The issue with exfil is that the computer can’t detect whether the nonce is malicious or not, so it can’t block the attack. What you really want is for the nonce used to sign to be provably random, by simply having the computer add some of its own randomness to nonce, plus some deterministic message+pk hash from the hardware wallet (ala 6979). That way the HWW cannot exfil.
While you’re at it you should also include randomness from the computer in the seed generation process so that the private keys themselves don’t rely on only the HWW.
Neither of these are complicated, FROST is built around the same kind of nonce agreement protocol and including the randomness from the computer in key gen is just a matter of adding a second private key.
matt / Matt Corallo
npub185…swrdp
2024-08-06 19:21:47
in reply to nevent1q…6rt8
Author Public Key
npub185h9z5yxn8uc7retm0n6gkm88358lejzparxms5kmy9epr236k2qcswrdpPublished at
2024-08-06 19:21:47Event JSON
{
"id": "55a88865d7a0b5f31a7f81c9fb02f4980e5b081b54df4ccd6ba4a7f6703eab1a",
"pubkey": "3d2e51508699f98f0f2bdbe7a45b673c687fe6420f466dc296d90b908d51d594",
"created_at": 1722972107,
"kind": 1,
"tags": [
[
"e",
"4fb39bbf66c7e0231f4896ae3d2797e4148fa4fd5312cd0847ea1a1e3c18d058",
"",
"root"
],
[
"e",
"131f2fb9dd232a6a2b9a45a6e74dbaa25380b6dfa18acace5fce8093694f4b8b",
"",
"reply"
],
[
"p",
"e88a691e98d9987c964521dff60025f60700378a4879180dcbbb4a5027850411"
],
[
"p",
"8685ebef665338dd6931e2ccdf3c19d9f0e5a1067c918f22e7081c2558f8faf8"
]
],
"content": "The issue with exfil is that the computer can’t detect whether the nonce is malicious or not, so it can’t block the attack. What you really want is for the nonce used to sign to be provably random, by simply having the computer add some of its own randomness to nonce, plus some deterministic message+pk hash from the hardware wallet (ala 6979). That way the HWW cannot exfil.\n\nWhile you’re at it you should also include randomness from the computer in the seed generation process so that the private keys themselves don’t rely on only the HWW.\n\nNeither of these are complicated, FROST is built around the same kind of nonce agreement protocol and including the randomness from the computer in key gen is just a matter of adding a second private key.",
"sig": "9865cdd1f462623a3ac5ec848542f17e32e8e085dbb2edb1b9e5478130c009a897a67eef067b260aac3f7515fcaa7135fa1640dda98b00db1e9d8c6a84e8c289"
}