On Sat, Nov 02, 2013 at 10:44:58AM +0100, Thomas Voegtlin wrote: > > >To be specific, we (in cooperation with / inspired by Timo Hanke) > >developed method how to prove that the seed generated by Trezor > >has been created using combination of computer-provided entropy > >and device-provided entropy, without leaking full private > >information to other computer, just because we want Trezor to be > >blackbox-testable and fully deterministic (seed generation is > >currently the only operation which uses any source of RNG). > > > > Thanks for the explanation. Here is how I understand how it works, > please correct me if I'm wrong: > > The user's computer picks a random number a, the Trezor picks a > random number b. > Trezor adds a and b in the secp256k1 group, and this creates a > master private key k. > Trezor sends the corresponding master public key K to the computer. > Thus, the computer can check that K was derived from a, without knowing b.
No. You mean the computer would use B for this check? (k,K) could be rigged by Trezor, who computes b as k-a. Timo > This also allows the computer to check that any bitcoin address > derived from K is derived from a, without leaking b. (and > reciprocally) > > However, it seems to me that this property will work only with bip32 > public derivations; if a private derivation is used, don't you need > to know k? > > > -- Timo Hanke PGP 1EFF 69BC 6FB7 8744 14DB 631D 1BB5 D6E3 AB96 7DA8 ------------------------------------------------------------------------------ Android is increasing in popularity, but the open development platform that developers love is also attractive to malware creators. Download this white paper to learn more about secure code signing practices that can help keep Android apps secure. http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
