1. EC signatures; secret data and linearity
   sG = kG + eP = R + eP, where R = kG and e = H(P, R, m)
2. Nonce reuse; nonce bias (Heninger/Breitner 2019); undetectable nonce compromise
3. Problem: as a user I can't detect nonce bias (other than by breaking it)
   Solution: deterministic nonces? Unverifiable. ZKPs? Expensive, and they have their own nonces. Multisig with the host? (Host key management / passphrase management; general complexity)
4. Solution: Anti-Exfil, or nonce commitments to random junk
5. (Bonus slide) Technical problems:
   1. If the host goes first, can the HWW grind its randomness to bias the nonce?
   2. If the HWW goes first, can the host bias the nonce? (And if the HWW is deterministic, do a direct extraction?)
   3. Can the host verify that the commitment was done?
6. (Bonus slide) Technical solution:
   1. Host provides a *commitment to randomness*
   2. HWW derives a deterministic nonce based on the commitment, publishes the public nonce
   3. Host provides the actual randomness
   4. HWW derives the full nonce and produces the signature
7. Implementations:
   for ECDSA: https://github.com/BlockstreamResearch/secp256k1-zkp/blob/master/include/secp256k1_ecdsa_s2c.h
   for Schnorr: https://github.com/bitcoin-core/secp256k1/pull/1140
   in Jade: https://blog.blockstream.com/anti-exfil-stopping-key-exfiltration/
   in OTS: https://github.com/opentimestamps/python-opentimestamps/pull/14
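The four-step bonus-slide exchange, as an added worked example that is not from the talk and not the secp256k1-zkp code it links to: a toy Schnorr signer over secp256k1 in pure Python, with the host's commitment, the device's committed nonce R, the revealed randomness, the tweaked nonce k' = k + H(R || rand32), and the host-side check that rejects a device signing with a nonce it never committed to. The hash-to-scalar h, the x||y point encoding, the nonce derivation h(x, msg, commitment) and the step function names are assumptions of this example.

```python
# Constructed toy of the Anti-Exfil exchange (Schnorr over secp256k1); not the secp256k1-zkp code.
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt=G):  # double-and-add scalar multiplication
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def ser(p):  # toy encoding: int -> 32 bytes, point -> x || y, bytes unchanged
    if isinstance(p, tuple):
        return ser(p[0]) + ser(p[1])
    return p.to_bytes(32, "big") if isinstance(p, int) else p
def h(*parts):  # SHA-256 of the concatenated parts, reduced to a scalar
    return int.from_bytes(hashlib.sha256(b"".join(map(ser, parts))).digest(), "big") % N

def host_commit(rand32):  # step 1: host commits to its randomness before seeing any nonce
    return hashlib.sha256(rand32).digest()
def hww_nonce_commit(x, msg, host_commitment):  # step 2: k is a deterministic function of the
    k = h(x, msg, host_commitment)               # host's commitment, so the device cannot grind it
    return k, mul(k)                             # publishes R = kG
def hww_sign(x, msg, k, R, rand32):  # step 4: k' = k + H(R || rand32), so R' = R + H(R || rand32)G
    k2 = (k + h(R, rand32)) % N
    R2 = mul(k2)
    return R2, (k2 + h(mul(x), R2, msg) * x) % N  # e = H(P, R', m); s = k' + e*x
def host_verify(pub, msg, R, rand32, sig):  # step 5: host checks the commitment, then the signature
    R2, s = sig
    if R2 != add(R, mul(h(R, rand32))):  # device did not sign with the nonce it committed to
        return False
    return mul(s) == add(R2, mul(h(pub, R2, msg), pub))  # ordinary Schnorr check: sG == R' + eP
def exchange(x, msg, rand32, honest_device=True):  # whole protocol; False models a deviating device
    c = host_commit(rand32)                     # host -> device
    k, R = hww_nonce_commit(x, msg, c)          # device -> host
    if not honest_device:
        k = h(b"nonce the device never committed to")
    sig = hww_sign(x, msg, k, R, rand32)        # host -> device: rand32; device -> host: signature
    return host_verify(mul(x), msg, R, rand32, sig), sig
```

With `honest_device=False` the device signs with a nonce other than the one behind its published R, and `host_verify` rejects the signature: that is the "can the host verify that the commitment was done" check from the bonus slide.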