> If being secure against partial share leakage is really part of your
> threat model the current proposal is gratuitously insecure against it.

I don't think that is true. The shared secret is an input of the KDF, which
should prevent this kind of attack.

> If partial share disclosure were an actual concern, I would recommend
> that after sharing and before encoding for transmission (e.g. before
> applying check values and word encoding to the share) the individual
> shares be passed through a large block unkeyed cryptographic
> permutation.  Under reasonable-ish assumptions about the difficulty of
> inverting the permutation with partial knowledge, this transformation
> would prevent attacks from leaks of partial share information.

Actually, we've been considering something like that. We concluded that
it is too much "rolling your own crypto". Instead of a diffusion layer we
decided to apply a KDF to the shared secret.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
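As an added example (not code from this thread, the proposal, or any project), the construction the reply describes: byte-wise Shamir sharing over GF(256), with a KDF applied to the recovered shared secret. It assumes the sharing is byte-wise over GF(256) with the AES reduction polynomial and stands in PBKDF2-HMAC-SHA256 with an illustrative salt for the KDF; threshold, share count and the sample secret are constructed for the example. `partial_leak_recovers_positions` shows what leaking the same byte positions from a threshold set of shares yields for the pre-KDF secret, the partial-share case the quoted text raises; the KDF output itself is only computable from the full secret.

```python
"""
Added example, not the thread's or any project's code: byte-wise Shamir
sharing over GF(256) followed by a KDF on the recovered secret.
Assumptions: AES polynomial 0x11b for GF(256); PBKDF2-HMAC-SHA256 with an
illustrative salt as the KDF; threshold/count/secret values are constructed.
"""
import hashlib
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8): a^254 == a^-1."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, threshold: int, count: int, rng=secrets.randbits):
    """Return [(x, share_bytes)]. Every byte of the secret is shared with its
    own random polynomial of degree threshold-1, evaluated at x = 1..count."""
    if not 1 <= threshold <= count <= 255:
        raise ValueError("need 1 <= threshold <= count <= 255")
    polys = [[s] + [rng(8) for _ in range(threshold - 1)] for s in secret]
    shares = []
    for x in range(1, count + 1):
        share = bytearray()
        for poly in polys:
            y = 0
            for c in reversed(poly):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            share.append(y)
        shares.append((x, bytes(share)))
    return shares


def recover_byte(points):
    """Lagrange interpolation at x = 0 for one byte position; points = [(x, y)].
    In characteristic 2, (0 - xj) == xj and (xi - xj) == xi ^ xj."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)
                den = gf_mul(den, xi ^ xj)
        result ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return result


def recover_secret(shares) -> bytes:
    """Recombine a threshold set of shares into the shared (pre-KDF) secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    length = len(shares[0][1])
    if any(len(s) != length for _, s in shares):
        raise ValueError("share lengths differ")
    return bytes(recover_byte([(x, s[i]) for x, s in shares]) for i in range(length))


def derive_key(master_secret: bytes, salt: bytes = b"example-salt", iterations: int = 10000) -> bytes:
    """The KDF step from the reply: the shared secret is an input to a KDF.
    PBKDF2-HMAC-SHA256 and the salt are stand-ins chosen for this example."""
    return hashlib.pbkdf2_hmac("sha256", master_secret, salt, iterations, 32)


def partial_leak_recovers_positions(shares, positions):
    """Given the same byte positions leaked from a threshold set of shares,
    return the corresponding bytes of the pre-KDF secret. Because each byte
    position is shared independently, no other bytes are needed."""
    return {i: recover_byte([(x, s[i]) for x, s in shares]) for i in positions}


if __name__ == "__main__":
    secret = bytes(range(16))           # constructed sample secret
    shares = split_secret(secret, threshold=3, count=5)
    assert recover_secret(shares[:3]) == secret
    print("leaked positions:", partial_leak_recovers_positions(shares[1:4], [0, 5]))
    print("derived key:", derive_key(secret).hex())
```

Passing a seeded generator as `rng` (for instance `random.Random(1).getrandbits`) makes the shares reproducible for debugging; the default uses `secrets` for real randomness.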