Overview of anti-covert-channel signing techniques

Overview of anti-covert-channel signing techniques

Original Postby Tim Ruffing

Posted on: March 21, 2020 13:34 UTC

The email discusses the potential security concerns with malicious hardware wallets, specifically regarding key generation and signing.

The author notes that if key generation is compromised, then anti-covert channel singing protocols may not be effective. While there are several signing protocols available, there is little research on key generation. One suggestion is a commit-and-reveal protocol for generating a master public key pair using contributions from both hardware and software, followed by BIP32 public derivation for all other keys. However, this idea has drawbacks and is not compatible with hardened derivation. The email also mentions a paper that considers a similar scenario where the hardware wallet is malicious during key generation and assumes threshold signatures with the human user as the trusted party. Moving back to the signing process, the author suggests looking at security against malicious software with parallel signing sessions and notes that Scheme 4 is vulnerable to Wagner's attack. Scheme 5 may be more effective but requires two interaction rounds and state that needs to be kept by the hardware between the rounds. To make the hardware stateless, one suggestion is to let it encrypt and authenticate its state using AEAD or a simple MAC. The email proposes a new scheme, Scheme 7, which uses a synthetic nonce, two interactions, is stateless using MAC, and verifies e. Finally, the author notes that verifying e may be weaker than verifying the signature in some cases, but overall, the proposed solutions aim to improve the security of hardware wallets against potential attacks.