A compromised hardware wallet can slowly leak the user’s private key(s) through the signatures it creates, even when the private key itself was generated with strong randomness. Blockstream Jade has implemented Anti-Exfil to mitigate this kind of attack.
Understanding Anti-Exfil
To fully understand how this attack and its mitigation work, we need a very short overview of how signatures work in Bitcoin.
With ECDSA (the digital signature algorithm used in Bitcoin), a randomly generated private key is combined with a nonce, a one-time secret value that adds randomness to each signature, to produce a transaction signature that other users’ Bitcoin full nodes can validate. Without a properly random nonce, anyone can recover your private key from your signatures, which is as bad as it sounds!
A compromised hardware wallet could create nonces that appear random but are not: the attacker could know them ahead of time. Even worse, the hardware wallet could leak parts of the user’s master private key into individual nonces, which would let the attacker recover every private key once it has collected enough signatures.
Anti-Exfil uses “sign-to-contract” to have Jade cryptographically commit its signature nonce to some random data proposed by the (assumed uncompromised) host computer. The hash of that random data is then combined with the signature nonce to produce the signature.
Through this protocol the nonce is re-randomized, which prevents the attack.
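The following is an added example that is not part of the original post and is not Blockstream Jade’s code. It walks through the sign-to-contract exchange described above end to end with a small pure-Python secp256k1: the wallet commits to a nonce point R0, the host contributes 32 random bytes, the wallet signs with the tweaked nonce k0 + H(R0 || host_rand), and the host reconstructs the nonce point from the signature to check that the tweak was really applied. All function names (wallet_commit_nonce, wallet_sign, host_verify, anti_exfil_round) and the key, message and nonce values are constructed for this demo. It deliberately omits details of the real protocol (the host first sends a hash of its randomness before the wallet reveals R0, low-s normalisation, constant-time arithmetic), so it is an illustration of the idea, not a reference implementation.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_bytes(pt):
    """33-byte compressed SEC encoding, used as the hash input for the tweak."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def sign_with_nonce(priv, z, k):
    """Plain ECDSA over message hash z with an explicit nonce k (r, s == 0 not retried: demo)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def recover_nonce_point(pub, z, r, s):
    """Rebuild R = k*G from a signature: since s = k^-1 (z + r*d), k*G = s^-1 (z*G + r*pub)."""
    return ec_mul(pow(s, -1, N), ec_add(ec_mul(z, G), ec_mul(r, pub)))


def tweak(R0, host_rand):
    """Scalar both sides derive from the wallet's commitment and the host's entropy."""
    return int.from_bytes(sha256(point_bytes(R0), host_rand), "big") % N


def wallet_commit_nonce(k0):
    """Step 1 (wallet): pick its own nonce k0 and commit to it by revealing R0 = k0*G."""
    return ec_mul(k0, G)


def wallet_sign(priv, z, k0, R0, host_rand):
    """Step 3 (wallet): sign with k = k0 + H(R0 || host_rand). The effective nonce now
    depends on entropy the wallet did not choose, so a pre-planned nonce is useless."""
    k = (k0 + tweak(R0, host_rand)) % N
    return sign_with_nonce(priv, z, k)


def host_verify(pub, z, sig, R0, host_rand):
    """Step 4 (host): the signature must verify (R.x mod N == r) AND its nonce point must be
    exactly R0 + t*G, which proves the wallet honoured the commitment it made in step 1."""
    r, s = sig
    R = recover_nonce_point(pub, z, r, s)
    expected = ec_add(R0, ec_mul(tweak(R0, host_rand), G))
    return R is not None and R[0] % N == r and R == expected


def anti_exfil_round(priv, z, k0, host_rand, cheat=False):
    """One full exchange. cheat=True models a wallet that silently ignores the host's
    randomness and signs with k0 alone; the host then rejects the (otherwise valid) signature."""
    pub = ec_mul(priv, G)
    R0 = wallet_commit_nonce(k0)  # wallet -> host, before the host reveals host_rand
    if cheat:
        sig = sign_with_nonce(priv, z, k0)
    else:
        sig = wallet_sign(priv, z, k0, R0, host_rand)
    return host_verify(pub, z, sig, R0, host_rand)


if __name__ == "__main__":
    # Constructed demo values; a real wallet would hold priv and derive k0 internally.
    priv = 0x1D6F7A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7
    z = int.from_bytes(sha256(b"constructed transaction digest"), "big") % N
    k0 = secrets.randbelow(N - 1) + 1
    host_rand = secrets.token_bytes(32)
    print("honest wallet accepted by host:", anti_exfil_round(priv, z, k0, host_rand))
    print("cheating wallet accepted by host:", anti_exfil_round(priv, z, k0, host_rand, cheat=True))
```

The check in host_verify is what makes the scheme enforceable: a wallet that wants to keep using nonces of its own choosing produces a signature that still verifies under ECDSA, but whose nonce point no longer matches R0 + t*G, so the host refuses to broadcast it.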