[Script Info]
Title:
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:05.28,0:00:18.53,Default,,0000,0000,0000,,{\i1}35c3 preroll music{\i0}
Dialogue: 0,0:00:18.53,0:00:25.84,Default,,0000,0000,0000,,Herald: Give a warm welcome applause for\NStephan Verbücheln. He is a ...
Dialogue: 0,0:00:25.84,0:00:33.37,Default,,0000,0000,0000,,{\i1}applause{\i0}\NHe is a cryptologist and also security
Dialogue: 0,0:00:33.37,0:00:40.30,Default,,0000,0000,0000,,analyst, and he will tell us about wallet\Nsecurity. So I'm impressed.
Dialogue: 0,0:00:40.30,0:00:45.70,Default,,0000,0000,0000,,Stephan: Hello, can everybody hear me? Ok.\NSo I'm Stephan and I will talk about
Dialogue: 0,0:00:45.70,0:00:51.84,Default,,0000,0000,0000,,wallet security. First I will give a\Nlittle bit of background on what I worked on.
Dialogue: 0,0:00:51.84,0:00:56.22,Default,,0000,0000,0000,,So I am a Diplominformatiker, which is like\Nthe old master's degree that they had in
Dialogue: 0,0:00:56.22,0:01:01.60,Default,,0000,0000,0000,,Germany, and I work as a security\Nconsultant in Switzerland. And I've done
Dialogue: 0,0:01:01.60,0:01:07.94,Default,,0000,0000,0000,,more research related to blockchains and\Nbitcoin, which was related to zero-
Dialogue: 0,0:01:07.94,0:01:13.52,Default,,0000,0000,0000,,knowledge proofs, and Zerocoin, which is\Nthe predecessor of the predecessor of Zcash.
Dialogue: 0,0:01:13.52,0:01:18.98,Default,,0000,0000,0000,,Some people might have heard of Zcash.\NI did research on ECDSA with regards to
Dialogue: 0,0:01:18.98,0:01:26.03,Default,,0000,0000,0000,,bitcoin. This is also what\Nthis talk will be about.
Dialogue: 0,0:01:26.03,0:01:27.54,Default,,0000,0000,0000,,For a few months, I also worked
Dialogue: 0,0:01:27.54,0:01:35.21,Default,,0000,0000,0000,,on my own blockchain project,\Nwhich failed. ({\i1}laughs{\i0})
Dialogue: 0,0:01:35.21,0:01:37.46,Default,,0000,0000,0000,,Later, I worked as a consultant
Dialogue: 0,0:01:37.46,0:01:43.66,Default,,0000,0000,0000,,for another blockchain project which was\Nreleased last month. And I also did wallet
Dialogue: 0,0:01:43.66,0:01:48.34,Default,,0000,0000,0000,,security reviews for several customers who\Nwanted to use their own wallets or wanted
Dialogue: 0,0:01:48.34,0:01:52.52,Default,,0000,0000,0000,,to use a wallet and\Nwanted to have a review.
Dialogue: 0,0:01:52.52,0:01:56.29,Default,,0000,0000,0000,,So this talk will have 5 points.
Dialogue: 0,0:01:56.29,0:02:00.17,Default,,0000,0000,0000,,So first we will have a little recap of\Nbitcoin and ECDSA, a little bit of
Dialogue: 0,0:02:00.17,0:02:03.91,Default,,0000,0000,0000,,background that will help us to\Nunderstand what the next things are about.
Dialogue: 0,0:02:03.91,0:02:07.43,Default,,0000,0000,0000,,Then we will talk about wallets.\NWhat is a wallet?
Dialogue: 0,0:02:07.43,0:02:12.41,Default,,0000,0000,0000,,Then we will see a list of common attacks\Nthat have been found in the last years,
Dialogue: 0,0:02:12.41,0:02:16.46,Default,,0000,0000,0000,,and then we will talk about a\Nmore sophisticated attack,
Dialogue: 0,0:02:16.46,0:02:22.66,Default,,0000,0000,0000,,and then we will come to some\Nconclusions about wallet security.
Dialogue: 0,0:02:22.66,0:02:27.32,Default,,0000,0000,0000,,So first, I think everybody now\Nhas heard of bitcoin. Regarding this talk,
Dialogue: 0,0:02:27.32,0:02:33.51,Default,,0000,0000,0000,,I will always talk in terms of bitcoin,\Nbut the same applies to any cryptocurrency.
Dialogue: 0,0:02:33.51,0:02:37.04,Default,,0000,0000,0000,,But to make things simpler we will\Nuse bitcoin as an example. So we
Dialogue: 0,0:02:37.04,0:02:41.15,Default,,0000,0000,0000,,have fixed parameters that we work with.
Dialogue: 0,0:02:41.15,0:02:44.81,Default,,0000,0000,0000,,So bitcoin basically is... what we need\Nto know is the public ledger for
Dialogue: 0,0:02:44.81,0:02:49.21,Default,,0000,0000,0000,,transactions.\NUsers have public and private keys.
Dialogue: 0,0:02:49.21,0:02:53.70,Default,,0000,0000,0000,,They use the private keys to sign\Ntransactions, and the transactions are
Dialogue: 0,0:02:53.70,0:03:00.39,Default,,0000,0000,0000,,published in a blockchain so that\Neverybody can verify the transactions.
Dialogue: 0,0:03:00.39,0:03:04.09,Default,,0000,0000,0000,,It works like this:\NWe have Alice, Bob and Carol,
Dialogue: 0,0:03:04.09,0:03:07.38,Default,,0000,0000,0000,,and if Alice wants to send a bitcoin
Dialogue: 0,0:03:07.38,0:03:12.74,Default,,0000,0000,0000,,to Bob, then Alice creates the transaction,\Nsigns it, and broadcasts it.
Dialogue: 0,0:03:12.74,0:03:14.78,Default,,0000,0000,0000,,Miners will collect it.
Dialogue: 0,0:03:14.78,0:03:17.97,Default,,0000,0000,0000,,Miners will put them into the block.
Dialogue: 0,0:03:17.97,0:03:23.67,Default,,0000,0000,0000,,And Bob waits until the transaction\Nappears in the blockchain.
Dialogue: 0,0:03:23.67,0:03:28.16,Default,,0000,0000,0000,,So the creation of the transaction\Nconsists of the following steps:
Dialogue: 0,0:03:28.16,0:03:32.04,Default,,0000,0000,0000,,Alice first creates the transaction\Nwhere it says I will send one bitcoin
Dialogue: 0,0:03:32.04,0:03:37.69,Default,,0000,0000,0000,,to Bob. Then she adds Bob's address\Nwhere the bitcoin is going to be
Dialogue: 0,0:03:37.69,0:03:41.59,Default,,0000,0000,0000,,sent to, and then she signs it with a\Nprivate key. So what's important for us
Dialogue: 0,0:03:41.59,0:03:46.43,Default,,0000,0000,0000,,now is basically 2 things: the private\Nkeys and public keys. They are used for
Dialogue: 0,0:03:46.43,0:03:53.81,Default,,0000,0000,0000,,signatures, and all the signatures are\Npublished in the blockchain.
