Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
	helo=mx.sourceforge.net)
	by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <natanael.l@gmail.com>) id 1WTz1W-00069z-Te
	for bitcoin-development@lists.sourceforge.net;
	Sat, 29 Mar 2014 19:34:34 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com
	designates 74.125.82.51 as permitted sender)
	client-ip=74.125.82.51; envelope-from=natanael.l@gmail.com;
	helo=mail-wg0-f51.google.com; 
Received: from mail-wg0-f51.google.com ([74.125.82.51])
	by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1WTz1W-00011C-1B
	for bitcoin-development@lists.sourceforge.net;
	Sat, 29 Mar 2014 19:34:34 +0000
Received: by mail-wg0-f51.google.com with SMTP id k14so4497217wgh.34
	for <bitcoin-development@lists.sourceforge.net>;
	Sat, 29 Mar 2014 12:34:27 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.37.178 with SMTP id z18mr2953746wij.46.1396121667795;
	Sat, 29 Mar 2014 12:34:27 -0700 (PDT)
Received: by 10.217.89.72 with HTTP; Sat, 29 Mar 2014 12:34:27 -0700 (PDT)
Received: by 10.217.89.72 with HTTP; Sat, 29 Mar 2014 12:34:27 -0700 (PDT)
In-Reply-To: <CAAt2M18j7bGDsKouVw+e4j+FMiJ4vK6-sx+nrkwHyiKLqiH7Jg@mail.gmail.com>
References: <CACsn0ckScTWG4YxNCscxvtdsmcUkxtR2Gi-rdBs2HCkirPz5rA@mail.gmail.com>
	<2135731.4HGHfZWzo5@crushinator> <53370C11.7040109@gmail.com>
	<1701822.mCYDUGhe8d@crushinator>
	<CAAt2M18j7bGDsKouVw+e4j+FMiJ4vK6-sx+nrkwHyiKLqiH7Jg@mail.gmail.com>
Date: Sat, 29 Mar 2014 20:34:27 +0100
Message-ID: <CAAt2M18bDAPHm_=+UjRe4x5wMRbd=xfLrhLtWbktceHxmn3_Zw@mail.gmail.com>
From: Natanael <natanael.l@gmail.com>
To: Matt Whitlock <bip@mattwhitlock.name>
Content-Type: multipart/alternative; boundary=e89a8f642e1e12849b04f5c3e8f6
X-Spam-Score: -0.6 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	(natanael.l[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.0 HTML_MESSAGE           BODY: HTML included in message
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WTz1W-00011C-1B
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Presenting a BIP for Shamir's Secret
 Sharing of Bitcoin private keys
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sat, 29 Mar 2014 19:34:35 -0000

--e89a8f642e1e12849b04f5c3e8f6
Content-Type: text/plain; charset=UTF-8

Den 29 mar 2014 19:15 skrev "Matt Whitlock" <bip@mattwhitlock.name>:
>
> On Saturday, 29 March 2014, at 2:08 pm, Alan Reiner wrote:
> > Regardless of how SSSS does it, I believe that obfuscating that
> > information is bad news from a usability perspective.  Undoubtedly,
> > users will make lots of backups of lots of wallets and think they
> > remember the M-parameter but don't.  They will accidentally mix in some
> > 3-of-5 fragments with their 2-of-4 not realizing they are incompatible,
> > or not able to distinguish them.   Or they'll distribute too many
> > thinking the threshold is higher and end up insecure, or possibly not
> > have enough fragments to restore their wallet thinking the M-value was
> > lower than it actually was.
> >
> > I just don't see the value in adding such complexity for the benefit of
> > obfuscating information an attacker might be able to figure out anyway
> > (most backups will be 2-of-N or 3-of-N) and can't act on anyway (because
> > he doesn't know where the other frags are and they are actually in
> > safe-deposit boxes)
>
> Okay, you've convinced me. However, it looks like the consensus here is
that my BIP is unneeded, so I'm not sure it would be worth the effort for
me to improve it with your suggestions.

I think it should be made an option (with the default being that the
threshold is given and verification is applied. There could certainly be a
few cases where the threshold is set high, you maybe don't have access to a
great enough variety of hiding spots or secure enough hiding spots, and you
want deter an attempt to find all the shares (with the idea being that the
risk of detection would be too high, in particular when you use tamper
evident seals). But for the majority it would be better to find a few
different safeboxes to put the shares in and rely on physical security.

--e89a8f642e1e12849b04f5c3e8f6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">Den 29 mar 2014 19:15 skrev &quot;Matt Whitlock&quot; &lt;<a=
 href=3D"mailto:bip@mattwhitlock.name">bip@mattwhitlock.name</a>&gt;:<br>
&gt;<br>
&gt; On Saturday, 29 March 2014, at 2:08 pm, Alan Reiner wrote:<br>
&gt; &gt; Regardless of how SSSS does it, I believe that obfuscating that<b=
r>
&gt; &gt; information is bad news from a usability perspective. =C2=A0Undou=
btedly,<br>
&gt; &gt; users will make lots of backups of lots of wallets and think they=
<br>
&gt; &gt; remember the M-parameter but don&#39;t. =C2=A0They will accidenta=
lly mix in some<br>
&gt; &gt; 3-of-5 fragments with their 2-of-4 not realizing they are incompa=
tible,<br>
&gt; &gt; or not able to distinguish them. =C2=A0 Or they&#39;ll distribute=
 too many<br>
&gt; &gt; thinking the threshold is higher and end up insecure, or possibly=
 not<br>
&gt; &gt; have enough fragments to restore their wallet thinking the M-valu=
e was<br>
&gt; &gt; lower than it actually was.<br>
&gt; &gt;<br>
&gt; &gt; I just don&#39;t see the value in adding such complexity for the =
benefit of<br>
&gt; &gt; obfuscating information an attacker might be able to figure out a=
nyway<br>
&gt; &gt; (most backups will be 2-of-N or 3-of-N) and can&#39;t act on anyw=
ay (because<br>
&gt; &gt; he doesn&#39;t know where the other frags are and they are actual=
ly in<br>
&gt; &gt; safe-deposit boxes)<br>
&gt;<br>
&gt; Okay, you&#39;ve convinced me. However, it looks like the consensus he=
re is that my BIP is unneeded, so I&#39;m not sure it would be worth the ef=
fort for me to improve it with your suggestions.</p>
<p dir=3D"ltr">I think it should be made an option (with the default being =
that the threshold is given and verification is applied. There could certai=
nly be a few cases where the threshold is set high, you maybe don&#39;t hav=
e access to a great enough variety of hiding spots or secure enough hiding =
spots, and you want deter an attempt to find all the shares (with the idea =
being that the risk of detection would be too high, in particular when you =
use tamper evident seals). But for the majority it would be better to find =
a few different safeboxes to put the shares in and rely on physical securit=
y. </p>


--e89a8f642e1e12849b04f5c3e8f6--