bitcoin-dev

Overview of anti-covert-channel signing techniques

Original Post by Dustin Dettmer

Posted on: March 24, 2020 14:51 UTC

In this post, Dustin explains to Tim a technique that protects against the theft of funds by malicious hardware or software.

He mentions that there are some side benefits as well. The storage solution can be any way in which bitcoins are stored; the technique works regardless. If the software (SW) party is split into two parts, a generator and a validator, some useful security properties emerge. The generator creates and passes on receiving addresses and withdrawal transactions while remaining offline, whereas the validator double-checks everything the generator did. This works best if the validator is written entirely independently of the generator. The external software runs on a second SW, which is the second stage, and it works just fine with a non-trivial/random unhardened derivation.

K commitment is one of the proposed solutions collected by Peter in the thread. By committing to some k value, the hardware wallet cannot sneak out private keys in the R value.