Dialogue: 0,0:03:53.81,0:03:58.66,Default,,0000,0000,0000,,So the signature algorithm that's used in\Nbitcoin and in most other blockchains
Dialogue: 0,0:03:58.66,0:04:00.94,Default,,0000,0000,0000,,is ECDSA.
Dialogue: 0,0:04:00.94,0:04:06.19,Default,,0000,0000,0000,,I think most people have heard about it,\Nbut I will give a quick recap on what it is
Dialogue: 0,0:04:06.19,0:04:11.96,Default,,0000,0000,0000,,and how it works. So the abbreviation\Nstands for Elliptic-Curve Digital
Dialogue: 0,0:04:11.96,0:04:20.69,Default,,0000,0000,0000,,Signature Algorithm, and it's related to\Nmany other well-known algorithms. I think
Dialogue: 0,0:04:20.69,0:04:24.87,Default,,0000,0000,0000,,everybody has heard about the Diffie-\NHellman key exchange. This was pretty much
Dialogue: 0,0:04:24.87,0:04:31.59,Default,,0000,0000,0000,,the first public key private key\Nalgorithm. It was based on the discrete
Dialogue: 0,0:04:31.59,0:04:39.28,Default,,0000,0000,0000,,logarithm modulo a number p. And then Mr.\NElGamal, who is also the inventor of SSL,
Dialogue: 0,0:04:39.28,0:04:44.64,Default,,0000,0000,0000,,he created the first signature scheme\Nbased on Diffie-Hellman. And then Mr.
Dialogue: 0,0:04:44.64,0:04:50.72,Default,,0000,0000,0000,,Schnorr, Professor Schnorr from Frankfurt,\Nhe made the signature scheme more
Dialogue: 0,0:04:50.72,0:04:59.08,Default,,0000,0000,0000,,efficient. And then the American\Ngovernment took the Schnorr signature and
Dialogue: 0,0:04:59.08,0:05:06.09,Default,,0000,0000,0000,,created the Digital Signature Algorithm,\Nwhich is a standardized version of the
Dialogue: 0,0:05:06.09,0:05:15.65,Default,,0000,0000,0000,,Schnorr signature, which also standardizes\Nthe use of SHA as a hash function. And ECDSA
Dialogue: 0,0:05:15.65,0:05:23.05,Default,,0000,0000,0000,,is the same algorithm as DSA, but built on\Nelliptic curves instead of the discrete
Dialogue: 0,0:05:23.05,0:05:28.51,Default,,0000,0000,0000,,logarithm with numbers. So what's an\Nelliptic curve? Oh, no, first: Why do we
Dialogue: 0,0:05:28.51,0:05:33.13,Default,,0000,0000,0000,,use elliptic curves in the first place?\NThe problem with the old algorithms, most
Dialogue: 0,0:05:33.13,0:05:38.76,Default,,0000,0000,0000,,importantly RSA and DH, Diffie-Hellman,\Nand also DSA, which is related to Diffie-
Dialogue: 0,0:05:38.76,0:05:42.35,Default,,0000,0000,0000,,Hellman, is that, unfortunately, they\Nhave no future, because the keys are
Dialogue: 0,0:05:42.35,0:05:48.29,Default,,0000,0000,0000,,pretty big. The algorithm gets\Npretty inefficient. And now if you
Dialogue: 0,0:05:48.29,0:05:54.99,Default,,0000,0000,0000,,increase the key size you don't gain much\Nmore security.
Dialogue: 0,0:05:54.99,0:06:01.33,Default,,0000,0000,0000,,So, if you have a 2000-bit RSA key and a\N4000-bit RSA key, then the 4000-bit key is
Dialogue: 0,0:06:01.33,0:06:07.07,Default,,0000,0000,0000,,not twice as secure, but only a little bit\Nmore secure. And if you really would like
Dialogue: 0,0:06:07.07,0:06:11.84,Default,,0000,0000,0000,,to have a twice as secure key for RSA, for\Nexample, or for Diffie-Hellman, you would
Dialogue: 0,0:06:11.84,0:06:21.27,Default,,0000,0000,0000,,need 15000 bits, and that's very\Ninefficient. So, elliptic curves are quite
Dialogue: 0,0:06:21.27,0:06:29.19,Default,,0000,0000,0000,,a solution that's used nowadays in order\Nto get a more efficient algorithm. So
Dialogue: 0,0:06:29.19,0:06:35.42,Default,,0000,0000,0000,,what's an elliptic curve? Elliptic curves\Nare curves that are defined by an equation
Dialogue: 0,0:06:35.42,0:06:44.84,Default,,0000,0000,0000,,y² = x³ + ax + b. And the elements\Nthat we are talking about in the algorithm
Dialogue: 0,0:06:44.84,0:06:53.61,Default,,0000,0000,0000,,are points on that curve, so we can see\Nthe curve on these pictures, and the curve
Dialogue: 0,0:06:53.61,0:07:01.46,Default,,0000,0000,0000,,has the property that, if you draw a\Nstraight line crossing the curve, the line
Dialogue: 0,0:07:01.46,0:07:11.65,Default,,0000,0000,0000,,will intersect the curve at a\Nmaximum of three points. And based on that
Dialogue: 0,0:07:11.65,0:07:18.13,Default,,0000,0000,0000,,we define operations. So we can, for\Nexample, define an addition of points: So if
Dialogue: 0,0:07:18.13,0:07:24.07,Default,,0000,0000,0000,,you see on the left picture the points P\Nand Q, if you want to define an addition
Dialogue: 0,0:07:24.07,0:07:33.07,Default,,0000,0000,0000,,of the two points, then we say P + Q + R is\Nneutral, because those are all points on
Dialogue: 0,0:07:33.07,0:07:44.20,Default,,0000,0000,0000,,the straight line. So we define P + Q to\Nbe -R, and -R is the point opposite to R.
