Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

Makwa sites [1] https://bitcointalk.org/index.php?topic=311000.0 Seems like they independently rediscovered it. Adam On 23 January 2018 at 05:54, Ondřej Vejpustek via bitcoin-dev wrote: >> Yes, this scheme. >>

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

> Yes, this scheme. > https://bitcointalk.org/index.php?topic=311000.msg3342217#msg3342217 In addition to the scheme, I found out, that Makwa (https://www.bolet.org/makwa/), a hashing function which received a special recognition in the Password Hashing Competition, supports a delegation. In

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Mon, Jan 22, 2018 at 7:21 PM, Russell O'Connor wrote: > At this point, is it better just to use GF(2^256+n)? Is GF(2^256+n) going > to be that much slower than GF(2^8) that we care to make things this > complicated? (I honestly don't know the answer.) I expect it

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Thu, Jan 18, 2018 at 1:58 PM, Gregory Maxwell via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek > wrote: > >> If being secure against partial share leakage is really part of your > >> threat

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

> > My post provided a concrete example. I'd be happy to answer any > questions about it, but otherwise I'm not sure how to make it more > clear. My apologies, I didn't read it carefully. You are absolutely right. Our scheme doesn't protect against the scenario. > Quite the opposite-- a large

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

> If being secure against partial share leakage is really part of your > threat model the current proposal is gratuitously insecure against it. I don't think that is true. Shared secret is an input of KDF which should prevent this kind of attack. > If partial share disclosure were an actual

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

Thank you for your comments, Gregory and Russell! Gregory, thank you for you explanation of perfect secrecy, there is no need for that, however. I'm professional mathematician and cryptographer. > I read the above > as "these are similar because they are based on math"... They are based on

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Thu, Jan 18, 2018 at 1:50 PM, Ondřej Vejpustek wrote: > (1) Our proposal doesn't use SSS for the whole secret, but it divides > the secret into bytes and uses SSS for every byte separately. This > scheme is weaker because to reconstruct n-th byte it suffices

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

Or make it a part of your secret-split logic... Gotta love how fast GF(2^8) is: https://github.com/TheBlueMatt/shamirs/blob/master/main.c#L57 On January 17, 2018 3:31:44 PM UTC, Gregory Maxwell via bitcoin-dev wrote: >If the generalization isn't obvious,

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Wed, Jan 17, 2018 at 3:28 PM, Russell O'Connor via bitcoin-dev wrote: > it is impossible to break SSS. Obligatory repeated point: if the scheme being used actually is SSS and not a Shamir-Shaped-Sharing instead. This should go without mention by my

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

Hi Ondřej, 1. There is no similarity between SSS and RSA or any other public-key or symmetric crypto. SSS is effectively a one-time pad and is information-theoretically secure. 2. Even if there were a problem (which there cannot be, due to (1)), using error correcting codes and truncated hash

[bitcoin-dev] Satoshilabs secret shared private key scheme

The entropy argument is as follows: There is a rule of thumb which says it is safer plaintext to have low redundancy, see https://en.wikipedia.org/wiki/Redundancy_(information_theory), i. e. it's better to encrypt random or compressed data than natural language. This rule is based on Shannon's

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Tue, Jan 09, 2018 at 12:43:48PM +, Perry Gibson wrote: > >Trezor's "plausible deniability" scheme could very well result in you going > >to > >jail for lying to border security, because it's so easy for them to simply > >brute force alternate passwords based on your seeds. With that, they

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On 11/01/18 00:47, Gregory Maxwell wrote: > I believe that can be avoided by having the computer do somewhat more > work and checking the consistency after the fact. > > (or for decode time, having a check value under the encryption...) Can you describe these two methods more in detail? How

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On 09/01/18 16:12, Pavol Rusnak via bitcoin-dev wrote: > On 09/01/18 00:47, Gregory Maxwell wrote: >> Have you considered using blind host-delegated KDFs, where the KDF >> runs on the user's computer instead of the hardware wallet, but the >> computer doesn't learn anything about they keys? > >

