Board: Development & Technical Discussion
Re: How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys
by stv on 11/12/2014, 11:38:04 UTC
Quote
It would require a conspiracy with the host device. Such a conspiracy can simply not be prevented... e.g. if _Every_ device you have is lying to you about what transaction you're authorizing, you could be authorizing anything.
Depends on what kind of attack you are looking at. As I said, a full attack application on Bitcoin requires some additional steps. But even without that, it is an attack with the “offline property”.

The host does not really have to actively do anything. All information about the keys may eventually be on the host, and only the attacker can know that. It would have to be offline as well.

Quote
Yes, it requires schnorr signatures. Which is why it's not in use yet in Bitcoin; though we have soft plans to adopt schnorr signatures for many other reasons in any case.
Interesting. :)

Quote
I think it matters greatly... you're certainly not going to see a Trezor-like device generating such a thing. And, as you noted... the ZKP has freedom and can create a side-channel. (And I believe that's inherent if the zero knowledge is perfect.)
Yes, it is not suitable for an embedded wallet, but that is not the only offline wallet. For a disconnected PC this wouldn't be a problem.

Quote
On the plus side, you can prevent the attacker from seeing the proof, which would help.
Yes, but that is no different from your blind-signature solution. If your host successfully keeps the messages from the protocol secret, it would be fine. And both (my proof or your protocol messages) don't have to be stored after they have been used/verified once.
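The exchange above turns on the signer's freedom to choose its nonce, which is the side-channel both participants are worried about, and on the remark that the host/device protocol needs Schnorr signatures. The following is an added illustration, not code from the thread and not the blind-signature or ZKP scheme either participant describes: it shows a textbook Schnorr signature over secp256k1 in which the host removes the device's nonce freedom by a commit-then-randomize step (the device commits to R1 = k1*G, the host answers with a random t, the device must sign with k = k1 + t, and the host checks that the returned R equals R1 + t*G). The point arithmetic, the hash layout for the challenge, and the `OfflineSigner`/`host_sign` names are all assumptions made here for the example; this is not BIP340 and not a production signing protocol.

```python
import hashlib
import secrets

# secp256k1 curve parameters (assumed here; standard values).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r


def ser(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(R, pub, msg):
    """Schnorr challenge e = H(R || pub || msg), an assumed (non-BIP340) layout."""
    return int.from_bytes(hashlib.sha256(ser(R) + ser(pub) + msg).digest(), "big") % N


def verify(pub, msg, sig):
    R, s = sig
    e = challenge(R, pub, msg)
    return mul(s, G) == add(R, mul(e, pub))


class OfflineSigner:
    """The device side: commits to a nonce before learning the host's randomizer."""

    def __init__(self, d):
        self.d = d
        self.pub = mul(d, G)
        self._k1 = None

    def commit(self):
        self._k1 = secrets.randbelow(N - 1) + 1
        return mul(self._k1, G)                 # R1 = k1*G

    def sign(self, msg, t):
        k = (self._k1 + t) % N                   # nonce is fixed by the commitment and t
        self._k1 = None
        R = mul(k, G)
        s = (k + challenge(R, self.pub, msg) * self.d) % N
        return (R, s)


class FreeNonceSigner(OfflineSigner):
    """A misbehaving device that ignores t and picks its own nonce (constructed for the check)."""

    def sign(self, msg, t):
        k = secrets.randbelow(N - 1) + 1
        R = mul(k, G)
        s = (k + challenge(R, self.pub, msg) * self.d) % N
        return (R, s)


def host_sign(signer, msg):
    """Host side: randomize the committed nonce and refuse any signature that deviates."""
    R1 = signer.commit()
    t = secrets.randbelow(N - 1) + 1
    R, s = signer.sign(msg, t)
    if R != add(R1, mul(t, G)):
        raise ValueError("device did not use the committed nonce plus host randomizer")
    if not verify(signer.pub, msg, (R, s)):
        raise ValueError("signature does not verify")
    return (R, s)


def detects_free_nonce(signer_cls):
    """True if host_sign rejects this signer class on a constructed message."""
    try:
        host_sign(signer_cls(secrets.randbelow(N - 1) + 1), b"constructed test message")
        return False
    except ValueError:
        return True
```

An honest `OfflineSigner` passes `host_sign` and yields a signature that verifies under its public key, while `FreeNonceSigner` is rejected because its R does not match R1 + t*G. The check only constrains the nonce; as the post itself notes, it does nothing against a host that conspires with the device, and a device can still refuse to complete a signing session, which is a far narrower channel than free nonce choice.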