Dialogue: 0,0:07:44.20,0:07:57.40,Default,,0000,0000,0000,,And in the second picture we see, if we\Nwant to add a point to itself, then we
Dialogue: 0,0:07:57.40,0:08:03.32,Default,,0000,0000,0000,,draw the tangent at the point, and the\Ntangent will cross the curve at another
Dialogue: 0,0:08:03.32,0:08:10.56,Default,,0000,0000,0000,,point, and the inverse of that point will\Nbe used as the result. So we have, if we
Dialogue: 0,0:08:10.56,0:08:20.75,Default,,0000,0000,0000,,want to add Q to Q, we say 2Q, and the\Nresult is -P. And with that we have a way
Dialogue: 0,0:08:20.75,0:08:29.62,Default,,0000,0000,0000,,to add points to themselves, and we can\Nscale this up. We can also add Q to Q and
Dialogue: 0,0:08:29.62,0:08:39.02,Default,,0000,0000,0000,,Q again, so three times Q, four times Q\N... and this operation has a nice
Dialogue: 0,0:08:39.02,0:08:46.71,Default,,0000,0000,0000,,property, because multiplying a point with\Na number is easy, but the inverse
Dialogue: 0,0:08:46.71,0:08:51.38,Default,,0000,0000,0000,,operation is hard to compute. So this is\Nthe operation on which the whole algorithm is
Dialogue: 0,0:08:51.38,0:09:00.82,Default,,0000,0000,0000,,based. So how are signatures with ECDSA\Ngenerated? So first we have a point G,
Dialogue: 0,0:09:00.82,0:09:05.89,Default,,0000,0000,0000,,which is a fixed point that's already, for\Nexample with bitcoin, it's already defined
Dialogue: 0,0:09:05.89,0:09:12.35,Default,,0000,0000,0000,,to be a certain point. The point has the\Norder n, which means that if you add the
Dialogue: 0,0:09:12.35,0:09:18.02,Default,,0000,0000,0000,,point to itself n times you will go back\Nto the same point. And we also have a hash
Dialogue: 0,0:09:18.02,0:09:25.28,Default,,0000,0000,0000,,function h, in the case of bitcoin\NSHA-256, and we have a private key d, which
Dialogue: 0,0:09:25.28,0:09:29.51,Default,,0000,0000,0000,,is a number, so all lowercase letters here\Nare numbers, and we have a public key,
Dialogue: 0,0:09:29.51,0:09:39.42,Default,,0000,0000,0000,,which is the point Q that you get when you\Nmultiply the point G by the number d. So,
Dialogue: 0,0:09:39.42,0:09:48.03,Default,,0000,0000,0000,,to generate the signature you have to pick\Na random number k. This is also
Dialogue: 0,0:09:48.03,0:09:53.29,Default,,0000,0000,0000,,highlighted in red. We will see later that\Nit is important to keep the red numbers,
Dialogue: 0,0:09:53.29,0:09:59.92,Default,,0000,0000,0000,,so the nonce and the key, secret. You\Ncompute a point R by multiplying the
Dialogue: 0,0:09:59.92,0:10:08.22,Default,,0000,0000,0000,,generator point with k. Then you take the\Nx coordinate and then you compute the
Dialogue: 0,0:10:08.22,0:10:12.61,Default,,0000,0000,0000,,formula in the first line. It is not\Nreally important how the formula works for
Dialogue: 0,0:10:12.61,0:10:18.52,Default,,0000,0000,0000,,us. It's more important which values have\Nto be kept secret and which values are
Dialogue: 0,0:10:18.52,0:10:24.59,Default,,0000,0000,0000,,published later. And then you return r and\Ns. So r and s is the signature for the
Dialogue: 0,0:10:24.59,0:10:31.54,Default,,0000,0000,0000,,message m. And to verify it you compute\Nthe following formula. It's not important
Dialogue: 0,0:10:31.54,0:10:36.75,Default,,0000,0000,0000,,to see immediately that it works, but this\Nis how the algorithm is defined. What's
Dialogue: 0,0:10:36.75,0:10:44.91,Default,,0000,0000,0000,,important to know is that for verifying\Nyou don't need to know the secret k, and
Dialogue: 0,0:10:44.91,0:10:53.41,Default,,0000,0000,0000,,you also don't need to know the private\Nkey, of course, but you use the public key Q.
Dialogue: 0,0:10:53.41,0:10:59.32,Default,,0000,0000,0000,,So this algorithm has the property that\Nwas already published with the first paper
Dialogue: 0,0:10:59.32,0:11:06.46,Default,,0000,0000,0000,,where the algorithm was defined. The nonce\Nk, which is highlighted in red, needs to
Dialogue: 0,0:11:06.46,0:11:12.55,Default,,0000,0000,0000,,be kept secret, because if you know the\Nnonce k you can use the parameters that
Dialogue: 0,0:11:12.55,0:11:21.36,Default,,0000,0000,0000,,you get in the signature to compute the\Nprivate key. And so stealing the nonce k
Dialogue: 0,0:11:21.36,0:11:26.63,Default,,0000,0000,0000,,for one signature is equivalent to\Nstealing the secret key. That's common
Dialogue: 0,0:11:26.63,0:11:32.83,Default,,0000,0000,0000,,knowledge. But it will be important later\Non. So now we will talk about what a
Dialogue: 0,0:11:32.83,0:11:37.95,Default,,0000,0000,0000,,wallet is. So we have seen Bitcoin.\NBasically, in bitcoin you have a private
Dialogue: 0,0:11:37.95,0:11:44.64,Default,,0000,0000,0000,,key and a public key, and the private key\Nis used to spend bitcoins. So if someone
Dialogue: 0,0:11:44.64,0:11:49.53,Default,,0000,0000,0000,,gets access to your private key he will be\Nable to spend your bitcoins. So you want
Dialogue: 0,0:11:49.53,0:11:52.99,Default,,0000,0000,0000,,to protect your private key, and the\Nsoftware that you use to manage your
Dialogue: 0,0:11:52.99,0:11:58.44,Default,,0000,0000,0000,,private keys is called a wallet. So there\Nare different types of wallets that you
Dialogue: 0,0:11:58.44,0:12:05.01,Default,,0000,0000,0000,,can distinguish. So the simplest type is\Nsoftware wallets. You just have the
Dialogue: 0,0:12:05.01,0:12:09.32,Default,,0000,0000,0000,,software that generates your keys and\Nstores your keys in a file, potentially
Dialogue: 0,0:12:09.32,0:12:14.45,Default,,0000,0000,0000,,protected with a password. A software\Nwallet is easy to use. It can be used on a
Dialogue: 0,0:12:14.45,0:12:19.55,Default,,0000,0000,0000,,desktop, on a laptop, on the phone, on the\Nserver, if you have an online shop. It's
Dialogue: 0,0:12:19.55,0:12:26.15,Default,,0000,0000,0000,,flexible: You can modify it, you can\Nupdate it. But it has the problem that the
Dialogue: 0,0:12:26.15,0:12:30.29,Default,,0000,0000,0000,,keys are on a machine where a lot of\Nthings are working. So if you have, for
Dialogue: 0,0:12:30.29,0:12:37.01,Default,,0000,0000,0000,,example, malware on the machine, they can be\Nstolen. Then you have hardware wallets.
