Ondřej Vejpustek [ARCHIVE] on Nostr
📅 Original date posted:2018-01-18
📝 Original message:
> If being secure against partial share leakage is really part of your
> threat model the current proposal is gratuitously insecure against it.

I don't think that is true. The shared secret is an input to the KDF, which
should prevent this kind of attack.
> If partial share disclosure were an actual concern, I would recommend
> that after sharing and before encoding for transmission (e.g. before
> applying check values and word encoding to the share) the individual
> shares be passed through a large block unkeyed cryptographic
> permutation. Under reasonable-ish assumptions about the difficulty of
> inverting the permutation with partial knowledge, this transformation
> would prevent attacks from leaks of partial share information.

Actually, we've been considering something like that. We concluded that
it is too much "rolling your own crypto". Instead of a diffusion layer, we
decided to apply a KDF to the shared secret.
Published at 2023-06-07 18:09:34
Event JSON
{
"id": "de50b0c53ff4ba84e3fa8b46a03a7b7bb3d22d8abc78ed975de25433868a2c01",
"pubkey": "4a985f597a05c21d6724a792c5a4e4728a3bbd5316878a898b545fafea059fcb",
"created_at": 1686161374,
"kind": 1,
"tags": [
[
"e",
"ac3c87f148ca764c85262d935c0d26818cde51a790aa045223a08240c1ff8e91",
"",
"root"
],
[
"e",
"d38d59a7912c7e23a4435d84d88462a4915610b1438eb1c76420641af3de3fd2",
"",
"reply"
],
[
"p",
"4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73"
]
],
"content": "📅 Original date posted:2018-01-18\n📝 Original message:\u003e If being secure against partial share leakage is really part of your\n\u003e threat model the current proposal is gratuitously insecure against it.\n\nI don't think that is true. Shared secret is an input of KDF which\nshould prevent this kind of attack.\n\n\u003e If partial share disclosure were an actual concern, I would recommend\n\u003e that after sharing and before encoding for transmission (e.g. before\n\u003e applying check values and word encoding to the share) the individual\n\u003e shares be passed through a large block unkeyed cryptographic\n\u003e permutation. Under reasonable-ish assumptions about the difficulty of\n\u003e inverting the permutation with partial knowledge, this transformation\n\u003e would prevent attacks from leaks of partial share information.\n\nActually, we've been considering something like that. We concluded that\nit is to much \"rolling your own crypto\". Instead of diffusion layer we\ndecided to apply KDF on the shared secret.",
"sig": "7ff5c7ebeac0eb374baed87186eca03086fb1478d17e803077bb8732bf28ac2b118b8ff9368ffd55ac047976ea634e2914e6815d6241b49270c455bf68c562af"
}
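As an added example (not code from the original thread, and not the SLIP-39 implementation the message refers to), the following Python splits a secret byte-wise with Shamir's scheme over GF(2^8), shows what an attacker learns from k-1 full shares plus a prefix of one more share, and then applies a KDF stand-in to the shared secret so that the leaked bytes only narrow a brute-force search over the remaining ones. The KDF function, salt, iteration count and the 4-byte secret length are illustrative assumptions chosen so the search finishes instantly; they are not the parameters of the proposal under discussion.

```python
"""
Added example: byte-wise Shamir sharing over GF(2^8), partial-share leakage,
and a KDF layer on the shared secret. Not the code from the thread or from
SLIP-39; KDF parameters and secret length are demo assumptions.
"""
import hashlib
import secrets


# --- GF(2^8) arithmetic with the AES reduction polynomial x^8+x^4+x^3+x+1 ---
def gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a):
    # a^254 == a^-1 in GF(2^8) for a != 0; computed as a^2 * a^4 * ... * a^128
    r, e = 1, a
    for _ in range(7):
        e = gf_mul(e, e)
        r = gf_mul(r, e)
    return r


def split_byte(secret_byte, k, n):
    """Share one byte: random degree-(k-1) polynomial, evaluated at x = 1..n."""
    coeffs = [secret_byte] + [secrets.randbelow(256) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y, xp = 0, 1
        for c in coeffs:
            y ^= gf_mul(c, xp)
            xp = gf_mul(xp, x)
        shares.append(y)
    return shares


def split(secret, k, n):
    """Return n shares (x, bytes). Every byte of the secret is shared independently."""
    per_byte = [split_byte(b, k, n) for b in secret]
    return [(x, bytes(col[x - 1] for col in per_byte)) for x in range(1, n + 1)]


def recover_byte(points):
    """Lagrange interpolation at x = 0; in characteristic 2, subtraction is XOR."""
    s = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)       # (0 - xj) == xj
                den = gf_mul(den, xi ^ xj)  # (xi - xj)
        s ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return s


def recover(shares):
    length = len(shares[0][1])
    return bytes(recover_byte([(x, y[i]) for x, y in shares]) for i in range(length))


def recover_prefix(full_shares, partial_share):
    """k-1 full shares plus a prefix of one more share give the same prefix of the
    secret exactly, because each byte position is an independent Shamir instance."""
    x, prefix = partial_share
    return bytes(
        recover_byte([(sx, sy[i]) for sx, sy in full_shares] + [(x, prefix[i])])
        for i in range(len(prefix))
    )


def kdf(shared_secret, iterations=1):
    # Stand-in for a KDF applied to the shared secret (assumed salt and iteration
    # count; a real deployment would use a large iteration count).
    return hashlib.pbkdf2_hmac("sha256", shared_secret, b"demo-salt", iterations, 32)


def brute_force_with_kdf(known_prefix, unknown_len, target_master, iterations=1):
    """With the KDF in place, the leaked prefix only shrinks the search: the
    attacker must still run the KDF once per candidate for the unknown bytes,
    checking each against a known fingerprint of the derived master key."""
    tries = 0
    for guess in range(256 ** unknown_len):
        tail = guess.to_bytes(unknown_len, "big")
        tries += 1
        if kdf(known_prefix + tail, iterations) == target_master:
            return known_prefix + tail, tries
    return None, tries


if __name__ == "__main__":
    shared_secret = secrets.token_bytes(4)  # constructed tiny secret so the demo search finishes
    shares = split(shared_secret, k=3, n=5)
    assert recover(shares[:3]) == shared_secret
    # Leak: two full shares plus the first 2 bytes of a third share.
    leaked = recover_prefix(shares[:2], (shares[2][0], shares[2][1][:2]))
    print("leaked secret prefix:", leaked.hex(), "actual:", shared_secret[:2].hex())
    found, tries = brute_force_with_kdf(leaked, 2, kdf(shared_secret))
    print("brute force over the remaining bytes:", found.hex(), "after", tries, "KDF calls")
```

The cost of the search grows as 256 to the power of the number of unknown bytes, so with a 256-bit shared secret and a slow KDF a partial leak is far from a full compromise; the example uses a 4-byte secret only so that the loop terminates in well under a second.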