Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1WW8Hb-0001nG-U8 for bitcoin-development@lists.sourceforge.net; Fri, 04 Apr 2014 17:52:04 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.217.175 as permitted sender) client-ip=209.85.217.175; envelope-from=gmaxwell@gmail.com; helo=mail-lb0-f175.google.com; Received: from mail-lb0-f175.google.com ([209.85.217.175]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1WW8Hb-00041c-14 for bitcoin-development@lists.sourceforge.net; Fri, 04 Apr 2014 17:52:03 +0000 Received: by mail-lb0-f175.google.com with SMTP id w7so2697033lbi.6 for ; Fri, 04 Apr 2014 10:51:56 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.152.235.3 with SMTP id ui3mr9610506lac.2.1396633916400; Fri, 04 Apr 2014 10:51:56 -0700 (PDT) Received: by 10.112.89.68 with HTTP; Fri, 4 Apr 2014 10:51:56 -0700 (PDT) In-Reply-To: <60732286.zdbbI6td0e@crushinator> References: <1888881.3JyvKYNUFa@crushinator> <60732286.zdbbI6td0e@crushinator> Date: Fri, 4 Apr 2014 10:51:56 -0700 Message-ID: From: Gregory Maxwell To: Matt Whitlock Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 2.4 (++) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 4.0 HK_SCAM_N2 BODY: HK_SCAM_N2 -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gmaxwell[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1WW8Hb-00041c-14 Cc: bitcoin-development Subject: Re: [Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 17:52:05 -0000 On Fri, Apr 4, 2014 at 10:16 AM, Matt Whitlock wrot= e: > Honestly, that sounds a lot more complicated than what I have now. I made= my current implementation because I just wanted something simple that woul= d let me divide a private key into shares for purposes of dissemination to = my next of kin et al. I suggest you go look at some of the other secret sharing implementations that use GF(2^8), they end up just being a couple of dozen lines of code. Pretty simple stuff, and they work efficiently for all sizes of data, there are implementations in a multitude of languages. There are a whole bunch of these. > I already have a fairly polished implementation of my BIP, and it's not w= ritten in a "very high-level language"; it's C++, and the parts that do the= big-integer arithmetic are basically C. I'm using the GMP library: very st= raightforward, very reliable, very fast. With respect for the awesome work that GMP is=E2=80=94 It's 250,000 lines = of LGPLed code. It's not just "pic microcontrollers" that would find that scale of a dependency unwelcome. > Do you have a use case in mind that would benefit from byte-wise operatio= ns rather than big-integer operations? I mean, I guess if you were trying t= o implement this BIP on a PIC microcontroller, it might be nice to process = the secret in smaller bites. (No pun intended.) But I get this feeling that= you're only pushing me away from the present incarnation of my proposal be= cause you think it's too similar (but not quite similar enough) to a thresh= old ECDSA key scheme. It lets you efficiently scale to any size data being encoded without extra overhead or having additional primes. It can be compactly implemented in Javascript (there are several implementations you can find if you google), it shouldn't be burdensome to implement on a device like a trezor (much less a real microcontroller). And yea, sure, it's distinct from the implementation you'd use for threshold signing. A threshold singing one would lack the size agility or the easy of implementation on limited devices. So I do think that if there is to be two it would be good to gain the advantages that can't be achieved in an threshold ECDSA compatible approach.