path: root/d9/8f57d13635a68092ca3634808bf901fb7c9822

Return-Path: <willtech@live.com.au>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id CF020E8A
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 13 Jan 2018 02:11:13 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from APC01-HK2-obe.outbound.protection.outlook.com
	(mail-oln040092255021.outbound.protection.outlook.com [40.92.255.21])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 93595D0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 13 Jan 2018 02:11:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=live.com; s=selector1; 
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
	bh=DvALsYBqhEMUPqGHIaSGSm1gCvGkRNMTlNq90FDwVlo=;
	b=dRW2IYCfxD0KEtdoCL29+2WTmdeZE1uKynYMjK6RJTDUdAXNSVYTcono0yQ6RuAjjCHAwBezpVEg3wjzivXdeHiKRdAm/y9kKkJH4Uk3kPowwdwRK8Gcgrdv3KktClJzf5RZhfDD0NErwSJ2BlPQqJSyGhAzyls/ThL2vEB+39ywesDQa1hF7EHWgHLdoz+gq9oslhKCtbEa82XSjnHFp50R1GGSmUVOD63OGv2PEddWXhF169jBae+6o3C8BjurqNjVI6lEi/c7CO6AmQ5zEIVXrk9xVIKbRdDEa9XNwsZxTkObjPA3KzUy/MWyUitSmCSNF1oKKc1O0o5Q8SDUEQ==
Received: from HK2APC01FT035.eop-APC01.prod.protection.outlook.com
	(10.152.248.54) by HK2APC01HT100.eop-APC01.prod.protection.outlook.com
	(10.152.248.251) with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.302.6;
	Sat, 13 Jan 2018 02:11:09 +0000
Received: from PS2P216MB0179.KORP216.PROD.OUTLOOK.COM (10.152.248.52) by
	HK2APC01FT035.mail.protection.outlook.com (10.152.248.182) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.345.19 via
	Frontend Transport; Sat, 13 Jan 2018 02:11:09 +0000
Received: from PS2P216MB0179.KORP216.PROD.OUTLOOK.COM ([10.171.225.19]) by
	PS2P216MB0179.KORP216.PROD.OUTLOOK.COM ([10.171.225.19]) with mapi id
	15.20.0407.009; Sat, 13 Jan 2018 02:11:09 +0000
From: Damian Williamson <willtech@live.com.au>
To: nullius <nullius@nym.zone>, Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Thread-Topic: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret
	shared private key scheme)
Thread-Index: AQHTi7XyOL4NDlZYiUOH4MIN2TDy66NxDwIt
Date: Sat, 13 Jan 2018 02:11:08 +0000
Message-ID: <PS2P216MB01793245561CC130C6FEEC9A9D140@PS2P216MB0179.KORP216.PROD.OUTLOOK.COM>
References: <CAAS2fgR-or=zksQ929Muvgr=sgzNSugGp669ZWYC6YkvEG=H5w@mail.gmail.com>
	<ae570ccf-3a2c-a11c-57fa-6dad78cfb1a5@satoshilabs.com>
	<CAAS2fgRQvpa8VXE8YAYSfugDvCu=1+5ANsGk1V_OXtHPGD=Ltw@mail.gmail.com>
	<vJsDz9YdeNQQ_PZRf5HP1W0FmcWyKHIuwN9QeNgN-WXCdQcRmXLtkQ3wfTO7YUCgG6AFgOkKeU6fdsGTKkGcnk-_OOY_jyNlfWkFQ31d2ZU=@protonmail.com>
	<20180109011335.GA22039@savin.petertodd.org>
	<274aad5c-4573-2fdd-f8b0-c6c2d662ab7c@gibsonic.org>
	<20180112095058.GA9175@savin.petertodd.org>,
