From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XGH5e-0003VO-65 for bitcoin-development@lists.sourceforge.net; Sun, 10 Aug 2014 00:34:26 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.160.196 as permitted sender) client-ip=209.85.160.196; envelope-from=secondisogeny@gmail.com; helo=mail-yk0-f196.google.com; Received: from mail-yk0-f196.google.com ([209.85.160.196]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1XGH5d-0005rm-8M for bitcoin-development@lists.sourceforge.net; Sun, 10 Aug 2014 00:34:26 +0000 Received: by mail-yk0-f196.google.com with SMTP id 9so1341437ykp.7 for ; Sat, 09 Aug 2014 17:34:19 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.236.108.147 with SMTP id q19mr29948642yhg.27.1407630859818; Sat, 09 Aug 2014 17:34:19 -0700 (PDT) Received: by 10.170.36.82 with HTTP; Sat, 9 Aug 2014 17:34:19 -0700 (PDT) Date: Sat, 9 Aug 2014 17:34:19 -0700 Message-ID: From: second isogeny To: bitcoin-development@lists.sourceforge.net Content-Type: multipart/alternative; boundary=089e0160b5a85fdb2205003b99e8 X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (secondisogeny[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1XGH5d-0005rm-8M Subject: [Bitcoin-development] BIP32 - invalidation X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Aug 2014 00:34:26 -0000 --089e0160b5a85fdb2205003b99e8 Content-Type: text/plain; charset=UTF-8 > Does anyone see any concerns when it comes to security of the proposed > change? Yes. This proposal is less secure. It is incompatible in theory with existing implementations of the specification. The incompatibility is also a potentially a security problem because it may cause users to believe a key is worthless when it is not or to lose funds when they are unable to spend them. It is also an untimely proposal and would be inconsiderate other parties who have done the work to produce correct and compatible implementations. > In case I_L >= n assign I_L := I_L mod n. This will make the selection of private keys uneven. The unevenness is small and it is unlikely to very matter much but it is objectively less secure. Future advances in cryptography may make the distinction more important. The change would eliminate any hope of the specification ever having provable security equal to random keys. The bignum modulo operation also requires complex additional logic and is just as likely to remain untested in implementations, though unit-testing can test these cases by replacing the hash function. Because of layering no suitable modulo may be available and an incorrect implementation could create a devastating weakness, like reflecting a large class of keys to a small number of values. A similar error would be unlikely for an incorrect implementation of skipping and someone who managed to still fail would likely have failed either way. > most of the implementations don't do the checking at all, because tjen > it's rather hard at application level to implement skipping logic. OTOH There are many corner cases which must be handled in cryptographic software. You must handle the point at infinity cases, you must handle the signature having a value of zero (or you leak the private key), in the point arithemetics you must handle the special case of adding colinear points. If someone is unprepared to deal with these and many other complications they may want to leave writing this kind of software for other people. --089e0160b5a85fdb2205003b99e8 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
> Does anyone see any concerns when it comes to securit= y of the proposed
> change?

Yes.=C2=A0 This proposal is less s= ecure.

It is incompatible in theory with existing implementations of= the
specification.=C2=A0 The incompatibility is also a potentially a securityproblem because it may cause users to believe a key is worthless when
= it is not or to lose funds when they are unable to spend them.

It is= also an untimely proposal and would be inconsiderate other parties
who have done the work to produce correct and compatible implementations.
> In case I_L >=3D n assign I_L :=3D I_L mod n.

This wil= l make the selection of private keys uneven.

The unevenness is small= and it is unlikely to very matter much but it
is objectively less secure.=C2=A0 Future advances in cryptography may make<= br>the distinction more important.=C2=A0 The change would eliminate any hop= e of
the specification ever having provable security equal to random key= s.

The bignum modulo operation also requires complex additional logic and = is
just as likely to remain untested in implementations, though unit-tes= ting
can test these cases by replacing the hash function.

Because= of layering no suitable modulo may be available and an incorrect
implementation could create a devastating weakness, like reflecting a
la= rge class of keys to a small number of values.=C2=A0 A similar error would<= br>be unlikely for an incorrect implementation of skipping and someone who<= br> managed to still fail would likely have failed either way.

> most= of the implementations don't do the checking at all, because tjen
&= gt; it's rather hard at application level to implement skipping logic. = OTOH

There are many corner cases which must be handled in cryptographic
s= oftware.

You must handle the point at infinity cases, you must handl= e the signature
having a value of zero (or you leak the private key), in= the point
arithemetics you must handle the special case of adding colinear points.
If someone is unprepared to deal with these and many other complicatio= ns
they may want to leave writing this kind of software for other people= .

--089e0160b5a85fdb2205003b99e8--