Return-Path: <gmaxwell@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 7D050E43
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 18 Jan 2018 14:34:26 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ua0-f193.google.com (mail-ua0-f193.google.com
	[209.85.217.193])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id F25645AC
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 18 Jan 2018 14:34:25 +0000 (UTC)
Received: by mail-ua0-f193.google.com with SMTP id z47so15692166uac.0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 18 Jan 2018 06:34:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:sender:in-reply-to:references:from:date:message-id
	:subject:to:cc:content-transfer-encoding;
	bh=G17TaBSXsRC5VG9yLWsq5CkCSEd9gRzFPUsPOM+Y1bY=;
	b=fG1T9EJxwzzf4E7qu+tAQYeLI1xmjleEcssCEyZHWAWUkdRuDbciJggiG0O2DGboGy
	2DQ+GCH9JAhpw1m+sPcEQtXeUqy/FWNw39KxCZY8AlQf3Kp3T9oXy3BF0sNE8OlSsGfj
	8BEVPUwivuSQxDfAKUjJFXxhUTqZUH6Hl6uEC1huWge8ICS3g+TdJouQqY4ceaGN53ZI
	GpZYecrAsMtkKm/2OmivAgNM203zMy7x6ZY7Rxq3Mc9qw/G9MoD0L2NRpidm0pYv89DI
	e0HzjwgiUTL9ysk1z2BAdVA52HoHkPdOt5cfD5atONRCoNPnOBh9MCofU1CTeYKPNzjE
	RQ/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
	:date:message-id:subject:to:cc:content-transfer-encoding;
	bh=G17TaBSXsRC5VG9yLWsq5CkCSEd9gRzFPUsPOM+Y1bY=;
	b=Ijtm6vaIbE3JR1nr4kqgE24zdOXhspOBmNWh3haeVW6OeoJWBf//Y1sEwfyBJ5LRBF
	MT7Y9Z2NkKRn7FYMm12mRLHy+fAq+4fEtZhrRKtXMtWEnYlCkhhB87fKGUZc/Mp0kw9V
	h0weqqyHV6sclglvqBivBID9B489mPVsEjVKzEEWbY468hs8ACW0dCfDtdZ0t+pigTav
	/qPv9/r4v9HIQwbTPNUOonRkG8K6CrVAGBYp/YMkyD37lq/tYAIdTMiQGiPUiZkxwL7s
	lt1RXGp8wVDWH+l+q+p6KfatPW33SiHKreRewhD5TNdAnJJoYZj2Pv7KptG5fOYPjLuL
	wfXA==
X-Gm-Message-State: AKwxytffVAgZxP40EcMtIx4QyApN2moBm6E/alNPSsgQ+gufjBfpxn+h
	xPuTZyHqqSBYHXVvAFX+K1/D9whZwM8VmE0XPsQ=
X-Google-Smtp-Source: ACJfBosk0gyKskCQv8jSZCnEsbfIhRAt9xnq+o4cmI3SUP5LlBNtFDZXxhOYTzcRYCDGl4hMU99PvFuSWFWS7k85tWk=
X-Received: by 10.159.53.240 with SMTP id u45mr4865870uad.18.1516286065142;
	Thu, 18 Jan 2018 06:34:25 -0800 (PST)
MIME-Version: 1.0
Sender: gmaxwell@gmail.com
Received: by 10.103.85.152 with HTTP; Thu, 18 Jan 2018 06:34:24 -0800 (PST)
In-Reply-To: <4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com>
References: <51280a45-f86b-3191-d55e-f34e880c1da8@satoshilabs.com>
	<CAAS2fgRQk4EUp6FO2f+RkJpDTyZX0N4=uGp7ZF=0aUchZX8hSA@mail.gmail.com>
	<4003eed1-584f-9773-8cf9-6300ebd1eac6@satoshilabs.com>
From: Gregory Maxwell <greg@xiph.org>
Date: Thu, 18 Jan 2018 14:34:24 +0000
X-Google-Sender-Auth: 1Jy4hL5zMmObygi7eqSINyWa2vU
Message-ID: <CAAS2fgSw0mAQPJ-ai-3kFr7pWXd7pjbrEoXN4r6Ak3o4c8_vjw@mail.gmail.com>
To: =?UTF-8?Q?Ond=C5=99ej_Vejpustek?= <ondrej.vejpustek@satoshilabs.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2018 14:34:26 -0000

On Thu, Jan 18, 2018 at 1:50 PM, Ondřej Vejpustek
<ondrej.vejpustek@satoshilabs.com> wrote:
>   (1) Our proposal doesn't use SSS for the whole secret, but it divides
> the secret into bytes and uses SSS for every byte separately. This
> scheme is weaker because to reconstruct the n-th byte it suffices to have
> the n-th bytes from k shares.

If being secure against partial share leakage is really part of your
threat model, the current proposal is gratuitously insecure against it.
And the choice of check algorithm really doesn't matter for that.

For example, in a 2-of-3 sharing, say I have the first half of shares
1 and 2 and the second half of shares 2 and 3. With the current proposal
the secret is directly revealed, even though I didn't have any single
complete share.

If partial share disclosure were an actual concern, I would recommend
that after sharing and before encoding for transmission (e.g. before
applying check values and word encoding to the share) the individual
shares be passed through a large block unkeyed cryptographic
permutation.  Under reasonable-ish assumptions about the difficulty of
inverting the permutation with partial knowledge, this transformation
would prevent attacks from leaks of partial share information.
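
The leak described above, and the permutation fix proposed for it, worked through as an added example (this is not code from the thread, from the SatoshiLabs proposal, or from Gregory Maxwell). It assumes a byte-wise Shamir split over GF(2^8) with the AES reduction polynomial (the proposal's actual field and encoding are not given on this page), a constructed 16-byte secret, and the 2-of-3 scenario of the message: the first half of shares 1 and 2 plus the second half of shares 2 and 3. The "large block unkeyed cryptographic permutation" is stood in for by a 4-round Feistel over the whole share with SHAKE256 round functions; that construction is an assumption for illustration only, not a vetted design, and its resistance to inversion from partial knowledge is not analysed here.

```python
"""Byte-wise Shamir sharing over GF(2^8): the partial-share leak and the
permutation fix. Constructed example; field, parameters and secret are assumed."""
import hashlib
import os
# GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11b); the proposal's
# actual field is not given on the page, so this is an assumption.
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    r = 1
    for _ in range(254):  # a^254 == a^-1 (multiplicative group has order 255)
        r = gf_mul(r, a)
    return r

def split(secret, k, n, rng=os.urandom):
    """Share every byte independently: share x (x = 1..n) gets f_pos(x)."""
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + list(rng(k - 1))  # f(0) = s, random higher coefficients
        for x in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of f(x)
                y = gf_mul(y, x) ^ c
            shares[x - 1].append(y)
    return [bytes(sh) for sh in shares]

def recover_byte(points):
    """Lagrange interpolation at x = 0 from k (x, y) points (-x == x in char 2)."""
    s = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)
        s ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return s

def recover_from_fragments(fragments, length, k):
    """fragments: (x, start, bytes) pieces of share x. Each byte position needs
    only k fragments covering it; that is the weakness under discussion."""
    out = bytearray()
    for pos in range(length):
        pts = [(x, f[pos - st]) for x, st, f in fragments if st <= pos < st + len(f)]
        if len(pts) < k:
            raise ValueError(f"byte {pos} covered by {len(pts)} < {k} fragments")
        out.append(recover_byte(pts[:k]))
    return bytes(out)

# Illustrative "large block unkeyed permutation": 4-round Feistel over the whole
# share with SHAKE256 round functions. Assumed for demonstration; not a vetted
# construction and not necessarily the one Maxwell had in mind.
def _rf(i, data, n):
    return hashlib.shake_256(bytes([i]) + data).digest(n)

def wide_permute(block, rounds=4):
    a = len(block) // 2
    L, R = block[:a], block[a:]
    for i in range(rounds):
        L, R = R, bytes(x ^ y for x, y in zip(L, _rf(i, R, len(L))))
    return L + R

def wide_unpermute(block, rounds=4):
    a = len(block) // 2
    L, R = block[:a], block[a:]
    for i in reversed(range(rounds)):
        L, R = bytes(x ^ y for x, y in zip(R, _rf(i, L, len(R)))), L
    return L + R

SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed secret

def half_share_fragments(shares):
    """Maxwell's case: first half of shares 1 and 2, second half of shares 2 and 3."""
    h = len(shares[0]) // 2
    return [(1, 0, shares[0][:h]), (2, 0, shares[1][:h]),
            (2, h, shares[1][h:]), (3, h, shares[2][h:])]

def demo_partial_leak(secret=SECRET, k=2, n=3):
    """Raw byte-wise shares: the four half-shares reveal the whole secret."""
    frags = half_share_fragments(split(secret, k, n))
    return recover_from_fragments(frags, len(secret), k) == secret

def demo_permuted_fragments(secret=SECRET, k=2, n=3):
    """Same half-shares of permuted shares: interpolation gives garbage."""
    frags = half_share_fragments([wide_permute(s) for s in split(secret, k, n)])
    return recover_from_fragments(frags, len(secret), k) == secret

def demo_permuted_full_shares(secret=SECRET, k=2, n=3):
    """Holders of k complete permuted shares invert the permutation, then recover."""
    raw = [wide_unpermute(wide_permute(s)) for s in split(secret, k, n)[:k]]
    frags = [(x + 1, 0, raw[x]) for x in range(k)]
    return recover_from_fragments(frags, len(secret), k) == secret
```

`demo_partial_leak()` returns True: every byte position is covered by two fragments, so the whole secret interpolates without any complete share. `demo_permuted_fragments()` returns False: after each share has been passed through the wide permutation, the same four half-shares interpolate to noise, and the only thing the attacker can invert is share 2, which they hold in full, leaving them one share short of the threshold. `demo_permuted_full_shares()` returns True, showing that legitimate holders are unaffected as long as the inverse permutation is applied before interpolation; this is why the transform has to sit between sharing and the check-value/word encoding, as the message says.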