Excellent write up, thanks for putting it together.
On Tue, Mar 3, 2020 at 1:47 PM Pieter Wuille wrote:
When both the HW and the SW are compromised, clearly no security is possible,
as all entities are controlled by the same party in that case.
While all SW being compromised can’t be stopped, splitting the SW over two stages can dramatically increase your security if both HW & SW are compromised. You can do that by:
1) When you setup your storage solution (whatever it may be), export the xpub(s) and verify the receiving addresses match xpubs with external software before receiving.
2) Generate and export withdrawal transactions offline
3) Verify transactions against the same xpub(s) using external software
4) Upload transactions
This mitigates, I believe, all leak vectors besides k/R hacking and prechosen entropy.
I made an external tool to just that here:
Would love to add k commitments when (if?) we settle on best practices for it.