	<3b45c17a256326b6b183587d9d15690c@nym.zone>
In-Reply-To: <3b45c17a256326b6b183587d9d15690c@nym.zone>
Accept-Language: en-AU, en-US
Content-Language: en-AU
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-incomingtopheadermarker: OriginalChecksum:70763BC61684C952FA189048988F42BB59FDB6DDDF39F06338B1E6ECB2624699;
	UpperCasedChecksum:DCC2C090462BEB07ED3C94844688AD4476BD77C0CE99C2FD85BAE75B717CD9FD;
	SizeAsReceived:7578; Count:46
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [7veiwha2tpjGZETERmic9q+AN4kfe99m]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HK2APC01HT100;
	6:ZrwWjRqAcS7oOyHJn6HilXJyjRYlCjHaRAp188qoUNPopRgYHh38qb/zlGCLkiCXUgZo+PdcV79NOk8cHZScCDPxC2K7zHn5000ky369a98k2SsY103QBUm7rC+WQJKdmgeDbuDaejLrKnvow1/nWPqWyt36Djh03B2v1eUdR2UGQqTMLja7BolK0rCMjP2ItOGFHPeN6gD+zasnUsHTWzFPQN80yHcTrdyy5SijZKNIX3RC7XA9WSBAucHs8incpG1LWoue2mLijMPlvE5YKQMHAP3iR7aDlzF2+HxGVObj0jVI8z552tu63Vv+0WCuQ/cv3/+yUebCIXEiRYgfo0eD3Fm9NIj1hq28q9FruGA=;
	5:6CPy0GCeWvmMaks21Wb3XwVm3UV9SPc7opt/IY9dYkFseh6RazdizAd83fHphHR/HeY2IM57QF3g/ZvEa8GSO8ZXEWur/v3cOGeK1fZEVK3byzFcmcUbVxqy8ofwnimuZR6banyU0HvA2QhriQSuXxBuplbATmF+o8VEIy/dWuw=;
	24:wyYIOz5pdfMHa2ls/Ra5y9ja7xpD0fKXcEuOxAYXCqlYmlGd2KsGDpDuhlPcnhj7nZQjAOmOYGO+a+ngok1lDYKskKqnivkwXVQyYTSIORw=;
	7:Q0MTwASLBEoefRf/viu7/L7iHJJrlDsW3HgDg2CVRgsG2H2tY6phTY9MBaPw+5jmIGfDdErfRX9xqWnu5uS4D8vidAJtPH47H4YqNpfWr2IZKeWZNcxr/yWqMCPqkws45Ng/W6bcc7rbwqp3KMdwRenpEKiEX9ioayDwQ3dVnkrnTyYESdKmNqWWlSsQG2k5/EQNpdomDxP+eiy+74wOIpP3XYS4xeDj8pgMgdVZiv2Pi5aYeCjTaoZsgUbQKC3r
x-incomingheadercount: 46
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0;
	RULEID:(7020090)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125374)(1701031045);
	SRVR:HK2APC01HT100; 
x-ms-traffictypediagnostic: HK2APC01HT100:
x-ms-office365-filtering-correlation-id: 45d0f5f1-0150-45e5-bba4-08d55a2ae92e
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031);
	SRVR:HK2APC01HT100; BCL:0; PCL:0;
	RULEID:(100000803101)(100110400095); SRVR:HK2APC01HT100; 
x-forefront-prvs: 05514B7026
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT;
	SFP:1901; SCL:1; SRVR:HK2APC01HT100;
	H:PS2P216MB0179.KORP216.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative;
	boundary="_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 45d0f5f1-0150-45e5-bba4-08d55a2ae92e
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2018 02:11:08.9604 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK2APC01HT100
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Sat, 13 Jan 2018 04:18:45 +0000
Subject: Re: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret
 shared private key scheme)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jan 2018 02:11:13 -0000

