* To protect against differential power analysis, a different way of > mixing in this randomness is used (masking the private key completely > with randomness before continuing, rather than hashing them together, > which is known in the literature to be vulnerable to DPA in some > scenarios). >
I think citation for this would improve the spec. I haven't studied these attacks but it seems to me that every hardware wallet would be vulnerable to them while doing key derivation. If the attacker can get side channel information from hashes in nonce derivation then they can surely get side channel information from hashes in HD key derivation. It should actually be easier since the master seed is hashed for anything the hardware device needs to do including signing. is this the case? LL
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