Dialogue: 0,0:12:37.01,0:12:40.02,Default,,0000,0000,0000,,Yesterday there was another talk about\Nhardware wallets. So hardware wallets are
Dialogue: 0,0:12:40.02,0:12:47.08,Default,,0000,0000,0000,,dedicated devices, for example USB devices\Nor an offline laptop, that are used to
Dialogue: 0,0:12:47.08,0:12:54.14,Default,,0000,0000,0000,,manage your keys. So the advantage of it\Nis that you don't have the keys on a host
Dialogue: 0,0:12:54.14,0:12:57.64,Default,,0000,0000,0000,,where malware, for example, could steal\Nthe keys. You have them on a separate
Dialogue: 0,0:12:57.64,0:13:04.64,Default,,0000,0000,0000,,device. One problem with hardware wallets\Nis, if you have a small device with only
Dialogue: 0,0:13:04.64,0:13:08.46,Default,,0000,0000,0000,,two buttons, you need to make sure that you\Nare actually signing what you think you
Dialogue: 0,0:13:08.46,0:13:14.35,Default,,0000,0000,0000,,are signing, but that's another problem,\Nand the new wallets all have quite large
Dialogue: 0,0:13:14.35,0:13:19.34,Default,,0000,0000,0000,,displays where they show the transaction\Nthat they are signing, so this is quite a
Dialogue: 0,0:13:19.34,0:13:26.52,Default,,0000,0000,0000,,solved problem. There's actually a third\Ntype of wallet, which I put together as a
Dialogue: 0,0:13:26.52,0:13:32.01,Default,,0000,0000,0000,,paper wallet. So you can print out your\Nkey on paper, put it in a safe, and nobody
Dialogue: 0,0:13:32.01,0:13:37.06,Default,,0000,0000,0000,,will be able to steal it. But of course\Nyou will not be able to use it until you
Dialogue: 0,0:13:37.06,0:13:41.76,Default,,0000,0000,0000,,enter your paper wallet - your key from\Nyour paper wallet - into a computer,
Dialogue: 0,0:13:41.76,0:13:48.13,Default,,0000,0000,0000,,because you don't want to do the\Ncomputations by hand. So hardware wallets
Dialogue: 0,0:13:48.13,0:13:53.21,Default,,0000,0000,0000,,have another... So there's another\Ndistinction that you can make, different from
Dialogue: 0,0:13:53.21,0:13:57.64,Default,,0000,0000,0000,,hardware wallets and software wallets. You\Ncan use crypto hardware. For example, every
Dialogue: 0,0:13:57.64,0:14:02.79,Default,,0000,0000,0000,,smartphone nowadays, for example the\NiPhone, has a little chip that's used to
Dialogue: 0,0:14:02.79,0:14:12.68,Default,,0000,0000,0000,,manage keys. So I titled this as Hardware\NKey Storage. So you can have a chip that
Dialogue: 0,0:14:12.68,0:14:19.33,Default,,0000,0000,0000,,generates keys, or you import keys, and the\Nchip does not allow you to export keys, so
Dialogue: 0,0:14:19.33,0:14:28.66,Default,,0000,0000,0000,,you can be sure that the key will never\Nlose the device - never leave the device - and all
Dialogue: 0,0:14:28.66,0:14:32.48,Default,,0000,0000,0000,,the signatures are performed inside the\Nmodule. So you really don't need to see
Dialogue: 0,0:14:32.48,0:14:37.87,Default,,0000,0000,0000,,the key. You only need to ask the module\Nto sign something for you. This kind of
Dialogue: 0,0:14:37.87,0:14:43.64,Default,,0000,0000,0000,,hardware key storage is quite advanced\Nnowadays. They were used in chip cards for
Dialogue: 0,0:14:43.64,0:14:47.32,Default,,0000,0000,0000,,decades. They are used in the iPhone. They\Nare one of the reasons why the FBI can't
Dialogue: 0,0:14:47.32,0:14:59.32,Default,,0000,0000,0000,,break the iPhone. But there is one note to\Nmake. It's important to have access
Dialogue: 0,0:14:59.32,0:15:04.36,Default,,0000,0000,0000,,control to this hardware key store, because\Nfor example if you have a jailbroken
Dialogue: 0,0:15:04.36,0:15:09.04,Default,,0000,0000,0000,,iPhone, then your jailbroken iPhone can\Nalways pretend to be the app that's
Dialogue: 0,0:15:09.04,0:15:15.33,Default,,0000,0000,0000,,privileged to use the key. So root access\Nalways allows you to use the key. That was
Dialogue: 0,0:15:15.33,0:15:21.45,Default,,0000,0000,0000,,also exploited in the talk yesterday for\Nthe Ledger wallet. Once you control the
Dialogue: 0,0:15:21.45,0:15:27.69,Default,,0000,0000,0000,,main CPU and once you boot your own\Nfirmware, you can use your own firmware to
Dialogue: 0,0:15:27.69,0:15:37.71,Default,,0000,0000,0000,,access the keys. You cannot read them, but\Nyou can use them. And there are some more downsides.
Dialogue: 0,0:15:37.71,0:15:41.96,Default,,0000,0000,0000,,If you have a bug in your\Nhardware key module you cannot fix it.
Dialogue: 0,0:15:41.96,0:15:48.48,Default,,0000,0000,0000,,There was a famous case last year. My work\Nlaptop was actually affected. There was an
Dialogue: 0,0:15:48.48,0:15:52.99,Default,,0000,0000,0000,,Infineon chip, I think, where they had a\Nbad random number generator, and it turned
Dialogue: 0,0:15:52.99,0:15:58.29,Default,,0000,0000,0000,,out that chip was used in many products.\NIt was used in the YubiKey device, I think,
Dialogue: 0,0:15:58.29,0:16:04.61,Default,,0000,0000,0000,,and it was also used in many HP laptops.\NIt was also used for disk encryption by
Dialogue: 0,0:16:04.61,0:16:11.16,Default,,0000,0000,0000,,Windows. And the second downside is that\Nthe implementation cannot be validated by
Dialogue: 0,0:16:11.16,0:16:17.45,Default,,0000,0000,0000,,the user. If you have your own computer,\Nwhere you have some understanding of what's
Dialogue: 0,0:16:17.45,0:16:20.50,Default,,0000,0000,0000,,running and what's not running, you can always\Nlook at the source code, compile it
Dialogue: 0,0:16:20.50,0:16:24.58,Default,,0000,0000,0000,,yourself, and you have some idea what the\Nwallet is doing. If you have just a little
Dialogue: 0,0:16:24.58,0:16:29.66,Default,,0000,0000,0000,,token that you plug in by USB, then you\Ndon't actually know what it is doing. And
Dialogue: 0,0:16:29.66,0:16:37.08,Default,,0000,0000,0000,,that will be important later on for our\Nattack. So some examples: in servers you have
Dialogue: 0,0:16:37.08,0:16:46.07,Default,,0000,0000,0000,,HSMs. They are sometimes not only used to\Nprotect keys but also to increase
Dialogue: 0,0:16:46.07,0:16:51.23,Default,,0000,0000,0000,,performance. If a server does a lot of\Nencryption it's better to have a hardware
Dialogue: 0,0:16:51.23,0:16:56.44,Default,,0000,0000,0000,,module, but those hardware modules\Ntypically also store keys. And then you
Dialogue: 0,0:16:56.44,0:17:04.66,Default,,0000,0000,0000,,have TPM chips in business laptops, and you\Nhave smartphones like the iPhone. Yes. So
Dialogue: 0,0:17:04.66,0:17:09.32,Default,,0000,0000,0000,,what are common problems and attacks that\Nwe've seen with wallets so far in the last
Dialogue: 0,0:17:09.32,0:17:15.45,Default,,0000,0000,0000,,years? So the most obvious attack is keys\Nare stolen via the network. Someone has a
Dialogue: 0,0:17:15.45,0:17:20.16,Default,,0000,0000,0000,,software wallet on his Windows machine,\Ninstalled some malware by accident by
Dialogue: 0,0:17:20.16,0:17:33.22,Default,,0000,0000,0000,,clicking on some e-mail link, and the\Nmalware can steal the keys. So another
Dialogue: 0,0:17:33.22,0:17:39.83,Default,,0000,0000,0000,,kind of attack is if you have insecure\Nstorage, for example if you have a phone
Dialogue: 0,0:17:39.83,0:17:45.28,Default,,0000,0000,0000,,where you store your bitcoins and it's\Nstolen and the phone is not encrypted and
Dialogue: 0,0:17:45.28,0:17:52.06,Default,,0000,0000,0000,,the wallet is not encrypted. People can\Nsteal the keys and steal your bitcoins. And
