Makwa sites [1] https://bitcointalk.org/index.php?topic=311000.0
Seems like they independently rediscovered it.
Adam
On 23 January 2018 at 05:54, Ondřej Vejpustek via bitcoin-dev
wrote:
>> Yes, this scheme.
>>
> Yes, this scheme.
> https://bitcointalk.org/index.php?topic=311000.msg3342217#msg3342217
In addition to the scheme, I found out, that Makwa
(https://www.bolet.org/makwa/), a hashing function which received a
special recognition in the Password Hashing Competition, supports a
delegation. In
On Mon, Jan 22, 2018 at 7:21 PM, Russell O'Connor
wrote:
> At this point, is it better just to use GF(2^256+n)? Is GF(2^256+n) going
> to be that much slower than GF(2^8) that we care to make things this
> complicated? (I honestly don't know the answer.)
I expect it
On Thu, Jan 18, 2018 at 1:58 PM, Gregory Maxwell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek
> wrote:
> >> If being secure against partial share leakage is really part of your
> >> threat
>
> My post provided a concrete example. I'd be happy to answer any
> questions about it, but otherwise I'm not sure how to make it more
> clear.
My apologies, I didn't read it carefully. You are absolutely right. Our
scheme doesn't protect against the scenario.
> Quite the opposite-- a large
> If being secure against partial share leakage is really part of your
> threat model the current proposal is gratuitously insecure against it.
I don't think that is true. Shared secret is an input of KDF which
should prevent this kind of attack.
> If partial share disclosure were an actual
Thank you for your comments, Gregory and Russell!
Gregory, thank you for you explanation of perfect secrecy, there is no
need for that, however. I'm professional mathematician and cryptographer.
> I read the above
> as "these are similar because they are based on math"...
They are based on
On Thu, Jan 18, 2018 at 1:50 PM, Ondřej Vejpustek
wrote:
> (1) Our proposal doesn't use SSS for the whole secret, but it divides
> the secret into bytes and uses SSS for every byte separately. This
> scheme is weaker because to reconstruct n-th byte it suffices
Or make it a part of your secret-split logic... Gotta love how fast GF(2^8) is:
https://github.com/TheBlueMatt/shamirs/blob/master/main.c#L57
On January 17, 2018 3:31:44 PM UTC, Gregory Maxwell via bitcoin-dev
wrote:
>If the generalization isn't obvious,
On Wed, Jan 17, 2018 at 3:28 PM, Russell O'Connor via bitcoin-dev
wrote:
> it is impossible to break SSS.
Obligatory repeated point: if the scheme being used actually is SSS
and not a Shamir-Shaped-Sharing instead. This should go without
mention by my
Hi Ondřej,
1. There is no similarity between SSS and RSA or any other public-key or
symmetric crypto. SSS is effectively a one-time pad and is
information-theoretically secure.
2. Even if there were a problem (which there cannot be, due to (1)), using
error correcting codes and truncated hash
The entropy argument is as follows:
There is a rule of thumb which says it is safer plaintext to have low
redundancy, see
https://en.wikipedia.org/wiki/Redundancy_(information_theory), i. e.
it's better to encrypt random or compressed data than natural language.
This rule is based on Shannon's
On Tue, Jan 09, 2018 at 12:43:48PM +, Perry Gibson wrote:
> >Trezor's "plausible deniability" scheme could very well result in you going
> >to
> >jail for lying to border security, because it's so easy for them to simply
> >brute force alternate passwords based on your seeds. With that, they
On 11/01/18 00:47, Gregory Maxwell wrote:
> I believe that can be avoided by having the computer do somewhat more
> work and checking the consistency after the fact.
>
> (or for decode time, having a check value under the encryption...)
Can you describe these two methods more in detail? How
On 09/01/18 16:12, Pavol Rusnak via bitcoin-dev wrote:
> On 09/01/18 00:47, Gregory Maxwell wrote:
>> Have you considered using blind host-delegated KDFs, where the KDF
>> runs on the user's computer instead of the hardware wallet, but the
>> computer doesn't learn anything about they keys?
