@randhindi This isn't an attack on TEEs in general. It's an attack on Intel SGX, which has literally always been broken.
Anyone who was paying attention already knew SGX was broken; anyone who was still using SGX will make excuses.
Other TEE impls are entirely unaffected.
Cubist is now a node operator for the @AlloraNetwork!
Building on our strong experience 🔐securing keys for Ethereum staking, we are excited to bring our CubeSigner key management technology to Cosmos validators.
Learn more: https://t.co/GZteHk4SUt
@real_philogy Deterministic signatures are good for avoiding randomness bugs, but all else equal they're more vulnerable to side-channel and fault attacks.
Hedged signatures help address this: sample local rng, add to hash input. Even total RNG failure isn't fatal. https://t.co/3h68LowhtJ
@lightclients@nicht_tintin Completely 100% plausible that this results in zero practical attacks, but there's a nonzero gap there.
To be clear, I think EIP-3074 is awesome and I'm super psyched for it to land. But if I had my druthers the hash would include `authority` to prevent this type of thing. 5/5
@lightclients@nicht_tintin Not, sadly, a cryptographic proof-of-knowledge, but hey that would be asking a lot :)
Post EIP-3074, it's possible to send many txns from an address without knowing its sk. That's a weakening of the (already kind of weak, sadly) assurance we get from existing EOAs. 4/n
@lightclients@nicht_tintin Reasonable people can absolutely disagree. Perhaps no concrete attack materializes and the security tradeoff is completely theoretical. Perhaps someone comes up with an awesome application.
But usually what happens is, the attackers get better over time. Hence my concern.
@lightclients@nicht_tintin Is the difference meaningful? I don't know. But it's important to acknowledge that this weakens EOAs for a vague promise of innovation. The use cases mentioned so far can easily be achieved in ways that don't weaken EOAs, so I'm not convinced the security tradeoff is worth it.
@lightclients@nicht_tintin There are much sunnier hills to die on than this one 😅 but it seems like if synthetic accts have actual applications (1) I'd like to see stronger examples and (2) perhaps it's worth having extra functionality for those if it means strengthening security of AUTH...
@lightclients@nicht_tintin Account controlled by BLS signature: nothing here is specific to EIP-3074 as far as I can tell. You can implement a 4337 wallet controlled by a BLS signature.
State channels: description wasn't so clear, but doing this with factory + clones would cost, what, 125k gas per chan?
@lightclients@nicht_tintin Again, "leery" is a pretty weak statement here. I don't have a concrete attack, and it's completely possible that there's no concrete attack. But it's not immediately clear that there are no concrete attacks.
@lightclients@nicht_tintin I'm worried about the invokee: right now when an EOA invokes a contract, it's reasonable to believe that someone knows the secret key. Anyone that relies on that knowledge property for security loses once EIP-3074 goes live. I can't say for certain that no one relies on this.
@lightclients@nicht_tintin To expand on why I'd be leery: long and brutal experience shows that people will assume that the intuitive definition of security is what's implemented. In this case, people will likely assume a valid AUTH implies knowledge of secret, but it doesn't. This is a potential footgun.
@lightclients@nicht_tintin By synthetic, you mean generating an auth signature without having the corresponding secret key? What kind of applications do you have in mind?
I'd be pretty leery of a weaker definition of AUTH than "I have the secret key". Whatever it is currently, it's clearly not that.
@nicht_tintin@lightclients There's probably no attack in the current format (just like it's no attack to generate a fresh signing key). But hashing "authority" is arguably stronger, in the sense that it's (probably, I haven't written a proof) infeasible to AUTH for an address unless you know the secret.
@nicht_tintin@lightclients@nicht_tintin is right, the better thing to do would be to sign
H(MAGIC || authority || chainId || nonce || invoker || commit)
In general it's much safer to include pubkey in sighash. EdDSA does this, e.g. This protects against a large number of well known attacks.