 In general don’t use a device dedicated to storing bitcoin to store bitcoin. Any hardware wallet that isn’t (a) exclusively multisig or (b) designed not to be able to leak your keys via the nonce (I believe only bitboxv2 and Jade) should be considered incompetent at best. 
 @Portland.HODL thoughts? 
 No private keys were extracted from the Coldcard. 
 What do you think of coldcard? 
 CC just got their seed extracted. 
 By who?

More info please  
 Jade does not have a secure element as far as I know. I know only #coldcard and #foundationdevices to be most secure. 
 💯 
 I want to know what you mean but this note is confusing. Can you clarify? 🤙 
 SeedSigner 💪 
 Fantastic advice matt, really helping. 
 So why haven’t you implemented provable randomness in the nonce yet? https://damus.io/note1xl5tvtlr9tc9yhyfcy28a4f9uglth9r320y80gp5sadlwsqrkxlszh5gkl 
 Because it breaks the air gap barrier and it's pointless over engineering 
 Can’t you generate your own provable randomness with 256 dice rolls with the cold card? Seems Matt is way off-base here. 
 Point is the signature nonce, not the private key itself 
 Signature is worthless without the private key 🤷‍♂️ 
 Signature can leak the private key to an attacker via the nonce :) 
 Interesting. Would require physical possession though? 
 Nope, just compromised firmware/hardware. 
 It seems like the trade-off is either to trust your wallet software not to generate a leaking nonce, or to trust your hardware wallet not to leak via the nonce. IMO trusting the hardware wallet is the better option, as that is the device you are already trusting not to be compromised. 
 Nope! There’s no trade-off. What I’m proposing allows you to trust that *both* need to be compromised, instead of just the hardware wallet. 
 Interesting. This is definitely above my technical expertise, but good to see this being discussed. 
I think we can all agree that any hardware wallet (ledger included 🤢) are better than trusting custodians 
 Ah okay. So you’re saying hardware wallet would use the nonce unless it thought the nonce was leaking, in which case it wouldn’t sign. The change is just that software _could_ specify the nonce to use as an additional security measure 
 Matt is not willing to understand that there are better trade-offs that are practical. And he never read our design docs. 
 The “air gap barrier” isn’t broken lol. The computer is sending instructions (in the form of amount/address) and the hardware wallet is responding. I’m just saying add a nonce to those instructions. 
 🙄 
 If the HW device doesn't simply use the provided nonce as-is (seems undesirable due to the sensitivity of nonces), can't the HW device still grind its portion of the nonce to exfil?

It seems like an extra round of communication is unavoidable? (but likely worthwhile!) 
 Nope! The magic of XOR (or pre-committed EC points) is that neither gets a “part” but rather the full thing is random if either input is fully random. 
 @NVK could you address this next pod episode? 
 Did you type this drunk? 
 Seems oddly bait-and-switch given RFC6979 advises using a deterministic nonce (which secp256k1 has ECDSA support for, and which Coldcard Mk4 uses?), while folks are trying to redo nonce impls for Schnorr signing because DN

https://github.com/randombit/botan/issues/2939

https://github.com/BlockstreamResearch/secp256k1-zkp/issues/172

https://github.com/bitcoin-core/secp256k1/pull/1140

Btw, you can also do a deterministic build of the Coldcard firmware and flash it. 
 Problem is you have a device that you cannot realistically audit the supply chain of, and which is at incredibly high risk of supply chain attacks. Deterministic nonces are great, but they’re not auditable: there’s a high risk of the machine telling you it’s using a deterministic nonce when it is instead leaking your private key with an attacker-derivable nonce!

The point of deterministic nonces is “include a hash of the private key and message in the nonce so that you know you didn’t screw up”. That’s great, but you can also build on top of it. The computer driving the hardware wallet can input randomness which the hardware wallet can prove was incorporated into the selected nonce. This allows the device to prove to the computer that it’s not leaking your private key, requiring an attacker to compromise *both* your computer and the device, not just the device!

Hardware wallets that don’t use such a protocol should absolutely be considered, at best, incompetent, maybe malicious. 
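To make the protocol discussed above concrete, here is an added, self-contained Python model of it; this is example code written for this page, not code from Matt, Coldcard, or any wallet vendor. It shows the pre-committed-EC-point variant: the device first sends a commitment R0 = k0*G to its deterministic base nonce, the host then sends 32 random bytes, the device signs with k = k0 + H(R0 || host_rand), and the host verifies from the signature alone that the nonce point really equals R0 + H(R0 || host_rand)*G. Alongside it runs a backdoored device whose nonce is derived from a constant the attacker knows, showing both that a single signature hands the attacker the private key and that the same signature fails the host check. Assumptions: secp256k1 arithmetic is implemented inline (pure Python, unhardened, for illustration only); the base nonce is HMAC-SHA256(priv, z) rather than the full RFC 6979 procedure; the extra host pre-commitment round that the real anti-exfil design uses is omitted; all keys, digests and the "firmware constant" are constructed values.

```python
import hashlib
import hmac

# secp256k1 domain parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p=G):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p = add(p, p)
        k >>= 1
    return r

def hash_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def point_bytes(pt):  # compressed SEC1 encoding, used when hashing a point
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def ecdsa_sign(priv, z, k):
    r = mul(k)[0] % N
    return (r, pow(k, -1, N) * (z + r * priv) % N)

def recover_R(pub, z, sig):
    """Recompute the nonce point k*G = s^-1 * (z*G + r*pub) from a signature."""
    r, s = sig
    w = pow(s, -1, N)
    return add(mul(z * w % N), mul(r * w % N, pub))

def ecdsa_verify(pub, z, sig):
    R = recover_R(pub, z, sig)
    return R is not None and R[0] % N == sig[0]

def device_commit(priv, z):
    """Step 1: device derives a deterministic base nonce k0 and commits to R0 = k0*G."""
    # Simplified RFC 6979-style derivation: HMAC-SHA256(priv, z) (assumption, not the full RFC).
    k0 = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256").digest(), "big") % N
    return k0, mul(k0)

ATTACKER_SECRET = b"constant baked into backdoored firmware"  # constructed

def device_sign(priv, z, k0, R0, host_rand, backdoored=False):
    """Step 3: honest device signs with k = k0 + H(R0 || host_rand).
    A backdoored device ignores the protocol and uses a nonce its author can recompute."""
    if backdoored:
        k = hash_int(ATTACKER_SECRET, z.to_bytes(32, "big")) % N
    else:
        k = (k0 + hash_int(point_bytes(R0), host_rand)) % N
    return ecdsa_sign(priv, z, k)

def host_verify(pub, z, sig, R0, host_rand):
    """Step 4: host checks the signature AND that its nonce point is R0 + H(R0 || host_rand)*G."""
    R = recover_R(pub, z, sig)
    t = hash_int(point_bytes(R0), host_rand) % N
    return ecdsa_verify(pub, z, sig) and R == add(R0, mul(t))

def attacker_recover_key(z, sig):
    """With the nonce known, priv = (s*k - z) / r mod N falls out of a single signature."""
    r, s = sig
    k = hash_int(ATTACKER_SECRET, z.to_bytes(32, "big")) % N
    return (s * k - z) * pow(r, -1, N) % N

def run(priv, z, host_rand, backdoored):
    """One full exchange (commit -> host randomness -> sign -> host check) plus the attacker's view."""
    pub = mul(priv)
    k0, R0 = device_commit(priv, z)
    sig = device_sign(priv, z, k0, R0, host_rand, backdoored)
    return {"valid": ecdsa_verify(pub, z, sig),
            "passes_host_check": host_verify(pub, z, sig, R0, host_rand),
            "key_leaked": attacker_recover_key(z, sig) == priv}

if __name__ == "__main__":
    import secrets
    priv, z, rand = secrets.randbelow(N - 1) + 1, hash_int(b"constructed tx digest"), secrets.token_bytes(32)
    print(run(priv, z, rand, backdoored=False), run(priv, z, rand, backdoored=True))
```

Both devices produce signatures that verify against the public key, so a plain ECDSA check cannot tell them apart; only the host check, which needs the randomness the host itself contributed, rejects the backdoored one. Because R0 is fixed before host_rand exists, the device cannot steer k toward a value the attacker can derive unless the host is compromised too, which is the "both must be compromised" property argued for above. Two things a real implementation must handle that this model skips: the host pre-commits to its randomness before seeing R0 (so a malicious host cannot bias the device's nonce either), and BIP-62-style low-s normalization negates R, so the host must compare against both R and -R.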
 FUD. Computers are worse in every respect.

People are not losing money on HWWs; they are losing it on computers. Even core devs with high skills have. 
 So your proposed alternative is the average user does what exactly—use airgapped laptops w/ bitcoin core for everything? 
 Hmm? No, the average user uses a hardware wallet and corresponding software control wallet which implements such a protocol completely transparently to them. 
 Most people today are using Sparrow with HWW of choice via PSBT (air-gapped or usb). Maybe specter after that… 
 Okay? Add an extension to the PSBT with requested nonce. This is really trivial stuff. 
 Agreed and we have suggested adding as a new field 🤝 
 interesting 
 Quality post! 😯 
 Interesting quote from @matt
Whenever I say that, people react like
Whaaat! How can you say this!!!
It is always difficult if people have already invested in these things.

but anyway

Thank you Matt for bringing me Light!

Mateusz

nostr:nevent1qqsfvf3e73qt44swyr657f0je682yzf0ev0fsgsmtdw6f99m7r63pfqpz3mhxue69uhhyetvv9ujumn0wd68ytnzvupzq0fw29ggdx0e3u8jhkl853dkw0rg0lnyyr6xdhpfdkgtjzx4r4v5qvzqqqqqqy2ghjsd