For some reason this remind me when WEP WiFi was hacked by just watching enough traffic. 😂
Though not really sure if that’s similar what you are referring to.
okay I have to say BIP39 is a horrible fucking standard
first of all implementing it in any way violates the principle of “don’t do secret based memory accesses”
second of all fuck you because you need to run PBKDF on the seedphrase itself and not the entropy bits
cc nostr:npub1fjqqy4a93z5zsjwsfxqhc2764kvykfdyttvldkkkdera8dr78vhsmmleku
Discussion
the problem is basically that someone can figure out information about the length of each word in the seedphrase just from looking at the execution time or power consumption of a device
Clever. Like say it takes less time this means it’s a shorter word, if it takes more time then it’s a long one, and from there randomness is reduced significantly.
But you still have to brute force after that, no?
Also, isn’t transaction signing typically done offline? How can a hacker monitor the time of a chip they can’t even see.
that reduces the security of a 12 word phrase from 128 bits to 100 bits
also about the power consumption, the device in question is a little battery powered ARM system on chip board that you use airgapped, like a jade or a seed signer, i don't understand what you are talking about at all
EMF leaks and the likes
this kind of thing is extremely marginal risk, compared to not having your keys backed up
yeah, I was trying to make a resistant implementation but due to the stupidity of the people that wrote BIP39 it is 1. very space inefficient 2. not constant time
you can always just transcribe hex, or bech32 - for hex you might want to add a CRC32 suffix check string, bech32 includes one
I’m considering doing xprvs
so, a HD seed
i still think you should use a crc32 check, and hex, to make the decoder simple as possible... base32 and base64 are shit in this respect
you could make a simpified 256 word dictionary mnemonic key scheme too, that would be 32 words, plus another 4 for your CRC check or 36 words, they could all be precisely 4 letters long to make storage neat
xprvs are neat but they use the crappy base58check encoding
in the end it’s 64 bytes, so why not bech32m
constant time doesn't matter without an interactive protocol where timing can be observed
you don't keep the words in memory all the time, that's just as retarded as keeping the hex encoding in memory all the time when you need to constantly generate signatures with the secret it encodes... yes, you store the damn bits of the secret
the decoding from the word key is human input and then generate the secret and encrypt with a password and voila
the password encryption is literally just hashing the literal password a shitload of times ind some funny complex pattern like in pbkdf or argon/2 and then XORing that with the secret bytes and it's done
you don't decode the damn word key in a way that leaks any timing information because humans are so slow there's no way the nanoseconds of decoding are going to be a part of any side channel of timing
and btw, keeping the hex encoding in memory is what go-nostr library does, that's been a very big and difficult refactor to do, but the performance increase is outstanding