Return-Path: Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 89248C0177 for ; Sun, 22 Mar 2020 15:30:47 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 7492386BC4 for ; Sun, 22 Mar 2020 15:30:47 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qdxg9Ii2N5Y1 for ; Sun, 22 Mar 2020 15:30:46 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail-il1-f170.google.com (mail-il1-f170.google.com [209.85.166.170]) by whitealder.osuosl.org (Postfix) with ESMTPS id 42DF786B50 for ; Sun, 22 Mar 2020 15:30:46 +0000 (UTC) Received: by mail-il1-f170.google.com with SMTP id r5so6005279ilq.6 for ; Sun, 22 Mar 2020 08:30:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YXCwgZLKTVpyh+lSIwEFp3d+m5mBWSekTJeynsdZmUU=; b=Omote9xsS73DtmRU4+gnNEULT5opH0ItT2QpE+35ytx2ZBszQxtSpXwYNEr4728i5V U3I4BpYuvjtC9H8Dobt7c/srF6lGMTTWWONaI/A3WEP4yZ3Y4swOJb4mIkv07yR2do3x bPPChF9kANJcSaf+iVib/sZ5czZ7ldLSGO2zpaHR+qtxlgZXK7ex7otcptOhSRTcWJ8b EwEofcnA9ioZTaiT0fH3hmvHBVU5PBPYm8xrSqH4YSWpUMkyEy/1QGnQtSyQkI1I5INJ YXFHVJL/mRSgJtFC0Om8WIxBVT/yfhGGjJqxtSesMH/FB2P30iokVfWt6YncmzuBaRgC yRSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YXCwgZLKTVpyh+lSIwEFp3d+m5mBWSekTJeynsdZmUU=; b=gbaMAjJ4Wll4QgKDGH4dl0Kzz2IXe64PaJw7AoCdKNoXnBdg4gkgGrHF+XXqcedRmV R+NGvKsEReWZfUbU+pjrWgeftCV5zNmLIzSp7IXiZI4+jwh5pvbcRyG+Pd2ObXz4n1Us JNEPj8ydqgOzm9msYzsM5KUwMKx1QnI8LXqu+J7YRLKlKKJAuy32Q94wfh0HNeKcH2DK ZdHIDYmhvfp7ApdyGNGjd5+D3xwDDbYwLzgyidiYTUJsf0bFSYbVYB83VuXWxZRGmlbu /ALmmFuT79p2SHxO5aIgDzcT+zBALS7ZohuRcObDxK/WPKHwoHfcQUIiv4TqqOnE3nt2 OBQg== X-Gm-Message-State: ANhLgQ1nxW9PJLfvYOts4KmfRzVLZ5Q42XyWXWRSloUfX8nxhXklHCON CGHrVxYwzlGqbCscGRhAlO1pL/zjl/GBVrn6Bw2huA== X-Google-Smtp-Source: ADFU+vu02IZOxbuNo3ebgqtrOjKkK890MFLXI5t6+AMrTW2VtxxCsYNKjOJWZwWzD1OeomgnKn7zRZ+AtOlejT2iHwk= X-Received: by 2002:a92:5a88:: with SMTP id b8mr6260514ilg.151.1584891045513; Sun, 22 Mar 2020 08:30:45 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "Russell O'Connor" Date: Sun, 22 Mar 2020 11:30:34 -0400 Message-ID: To: Tim Ruffing Content-Type: multipart/alternative; boundary="000000000000c6a3b205a1733304" Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Overview of anti-covert-channel signing techniques X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Mar 2020 15:30:47 -0000 --000000000000c6a3b205a1733304 Content-Type: text/plain; charset="UTF-8" On Sun, Mar 22, 2020 at 5:43 AM Tim Ruffing wrote: > On Sat, 2020-03-21 at 12:59 -0400, Russell O'Connor wrote: > > Public keys are deterministic and can be spot checked. In fact, > > AFAIU if hardened HD key derivations are not used, then spot checking > > is very easy. > > > > While spot checking isn't ideal, my original concern with the > > synthetic none standard proposal was that it is inherently non- > > deterministic and cannot ever be spot checked. This is why anti- > > covert signing protocols are so important if we are going to use > > synthetic nonces. > > If spot checking means checking a few instances, then I think this is a > pretty weak defense. What if the device starts to behave differently > after a year? > I agree, which is why there perhaps is merit in using a non-hardered derivation path so that the software side of a hardware wallet can check the pubkey. Though I understand there are some disadvantages to the non-hardened paths. However, spot checking can even be done retroactively (and thoroughly). Again, I agree that this is less than ideal, but does let you take some action once you notice a deviation. Your claim is that if we don't fix the pubkey issue there is no point in fixing the signature issue. I disagree. While I think both issues need to be fully addressed, the issues around the original proposed non-deterministic signature scheme are far more severe. The proposal would move us from a deterministic scheme, where spot checks are possible, with all the caveats that entails, to a non-deterministic scheme where spot checks are impossible. My hope is that we can standardise a scheme that has the advantages of non-determinism without the threat of covert channels. --000000000000c6a3b205a1733304 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Sun, Mar 22, 2020 at 5:43 AM Tim Ruffing <crypto@timruffing.de> wrote:
On Sat, 2020-03-21 at 12:59 -04= 00, Russell O'Connor wrote:
> Public keys are deterministic and can be spot checked.=C2=A0 In fact,<= br> > AFAIU if hardened HD key derivations are not used, then spot checking<= br> > is very easy.
>
> While spot checking isn't ideal, my original concern with the
> synthetic none standard proposal was that it is inherently non-
> deterministic and cannot ever be spot checked.=C2=A0 This is why anti-=
> covert signing protocols are so important if we are going to use
> synthetic nonces.

If spot checking means checking a few instances, then I think this is a
pretty weak defense. What if the device starts to behave differently
after a year?

I agree, which is wh= y there perhaps is merit in using a=20 non-hardered derivation path so that the software side of a hardware=20 wallet can check the pubkey. Though I understand there are some=20 disadvantages to the non-hardened paths.

=
However, spot checking can even be done retroactively (and thoroughly). Again, I agree that this is less than ideal, but does let you take some action=20 once you notice a deviation.

Your claim is that if we don't fix the pubkey issue there is no point in=20 fixing the signature issue.=C2=A0 I disagree.=C2=A0 While I think both issu= es need to be fully addressed, the issues around the original proposed=20 non-deterministic signature scheme are far more severe. The proposal=20 would move us from a deterministic scheme, where spot checks are=20 possible, with all the caveats that entails, to a non-deterministic=20 scheme where spot checks are impossible.=C2=A0 My hope is that we can=20 standardise a scheme that has the advantages of non-determinism without=20 the threat of covert channels.
--000000000000c6a3b205a1733304--