2023-06-07 17:08:32

Thomas Voegtlin [ARCHIVE] on Nostr:

📅 Original date posted: 2013-11-02
📝 Original message:

> To be specific, we (in cooperation with / inspired by Timo Hanke)
> developed a method to prove that the seed generated by Trezor has
> been created using a combination of computer-provided entropy and
> device-provided entropy, without leaking full private information to
> the other computer, just because we want Trezor to be blackbox-testable
> and fully deterministic (seed generation is currently the only
> operation which uses any source of RNG).
>

Thanks for the explanation. Here is how I understand how it works,
please correct me if I'm wrong:

The user's computer picks a random number a, the Trezor picks a random
number b.
Trezor adds a and b in the secp256k1 group, and this creates a master
private key k.
Trezor sends the corresponding master public key K to the computer.
Thus, the computer can check that K was derived from a, without knowing b.
This also allows the computer to check that any bitcoin address derived
from K is derived from a, without leaking b. (and reciprocally)

However, it seems to me that this property will work only with bip32
public derivations; if a private derivation is used, don't you need to
know k?
Author Public Key
npub10f96gqrsu4qpygfgvuvzce47aavjvql703egfde0l2hua8dzpszs67ej47
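
The exchange as described in the message above, as an added sketch that is not part of the original post or Trezor's code: the device computes k = a + b and K = k·G, and the host checks K = a·G + B. It assumes the device also sends the point B = b·G, a step the post does not spell out; the function names and sample entropy are constructed.

```python
import hashlib

# secp256k1 domain parameters (public constants of the curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Add two curve points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p2 is the inverse of p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point=G):
    """Double-and-add multiplication; not constant time, illustration only."""
    result = None
    k %= N
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result

def device_generate(a, b):
    """Device side: mix host entropy a with device entropy b."""
    k = (a + b) % N                      # master private key, never leaves the device
    return k, scalar_mult(b), scalar_mult(k)   # (k, B, K); only B and K are sent

def host_verify(a, B, K):
    """Host side: check K = a*G + B using a and public points only (assumed check)."""
    return K == point_add(scalar_mult(a), B)

# Constructed sample entropy, for demonstration only.
SAMPLE_A = int.from_bytes(hashlib.sha256(b"constructed host entropy").digest(), "big") % N
SAMPLE_B = int.from_bytes(hashlib.sha256(b"constructed device entropy").digest(), "big") % N

if __name__ == "__main__":
    _, B, K = device_generate(SAMPLE_A, SAMPLE_B)
    print("host accepts K:", host_verify(SAMPLE_A, B, K))
```

The host never sees b or k; a K that does not incorporate a fails the check.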