by Drip33 2178 days ago
>The fun bit is that the signer can backdoor transactions, and that part isn't something that can be verified by anybody who doesn't have the private keys.

Can you explain this? This is contrary to my knowledge of reviewing the details of a pre-signed transaction.


Sure. The basic idea is that the signer can choose an ECDSA nonce (k) that they know, and leak the private key. If I choose a known nonce for my signature, I can recover the private key from the published transaction instantly. With some ECDSA magic, you can even produce a nonce that is only recoverable with another key that you hold. So a hardware wallet, for example, can backdoor transactions to leak the seed through the signature, or a specific key, or put any data there that they wish. The "offline signing" defense is only good for one way, as there's always data leaving the system which you can't easily audit.

This is only detectable if you have multiple signers signing the same transaction using the same private key and the same method for generating the nonce, and you compare them before broadcasting. So perhaps using hardware wallets from 3 manufacturers which all implement bit-identical implementations of the signer (with RFC6070 deterministic signatures), and treating the signed transaction as a private key leak until you've verified they all match.

For ECDSA a single bit bias in the nonce, or a single bit leakage of the nonce through other methods is enough to completely break the cryptography. So we could have hardware wallets that produce otherwise impeccable transactions and signatures, but leak a bit of the nonce in the ordering of the outputs, the lock time, the sequence numbers, and that would still be enough to steal all of the funds.

This stuff is trickier to get right than most people imagine.
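An added illustration of the two points above (my code, not anyone's in the thread): a signature made with a nonce the signer chose verifies exactly like an honest one, so inspecting or validating the transaction cannot tell them apart, while the cross-check of having an independent signer with the same key recompute the deterministic signature does catch it. Assumptions not taken from the thread: the curve is secp256k1, deterministic nonces follow RFC 6979 with SHA-256, and the key, message hash and backdoor nonce used in testing are constructed values.

```python
import hmac, hashlib
P = 2**256 - 2**32 - 977  # secp256k1 (the curve Bitcoin uses): field prime,
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order,
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and A[1] != B[1]: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return x, (lam * (A[0] - x) - A[1]) % P

def mul(k, Q=G):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def rfc6979_nonce(d, z):  # deterministic k (RFC 6979, HMAC-SHA256, qlen = hlen = 256)
    x, h = d.to_bytes(32, 'big'), (z % N).to_bytes(32, 'big')
    K, V = b'\x00' * 32, b'\x01' * 32
    for sep in (b'\x00', b'\x01'):
        K = hmac.new(K, V + sep + x + h, hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()
        k = int.from_bytes(V, 'big')
        if 0 < k < N: return k
        K = hmac.new(K, V + b'\x00', hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()

def sign(d, z, k):  # textbook ECDSA over hash z; Bitcoin's low-s normalisation omitted
    r = mul(k)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def verify(pub, z, sig):  # what "inspecting the transaction" can check: the signature is valid
    r, s = sig
    w = pow(s, -1, N)
    R = add(mul(z * w % N), mul(r * w % N, pub))
    return R is not None and R[0] % N == r

def key_from_known_nonce(z, sig, k):  # whoever knows k gets d = (s*k - z) * r^-1 mod n
    r, s = sig
    return (s * k - z) * pow(r, -1, N) % N

def audit_device_signature(d, z, device_sig):  # the cross-check: an independent signer recomputes
    return device_sig == sign(d, z, rfc6979_nonce(d, z))  # the deterministic (r, s); mismatch = suspect
```

A mismatch in the audit does not by itself prove a backdoor (a non-RFC 6979 but honest signer also fails it), which is why the comment asks for bit-identical signer implementations before treating agreement as meaningful.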

That requires some sort of malware (or similar) installed on the device/software creating the transactions, which has access to the private key to leak it via some predetermined way. That is different from what I thought you were saying: that a pre-signed transaction could directly send funds to an unwanted address without you knowing, even after inspecting the signed transaction itself before broadcasting it.

Regardless, whatever job you have where what you've said is a legitimate threat model sounds like the most interesting job in the space.

Oh no, inspecting the transaction means you know where the money goes, absolutely. There's just no assurance that it's all you need to be safe. Given the amount of absurdity going on in this industry you have to be very sure of things like hardware wallets. It would take zero effort to replace a Bitcoin hardware wallet with one that is backdoored, so it's a very real threat to many companies, whether they know it or not.

If you never reuse an address, all of this concern goes away. Spending any funds from an address means spending them all, and then any private key leaked no longer matters.

That's not actually true, as most private keys are deterministically produced. Leaking one key from an HD wallet leaks them all.

Leaking a single private key does not leak all the private keys. You would still need the chain code used to derive all private keys, no?