Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VcXlU-0004JD-AL for bitcoin-development@lists.sourceforge.net; Sat, 02 Nov 2013 09:45:08 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmx.de designates 212.227.17.20 as permitted sender) client-ip=212.227.17.20; envelope-from=thomasv1@gmx.de; helo=mout.gmx.net; Received: from mout.gmx.net ([212.227.17.20]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.76) id 1VcXlS-0000YP-CG for bitcoin-development@lists.sourceforge.net; Sat, 02 Nov 2013 09:45:08 +0000 Received: from [192.168.1.27] ([86.73.30.143]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MGS9o-1VPOcF38oC-00DH9e for ; Sat, 02 Nov 2013 10:44:59 +0100 Message-ID: <5274C99A.8060304@gmx.de> Date: Sat, 02 Nov 2013 10:44:58 +0100 From: Thomas Voegtlin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-Version: 1.0 To: bitcoin-development@lists.sourceforge.net References: <526BDEC2.2090709@gmx.de> <52721F47.30206@gmx.de> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:XYOZ73cXouOA8UpwLYRmUZMo6gxBpDDZhuESACmQHihuGQS3G4X fMtjO7QyrK+hLb5GNJVd+gPa5MxKblHWCf22ZzdzTTy7zqcxN2KKJ1EjH60pJ9JJFXCeQhz +DJpd5Lff7QSVtNXMY51UcF/Ce3jLrwEOPq8wjUUs48JWW+vpTGy27LjM6Y9VoaV5OVss4j dUFbhcb2ZY0TIMr84JFwQ== X-Spam-Score: -1.2 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [212.227.17.20 listed in list.dnswl.org] -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (thomasv1[at]gmx.de) -0.0 SPF_PASS SPF: sender matches SPF record 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (thomasv1[at]gmx.de) X-Headers-End: 1VcXlS-0000YP-CG Subject: Re: [Bitcoin-development] Proposal to replace BIP0039 X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Nov 2013 09:45:08 -0000 > To be specific, we (in cooperation with / inspired by Timo Hanke) > developed method how to prove that the seed generated by Trezor has > been created using combination of computer-provided entropy and > device-provided entropy, without leaking full private information to > other computer, just because we want Trezor to be blackbox-testable > and fully deterministic (seed generation is currently the only > operation which uses any source of RNG). > Thanks for the explanation. Here is how I understand how it works, please correct me if I'm wrong: The user's computer picks a random number a, the Trezor picks a random number b. Trezor adds a and b in the secp256k1 group, and this creates a master private key k. Trezor sends the corresponding master public key K to the computer. Thus, the computer can check that K was derived from a, without knowing b. This also allows the computer to check that any bitcoin address derived from K is derived from a, without leaking b. (and reciprocally) However, it seems to me that this property will work only with bip32 public derivations; if a private derivation is used, don't you need to know k?