Author: Stepan Snigirev 2020-02-27 02:59:46
Published on: 2020-02-27T02:59:46+00:00
The article discusses the potential compromise of any hardware wallet or air-gapped computer used to sign transactions through supply chain attacks or malicious firmware updates. It notes that even if the signer is isolated, it could still leak private keys to the outside world by choosing nonces for signatures in a way that an attacker can calculate the private keys. The article proposes a protocol for signing a message that involves the host picking a random number and sending its hash together with the message to the signer, who then computes a nonce they want to use for signing. They commit to the chosen nonce by sending the corresponding point to the host, who then sends the preimage back to the signer before tweaking the nonce and sending back the signature. Hosts verify that the public point in the signature is tweaked by the same amount. The article also suggests that if the signer wants to generate a nonce non-deterministically but doesn't have the ability to store it, they may send meta-information back to the host that would help them regenerate the same nonce later. The article provides an implementation guide for PSBT using key-value pairs and proposing four keys, including PSBT_IN_EXT_NONCE_HASH, PSBT_IN_NONCE_COMMITMENT, PSBT_IN_NONCE_SIGNER_METADATA, and PSBT_IN_EXT_NONCE_PREIMAGE. The article suggests that the standardization of this protocol would be interesting and beneficial. The references include links to previous articles and projects related to the topic.
Updated on: 2023-05-20T21:48:46.204831+00:00