| field | value | date |
|---|---|---|
| author | Ben Kloester <benkloester@gmail.com> | 2018-01-09 09:26:17 +1100 |
| committer | bitcoindev <bitcoindev@gnusha.org> | 2018-01-08 22:26:24 +0000 |
| commit | a05dcc354c3c4d8449b30ec42a2ae5d203dd5ad7 (patch) | |
| tree | 290c08ce7b9ad0ffadb35505d948169c4252addf | |
| parent | c7e3c7eb6bb2253a09006c11ddf91a2a1d712f97 (diff) | |
| download | pi-bitcoindev-a05dcc354c3c4d8449b30ec42a2ae5d203dd5ad7.tar.gz, pi-bitcoindev-a05dcc354c3c4d8449b30ec42a2ae5d203dd5ad7.zip | |
Re: [bitcoin-dev] Satoshilabs secret shared private key scheme
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | 6d/269f990ed06a5420b04d73533e29127f0ff6ff | 229 |

1 files changed, 229 insertions, 0 deletions
diff --git a/6d/269f990ed06a5420b04d73533e29127f0ff6ff b/6d/269f990ed06a5420b04d73533e29127f0ff6ff new file mode 100644 index 000000000..2d1f86b68 --- /dev/null +++ b/6d/269f990ed06a5420b04d73533e29127f0ff6ff 
@@ -0,0 +1,229 @@ +Return-Path: <benkloester@gmail.com> +Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org + [172.17.192.35]) + by mail.linuxfoundation.org (Postfix) with ESMTPS id A6146EDF + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 8 Jan 2018 22:26:24 +0000 (UTC) +X-Greylist: whitelisted by SQLgrey-1.7.6 +Received: from mail-wr0-f195.google.com (mail-wr0-f195.google.com + [209.85.128.195]) + by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 3495544D + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 8 Jan 2018 22:26:23 +0000 (UTC) +Received: by mail-wr0-f195.google.com with SMTP id w107so12308019wrb.9 + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 08 Jan 2018 14:26:23 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=mime-version:in-reply-to:references:from:date:message-id:subject:to + :cc; bh=hTcezkblQNRBlImOjofPNFKKWHjytoLzN7zMuoUIPSU=; + b=PppK8X583hKtcKbfDvBbtGZ67chlhtXpOOwEVufsHgrbqLSdH7q3AIDcK+M5mKawQw + ic6Av4c63M5AAIDcu6TyMML5UmiWo3BVsxcKTO56xzdC/F/62CUMX73NpXfLr+DnUm+m + asXVftmmZHATpspjpGVMjpIXfKC5PSwlS0wSYnvEDhnpqiPPMBCSIVkNNR9N/HbBZCv6 + xliqWUZcCvhQJz1OOxf0EZpqwypgMDHo26j71NiDbJZUjTYXX9g64X4Wt1tkCrpwMSKV + WQRanYBNRgLtgMWgkPoCjezYMtCSRrap5ar+Z4VJKad6CFFyHsjbmp9d6wTGYRpzy+bm + qUAw== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:mime-version:in-reply-to:references:from:date + :message-id:subject:to:cc; + bh=hTcezkblQNRBlImOjofPNFKKWHjytoLzN7zMuoUIPSU=; + b=IaJb2W8lyuCkd8BZ7EkUC/oDT0tvwVwt5rX/JCRe1l6Xz++ZAL+mHpiX2mbklUNGdw + 5CEU0rX5xYWE9GCpZZa3cj9FQa3SH3iE8m1WOboC6D2RY7IQPiP8ViooeClaTa8/5o94 + 5e83jztY2Vyr1GeLSHMJm+Uwp7AcolCBh3HRmMpwDmAQw0U/chEGQ+9rtrZqMwzbg2xX + qw6QzC362tQsR4VlvlPxZQTIATFazAbofdCfuAuIdDrMpf9zTumczQqt0hSvf+yG7PGu + 662cjFBSW31wNs/eUyQP85lHfC61yNiFbj1T7ZV3Ycc3Ju14tZcaPHcMjiy0mXrM+tlC + yd2w== +X-Gm-Message-State: AKGB3mI7lYUZtuuzUKzOY7i+4qowNtkpZ4jTWxCtrWUU+uW4DWkQtAei + 
Yo1STB0pYbqfhuHW8IbPJRfmgZam2xOvnyiUDA+ymchZ +X-Google-Smtp-Source: ACJfBosEtw3wwm0Rzghx4ecbrsxXgBJ0QFhMxDAT3Y+MXhjyGNnVK9fe1US07b5EKKrUM/v1EAjBgTQaZ9mI0svJv7Q= +X-Received: by 10.223.170.70 with SMTP id q6mr12631226wrd.265.1515450377954; + Mon, 08 Jan 2018 14:26:17 -0800 (PST) +MIME-Version: 1.0 +Received: by 10.223.184.83 with HTTP; Mon, 8 Jan 2018 14:26:17 -0800 (PST) +In-Reply-To: <20180108193714.GA15359@savin.petertodd.org> +References: <CAAS2fgR-or=zksQ929Muvgr=sgzNSugGp669ZWYC6YkvEG=H5w@mail.gmail.com> + <ae570ccf-3a2c-a11c-57fa-6dad78cfb1a5@satoshilabs.com> + <20180108124506.GA13858@savin.petertodd.org> + <5c229def-760a-69eb-e646-bd3c77482b00@satoshilabs.com> + <20180108193714.GA15359@savin.petertodd.org> +From: Ben Kloester <benkloester@gmail.com> +Date: Tue, 9 Jan 2018 09:26:17 +1100 +Message-ID: <CANgJ=T-CNrzLCtS2PdjCXNq+6LzQ=aM9_Fxw-yF5t3vARXwcuQ@mail.gmail.com> +To: Peter Todd <pete@petertodd.org>, + Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org> +Content-Type: multipart/alternative; boundary="94eb2c1cc94c73ecb905624b4967" +X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, + DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, + RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + smtp1.linux-foundation.org +X-Mailman-Approved-At: Mon, 08 Jan 2018 23:01:51 +0000 +Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: 
