Krux uses Embit (same as SpecterDIY and SeedSigner) and secp256k1 from Blockstream.
@odudex is right that Krux itself isn't implementing the signing logic, the embit library that Krux uses is. To answer your question though, embit is not using a random number for the nonce. Instead, it's following RFC6979 which is a standard for using a deterministic, yet hard-to-guess value for the nonce made up of the hash of the private key + message.

Here's the relevant code: https://github.com/diybitcoinhardware/embit/blob/be13c6c9789055f39f515389ab3fbf2e1c6beaf3/src/embit/util/key.py#L409-L458

In Krux's case, this is preferable to a random number because there isn't a good source of entropy on the embedded devices it runs on. We could explore allowing the user themselves to provide entropy via dice rolls or the camera when signing a transaction, but I'd be inclined to stick with RFC6979 until/unless any weaknesses have been discovered with that method.
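An added example, not part of the original thread and not embit's or Krux's code: a minimal sketch of the RFC 6979 (section 3.2) nonce derivation for secp256k1 with HMAC-SHA256, showing that the nonce is a deterministic function of the private key and message hash and needs no entropy source at signing time. The function names `rfc6979_nonce` and `demo`, and the key and messages in `demo`, are constructed for illustration.

```python
import hashlib
import hmac

# Order of the secp256k1 group (public curve parameter).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def rfc6979_nonce(privkey: int, msg_hash: bytes) -> int:
    """Derive the ECDSA nonce k per RFC 6979 section 3.2 (secp256k1, SHA-256)."""
    if not 1 <= privkey < N:
        raise ValueError("private key out of range")
    if len(msg_hash) != 32:
        raise ValueError("expected a 32-byte message hash")

    x = privkey.to_bytes(32, "big")  # int2octets(x)
    # bits2octets(h1): reduce the hash modulo the group order.
    h1 = (int.from_bytes(msg_hash, "big") % N).to_bytes(32, "big")

    # Steps b-g: seed the HMAC-based generator with key and message hash.
    v = b"\x01" * 32
    k = b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()

    # Step h: draw candidates until one falls in [1, N-1].
    while True:
        v = hmac.new(k, v, hashlib.sha256).digest()
        candidate = int.from_bytes(v, "big")
        if 1 <= candidate < N:
            return candidate
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()


def demo():
    """Constructed inputs: same key and message give the same nonce,
    a different message gives a different nonce."""
    key = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % (N - 1) + 1
    h_a = hashlib.sha256(b"constructed transaction A").digest()
    h_b = hashlib.sha256(b"constructed transaction B").digest()
    return rfc6979_nonce(key, h_a), rfc6979_nonce(key, h_a), rfc6979_nonce(key, h_b)


if __name__ == "__main__":
    k1, k2, k3 = demo()
    print(f"same message:  {k1 == k2}\nother message: {k1 != k3}")
```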
I'd like to know if the nonce transaction of Krux uses a safe random number.
I'm not an expert, so I came here to know that.
Thanks