> To be specific, we (in cooperation with / inspired by Timo Hanke)
> developed a method to prove that the seed generated by Trezor has
> been created using a combination of computer-provided entropy and
> device-provided entropy, without leaking full private information to
> the other computer, just because we want Trezor to be blackbox-testable
> and fully deterministic (seed generation is currently the only
> operation which uses any source of RNG).
Thanks for the explanation. Here is how I understand it works; please correct me if I'm wrong:

The user's computer picks a random number a; the Trezor picks a random number b. Trezor adds a and b in the secp256k1 group, and this creates a master private key k. Trezor sends the corresponding master public key K to the computer. Thus, the computer can check that K was derived from a, without knowing b. This also allows the computer to check that any bitcoin address derived from K is derived from a, without leaking b. (and reciprocally)

However, it seems to me that this property will work only with bip32 public derivations; if a private derivation is used, don't you need to know k?

_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development
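The exchange as the reply above models it, as an added example that is not part of the thread and is not Trezor's or Electrum's code. It is a pure-Python secp256k1 with BIP32 child derivation, written for readability rather than speed or side-channel safety. Two things are assumptions the thread does not state: the chain code used for derivation is a constructed constant, and the computer's check is modelled as Trezor also revealing B = b*G so the computer can verify K == a*G + B (the function and variable names are all hypothetical).

```python
"""Toy model of the key-combination scheme described in the reply above.

Added example, not Trezor's or Electrum's code.  Pure-Python secp256k1 and
BIP32 child derivation: fine for a demonstration, far too slow and not
constant-time for real use.  The chain code and the B = b*G step are
assumptions; the thread does not specify them.
"""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def point_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, p=G):
    """Double-and-add scalar multiplication k*p."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def ser_p(point):
    """SEC1 compressed encoding, as used by BIP32 ser_P."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def combine_keys(a, b):
    """Trezor side: k = a + b mod n.  Returns (k, K, B) with K = k*G, B = b*G."""
    k = (a + b) % N
    return k, point_mul(k), point_mul(b)


def computer_checks_master(a, K, B):
    """Computer side: verify K == a*G + B without learning b (B revealed: assumption)."""
    return K == point_add(point_mul(a), B)


def ckd_priv(k, c, i):
    """BIP32 CKDpriv.  Hardened (i >= 2^31) hashes k itself, so it needs k."""
    if i >= HARDENED:
        data = b"\x00" + k.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = ser_p(point_mul(k)) + i.to_bytes(4, "big")
    I = hmac.new(c, data, hashlib.sha512).digest()
    il, ir = int.from_bytes(I[:32], "big"), I[32:]
    return (il + k) % N, ir


def ckd_pub(K, c, i):
    """BIP32 CKDpub: only defined for non-hardened indices; uses K, never k."""
    if i >= HARDENED:
        raise ValueError("hardened derivation requires the private key k")
    I = hmac.new(c, ser_p(K) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    il, ir = int.from_bytes(I[:32], "big"), I[32:]
    return point_add(point_mul(il), K), ir


def demo(a=None, b=None, chain_code=b"\x01" * 32):
    """Run the exchange; returns (master_ok, public_child_ok, hardened_needs_k)."""
    if a is None:
        a = secrets.randbelow(N - 1) + 1   # computer-provided entropy
    if b is None:
        b = secrets.randbelow(N - 1) + 1   # device-provided entropy
    k, K, B = combine_keys(a, b)
    master_ok = computer_checks_master(a, K, B)
    # Non-hardened child: Trezor derives from k, the computer re-derives from K alone.
    k1, _ = ckd_priv(k, chain_code, 0)
    K1, _ = ckd_pub(K, chain_code, 0)
    public_child_ok = point_mul(k1) == K1
    # Hardened child: Trezor can derive it, the computer cannot from K alone.
    ckd_priv(k, chain_code, HARDENED)
    try:
        ckd_pub(K, chain_code, HARDENED)
        hardened_needs_k = False
    except ValueError:
        hardened_needs_k = True
    return master_ok, public_child_ok, hardened_needs_k


if __name__ == "__main__":
    print(demo())
```

The non-hardened case works because BIP32 makes the child public key K + I_L*G with I_L computed from the parent public key and chain code, so the computer can follow every public derivation from K without b or k. The hardened case feeds k itself into the HMAC, which is exactly the point the reply raises: nothing the computer holds lets it reproduce that step.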