From: Tamas Blummer <tamas@bitsofproof.com>
To: Alan Reiner <etotheipi@gmail.com>
Date: Sat, 29 Mar 2014 19:16:28 +0100
In-Reply-To: <53370854.5050303@gmail.com>
Message-Id: <19FE9882-7FC2-4518-BD50-8818B059271B@bitsofproof.com>
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys

I also think that we can add usability features if the underlying secret remains well protected.
I do not think there is any reason to assume that the knowledge of the degree of the polynomial would aid an attacker.

Similarly a fingerprint of the secret, if it is unrelated to the hash used in the polynomial, should leak no useful information.

The length of such fingerprint (say 4 bytes) and the degree (1 byte) does not seem a big overhead for me.

Remember that the biggest obstacle of Bitcoin is usability not security.
Regards,

Tamas Blummer
http://bitsofproof.com

On 29.03.2014, at 18:52, Alan Reiner <etotheipi@gmail.com> wrote:

> On 03/29/2014 01:19 PM, Matt Whitlock wrote:
>> I intentionally omitted the parameter M (minimum subset size) from the shares because including it would give an adversary a vital piece of information. Likewise, including any kind of information that would allow a determination of whether the secret has been correctly reconstituted would give an adversary too much information. Failing silently when given incorrect shares or an insufficient number of shares is intentional.
>
> I do not believe this is a good tradeoff. It's basically obfuscation of
> something that is already considered secure at the expense of
> usability. It's much more important to me that the user understands
> what is in their hands (or their family members after they get hit by a
> bus), than to obfuscate the parameters of the secret sharing to provide
> a tiny disadvantage to an adversary who gets ahold of one.
>
> The fact that it fails silently is really all downside, not a benefit.
> If I have enough fragments, I can reconstruct the seed and see that it
> produces addresses with money. If not, I know I need more fragments.
> I'm much more concerned about my family having all the info they need to
> recover the money, than an attacker knowing that he needs two more
> fragments instead of which are well-secured anyway.
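The share layout Tamas argues for above (a 1-byte degree plus a 4-byte fingerprint of the secret that is unrelated to the polynomial), worked through as an added example; this is not code from the thread or from the BIP, and the field, the tag string and the share tuple layout are my own assumptions. It shows the two failure modes the thread argues about: without the header, recovery from too few or corrupt shares yields a wrong value silently; with it, the user gets a reason instead.

```python
import hashlib
import secrets

# Constructed example, not the BIP's own format: secrets are 256-bit integers
# shared over GF(P) with P the secp256k1 field prime (every Bitcoin private key
# is below it). A share is (degree, fingerprint, x, y); degree = threshold - 1.
P = 2**256 - 2**32 - 977
TAG = b"sss-secret-fingerprint"  # domain separation: unrelated to the polynomial

def fingerprint(secret: int) -> bytes:
    return hashlib.sha256(TAG + secret.to_bytes(32, "big")).digest()[:4]

def split(secret: int, m: int, n: int) -> list:
    """Produce n shares (degree, fingerprint, x, y); any m of them recover the secret."""
    assert 0 <= secret < P and 2 <= m <= n < 256
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    fp = fingerprint(secret)
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((m - 1, fp, x, y))
    return shares

def interpolate_at_zero(points: list) -> int:
    """Lagrange interpolation of f(0) over GF(P); with too few points it is wrong, but silently so."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover(shares: list) -> tuple:
    """Return (secret, "ok") or (None, reason): the header turns silent failure into a message."""
    degree, fp = shares[0][0], shares[0][1]
    if any(s[0] != degree or s[1] != fp for s in shares) or len({s[2] for s in shares}) < len(shares):
        return None, "mismatched or duplicate shares"
    if len(shares) < degree + 1:
        return None, f"need {degree + 1} shares, have {len(shares)}"
    secret = interpolate_at_zero([(x, y) for _, _, x, y in shares[: degree + 1]])
    if fingerprint(secret) != fp:
        return None, "reconstructed value does not match the fingerprint (corrupt share?)"
    return secret, "ok"
```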