Dialogue: 0,0:17:52.06,0:17:55.93,Default,,0000,0000,0000,,then you have a third kind of attack,\Nwhere you have bad random numbers or
Dialogue: 0,0:17:55.93,0:17:58.91,Default,,0000,0000,0000,,predictable random numbers. That happened\Na lot with bad wallets that were
Dialogue: 0,0:17:58.91,0:18:03.01,Default,,0000,0000,0000,,implemented in JavaScript, and then if you\Nhave a bad browser that is generating bad
Dialogue: 0,0:18:03.01,0:18:10.02,Default,,0000,0000,0000,,random numbers, the attacker can guess\Nyour random numbers, and this means that
Dialogue: 0,0:18:10.02,0:18:16.47,Default,,0000,0000,0000,,they can guess your keys or they can guess\Nyour nonce k, which is equivalent, as we
Dialogue: 0,0:18:16.47,0:18:21.82,Default,,0000,0000,0000,,have seen. And one more interesting thing\Nis that it is not only important that you
Dialogue: 0,0:18:21.82,0:18:27.78,Default,,0000,0000,0000,,keep your nonce k secret, it's also\Nimportant that you use it only once. So if
Dialogue: 0,0:18:27.78,0:18:34.72,Default,,0000,0000,0000,,you use it twice, the attacker can also\Ncompute your private key even without
Dialogue: 0,0:18:34.72,0:18:40.28,Default,,0000,0000,0000,,knowing k. And one problem with bitcoin is\Nall the signatures are published on the
Dialogue: 0,0:18:40.28,0:18:45.44,Default,,0000,0000,0000,,blockchain. So attackers can just scan the\Nblockchain and see if the number k is
Dialogue: 0,0:18:45.44,0:18:49.22,Default,,0000,0000,0000,,appearing two times, and then steal the\Nbitcoins. That happens a lot. So if this
Dialogue: 0,0:18:49.22,0:18:54.39,Default,,0000,0000,0000,,happens to you the bitcoins will probably\Nbe stolen within one hour, because somebody is
Dialogue: 0,0:18:54.39,0:18:59.27,Default,,0000,0000,0000,,always scanning the blockchain, and in the\Nearly days of bitcoin this attack also
Dialogue: 0,0:18:59.27,0:19:10.65,Default,,0000,0000,0000,,happened a lot. But now we want to talk\Nabout a more sophisticated kind of attack,
Dialogue: 0,0:19:10.65,0:19:14.76,Default,,0000,0000,0000,,which is the backdoor in a random number\Ngenerator, which is not just bad random
Dialogue: 0,0:19:14.76,0:19:18.90,Default,,0000,0000,0000,,numbers, but random numbers that can intentionally be predicted by an
Dialogue: 0,0:19:18.90,0:19:23.97,Default,,0000,0000,0000,,attacker. One famous example for a\Nbackdoored random number generator was
Dialogue: 0,0:19:23.97,0:19:30.24,Default,,0000,0000,0000,,Dual_EC_DRBG when it was standardized by\Nthe - so that's the standard by the US
Dialogue: 0,0:19:30.24,0:19:35.78,Default,,0000,0000,0000,,government for random bit generators. And\Nthere were some parameters in this
Dialogue: 0,0:19:35.78,0:19:41.87,Default,,0000,0000,0000,,algorithm that were selected by the US\Ngovernment, but they couldn't explain why
Dialogue: 0,0:19:41.87,0:19:46.11,Default,,0000,0000,0000,,they selected them. And there was no need\Nfor selecting them from a cryptographic
Dialogue: 0,0:19:46.11,0:19:53.60,Default,,0000,0000,0000,,point of view. So there was suspicion that\Nthey were selected in a certain way in
Dialogue: 0,0:19:53.60,0:20:00.89,Default,,0000,0000,0000,,order to predict random numbers. And later,\Nwhen Edward Snowden had his files released,
Dialogue: 0,0:20:00.89,0:20:09.20,Default,,0000,0000,0000,,there was some documentation that they\Nactually did this. So what could an
Dialogue: 0,0:20:09.20,0:20:16.42,Default,,0000,0000,0000,,attacker do with a backdoored random\Nnumber generator? So every time the user
Dialogue: 0,0:20:16.42,0:20:21.41,Default,,0000,0000,0000,,generates a signature it needs to generate\Na nonce k. And if this nonce k is
Dialogue: 0,0:20:21.41,0:20:30.31,Default,,0000,0000,0000,,generated by the backdoored random number\Ngenerator, then the attacker can later on -
Dialogue: 0,0:20:30.31,0:20:39.38,Default,,0000,0000,0000,,so the attacker wants to make the wallet\Nof the victim generate random numbers
Dialogue: 0,0:20:39.38,0:20:45.05,Default,,0000,0000,0000,,and a nonce k in a bad way. And the\Nattacker then later on scans all the
Dialogue: 0,0:20:45.05,0:20:48.60,Default,,0000,0000,0000,,transactions on the blockchain in order to\Nfind the victim's transactions and the
Dialogue: 0,0:20:48.60,0:20:53.15,Default,,0000,0000,0000,,victim's signatures, and then uses his\Nbackdoor knowledge in order to compute the
Dialogue: 0,0:20:53.15,0:21:00.26,Default,,0000,0000,0000,,secret key. And then after he has the secret\Nkey he can steal the bitcoins. So we will
Dialogue: 0,0:21:00.26,0:21:05.40,Default,,0000,0000,0000,,talk about something that's called\Nkleptograms. Kleptograms were first
Dialogue: 0,0:21:05.40,0:21:14.78,Default,,0000,0000,0000,,introduced by Adam Young and Moti Yung in\N1997. Back then it was based on the
Dialogue: 0,0:21:14.78,0:21:21.12,Default,,0000,0000,0000,,classical DSA, but it's very similar to the\Nelliptic curve DSA. Because we have some
Dialogue: 0,0:21:21.12,0:21:27.49,Default,,0000,0000,0000,,more formulas now, I will have a little\Ndescription: so all lowercase letters are
Dialogue: 0,0:21:27.49,0:21:34.35,Default,,0000,0000,0000,,numbers, all capital letters are points on\Nthe elliptic curve, all Greek letters
Dialogue: 0,0:21:34.35,0:21:40.93,Default,,0000,0000,0000,,are constants, and this function R is a\Nrandom number generator, but this is not
Dialogue: 0,0:21:40.93,0:21:43.82,Default,,0000,0000,0000,,the backdoored random number generator,\Nbut the real random number generator that
Dialogue: 0,0:21:43.82,0:21:50.89,Default,,0000,0000,0000,,we assume is strong. So it has some\Nproperties, for example that it's not
Dialogue: 0,0:21:50.89,0:21:55.65,Default,,0000,0000,0000,,possible to efficiently distinguish\Nbetween the numbers generated by this
Dialogue: 0,0:21:55.65,0:22:02.56,Default,,0000,0000,0000,,random number generator and actual random\Nnumbers. So if you want to do - if you
Dialogue: 0,0:22:02.56,0:22:09.38,Default,,0000,0000,0000,,want to generate two numbers k1 and k2\Nwhich are used as nonces in these ECDSA
Dialogue: 0,0:22:09.38,0:22:15.85,Default,,0000,0000,0000,,signatures, and we later want that the\Nattacker can use these signatures to
Dialogue: 0,0:22:15.85,0:22:22.80,Default,,0000,0000,0000,,compute the private key, then we can do a\Nsimple thing. The first random number we
Dialogue: 0,0:22:22.80,0:22:29.76,Default,,0000,0000,0000,,can just pick randomly. So we have the\Nrandom number k1, and we can store k1, and
Dialogue: 0,0:22:29.76,0:22:37.93,Default,,0000,0000,0000,,we can output k1 to the wallet, and the\Nwallet will use k1 and R1, which is the
Dialogue: 0,0:22:37.93,0:22:47.51,Default,,0000,0000,0000,,point which is - yes, the point that is\Ngenerated if you multiply the point G with
Dialogue: 0,0:22:47.51,0:22:56.15,Default,,0000,0000,0000,,k1. k1 and R1 are used for the signature,\Nand R1 will be published on the blockchain
Dialogue: 0,0:22:56.15,0:23:04.16,Default,,0000,0000,0000,,with the signature. And then in the second\Nround we'll compute k2 as a random number
Dialogue: 0,0:23:04.16,0:23:11.38,Default,,0000,0000,0000,,derived from R1, and here we don't pick a\Nnew random number, but we just use the
Dialogue: 0,0:23:11.38,0:23:20.16,Default,,0000,0000,0000,,pseudo random number generator. And then\Nwe output k2 and R2, which is the point for
Dialogue: 0,0:23:20.16,0:23:30.67,Default,,0000,0000,0000,,k2, for the second signature. So what can\Nwe do now? So this is the second round again.
