public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Eric Lombrozo <elombrozo@gmail.com>
To: second isogeny <secondisogeny@gmail.com>
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] BIP32 - invalidation
Date: Sat, 9 Aug 2014 18:20:09 -0700	[thread overview]
Message-ID: <501F55C1-6307-487B-91D8-9CC0193DA747@gmail.com> (raw)
In-Reply-To: <CAFWhrvR+4wsMwzjvqb7w7XmhESagzc_0pvQuGx3Fn4qeWFbinA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2972 bytes --]

Does bitcoin properly handle the case of a hash collision? no - because it is considered too unlikely. The case of I_L >= n is also astronomically unlikely, so it's more a matter of improved performance and simpler data structures under expected circumstances and taking that less than 1 in 2^127 chance that it will fail, in which case we can recover by moving everything over to a new tree.

-Eric Lombrozo



On Aug 9, 2014, at 5:34 PM, second isogeny <secondisogeny@gmail.com> wrote:

> > Does anyone see any concerns when it comes to security of the proposed
> > change?
> 
> Yes.  This proposal is less secure.
> 
> It is incompatible in theory with existing implementations of the
> specification.  The incompatibility is also a potentially a security
> problem because it may cause users to believe a key is worthless when
> it is not or to lose funds when they are unable to spend them.
> 
> It is also an untimely proposal and would be inconsiderate other parties
> who have done the work to produce correct and compatible implementations.
> 
> > In case I_L >= n assign I_L := I_L mod n.
> 
> This will make the selection of private keys uneven.
> 
> The unevenness is small and it is unlikely to very matter much but it
> is objectively less secure.  Future advances in cryptography may make
> the distinction more important.  The change would eliminate any hope of
> the specification ever having provable security equal to random keys.
> 
> The bignum modulo operation also requires complex additional logic and is
> just as likely to remain untested in implementations, though unit-testing
> can test these cases by replacing the hash function.
> 
> Because of layering no suitable modulo may be available and an incorrect
> implementation could create a devastating weakness, like reflecting a
> large class of keys to a small number of values.  A similar error would
> be unlikely for an incorrect implementation of skipping and someone who
> managed to still fail would likely have failed either way.
> 
> > most of the implementations don't do the checking at all, because tjen
> > it's rather hard at application level to implement skipping logic. OTOH
> 
> There are many corner cases which must be handled in cryptographic
> software.
> 
> You must handle the point at infinity cases, you must handle the signature
> having a value of zero (or you leak the private key), in the point
> arithemetics you must handle the special case of adding colinear points.
> 
> If someone is unprepared to deal with these and many other complications
> they may want to leave writing this kind of software for other people.
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

  reply	other threads:[~2014-08-10  1:20 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-08-10  0:34 [Bitcoin-development] BIP32 - invalidation second isogeny
2014-08-10  1:20 ` Eric Lombrozo [this message]
  -- strict thread matches above, loose matches on Subject: below --
2014-08-08 13:19 Pavol Rusnak

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=501F55C1-6307-487B-91D8-9CC0193DA747@gmail.com \
    --to=elombrozo@gmail.com \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=secondisogeny@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox