Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted:2018-01-18
📝 Original message:On Thu, Jan 18, 2018 at 1:50 PM, Ondřej Vejpustek
<ondrej.vejpustek at satoshilabs.com> wrote:
> (1) Our proposal doesn't use SSS for the whole secret, but it divides
> the secret into bytes and uses SSS for every byte separately. This
> scheme is weaker because to reconstruct the n-th byte it suffices to have
> the n-th bytes from k shares.

If being secure against partial share leakage is really part of your
threat model, the current proposal is gratuitously insecure against it.
And the choice of check algorithm really doesn't matter for that.

For example, in a 2-of-3 share, say I have the first half of shares
1,2 and the second half of shares 2,3. With the current proposal the
secret is directly revealed, even though I didn't have any single
complete share.

If partial share disclosure were an actual concern, I would recommend
that after sharing and before encoding for transmission (e.g. before
applying check values and word encoding to the share) the individual
shares be passed through a large-block unkeyed cryptographic
permutation. Under reasonable-ish assumptions about the difficulty of
inverting the permutation with partial knowledge, this transformation
would prevent attacks from leaks of partial share information.
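The byte-wise sharing and the partial-leak recovery discussed in the message, as an added Python example (not Maxwell's or SatoshiLabs' code; the GF(2^8) field polynomial, the share indices and the constructed secret are assumptions). It takes the 2-of-3 scenario one step further by leaking thirds rather than halves from different share pairs, so that no single share is ever complete and the secret still comes back position by position.

```python
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) mod the AES polynomial x^8+x^4+x^3+x+1 (assumed field)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    r = 1
    for _ in range(254):  # a^254 == a^-1 for a != 0
        r = gf_mul(r, a)
    return r

def split_bytewise(secret: bytes, k: int, n: int) -> dict[int, bytes]:
    """Share each byte on its own: share i = (f_0(i), f_1(i), ...) for i = 1..n."""
    shares = {i: bytearray() for i in range(1, n + 1)}
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for i in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of f(i)
                y = gf_mul(y, i) ^ c
            shares[i].append(y)
    return {i: bytes(v) for i, v in shares.items()}

def interpolate_at_zero(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation of f(0) over GF(2^8) from (x, f(x)) points."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
        total ^= gf_mul(yj, gf_mul(num, gf_inv(den)))
    return total

def recover_from_fragments(frags: dict[int, dict[int, int]], length: int) -> bytes:
    """frags[share][pos] = leaked byte; each position is solved independently from any k bytes there."""
    pts = lambda p: [(i, f[p]) for i, f in frags.items() if p in f]
    return bytes(interpolate_at_zero(pts(p)) for p in range(length))

def demo_partial_leak(secret: bytes) -> bytes:
    """2-of-3 sharing; each third of the positions leaks from a different pair, so no share is complete."""
    shares = split_bytewise(secret, k=2, n=3)
    t = len(secret) // 3
    segments = [(range(0, t), (1, 2)), (range(t, 2 * t), (2, 3)), (range(2 * t, len(secret)), (1, 3))]
    leaked = {i: {p: shares[i][p] for positions, pair in segments if i in pair for p in positions} for i in (1, 2, 3)}
    return recover_from_fragments(leaked, len(secret))
```

Every share in `demo_partial_leak` is missing a third of its bytes, yet the full secret is recovered because each byte position is an independent 2-of-3 instance.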
Published at 2023-06-07 18:09:33