--_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

The same problems exist for users of whole disk encrypted operating systems=
. Once the device (or, the initial password authentication) is found, the a=
dversary knows that there is something to see. The objective of plausible d=
eniability is to present some acceptable (plausible) alternative while keep=
ing the actual hidden (denied).


If the adversary does not believe you, you do indeed risk everything.


Regards,

Damian Williamson

________________________________
From: bitcoin-dev-bounces@lists.linuxfoundation.org <bitcoin-dev-bounces@li=
sts.linuxfoundation.org> on behalf of nullius via bitcoin-dev <bitcoin-dev@=
lists.linuxfoundation.org>
Sent: Friday, 12 January 2018 10:06:33 PM
To: Peter Todd; Bitcoin Protocol Discussion
Subject: [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret shared=
 private key scheme)

On 2018-01-12 at 09:50:58 +0000, Peter Todd <pete@petertodd.org> wrote:
>On Tue, Jan 09, 2018 at 12:43:48PM +0000, Perry Gibson wrote:
>>>Trezor's "plausible deniability" scheme could very well result in you
>>>going to jail for lying to border security, because it's so easy for
>>>them to simply brute force alternate passwords based on your seeds.
>>>With that, they have proof that you lied to customs, a serious
>>>offense.
>>The passphrase scheme as I understand it allows a maximum of 50
>>characters to be used.  Surely even with the HD seed, that search
>>space is too large to brute force.  Or is there a weakness in the
>>scheme I haven't clocked?
>
>While passphrases *can* be long, most user's aren't going to understand
>the risk. For example, Trezors blog(1) doesn't make it clear that the
>passphrases could be bruteforced and used as evidence against you, and
>even suggests the contrary:  [...quote...]

I despise the term =93plausible deniability=94; and that=92s really the wro=
ng
term to use in this discussion.

=93Plausible deniability=94 is a transparent excuse for explaining away an
indisputable fact which arouses suspicion=97when you got some serious
=92splain=92 to do.  This is usually used in the context of some pseudolega=
l
argument about introducing =93reasonable doubt=94, or even making =93probab=
le
cause=94 a wee bit less probable.

=93Why yes, officer:  I was seen carrying an axe down the street near the
site of an axe murder, at approximately the time of said axe murder.
But I do have a fireplace; so it is plausible that I was simply out
gathering wood.=94

I rather suspect the concept of =93plausible deniability=94 of having been
invented by a detective or agent provocateur.  There are few concepts
more useful for helping suspects shoot themselves in the foot, or
frankly, for entrapping people.

One of the worst examples I have seen is in discussions of Monero,
whereby I=92ve seen proponents claim that even under the worst known
active attacks, their mix scheme reduces transaction linking to a
maximum of 20=9640% probability.  =93That=92s not good enough to convince a
jury!=94  No, but it is certainly adequate for investigators to identify
you as a person of interest.  Then, your (mis)deeds can be subjected to
powerful confirmation attacks based on other data; blockchains do not
exist in isolation.  I usually stay out of such discussions; for I have
no interest in helping the sorts of people whose greatest concern in
life is what story to foist on a jury.

In the context of devices such as Trezor, what is needed is not
=93plausible deniability=94, but rather the ability to obviate any need to
deny anything at all.  I must repeat, information does not exist in
isolation.

If you are publicly known to be deepy involved in Bitcoin, then nobody
will believe that your one-and-only wallet contains only 0.01 BTC.
That=92s not even =93plausible=94.  But if you have overall privacy practic=
es
which leave nobody knowing or suspecting that you have any Bitcoin at
all, then there is nothing to =93deny=94; and should a Trezor with
(supposedly) 0.01 BTC be found in your possession, that=92s much better
than =93plausible=94.  It=92s completely unremarkable.

Whereas if you are known or believed to own large amounts of BTC, a
realistic bad guy=92s response to your =93decoy=94 wallet could be, =93I do=
n=92t
believe you; and it costs me nothing to keep beating you with rubber
hose until you tell me the *real* password.=94

It could be worse, too.  In a kidnapping scenario, the bad guys could
say, =93I don=92t believe you.  Hey, I also read Trezor=92s website about
=91plausible deniability=92.  Now, I will maim your kid for life just to
test whether you told me the *real* password.  And if you still don=92t
tell me the real password after you see that little Johnny can no longer
walk, then I will kill him.=94

The worst part is that you have no means of proving that you really
*did* give the real password.  Indeed, it can be proved if you=92re lying
by finding a password which reveals a hidden wallet=97but *you* have no
means of affirmatively proving that you are telling the truth!  If the
bad guys overestimated your riches (or if they=92re in a bad mood), then
little Johnny is dead either way.

