Ah yes, I just learned about that in this episode: https://fountain.fm/episode/XlD5eSY0ekb1pjDXAwmU
I haven't listened to that episode again, but it would require a certain amount of transactions to leak the private key right? Still, if that is already on the firmware level then that is bound to happen at some point if the number of transactions required is not too large.
you can perform this attack with a single transaction
Nonce tampering would be my bet.
ECDSA standard currently specifies a deterministic k value, but for other reasons. I think nonce verification is a pretty good reason though, as the current nonce formula is just 1 operation away from leaking your private key.
I have noticed that wallets are now taking to adding randomness to their k values. Which is probably fine because wallet providers are mainly good actors who do take measures to secure their software and infrastructure.
However if nonce generation were to be compromised, you wouldn't be able to replay the signature on a different device in order to prove it. It would be impossible to know!
Kind of scary to think about to be honest.
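An added illustration of the "replay the signature on a different device" idea from the comment above (example code written for this thread, not from any wallet or firmware): a trusted device holding the same key recomputes the RFC 6979 nonce and signature, so a wallet that really uses deterministic k can be checked, while a random or tampered k simply fails to match and cannot be told apart. secp256k1 arithmetic and the HMAC-DRBG are hand-rolled on the standard library; the key and hash values are constructed.

```python
import hmac, hashlib
# secp256k1 parameters (from the curve spec)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def point_mul(k, pt):  # double-and-add; not constant-time, illustration only
    r = None
    while k:
        if k & 1: r = point_add(r, pt)
        pt, k = point_add(pt, pt), k >> 1
    return r

def rfc6979_nonce(priv, z):
    """Deterministic k from an HMAC-SHA256 DRBG seeded with (priv, H(m)), RFC 6979 s3.2."""
    x, h1 = priv.to_bytes(32, "big"), (z % N).to_bytes(32, "big")
    H = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    v, k = b"\x01" * 32, b"\x00" * 32
    k = H(k, v + b"\x00" + x + h1); v = H(k, v)
    k = H(k, v + b"\x01" + x + h1); v = H(k, v)
    while True:
        v = H(k, v)
        t = int.from_bytes(v, "big")
        if 1 <= t < N: return t
        k = H(k, v + b"\x00"); v = H(k, v)

def sign(priv, z, k):  # ECDSA with an explicit nonce k; z is the hash as an integer
    r = point_mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (z + r * priv) % N)
def verify(pub, z, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def nonce_is_deterministic(priv, z, sig):
    """Recompute on a trusted device with the same key; a mismatch only shows
    the signer used some other k (random or tampered), not which."""
    r, s = sig
    expected = sign(priv, z, rfc6979_nonce(priv, z))
    return sig == expected or (r, N - s) == expected  # tolerate low-s normalisation
```

A True result only says the device's signature is reproducible from the key and message; it says nothing about a signer that deliberately uses a different, replayable derivation, which is the limit the comment points at.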