Overview of anti-covert-channel signing techniques

The author notes that if key generation is compromised, then anti-covert channel singing protocols may not be effective. While there are several signing protocols available, there is little research on key generation. One suggestion is a commit-and-reveal protocol for generating a master public key pair using contributions from both hardware and software, followed by BIP32 public derivation for all other keys. However, this idea has drawbacks and is not compatible with hardened derivation. The email also mentions a paper that considers a similar scenario where the hardware wallet is malicious during key generation and assumes threshold signatures with the human user as the trusted party. Moving back to the signing process, the author suggests looking at security against malicious software with parallel signing sessions and notes that Scheme 4 is vulnerable to Wagner's attack. Scheme 5 may be more effective but requires two interaction rounds and state that needs to be kept by the hardware between the rounds. To make the hardware stateless, one suggestion is to let it encrypt and authenticate its state using AEAD or a simple MAC. The email proposes a new scheme, Scheme 7, which uses a synthetic nonce, two interactions, is stateless using MAC, and verifies e. Finally, the author notes that verifying e may be weaker than verifying the signature in some cases, but overall, the proposed solutions aim to improve the security of hardware wallets against potential attacks.