matt on Nostr: Problem is you have a device that you cannot realistically audit the supply chain of, ...
Problem is you have a device that you cannot realistically audit the supply chain of, and which is at incredibly high risk of supply chain attacks. Deterministic nonces are great but they’re not auditable - there’s high risk of the machine telling you it's doing a deterministic nonce when it is instead leaking your private key with an attacker-derivable nonce!
The point of deterministic nonces is “include a hash of the private key and message in the nonce so that you know you didn’t screw up”, that’s great, but you can also build on top. The computer driving the hardware wallet can input randomness which the hardware wallet can prove was incorporated into the selected nonce. This allows the device to prove to the computer it's not leaking your private key, requiring an attacker to compromise *both* your computer and the device, not just the device!
Hardware wallets that don’t use such a protocol should absolutely be considered, at best, incompetent, maybe malicious.
Published at 2023-09-19 15:09:22
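An added example, not part of the original post: one way the host-randomness check described above can work, sketched as a sign-to-contract exchange with a Schnorr-style signature over secp256k1 (the signature scheme, hash layout and all function names are assumptions chosen for brevity). The host commits to randomness `rho`, the device answers with a nonce commitment `R0`, and the host accepts a signature only if its nonce point equals `R0 + H(R0 || rho)·G`.

```python
import hashlib, secrets

# secp256k1 field prime, group order and generator (illustration only, not constant-time)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def h(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def device_commit(sk, msg, host_commit):
    # Deterministic base nonce bound to the host's commitment; only R0 leaves the device.
    k0 = h(sk.to_bytes(32, "big"), msg, host_commit)
    return k0, mul(k0)

def device_sign(sk, msg, k0, rho, honest=True):
    # honest: final nonce is k0 + H(R0 || rho); rogue: a nonce an attacker can re-derive
    k = (k0 + h(enc(mul(k0)), rho)) % N if honest else h(b"attacker-known-seed", msg)
    R = mul(k)
    return R, (k + h(enc(R), enc(mul(sk)), msg) * sk) % N

def host_check(pub, msg, R0, rho, sig):
    R, s = sig
    valid = mul(s) == add(R, mul(h(enc(R), enc(pub), msg), pub))  # ordinary verification
    tweaked = R == add(R0, mul(h(enc(R0), rho)))                  # host randomness was used
    return valid, tweaked

def run(honest):  # constructed sample message; fresh key and rho per run
    sk, rho, msg = secrets.randbelow(N - 1) + 1, secrets.token_bytes(32), b"constructed sample tx"
    k0, R0 = device_commit(sk, msg, hashlib.sha256(rho).digest())
    return host_check(mul(sk), msg, R0, rho, device_sign(sk, msg, k0, rho, honest))
```

`run(True)` returns `(True, True)`, while `run(False)` returns `(True, False)`: the rogue signature still verifies on chain, and only the host-side nonce check exposes it.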