From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VcrNC-0005AW-6W for bitcoin-development@lists.sourceforge.net; Sun, 03 Nov 2013 06:41:22 +0000 Received: from mout.web.de ([212.227.15.14]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.76) id 1VcrNA-00022A-IL for bitcoin-development@lists.sourceforge.net; Sun, 03 Nov 2013 06:41:22 +0000 Received: from crunch ([66.68.149.162]) by smtp.web.de (mrweb102) with ESMTPA (Nemesis) id 0MJCSM-1VfcWZ1FSE-002qlc for ; Sun, 03 Nov 2013 07:41:14 +0100 Date: Sun, 3 Nov 2013 01:41:11 -0500 From: Timo Hanke To: Thomas Voegtlin Message-ID: <20131103064111.GI16611@crunch> References: <526BDEC2.2090709@gmx.de> <52721F47.30206@gmx.de> <5274C99A.8060304@gmx.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5274C99A.8060304@gmx.de> User-Agent: Mutt/1.5.21 (2010-09-15) X-Provags-ID: V03:K0:UlP5dCHoGuomhmnSpf7SILK31iHfzKdpr0vdM7KPkBWxwMegUWl 3t426oXpAZd4jFEkwIyY8bESR7a8yvxtTDi8gDECMX/XFNlI1oCzcOee8mbqJgClFBWH47V wOune7VqUq3N5TumRKncPdODn4ejWA35ZwcXlGMXLE5pfDmOnMtP0L4IGWwVWcE3YR7DwTm qRavC3Avrsw1Q1ncx0twQ== X-Spam-Score: 0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (timo.hanke[at]web.de) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [212.227.15.14 listed in list.dnswl.org] -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain X-Headers-End: 1VcrNA-00022A-IL Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] Proposal to replace BIP0039 X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list Reply-To: timo.hanke@web.de List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Nov 2013 06:41:22 -0000 On Sat, Nov 02, 2013 at 10:44:58AM +0100, Thomas Voegtlin wrote: > > >To be specific, we (in cooperation with / inspired by Timo Hanke) > >developed method how to prove that the seed generated by Trezor > >has been created using combination of computer-provided entropy > >and device-provided entropy, without leaking full private > >information to other computer, just because we want Trezor to be > >blackbox-testable and fully deterministic (seed generation is > >currently the only operation which uses any source of RNG). > > > > Thanks for the explanation. Here is how I understand how it works, > please correct me if I'm wrong: > > The user's computer picks a random number a, the Trezor picks a > random number b. > Trezor adds a and b in the secp256k1 group, and this creates a > master private key k. > Trezor sends the corresponding master public key K to the computer. > Thus, the computer can check that K was derived from a, without knowing b. No. You mean the computer would use B for this check? (k,K) could be rigged by Trezor, who computes b as k-a. Timo > This also allows the computer to check that any bitcoin address > derived from K is derived from a, without leaking b. (and > reciprocally) > > However, it seems to me that this property will work only with bip32 > public derivations; if a private derivation is used, don't you need > to know k? > > > -- Timo Hanke PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8