On Thu, Jan 18, 2018 at 1:50 PM, Ondřej Vejpustek <ondrej.vejpus...@satoshilabs.com> wrote:
> (1) Our proposal doesn't use SSS for the whole secret, but it divides
> the secret into bytes and uses SSS for every byte separately. This
> scheme is weaker because to reconstruct n-th byte it suffices to have
> n-th bytes from k shares.
If being secure against partial share leakage is really part of your threat model, the current proposal is gratuitously insecure against it, and the choice of check algorithm really doesn't matter for that. For example, in a 2-of-3 sharing, say I have the first half of shares 1 and 2 and the second half of shares 2 and 3: with the current proposal the secret is directly revealed, even though I didn't have any single complete share.

If partial share disclosure were an actual concern, I would recommend that after sharing and before encoding for transmission (e.g. before applying check values and word encoding to the share) the individual shares be passed through a large-block unkeyed cryptographic permutation. Under reasonable-ish assumptions about the difficulty of inverting the permutation with partial knowledge, this transformation would prevent attacks from leaks of partial share information.

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
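The half-share reconstruction described in the reply above, as an added Python example that is not code from the thread or from the proposal under discussion. It assumes per-byte Shamir over GF(256) with the AES polynomial, share x-coordinates 1..n, and a constructed secret; the per-byte independence is exactly what lets two half-shares per position recover the whole secret.

```python
import os

# Assumption: the thread names no field; GF(2^8) with the AES polynomial 0x11b is used here.
def gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = (a << 1) ^ (0x11b if a & 0x80 else 0), b >> 1
    return p
def gf_inv(a):  # brute force is adequate for a 256-element field
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)
def split_bytewise(secret, k, n):
    # Per-byte SSS as in the proposal: each byte gets its own random degree-(k-1) polynomial.
    shares = [bytearray() for _ in range(n)]
    for s in secret:
        coeffs = [s] + list(os.urandom(k - 1))
        for x in range(1, n + 1):
            y, xp = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            shares[x - 1].append(y)
    return [(x + 1, bytes(sh)) for x, sh in enumerate(shares)]
def interpolate_at_zero(points):
    # Lagrange interpolation at x = 0 over GF(256); points = [(x, y), ...]
    result = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
        result ^= gf_mul(yj, gf_mul(num, gf_inv(den)))
    return result
def recover_from_fragments(fragments, k, length):
    # fragments = [(share_x, offset, data)]; each byte position is recovered on its own.
    out = bytearray()
    for pos in range(length):
        pts = {x: d[pos - off] for x, off, d in fragments if off <= pos < off + len(d)}
        if len(pts) < k:
            return None  # some position is seen in fewer than k distinct shares
        out.append(interpolate_at_zero(list(pts.items())))
    return bytes(out)

def demo_partial_leak(secret=b"constructed test secret, 2-of-3"):
    # Constructed scenario from the mail: first half of shares 1,2 and second half of 2,3.
    (_, s1), (_, s2), (_, s3) = split_bytewise(secret, 2, 3)
    h = len(secret) // 2
    frags = [(1, 0, s1[:h]), (2, 0, s2[:h]), (2, h, s2[h:]), (3, h, s3[h:])]
    return recover_from_fragments(frags, 2, len(secret))
```

`demo_partial_leak()` returns the full secret although no complete share was ever held; a single whole share, by contrast, yields `None` for every position.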