Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 7D050E43 for ; Thu, 18 Jan 2018 14:34:26 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-ua0-f193.google.com (mail-ua0-f193.google.com [209.85.217.193]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id F25645AC for ; Thu, 18 Jan 2018 14:34:25 +0000 (UTC) Received: by mail-ua0-f193.google.com with SMTP id z47so15692166uac.0 for ; Thu, 18 Jan 2018 06:34:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=G17TaBSXsRC5VG9yLWsq5CkCSEd9gRzFPUsPOM+Y1bY=; b=fG1T9EJxwzzf4E7qu+tAQYeLI1xmjleEcssCEyZHWAWUkdRuDbciJggiG0O2DGboGy 2DQ+GCH9JAhpw1m+sPcEQtXeUqy/FWNw39KxCZY8AlQf3Kp3T9oXy3BF0sNE8OlSsGfj 8BEVPUwivuSQxDfAKUjJFXxhUTqZUH6Hl6uEC1huWge8ICS3g+TdJouQqY4ceaGN53ZI GpZYecrAsMtkKm/2OmivAgNM203zMy7x6ZY7Rxq3Mc9qw/G9MoD0L2NRpidm0pYv89DI e0HzjwgiUTL9ysk1z2BAdVA52HoHkPdOt5cfD5atONRCoNPnOBh9MCofU1CTeYKPNzjE RQ/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=G17TaBSXsRC5VG9yLWsq5CkCSEd9gRzFPUsPOM+Y1bY=; b=Ijtm6vaIbE3JR1nr4kqgE24zdOXhspOBmNWh3haeVW6OeoJWBf//Y1sEwfyBJ5LRBF MT7Y9Z2NkKRn7FYMm12mRLHy+fAq+4fEtZhrRKtXMtWEnYlCkhhB87fKGUZc/Mp0kw9V h0weqqyHV6sclglvqBivBID9B489mPVsEjVKzEEWbY468hs8ACW0dCfDtdZ0t+pigTav /qPv9/r4v9HIQwbTPNUOonRkG8K6CrVAGBYp/YMkyD37lq/tYAIdTMiQGiPUiZkxwL7s lt1RXGp8wVDWH+l+q+p6KfatPW33SiHKreRewhD5TNdAnJJoYZj2Pv7KptG5fOYPjLuL wfXA== X-Gm-Message-State: AKwxytffVAgZxP40EcMtIx4QyApN2moBm6E/alNPSsgQ+gufjBfpxn+h xPuTZyHqqSBYHXVvAFX+K1/D9whZwM8VmE0XPsQ= X-Google-Smtp-Source: ACJfBosk0gyKskCQv8jSZCnEsbfIhRAt9xnq+o4cmI3SUP5LlBNtFDZXxhOYTzcRYCDGl4hMU99PvFuSWFWS7k85tWk= X-Received: by 10.159.53.240 with SMTP id u45mr4865870uad.18.1516286065142; Thu, 18 Jan 2018 06:34:25 -0800 (PST) MIME-Version: 1.0 Sender: gmaxwell@gmail.com Received: by 10.103.85.152 with HTTP; Thu, 18 Jan 2018 06:34:24 -0800 (PST) In-Reply-To: <4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com> References: <51280a45-f86b-3191-d55e-f34e880c1da8@satoshilabs.com> <4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com> From: Gregory Maxwell Date: Thu, 18 Jan 2018 14:34:24 +0000 X-Google-Sender-Auth: 1Jy4hL5zMmObygi7eqSINyWa2vU Message-ID: To: =?UTF-8?Q?Ond=C5=99ej_Vejpustek?= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Jan 2018 14:34:26 -0000 On Thu, Jan 18, 2018 at 1:50 PM, Ond=C5=99ej Vejpustek wrote: > (1) Our proposal doesn't use SSS for the whole secret, but it divides > the secret into bytes and uses SSS for every byte separately. This > scheme is weaker because to reconstruct n-th byte it suffices to have > n-th bytes from k shares. If being secure against partial share leakage is really part of your threat model the current proposal is gratuitously insecure against it. And the choice of check algorithm really doesn't matter for that. For example, in a 2-of-3 share say I have the first half of shares 1,2 and the second half of shares 2,3 with the current proposal the secret is directly revealed, even though I didn't have any single complete share. If partial share disclosure were an actual concern, I would recommend that after sharing and before encoding for transmission (e.g. before applying check values and word encoding to the share) the individual shares be passed through a large block unkeyed cryptographic permutation. Under reasonable-ish assumptions about the difficulty of inverting the permutation with partial knowledge, this transformation would prevent attacks from leaks of partial share information.