From: Gregory Maxwell
Date: Thu, 18 Jan 2018 18:58:14 +0000
To: Ondřej Vejpustek
Cc: Bitcoin Dev
Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek wrote:
>> If being secure against partial share leakage is really part of your
>> threat model the current proposal is gratuitously insecure against it.
>
> I don't think that is true. Shared secret is an input of KDF which
> should prevent this kind of attack.

My post provided a concrete example. I'd be happy to answer any questions about it, but otherwise I'm not sure how to make it more clear.

> Actually, we've been considering something like that. We concluded that it is too much "rolling your own crypto". Instead of diffusion layer we decided to apply KDF on the shared secret.

Quite the opposite-- a large block cipher is a standard construction... and the off-label application of a KDF that you've used here doesn't provide any protection against the example I gave.
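To make the partial-share-leakage point concrete, here is an added example (not code from the thread, SatoshiLabs or Bitcoin Core) of byte-wise Shamir sharing over GF(2^8). It assumes, as byte-wise implementations do, one independent polynomial per secret byte, so the first few bytes of a threshold of shares reveal the same bytes of the master secret before any KDF is ever applied; a KDF run on the reconstructed secret only narrows the search to the bytes that were not leaked.

```python
# Added example, not code from the thread: byte-wise Shamir sharing over GF(2^8),
# assuming one independent polynomial per secret byte, as byte-wise code does.
import os
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r

def gf_inv(a):  # a^254 == a^-1 in GF(2^8), a != 0
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r
def split_bytewise(secret, t, n):
    """n shares (x, bytes) with threshold t; fresh random polynomial per byte."""
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + list(os.urandom(t - 1))  # constant term is the secret byte
        for i in range(n):
            y, xp = 0, 1
            for c in coeffs:  # evaluate the polynomial at x = i + 1
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, i + 1)
            shares[i].append(y)
    return [(i + 1, bytes(sh)) for i, sh in enumerate(shares)]

def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over GF(2^8) for [(x, y), ...]."""
    result = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = gf_mul(num, xj)
                den = gf_mul(den, xi ^ xj)
        result ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return result

def recover_prefix(partial_shares, prefix_len):
    """secret[:prefix_len] from only the first prefix_len bytes of >= t shares;
    a KDF on the reconstructed secret cannot help, these bytes are already known."""
    return bytes(interpolate_at_zero([(x, y[k]) for x, y in partial_shares])
                 for k in range(prefix_len))
```

A wide-block diffusion layer over the whole secret, which the thread contrasts with the KDF, would make each share byte depend on every secret byte, so a leaked prefix reveals nothing on its own.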