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Mon, 08 Jan 2018 22:26:24 -0000 + +--94eb2c1cc94c73ecb905624b4967 +Content-Type: text/plain; charset="UTF-8" + +> This sounds very dangerous. As Gregory Maxwell pointed out, the key +derivation +> function is weak enough that passphrases could be easily brute forced + +So you are essentially imagining that a perpetrator will combine the +crypto-nerd fantasy (brute forcing the passphrase) *with* the 5-dollar +wrench attack, merging both panes of Randall Munroe's comic? Seems +vanishingly unlikely to me - attackers are generally either the wrench +type, or the crypto-nerd type. + +This thread started by you asking Pavol to give an example of a real-life +scenario in which this functionality would be used, and your rebuttal is a +scenario that is even less likely to occur. "Very dangerous" is a huge +stretch. + +When living in Brazil I often carried two (IRL) wallets - one a decoy to +give to muggers, the other with more value stored in it. I heard of plenty +of people getting mugged, but I never heard of anyone who gave a decoy +wallet getting more thoroughly searched and the second wallet found, +despite the relative ease with which a mugger could do this. I'm sure it +has happened, probably many times, but point is there is rarely time for +contemplation in a shakedown, and most perpetrators will take things at +face value and be satisfied with getting something. And searching a +physical person's body is a hell of a lot simpler than cracking a +passphrase. + +Moreover, there's no limit to the number of passphrases you can use. If you +were an atttacker, at what point would you stop, satisfied? After the +first, second, third, fourth wallet that you find/they admit to owning? 
+Going beyond two is already Bond-supervillain level implausible. + +*Ben Kloester* + +On 9 January 2018 at 06:37, Peter Todd via bitcoin-dev < +bitcoin-dev@lists.linuxfoundation.org> wrote: + +> On Mon, Jan 08, 2018 at 02:00:17PM +0100, Pavol Rusnak wrote: +> > On 08/01/18 13:45, Peter Todd wrote: +> > > Can you explain _exactly_ what scenario the "plausible deniability" +> feature +> > > refers to? +> > +> > +> > https://doc.satoshilabs.com/trezor-user/advanced_settings. +> html#multi-passphrase-encryption-hidden-wallets +> +> This sounds very dangerous. As Gregory Maxwell pointed out, the key +> derivation +> function is weak enough that passphrases could be easily brute forced, at +> which +> point the bad guys have cryptographic proof that you tried to lie to them +> and +> cover up funds. +> +> +> What model of human memory are you assuming here? What specifically are you +> assuming is easy to remember, and hard to remember? What psychology +> research +> backs up your assumptions? +> +> -- +> https://petertodd.org 'peter'[:-1]@petertodd.org +> +> _______________________________________________ +> bitcoin-dev mailing list +> bitcoin-dev@lists.linuxfoundation.org +> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev +> +> + +--94eb2c1cc94c73ecb905624b4967 +Content-Type: text/html; charset="UTF-8" +Content-Transfer-Encoding: quoted-printable + +<div dir=3D"ltr">>=C2=A0<span style=3D"font-size:12.8px">This sounds ver= +y dangerous. As Gregory Maxwell pointed out, the key derivation</span><br s= +tyle=3D"font-size:12.8px"><span style=3D"font-size:12.8px">> function is= + weak enough that passphrases could be easily brute forced</span><br><br><s= +pan style=3D"font-size:12.8px">So you are essentially imagining that a perp= +etrator will combine the crypto-nerd fantasy (brute forcing the passphrase)= + *with* the 5-dollar wrench attack, merging both panes of Randall Munroe= +9;s comic? 