>
>
On Mon, Jan 8, 2018 at 7:39 AM, Pavol Rusnak via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> On 08/01/18 05:22, Gregory Maxwell wrote:
> >> https://github.com/satoshilabs/slips/blob/master/slip-0039.md
>
>
> > The 16-bit "checksum" based on sha2 seems pretty poor since basing
>
Trezor's "plausible deniability" scheme could very well result in you going to
jail for lying to border security, because it's so easy for them to simply
brute force alternate passwords based on your seeds. With that, they have proof
that you lied to customs, a serious offense.
The passphrase
On Mon, Jan 08, 2018 at 07:40:38PM -0500, Rhavar via bitcoin-dev wrote:
> I think you're under-appreciating how useful the "plausible deniability".
> Someone I know was (solo) traveling to the United States when a border agent
> asked her to unlocked her phone; thumbed through her apps, ended up
ach other.
I will hypothesize that if one of my wallets was for something like buying
stuff on dark markets there's simply no way anyone is going to ever know way
you're going to be to tell short of some movie-plot level police effort.
-Ryan
> Original Message ----
>Subject:
On Tue, Jan 09, 2018 at 09:26:17AM +1100, Ben Kloester wrote:
> > This sounds very dangerous. As Gregory Maxwell pointed out, the key
> derivation
> > function is weak enough that passphrases could be easily brute forced
>
> So you are essentially imagining that a perpetrator will combine the
>
On Mon, Jan 8, 2018 at 12:39 PM, Pavol Rusnak wrote:
> On 08/01/18 05:22, Gregory Maxwell wrote:
>>> https://github.com/satoshilabs/slips/blob/master/slip-0039.md
>
> Hey Gregory!
>
> Thanks for looking into the scheme. I appreciate your time!
>
>> This specification forces
> This sounds very dangerous. As Gregory Maxwell pointed out, the key
derivation
> function is weak enough that passphrases could be easily brute forced
So you are essentially imagining that a perpetrator will combine the
crypto-nerd fantasy (brute forcing the passphrase) *with* the 5-dollar
On Mon, Jan 08, 2018 at 02:00:17PM +0100, Pavol Rusnak wrote:
> On 08/01/18 13:45, Peter Todd wrote:
> > Can you explain _exactly_ what scenario the "plausible deniability" feature
> > refers to?
>
>
>
On 2018-01-08 at 04:22:43 + Gregory Maxwell wrote:
I'm happy to see that there is no obvious way to abuse this one as a
brainwallet scheme!
BIP 39 was designed to make brainwallets secure! If a user generates a
weakling 12-word mnemonic from 16 tiny octets of entropy
On 08/01/18 13:45, Peter Todd wrote:
> Can you explain _exactly_ what scenario the "plausible deniability" feature
> refers to?
https://doc.satoshilabs.com/trezor-user/advanced_settings.html#multi-passphrase-encryption-hidden-wallets
--
Best Regards / S pozdravom,
Pavol "stick" Rusnak
CTO,
On Mon, Jan 08, 2018 at 01:39:20PM +0100, Pavol Rusnak via bitcoin-dev wrote:
> > The construction also
> > will silently result in the user getting a different private key if
> > they enter the wrong passphrase-- which could lead to funds loss.
>
> Again, this is by design and it is main point
On 08/01/18 05:22, Gregory Maxwell wrote:
>> https://github.com/satoshilabs/slips/blob/master/slip-0039.md
Hey Gregory!
Thanks for looking into the scheme. I appreciate your time!
> This specification forces the key being used through a one way
> function, -- so you cannot take a pre-existing
On Sun, Jan 7, 2018 at 3:16 PM, Pavol Rusnak via bitcoin-dev
wrote:
> On 05/01/18 14:58, nullius via bitcoin-dev wrote:
> I am currently drafting a new standard[1] which will allow also Shamir
> Secret Scheme Splitting and there we disallow usage of a custom
28 matches
Mail list logo