[bitcoin-dev] Satoshilabs secret shared private key scheme

Gregory Maxwell greg at xiph.org
Tue Jan 23 01:05:44 UTC 2018


On Mon, Jan 22, 2018 at 7:21 PM, Russell O'Connor
<roconnor at blockstream.io> wrote:
> At this point, is it better just to use GF(2^256+n)?  Is GF(2^256+n) going
> to be that much slower than GF(2^8) that we care to make things this
> complicated?  (I honestly don't know the answer.)

I expect it would be, especially since operations must be implemented
in side-channel-resistant manners.

Also, binary extension fields are going to have linear subgroup
properties where leaking part of elements wouldn't be good. Not as
obviously broken as the example I gave above, but still in the domain
of "get chunks of a lot of a supra threshold set of shares, and set up
a lattice basis problem that can provide an efficient subspace to
search".
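
The following is an added illustration of the linear-subgroup point above; it is my own example code, not code from the thread, from SatoshiLabs or from any SLIP. It assumes Shamir sharing over GF(2^8) with the AES reduction polynomial (0x11b, an assumption; any irreducible degree-8 polynomial behaves the same), a threshold of 3, and a constructed secret with fixed coefficients. Because addition is XOR and multiplication by a fixed public point is an F_2-linear map, every bit of every share is an F_2-linear combination of the 24 unknown bits (8 of the secret, 16 of the random coefficients), so leaked bits are linear equations and Gaussian elimination over F_2 says exactly which secret bits they pin down. Over a prime field the bits of an element are not linear functions of it, which is why the analogous leak there turns into a lattice problem rather than plain linear algebra; this block shows only the binary-field case.

```python
# Added illustration (not from the thread): Shamir sharing over GF(2^8) is
# F_2-linear, so each leaked share bit is a linear equation in the bits of
# the secret and of the random coefficients.
#
# Assumption: the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b).
POLY = 0x11B
T = 3  # threshold: sharing polynomial of degree T-1, hence 8*T unknown bits


def gf_mul(a, b):
    """Multiply in GF(2^8): carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r


def eval_poly(coeffs, x):
    """coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... over GF(2^8); coeffs[0] is the secret."""
    acc, xp = 0, 1
    for c in coeffs:
        acc ^= gf_mul(c, xp)
        xp = gf_mul(xp, x)
    return acc


def make_shares(coeffs, xs):
    """Share i is the polynomial evaluated at the public nonzero point xs[i]."""
    return [eval_poly(coeffs, x) for x in xs]


def leak_equations(xs, shares, leaked_bits):
    """Turn leaked share bits into F_2 equations (row, rhs).  Unknown 8*k+b is
    bit b of coefficient k (k=0 is the secret); row is a bitmask over the 8*T
    unknowns, rhs the leaked bit.  Rows are read off by running the sharing
    map on each unit vector, which is valid only because the map is F_2-linear."""
    n_unknowns = 8 * T
    columns = []  # columns[u][i] = share i when only unknown bit u is set
    for u in range(n_unknowns):
        unit = [0] * T
        unit[u // 8] = 1 << (u % 8)
        columns.append(make_shares(unit, xs))
    eqs = []
    for i, bits in enumerate(leaked_bits):
        for b in bits:
            row = sum(1 << u for u in range(n_unknowns) if (columns[u][i] >> b) & 1)
            eqs.append((row, (shares[i] >> b) & 1))
    return eqs


def solve_secret_bits(eqs):
    """Gaussian elimination over F_2, kept in reduced echelon form keyed by
    pivot bit.  Returns {secret bit position: value} for exactly those secret
    bits the equations determine (unit vector lies in the row space)."""
    basis = {}  # pivot bit -> (row, rhs); no row contains another row's pivot
    for row, rhs in eqs:
        for p, (brow, brhs) in basis.items():
            if (row >> p) & 1:
                row ^= brow
                rhs ^= brhs
        if row == 0:
            if rhs:
                raise ValueError("inconsistent leak")  # cannot happen for honest shares
            continue  # dependent on equations already seen
        p = row.bit_length() - 1
        for q in list(basis):
            brow, brhs = basis[q]
            if (brow >> p) & 1:
                basis[q] = (brow ^ row, brhs ^ rhs)
        basis[p] = (row, rhs)
    determined = {}
    for b in range(8):  # the secret occupies unknowns 0..7
        vec, val = 1 << b, 0
        for p, (brow, brhs) in basis.items():
            if (vec >> p) & 1:
                vec ^= brow
                val ^= brhs
        if vec == 0:
            determined[b] = val
    return determined


def secret_bits(s):
    """{bit position: value} of a byte, for comparison with solve_secret_bits."""
    return {b: (s >> b) & 1 for b in range(8)}


def run_leak(coeffs, xs, leaked_bits):
    """Deal shares at points xs, leak the listed bit positions of each share,
    and report which secret bits the leak pins down."""
    return solve_secret_bits(leak_equations(xs, make_shares(coeffs, xs), leaked_bits))


if __name__ == "__main__":
    # Constructed secret 0xA7 with fixed coefficients (a real dealer draws
    # them from a CSPRNG; fixed values keep the run reproducible).
    coeffs = [0xA7, 0x3C, 0x91]
    print(run_leak(coeffs, [1, 2, 3], [range(8)] * 3) == secret_bits(0xA7))  # T full shares
    print(run_leak(coeffs, [1, 2], [range(8)] * 2))  # T-1 full shares: {}
    # Low nibble of 33 shares: a non-constant degree<=2 polynomial lands in the
    # 16-element low-nibble-zero subspace at most 32 times, so only constants
    # with zero low nibble survive in the kernel: bits 0..3 fall out, 4..7 never can.
    print(run_leak(coeffs, list(range(1, 34)), [range(4)] * 33))
    # Alternating low/high nibbles over 66 shares: the two 4-dimensional
    # subspaces meet only in 0, so no share is ever seen whole yet the whole
    # secret is recovered.
    mixed = [range(4) if i % 2 == 0 else range(4, 8) for i in range(66)]
    print(run_leak(coeffs, list(range(1, 67)), mixed) == secret_bits(0xA7))
```

The last two scenarios are the "chunks of a lot of a supra threshold set of shares" case: with a fixed leak position, the linearity also caps what can be learned (the high nibble of the secret never influences the low nibble of any share), while mixing leaked positions across shares fully determines the secret without any single share being exposed.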

