[bitcoin-dev] Satoshilabs secret shared private key scheme

Gregory Maxwell greg at xiph.org
Thu Jan 18 18:58:14 UTC 2018


On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek
<ondrej.vejpustek at satoshilabs.com> wrote:
>> If being secure against partial share leakage is really part of your
>> threat model the current proposal is gratuitously insecure against it.
>
> I don't think that is true. Shared secret is an input of KDF which
> should prevent this kind of attack.

My post provided a concrete example. I'd be happy to answer any
questions about it, but otherwise I'm not sure how to make it more
clear.

> Actually, we've been considering something like that. We concluded that it is too much "rolling your own crypto". Instead of a diffusion layer we decided to apply a KDF on the shared secret.

Quite the opposite-- a large block cipher is a standard
construction... and the off-label application of a KDF that you've
used here doesn't provide any protection against the example I gave.
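As an added example (not part of this thread, and not SatoshiLabs' or Maxwell's code): assuming the scheme shares the secret element-wise, each byte split independently by Shamir over GF(2^8), which is an assumption of this example and not something stated on this page, the block below shows why a KDF applied to the reconstructed secret does not help against partial share leakage. Anyone holding the first bytes of a threshold of shares recovers the same prefix of the secret, and because the KDF is a deterministic function of the secret its output then only guards the bytes that were not leaked. The `kdf` function, the three-byte secret and the share layout are constructed for the illustration.

```python
import hashlib
import secrets


def gf_mul(a, b):
    # Multiply in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    # a^254 is the multiplicative inverse in GF(2^8) (a != 0).
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def split_bytewise(secret, threshold, count):
    """Share each byte of the secret independently with Shamir over GF(2^8).
    Returns a list of (x, share_bytes); x = 1..count."""
    shares = [(x, bytearray()) for x in range(1, count + 1)]
    for s in secret:
        # Constant term is the secret byte; the other coefficients are random.
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, buf in shares:
            y, xp = 0, 1
            for c in coeffs:
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            buf.append(y)
    return [(x, bytes(b)) for x, b in shares]


def recover_bytewise(points):
    """Lagrange-interpolate at x = 0, one byte position at a time.
    points: list of (x, share_bytes) from at least `threshold` distinct shares."""
    length = min(len(b) for _, b in points)
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, bj) in enumerate(points):
            num, den = 1, 1
            for m, (xm, _) in enumerate(points):
                if m != j:
                    num = gf_mul(num, xm)        # product of (0 - x_m) = x_m in char 2
                    den = gf_mul(den, xm ^ xj)   # product of (x_j - x_m)
            acc ^= gf_mul(bj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def kdf(secret):
    # Stand-in for the KDF step in the proposal (assumed; any deterministic
    # function of the secret behaves the same way for this argument).
    return hashlib.sha256(b"constructed-salt" + secret).digest()


def leaked_prefix(shares, threshold, nbytes):
    """Model someone who only ever saw the first `nbytes` of `threshold` shares.
    Because each byte was shared independently, those bytes alone reconstruct
    the same prefix of the secret."""
    partial = [(x, b[:nbytes]) for x, b in shares[:threshold]]
    return recover_bytewise(partial)


def residual_search(target, prefix, total_len):
    """With the prefix known, the KDF output only protects the remaining bytes:
    the search space shrinks to 256 ** (total_len - len(prefix))."""
    unknown = total_len - len(prefix)
    for n in range(256 ** unknown):
        cand = prefix + n.to_bytes(unknown, "big")
        if kdf(cand) == target:
            return cand
    return None


def demo():
    secret = bytes([0x42, 0x17, 0xA9])          # constructed 3-byte secret
    shares = split_bytewise(secret, threshold=2, count=3)
    prefix = leaked_prefix(shares, threshold=2, nbytes=2)
    found = residual_search(kdf(secret), prefix, len(secret))
    return prefix, found


if __name__ == "__main__":
    print(demo())
```

A diffusion layer applied before sharing (the "large block cipher" construction mentioned above) would make every share byte depend on every secret byte, so a leaked prefix of the shares would reveal nothing about any prefix of the secret; the KDF step, applied after reconstruction, cannot have that effect.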
