From: Damian Williamson <willtech@live.com.au>
To: nullius <nullius@nym.zone>, Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Thread-Topic: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret
	shared private key scheme)
Date: Sat, 13 Jan 2018 02:11:08 +0000
Message-ID: <PS2P216MB01793245561CC130C6FEEC9A9D140@PS2P216MB0179.KORP216.PROD.OUTLOOK.COM>
References: <CAAS2fgR-or=zksQ929Muvgr=sgzNSugGp669ZWYC6YkvEG=H5w@mail.gmail.com>
	<ae570ccf-3a2c-a11c-57fa-6dad78cfb1a5@satoshilabs.com>
	<CAAS2fgRQvpa8VXE8YAYSfugDvCu=1+5ANsGk1V_OXtHPGD=Ltw@mail.gmail.com>
	<vJsDz9YdeNQQ_PZRf5HP1W0FmcWyKHIuwN9QeNgN-WXCdQcRmXLtkQ3wfTO7YUCgG6AFgOkKeU6fdsGTKkGcnk-_OOY_jyNlfWkFQ31d2ZU=@protonmail.com>
	<20180109011335.GA22039@savin.petertodd.org>
	<274aad5c-4573-2fdd-f8b0-c6c2d662ab7c@gibsonic.org>
	<20180112095058.GA9175@savin.petertodd.org>,
	<3b45c17a256326b6b183587d9d15690c@nym.zone>
In-Reply-To: <3b45c17a256326b6b183587d9d15690c@nym.zone>
Subject: Re: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret
 shared private key scheme)
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>

The same problems exist for users of whole disk encrypted operating systems. Once the device (or, the initial password authentication) is found, the adversary knows that there is something to see. The objective of plausible deniability is to present some acceptable (plausible) alternative while keeping the actual hidden (denied).


If the adversary does not believe you, you do indeed risk everything.


Regards,

Damian Williamson

________________________________
From: bitcoin-dev-bounces@lists.linuxfoundation.org <bitcoin-dev-bounces@lists.linuxfoundation.org> on behalf of nullius via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Sent: Friday, 12 January 2018 10:06:33 PM
To: Peter Todd; Bitcoin Protocol Discussion
Subject: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret shared private key scheme)

On 2018-01-12 at 09:50:58 +0000, Peter Todd <pete@petertodd.org> wrote:
>On Tue, Jan 09, 2018 at 12:43:48PM +0000, Perry Gibson wrote:
>>>Trezor's "plausible deniability" scheme could very well result in you
>>>going to jail for lying to border security, because it's so easy for
>>>them to simply brute force alternate passwords based on your seeds.
>>>With that, they have proof that you lied to customs, a serious
>>>offense.
>>The passphrase scheme as I understand it allows a maximum of 50
>>characters to be used.  Surely even with the HD seed, that search
>>space is too large to brute force.  Or is there a weakness in the
>>scheme I haven't clocked?
>
>While passphrases *can* be long, most users aren't going to understand
>the risk. For example, Trezor's blog(1) doesn't make it clear that the
>passphrases could be bruteforced and used as evidence against you, and
>even suggests the contrary:  [...quote...]

I despise the term “plausible deniability”; and that’s really the wrong
term to use in this discussion.

“Plausible deniability” is a transparent excuse for explaining away an
indisputable fact which arouses suspicion—when you got some serious
’splain’ to do.  This is usually used in the context of some pseudolegal
argument about introducing “reasonable doubt”, or even making “probable
cause” a wee bit less probable.

“Why yes, officer:  I was seen carrying an axe down the street near the
site of an axe murder, at approximately the time of said axe murder.
But I do have a fireplace; so it is plausible that I was simply out
gathering wood.”

I rather suspect the concept of “plausible deniability” of having been
invented by a detective or agent provocateur.  There are few concepts
more useful for helping suspects shoot themselves in the foot, or
frankly, for entrapping people.

One of the worst examples I have seen is in discussions of Monero,
whereby I’ve seen proponents claim that even under the worst known
active attacks, their mix scheme reduces transaction linking to a
maximum of 20–40% probability.  “That’s not good enough to convince a
jury!”  No, but it is certainly adequate for investigators to identify
you as a person of interest.  Then, your (mis)deeds can be subjected to
powerful confirmation attacks based on other data; blockchains do not
exist in isolation.  I usually stay out of such discussions; for I have
no interest in helping the sorts of people whose greatest concern in
life is what story to foist on a jury.

In the context of devices such as Trezor, what is needed is not
“plausible deniability”, but rather the ability to obviate any need to
deny anything at all.  I must repeat, information does not exist in
isolation.

If you are publicly known to be deeply involved in Bitcoin, then nobody
will believe that your one-and-only wallet contains only 0.01 BTC.
That’s not even “plausible”.  But if you have overall privacy practices
which leave nobody knowing or suspecting that you have any Bitcoin at
all, then there is nothing to “deny”; and should a Trezor with
(supposedly) 0.01 BTC be found in your possession, that’s much better
than “plausible”.  It’s completely unremarkable.

Whereas if you are known or believed to own large amounts of BTC, a
realistic bad guy’s response to your “decoy” wallet could be, “I don’t
believe you; and it costs me nothing to keep beating you with rubber
hose until you tell me the *real* password.”

It could be worse, too.  In a kidnapping scenario, the bad guys could
say, “I don’t believe you.  Hey, I also read Trezor’s website about
‘plausible deniability’.  Now, I will maim your kid for life just to
test whether you told me the *real* password.  And if you still don’t
tell me the real password after you see that little Johnny can no longer
walk, then I will kill him.”

The worst part is that you have no means of proving that you really
*did* give the real password.  Indeed, it can be proved if you’re lying
by finding a password which reveals a hidden wallet—but *you* have no
means of affirmatively proving that you are telling the truth!  If the
bad guys overestimated your riches (or if they’re in a bad mood), then
little Johnny is dead either way.

In a legalistic scenario, if “authorities” believe you have 1000 BTC and
you only reveal a password for 0.01 BTC, the likely response will not be
to let you go.  Rather, “You will now sit in jail until you tell the
*real* password.”  And again:  You have no means of proving that you did
give the real password!

“Plausible deniability” schemes can backfire quite badly.

>Also note how this blog doesn't mention anti-forensics: the wallet
>software itself may leave traces of the other wallets on the computer.
>Have they really audited it sufficiently to be sure this isn't the
>case?

What about data obtained via the network?  I don’t *only* refer to
dragnet surveillance.  See for but one e.g., Goldfeder, et al., “When
the cookie meets the blockchain:  Privacy risks of web payments via
cryptocurrencies” https://arxiv.org/abs/1708.04748  Your identity can be
tied to your wallet all sorts of ways, any of which could be used to
prove that you have more Bitcoin than you’re revealing.  Do you know
what databases of cross-correlated analysis data customs agents have
immediate access to nowadays—or will, tomorrow?  I don’t.

In the scenario under discussion, that may not immediately prove “beyond
a reasonable doubt” that you lied specifically about your Trezor.  But
it could give plenty of cause to keep you locked up in a small room
while your hard drive is examined for evidence that Trezor apps handled
*addresses already known to be linked to you*.  Why even bother with
bruteforce?  Low-hanging fruit abound.

>1) https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphrases-f2e0834026eb

--
nullius@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
“‘If you’re not doing anything wrong, you have nothing to hide.’
No!  Because I do nothing wrong, I have nothing to show.” — nullius
