delvingbitcoin
Non interactive anti-exfil (airgap compatible)
Posted on: August 21, 2024 14:32 UTC
The discussion starts with an analysis of the computational expenses associated with double point multiplications and hashing, particularly emphasizing the significant cost increase with the augmentation of bits.
Despite these challenges, it's posited that small devices might still manage a 4-bit calculation to potentially leak secret information across 64 signatures, suggesting that even limited hardware capabilities can pose substantial security threats if manipulated correctly. The conversation then shifts to consider whether such exploits could be achieved solely through firmware modifications or if they necessitate inherently malicious design intentions from the outset.
The technique of utilizing Forward Error Correction (FEC) codes is introduced as a means to circumvent the need for a device to track which parts of a seed have been leaked. This method involves expanding the secret with a large "checksum" and leaking bits of this checksum in each signature in a deterministic manner, influenced by the message and a unique device key known only to potential attackers or the original manufacturer. This approach theoretically ensures that no two signatures will leak the same checksum bits, allowing an attacker to reassemble the original secret after sufficient data has been extracted, without ever needing to materialize the entire checksum.
However, the feasibility of such an attack is scrutinized, noting that any routine factory or user validation test designed to verify the integrity of signature generation processes, akin to specifications outlined in RFC6979, would likely detect such malicious activity. Furthermore, the text acknowledges that while the chances of success with low bandwidth leaks are minimal due to the high risk of detection during standard testing procedures, there exist scenarios where the device might selectively engage in malicious activities, particularly when dealing with larger transactions or data sets.
In conclusion, while certain conditions might render interactive anti-exfiltration measures ineffective, dismissing the potential for secret exfiltration via computational grinding would be premature. The discussion ultimately suggests that despite the inherent risks and challenges, considering such schemes remains valuable in the broader context of safeguarding against data exfiltration.