Nostr Web Client

To start, as both disclosure and a background, I have signed a mutual NDA with a large company that makes SEs. This does *not* include a non-disparagement clause, and what is covered by NDA is technical documentation.

> Not to mention (well, I guess I'm mentioning) the risks of a supply chain attack for the secure elements.

This depends on the secure element. The company that I work with, and many other reputable vendors, have strong countermeasures against supply chain attacks:

- Each chip gets a unique key to identify it, that proves it is genuine

- Production of chips is tightly monitored

- Sensitive key material is stored in dedicated hardware only

and so on.

Cheap SEs, like the ATECC series, to my knowledge do not do this.

> And at this point, secure elements are securing crazy amounts of money. So the temptation must be off the scale.

It has always been, even before Bitcoin. Passports, credit cards, other digital signature systems, etc.

And yet, there are few attacks discovered in high-quality SEs. Almost none apply to real-world scenarios.

> Secure elements are closed-hardware

That is true. But the off-the-shelf MCUs are also closed hardware. Everything is closed hardware. Unfortunately, due to how the IC industry works, building a chip requires proprietary IP, and any company that gives it away is shooting themselves in the foot, really.

Economic incentives are very real, while the amount of protection open sourcing a SE is not. (how do you verify the chip you got equals the open source design?)

> Secure elements ... require NDAs

This will change.

Wonteet Zebugs 7mo ago

My problem with the NDA being necessary to view the technical documentation is that they'll be even less eyes on the design. How many can double-check that there are no bugs.

It's true that for an off-the-shelf MCU, we're trusting the vendor. One of the things that I like about Jade is that since they're using off the shelf MCUs with open source software, we can DIY build one. Granted, probably not too many people do that.

Passports, credit cards, etc, and secure elements : there's no do-over in btc whereas it's not too hard to do a do-over in the fiat and KYC world.

Jade Plus also offer a stateless signer option (if you can trust that the hardware really doesn't keep anything when it shouldn't).

So overall, can I assume that you prefer the odds of a secure element being hacked compared to the odds of both a Jade being stolen and the oracle server being compromised?

Reply to this note

Please Login to reply.

Discussion

semisol 7mo ago

> There’ll be less eyes on the design

Same issue with MCUs, really. Anyway, large SE companies conduct their own testing *and* rigorous independent certifications. (semi-formal validation)

Not sure you can reach that level even if you open source, because the majority of the security is in the physical design, and so physical attack tests. And not the logic.

I have also significantly reviewed the design of the SE I am using.

> There’s no do over in BTC but there is in the fiat world

In the end, there is still damage. Fake digital signatures can be as damaging as blindly signing contracts. Credit card fraud can lead to millions lost for banks.

In the end, *someone* is losing something from it being insecure, and so they have a strong incentive to ensure they buy secure products.

> we can DIY build one

But does anyone? Or do we rely on the manufacturer and Espressif to solely deliver a correct product?

What if the boot ROM on the MCU logs your seed to a hidden area on the chip?

Wonteet Zebugs 7mo ago

Those are all good points.

But that just leads me back to the basics : do we have better odds with a Jade without secure element but where both the Jade and the oracle server have to be compromised, or do we have better odds relying only on a secure element?

But, I must admit that hardware wallets are probably not the best choice for really huge amounts. I remember reading Greg Maxwell saying he preferred an offline computer (probably with a live-dvd, I assume).

semisol 7mo ago

For large amount it’s always multisig

Also, I think quality SEs are better. But low quality ones are significantly worse

Wonteet Zebugs 7mo ago

Multisig : that's debatable. I remember Francis Pouliot writing this a couple years ago, on twitter :

"Having a strong BIP39 passphrase and redundant backups is superior to a multisig for security, accesability and loss prevention. I can't imagine the stress of multisig as a personal solution. No wonder people pay 3rd parties to hold their multisig keys!"

Francis has been in bitcoin for a long while and has been involved in customer-facing businesses (btc businesses) for about as long (the Bitcoin Embassy in MTL and then bullbitcoin.com).

I remember even electrum (older version) messing up the multisig setup so badly that such that electrum couldn't access the funds put in that multisig. And electrum is a very OG project.