It looks like even air gapped hardware wallets can phone home

We had a great discussion here on Hacker News a few days ago, about the question whether it is possible to use Bitcoin in a trustless way. So that you control your Bitcoin yourself and don't have to trust any privileged party to not take it from you:

Interestingly, there was a *lot* of speculation and misinformation. So even on Hacker News, this topic is still only vaguely understood.

But also some very good information came to light.

The biggest bomb that was dropped in the thread received little attention: The fact that signing a transaction is not deterministic. This means when a hardware wallet is asked to sign a transaction, it can internally do that multiple times and then chose from multiple valid signatures. This means that it can encode data into the signature. For example, it could choose between two signatures with certain properties (say one results in an even checksum of the bits of the signature and one results in an odd checksum) and thereby signalling one bit to the creator of the wallet.

Everytime it signals a bit of your seed phrase home, the security of your coins is cut in half.

Here is an article about the fact that elliptic curve signatures are not deterministic:

The way I understand it, the wallet can chose from a large number of possible signatures and thereby signal many bits to its creator. In every transaction.

I think a dicsussion about this should be started. The way I understand it, it makes it completely impossible to use Bitcoin in a trustless way. Even with an air gapped hardware wallet, you are always at the mercy of the wallet manufacturer and the delivery chain that gets the wallet to you. If it gets swapped out on the way to you, you are at the mercy of whoever swapped it out.

submitted by /u/JonathanBeuys
[link] [comments]

Leave a Reply

Your email address will not be published. Required fields are marked *