In a legalistic scenario, if =93authorities=94 believe you have 1000 BTC an=
d
you only reveal a password for 0.01 BTC, the likely response will not be
to let you go.  Rather, =93You will now sit in jail until you tell the
*real* password.=94  And again:  You have no means of proving that you did
give the real password!

=93Plausible deniability=94 schemes can backfire quite badly.

>Also note how this blog doesn't mention anti-forensics: the wallet
>software itself may leave traces of the other wallets on the computer.
>Have they really audited it sufficiently to be sure this isn't the
>case?

What about data obtained via the network?  I don=92t *only* refer to
dragnet surveillance.  See for but one e.g., Goldfelder, et al., =93When
the cookie meets the blockchain:  Privacy risks of web payments via
cryptocurrencies=94 https://arxiv.org/abs/1708.04748  Your identity can be
tied to your wallet all sorts of ways, any of which could be used to
prove that you have more Bitcoin than you=92re revealing.  Do you know
what databases of cross-correlated analysis data customs agents have
immediate access to nowadays=97or will, tomorrow?  I don=92t.

In the scenario under discussion, that may not immediately prove =93beyond
a reasonable doubt=94 that you lied specifically about your Trezor.  But
it could give plenty of cause to keep you locked up in a small room
while your hard drive is examined for evidence that Trezor apps handled
*addresses already known to be linked to you*.  Why even bother with
bruteforce?  Low-hanging fruit abound.

>1) https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphras=
es-f2e0834026eb

--
nullius@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)  (PGP RSA: 0x36EBB4AB699A10EE)
=93=91If you=92re not doing anything wrong, you have nothing to hide.=92
No!  Because I do nothing wrong, I have nothing to show.=94 =97 nullius

