Problem is you have a device that you cannot realistically audit the supply chain of, and which is at incredibly high risk of supply chain attacks. Deterministic nonces are great but they’re not auditable - there’s high risk of the machine telling you its doing a deterministic nonce when it is instead leaking your private key with an attacker-derivable nonce!

The point of deterministic nonces is “include a hash of the private key and message in the nonce so that you know you didn’t screw up”, that’s great, but you can also build on top. The computer driving the hardware wallet can input randomness which the hardware wallet can prove was incorporated into the selected nonce. This allows the device to prove to the computer its not leaking your private key, requiring an attacker to compromise *both* your computer and the device, not just the device!

Hardware wallets that don’t use such a protocol should absolutely be considered, at best, incompetent, maybe malicious. 

 FUD. Computers are worst in every respect.

Ppl are not losing money on HWW, they are on computers. Even core devs with high skills have. 

 So your proposed alternative is the average user does what exactly—use airgapped laptops w/ bitcoin core for everything? 

 Hmm? No, the average user uses a hardware wallet and corresponding software control wallet which implements such a protocol completely transparently to them. 

 Most people today are using Sparrow with HWW of choice via PSBT (air-gapped or usb). Maybe specter after that… 

 Okay? Add an extension to the PSBT with requested nonce. This is really trivial stuff. 

 Agreed and we have suggested adding as a new field 🤝 

 interesting 

 Quality post! 😯