Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted:2018-01-18
📝 Original message:On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek
<ondrej.vejpustek at satoshilabs.com> wrote:
>> If being secure against partial share leakage is really part of your
>> threat model the current proposal is gratuitously insecure against it.
>
> I don't think that is true. Shared secret is an input of KDF which
> should prevent this kind of attack.
My post provided a concrete example. I'd be happy to answer any
questions about it, but otherwise I'm not sure how to make it more
clear.
> Actually, we've been considering something like that. We concluded that it is too much "rolling your own crypto". Instead of a diffusion layer we decided to apply a KDF on the shared secret.
Quite the opposite-- a large block cipher is a standard
construction... and the off-label application of a KDF that you've
used here doesn't provide any protection against the example I gave.
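The following is an added illustration, not code from the thread, from Maxwell, or from SatoshiLabs. It assumes (my assumption, since the thread does not spell the scheme out) that the shares are Shamir shares computed independently for each byte of the secret in GF(2^8) with the AES polynomial 0x11b, and it uses SHA-256 as a stand-in for whatever KDF is applied to the reconstructed secret. Under that model, "partial share leakage" of the first k bytes of a threshold number of shares hands over the first k bytes of the secret, and a KDF applied afterwards cannot undo that, because those bytes are simply part of the KDF input. The names `split`, `recover`, `kdf` and `guess_last_byte` are mine.

```python
"""Added example: per-byte secret sharing leaks per-byte, and a KDF applied
to the reconstructed secret does not hide what has already leaked.
Assumptions (not from the thread): Shamir sharing done byte-by-byte in
GF(2^8) with the AES polynomial 0x11b; SHA-256 stands in for the KDF."""
import hashlib
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^(2^8 - 2) = a^254 by square-and-multiply."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split(secret: bytes, threshold: int, n: int) -> list:
    """Shamir-split each byte independently; returns n shares as (x, bytes)."""
    share_bufs = [bytearray() for _ in range(n)]
    for s in secret:
        # Random polynomial of degree threshold-1 whose constant term is the byte.
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i in range(n):
            x, y, xpow = i + 1, 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xpow)
                xpow = gf_mul(xpow, x)
            share_bufs[i].append(y)
    return [(i + 1, bytes(buf)) for i, buf in enumerate(share_bufs)]


def interpolate_zero(points: list) -> int:
    """Lagrange interpolation at x = 0 over GF(2^8); points are (x, y) pairs."""
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)       # (0 - xj) is xj in characteristic 2
                den = gf_mul(den, xi ^ xj)  # (xi - xj)
        acc ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return acc


def recover(shares: list) -> bytes:
    """Combine shares byte by byte. It works on any common prefix length,
    which is exactly the problem: the first k bytes of a threshold number of
    shares reconstruct the first k bytes of the secret on their own."""
    length = min(len(buf) for _, buf in shares)
    return bytes(
        interpolate_zero([(x, buf[i]) for x, buf in shares]) for i in range(length)
    )


def kdf(secret: bytes) -> bytes:
    """Stand-in for the KDF applied to the reconstructed secret (assumed SHA-256)."""
    return hashlib.sha256(secret).digest()


def guess_last_byte(leaked_shares: list, target: bytes, secret_len: int) -> bytes:
    """Shows why the KDF adds nothing once bytes have leaked: with all but one
    byte of the secret known, the KDF output `target` is matched after at most
    256 evaluations. A diffusion layer over the whole secret before sharing
    (the wide block cipher the thread mentions) is what would break this link,
    and it is deliberately not modelled here."""
    prefix = recover(leaked_shares)
    if len(prefix) != secret_len - 1:
        raise ValueError("expected all but one byte of the secret to be leaked")
    for b in range(256):
        candidate = prefix + bytes([b])
        if kdf(candidate) == target:
            return candidate
    raise ValueError("no candidate matched; the leaked shares are inconsistent")


def demo(secret_len: int = 5, leaked_len: int = 4, threshold: int = 2, n: int = 3) -> bool:
    """Constructed scenario: a random secret is split; only the first
    leaked_len bytes of `threshold` shares are exposed. Returns True when the
    exposed prefix alone reconstructs the secret's prefix."""
    secret = secrets.token_bytes(secret_len)  # constructed test secret
    shares = split(secret, threshold, n)
    leaked = [(x, buf[:leaked_len]) for x, buf in shares[:threshold]]
    return recover(leaked) == secret[:leaked_len]
```

`demo()` returns True every time, whichever `threshold` shares are leaked, because each byte position is an independent sharing instance. Running `guess_last_byte` on a five-byte secret with four leaked bytes and the KDF output finds the full secret in at most 256 KDF calls; the KDF slows each guess down but does not change what the leaked prefix reveals.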
Published at 2023-06-07 18:09:34