author | Gregory Maxwell <greg@xiph.org> | 2018-01-18 14:34:24 +0000 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2018-01-18 14:34:26 +0000 |
commit | 02c1f16aea0265e5afb5b1c8d41b4d77f6aff1f0 (patch) | |
tree | 1ebd15bf7300a185ca100a360892c511d36526bf /ad | |
parent | 8394e42c266159573a9dc18771ce296886d0c19a (diff) | |
download | pi-bitcoindev-02c1f16aea0265e5afb5b1c8d41b4d77f6aff1f0.tar.gz pi-bitcoindev-02c1f16aea0265e5afb5b1c8d41b4d77f6aff1f0.zip |
Re: [bitcoin-dev] Satoshilabs secret shared private key scheme
Diffstat (limited to 'ad')
-rw-r--r-- | ad/140b40331aa1aa19d440167402c29875e3cad8 | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/ad/140b40331aa1aa19d440167402c29875e3cad8 b/ad/140b40331aa1aa19d440167402c29875e3cad8 new file mode 100644 index 000000000..ad13f60b6 --- /dev/null +++ b/ad/140b40331aa1aa19d440167402c29875e3cad8 
@@ -0,0 +1,99 @@ +Return-Path: <gmaxwell@gmail.com> +Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org + [172.17.192.35]) + by mail.linuxfoundation.org (Postfix) with ESMTPS id 7D050E43 + for <bitcoin-dev@lists.linuxfoundation.org>; + Thu, 18 Jan 2018 14:34:26 +0000 (UTC) +X-Greylist: whitelisted by SQLgrey-1.7.6 +Received: from mail-ua0-f193.google.com (mail-ua0-f193.google.com + [209.85.217.193]) + by smtp1.linuxfoundation.org (Postfix) with ESMTPS id F25645AC + for <bitcoin-dev@lists.linuxfoundation.org>; + Thu, 18 Jan 2018 14:34:25 +0000 (UTC) +Received: by mail-ua0-f193.google.com with SMTP id z47so15692166uac.0 + for <bitcoin-dev@lists.linuxfoundation.org>; + Thu, 18 Jan 2018 06:34:25 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; + h=mime-version:sender:in-reply-to:references:from:date:message-id + :subject:to:cc:content-transfer-encoding; + bh=G17TaBSXsRC5VG9yLWsq5CkCSEd9gRzFPUsPOM+Y1bY=; + b=fG1T9EJxwzzf4E7qu+tAQYeLI1xmjleEcssCEyZHWAWUkdRuDbciJggiG0O2DGboGy + 2DQ+GCH9JAhpw1m+sPcEQtXeUqy/FWNw39KxCZY8AlQf3Kp3T9oXy3BF0sNE8OlSsGfj + 8BEVPUwivuSQxDfAKUjJFXxhUTqZUH6Hl6uEC1huWge8ICS3g+TdJouQqY4ceaGN53ZI + GpZYecrAsMtkKm/2OmivAgNM203zMy7x6ZY7Rxq3Mc9qw/G9MoD0L2NRpidm0pYv89DI + e0HzjwgiUTL9ysk1z2BAdVA52HoHkPdOt5cfD5atONRCoNPnOBh9MCofU1CTeYKPNzjE + RQ/Q== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:mime-version:sender:in-reply-to:references:from + :date:message-id:subject:to:cc:content-transfer-encoding; + bh=G17TaBSXsRC5VG9yLWsq5CkCSEd9gRzFPUsPOM+Y1bY=; + b=Ijtm6vaIbE3JR1nr4kqgE24zdOXhspOBmNWh3haeVW6OeoJWBf//Y1sEwfyBJ5LRBF + MT7Y9Z2NkKRn7FYMm12mRLHy+fAq+4fEtZhrRKtXMtWEnYlCkhhB87fKGUZc/Mp0kw9V + h0weqqyHV6sclglvqBivBID9B489mPVsEjVKzEEWbY468hs8ACW0dCfDtdZ0t+pigTav + /qPv9/r4v9HIQwbTPNUOonRkG8K6CrVAGBYp/YMkyD37lq/tYAIdTMiQGiPUiZkxwL7s + lt1RXGp8wVDWH+l+q+p6KfatPW33SiHKreRewhD5TNdAnJJoYZj2Pv7KptG5fOYPjLuL + wfXA== +X-Gm-Message-State: 
AKwxytffVAgZxP40EcMtIx4QyApN2moBm6E/alNPSsgQ+gufjBfpxn+h + xPuTZyHqqSBYHXVvAFX+K1/D9whZwM8VmE0XPsQ= +X-Google-Smtp-Source: ACJfBosk0gyKskCQv8jSZCnEsbfIhRAt9xnq+o4cmI3SUP5LlBNtFDZXxhOYTzcRYCDGl4hMU99PvFuSWFWS7k85tWk= +X-Received: by 10.159.53.240 with SMTP id u45mr4865870uad.18.1516286065142; + Thu, 18 Jan 2018 06:34:25 -0800 (PST) +MIME-Version: 1.0 +Sender: gmaxwell@gmail.com +Received: by 10.103.85.152 with HTTP; Thu, 18 Jan 2018 06:34:24 -0800 (PST) +In-Reply-To: <4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com> +References: <51280a45-f86b-3191-d55e-f34e880c1da8@satoshilabs.com> + <CAAS2fgRQk4EUp6FO2f+RkJpDTyZX0N4=uGp7ZF=0aUchZX8hSA@mail.gmail.com> + <4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com> +From: Gregory Maxwell <greg@xiph.org> +Date: Thu, 18 Jan 2018 14:34:24 +0000 +X-Google-Sender-Auth: 1Jy4hL5zMmObygi7eqSINyWa2vU +Message-ID: <CAAS2fgSw0mAQPJ-ai-3kFr7pWXd7pjbrEoXN4r6Ak3o4c8_vjw@mail.gmail.com> +To: =?UTF-8?Q?Ond=C5=99ej_Vejpustek?= <ondrej.vejpustek@satoshilabs.com> +Content-Type: text/plain; charset="UTF-8" +Content-Transfer-Encoding: quoted-printable +X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, + DKIM_VALID, FREEMAIL_FROM, + RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + smtp1.linux-foundation.org +Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org> +Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: 
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Thu, 18 Jan 2018 14:34:26 -0000 + +On Thu, Jan 18, 2018 at 1:50 PM, Ond=C5=99ej Vejpustek +<ondrej.vejpustek@satoshilabs.com> wrote: +> (1) Our proposal doesn't use SSS for the whole secret, but it divides +> the secret into bytes and uses SSS for every byte separately. This +> scheme is weaker because to reconstruct n-th byte it suffices to have +> n-th bytes from k shares. + +If being secure against partial share leakage is really part of your +threat model the current proposal is gratuitously insecure against it. +And the choice of check algorithm really doesn't matter for that. + +For example, in a 2-of-3 share say I have the first half of shares +1,2 and the second half of shares 2,3 with the current proposal the +secret is directly revealed, even though I didn't have any single +complete share. + +If partial share disclosure were an actual concern, I would recommend +that after sharing and before encoding for transmission (e.g. before +applying check values and word encoding to the share) the individual +shares be passed through a large block unkeyed cryptographic +permutation. Under reasonable-ish assumptions about the difficulty of +inverting the permutation with partial knowledge, this transformation +would prevent attacks from leaks of partial share information. + |
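As an added example, not code from the original post, from SatoshiLabs or from Gregory Maxwell: a toy byte-wise 2-of-3 Shamir split over GF(2^8) that reproduces the leak Maxwell describes (first half of shares 1 and 2 plus second half of shares 2 and 3 yields the whole secret, with no complete share held), followed by a toy unkeyed wide-block permutation applied to each share as a stand-in for the countermeasure he suggests. The field polynomial, the hash-based Feistel construction, every function name and the sample secret are this example's own assumptions.

```python
# Added illustration, not SatoshiLabs' or Maxwell's code: byte-wise 2-of-3 Shamir
# over GF(2^8) plus a toy unkeyed wide-block permutation.  Field, Feistel design,
# names and the sample secret are this example's own assumptions.
import hashlib
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """a^-1 == a^254 in GF(2^8), for a != 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_secret(secret, k, n):
    """Byte-wise SSS as in the quoted proposal: each byte gets its own random
    degree-(k-1) polynomial; share i (x = i, 1-based) collects the evaluations."""
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in range(1, n + 1):
            y, xp = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            shares[x - 1].append(y)
    return [bytes(sh) for sh in shares]

def recover_byte(points):
    """Lagrange interpolation at x = 0 over GF(2^8) from k (x, y) points."""
    s = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                den = gf_mul(den, xi ^ xj)  # (xi - xj)
        s ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return s

def recover_from_fragments(fragments, k, length):
    """fragments: (share_index, offset, bytes) pieces.  Every byte position is
    shared independently, so position p is recovered once any k fragments cover p."""
    have = [dict() for _ in range(length)]
    for idx, start, frag in fragments:
        for off, y in enumerate(frag):
            have[start + off][idx] = y
    out = bytearray()
    for pos in range(length):
        if len(have[pos]) < k:
            raise ValueError(f"byte {pos} is covered by fewer than {k} shares")
        out.append(recover_byte(list(have[pos].items())[:k]))
    return bytes(out)

def wide_permute(block, inverse=False, rounds=4):
    """Toy unkeyed wide-block permutation (balanced Feistel, SHA-256 round
    function) standing in for the one the post recommends; not a vetted design."""
    h = len(block) // 2
    assert 2 * h == len(block) and h <= 32, "even length up to 64 bytes only"
    left, right = bytes(block[:h]), bytes(block[h:])
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    f = lambda r, half: hashlib.sha256(bytes([r]) + half).digest()[:h]
    if not inverse:
        for r in range(rounds):
            left, right = right, xor(left, f(r, right))
    else:
        for r in reversed(range(rounds)):
            left, right = xor(right, f(r, left)), left
    return left + right

def leak_halves(shares):
    """Attacker's view from the post: first half of shares 1, 2; second half of 2, 3."""
    h = len(shares[0]) // 2
    return [(1, 0, shares[0][:h]), (2, 0, shares[1][:h]),
            (2, h, shares[1][h:]), (3, h, shares[2][h:])]

def demo(secret=b"sample secret 16"):  # constructed sample, not a real key
    """Returns (leak_recovers_plain, leak_recovers_permuted, whole_shares_ok)."""
    shares = split_secret(secret, 2, 3)
    plain = recover_from_fragments(leak_halves(shares), 2, len(secret)) == secret
    perm = [wide_permute(s) for s in shares]
    # Interpolating fragments of permuted shares yields garbage ...
    permuted = recover_from_fragments(leak_halves(perm), 2, len(secret)) == secret
    # ... while two whole shares, un-permuted first, still recover the secret.
    whole = [(1, 0, wide_permute(perm[0], inverse=True)),
             (3, 0, wide_permute(perm[2], inverse=True))]
    return plain, permuted, recover_from_fragments(whole, 2, len(secret)) == secret
```

`demo()` returns `(True, False, True)`: the leaked halves reconstruct the plain byte-wise shares outright, the same halves of permuted shares interpolate to garbage, and two whole permuted shares still work once inverted. The four-round hash Feistel is only there to make the structural point; whether partial knowledge of a real wide-block permutation's output is hard to invert is exactly the assumption the post flags, and the check values and word encoding the post mentions would be applied after this step, outside the permutation.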