Author: Timo Hanke 2013-11-03 06:41:11
Published on: 2013-11-03T06:41:11+00:00
On November 2, 2013, Thomas Voegtlin wrote an email detailing the development of a method to prove that the seed generated by Trezor was created using a combination of computer-provided entropy and device-provided entropy without leaking full private information to other computers. The goal was to make Trezor blackbox-testable and fully deterministic, with seed generation being the only operation that uses any source of RNG.According to Voegtlin, the user's computer picks a random number (a), and the Trezor picks a random number (b). Then, the Trezor adds a and b in the secp256k1 group, creating a master private key k. The Trezor sends the corresponding master public key K to the computer. Thus, the computer can check that K was derived from a without knowing b. This also allows the computer to verify that any bitcoin address derived from K is derived from a without leaking b. Timo Hanke responded, stating that the computer would use B for the check, and that (k,K) could be rigged by Trezor, who computes b as k-a. He also questioned whether this property would work only with bip32 public derivations, noting that if a private derivation was used, one would need to know k.
Updated on: 2023-06-07T18:20:19.042747+00:00