📅 Original date posted:2013-11-16
📝 Original message:On Sun, Nov 17, 2013 at 12:49:04AM +0100, Pavol Rusnak wrote:
> On 03/11/13 08:40, Timo Hanke wrote:
> > Trezor picks random s and sends S=s*G to computer, keeping s secret.
>
> That's a really neat trick!
>
> > One question remains: if you only write down the mnemonic how can you be
> > sure that it is correct and corresponds to the secret in Trezor?
>
> Right. That's a problem. I'm not sure if this whole cryptomagic is
> benefitial at all.
>
> I'd suggest to go the easy way for now, i.e. prove that external entropy
> was used while generating the master seed. If the user does not trust
> our firmware, he can use his own built one.
No, this question of mine was regardless of any cryptomagic or neat
tricks like Thomas' suggestion. It has nothing do with auditing the
entropy. It was just a backup question.
I recently had an experience where I thought coins were lost because the
secrets I had didn't match the public keys that I thought they'd match.
>From now on I will always recover my wallet first, from the backed up
secrets, before sending any coins to the pubkeys in the wallet. I will
never again generate a wallet, backup the secrets, and hope the secrets
indeed match the pubkeys.. without testing that. My question was how
Trezor allows me to verify my backup.
All this makes me think if having one device generating and displaying
the secret, and making a backing from the display, is the right way to
go. Since you would need a second device to verify your backup is sane,
you could have two devices to start with. One is your hardware wallet
and it only imports secrets (restores backups). The other is an entropy
generator and it only generates secrets.
Best regards,
Timo
p.s. The question about auditing entropy would only apply to the generator,
not the wallet. Is it yet documented how Trezor proves that external
entropy was used?
--
Timo Hanke
PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8
Timo Hanke [ARCHIVE] /
npub1dd…pgp9a
2023-06-07 15:08:34
in reply to nevent1q…am4j
Author Public Key
npub1ddqaln8xsfmy6sxqplt9sz5ev99kh052sveqsh02q7hmc3a6n68shpgp9aPublished at
2023-06-07 15:08:34Event JSON
{
"id": "11389d9e6286c6eded116ead48bc715ff13cb1ca77208836516d7909ca8494c5",
"pubkey": "6b41dfcce682764d40c00fd6580a99614b6bbe8a8332085dea07afbc47ba9e8f",
"created_at": 1686150514,
"kind": 1,
"tags": [
[
"e",
"29113580fa19bfa912e033228b5744547f424bd6ae7dcc6dbdef306e0b87998e",
"",
"root"
],
[
"e",
"846df5b34e4a7c80b75da58bad355f63793bc61be44d6bd3b3948dfb0909f3e1",
"",
"reply"
],
[
"p",
"7631397e469f47f3535567311f5f7c17129e0ff2cb253df015e3d92ddfd92c63"
]
],
"content": "📅 Original date posted:2013-11-16\n📝 Original message:On Sun, Nov 17, 2013 at 12:49:04AM +0100, Pavol Rusnak wrote:\n\u003e On 03/11/13 08:40, Timo Hanke wrote:\n\u003e \u003e Trezor picks random s and sends S=s*G to computer, keeping s secret.\n\u003e \n\u003e That's a really neat trick!\n\u003e \n\u003e \u003e One question remains: if you only write down the mnemonic how can you be\n\u003e \u003e sure that it is correct and corresponds to the secret in Trezor?\n\u003e \n\u003e Right. That's a problem. I'm not sure if this whole cryptomagic is\n\u003e benefitial at all.\n\u003e \n\u003e I'd suggest to go the easy way for now, i.e. prove that external entropy\n\u003e was used while generating the master seed. If the user does not trust\n\u003e our firmware, he can use his own built one.\n\nNo, this question of mine was regardless of any cryptomagic or neat\ntricks like Thomas' suggestion. It has nothing do with auditing the\nentropy. It was just a backup question.\n\nI recently had an experience where I thought coins were lost because the\nsecrets I had didn't match the public keys that I thought they'd match.\n\u003eFrom now on I will always recover my wallet first, from the backed up\nsecrets, before sending any coins to the pubkeys in the wallet. I will\nnever again generate a wallet, backup the secrets, and hope the secrets\nindeed match the pubkeys.. without testing that. My question was how\nTrezor allows me to verify my backup.\n\nAll this makes me think if having one device generating and displaying\nthe secret, and making a backing from the display, is the right way to\ngo. Since you would need a second device to verify your backup is sane,\nyou could have two devices to start with. One is your hardware wallet\nand it only imports secrets (restores backups). The other is an entropy\ngenerator and it only generates secrets.\n\nBest regards,\nTimo\n\np.s. The question about auditing entropy would only apply to the generator,\nnot the wallet. Is it yet documented how Trezor proves that external\nentropy was used? \n\n-- \nTimo Hanke\nPGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8",
"sig": "ef1adcea5188daf50721dbf22aedb44630fda5fa679d8c10bff9db6e96f576c214000f50f685b682e557607871308562c01db54f71e2c65e8098a664b2ee6bc9"
}