I also think that we can add usability features if the underlying secret remains well protected. I do not think there is any reason to assume that the knowledge of the degree of the polynomial, would aid an attacker. Similarly a fingerprint of the secret if it is unrelated to the hash used in the polinomyal should leak no useful information, The length of such fingerpring (say 4 bytes) and the degree (1 byte) does not seem a big overhead for me. Remember that the biggest obstacle of Bitcoin is usability not security. Regards, Tamas Blummer http://bitsofproof.com On 29.03.2014, at 18:52, Alan Reiner wrote: > On 03/29/2014 01:19 PM, Matt Whitlock wrote: >> I intentionally omitted the parameter M (minimum subset size) from the shares because including it would give an adversary a vital piece of information. Likewise, including any kind of information that would allow a determination of whether the secret has been correctly reconstituted would give an adversary too much information. Failing silently when given incorrect shares or an insufficient number of shares is intentional. > > I do not believe this is a good tradeoff. It's basically obfuscation of > something that is already considered secure at the expense of > usability. It's much more important to me that the user understands > what is in their hands (or their family members after they get hit by a > bus), than to obfuscate the parameters of the secret sharing to provide > a tiny disadvantage to an adversary who gets ahold of one. > > The fact that it fails silently is really all downside, not a benefit. > If I have enough fragments, I can reconstruct the seed and see that it > produces addresses with money. If not, I know I need more fragments. > I'm much more concerned about my family having all the info they need to > recover the money, than an attacker knowing that he needs two more > fragments instead of which are well-secured anyway. > > > > ------------------------------------------------------------------------------ > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development >