In general don’t use a device dedicated to storing bitcoin to store bitcoin. Any hardware wallet that isn’t (a) exclusively multisig or (b) is designed to not be able to leak your keys via nonce (I believe only bitboxv2 and Jade) should be considered incompetent at best.
Discussion
nostr:npub17777777tpz9x2dcvvlw37sgk5gmpffexl0u30gjjgcd59ty92vrs0atnu0 thoughts?
No private keys were extracted from the Coldcard.
What do you think of coldcard?
Jade does not have a secure element as far as I know. I know only #coldcard and #foundationdevices to be most secure.
💯
I want to know what you mean but this note is confusing. Can you clarify? 🤙
SeedSigner 💪
Fantastic advice matt, really helping.
So why haven’t you implemented provable randomness in the nonce yet? https://damus.io/note1xl5tvtlr9tc9yhyfcy28a4f9uglth9r320y80gp5sadlwsqrkxlszh5gkl
Because it breaks the air gap barrier and it's pointless over engineering
Can’t you generate your own provable randomness with 256 dice rolls with the cold card? Seems Matt is way off-base here.
Point is the signature nonce, not the private key itself
Signature is worthless without the private key 🤷♂️
Signature can leak the private key to an attacker via the nonce :)
Interesting. Would require physical possession though?
Nope, just compromised firmware/hardware.
It seems like the trade off is to either trust your wallet software to not generate leaking nonce or to trust your hardware wallet to not leak via nonce. IMO trusting the hardware wallet is the better option as that is the device that you are trusting to not be compromised already
Nope! There’s no tradeoff, what I’m proposing allows you trust that *both* need to be compromised, instead of just the hardware wallet.
Interesting. This is definitely above my technical expertise, but good to see this being discussed.
I think we can all agree that any hardware wallet (ledger included 🤢) are better than trusting custodians
Ah okay. So you’re saying hardware wallet would use the nonce unless it thought the nonce was leaking, in which case it wouldn’t sign. The change is just that software _could_ specify the nonce to use as an additional security measure
The “air gap barrier” isn’t broken lol. The computer is sending instructions (in the form of amount/address) and the hardware wallet is responding. I’m just saying add a nonce to those instructions.
If the HW device doesn't simply use the provided nonce as-is (seems undesirable due to sensitivity of nonces), can't the HW device still grind it's portion of the nonce to exfil?
It seems like an extra round of communication is unavoidable? (but likely worthwhile!)
Nope! The magic of XOR (or pre-committed EC points) is that neither gets a “part” but rather the full thing is random if either input is fully random.
@NVK could you address this next pod episode?
Did you type this drunk?
Seems oddly bait and switch given RFC6979 advises to use deterministic nonce (which secp256k1 has ecdsa support for and Coldcard Mk4 uses?) while folks are trying to redo nonce impl’s for Schnorr signing because DN
https://github.com/randombit/botan/issues/2939
https://github.com/BlockstreamResearch/secp256k1-zkp/issues/172
https://github.com/bitcoin-core/secp256k1/pull/1140
Btw can also do deterministic build of Coldcard firmware and flash
Problem is you have a device that you cannot realistically audit the supply chain of, and which is at incredibly high risk of supply chain attacks. Deterministic nonces are great but they’re not auditable - there’s high risk of the machine telling you its doing a deterministic nonce when it is instead leaking your private key with an attacker-derivable nonce!
The point of deterministic nonces is “include a hash of the private key and message in the nonce so that you know you didn’t screw up”, that’s great, but you can also build on top. The computer driving the hardware wallet can input randomness which the hardware wallet can prove was incorporated into the selected nonce. This allows the device to prove to the computer its not leaking your private key, requiring an attacker to compromise *both* your computer and the device, not just the device!
Hardware wallets that don’t use such a protocol should absolutely be considered, at best, incompetent, maybe malicious.
FUD. Computers are worst in every respect.
Ppl are not losing money on HWW, they are on computers. Even core devs with high skills have.
So your proposed alternative is the average user does what exactly—use airgapped laptops w/ bitcoin core for everything?
Hmm? No, the average user uses a hardware wallet and corresponding software control wallet which implements such a protocol completely transparently to them.
interesting
Interesting quote from nostr:npub185h9z5yxn8uc7retm0n6gkm88358lejzparxms5kmy9epr236k2qcswrdp
Whenever i say that, people react like
Whaaat! How can you say this!!!
It is always difficult if people already invested in theese things.
but anyway
Thank you Matt for bringing me Light!
Mateusz