Oddbean
The point is the signature nonce, not the private key itself.
The signature is worthless without the private key 🤷‍♂️
The signature can leak the private key to an attacker via the nonce :)
Interesting. Would that require physical possession, though?
 Nope, just compromised firmware/hardware. 
It seems like the trade-off is to either trust your wallet software not to generate a leaking nonce, or to trust your hardware wallet not to leak via the nonce. IMO trusting the hardware wallet is the better option, as that is the device you are already trusting not to be compromised.
Nope! There's no trade-off: what I'm proposing means you can trust that *both* need to be compromised, instead of just the hardware wallet.
 Interesting. This is definitely above my technical expertise, but good to see this being discussed. 
I think we can all agree that any hardware wallet (Ledger included 🤢) is better than trusting custodians.
Ah okay. So you're saying the hardware wallet would use the nonce unless it thought the nonce was leaking, in which case it wouldn't sign. The change is just that software _could_ specify the nonce to use as an additional security measure.
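A worked example of the claim earlier in the thread that a signature can leak the private key through its nonce, and of why the nonce (rather than the key) is what the later replies are arguing over. This is added here and is not code from any poster or wallet vendor; it implements textbook ECDSA over secp256k1 in plain Python so it runs offline, with constructed keys and messages. It shows two failure modes a compromised signer can produce: a nonce the attacker learns (leaked by firmware), and a nonce used twice (which an attacker detects from the repeated `r` value and solves for). In both cases the private key falls out by algebra from public signatures.

```python
"""
Added example: how an ECDSA nonce leaks the private key.
Pure-Python secp256k1 (no dependencies). Keys/messages are constructed.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _inv(a, m):
    return pow(a, -1, m)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def hash_msg(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA with a caller-chosen nonce k, so a bad signer can be modelled."""
    z = hash_msg(msg)
    r = _mul(k, G)[0] % N
    s = _inv(k, N) * (z + r * d) % N
    assert r != 0 and s != 0
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    z = hash_msg(msg)
    w = _inv(s, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_from_known_nonce(msg, sig, k):
    """s = k^-1 (z + r d)  =>  d = (s k - z) r^-1 mod N."""
    r, s = sig
    z = hash_msg(msg)
    return (s * k - z) * _inv(r, N) % N


def recover_from_reused_nonce(msg1, sig1, msg2, sig2):
    """Same k gives same r; then k = (z1 - z2) / (s1 - s2) mod N."""
    r1, s1 = sig1
    r2, s2 = sig2
    assert r1 == r2, "nonce reuse shows up as an identical r"
    z1, z2 = hash_msg(msg1), hash_msg(msg2)
    k = (z1 - z2) * _inv(s1 - s2, N) % N
    return recover_from_known_nonce(msg1, sig1, k)


def demo():
    d = secrets.randbelow(N - 1) + 1           # constructed private key
    pub = _mul(d, G)
    m1, m2 = b"spend 1 BTC", b"spend 100 BTC"  # constructed messages
    k = secrets.randbelow(N - 1) + 1           # nonce a bad signer reuses/leaks
    sig1 = sign(d, m1, k)
    sig2 = sign(d, m2, k)
    assert verify(pub, m1, sig1) and verify(pub, m2, sig2)
    return {
        "known_nonce_recovers_key": recover_from_known_nonce(m1, sig1, k) == d,
        "reused_nonce_recovers_key": recover_from_reused_nonce(m1, sig1, m2, sig2) == d,
    }


if __name__ == "__main__":
    print(demo())
```

The `sign` function takes the nonce as a parameter precisely because that is the knob under discussion: whoever chooses `k` (firmware, or host software, or a combination of both) chooses whether the signature is safe, and the signatures themselves look perfectly valid to a verifier either way.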