From: "Russell O'Connor" <roconnor@blockstream.io>
To: "Ondřej Vejpustek" <ondrej.vejpustek@satoshilabs.com>,
"Bitcoin Protocol Discussion"
<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme
Date: Wed, 17 Jan 2018 10:28:15 -0500 [thread overview]
Message-ID: <CAMZUoKnJM+U0QrVgD1VP4Q=krYDHmCn-poydVrz79r-w-89+yw@mail.gmail.com> (raw)
In-Reply-To: <51280a45-f86b-3191-d55e-f34e880c1da8@satoshilabs.com>
[-- Attachment #1: Type: text/plain, Size: 4336 bytes --]
Hi Ondřej,
1. There is no similarity between SSS and RSA or any other public-key or
symmetric crypto. SSS is effectively a one-time pad and is
information-theoretically secure.
2. Even if there were a problem (which there cannot be, due to (1)), using
error correcting codes and truncated hash functions create identical
amounts of information theoretic redundancy.
Let me repeat that SSS is "information-theoretically secure"! It isn't
only computationally infeasible to break SSS; it is impossible to break
SSS. If you have all but one necessary share of SSS, there is no
information leaked about the the hidden data, because for every possible
message that could be encoded, there exists some final share that would
decode to that message. Any of the possibilities for the missing final
share are equally as likely.
It is of no use to apply the precautionary principle against impossible
attacks, especially at the cost of losing the useful properties of a real
error correcting codes that would provide actual guarantees against likely
errors.
On Wed, Jan 17, 2018 at 6:39 AM, Ondřej Vejpustek via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> The entropy argument is as follows:
>
> There is a rule of thumb which says it is safer plaintext to have low
> redundancy, see
> https://en.wikipedia.org/wiki/Redundancy_(information_theory), i. e.
> it's better to encrypt random or compressed data than natural language.
> This rule is based on Shannon's information theory which means that a
> breach of the rule usually doesn't induce a vulnerability (there is no
> known generic attack). This rule is application of a precautionary
> principle.
>
> Nevertheless, here are some examples of cryptographic attacks which may
> be considered as a consequence of the breach of the rule:
> * Related Message Attack by Coppersmith, Franklin, Patarin, Reiter
> (https://pdfs.semanticscholar.org/899a/4fdc048102471875e24f7fecb3fb89
> 98d754.pdf)
> - given RSA ciphertext of two plaintexts x and a*x + b, where a, b are
> known, it's possible to effectively compute x provided public exponent
> is three. From the informaton-theoretic point of view the second message
> is redundant, because it's determined by the first one. Which means that
> relative redundancy of both messages is at least one half.
> * Stereotyped Messages by Coppersmith
> (https://www.di.ens.fr/~fouque/ens-rennes/coppersmith.pdf, section 7) -
> given RSA ciphertext and (1-1/e) fraction of plaintext (where e is
> public exponent), it's possible to effectively compute x. Message is
> highly redundant, because only 1/e of the message is unknown. Relative
> redundancy of the message is at least (1-1/e).
>
> Consider a few notes:
> * Nowadays there exists more complicated variants of mentioned attacks
> which have weaker premisses.
> * There is a considerable similarity between RSA and SSS. Both schemes
> are algebraically-based (rather than boolean function based).
> * CRCs (and error-correcting codes generally) introduce redundancy
> into the message. Moreover the redundancy is induced by a linear
> relationship among message (compare with the premise of the Related
> Message Attack).
> * Related Message Attack wouldn't be possible if you had two
> plaintexts x and hash(x). The relationship between messages has to be
> (algebraically) uncomplicated. From the information-theoretic point of
> view the situation is the same, but from the practical point of view it
> is completely different.
>
> To sum it up, there is a precautionary principle which tells us not to
> increase redundancy of a message unless it is introduced in a
> complicated way (for example by a hash function). That's why we use SHA
> rather than CRC. One more reason why we stick to the principle is that
> there's no randomisation in our scheme (such as padding or
> initialisation vector). We understood advantages of error-correctings
> codes over hash functions (minimal codewords distance property,
> performance) and we considered it thoroughly.
>
> Ondřej Vejpustek
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
[-- Attachment #2: Type: text/html, Size: 5503 bytes --]
next prev parent reply other threads:[~2018-01-17 15:28 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-17 11:39 [bitcoin-dev] Satoshilabs secret shared private key scheme Ondřej Vejpustek
2018-01-17 15:28 ` Russell O'Connor [this message]
2018-01-17 15:36 ` Gregory Maxwell
2018-01-17 15:31 ` Gregory Maxwell
2018-01-18 5:00 ` Matt Corallo
2018-01-18 13:50 ` Ondřej Vejpustek
2018-01-18 14:34 ` Gregory Maxwell
2018-01-18 16:59 ` Ondřej Vejpustek
2018-01-18 18:58 ` Gregory Maxwell
2018-01-22 15:00 ` Ondřej Vejpustek
2018-01-22 19:21 ` Russell O'Connor
2018-01-23 1:05 ` Gregory Maxwell
2018-01-23 13:54 ` Ondřej Vejpustek
2018-01-23 14:16 ` Adam Back
-- strict thread matches above, loose matches on Subject: below --
2018-01-08 4:22 Gregory Maxwell
2018-01-08 6:33 ` nullius
2018-01-08 12:39 ` Pavol Rusnak
2018-01-08 12:45 ` Peter Todd
2018-01-08 13:00 ` Pavol Rusnak
2018-01-08 19:37 ` Peter Todd
2018-01-08 22:26 ` Ben Kloester
2018-01-09 0:37 ` Peter Todd
2018-01-08 23:47 ` Gregory Maxwell
2018-01-09 0:40 ` Rhavar
2018-01-09 1:13 ` Peter Todd
2018-01-09 12:44 ` jens
[not found] ` <274aad5c-4573-2fdd-f8b0-c6c2d662ab7c@gibsonic.org>
2018-01-12 9:50 ` Peter Todd
2018-01-09 15:12 ` Pavol Rusnak
2018-01-10 20:28 ` Pavol Rusnak
2018-01-10 23:47 ` Gregory Maxwell
2018-01-11 9:55 ` Pavol Rusnak
2018-01-09 16:20 ` Russell O'Connor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMZUoKnJM+U0QrVgD1VP4Q=krYDHmCn-poydVrz79r-w-89+yw@mail.gmail.com' \
--to=roconnor@blockstream.io \
--cc=bitcoin-dev@lists.linuxfoundation.org \
--cc=ondrej.vejpustek@satoshilabs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox