New top story on Hacker News: Tell HN: It looks like even air gapped Bitcoin hardware wallets can phone home
Tell HN: It looks like even air gapped Bitcoin hardware wallets can phone home
20 by JonathanBeuys | 7 comments on Hacker News.
We had a great discussion here on HN a few days ago about the question whether it is possible to use Bitcoin in a trustless way. So that you control your Bitcoin yourself and don't have to trust any privileged party to not take it from you: https://ift.tt/MsJCh1Y Interestingly, there was a lot of speculation and misinformation. So even on Hacker News, this topic is still only vaguely understood. But also some very good information came to light. The biggest bomb that was dropped in the thread received little attention: The fact that signing a transaction is not deterministic. This means when a hardware wallet is asked to sign a transaction, it can internally do that multiple times and then chose from multiple valid signatures. This means that it can encode data into the signature. For example, it could choose between two signatures with certain properties (say one results in an even checksum of the bits of the signature and one results in an odd checksum) and thereby signalling one bit to the creator of the wallet. Everytime it signals a bit of your seed phrase home, the security of your coins is cut in half. Here is an article about the fact that elliptic curve signatures are not deterministic: https://ift.tt/sWzb1PH The way I understand it, the wallet can chose from a large number of possible signatures and thereby signal many bits to its creator. In every transaction. I think a dicsussion about this should be started. The way I understand it, it makes it completely impossible to use Bitcoin in a trustless way. Even with an air gapped hardware wallet, you are always at the mercy of the wallet manufacturer and the delivery chain that gets the wallet to you. If it gets swapped out on the way to you, you are at the mercy of whoever swapped it out.
20 by JonathanBeuys | 7 comments on Hacker News.
We had a great discussion here on HN a few days ago about the question whether it is possible to use Bitcoin in a trustless way. So that you control your Bitcoin yourself and don't have to trust any privileged party to not take it from you: https://ift.tt/MsJCh1Y Interestingly, there was a lot of speculation and misinformation. So even on Hacker News, this topic is still only vaguely understood. But also some very good information came to light. The biggest bomb that was dropped in the thread received little attention: The fact that signing a transaction is not deterministic. This means when a hardware wallet is asked to sign a transaction, it can internally do that multiple times and then chose from multiple valid signatures. This means that it can encode data into the signature. For example, it could choose between two signatures with certain properties (say one results in an even checksum of the bits of the signature and one results in an odd checksum) and thereby signalling one bit to the creator of the wallet. Everytime it signals a bit of your seed phrase home, the security of your coins is cut in half. Here is an article about the fact that elliptic curve signatures are not deterministic: https://ift.tt/sWzb1PH The way I understand it, the wallet can chose from a large number of possible signatures and thereby signal many bits to its creator. In every transaction. I think a dicsussion about this should be started. The way I understand it, it makes it completely impossible to use Bitcoin in a trustless way. Even with an air gapped hardware wallet, you are always at the mercy of the wallet manufacturer and the delivery chain that gets the wallet to you. If it gets swapped out on the way to you, you are at the mercy of whoever swapped it out.
No comments