From: Tamas Blummer <tamas@bitsofproof.com>
In-Reply-To: <4676777.MQU5AqByQt@crushinator>
Date: Sat, 29 Mar 2014 18:37:44 +0100
Message-Id: <2F5F0459-B7D7-438C-A617-D116402F02BE@bitsofproof.com>
References: <1878927.J1e3zZmtIP@crushinator>
	<AA48C372-6735-40E4-A8AF-264576F86BB1@bitsofproof.com>
	<4676777.MQU5AqByQt@crushinator>
To: Matt Whitlock <bip@mattwhitlock.name>
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys



I had Matt's answer already, see below, but then I recognized that the group was not cc:-d, so I repeat:

It would help on the user interface to include into individual shares:

1. Number of shares needed
2. A few bytes fingerprint of the secret so shares that likely belong together can be identified.

I wonder how others weigh security vs. usability in these questions.

Regards,

Tamas Blummer
http://bitsofproof.com

On Saturday, 29 March 2014, at 6:22 pm, Tamas Blummer wrote:
> It might make sense to store the number of shares needed. I know it is not needed by math, but could help on user interface to say,
> you need x more shares..

I intentionally omitted that information because it's a security risk. If an adversary gains control of one share and can see exactly how many more shares he needs, he may be able to plan a better attack. If he is clueless about how many shares he needs, then he may not be able to execute an attack at all because he may not know whether his information about what shares exist and where is complete.

On 29.03.2014, at 17:54, Matt Whitlock <bip@mattwhitlock.name> wrote:

> On Saturday, 29 March 2014, at 9:44 am, Tamas Blummer wrote:
>> I used Shamir's Secret Sharing to decompose a seed for a BIP32 master key, that is I think more future relevant than a single key.
>> Therefore suggest to adapt the BIP for a length used there typically 16 or 32 bytes and have a magic code to indicate its use as key vs. seed.
>
> I have expanded the BIP so that it additionally applies to BIP32 master seeds of sizes 128, 256, and 512 bits.
>
> https://github.com/whitslack/btctool/blob/bip/bip-xxxx.mediawiki
>
> The most significant change versus the previous version is how the coefficients of the polynomials are constructed. Previously they were SHA-256 digests. Now they are SHA-512 digests, modulo a prime number that is selected depending on the size of the secret.
>
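Editor's worked example, added here and not code from the BIP draft, btctool or either poster: Shamir sharing of a 128- or 256-bit seed over a prime field, with polynomial coefficients taken as SHA-512 digests reduced modulo a prime chosen by secret size (as Matt describes), and with each share carrying the two fields Tamas proposes, the threshold and a short fingerprint of the secret, plus the "you need x more shares" and grouping helpers those fields make possible. The primes, the exact hash input (a random salt, the secret and the coefficient index), the 4-byte SHA-256 fingerprint, the share layout and all function names are this example's own assumptions; the thread does not state what the BIP hashes or which primes it uses.

```python
# Shamir's Secret Sharing over GF(p) with per-share metadata.  Added example;
# the primes, hash input, share layout and fingerprint are assumptions.
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

# One prime just above 2**bits per secret size (assumption, not the BIP's
# table), so every secret of that size is a field element.  2**128 + 51 and
# 2**256 + 297 are the smallest primes above those powers of two; a 512-bit
# seed would need a third entry.
PRIMES = {128: 2**128 + 51, 256: 2**256 + 297}
FINGERPRINT_LEN = 4  # bytes of SHA-256(secret) carried in each share


@dataclass(frozen=True)
class Share:
    x: int              # evaluation point, 1..255
    threshold: int      # k, the "number of shares needed" field
    fingerprint: bytes  # short hash of the secret, for grouping shares
    y: int              # f(x) mod p


def fingerprint(secret: bytes) -> bytes:
    return hashlib.sha256(secret).digest()[:FINGERPRINT_LEN]


def _coefficient(salt: bytes, secret: bytes, i: int, p: int) -> int:
    """a_i = SHA-512(salt || secret || i) mod p.

    A 512-bit digest is far wider than a 256-bit prime, so the reduction is
    close to uniform.  The random salt makes two splits of the same secret
    differ (assumption; the thread does not say what the BIP hashes).
    """
    h = hashlib.sha512(salt + secret + i.to_bytes(2, "big")).digest()
    return int.from_bytes(h, "big") % p


def split(secret: bytes, k: int, n: int) -> list[Share]:
    """Split `secret` into n shares of which any k recover it."""
    p = PRIMES[len(secret) * 8]  # KeyError for unsupported sizes
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    salt = secrets.token_bytes(32)
    # f(x) = a_0 + a_1 x + ... + a_{k-1} x^{k-1}, with a_0 = the secret
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [_coefficient(salt, secret, i, p) for i in range(1, k)]
    fp = fingerprint(secret)
    shares = []
    for x in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):  # Horner's rule
            y = (y * x + a) % p
        shares.append(Share(x, k, fp, y))
    return shares


def missing(shares: list[Share]) -> int:
    """How many more shares the UI should ask for (0 when enough)."""
    return max(0, shares[0].threshold - len({s.x for s in shares}))


def group_by_fingerprint(shares: list[Share]) -> dict[bytes, list[Share]]:
    """Sort a mixed bag of shares into piles that likely belong together."""
    groups: dict[bytes, list[Share]] = {}
    for s in shares:
        groups.setdefault(s.fingerprint, []).append(s)
    return groups


def recover(shares: list[Share], bits: int) -> bytes:
    """Lagrange-interpolate f(0) from k shares of a `bits`-bit secret."""
    p = PRIMES[bits]
    if not shares:
        raise ValueError("no shares")
    k, fp = shares[0].threshold, shares[0].fingerprint
    if any(s.threshold != k or s.fingerprint != fp for s in shares):
        raise ValueError("shares carry different metadata: mixed secrets?")
    if len({s.x for s in shares}) != len(shares):
        raise ValueError("duplicate share")
    if missing(shares):
        raise ValueError(f"need {missing(shares)} more share(s)")
    pts = shares[:k]
    s = 0
    for i, si in enumerate(pts):
        num = den = 1
        for j, sj in enumerate(pts):
            if i != j:
                num = num * (-sj.x) % p
                den = den * (si.x - sj.x) % p
        s = (s + si.y * num * pow(den, -1, p)) % p
    if s >= 1 << bits:
        raise ValueError("value outside the secret's range: bad shares")
    secret = s.to_bytes(bits // 8, "big")
    if fingerprint(secret) != fp:
        raise ValueError("fingerprint mismatch: wrong or corrupted share")
    return secret
```

Two caveats worth keeping in view when weighing the trade-off Tamas raises. The `threshold` field is exactly the information Matt argues against carrying: anyone holding one share reads k directly. The fingerprint is a hash, so it does not reveal bits of a random 128-bit seed, but it does give a share holder a cheap check of a candidate secret, which matters if the secret is low-entropy. Note also that reconstruction here needs the secret size from outside the shares (the `bits` argument); the magic code Tamas suggests would carry that in the share itself.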


