> To be specific, we (in cooperation with / inspired by Timo Hanke) 
> developed a method to prove that the seed generated by Trezor has 
> been created using a combination of computer-provided entropy and 
> device-provided entropy, without leaking full private information to 
> the other computer, just because we want Trezor to be blackbox-testable 
> and fully deterministic (seed generation is currently the only 
> operation which uses any source of RNG).

Thanks for the explanation. Here is how I understand how it works, 
please correct me if I'm wrong:

The user's computer picks a random number a, the Trezor picks a random 
number b.
Trezor adds a and b in the secp256k1 group, and this creates a master 
private key k.
Trezor sends the corresponding master public key K to the computer.
Thus, the computer can check that K was derived from a, without knowing b.
This also allows the computer to check that any bitcoin address derived 
from K is derived from a, without leaking b. (and reciprocally)

However, it seems to me that this property will work only with BIP32 
public derivations; if a private derivation is used, don't you need to 
know k?

Bitcoin-development mailing list
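As an added illustration, not code from this thread or from Trezor, here is a toy model of the combined-entropy key check as the message above describes it, using the additive combination on secp256k1 in pure Python. It assumes the device returns B = b*G alongside K (that is what lets the host verify K = a*G + B without learning b), and it models a BIP32 non-hardened step with a plain integer tweak in place of the HMAC output.

```python
# Added example, not code from the thread or from Trezor: a toy model of the
# combined-entropy key check, pure Python. Assumption: besides K, the device
# also returns B = b*G, which is what lets the host check K = a*G + B.

P = 2**256 - 2**32 - 977                      # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                           # Q + (-Q) = infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point=G):
    """Double-and-add scalar multiplication k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def device_combine(a, b):
    """Device side: k = a + b (mod n). Returns k, K = k*G and B = b*G."""
    k = (a + b) % N
    return k, ec_mul(k), ec_mul(b)

def host_verify(a, K, B):
    """Host side: accept K only if K == a*G + B (needs a and B, never b)."""
    return ec_add(ec_mul(a), B) == K

def child_nonhardened_pub(K, tweak):
    """BIP32 non-hardened step simplified to K + tweak*G: needs only K."""
    return ec_add(K, ec_mul(tweak % N))

def child_nonhardened_priv(k, tweak):
    """Same step on the private side: k_child = k + tweak (mod n)."""
    return (k + tweak) % N
```

The last two functions show why the check carries over to non-hardened children only: the public-side step needs just K, whereas a hardened step has no public-only counterpart and needs k.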
