From: Eric Lombrozo <elombrozo@gmail•com>
To: second isogeny <secondisogeny@gmail•com>
Cc: bitcoin-development@lists•sourceforge.net
Subject: Re: [Bitcoin-development] BIP32 - invalidation
Date: Sat, 9 Aug 2014 18:20:09 -0700 [thread overview]
Message-ID: <501F55C1-6307-487B-91D8-9CC0193DA747@gmail.com> (raw)
In-Reply-To: <CAFWhrvR+4wsMwzjvqb7w7XmhESagzc_0pvQuGx3Fn4qeWFbinA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2972 bytes --]
Does bitcoin properly handle the case of a hash collision? no - because it is considered too unlikely. The case of I_L >= n is also astronomically unlikely, so it's more a matter of improved performance and simpler data structures under expected circumstances and taking that less than 1 in 2^127 chance that it will fail, in which case we can recover by moving everything over to a new tree.
-Eric Lombrozo
On Aug 9, 2014, at 5:34 PM, second isogeny <secondisogeny@gmail•com> wrote:
> > Does anyone see any concerns when it comes to security of the proposed
> > change?
>
> Yes. This proposal is less secure.
>
> It is incompatible in theory with existing implementations of the
> specification. The incompatibility is also a potentially a security
> problem because it may cause users to believe a key is worthless when
> it is not or to lose funds when they are unable to spend them.
>
> It is also an untimely proposal and would be inconsiderate other parties
> who have done the work to produce correct and compatible implementations.
>
> > In case I_L >= n assign I_L := I_L mod n.
>
> This will make the selection of private keys uneven.
>
> The unevenness is small and it is unlikely to very matter much but it
> is objectively less secure. Future advances in cryptography may make
> the distinction more important. The change would eliminate any hope of
> the specification ever having provable security equal to random keys.
>
> The bignum modulo operation also requires complex additional logic and is
> just as likely to remain untested in implementations, though unit-testing
> can test these cases by replacing the hash function.
>
> Because of layering no suitable modulo may be available and an incorrect
> implementation could create a devastating weakness, like reflecting a
> large class of keys to a small number of values. A similar error would
> be unlikely for an incorrect implementation of skipping and someone who
> managed to still fail would likely have failed either way.
>
> > most of the implementations don't do the checking at all, because tjen
> > it's rather hard at application level to implement skipping logic. OTOH
>
> There are many corner cases which must be handled in cryptographic
> software.
>
> You must handle the point at infinity cases, you must handle the signature
> having a value of zero (or you leak the private key), in the point
> arithemetics you must handle the special case of adding colinear points.
>
> If someone is unprepared to deal with these and many other complications
> they may want to leave writing this kind of software for other people.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists•sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
next prev parent reply other threads:[~2014-08-10 1:20 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-10 0:34 second isogeny
2014-08-10 1:20 ` Eric Lombrozo [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-08-08 13:19 Pavol Rusnak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=501F55C1-6307-487B-91D8-9CC0193DA747@gmail.com \
--to=elombrozo@gmail$(echo .)com \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
--cc=secondisogeny@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox