From: Ben Kloester <benkloester@gmail.com>
Date: Tue, 9 Jan 2018 09:26:17 +1100
Message-ID: <CANgJ=T-CNrzLCtS2PdjCXNq+6LzQ=aM9_Fxw-yF5t3vARXwcuQ@mail.gmail.com>
To: Peter Todd <pete@petertodd.org>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

> This sounds very dangerous. As Gregory Maxwell pointed out, the key derivation
> function is weak enough that passphrases could be easily brute forced

So you are essentially imagining that a perpetrator will combine the
crypto-nerd fantasy (brute forcing the passphrase) *with* the 5-dollar
wrench attack, merging both panes of Randall Munroe's comic? Seems
vanishingly unlikely to me - attackers are generally either the wrench
type, or the crypto-nerd type.

This thread started by you asking Pavol to give an example of a real-life
scenario in which this functionality would be used, and your rebuttal is a
scenario that is even less likely to occur. "Very dangerous" is a huge
stretch.

When living in Brazil I often carried two (IRL) wallets - one a decoy to
give to muggers, the other with more value stored in it. I heard of plenty
of people getting mugged, but I never heard of anyone who gave a decoy
wallet getting more thoroughly searched and the second wallet found,
despite the relative ease with which a mugger could do this. I'm sure it
has happened, probably many times, but point is there is rarely time for
contemplation in a shakedown, and most perpetrators will take things at
face value and be satisfied with getting something. And searching a
physical person's body is a hell of a lot simpler than cracking a
passphrase.

Moreover, there's no limit to the number of passphrases you can use. If you
were an attacker, at what point would you stop, satisfied? After the
first, second, third, fourth wallet that you find/they admit to owning?
Going beyond two is already Bond-supervillain level implausible.

*Ben Kloester*

On 9 January 2018 at 06:37, Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Mon, Jan 08, 2018 at 02:00:17PM +0100, Pavol Rusnak wrote:
> > On 08/01/18 13:45, Peter Todd wrote:
> > > Can you explain _exactly_ what scenario the "plausible deniability" feature
> > > refers to?
> >
> >
> > https://doc.satoshilabs.com/trezor-user/advanced_settings.html#multi-passphrase-encryption-hidden-wallets
>
> This sounds very dangerous. As Gregory Maxwell pointed out, the key derivation
> function is weak enough that passphrases could be easily brute forced, at which
> point the bad guys have cryptographic proof that you tried to lie to them and
> cover up funds.
>
>
> What model of human memory are you assuming here? What specifically are you
> assuming is easy to remember, and hard to remember? What psychology research
> backs up your assumptions?
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org