[bitcoin-dev] Satoshilabs secret shared private key scheme

Gregory Maxwell greg at xiph.org
Thu Jan 18 14:34:24 UTC 2018


On Thu, Jan 18, 2018 at 1:50 PM, Ondřej Vejpustek
<ondrej.vejpustek at satoshilabs.com> wrote:
>   (1) Our proposal doesn't use SSS for the whole secret, but it divides
> the secret into bytes and uses SSS for every byte separately. This
> scheme is weaker because to reconstruct n-th byte it suffices to have
> n-th bytes from k shares.

If being secure against partial share leakage is really part of your
threat model the current proposal is gratuitously insecure against it.
And the choice of check algorithm really doesn't matter for that.

For example,  in a 2-of-3 share  say I have the first half of shares
1,2 and the second half of shares 2,3  with the current proposal the
secret is directly revealed, even though I didn't have any single
complete share.

If partial share disclosure were an actual concern, I would recommend
that after sharing and before encoding for transmission (e.g. before
applying check values and word encoding to the share) the individual
shares be passed through a large block unkeyed cryptographic
permutation.  Under reasonable-ish assumptions about the difficulty of
inverting the permutation with partial knowledge, this transformation
would prevent attacks from leaks of partial share information.


More information about the bitcoin-dev mailing list