On Sat, Nov 02, 2013 at 10:44:58AM +0100, Thomas Voegtlin wrote:
> >To be specific, we (in cooperation with / inspired by Timo Hanke)
> >developed method how to prove that the seed generated by Trezor
> >has been created using combination of computer-provided entropy
> >and device-provided entropy, without leaking full private
> >information to other computer, just because we want Trezor to be
> >blackbox-testable and fully deterministic (seed generation is
> >currently the only operation which uses any source of RNG).
> >
> Thanks for the explanation. Here is how I understand how it works;
> please correct me if I'm wrong:
> The user's computer picks a random number a, the Trezor picks a
> random number b.
> Trezor adds a and b in the secp256k1 group, and this creates a
> master private key k.
> Trezor sends the corresponding master public key K to the computer.
> Thus, the computer can check that K was derived from a, without knowing b.

No. You mean the computer would use B for this check?
(k,K) could be rigged by Trezor, who computes b as k-a.


> This also allows the computer to check that any bitcoin address
> derived from K is derived from a, without leaking b. (and
> reciprocally)
> However, it seems to me that this property will work only with bip32
> public derivations; if a private derivation is used, don't you need
> to know k?

Timo Hanke
PGP 1EFF 69BC 6FB7 8744 14DB  631D 1BB5 D6E3 AB96 7DA8
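The exchange the two messages above discuss, as an added example that is not part of the thread and not Trezor's own code: the computer contributes a, the device contributes b, the master key is k = a + b (mod n) and the computer checks K == a*G + B. The example also shows the point Timo raises: if the device learns a before it has fixed B, it can pick any k it likes and back-compute b = k - a, and the check still passes; if the device must commit to B before a is revealed, that is no longer possible. The secp256k1 constants are the public curve parameters; the SHA-256 commitment encoding, the class names and the two-phase API are assumptions for illustration. Only the master key K is covered here, as in the thread; the BIP32 hardened-derivation question is left as raised.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants of the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                       # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def commitment(pt):
    """SHA-256 commitment to a point (assumed encoding, not Trezor's wire format)."""
    if pt is None:
        return hashlib.sha256(b"infinity").digest()
    return hashlib.sha256(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")).digest()


class HonestDevice:
    """Device that really adds its own entropy b to the computer's a (hypothetical)."""

    def __init__(self, b=None):
        self.b = b if b is not None else secrets.randbelow(N - 1) + 1
        self.B = ec_mul(self.b, G)

    def commit(self):
        # Phase 1: commit to B before the computer reveals a.
        return commitment(self.B)

    def finish(self, a):
        # Phase 2: k = a + b (mod n); return K = k*G and B so the computer can check.
        k = (a + self.b) % N
        return ec_mul(k, G), self.B


class PresetKeyDevice:
    """Device that wants a predetermined k and back-computes b = k - a, as the thread
    describes (hypothetical); it can only commit to a decoy B before a is known."""

    def __init__(self, k_wanted, b_decoy):
        self.k = k_wanted
        self.B_decoy = ec_mul(b_decoy, G)

    def commit(self):
        return commitment(self.B_decoy)

    def finish(self, a):
        b = (self.k - a) % N
        return ec_mul(self.k, G), ec_mul(b, G)


def check_without_commitment(device, a):
    """The check as first described: the computer learns B with K and tests K == a*G + B."""
    K, B = device.finish(a)
    return K == ec_add(ec_mul(a, G), B)


def check_with_commitment(device, a):
    """B is committed before a is revealed; then both the commitment and K == a*G + B are tested."""
    c = device.commit()
    K, B = device.finish(a)
    return commitment(B) == c and K == ec_add(ec_mul(a, G), B)


if __name__ == "__main__":
    a = secrets.randbelow(N - 1) + 1
    print("honest device, no commitment :", check_without_commitment(HonestDevice(), a))
    print("preset-k device, no commitment:", check_without_commitment(PresetKeyDevice(12345, 777), a))
    print("preset-k device, commitment   :", check_with_commitment(PresetKeyDevice(12345, 777), a))
```

The only thing the commitment adds is ordering: the device has to fix B before it sees a, so k = a + b is determined by two values chosen independently, and the equation K == a*G + B then proves that a really went into k without the computer ever learning b.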

Bitcoin-development mailing list
