public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: "Russell O'Connor" <roconnor@blockstream.io>
To: Pavol Rusnak <stick@satoshilabs.com>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Satoshilabs secret shared private key scheme
Date: Tue, 9 Jan 2018 11:20:20 -0500	[thread overview]
Message-ID: <CAMZUoKnWbAF3LHOWcYsbkyfH93HwWWVHzQFz52V1jUKXgEBgZw@mail.gmail.com> (raw)
In-Reply-To: <ae570ccf-3a2c-a11c-57fa-6dad78cfb1a5@satoshilabs.com>

[-- Attachment #1: Type: text/plain, Size: 4106 bytes --]

On Mon, Jan 8, 2018 at 7:39 AM, Pavol Rusnak via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On 08/01/18 05:22, Gregory Maxwell wrote:
> >> https://github.com/satoshilabs/slips/blob/master/slip-0039.md
>
>
> > The 16-bit "checksum" based on sha2 seems pretty poor since basing
> > small checksums on a cryptographic hash results in a fairly poor
> > checksum that is surprisingly likely to accept an errored string. Your
> > wordlist is 10 bits and you have much less than 1023*10 bits of input,
> > so you could easily have a 20 bit code (two words) which guaranteed
> > that up to two errored words would always be detected, and probably
> > could choose one which catches three words much more often 1:2^20
> > (sipa's crc tools can help find codes like this).
>
> Originally, we wanted to use 16-bit of CRC32 for checksum, but after the
> discussion with Daan Sprenkels we were suggested to change this for
> cryptographically strong function. The argument was that CRC32 contains
> less entropy and mixing high-entropy data (secret) with low-entropy data
> (checksum) is not a good idea.
>

This entropy argument seems confused.  Ignoring constant factors, the
entropy of a checksum is the sum over all possible checksums, i, of
-n_i*log(n_i), where n_i is the number of times the ith checksum occurs
over the space of all possible data being checksummed.  In this application
the checksum is being applied to a fixed m-bit blob of uniformly random
data.

The entropy is maximized when every possible checksum occurs equally as
frequently, that is we achieve maximum entropy when all the n_i values are
equal to each other.  Any error correcting code worth it's salt will try to
achieve this property because the designers want every checksum value to
have as much error correcting power as every other checksum value.  I'm
almost certain that the algebraic properties of your typical error
correcting codes allow you to prove that maximum entropy is perfectly
achieved whenever the data-blob size is at least as large as the checksum
size.

Meanwhile the truncated value of a cryptographic hash function is expected
to be slightly under the maximum entropy value, under the assumption that
the hash function it behaves like a random function.

The main properties of a "strong cryptographic hash function" is that it is
infeasible to find collisions and preimages.  However these properties are
lost when you truncate the hash down to 16-bits.  At this point is it
entirely feasible to find collisions and preimages.

So using a truncated cryptographic hash function doesn't provide you with
more entropy (and, in fact, probably a sliver less entropy), and doesn't
provide you with any of the befits of strong cryptographic hash function.


> Also, there is an argument between a checksum and ECC. We discussed that
> ECC might not be a good idea, because it helps the attacker to compute
> missing information, while we only want to check for integrity. Also the
> word mnemonic is itself a ECC, because if you see the word "acadornic"
> it is probably the word "academic".
>

Every checksum is error correcting.  Given an failed checksum, all you have
to do is search around the space of edits to find the smallest set edits
that yield a valid checksum.  With a 2^16 bit checksum one will expect to
find a nearby checksum within 2^16 trails, even when using a truncated hash
function.

What an error-correcting codes gives you isn't the ability to correct
errors, which we have seen is something that all short checksums provide,
rather they provide *guarantees* about the ability to detect (and correct)
certain common classes of errors.  For example we can have an ECC that
guarantees to find the error where are word is accidentally written down
twice (see
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-January/015506.html
).

The advice you have been given will only result in losing any guarantees
about detecting common classes or errors; it won't stop attackers from
recovering missing information, and it won't provide a cryptographically
strong function.

[-- Attachment #2: Type: text/html, Size: 5185 bytes --]

  parent reply	other threads:[~2018-01-09 16:20 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-08  4:22 [bitcoin-dev] Satoshilabs secret shared private key scheme Gregory Maxwell
2018-01-08  6:33 ` nullius
2018-01-08 12:39 ` Pavol Rusnak
2018-01-08 12:45   ` Peter Todd
2018-01-08 13:00     ` Pavol Rusnak
2018-01-08 19:37       ` Peter Todd
2018-01-08 22:26         ` Ben Kloester
2018-01-09  0:37           ` Peter Todd
2018-01-08 23:47   ` Gregory Maxwell
2018-01-09  0:40     ` Rhavar
2018-01-09  1:13       ` Peter Todd
2018-01-09 12:44         ` jens
     [not found]         ` <274aad5c-4573-2fdd-f8b0-c6c2d662ab7c@gibsonic.org>
2018-01-12  9:50           ` Peter Todd
2018-01-12 11:06             ` [bitcoin-dev] Plausible Deniability (Re: Satoshilabs secret shared private key scheme) nullius
2018-01-13  2:11               ` Damian Williamson
2018-01-13  3:44                 ` nullius
2018-01-13  6:11                   ` Peter Todd
2018-01-09 15:12     ` [bitcoin-dev] Satoshilabs secret shared private key scheme Pavol Rusnak
2018-01-10 20:28       ` Pavol Rusnak
2018-01-10 23:47         ` Gregory Maxwell
2018-01-11  9:55           ` Pavol Rusnak
2018-01-09 16:20   ` Russell O'Connor [this message]
2018-01-17 11:39 Ondřej Vejpustek
2018-01-17 15:28 ` Russell O'Connor
2018-01-17 15:36   ` Gregory Maxwell
2018-01-17 15:31 ` Gregory Maxwell
2018-01-18  5:00   ` Matt Corallo
2018-01-18 13:50   ` Ondřej Vejpustek
2018-01-18 14:34     ` Gregory Maxwell
2018-01-18 16:59       ` Ondřej Vejpustek
2018-01-18 18:58         ` Gregory Maxwell
2018-01-22 15:00           ` Ondřej Vejpustek
2018-01-22 19:21           ` Russell O'Connor
2018-01-23  1:05             ` Gregory Maxwell
2018-01-23 13:54           ` Ondřej Vejpustek
2018-01-23 14:16             ` Adam Back

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAMZUoKnWbAF3LHOWcYsbkyfH93HwWWVHzQFz52V1jUKXgEBgZw@mail.gmail.com \
    --to=roconnor@blockstream.io \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=stick@satoshilabs.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox