Thomas Voegtlin [ARCHIVE] on Nostr: 📅 Original date posted:2013-11-02 📝 Original message:> To be specific, we (in ...
📅 Original date posted:2013-11-02
📝 Original message:
> To be specific, we (in cooperation with / inspired by Timo Hanke)
> developed a method to prove that the seed generated by Trezor has
> been created using a combination of computer-provided entropy and
> device-provided entropy, without leaking full private information to
> the other computer, just because we want Trezor to be blackbox-testable
> and fully deterministic (seed generation is currently the only
> operation which uses any source of RNG).
>
Thanks for the explanation. Here is how I understand how it works,
please correct me if I'm wrong:
The user's computer picks a random number a, the Trezor picks a random
number b.
Trezor adds a and b in the secp256k1 group, and this creates a master
private key k.
Trezor sends the corresponding master public key K to the computer.
Thus, the computer can check that K was derived from a, without knowing b.
This also allows the computer to check that any bitcoin address derived
from K is derived from a, without leaking b. (and reciprocally)
However, it seems to me that this property will work only with bip32
public derivations; if a private derivation is used, don't you need to
know k?
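The split-entropy scheme as described in this message, worked through as an added example (not code from the thread, from Trezor or from Electrum). It assumes the device also reveals B = b*G so the host can check K = a*G + B, and uses textbook secp256k1 arithmetic that is fine for illustration but not constant-time; it then shows the BIP32 point raised at the end: a non-hardened child can be derived and checked from K alone, while a hardened child needs k.

```python
import hashlib
import hmac

# secp256k1 domain parameters (standard curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, pt=G):  # double-and-add scalar multiplication (not constant-time)
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def ser(pt):  # 33-byte compressed encoding used by BIP32
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def combine(a, b):  # device side: k = a + b (mod n), K = k*G
    k = (a + b) % N
    return k, mul(k)

def computer_check(K, a, B):  # host side: knows a and B = b*G (assumed), never b
    return K == add(mul(a), B)

def ckd_pub(K, chain, i):  # BIP32 public derivation: parent pubkey suffices
    if i >= HARDENED:
        raise ValueError("hardened child needs the private key k")
    I = hmac.new(chain, ser(K) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return add(mul(int.from_bytes(I[:32], "big")), K), I[32:]

def ckd_priv(k, chain, i):  # BIP32 private derivation, hardened or not
    data = b"\x00" + k.to_bytes(32, "big") if i >= HARDENED else ser(mul(k))
    I = hmac.new(chain, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k) % N, I[32:]
```

Only the device can run ckd_priv for a hardened index, which is exactly why the host cannot audit hardened children from K alone.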