Dialogue: 0,0:23:30.67,0:23:37.49,Default,,0000,0000,0000,,So if the attacker now wants to know k2, he\Ncan just scan the blockchain for all
Dialogue: 0,0:23:37.49,0:23:43.05,Default,,0000,0000,0000,,values of R1, which are all published on\Nthe blockchain, and then compute k2 by
Dialogue: 0,0:23:43.05,0:23:49.38,Default,,0000,0000,0000,,using the random number generator on R1,\Nand then use it to compute the private
Dialogue: 0,0:23:49.38,0:23:53.74,Default,,0000,0000,0000,,key. But there are two problems with this.\NAnyone can use the random number generator,
Dialogue: 0,0:23:53.74,0:23:58.79,Default,,0000,0000,0000,,so anyone can compute this. So the\Nquestion is whether we can hide this attack.
Dialogue: 0,0:24:02.29,0:24:08.35,Default,,0000,0000,0000,,So in order to hide the attack the\Nattacker generates his own private key and
Dialogue: 0,0:24:08.35,0:24:15.44,Default,,0000,0000,0000,,public key. The random number generator is\Nthe same as before. And now we generate k1
Dialogue: 0,0:24:15.44,0:24:22.21,Default,,0000,0000,0000,,and k2 again, but in a slightly different\Nway. For k1 it's the same, k1 is just
Dialogue: 0,0:24:22.21,0:24:32.84,Default,,0000,0000,0000,,generated as a random number, and it is\Nstored and used for the signature. And then
Dialogue: 0,0:24:32.84,0:24:40.38,Default,,0000,0000,0000,,in the second round we pick a random bit t,\Nand then we compute the value Z by using
Dialogue: 0,0:24:40.38,0:24:44.77,Default,,0000,0000,0000,,the formula that you see in the second\Nline. It is not important to understand the
Dialogue: 0,0:24:44.77,0:24:49.78,Default,,0000,0000,0000,,details of the formula, but you need to see\N- the important thing is that the public
Dialogue: 0,0:24:49.78,0:24:59.84,Default,,0000,0000,0000,,key of the attacker A is used in this\Nformula. And then the second nonce k2 is
Dialogue: 0,0:24:59.84,0:25:07.03,Default,,0000,0000,0000,,computed using the random number generator\Non this value Z. And then this value k2 is
Dialogue: 0,0:25:07.03,0:25:13.86,Default,,0000,0000,0000,,used for the second signature. So what\Nhappens now is that because - this is the
Dialogue: 0,0:25:13.86,0:25:22.71,Default,,0000,0000,0000,,second round again. So what happens now is\Nthat the attacker can extract a second
Dialogue: 0,0:25:22.71,0:25:31.18,Default,,0000,0000,0000,,value by doing the following computations\Nusing his private key A. There are two
Dialogue: 0,0:25:31.18,0:25:36.87,Default,,0000,0000,0000,,cases. So there are two candidates for k2,\Nand it's not clear which one is the right
Dialogue: 0,0:25:36.87,0:25:42.26,Default,,0000,0000,0000,,one, but it's only like one bit difference,\Nso you can try both and one of them will
Dialogue: 0,0:25:42.26,0:25:47.26,Default,,0000,0000,0000,,be the right one. And because no one else\Nhas the private key A, no one else can do
Dialogue: 0,0:25:47.26,0:25:53.49,Default,,0000,0000,0000,,this computation. And because you have the\Nrandom number generator R, you know that
Dialogue: 0,0:25:53.49,0:26:06.26,Default,,0000,0000,0000,,the value - the value for k2 is\Nindistinguishable from real random numbers,
Dialogue: 0,0:26:06.26,0:26:11.73,Default,,0000,0000,0000,,because we assume that the random number\Ngenerator is strong. So how do we use this
Dialogue: 0,0:26:11.73,0:26:17.93,Default,,0000,0000,0000,,attack on wallets? So the attacker can do\Nthe following: The attacker can use a
Dialogue: 0,0:26:17.93,0:26:23.19,Default,,0000,0000,0000,,popular wallet and backdoor it, or can\Ncreate his own wallet and spread it on the
Dialogue: 0,0:26:23.19,0:26:28.37,Default,,0000,0000,0000,,Internet and wait for people to use it. So\Nthen after that the attacker needs some
Dialogue: 0,0:26:28.37,0:26:34.15,Default,,0000,0000,0000,,patience. The attacker needs to wait until\Nthe victim creates some transactions using
Dialogue: 0,0:26:34.15,0:26:40.92,Default,,0000,0000,0000,,the wallet, and doing that, the\Nvictims will publish the transactions on
Dialogue: 0,0:26:40.92,0:26:45.48,Default,,0000,0000,0000,,the blockchain, so all the values that the\Nattacker later wants to have are published
Dialogue: 0,0:26:45.48,0:26:51.31,Default,,0000,0000,0000,,on the blockchain, and after a while the\Nattacker can just scan the whole
Dialogue: 0,0:26:51.31,0:26:57.99,Default,,0000,0000,0000,,blockchain for signatures that are\Ngenerated by the same key, and then do the
Dialogue: 0,0:26:57.99,0:27:04.90,Default,,0000,0000,0000,,computation that we've seen in order to\Nderive private keys. So there's one more
Dialogue: 0,0:27:04.90,0:27:09.83,Default,,0000,0000,0000,,footnote to this. The harvest does not\Nhave to actually be after the patience
Dialogue: 0,0:27:09.83,0:27:18.36,Default,,0000,0000,0000,,phase, because even after the attacker\Nsteals bitcoins, no one can detect the
Dialogue: 0,0:27:18.36,0:27:33.74,Default,,0000,0000,0000,,secret in the transaction, so it will not -\Nlike it - it will not disclose the attack.