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Mon, Jan 8, 2018 at 7:39 AM, Pavol Rusnak via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On 08/01/18 05:22, Gregory Maxwell wrote: > >> https://github.com/satoshilabs/slips/blob/master/slip-0039.md > > > > The 16-bit "checksum" based on sha2 seems pretty poor since basing >

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

Trezor's "plausible deniability" scheme could very well result in you going to jail for lying to border security, because it's so easy for them to simply brute force alternate passwords based on your seeds. With that, they have proof that you lied to customs, a serious offense. The passphrase

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Mon, Jan 08, 2018 at 07:40:38PM -0500, Rhavar via bitcoin-dev wrote: > I think you're under-appreciating how useful the "plausible deniability". > Someone I know was (solo) traveling to the United States when a border agent > asked her to unlocked her phone; thumbed through her apps, ended up

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

ach other. I will hypothesize that if one of my wallets was for something like buying stuff on dark markets there's simply no way anyone is going to ever know way you're going to be to tell short of some movie-plot level police effort. ​-Ryan ​ > Original Message ---- >Subject:

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Tue, Jan 09, 2018 at 09:26:17AM +1100, Ben Kloester wrote: > > This sounds very dangerous. As Gregory Maxwell pointed out, the key > derivation > > function is weak enough that passphrases could be easily brute forced > > So you are essentially imagining that a perpetrator will combine the >

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Mon, Jan 8, 2018 at 12:39 PM, Pavol Rusnak wrote: > On 08/01/18 05:22, Gregory Maxwell wrote: >>> https://github.com/satoshilabs/slips/blob/master/slip-0039.md > > Hey Gregory! > > Thanks for looking into the scheme. I appreciate your time! > >> This specification forces

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

> This sounds very dangerous. As Gregory Maxwell pointed out, the key derivation > function is weak enough that passphrases could be easily brute forced So you are essentially imagining that a perpetrator will combine the crypto-nerd fantasy (brute forcing the passphrase) *with* the 5-dollar

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Mon, Jan 08, 2018 at 02:00:17PM +0100, Pavol Rusnak wrote: > On 08/01/18 13:45, Peter Todd wrote: > > Can you explain _exactly_ what scenario the "plausible deniability" feature > > refers to? > > >

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On 2018-01-08 at 04:22:43 + Gregory Maxwell wrote: I'm happy to see that there is no obvious way to abuse this one as a brainwallet scheme! BIP 39 was designed to make brainwallets secure! If a user generates a weakling 12-word mnemonic from 16 tiny octets of entropy

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On 08/01/18 13:45, Peter Todd wrote: > Can you explain _exactly_ what scenario the "plausible deniability" feature > refers to? https://doc.satoshilabs.com/trezor-user/advanced_settings.html#multi-passphrase-encryption-hidden-wallets -- Best Regards / S pozdravom, Pavol "stick" Rusnak CTO,

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On Mon, Jan 08, 2018 at 01:39:20PM +0100, Pavol Rusnak via bitcoin-dev wrote: > > The construction also > > will silently result in the user getting a different private key if > > they enter the wrong passphrase-- which could lead to funds loss. > > Again, this is by design and it is main point

Re: [bitcoin-dev] Satoshilabs secret shared private key scheme

On 08/01/18 05:22, Gregory Maxwell wrote: >> https://github.com/satoshilabs/slips/blob/master/slip-0039.md Hey Gregory! Thanks for looking into the scheme. I appreciate your time! > This specification forces the key being used through a one way > function, -- so you cannot take a pre-existing

[bitcoin-dev] Satoshilabs secret shared private key scheme

On Sun, Jan 7, 2018 at 3:16 PM, Pavol Rusnak via bitcoin-dev wrote: > On 05/01/18 14:58, nullius via bitcoin-dev wrote: > I am currently drafting a new standard[1] which will allow also Shamir > Secret Scheme Splitting and there we disallow usage of a custom