path: root/3b/6e5749280a7e4459e9c7717655b88c63822963
blob: b6f4c3f15d26d03bde17e08c376de2a261ef13a4 (plain)
Return-Path: <gmaxwell@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 29B5F107D
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 18 Jan 2018 18:58:17 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ua0-f174.google.com (mail-ua0-f174.google.com
	[209.85.217.174])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 9737FE7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 18 Jan 2018 18:58:16 +0000 (UTC)
Received: by mail-ua0-f174.google.com with SMTP id t6so14752145ual.7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 18 Jan 2018 10:58:16 -0800 (PST)
MIME-Version: 1.0
Sender: gmaxwell@gmail.com
Received: by 10.103.85.152 with HTTP; Thu, 18 Jan 2018 10:58:14 -0800 (PST)
In-Reply-To: <d6eb0fc3-d729-30cb-986b-b1d7b8aacbd6@satoshilabs.com>
References: <51280a45-f86b-3191-d55e-f34e880c1da8@satoshilabs.com>
	<CAAS2fgRQk4EUp6FO2f+RkJpDTyZX0N4=uGp7ZF=0aUchZX8hSA@mail.gmail.com>
	<4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com>
	<CAAS2fgSw0mAQPJ-ai-3kFr7pWXd7pjbrEoXN4r6Ak3o4c8_vjw@mail.gmail.com>
	<d6eb0fc3-d729-30cb-986b-b1d7b8aacbd6@satoshilabs.com>
From: Gregory Maxwell <greg@xiph.org>
Date: Thu, 18 Jan 2018 18:58:14 +0000
Message-ID: <CAAS2fgQtf_LDDcWDmvM+kjPCSqaQVwVd2rKWVtho4-XSAHpJZQ@mail.gmail.com>
To: =?UTF-8?Q?Ond=C5=99ej_Vejpustek?= <ondrej.vejpustek@satoshilabs.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2018 18:58:17 -0000

On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek
<ondrej.vejpustek@satoshilabs.com> wrote:
>> If being secure against partial share leakage is really part of your
>> threat model the current proposal is gratuitously insecure against it.
>
> I don't think that is true. Shared secret is an input of KDF which
> should prevent this kind of attack.

My post provided a concrete example. I'd be happy to answer any
questions about it, but otherwise I'm not sure how to make it more
clear.

> Actually, we've been considering something like that. We concluded that it
> is too much "rolling your own crypto". Instead of a diffusion layer we
> decided to apply a KDF on the shared secret.

Quite the opposite-- a large block cipher is a standard
construction... and the off-label application of a KDF that you've
used here doesn't provide any protection against the example I gave.
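As an added illustration of the point under discussion (it is not Maxwell's concrete example, which this message does not reproduce, nor SatoshiLabs code): a minimal byte-wise Shamir sharing over GF(2^8) shows that every byte position of the secret is shared by its own independent polynomial, so the first k bytes of any t shares reconstruct exactly the first k bytes of the secret, and a KDF applied only after reconstruction receives that already-exposed prefix as part of its input. PBKDF2 with a constructed salt is assumed here as a stand-in for whatever KDF the scheme uses.

```python
import os
import hashlib

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1: p ^= a
        a, b = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF, b >> 1
    return p

def gf_inv(a):
    """a^254 == a^-1 in GF(2^8) for a != 0."""
    r = 1
    for _ in range(254): r = gf_mul(r, a)
    return r

def split(secret, t, n, rand=os.urandom):
    """Share each byte of `secret` independently under a random degree t-1 polynomial."""
    bufs = {x: bytearray() for x in range(1, n + 1)}
    for s in secret:
        coeffs = [s] + list(rand(t - 1))   # constant term is the secret byte
        for x, buf in bufs.items():
            y, xp = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in bufs.items()]

def reconstruct(shares):
    """Lagrange interpolation at x=0, one byte position at a time: any common
    prefix of t shares yields the same prefix of the secret, nothing more."""
    lam = []
    for xj, _ in shares:
        num = den = 1
        for xk, _ in shares:
            if xk != xj:
                num, den = gf_mul(num, xk), gf_mul(den, xj ^ xk)
        lam.append(gf_mul(num, gf_inv(den)))
    out = bytearray()
    for i in range(min(len(y) for _, y in shares)):
        acc = 0
        for (_, yj), lj in zip(shares, lam):
            acc ^= gf_mul(yj[i], lj)
        out.append(acc)
    return bytes(out)

def leaked_prefix(shares, k):
    """What the first k bytes of t shares expose: the first k bytes of the secret."""
    return reconstruct([(x, y[:k]) for x, y in shares])

def kdf(master):
    """Stand-in KDF (assumption): it runs on the reconstructed secret, so a
    prefix already learned from partial shares is simply part of its input."""
    return hashlib.pbkdf2_hmac("sha256", master, b"constructed-salt", 10_000)
```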