1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
helo=mx.sourceforge.net)
by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <gmaxwell@gmail.com>) id 1WLHqn-00053u-Qc
for bitcoin-development@lists.sourceforge.net;
Wed, 05 Mar 2014 19:51:33 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.215.41 as permitted sender)
client-ip=209.85.215.41; envelope-from=gmaxwell@gmail.com;
helo=mail-la0-f41.google.com;
Received: from mail-la0-f41.google.com ([209.85.215.41])
by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1WLHqm-0002Y3-Lh
for bitcoin-development@lists.sourceforge.net;
Wed, 05 Mar 2014 19:51:33 +0000
Received: by mail-la0-f41.google.com with SMTP id gl10so1056948lab.14
for <bitcoin-development@lists.sourceforge.net>;
Wed, 05 Mar 2014 11:51:26 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.152.206.4 with SMTP id lk4mr3690lac.65.1394049086092; Wed,
05 Mar 2014 11:51:26 -0800 (PST)
Received: by 10.112.189.164 with HTTP; Wed, 5 Mar 2014 11:51:25 -0800 (PST)
In-Reply-To: <20140305193910.GA24917@tilt>
References: <CANEZrP25N7W_MeZin_pyVQP5pC8bt5yqJzTXt_tN1P6kWb5i2w@mail.gmail.com>
<53174F20.10207@gmail.com> <20140305193910.GA24917@tilt>
Date: Wed, 5 Mar 2014 11:51:25 -0800
Message-ID: <CAAS2fgR+q4fDs3JfX9az8b17Dk7VKjC3SxYja-2spwU-kM74fA@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -1.6 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(gmaxwell[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WLHqm-0002Y3-Lh
Cc: Bitcoin Development <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] New side channel attack that can recover
Bitcoin keys
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 19:51:34 -0000
On Wed, Mar 5, 2014 at 11:39 AM, Peter Todd <pete@petertodd.org> wrote:
> If you're following good practices you're not particularly vulneable to
> it, if at all, even if you make use of shared hosting. First of all you
> shouldn't be re-using addresses, which means you won't be passing that
> ~200 sig threshold.
>
> More important though is you shouldn't be using single factor Bitcoin
> addresses. Use n-of-m multisig instead and architect your system such
Both of these things have long been promoted as virtuous in part
because they increase robustness against this sort of thing.
But while I don't disagree with these things the reality is that many
people do not follow either of these piece of advice and following
them requires behavioral changes that will not be adopted quickly...
so I don't think that advice is especially useful.
And even if it were=E2=80=94, good security involves defense in depth, so
adding on top of them things like side-channel resistant signing is
important.
I haven't had a chance to sit down and think through it completely but
I believe oleganza's recent blind signature scheme for ECDSA may be
helpful (http://oleganza.com/blind-ecdsa-draft-v2.pdf):
The idea is that instead of (or in addition to=E2=80=94 belt and suspenders=
)
making the signing constant time, you use the blinding scheme to first
locally blind the private key and point being signed, then sign, then
unblind. This way even if you are reusing a key every signing
operation is handling different private data... and the only point
where unblinded private data is handled is a simple scalar addition.
|