Gregory Maxwell [ARCHIVE] on Nostr:
📅 Original date posted: 2018-01-10
📝 Original message:
On Wed, Jan 10, 2018 at 8:28 PM, Pavol Rusnak <stick at satoshilabs.com> wrote:
> On 09/01/18 16:12, Pavol Rusnak via bitcoin-dev wrote:
>> On 09/01/18 00:47, Gregory Maxwell wrote:
>>> Have you considered using blind host-delegated KDFs, where the KDF
>>> runs on the user's computer instead of the hardware wallet, but the
>>> computer doesn't learn anything about the keys?
>>
>> Any examples of these?
Yes, this scheme.
https://bitcointalk.org/index.php?topic=311000.msg3342217#msg3342217
> Actually, scratch that. HW wallet would not know whether the host
> computer is lying or not. The computer would not learn about the keys,
> but still could be malicious and provide an invalid result. Is that correct?
I believe that can be avoided by having the computer do somewhat more
work and checking the consistency after the fact.
(or for decode time, having a check value under the encryption...)