[Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys

Tamas Blummer tamas at bitsofproof.com
Sat Mar 29 18:16:28 UTC 2014 

I also think that we can add usability features if the underlying secret remains well protected.
I do not think there is any reason to assume that the knowledge of the degree of the polynomial, would aid an attacker.

Similarly a fingerprint of the secret if it is unrelated to the hash used in the polinomyal should leak no useful information,

The length of such fingerpring (say 4 bytes) and the degree (1 byte) does not seem a big overhead for me.

Remember that the biggest obstacle of Bitcoin is usability not security.

Regards,

Tamas Blummer
http://bitsofproof.com

On 29.03.2014, at 18:52, Alan Reiner <etotheipi at gmail.com> wrote:

> On 03/29/2014 01:19 PM, Matt Whitlock wrote:
>> I intentionally omitted the parameter M (minimum subset size) from the shares because including it would give an adversary a vital piece of information. Likewise, including any kind of information that would allow a determination of whether the secret has been correctly reconstituted would give an adversary too much information. Failing silently when given incorrect shares or an insufficient number of shares is intentional.
> 
> I do not believe this is a good tradeoff.  It's basically obfuscation of
> something that is already considered secure at the expense of
> usability.  It's much more important to me that the user understands
> what is in their hands (or their family members after they get hit by a
> bus), than to obfuscate the parameters of the secret sharing to provide
> a tiny disadvantage to an adversary who gets ahold of one. 
> 
> The fact that it fails silently is really all downside, not a benefit. 
> If I have enough fragments, I can reconstruct the seed and see that it
> produces addresses with money.  If not, I know I need more fragments. 
> I'm much more concerned about my family having all the info they need to
> recover the money, than an attacker knowing that he needs two more
> fragments instead of which are well-secured anyway.
> 
> 
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140329/ad76bea3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140329/ad76bea3/attachment.sig>

More information about the bitcoin-dev mailing list