, the likely response will not be to let you go.  Rather, =93You will now sit in jail until you tell the=
*real* password.=94  And again:  You have no means of proving tha= t you did
give the real password!

=93Plausible deniability=94 schemes can backfire quite badly.

>Also note how this blog doesn't mention anti-forensics: the wallet
>software itself may leave traces of the other wallets on the computer.&= nbsp;
>Have they really audited it sufficiently to be sure this isn't the
>case?

What about data obtained via the network?  I don=92t *only* refer to <= br> dragnet surveillance.  See for but one e.g., Goldfelder, et al., =93Wh= en
the cookie meets the blockchain:  Privacy risks of web payments via cryptocurrencies=94 https://ar= xiv.org/abs/1708.04748  Your identity can be
tied to your wallet all sorts of ways, any of which could be used to
prove that you have more Bitcoin than you=92re revealing.  Do you know=
what databases of cross-correlated analysis data customs agents have
immediate access to nowadays=97or will, tomorrow?  I don=92t.

In the scenario under discussion, that may not immediately prove =93beyond =
a reasonable doubt=94 that you lied specifically about your Trezor.  B= ut
it could give plenty of cause to keep you locked up in a small room
while your hard drive is examined for evidence that Trezor apps handled *addresses already known to be linked to you*.  Why even bother with <= br> bruteforce?  Low-hanging fruit abound.

>1) https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphrases-f= 2e0834026eb

--
nullius@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
=93=91If you=92re not doing anything wrong, you have nothing to hide.=92 No!  Because I do nothing wrong, I have nothing to show.=94 =97 nulliu= s
--_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_--