Dialogue: 0,0:27:33.74,0:27:40.07,Default,,0000,0000,0000,,So some properties of the attack, some\Nlimitations. The attack can only be used
Dialogue: 0,0:27:40.07,0:27:46.80,Default,,0000,0000,0000,,if the user uses the same key twice to\Nsign transactions. But that's the
Dialogue: 0,0:27:46.80,0:27:52.98,Default,,0000,0000,0000,,usual, typical use in bitcoin: you always\Nuse your key several times. Sometimes
Dialogue: 0,0:27:52.98,0:27:58.95,Default,,0000,0000,0000,,you even use the same key in the same\Ntransaction twice. So in some cases even
Dialogue: 0,0:27:58.95,0:28:11.57,Default,,0000,0000,0000,,one transaction can be enough to leak the\Nprivate key. And there is another footnote,
Dialogue: 0,0:28:11.57,0:28:16.59,Default,,0000,0000,0000,,because there is some standard which is\Ncalled BIP32, which is the standard for
Dialogue: 0,0:28:16.59,0:28:24.61,Default,,0000,0000,0000,,deriving many keys in bitcoin from one\Nseed.
And it means that the attacker Dialogue: 0,0:28:24.61,0:28:29.75,Default,,0000,0000,0000,,manages to get one of your private keys it\Nmight be possible for the attacker to Dialogue: 0,0:28:29.75,0:28:37.21,Default,,0000,0000,0000,,compute more private keys without doing\Nmore attacks. This attack is independent Dialogue: 0,0:28:37.21,0:28:41.27,Default,,0000,0000,0000,,from how Bitcoin in general works it's\Nindependent from the consensus algorithm Dialogue: 0,0:28:41.27,0:28:45.69,Default,,0000,0000,0000,,it's independent from mining. It also\Napplies to other blockchains that use Dialogue: 0,0:28:45.69,0:28:52.10,Default,,0000,0000,0000,,similar signature schemes some use\Ndifferent curves. Some use EdDSA but the Dialogue: 0,0:28:52.10,0:28:59.08,Default,,0000,0000,0000,,attack works for them as well. And the\Nbackdoor also works with other protocols Dialogue: 0,0:28:59.08,0:29:02.62,Default,,0000,0000,0000,,that don't have anything to do with\Ncryptocurrency but in cryptocurrency it's Dialogue: 0,0:29:02.62,0:29:07.72,Default,,0000,0000,0000,,easier because the parameters: the curve\Nand the point and everything is already Dialogue: 0,0:29:07.72,0:29:13.20,Default,,0000,0000,0000,,defined by the protocol. You cannot use a\Ndifferent curve in Bitcoin. So the Dialogue: 0,0:29:13.20,0:29:17.68,Default,,0000,0000,0000,,attacker always knows which curve you are\Nusing so the attacker always knows which Dialogue: 0,0:29:17.68,0:29:27.80,Default,,0000,0000,0000,,curve it has to use to hide the secret. So\Nwhat are the conclusions? What does it Dialogue: 0,0:29:27.80,0:29:32.82,Default,,0000,0000,0000,,mean for users? So it means that keys can\Nbe leaked through the transactions. You don't Dialogue: 0,0:29:32.82,0:29:35.55,Default,,0000,0000,0000,,need a side channel. 
You don't need a\Nsecond connection you don't need Dialogue: 0,0:29:35.55,0:29:41.11,Default,,0000,0000,0000,,additional data and it cannot be detected\Neven if you're looking at the transactions Dialogue: 0,0:29:41.11,0:29:46.61,Default,,0000,0000,0000,,because the random number generator is\Nused is indistinguishable from normal Dialogue: 0,0:29:46.61,0:29:53.35,Default,,0000,0000,0000,,random numbers. So what does it mean for\Nthe user to do? It means that the user Dialogue: 0,0:29:53.35,0:29:57.52,Default,,0000,0000,0000,,should be careful not using untrusted\Nwallets. Even if you use them offline they Dialogue: 0,0:29:57.52,0:30:04.95,Default,,0000,0000,0000,,could still leak your keys and that means\Nfor some applications transparency might Dialogue: 0,0:30:04.95,0:30:10.04,Default,,0000,0000,0000,,be more important than tampering\Nresistance. For example it means that it Dialogue: 0,0:30:10.04,0:30:14.84,Default,,0000,0000,0000,,might be worth to have a software wallet\Nthat you know what it's doing. In contrast Dialogue: 0,0:30:14.84,0:30:20.70,Default,,0000,0000,0000,,to a hardware wallet which might protect\Nthe key from theft but you don't really Dialogue: 0,0:30:20.70,0:30:26.53,Default,,0000,0000,0000,,know what it's doing when it's generating\Na signature. Dialogue: 0,0:30:26.53,0:30:29.27,Default,,0000,0000,0000,,Yeah, that's it. Dialogue: 0,0:30:29.27,0:30:32.60,Default,,0000,0000,0000,,{\i1}applaus{\i0} Dialogue: 0,0:30:32.60,0:30:46.30,Default,,0000,0000,0000,,Herald: So any questions? And so there are\Ntwo microphones. Number 2, Number 1. If Dialogue: 0,0:30:46.30,0:30:53.05,Default,,0000,0000,0000,,any questions please go to the\Nmicrophones. And if you leave the room Dialogue: 0,0:30:53.05,0:30:58.16,Default,,0000,0000,0000,,don't do it in front of the camera, that's\Nthe stream. If there is any question from Dialogue: 0,0:30:58.16,0:31:03.28,Default,,0000,0000,0000,,the Internet make a sign. I see, \Nmicrophone 2 your question. 
