path: root/75/a5ff7fa426abc00a978adc48b9f985308463e2
blob: 5834b7d1b704ab218210b3337d62f2e052b2b5db (plain)
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <edmund.edgar@gmail.com>) id 1WMCyu-0001hA-0u
	for bitcoin-development@lists.sourceforge.net;
	Sat, 08 Mar 2014 08:51:44 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.192.172 as permitted sender)
	client-ip=209.85.192.172; envelope-from=edmund.edgar@gmail.com;
	helo=mail-pd0-f172.google.com; 
Received: from mail-pd0-f172.google.com ([209.85.192.172])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1WMCys-0000Co-TZ
	for bitcoin-development@lists.sourceforge.net;
	Sat, 08 Mar 2014 08:51:43 +0000
Received: by mail-pd0-f172.google.com with SMTP id p10so5031925pdj.17
	for <bitcoin-development@lists.sourceforge.net>;
	Sat, 08 Mar 2014 00:51:37 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.66.145.166 with SMTP id sv6mr27644017pab.31.1394268697069;
	Sat, 08 Mar 2014 00:51:37 -0800 (PST)
Sender: edmund.edgar@gmail.com
Received: by 10.68.32.5 with HTTP; Sat, 8 Mar 2014 00:51:37 -0800 (PST)
In-Reply-To: <531AD080.40501@gmail.com>
References: <CA+su7OUMgeWgkMFAmmMEpW3eN=cvU47MKt51idDrmCWEiCb+VQ@mail.gmail.com>
	<531AD080.40501@gmail.com>
Date: Sat, 8 Mar 2014 17:51:37 +0900
X-Google-Sender-Auth: Xa0bVA9yfX-eNuDGUHrD-NP60p0
Message-ID: <CA+su7OWx9jrgUJrOH=tg1968vr1G1w7yXjgaRSyYJ0zRBjwpqg@mail.gmail.com>
From: Edmund Edgar <ed@realitykeys.com>
To: bitcoin-development@lists.sourceforge.net
Content-Type: multipart/alternative; boundary=047d7b6783f6690f9504f4147a74
X-Spam-Score: -0.5 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(edmund.edgar[at]gmail.com)
	-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
	no trust [209.85.192.172 listed in list.dnswl.org]
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WMCys-0000Co-TZ
Subject: Re: [Bitcoin-development] Is this a safe thing to be doing with ECC
 addition? (Oracle protocol)
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 08:51:44 -0000

--047d7b6783f6690f9504f4147a74
Content-Type: text/plain; charset=UTF-8

On 8 March 2014 17:10, Alan Reiner <etotheipi@gmail.com> wrote:


> I create a new keypair, <c_pub> with <c_priv> which I know (it can be any
> arbitrary key pair).  But I don't give you <c_pub>, I give you  <b_pub> =
> <c_pub> minus <a_pub> (which I can do because I've seen <a_pub> before
> doing this).
>
> Sure, I don't know the private key for <b_pub>, but it doesn't matter...
> because what
>
> <b_pub> + <a_pub> = <c_pub> (mine)
>
> You have no way to detect this condition, because you don't know what
> c_pub/c_priv I created, so you can only detect this after it's too late
> (after I abuse the private key)
>

Thanks Alan and Forrest, that makes sense. So to salvage the situation in
the original case, we have to make sure the parties exchange their public
keys first, before they're allowed to see the public keys they'll be
combining them with.

-- 
-- 
Edmund Edgar
Founder, Social Minds Inc (KK)
Twitter: @edmundedgar
Linked In: edmundedgar
Skype: edmundedgar
http://www.socialminds.jp

Reality Keys
@realitykeys
ed@realitykeys.com
https://www.realitykeys.com

--047d7b6783f6690f9504f4147a74--
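The exchange discussed above, worked through as an added example (not code from either post, and not Reality Keys' own implementation). It reproduces the failure Alan describes, where a party who has already seen a_pub submits b_pub = c_pub - a_pub and the combined key becomes c_pub, and then models the fix Edmund proposes as a commit-then-reveal step: each side publishes a hash of its public key before seeing the other's, and a revealed key that does not match its commitment is rejected. The curve arithmetic is a minimal textbook secp256k1 implementation with the standard constants; the function names, the SHA-256 commitment format and the small integer private keys (5, 7, 99) are constructed for this example only.

```python
"""Key-combination exchange: the rogue-key failure from the thread and the
commit-then-reveal fix.  Added example, not code from the original posts.
Curve arithmetic is a minimal textbook secp256k1 implementation (constants
are the standard ones); private keys used below are small constructed
integers chosen only so the example is deterministic."""
import hashlib

# secp256k1 domain parameters (standard values)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_neg(p):
    """Point negation: (x, y) -> (x, -y mod P)."""
    return None if p is None else (p[0], (-p[1]) % P)


def ec_mul(k, p=G):
    """Double-and-add scalar multiplication k*p."""
    result, addend = None, p
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def commit(pub):
    """Commitment to a public key: SHA-256 over its 64-byte affine coordinates
    (constructed format for this example)."""
    return hashlib.sha256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")).digest()


def naive_exchange_is_rogue(a_priv, c_priv):
    """The failure Alan describes: B already knows a_pub and submits
    b_pub = c_pub - a_pub without knowing b_priv.  Returns True when the
    combined key equals c_pub, a key whose private key only B holds."""
    a_pub, c_pub = ec_mul(a_priv), ec_mul(c_priv)
    b_pub = ec_add(c_pub, ec_neg(a_pub))
    return ec_add(a_pub, b_pub) == c_pub


def committed_exchange(a_priv, b_priv, b_reveal=None):
    """Edmund's fix made concrete as commit-then-reveal (simulated in one place).
    Round 1: each party publishes commit(pub) before seeing the other's key.
    Round 2: keys are revealed and each is checked against its commitment.
    b_reveal lets the caller model B revealing a key other than the committed one.
    Returns the combined public key, or None if any reveal fails verification."""
    a_pub, b_pub = ec_mul(a_priv), ec_mul(b_priv)
    commitments = {"A": commit(a_pub), "B": commit(b_pub)}                  # round 1
    reveals = {"A": a_pub, "B": b_pub if b_reveal is None else b_reveal}    # round 2
    for party, pub in reveals.items():
        if commit(pub) != commitments[party]:
            return None      # revealed key is not the committed one: abort
    return ec_add(reveals["A"], reveals["B"])


def rogue_reveal_rejected(a_priv, b_priv, c_priv):
    """B commits to an honest key, then after seeing a_pub tries to reveal
    c_pub - a_pub instead.  Returns True when the protocol rejects it."""
    a_pub, c_pub = ec_mul(a_priv), ec_mul(c_priv)
    substituted = ec_add(c_pub, ec_neg(a_pub))
    return committed_exchange(a_priv, b_priv, b_reveal=substituted) is None


if __name__ == "__main__":
    print("naive exchange hands B sole control:", naive_exchange_is_rogue(5, 99))
    print("honest committed exchange equals (a+b)*G:",
          committed_exchange(5, 7) == ec_mul(12))
    print("substituted reveal rejected:", rogue_reveal_rejected(5, 7, 99))
```

In the honest run the combined key is (a_priv + b_priv)*G, so neither side can spend alone; in the rogue run the commitment pins B's key to one chosen before a_pub was known, which is exactly the ordering Edmund's reply asks for. Requiring each party to sign something with the private key of the key it submits blocks the same substitution for the reason Alan gives (B does not know the private key for c_pub - a_pub), and can be combined with the commitment round.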