Return-Path: Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id C7E04C0177 for ; Sun, 22 Mar 2020 05:52:27 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id ABAD68765A for ; Sun, 22 Mar 2020 05:52:27 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dMLInTVX87qC for ; Sun, 22 Mar 2020 05:52:26 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-il1-f177.google.com (mail-il1-f177.google.com [209.85.166.177]) by whitealder.osuosl.org (Postfix) with ESMTPS id C5CD887657 for ; Sun, 22 Mar 2020 05:52:26 +0000 (UTC) Received: by mail-il1-f177.google.com with SMTP id r5so5310241ilq.6 for ; Sat, 21 Mar 2020 22:52:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=vmF7LGuMLXlPRqHZ40b6neEUbmYURFFW/Ot83+p1OZg=; b=aYw/V6TQJEg7YvJ2SU55ig1kD0b4DBXgAgq3XdNQuXAVju18cF+MUI07zosXXko3RV ePnqxGe7JTTS9igUi74LcptS2yB+KyLDwIJsHoTJR8U54KcTiV9MLTtIQvbgYORPTUbT r6Q39ioSW/i8d03+IgzfdO8c8VT/eC1BljCzHgVa/Mknm/dtnnNSKqGwjqK97jeunuBb 9Dr3gmT6N8rSSarpge1feOpoEdbOt59kkPazGyCppcVavqHcxeUG3kxlh3GkS7GRzVPF JzXso2oOC7a8qRaIAUa4mK95EGiUumgsjliqJwYtSzdR5lmYITiwVxXkn7yA5Ti6QCci Uz1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=vmF7LGuMLXlPRqHZ40b6neEUbmYURFFW/Ot83+p1OZg=; b=Fj/LhxOmQZyMzSVV4UiQe1T9nVOBRgCXZwvqfWJ9oP2116AVk+UI/o9p61aQYbLBSe Hpe/qzGLeCnQvUnwG+4AmxCbeptExHAwqP04ySEN/fN+vQx7DJP7WrqjNNMlXfnkQ/Aq 7Pkl0fE5YhuHYc9E8WqluN/gYPFfludvyiDXO8aX7Mzc8y7jBUntVCeo3MM6C1e1+j/C oTdiLm/ggzgOfOYz1oYOF5InpL0j4G/3Kh3B6XnMPN9pI24x2kZfv7H8atrmQ2kE5l0Z luWlyc0VD8bpAwT6MiIPZ/6yxlRp0OC/Q3N7fDVu7dbiU4TBUEvUmJ/C3chV/xj/w2BD L9IQ== X-Gm-Message-State: ANhLgQ38eVJDZyJ7hatnUfyaT6anEs35BEfRSz1+zsPz0WYwQUwIKQ/c CWgM5hhpgXaqpHveW3ekKXQXI8YB4Wcxo0NgfDA= X-Google-Smtp-Source: ADFU+vtY6Jh7tzuUwkJYYI3fcVaYpzeQlkMBLuxgqqrNOCXCwjBXJhWj7aLfM95K6MztXVaIvaSHjqmZuNljEtpPurQ= X-Received: by 2002:a92:b6d5:: with SMTP id m82mr15300717ill.17.1584856345927; Sat, 21 Mar 2020 22:52:25 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Lloyd Fournier Date: Sun, 22 Mar 2020 16:51:59 +1100 Message-ID: To: Pieter Wuille , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000084e44205a16b1f9b" X-Mailman-Approved-At: Sun, 22 Mar 2020 05:57:52 +0000 Subject: Re: [bitcoin-dev] BIP 340 updates: even pubkeys, more secure nonce generation X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Mar 2020 05:52:27 -0000 --00000000000084e44205a16b1f9b Content-Type: text/plain; charset="UTF-8" * To protect against differential power analysis, a different way of > mixing in this randomness is used (masking the private key completely > with randomness before continuing, rather than hashing them together, > which is known in the literature to be vulnerable to DPA in some > scenarios). > I think citation for this would improve the spec. I haven't studied these attacks but it seems to me that every hardware wallet would be vulnerable to them while doing key derivation. If the attacker can get side channel information from hashes in nonce derivation then they can surely get side channel information from hashes in HD key derivation. It should actually be easier since the master seed is hashed for anything the hardware device needs to do including signing. is this the case? LL --00000000000084e44205a16b1f9b Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


=
* To protect against diff= erential power analysis, a different way of
mixing in this randomness is used (masking the private key completely
with randomness before continuing, rather than hashing them together,
which is known in the literature to be vulnerable to DPA in some
scenarios).

I think citation for this w= ould improve the spec.

I haven't studied these= attacks but it seems to me that every hardware wallet would=C2=A0be vulner= able to them while doing key derivation. If the attacker can get side chann= el information from hashes in nonce derivation then they can surely get sid= e channel information from hashes in HD key derivation. It should actually = be easier since the master seed is hashed for anything the hardware device = needs to do including signing.

is this the case?

LL
--00000000000084e44205a16b1f9b--