Relating to the nonce side-channel attacks detailed in posts like this one by Blockstream, which references this mailing list post by Pieter Wuille. The idea is to add another layer of protection against a malicious hardware wallet by requiring it to prove that it incorporated some randomness provided by the software wallet that is used to broadcast the signed transaction.
Comparing the anti-exfil protocol to deterministic nonces, Pieter says:
In case HW uses a deterministic algorithm, it's possible to protect against the MHW case by spot checking HW's behavior, by using an externally known secret/seed. However, we would want to have better than just spot checking security, and for protection against side-channel attacks we would want something that keeps working even when randomness is used by HW.
But that is precisely what I like about the deterministic nonce. I can buy as many hardware wallets as I want to verify that they all produce the same signature. And even test it against some airgapped software wallets like Electrum. I could even write my own simplistic RFC6979-compliant wallet in Python to verify that the signature is the same.
1. With a deterministic nonce, there is no limit to the number of hardware and software wallets with which I can sign the same transaction to verify that the signature is the same. With anti-exfil, I'm limited to only the one HW and the one SW used to broadcast the transaction and must hope that at least one of them is not compromised.
2. The whole idea of hardware wallets is that we consider them safer than the software wallet/hot machine. So surely 2 hardware wallets (used to verify that the deterministic signature matches) are safer than one hardware and one software wallet as mentioned in point #1?
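
As an added illustration (not part of the original question, and not Blockstream's or Pieter Wuille's code), the following pure-Python script does what the question's last paragraph describes: it derives the nonce per RFC 6979 with HMAC-SHA256, signs over secp256k1 with low-S normalization, and then "spot checks" several independent signers by comparing their signatures on the same message. The signer functions stand in for separate hardware or software wallets that all hold the same key; `random_nonce_sign` is a constructed stand-in for a device that deviates from the deterministic scheme (its signatures still verify, so only the comparison catches it). The expected nonce and signature for private key 1 and the message "Satoshi Nakamoto" are the widely published secp256k1 RFC 6979 test values; the second private key is an arbitrary constructed value. The curve arithmetic is not constant-time and is for illustration only.

```python
"""Cross-checking RFC 6979 deterministic ECDSA signatures across independent signers.

Pure-Python secp256k1, slow and NOT constant-time; for illustration only.
"""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (SEC 2).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def point_add(a, b):
    """Affine point addition; None represents the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k: int, point):
    """Double-and-add scalar multiplication (not side-channel safe)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def rfc6979_nonce(privkey: int, msg_hash: bytes) -> int:
    """RFC 6979 section 3.2 with HMAC-SHA256; qlen == hlen == 256, so T is a single V."""
    x = privkey.to_bytes(32, "big")                                    # int2octets(x)
    h1 = (int.from_bytes(msg_hash, "big") % N).to_bytes(32, "big")     # bits2octets(h1)
    v = b"\x01" * 32
    k = b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    while True:
        v = hmac.new(k, v, hashlib.sha256).digest()
        candidate = int.from_bytes(v, "big")
        if 1 <= candidate < N:
            return candidate
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()  # retry step (rare)
        v = hmac.new(k, v, hashlib.sha256).digest()


def ecdsa_sign(privkey: int, msg: bytes, nonce: int):
    """ECDSA over secp256k1 with a caller-supplied nonce; s is low-S normalized (BIP 62)."""
    z = int.from_bytes(sha256(msg), "big")
    r = scalar_mult(nonce, G)[0] % N
    s = pow(nonce, -1, N) * (z + r * privkey) % N
    if s > N // 2:
        s = N - s
    return (r, s)


def deterministic_sign(privkey: int, msg: bytes):
    """What an RFC 6979-compliant wallet produces: the nonce is a function of key and message."""
    return ecdsa_sign(privkey, msg, rfc6979_nonce(privkey, sha256(msg)))


def random_nonce_sign(privkey: int, msg: bytes):
    """Constructed deviant wallet: still valid signatures, but a fresh random nonce each time."""
    return ecdsa_sign(privkey, msg, 1 + secrets.randbelow(N - 1))


def ecdsa_verify(pubkey, msg: bytes, sig) -> bool:
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(sha256(msg), "big")
    w = pow(s, -1, N)
    point = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pubkey))
    return point is not None and point[0] % N == r


def spot_check(privkey: int, msg: bytes, signers):
    """Sign the same message on every 'device' holding the same key.

    Returns (all_valid, all_identical): a deviating signer is caught by the
    second flag even though its signature passes ordinary verification.
    """
    pubkey = scalar_mult(privkey, G)
    sigs = [sign(privkey, msg) for sign in signers]
    all_valid = all(ecdsa_verify(pubkey, msg, sig) for sig in sigs)
    return all_valid, len(set(sigs)) == 1


if __name__ == "__main__":
    key = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed
    print(spot_check(key, b"spend 1 BTC", [deterministic_sign] * 3))        # (True, True)
    print(spot_check(key, b"spend 1 BTC", [deterministic_sign, random_nonce_sign]))  # (True, False)
```

The comparison only works because every signer is given the same seed, which is the "externally known secret/seed" Pieter's quote refers to; the script models that by passing the same `privkey` to each signer.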
