# What is Anti-Exfil and how does it work?

Source URL: https://helpcenter.dxp-frontend.devserver.app/blockstream-jade/faqs/what-is-anti-exfil-and-how-does-it-work
Updated: 2026-04-09T09:36:22.000Z
Category: Blockstream Jade
Section: FAQs

---

A compromised hardware wallet can slowly leak the user’s private key(s) through the signatures it creates, even if those keys were generated with strong randomness. **[Jade](https://blockstream.com/jade) implements Anti-Exfil** to mitigate this kind of attack.

To fully understand how this attack works and how to mitigate it, first let's briefly discuss how signatures work in Bitcoin.

Bitcoin's Elliptic Curve Digital Signature Algorithm (ECDSA) combines a random private key with a _nonce_ (a one-time value intended to add randomness to the signature) to produce a transaction signature that other Bitcoin full nodes can validate. Without this random nonce, anyone could work out your private key from your signatures, which would quickly lead to a loss of funds.

**Compromised hardware wallets could create a nonce that appears random but is not**. The nonces could be known to an attacker ahead of time. Even worse, the hardware wallet could leak parts of the user’s master private key into individual nonces, which would allow the attacker to guess every private key attributed to a person's wallet given a sufficient number of signatures.

Anti-Exfil uses “sign-to-contract”: Jade still uses its own signature nonce, but it must do so **while cryptographically committing to some random data** proposed by the (assumed uncompromised) host computer. The random data’s hash is then combined with the signature nonce to produce the signature.

By adding this host-provided randomness into the nonce via sign-to-contract, Anti-Exfil ensures that the nonce is re-randomized, preventing malicious leakage.

