From: Tamas Blummer <tamas@bitsofproof.com>
To: Matt Whitlock
Cc: bitcoin-development@lists.sourceforge.net
Date: Sat, 29 Mar 2014 18:37:44 +0100
Subject: Re: [Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys
Message-Id: <2F5F0459-B7D7-438C-A617-D116402F02BE@bitsofproof.com>
In-Reply-To: <4676777.MQU5AqByQt@crushinator>
References: <1878927.J1e3zZmtIP@crushinator> <4676777.MQU5AqByQt@crushinator>

I had Matt's answer already, see below, but then I recognized that the group was not cc:-d, so I repeat:

It would help on the user interface to include into individual shares:

1. Number of shares needed
2. A few bytes fingerprint of the secret so shares that likely belong together can be identified.

I wonder how others weigh security vs. usability in these questions.

Regards,

Tamas Blummer
http://bitsofproof.com

On Saturday, 29 March 2014, at 6:22 pm, Tamas Blummer wrote:
> It might make sense to store the number of shares needed. I know it is not needed by math, but could help on user interface to say,
> you need x more shares..

I intentionally omitted that information because it's a security risk. If an adversary gains control of one share and can see exactly how many more shares he needs, he may be able to plan a better attack. If he is clueless about how many shares he needs, then he may not be able to execute an attack at all because he may not know whether his information about what shares exist and where is complete.

On 29.03.2014, at 17:54, Matt Whitlock <bip@mattwhitlock.name> wrote:

> On Saturday, 29 March 2014, at 9:44 am, Tamas Blummer wrote:
>> I used Shamir's Secret Sharing to decompose a seed for a BIP32 master key, that is I think more future relevant than a single key.
>> Therefore suggest to adapt the BIP for a length used there typically 16 or 32 bytes and have a magic code to indicate its use as key vs. seed.
>
> I have expanded the BIP so that it additionally applies to BIP32 master seeds of sizes 128, 256, and 512 bits.
>
> https://github.com/whitslack/btctool/blob/bip/bip-xxxx.mediawiki
>
> The most significant change versus the previous version is how the coefficients of the polynomials are constructed. Previously they were SHA-256 digests. Now they are SHA-512 digests, modulo a prime number that is selected depending on the size of the secret.

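As an added illustration of the trade-off argued in this thread (it is not code from the thread, from Matt's BIP, or from btctool), the following Python implements Shamir splitting and recovery over a prime field and carries the two per-share fields Tamas proposes: the threshold and a short fingerprint of the secret. The field prime P, the SHA-512-based coefficient derivation layout, and the fingerprint construction are assumptions of this example, not the BIP's exact choices. The `interpolate` function shows Matt's point from the defender's side: with too few shares, recovery returns a wrong value rather than an error, so a combiner without the threshold cannot tell whether it is done, while the fingerprint at least lets it detect a bad result.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption for this example: one fixed field prime. The BIP selects a prime
# according to the secret size (128/256/512 bits); any secret below P works here.
P = 2**255 - 19


@dataclass(frozen=True)
class Share:
    x: int              # evaluation point, 1..255
    y: int              # f(x) mod P
    threshold: int      # shares needed (the field Tamas proposes, Matt argues against)
    fingerprint: bytes  # 4 bytes identifying the secret, to group matching shares


def _fingerprint(secret: bytes) -> bytes:
    # Constructed choice: first 4 bytes of SHA-256d of the secret. Harmless for a
    # high-entropy seed; for a guessable secret it would be an offline check oracle.
    return hashlib.sha256(hashlib.sha256(secret).digest()).digest()[:4]


def _coefficients(secret: bytes, threshold: int) -> List[int]:
    # a0 is the secret; higher coefficients follow the style Matt describes
    # (SHA-512 digests reduced mod P). The digest input layout is an assumption
    # of this example; the textbook scheme draws coefficients uniformly at random.
    coeffs = [int.from_bytes(secret, "big")]
    for i in range(1, threshold):
        digest = hashlib.sha512(b"sss-coeff" + i.to_bytes(2, "big") + secret).digest()
        coeffs.append(int.from_bytes(digest, "big") % P)
    return coeffs


def _evaluate(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):  # Horner's rule, all arithmetic mod P
        acc = (acc * x + c) % P
    return acc


def split(secret: bytes, threshold: int, count: int) -> List[Share]:
    if not 2 <= threshold <= count <= 255:
        raise ValueError("need 2 <= threshold <= count <= 255")
    if int.from_bytes(secret, "big") >= P:
        raise ValueError("secret too large for the field")
    coeffs = _coefficients(secret, threshold)
    fp = _fingerprint(secret)
    return [Share(x, _evaluate(coeffs, x), threshold, fp) for x in range(1, count + 1)]


def interpolate(points: Iterable[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P).

    With fewer points than the polynomial degree + 1 this returns a wrong value,
    not an error: a combiner that does not know the threshold cannot tell.
    """
    pts = list(dict(points).items())  # dedupe by x
    acc = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        acc = (acc + yi * num * pow(den, -1, P)) % P
    return acc


def shares_needed(shares: Iterable[Share]) -> int:
    """The 'you need x more shares' hint Tamas wants the UI to give."""
    shares = list(shares)
    return max(0, shares[0].threshold - len({s.x for s in shares}))


def combine(shares: Iterable[Share], secret_len: int) -> bytes:
    shares = list({s.x: s for s in shares}.values())
    if not shares:
        raise ValueError("no shares")
    if len({s.threshold for s in shares}) != 1 or len({s.fingerprint for s in shares}) != 1:
        raise ValueError("shares do not belong together")
    k = shares[0].threshold
    if len(shares) < k:
        raise ValueError(f"need {k - len(shares)} more share(s)")
    value = interpolate((s.x, s.y) for s in shares[:k])
    if value >= 1 << (8 * secret_len):
        raise ValueError("recovered value does not fit the secret size")
    secret = value.to_bytes(secret_len, "big")
    if _fingerprint(secret) != shares[0].fingerprint:
        raise ValueError("fingerprint mismatch: wrong or corrupted shares")
    return secret


if __name__ == "__main__":
    seed = bytes(range(16))  # constructed 128-bit sample seed
    parts = split(seed, threshold=3, count=5)
    print("shares still needed with two in hand:", shares_needed(parts[:2]))
    print("recovered ok:", combine([parts[4], parts[0], parts[2]], 16) == seed)
```

Whether to ship the threshold and fingerprint inside each share is exactly the usability-versus-leakage question of the thread; the code only makes visible what each field buys the legitimate holder.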