When making a signature you need entropy for each signature (true for Schnorr & ECDSA).

Why?

Well that's how you hide your private key, you mix your private key with this random number (slightly more complicated)

So every time you sign a TX you need a fresh new nonce (entropy) for the signature.

The thing is that even if you have 1 single bit of bias in your entropy an attacker can guess your private key.

(Yes this happened IRL quite a bit 2013, there are ofc some caveats which I'll hand wave :p)

So a new standard was made where you create deterministic entropy (statistically evenly distributed) to be used for signatures.

More info on the standard:

https://datatracker.ietf.org/doc/html/rfc6979
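To make the "deterministic entropy" idea concrete, here is an added example (not from the original post or any wallet vendor's code) of the RFC 6979 section 3.2 nonce derivation with HMAC-SHA256 over the secp256k1 group order: the nonce k comes from the private key and the message hash alone, so the same key and message always give the same k and no RNG bias can leak into it. It assumes SHA-256 as the hash (so hlen = qlen = 256) and uses a constructed private key in the usage call.

```python
import hashlib
import hmac

# secp256k1 group order, the curve Bitcoin uses for both ECDSA and Schnorr.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def rfc6979_nonce(privkey: int, msg_hash: bytes, q: int = SECP256K1_N) -> int:
    """Derive the deterministic nonce k per RFC 6979 section 3.2 (HMAC-SHA256).

    No per-signature entropy source is involved: k is a function of the private
    key and the message hash only.  Assumes a 256-bit hash (hlen == qlen == 256).
    """
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    if not 1 <= privkey < q:
        raise ValueError("private key out of range")

    def bits2int(b: bytes) -> int:            # RFC 6979 section 2.3.2
        v = int.from_bytes(b, "big")
        blen = len(b) * 8
        return v >> (blen - qlen) if blen > qlen else v

    def int2octets(v: int) -> bytes:          # RFC 6979 section 2.3.3
        return v.to_bytes(rolen, "big")

    def bits2octets(b: bytes) -> bytes:       # RFC 6979 section 2.3.4
        return int2octets(bits2int(b) % q)

    def hmac_sha256(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    seed = int2octets(privkey) + bits2octets(msg_hash)
    V = b"\x01" * 32                          # steps b and c: initial V and K
    K = b"\x00" * 32
    K = hmac_sha256(K, V + b"\x00" + seed)    # steps d to g: HMAC-DRBG update
    V = hmac_sha256(K, V)
    K = hmac_sha256(K, V + b"\x01" + seed)
    V = hmac_sha256(K, V)
    while True:                               # step h: generate candidates
        T = b""
        while len(T) < rolen:
            V = hmac_sha256(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < q:
            return k
        K = hmac_sha256(K, V + b"\x00")       # candidate out of range (rare): re-key
        V = hmac_sha256(K, V)


def nonce_for_message(privkey: int, msg: bytes) -> int:
    """Convenience wrapper: hash the message with SHA-256, then derive k."""
    return rfc6979_nonce(privkey, hashlib.sha256(msg).digest())


if __name__ == "__main__":
    constructed_key = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    print(hex(nonce_for_message(constructed_key, b"sample")))
```

Appendix A of RFC 6979 lists test vectors (for the NIST curves) that an implementation like this can be checked against before it is trusted; this is the derivation a wallet is expected to run, but a buggy or malicious firmware can still substitute a different k, which is exactly what the host-contributed entropy of anti-klepto lets the host detect.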

The "funny" part about entropy is that you can't tell if something is actually random.

An actually random number can legitimately have well any digits there.

There is absolutely no way to tell if something is truly random or not.

So the only option to be safe is to make sure the devices you use do what they were meant to do.

How do you know that your hww is actually using this standard and not rogue entropy?

Well, one solution is to contribute to this entropy using your device that communicates with the hww (like your laptop)

This is called "anti-klepto" and is currently only implemented by @BitBoxSwiss and @BlockstreamJade.

In the below example, the attacker modified the firmware of the SeedSigner so that it contributes bad entropy to the signature for the TX in question, and this will not raise any suspicion to the user.

The reason this was successful is BECAUSE they used a malicious firmware, so if you check the "correct" firmware is loaded on your device you should be ok.

But what if there was an error made by the people who implement the wallet firmware?

Well, that's why something like the anti-klepto helps.

(wrote this a few days ago when someone asked me, seems fit to repost in regards to his new post :D)

This is a reply to this post:

https://x.com/utxoclub/status/1820520960476561825


Discussion

One very important clarification!

This particular attack actually "encodes the secret key into low entropy secret nonces and uses them in signing", so it's not just grinding the nonces.

What does this mean?

In the "classical" nonce-attack you either need a LOT of computer power or a LOT of signatures, which makes it harder to pull off.

In his variant above they reduced this to only 2 signatures (for 12 words, 4 for 24 words) vs ~64 signatures for the classical attack.

(again a lot of caveats I'm hand waving :p)

which is a great improvement and way easier to pull off and requires fewer steps to be taken by the person being attacked.

Source: https://darkskippy.com/taxonomy.htm

Oh the beauty of multi-vendor multisig 🤭

You seem to ignore the immense trade-off that comes with that.

Storing extra shit.

Oh no how could I ever store an easily exportable file/qr code that is not security-critical and thus can be stored in more locations with only privacy considerations..

The tooling around multisig has improved dramatically, Specter, Nunchuk, etc. Throw that sheet (or file in a flash drive) at every location where a seed of a signer of the multisig is located and you're done.