--_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
<style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;font=
-family:Calibri,Helvetica,sans-serif;" dir=3D"ltr">
<p style=3D"margin-top:0;margin-bottom:0">The same problems exist for users=
 of whole disk encrypted operating systems. Once the device (or, the initia=
l password authentication) is found, the adversary knows that there is some=
thing to see. The objective of plausible
 deniability is to present some acceptable (plausible) alternative while ke=
eping the actual hidden (denied).</p>
<p style=3D"margin-top:0;margin-bottom:0"><br>
</p>
<p style=3D"margin-top:0;margin-bottom:0">If the adversary does not believe=
 you, you do indeed risk everything.</p>
<p style=3D"margin-top:0;margin-bottom:0"><br>
</p>
<p style=3D"margin-top:0;margin-bottom:0">Regards,</p>
<p style=3D"margin-top:0;margin-bottom:0">Damian Williamson<br>
</p>
</div>
<hr style=3D"display:inline-block;width:98%" tabindex=3D"-1">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" st=
yle=3D"font-size:11pt" color=3D"#000000"><b>From:</b> bitcoin-dev-bounces@l=
ists.linuxfoundation.org &lt;bitcoin-dev-bounces@lists.linuxfoundation.org&=
gt; on behalf of nullius via bitcoin-dev &lt;bitcoin-dev@lists.linuxfoundat=
ion.org&gt;<br>
<b>Sent:</b> Friday, 12 January 2018 10:06:33 PM<br>
<b>To:</b> Peter Todd; Bitcoin Protocol Discussion<br>
<b>Subject:</b> [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret=
 shared private key scheme)</font>
<div>&nbsp;</div>
</div>
<div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt;=
">
<div class=3D"PlainText">On 2018-01-12 at 09:50:58 &#43;0000, Peter Todd &l=
t;pete@petertodd.org&gt; wrote:<br>
&gt;On Tue, Jan 09, 2018 at 12:43:48PM &#43;0000, Perry Gibson wrote:<br>
&gt;&gt;&gt;Trezor's &quot;plausible deniability&quot; scheme could very we=
ll result in you <br>
&gt;&gt;&gt;going to jail for lying to border security, because it's so eas=
y for <br>
&gt;&gt;&gt;them to simply brute force alternate passwords based on your se=
eds.&nbsp; <br>
&gt;&gt;&gt;With that, they have proof that you lied to customs, a serious =
<br>
&gt;&gt;&gt;offense.<br>
&gt;&gt;The passphrase scheme as I understand it allows a maximum of 50 <br=
>
&gt;&gt;characters to be used.&nbsp; Surely even with the HD seed, that sea=
rch <br>
&gt;&gt;space is too large to brute force.&nbsp; Or is there a weakness in =
the <br>
&gt;&gt;scheme I haven't clocked?<br>
&gt;<br>
&gt;While passphrases *can* be long, most user's aren't going to understand=
 <br>
&gt;the risk. For example, Trezors blog(1) doesn't make it clear that the <=
br>
&gt;passphrases could be bruteforced and used as evidence against you, and =
<br>
&gt;even suggests the contrary:&nbsp; [...quote...]<br>
<br>
I despise the term =93plausible deniability=94; and that=92s really the wro=
ng <br>
term to use in this discussion.<br>
<br>
=93Plausible deniability=94 is a transparent excuse for explaining away an =
<br>
indisputable fact which arouses suspicion=97when you got some serious <br>
=92splain=92 to do.&nbsp; This is usually used in the context of some pseud=
olegal <br>
argument about introducing =93reasonable doubt=94, or even making =93probab=
le <br>
cause=94 a wee bit less probable.<br>
<br>
=93Why yes, officer:&nbsp; I was seen carrying an axe down the street near =
the <br>
site of an axe murder, at approximately the time of said axe murder.&nbsp; =
<br>
But I do have a fireplace; so it is plausible that I was simply out <br>
gathering wood.=94<br>
<br>
I rather suspect the concept of =93plausible deniability=94 of having been =
<br>
invented by a detective or agent provocateur.&nbsp; There are few concepts =
<br>
more useful for helping suspects shoot themselves in the foot, or <br>
frankly, for entrapping people.<br>
<br>
One of the worst examples I have seen is in discussions of Monero, <br>
whereby I=92ve seen proponents claim that even under the worst known <br>
active attacks, their mix scheme reduces transaction linking to a <br>
maximum of 20=9640% probability.&nbsp; =93That=92s not good enough to convi=
nce a <br>
jury!=94&nbsp; No, but it is certainly adequate for investigators to identi=
fy <br>
you as a person of interest.&nbsp; Then, your (mis)deeds can be subjected t=
o <br>
powerful confirmation attacks based on other data; blockchains do not <br>
exist in isolation.&nbsp; I usually stay out of such discussions; for I hav=
e <br>
no interest in helping the sorts of people whose greatest concern in <br>
life is what story to foist on a jury.<br>
