📅 Original date posted:2013-11-03
📝 Original message:On Sat, Nov 02, 2013 at 10:44:58AM +0100, Thomas Voegtlin wrote:
>
> >To be specific, we (in cooperation with / inspired by Timo Hanke)
> >developed method how to prove that the seed generated by Trezor
> >has been created using combination of computer-provided entropy
> >and device-provided entropy, without leaking full private
> >information to other computer, just because we want Trezor to be
> >blackbox-testable and fully deterministic (seed generation is
> >currently the only operation which uses any source of RNG).
> >
>
> Thanks for the explanation. Here is how I understand how it works,
> please correct me if I'm wrong:
>
> The user's computer picks a random number a, the Trezor picks a
> random number b.
> Trezor adds a and b in the secp256k1 group, and this creates a
> master private key k.
> Trezor sends the corresponding master public key K to the computer.
> Thus, the computer can check that K was derived from a, without knowing b.
No. You mean the computer would use B for this check?
(k,K) could be rigged by Trezor, who computes b as k-a.
Timo
> This also allows the computer to check that any bitcoin address
> derived from K is derived from a, without leaking b. (and
> reciprocally)
>
> However, it seems to me that this property will work only with bip32
> public derivations; if a private derivation is used, don't you need
> to know k?
>
>
>
--
Timo Hanke
PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8
Timo Hanke [ARCHIVE] /
npub1dd…pgp9a
2023-06-07 15:08:32
in reply to nevent1q…f0xl
Author Public Key
npub1ddqaln8xsfmy6sxqplt9sz5ev99kh052sveqsh02q7hmc3a6n68shpgp9aPublished at
2023-06-07 15:08:32Event JSON
{
"id": "f219053c239f17b429eed38492d20b45b2f1f0f571537f4b09834b9a93481354",
"pubkey": "6b41dfcce682764d40c00fd6580a99614b6bbe8a8332085dea07afbc47ba9e8f",
"created_at": 1686150512,
"kind": 1,
"tags": [
[
"e",
"29113580fa19bfa912e033228b5744547f424bd6ae7dcc6dbdef306e0b87998e",
"",
"root"
],
[
"e",
"63c96928762cb21dfcfd2ee25f0576c6511d55ec36fdfc8fddbe9a5cec6f8d05",
"",
"reply"
],
[
"p",
"7a4ba40070e54012212867182c66beef592603fe7c7284b72ffaafce9da20c05"
]
],
"content": "📅 Original date posted:2013-11-03\n📝 Original message:On Sat, Nov 02, 2013 at 10:44:58AM +0100, Thomas Voegtlin wrote:\n\u003e \n\u003e \u003eTo be specific, we (in cooperation with / inspired by Timo Hanke)\n\u003e \u003edeveloped method how to prove that the seed generated by Trezor\n\u003e \u003ehas been created using combination of computer-provided entropy\n\u003e \u003eand device-provided entropy, without leaking full private\n\u003e \u003einformation to other computer, just because we want Trezor to be\n\u003e \u003eblackbox-testable and fully deterministic (seed generation is\n\u003e \u003ecurrently the only operation which uses any source of RNG).\n\u003e \u003e\n\u003e \n\u003e Thanks for the explanation. Here is how I understand how it works,\n\u003e please correct me if I'm wrong:\n\u003e \n\u003e The user's computer picks a random number a, the Trezor picks a\n\u003e random number b.\n\u003e Trezor adds a and b in the secp256k1 group, and this creates a\n\u003e master private key k.\n\u003e Trezor sends the corresponding master public key K to the computer.\n\u003e Thus, the computer can check that K was derived from a, without knowing b.\n\nNo. You mean the computer would use B for this check? \n(k,K) could be rigged by Trezor, who computes b as k-a.\n\nTimo\n\n\u003e This also allows the computer to check that any bitcoin address\n\u003e derived from K is derived from a, without leaking b. (and\n\u003e reciprocally)\n\u003e \n\u003e However, it seems to me that this property will work only with bip32\n\u003e public derivations; if a private derivation is used, don't you need\n\u003e to know k?\n\u003e \n\u003e \n\u003e \n\n-- \nTimo Hanke\nPGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8",
"sig": "535a910860097d1851e8633a89e4d6b59f00cb2a202e64bebc64a6c624ca106d292b3389d8c6489999b9c777373f6b9ec17fdf303542fb53f043e11f42ee5cee"
}