Seems vanishingly unlikely to me - attackers=C2=A0are generally = +either the wrench type, or the crypto-nerd type.=C2=A0</span><div><span sty= +le=3D"font-size:12.8px"><br></span></div><div><span style=3D"font-size:12.8= +px">This thread started by you asking Pavol to give an example of a real-li= +fe scenario in which this functionality would be used, and your rebuttal is= + a scenario that is even less likely to occur. "Very dangerous" i= +s a huge stretch.</span><br></div><div><span style=3D"font-size:12.8px"><br= +></span></div><div><span style=3D"font-size:12.8px">When living in Brazil I= + often carried two (IRL) wallets - one a decoy to give to muggers, the othe= +r with more value stored in it. I heard of plenty of people getting mugged,= + but I never heard of anyone who gave a decoy wallet getting more thoroughl= +y searched and the second wallet found, despite the relative ease with whic= +h a mugger could do this. I'm sure it has happened, probably many times= +, but point is there is rarely time for contemplation in a shakedown, and m= +ost perpetrators will take things at face value and be satisfied with getti= +ng something. And searching a physical person's body is a hell of a lot= + simpler than cracking a passphrase.<br><br>Moreover, there's no limit = +to the number of passphrases you can use. If you were an atttacker, at what= + point would you stop, satisfied? After the first, second, third, fourth wa= +llet that you find/they admit to owning? 
Going beyond two is already Bond-s= +upervillain level implausible.</span></div></div><div class=3D"gmail_extra"= +><br clear=3D"all"><div><div class=3D"gmail_signature" data-smartmail=3D"gm= +ail_signature"><p><b>Ben Kloester</b><br><span style=3D"font-size:10.0pt;co= +lor:#595959"></span></p></div></div> +<br><div class=3D"gmail_quote">On 9 January 2018 at 06:37, Peter Todd via b= +itcoin-dev <span dir=3D"ltr"><<a href=3D"mailto:bitcoin-dev@lists.linuxf= +oundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&= +gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 = +0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=3D"">On Mon= +, Jan 08, 2018 at 02:00:17PM +0100, Pavol Rusnak wrote:<br> +> On 08/01/18 13:45, Peter Todd wrote:<br> +> > Can you explain _exactly_ what scenario the "plausible denia= +bility" feature<br> +> > refers to?<br> +><br> +><br> +> <a href=3D"https://doc.satoshilabs.com/trezor-user/advanced_settings.h= +tml#multi-passphrase-encryption-hidden-wallets" rel=3D"noreferrer" target= +=3D"_blank">https://doc.satoshilabs.com/<wbr>trezor-user/advanced_settings.= +<wbr>html#multi-passphrase-<wbr>encryption-hidden-wallets</a><br> +<br> +</span>This sounds very dangerous. As Gregory Maxwell pointed out, the key = +derivation<br> +function is weak enough that passphrases could be easily brute forced, at w= +hich<br> +point the bad guys have cryptographic proof that you tried to lie to them a= +nd<br> +cover up funds.<br> +<br> +<br> +What model of human memory are you assuming here? What specifically are you= +<br> +assuming is easy to remember, and hard to remember? 
What psychology researc= +h<br> +backs up your assumptions?<br> +<div class=3D"HOEnZb"><div class=3D"h5"><br> +--<br> +<a href=3D"https://petertodd.org" rel=3D"noreferrer" target=3D"_blank">http= +s://petertodd.org</a> 'peter'[:-1]@<a href=3D"http://petertodd.org"= + rel=3D"noreferrer" target=3D"_blank">petertodd.org</a><br> +</div></div><br>______________________________<wbr>_________________<br> +bitcoin-dev mailing list<br> +<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.= +<wbr>linuxfoundation.org</a><br> +<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" = +rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org= +/mailman/listinfo/bitcoin-<wbr>dev</a><br> +<br></blockquote></div><br></div> + +--94eb2c1cc94c73ecb905624b4967-- + |