Dialogue: 0,0:31:03.28,0:31:08.63,Default,,0000,0000,0000,,Microphone 2: Hi. You said that you could\Nderive additional private keys if one of Dialogue: 0,0:31:08.63,0:31:14.74,Default,,0000,0000,0000,,the keys leaks in BIP32. It's my\Nunderstanding that that is not possible Dialogue: 0,0:31:14.74,0:31:20.38,Default,,0000,0000,0000,,unless that's the master private key. And\Nyou know the derivation scheme. So could Dialogue: 0,0:31:20.38,0:31:23.99,Default,,0000,0000,0000,,you elaborate what you meant.\NStephan: No I was just talking about Dialogue: 0,0:31:23.99,0:31:29.18,Default,,0000,0000,0000,,derived keys in general. Yeah it is not\Nthat simple. So that's also why I didn't Dialogue: 0,0:31:29.18,0:31:33.33,Default,,0000,0000,0000,,put it on the slides. It depends on the\Nscheme that you use for deriving the keys. Dialogue: 0,0:31:33.33,0:31:34.52,Default,,0000,0000,0000,,That's true.\NMicrophone 2: All right. Thanks. Dialogue: 0,0:31:34.52,0:31:38.07,Default,,0000,0000,0000,,Stephan: But depending on the scheme you\Nneed to keep in mind that one key or one Dialogue: 0,0:31:38.07,0:31:42.99,Default,,0000,0000,0000,,secret might be information that you used\Nto derive other secrets. Yes. Dialogue: 0,0:31:42.99,0:31:49.34,Default,,0000,0000,0000,,Herald: Okay. Microphone 1.\NMicrophone 1: I would just like to maybe Dialogue: 0,0:31:49.34,0:31:54.57,Default,,0000,0000,0000,,have a piece of practical advice from you.\NSo given this consideration that you Dialogue: 0,0:31:54.57,0:31:58.33,Default,,0000,0000,0000,,really need to know a bit of the code that\Nis running on resource on the wallet. Dialogue: 0,0:31:58.33,0:32:00.15,Default,,0000,0000,0000,,Stephan: Okay. I think speak up a little\Nbit. Dialogue: 0,0:32:00.15,0:32:02.11,Default,,0000,0000,0000,,Microphone 1: Yes. Do you hear me better\Nnow? Dialogue: 0,0:32:02.11,0:32:04.13,Default,,0000,0000,0000,,Stephan: Yes.\NMicrophone 1: Okay. 
So do you think that Dialogue: 0,0:32:04.13,0:32:09.89,Default,,0000,0000,0000,,would be a good alternative to have softer\Nwallets running air gapped but softer Dialogue: 0,0:32:09.89,0:32:13.17,Default,,0000,0000,0000,,wallets instead of harder wallets because\Nthey're easier to audit or to see the Dialogue: 0,0:32:13.17,0:32:16.45,Default,,0000,0000,0000,,source code.\NStephan: Yeah. The point is that it's Dialogue: 0,0:32:16.45,0:32:19.85,Default,,0000,0000,0000,,better to have a wallet that you control\Nthat you know what it's doing. Because Dialogue: 0,0:32:19.85,0:32:23.46,Default,,0000,0000,0000,,this if you even if you have a air gap you\Nwill at some point you will put the Dialogue: 0,0:32:23.46,0:32:27.98,Default,,0000,0000,0000,,transactions from the wallet to the\Nnetwork. And if the secret is inside the Dialogue: 0,0:32:27.98,0:32:33.93,Default,,0000,0000,0000,,transaction then the air gap will not help\Nyou. That's the point. Yes. Dialogue: 0,0:32:33.93,0:32:37.45,Default,,0000,0000,0000,,Herald: And microphone 2 you have another\Nquestion. Okay. Microphone 1. Dialogue: 0,0:32:37.45,0:32:42.84,Default,,0000,0000,0000,,Microphone 1: So if you if I understood\Nyou correctly this makes the strong Dialogue: 0,0:32:42.84,0:32:49.12,Default,,0000,0000,0000,,assumption that you seed the random number\Ngenerator on the second step with the Dialogue: 0,0:32:49.12,0:32:51.88,Default,,0000,0000,0000,,point generated from the first step. Is\Nthis correct? Dialogue: 0,0:32:51.88,0:32:55.32,Default,,0000,0000,0000,,Stephan: Yes.\NMicrophone 1: And this is something which Dialogue: 0,0:32:55.32,0:33:00.75,Default,,0000,0000,0000,,is like pinstriped from the Bitcoin\Nprotocol or because I don't see any point Dialogue: 0,0:33:00.75,0:33:05.13,Default,,0000,0000,0000,,in seeding it like this you could seed it\Nalso differently. Dialogue: 0,0:33:05.13,0:33:13.58,Default,,0000,0000,0000,,Stephan: No the normal - there are\Ndifferent ways to generate the nonce k. 
So Dialogue: 0,0:33:13.58,0:33:20.25,Default,,0000,0000,0000,,the original way that's part of the ECDSA\Ngovernment standard is to generate a Dialogue: 0,0:33:20.25,0:33:24.06,Default,,0000,0000,0000,,random number. So every time you would\Ngenerate a random number. But this Dialogue: 0,0:33:24.06,0:33:28.17,Default,,0000,0000,0000,,malicious wallet is breaking the protocol\Nit's not using the random number it's Dialogue: 0,0:33:28.17,0:33:34.23,Default,,0000,0000,0000,,generating a number in a different way.\NAnd then there the additional ideas for Dialogue: 0,0:33:34.23,0:33:39.89,Default,,0000,0000,0000,,example this RFC6979 that you also have on\Nthe slide now. That's a scheme that Dialogue: 0,0:33:39.89,0:33:45.98,Default,,0000,0000,0000,,generates deterministic nonces from the\Nprivate key and the message you can Dialogue: 0,0:33:45.98,0:33:52.04,Default,,0000,0000,0000,,generate a deterministic nonce. So this\Nway you avoid bad random numbers but the Dialogue: 0,0:33:52.04,0:33:56.88,Default,,0000,0000,0000,,malicious wallet it can always break the\Nprotocol, it does not follow the protocol Dialogue: 0,0:33:56.88,0:34:03.97,Default,,0000,0000,0000,,and it would use a different number. Yes.\NHerald: Do you have a second question at Dialogue: 0,0:34:03.97,0:34:12.06,Default,,0000,0000,0000,,microphone 2, you?\NMicrophone 2: Sorry if this is a stupid Dialogue: 0,0:34:12.06,0:34:16.96,Default,,0000,0000,0000,,question but could you maybe just\Nsummarize the attack vector which you have Dialogue: 0,0:34:16.96,0:34:25.67,Default,,0000,0000,0000,,on people who use wallets in general? So\Nlike what is the attack vector. Which Dialogue: 0,0:34:25.67,0:34:30.66,Default,,0000,0000,0000,,permissions do you need to have in order -\Nyeah and which permissions would you gain using your attack Dialogue: 0,0:34:30.66,0:34:35.55,Default,,0000,0000,0000,,Stephan: The attacker in this case is the\Nauthor of your wallet. 
Dialogue: 0,0:34:35.55,0:34:39.31,Default,,0000,0000,0000,,Microphone 2: Okay.\NStephan: So if the attacker has not Dialogue: 0,0:34:39.31,0:34:44.49,Default,,0000,0000,0000,,touched your wallet the source code or the\Nfirmware or the crypto chip that's used by Dialogue: 0,0:34:44.49,0:34:49.74,Default,,0000,0000,0000,,the wallet manufacturer then you are safe.\NMicrophone 2: Okay thanks. Dialogue: 0,0:34:49.74,0:34:55.31,Default,,0000,0000,0000,,Herald: Are there any question from the\Ninternet? Dialogue: 0,0:34:55.31,0:34:59.53,Default,,0000,0000,0000,,No. Yeah. Then a big applause for Stephan. Dialogue: 0,0:34:59.53,0:35:06.95,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:35:06.95,0:35:09.23,Default,,0000,0000,0000,,Herald: And keep your keys. Dialogue: 0,0:35:09.23,0:35:34.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!