References: <CAPg+sBgxvRM5ncQAnbNLN=4bdkQrM+-DxibMoTG+6gqk7EY9hQ@mail.gmail.com>
In-Reply-To: <CAPg+sBgxvRM5ncQAnbNLN=4bdkQrM+-DxibMoTG+6gqk7EY9hQ@mail.gmail.com>
From: Lloyd Fournier <lloyd.fourn@gmail.com>
Date: Sun, 22 Mar 2020 16:51:59 +1100
Message-ID: <CAH5Bsr2A7BepO9qYdL=Vzeajm1ZpoyH7-6AjLjcNDA8k5Qq0fA@mail.gmail.com>
To: Pieter Wuille <pieter.wuille@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP 340 updates: even pubkeys, more secure nonce generation
> * To protect against differential power analysis, a different way of
> mixing in this randomness is used (masking the private key completely
> with randomness before continuing, rather than hashing them together,
> which is known in the literature to be vulnerable to DPA in some
> scenarios).
>
I think a citation for this would improve the spec.
I haven't studied these attacks but it seems to me that every hardware
wallet would be vulnerable to them while doing key derivation. If the
attacker can get side channel information from hashes in nonce derivation
then they can surely get side channel information from hashes in HD key
derivation. It should actually be easier since the master seed is hashed
for anything the hardware device needs to do including signing.
Is this the case?
LL
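The masking step quoted above, as an added example that is not part of this thread or of the BIP 340 reference code: the 32-byte secret key is XORed with a tagged hash of the auxiliary randomness before anything is hashed, and the masked value t is what enters the nonce hash, shown next to a hypothetical "hash them together" variant (`naive_nonce`) for contrast. The tag names and the reduction modulo the secp256k1 order follow BIP 340; the sample key, x-only pubkey, message and aux bytes are constructed placeholders, not real key material.

```python
import hashlib

# secp256k1 group order; BIP 340 reduces the nonce hash modulo n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample inputs (placeholders, not real key material).
SAMPLE_D = bytes.fromhex("11" * 32)    # 32-byte secret key d
SAMPLE_PX = bytes.fromhex("22" * 32)   # stands in for bytes(P), the x-only pubkey
SAMPLE_MSG = bytes.fromhex("33" * 32)  # 32-byte message m
SAMPLE_AUX = bytes.fromhex("44" * 32)  # auxiliary randomness a (fresh CSPRNG bytes in practice)


def tagged_hash(tag: str, msg: bytes) -> bytes:
    """BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    tag_hash = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(tag_hash + tag_hash + msg).digest()


def mask_secret(d: bytes, aux_rand: bytes) -> bytes:
    """Masking step: t = bytes(d) XOR hash_BIP0340/aux(a).

    The raw secret key never enters the nonce hash; only the masked value t does.
    """
    if len(d) != 32 or len(aux_rand) != 32:
        raise ValueError("d and aux_rand must be 32 bytes")
    return bytes(x ^ y for x, y in zip(d, tagged_hash("BIP0340/aux", aux_rand)))


def bip340_nonce(d: bytes, pubkey_x: bytes, msg: bytes, aux_rand: bytes) -> int:
    """k' = int(hash_BIP0340/nonce(t || bytes(P) || m)) mod n, with t the masked key."""
    t = mask_secret(d, aux_rand)
    rand = tagged_hash("BIP0340/nonce", t + pubkey_x + msg)
    k = int.from_bytes(rand, "big") % SECP256K1_N
    if k == 0:
        raise ValueError("k' = 0: BIP 340 requires signing to fail here")
    return k


def naive_nonce(d: bytes, msg: bytes, aux_rand: bytes) -> int:
    """Hypothetical 'hash them together' variant, for contrast only: the raw key
    bytes are fed straight into the hash, which the quoted text says the
    literature reports as DPA-vulnerable in some scenarios."""
    rand = hashlib.sha256(d + aux_rand + msg).digest()
    return int.from_bytes(rand, "big") % SECP256K1_N
```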