Combined summary - Overview of anti-covert-channel signing techniques

Combined summary - Overview of anti-covert-channel signing techniques

Dustin explains to Tim a technique for protecting against the theft of funds by malicious hardware or software.

The technique involves splitting the software into two parts: a generator and a validator. The generator creates addresses and withdrawal transactions offline, while the validator double checks everything the generator does. It is best if the validator is written independently of the generator. This technique works regardless of how bitcoins are stored.Pieter Wuille suggests that splitting the software over two stages can greatly increase security if both hardware and software are compromised. He suggests various measures such as exporting xpubs before receiving, generating and exporting withdrawal transactions offline, and verifying transactions using external software. He also provides a link to a tool called Gatekeeper on GitHub that can be used for this purpose.Russell O'Connor and Tim discuss the importance of addressing both pubkey and signature issues. They agree that a non-deterministic signature scheme proposed in the conversation poses more severe issues than the pubkey problem. They believe that a standardized scheme with the benefits of non-determinism without covert channels is necessary.Tim Ruffing raises concerns about the security of hardware wallets in an email thread. He mentions that key generation is also a concern as the PRG used to derive the seed can be manipulated by manufacturers. Other participants in the discussion argue that public keys can be spot checked for non-standard proposals, but synthetic nonces proposed in the conversation cannot be spot checked. They emphasize the need for anti-covert signing protocols.The conversation includes discussions on secure key generation, signing protocols, and protecting against malicious software. The commit-and-reveal protocol is suggested for generating a master public key pair with contributions from both hardware and software. However, it has drawbacks and is not compatible with hardened derivation. Various schemes are proposed to improve the security of hardware wallets against potential attacks.A discussion on the bitcoin-dev mailing list focuses on the security concerns of hardware wallets. The PRG used for key generation can be manipulated by hardware manufacturers, posing a threat to both signing and key generation. The importance of anti-covert channel signing protocols is emphasized.The article discusses different anti-covert channel signing schemes and their trade-offs. The focus is on the MSW and MHW attack models, assuming a Schnorr-like signature protocol. Various schemes are proposed to prevent predictable nonce values, avoid covert channels, and address issues related to Schnorr signatures. The best solution depends on priorities such as statelessness, protection against failure bias, and resistance against side-channel attacks.While hardware wallets can be hacked, the article notes that it may not be a significant concern. The importance of further research and standardization in this area is emphasized.

Discussion History

Pieter WuilleOriginal Post
March 3, 2020 21:35 UTC
March 21, 2020 13:34 UTC
March 21, 2020 16:59 UTC
March 21, 2020 20:29 UTC
March 22, 2020 09:43 UTC
March 22, 2020 15:30 UTC
March 22, 2020 15:38 UTC
March 23, 2020 14:38 UTC
March 24, 2020 07:49 UTC
March 24, 2020 14:51 UTC