<br>
In the context of devices such as Trezor, what is needed is not <br>
=93plausible deniability=94, but rather the ability to obviate any need to =
<br>
deny anything at all.&nbsp; I must repeat, information does not exist in <b=
r>
isolation.<br>
<br>
If you are publicly known to be deepy involved in Bitcoin, then nobody <br>
will believe that your one-and-only wallet contains only 0.01 BTC.&nbsp; <b=
r>
That=92s not even =93plausible=94.&nbsp; But if you have overall privacy pr=
actices <br>
which leave nobody knowing or suspecting that you have any Bitcoin at <br>
all, then there is nothing to =93deny=94; and should a Trezor with <br>
(supposedly) 0.01 BTC be found in your possession, that=92s much better <br=
>
than =93plausible=94.&nbsp; It=92s completely unremarkable.<br>
<br>
Whereas if you are known or believed to own large amounts of BTC, a <br>
realistic bad guy=92s response to your =93decoy=94 wallet could be, =93I do=
n=92t <br>
believe you; and it costs me nothing to keep beating you with rubber <br>
hose until you tell me the *real* password.=94<br>
<br>
It could be worse, too.&nbsp; In a kidnapping scenario, the bad guys could =
<br>
say, =93I don=92t believe you.&nbsp; Hey, I also read Trezor=92s website ab=
out <br>
=91plausible deniability=92.&nbsp; Now, I will maim your kid for life just =
to <br>
test whether you told me the *real* password.&nbsp; And if you still don=92=
t <br>
tell me the real password after you see that little Johnny can no longer <b=
r>
walk, then I will kill him.=94<br>
<br>
The worst part is that you have no means of proving that you really <br>
*did* give the real password.&nbsp; Indeed, it can be proved if you=92re ly=
ing <br>
by finding a password which reveals a hidden wallet=97but *you* have no <br=
>
means of affirmatively proving that you are telling the truth!&nbsp; If the=
 <br>
bad guys overestimated your riches (or if they=92re in a bad mood), then <b=
r>
little Johnny is dead either way.<br>
<br>
In a legalistic scenario, if =93authorities=94 believe you have 1000 BTC an=
d <br>
you only reveal a password for 0.01 BTC, the likely response will not be <b=
r>
to let you go.&nbsp; Rather, =93You will now sit in jail until you tell the=
 <br>
*real* password.=94&nbsp; And again:&nbsp; You have no means of proving tha=
t you did <br>
give the real password!<br>
<br>
=93Plausible deniability=94 schemes can backfire quite badly.<br>
<br>
&gt;Also note how this blog doesn't mention anti-forensics: the wallet <br>
&gt;software itself may leave traces of the other wallets on the computer.&=
nbsp; <br>
&gt;Have they really audited it sufficiently to be sure this isn't the <br>
&gt;case?<br>
<br>
What about data obtained via the network?&nbsp; I don=92t *only* refer to <=
br>
dragnet surveillance.&nbsp; See for but one e.g., Goldfelder, et al., =93Wh=
en <br>
the cookie meets the blockchain:&nbsp; Privacy risks of web payments via <b=
r>
cryptocurrencies=94 <a href=3D"https://arxiv.org/abs/1708.04748">https://ar=
xiv.org/abs/1708.04748</a>&nbsp; Your identity can be
<br>
tied to your wallet all sorts of ways, any of which could be used to <br>
prove that you have more Bitcoin than you=92re revealing.&nbsp; Do you know=
 <br>
what databases of cross-correlated analysis data customs agents have <br>
immediate access to nowadays=97or will, tomorrow?&nbsp; I don=92t.<br>
<br>
In the scenario under discussion, that may not immediately prove =93beyond =
<br>
a reasonable doubt=94 that you lied specifically about your Trezor.&nbsp; B=
ut <br>
it could give plenty of cause to keep you locked up in a small room <br>
while your hard drive is examined for evidence that Trezor apps handled <br=
>
*addresses already known to be linked to you*.&nbsp; Why even bother with <=
br>
bruteforce?&nbsp; Low-hanging fruit abound.<br>
<br>
&gt;1) <a href=3D"https://blog.trezor.io/hide-your-trezor-wallets-with-mult=
iple-passphrases-f2e0834026eb">
https://blog.trezor.io/hide-your-trezor-wallets-with-multiple-passphrases-f=
2e0834026eb</a><br>
<br>
-- <br>
nullius@nym.zone | PGP ECC: 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C<br>
Bitcoin: bc1qcash96s5jqppzsp8hy8swkggf7f6agex98an7h | (Segwit nested:<br>
3NULL3ZCUXr7RDLxXeLPDMZDZYxuaYkCnG)&nbsp; (PGP RSA: 0x36EBB4AB699A10EE)<br>
=93=91If you=92re not doing anything wrong, you have nothing to hide.=92<br=
>
No!&nbsp; Because I do nothing wrong, I have nothing to show.=94 =97 nulliu=
s<br>
</div>
</span></font></div>
</body>
</html>

--_000_PS2P216MB01793245561CC130C6FEEC9A9D140PS2P216MB0179KORP_--