📅 Original date posted:2014-03-29
📝 Original message:I also think that we can add usability features if the underlying secret remains well protected.
I do not think there is any reason to assume that the knowledge of the degree of the polynomial, would aid an attacker.
Similarly a fingerprint of the secret if it is unrelated to the hash used in the polinomyal should leak no useful information,
The length of such fingerpring (say 4 bytes) and the degree (1 byte) does not seem a big overhead for me.
Remember that the biggest obstacle of Bitcoin is usability not security.
Regards,
Tamas Blummer
http://bitsofproof.com
On 29.03.2014, at 18:52, Alan Reiner <etotheipi at gmail.com> wrote:
> On 03/29/2014 01:19 PM, Matt Whitlock wrote:
>> I intentionally omitted the parameter M (minimum subset size) from the shares because including it would give an adversary a vital piece of information. Likewise, including any kind of information that would allow a determination of whether the secret has been correctly reconstituted would give an adversary too much information. Failing silently when given incorrect shares or an insufficient number of shares is intentional.
>
> I do not believe this is a good tradeoff. It's basically obfuscation of
> something that is already considered secure at the expense of
> usability. It's much more important to me that the user understands
> what is in their hands (or their family members after they get hit by a
> bus), than to obfuscate the parameters of the secret sharing to provide
> a tiny disadvantage to an adversary who gets ahold of one.
>
> The fact that it fails silently is really all downside, not a benefit.
> If I have enough fragments, I can reconstruct the seed and see that it
> produces addresses with money. If not, I know I need more fragments.
> I'm much more concerned about my family having all the info they need to
> recover the money, than an attacker knowing that he needs two more
> fragments instead of which are well-secured anyway.
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140329/ad76bea3/attachment.html>;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140329/ad76bea3/attachment.sig>;
Tamas Blummer [ARCHIVE] /
npub1cc…ex8m8
2023-06-07 15:16:41
in reply to nevent1q…d6w2
Author Public Key
npub1ccegg9n9lnx6huppxg43m95488yur7pfemkn3pz0agjws5ffvtts0ex8m8Seen on
wss://relay.noswhere.comPublished at
2023-06-07 15:16:41Event JSON
{
"id": "97e93bb7487820fb9ec91581d4e362284fb1a678cb8a41c4ca181e7cbfe6a227",
"pubkey": "c632841665fccdabf021322b1d969539c9c1f829ceed38844fea24e8512962d7",
"created_at": 1686151001,
"kind": 1,
"tags": [
[
"e",
"cd470d06d90a3107c21da4b48b344ebdd3b4ab813362bb85b0e7a02311012700",
"",
"root"
],
[
"e",
"11e41244f4ae744df8fdb7e9204829bad97362feb08740e02e0780cf24dba8f4",
"",
"reply"
],
[
"p",
"f00d0858b09287e941ccbc491567cc70bdbc62d714628b167c1b76e7fef04d91"
]
],
"content": "📅 Original date posted:2014-03-29\n📝 Original message:I also think that we can add usability features if the underlying secret remains well protected.\nI do not think there is any reason to assume that the knowledge of the degree of the polynomial, would aid an attacker.\n\nSimilarly a fingerprint of the secret if it is unrelated to the hash used in the polinomyal should leak no useful information,\n\nThe length of such fingerpring (say 4 bytes) and the degree (1 byte) does not seem a big overhead for me.\n\nRemember that the biggest obstacle of Bitcoin is usability not security.\n\nRegards,\n\nTamas Blummer\nhttp://bitsofproof.com\n\nOn 29.03.2014, at 18:52, Alan Reiner \u003cetotheipi at gmail.com\u003e wrote:\n\n\u003e On 03/29/2014 01:19 PM, Matt Whitlock wrote:\n\u003e\u003e I intentionally omitted the parameter M (minimum subset size) from the shares because including it would give an adversary a vital piece of information. Likewise, including any kind of information that would allow a determination of whether the secret has been correctly reconstituted would give an adversary too much information. Failing silently when given incorrect shares or an insufficient number of shares is intentional.\n\u003e \n\u003e I do not believe this is a good tradeoff. It's basically obfuscation of\n\u003e something that is already considered secure at the expense of\n\u003e usability. It's much more important to me that the user understands\n\u003e what is in their hands (or their family members after they get hit by a\n\u003e bus), than to obfuscate the parameters of the secret sharing to provide\n\u003e a tiny disadvantage to an adversary who gets ahold of one. \n\u003e \n\u003e The fact that it fails silently is really all downside, not a benefit. \n\u003e If I have enough fragments, I can reconstruct the seed and see that it\n\u003e produces addresses with money. If not, I know I need more fragments. \n\u003e I'm much more concerned about my family having all the info they need to\n\u003e recover the money, than an attacker knowing that he needs two more\n\u003e fragments instead of which are well-secured anyway.\n\u003e \n\u003e \n\u003e \n\u003e ------------------------------------------------------------------------------\n\u003e _______________________________________________\n\u003e Bitcoin-development mailing list\n\u003e Bitcoin-development at lists.sourceforge.net\n\u003e https://lists.sourceforge.net/lists/listinfo/bitcoin-development\n\u003e \n\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140329/ad76bea3/attachment.html\u003e\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: signature.asc\nType: application/pgp-signature\nSize: 495 bytes\nDesc: Message signed with OpenPGP using GPGMail\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140329/ad76bea3/attachment.sig\u003e",
"sig": "c1a1a7ea0fce8b491c6a39750413ffee770045706b46bde4039dd20576bbdf0c04281ce10013b6ab151a9c1b1e841d3050195b7a1fe6b5bcfbebda47e08b12ea"
}