📅 Original date posted:2014-03-29
📝 Original message:On 03/29/2014 02:00 PM, Matt Whitlock wrote:
> On Saturday, 29 March 2014, at 1:52 pm, Alan Reiner wrote:
>> On 03/29/2014 01:19 PM, Matt Whitlock wrote:
>>> I intentionally omitted the parameter M (minimum subset size) from the shares because including it would give an adversary a vital piece of information. Likewise, including any kind of information that would allow a determination of whether the secret has been correctly reconstituted would give an adversary too much information. Failing silently when given incorrect shares or an insufficient number of shares is intentional.
>> I do not believe this is a good tradeoff. It's basically obfuscation of
>> something that is already considered secure at the expense of
>> usability. It's much more important to me that the user understands
>> what is in their hands (or their family members after they get hit by a
>> bus), than to obfuscate the parameters of the secret sharing to provide
>> a tiny disadvantage to an adversary who gets ahold of one.
>>
>> The fact that it fails silently is really all downside, not a benefit.
>> If I have enough fragments, I can reconstruct the seed and see that it
>> produces addresses with money. If not, I know I need more fragments.
>> I'm much more concerned about my family having all the info they need to
>> recover the money, than an attacker knowing that he needs two more
>> fragments instead of which are well-secured anyway.
> For what it's worth, ssss also omits from the shares any information about the threshold. It will happily return a garbage secret if too few shares are combined. (And actually, it will happily return a garbage secret if too *many* shares are combined, too. My implementation does not have that problem.)
Regardless of how SSSS does it, I believe that obfuscating that
information is bad news from a usability perspective. Undoubtedly,
users will make lots of backups of lots of wallets and think they
remember the M-parameter but don't. They will accidentally mix in some
3-of-5 fragments with their 2-of-4 not realizing they are incompatible,
or not able to distinguish them. Or they'll distribute too many
thinking the threshold is higher and end up insecure, or possibly not
have enough fragments to restore their wallet thinking the M-value was
lower than it actually was.
I just don't see the value in adding such complexity for the benefit of
obfuscating information an attacker might be able to figure out anyway
(most backups will be 2-of-N or 3-of-N) and can't act on anyway (because
he doesn't know where the other frags are and they are actually in
safe-deposit boxes)
Alan Reiner [ARCHIVE] /
npub1sm…mnq7h
2023-06-07 15:16:41
in reply to nevent1q…jcqp
Author Public Key
npub1sm6zhjmk5scuz294jmpkw99wwwjzetjgwp4fu4gn6utqgdz87hkqamnq7hPublished at
2023-06-07 15:16:41Event JSON
{
"id": "3b216daddc9acd2389ec045b0a378bc8a4cd65201ed898952bcd65d40dd3c310",
"pubkey": "86f42bcb76a431c128b596c36714ae73a42cae48706a9e5513d716043447f5ec",
"created_at": 1686151001,
"kind": 1,
"tags": [
[
"e",
"cd470d06d90a3107c21da4b48b344ebdd3b4ab813362bb85b0e7a02311012700",
"",
"root"
],
[
"e",
"04ef1a2b69643dfae3bf42522bd6d489eca9d79800fa64a33c2cb8ba62110e18",
"",
"reply"
],
[
"p",
"f00d0858b09287e941ccbc491567cc70bdbc62d714628b167c1b76e7fef04d91"
]
],
"content": "📅 Original date posted:2014-03-29\n📝 Original message:On 03/29/2014 02:00 PM, Matt Whitlock wrote:\n\u003e On Saturday, 29 March 2014, at 1:52 pm, Alan Reiner wrote:\n\u003e\u003e On 03/29/2014 01:19 PM, Matt Whitlock wrote:\n\u003e\u003e\u003e I intentionally omitted the parameter M (minimum subset size) from the shares because including it would give an adversary a vital piece of information. Likewise, including any kind of information that would allow a determination of whether the secret has been correctly reconstituted would give an adversary too much information. Failing silently when given incorrect shares or an insufficient number of shares is intentional.\n\u003e\u003e I do not believe this is a good tradeoff. It's basically obfuscation of\n\u003e\u003e something that is already considered secure at the expense of\n\u003e\u003e usability. It's much more important to me that the user understands\n\u003e\u003e what is in their hands (or their family members after they get hit by a\n\u003e\u003e bus), than to obfuscate the parameters of the secret sharing to provide\n\u003e\u003e a tiny disadvantage to an adversary who gets ahold of one. \n\u003e\u003e\n\u003e\u003e The fact that it fails silently is really all downside, not a benefit. \n\u003e\u003e If I have enough fragments, I can reconstruct the seed and see that it\n\u003e\u003e produces addresses with money. If not, I know I need more fragments. \n\u003e\u003e I'm much more concerned about my family having all the info they need to\n\u003e\u003e recover the money, than an attacker knowing that he needs two more\n\u003e\u003e fragments instead of which are well-secured anyway.\n\u003e For what it's worth, ssss also omits from the shares any information about the threshold. It will happily return a garbage secret if too few shares are combined. (And actually, it will happily return a garbage secret if too *many* shares are combined, too. My implementation does not have that problem.)\n\nRegardless of how SSSS does it, I believe that obfuscating that\ninformation is bad news from a usability perspective. Undoubtedly,\nusers will make lots of backups of lots of wallets and think they\nremember the M-parameter but don't. They will accidentally mix in some\n3-of-5 fragments with their 2-of-4 not realizing they are incompatible,\nor not able to distinguish them. Or they'll distribute too many\nthinking the threshold is higher and end up insecure, or possibly not\nhave enough fragments to restore their wallet thinking the M-value was\nlower than it actually was. \n\nI just don't see the value in adding such complexity for the benefit of\nobfuscating information an attacker might be able to figure out anyway\n(most backups will be 2-of-N or 3-of-N) and can't act on anyway (because\nhe doesn't know where the other frags are and they are actually in\nsafe-deposit boxes)",
"sig": "f6827ea103f96eb450af2930d426fa3a4c5a35f921f88bb98147d1331fb18f9ef417b403ad0064c9599979a316fa2d542fd04cab7a478c3a5c4da773427460a1"
}