On Thu, Jan 18, 2018 at 1:58 PM, Gregory Maxwell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek
> <ondrej.vejpus...@satoshilabs.com> wrote:
> >> If being secure against partial share leakage is really part of your
> >> threat model the current proposal is gratuitously insecure against it.
> >
> > I don't think that is true. Shared secret is an input of KDF which
> > should prevent this kind of attack.
>
> My post provided a concrete example. I'd be happy to answer any
> questions about it, but otherwise I'm not sure how to make it more
> clear.
>
> > Actually, we've been considering something like that. We concluded that
> > it is too much "rolling your own crypto". Instead of a diffusion layer we
> > decided to apply KDF on the shared secret.
>
>
> Quite the opposite-- a large block cipher is a standard
> construction... and the off-label application of a KDF that you've
> used here doesn't provide any protection against the example I gave.
>

At this point, is it better just to use GF(2^256+n)?  Is GF(2^256+n) going
to be that much slower than GF(2^8) that we care to make things this
complicated?  (I honestly don't know the answer.)
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
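The "partial share leakage" point in the thread rests on how byte-wise Shamir over GF(2^8) is structured: every byte position of the secret is shared with its own independent polynomial, so any k shares' bytes at position i alone determine secret byte i, and a KDF applied afterwards to the recovered secret does not change what those bytes reveal. The following is an added example (not code from the thread, from Gregory Maxwell, or from SatoshiLabs) that implements a minimal split/recover over GF(2^8) with the AES reduction polynomial (an assumption; the proposal's exact field representation is not stated here) and shows that recovering from truncated shares yields the matching prefix of the secret.

```python
import secrets

# Minimal byte-wise Shamir secret sharing over GF(2^8), reduction polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11B, the AES polynomial; an assumption made here).

def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255) in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse of a nonzero element: a^(2^8 - 2) by square-and-multiply."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def split(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Split into n shares with threshold k; one random polynomial per byte."""
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in shares:
            y, xp = 0, 1
            for c in coeffs:          # evaluate the polynomial at x
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]

def recover_byte(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 for a single byte position."""
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)            # (0 - xj) == xj in char 2
                den = gf_mul(den, xi ^ xj)       # (xi - xj) == xi ^ xj
        acc ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return acc

def recover(shares: list[tuple[int, bytes]]) -> bytes:
    """Recover as many secret bytes as the (possibly truncated) shares carry."""
    length = min(len(s) for _, s in shares)
    return bytes(recover_byte([(x, s[i]) for x, s in shares]) for i in range(length))
```

Because each byte position is an independent sharing, `recover` on shares cut to their first four bytes returns exactly the first four bytes of the secret, which is why the thread contrasts this with a diffusion layer or a larger field where a partial share would not map onto a partial secret.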