Re: [bitcoin-dev] BIP 340 updates: even pubkeys, more secure nonce generation

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Lloyd Fournier <lloyd.fourn@gmail.com>
To: Pieter Wuille <pieter.wuille@gmail.com>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP 340 updates: even pubkeys, more secure nonce generation
Date: Sun, 22 Mar 2020 16:51:59 +1100	[thread overview]
Message-ID: <CAH5Bsr2A7BepO9qYdL=Vzeajm1ZpoyH7-6AjLjcNDA8k5Qq0fA@mail.gmail.com> (raw)
In-Reply-To: <CAPg+sBgxvRM5ncQAnbNLN=4bdkQrM+-DxibMoTG+6gqk7EY9hQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 795 bytes --]

* To protect against differential power analysis, a different way of
> mixing in this randomness is used (masking the private key completely
> with randomness before continuing, rather than hashing them together,
> which is known in the literature to be vulnerable to DPA in some
> scenarios).
>

I think citation for this would improve the spec.

I haven't studied these attacks but it seems to me that every hardware
wallet would be vulnerable to them while doing key derivation. If the
attacker can get side channel information from hashes in nonce derivation
then they can surely get side channel information from hashes in HD key
derivation. It should actually be easier since the master seed is hashed
for anything the hardware device needs to do including signing.

is this the case?

LL

[-- Attachment #2: Type: text/html, Size: 1126 bytes --]

     prev parent reply	other threads:[~2020-03-22  5:52 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-24  4:26 [bitcoin-dev] BIP 340 updates: even pubkeys, more secure nonce generation Pieter Wuille
     [not found] ` <CAMZUoKkAebw6VzSco3F+wnLptNwsCiEw23t2pLj0xitiOSszMQ@mail.gmail.com>
2020-02-26  3:26   ` [bitcoin-dev] Fwd: " Russell O'Connor
2020-02-26  4:20 ` [bitcoin-dev] " Lloyd Fournier
2020-02-26 15:34   ` Jonas Nick
2020-02-27  4:55     ` Lloyd Fournier
2020-03-22  5:51 ` Lloyd Fournier [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAH5Bsr2A7BepO9qYdL=Vzeajm1ZpoyH7-6AjLjcNDA8k5Qq0fA@mail.gmail.com' \
    --to=lloyd.fourn@gmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=pieter.wuille@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox