Hi Pieter,

Thanks for the detailed response.
 
/secret key/secret keyI'll try to summarize the discussion we had that led to this choice, but most of it is on https://github.com/sipa/bips/issues/195 if you want the details.

Ahh I can't believe I missed that github issue while searching. I guess I started reading a paper on DPA and got carried away. I can see you got to where I was and then went much further including some empirical analysis. Nice. I agree with the conclusion that xor is more robust than just hashing randomness in the same block as the secret key.
 
Let me first try to address what I think you're overlooking: in a BIP32/Taproot like scenario, the private key that goes into the signing algorithm functions as *both* secret and known to the attacker. That is to say, there is a master secret s, and signing key x that goes into the hash is x=s+a (mod n) for some value a that the attacker knows, and can modify (he cannot control it directly, but he may be able to grind it to have a structure he likes). I believe that means that feeding x to a hash directly itself is already a problem, regardless of what else goes into the hash - interactions between bits inside the hash operation that all come from x itself can leak bit-level information of x.  XORing (or any other simple mix operation that does not expose bit-level information) into the private key before giving it to a hash function seems like it would address this.

This is an subtle point that I didn't cross my mind. My gut feeling is there isn't even a computational argument to made that what I was suggesting is secure against DPA in that setting. DPA seems to be a PITA. A footnote in the BIP with a citation for DPA (the ed25519 one from the issue is good) and a hint about why you should avoid hashing Bitcoin secret keys altogether would be good. This brings us to the next point.

It also assumes that somehow the computation of x itself is immune from leaks (something you pointed out in a previous e-mail, I noticed).

From my reading of the HMAC papers it seems you might be able to vary the BIP32 child index derivation to do this attack. Just thinking about it now, these attacks seem far fetched just because in order for it to be useful you need to have physical access to the device and to be able to accurately measure power consumption in high resolution (which I guess you can't do from a typical USB bus from corrupted software). Then you also need to get the user to do lots of signing or derivation with their device. I guess a malicious cable with some way of exfiltrating power consumption could do it.
 
I'm happy for any input you may have here. In particular, the recent discussions around the interactions between anti-covert channel protection, randomness, and the ability to spot check hardware devices may mean we should revise the advice to consider not adding randomness unless such a anti-covert channel scheme is used.
 
My only comment here is that there will end up being more than one way to do it and I think what you and your collaborators have put forward is at a local optimum of design (now that I understand it). Thanks and well done! It won't be the right optimum for everyone. To me, it seems like a good place to start. If you develop a decent nonce exfiltration protected signing protocol later then I don't see why HW wallets wouldn't compete for favour amongst the community by implementing and updating their devices to conform to it.

LL