From: Gregory Maxwell <gmaxwell@gmail.com>
To: Peter Todd <pete@petertodd.org>
Cc: Bitcoin Development <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] New side channel attack that can recover Bitcoin keys
Date: Wed, 5 Mar 2014 11:51:25 -0800
Message-ID: <CAAS2fgR+q4fDs3JfX9az8b17Dk7VKjC3SxYja-2spwU-kM74fA@mail.gmail.com>
In-Reply-To: <20140305193910.GA24917@tilt>
On Wed, Mar 5, 2014 at 11:39 AM, Peter Todd <pete@petertodd.org> wrote:
> If you're following good practices you're not particularly vulnerable to
> it, if at all, even if you make use of shared hosting. First of all you
> shouldn't be re-using addresses, which means you won't be passing that
> ~200 sig threshold.
>
> More important though is you shouldn't be using single factor Bitcoin
> addresses. Use n-of-m multisig instead and architect your system such
Both of these things have long been promoted as virtuous in part
because they increase robustness against this sort of thing.
But while I don't disagree with these things the reality is that many
people do not follow either of these pieces of advice and following
them requires behavioral changes that will not be adopted quickly...
so I don't think that advice is especially useful.
And even if it were, good security involves defense in depth, so
adding on top of them things like side-channel resistant signing is
important.
I haven't had a chance to sit down and think through it completely but
I believe oleganza's recent blind signature scheme for ECDSA may be
helpful (http://oleganza.com/blind-ecdsa-draft-v2.pdf):
The idea is that instead of (or in addition to it, belt and suspenders)
making the signing constant time, you use the blinding scheme to first
locally blind the private key and point being signed, then sign, then
unblind. This way even if you are reusing a key every signing
operation is handling different private data... and the only point
where unblinded private data is handled is a simple scalar addition.
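The split-key idea described in the message above, as an added worked example that is not part of the thread and is not oleganza's draft protocol or any Bitcoin project code: a minimal pure-Python secp256k1 ECDSA where the signer never computes with the whole private key except in one scalar subtraction, and every signature works on a fresh random share pair. The curve parameters are the public secp256k1 constants; the key, message hash and nonce values in the usage section are constructed for the demonstration. Nonce-side countermeasures (the scalar multiplication that the attack in this thread actually targeted) are out of scope here.

```python
import secrets

# secp256k1 domain parameters (public constants, not secrets)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def sign_plain(d, z, k):
    """Textbook ECDSA: s = k^-1 (z + r*d); the whole key d is used directly."""
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    return (r, s)


def sign_split(d, z, k, delta=None):
    """ECDSA with an additively split key.

    d = d1 + delta (mod N) with a fresh random delta per signature.  The only
    arithmetic that touches the whole key is the one subtraction producing d1;
    the remaining multiplications operate on shares that change every call,
    so repeated signing with a reused key does not repeatedly process the
    same secret operand.  Hypothetical construction for illustration.
    """
    if delta is None:
        delta = secrets.randbelow(N - 1) + 1     # fresh blinding share
    d1 = (d - delta) % N                         # the single scalar op on d
    r = point_mul(k, G)[0] % N
    kinv = pow(k, -1, N)
    s1 = kinv * (z + r * d1) % N                 # share-1 contribution
    s2 = kinv * r * delta % N                    # share-2 contribution
    return (r, (s1 + s2) % N)                    # identical to the plain s


def verify(pub, z, sig):
    """Standard ECDSA verification against public point pub = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


if __name__ == "__main__":
    # Constructed sample values.  A fixed nonce k is used ONLY so that the two
    # signing paths can be compared bit-for-bit; real signing needs a fresh
    # unpredictable nonce for every signature.
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    z = int.from_bytes(b"constructed message hash".ljust(32, b"\0"), "big")
    k = 0x5A3B1C7D9E2F4A6B8C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B
    pub = point_mul(d, G)
    assert sign_plain(d, z, k) == sign_split(d, z, k, delta=12345)
    assert verify(pub, z, sign_split(d, z, k))
    print("split-key signature matches plain ECDSA and verifies")
```

The two signing paths produce identical signatures for the same nonce, so the split is invisible to verifiers and to the on-chain format; what changes is which operands the signing code handles repeatedly. Nothing here makes the scalar multiplication itself leak less, which is why the message treats blinding as an addition to, not a replacement for, constant-time implementation.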