On Thu, Jan 18, 2018 at 4:59 PM, Ondřej Vejpustek <[email protected]> wrote:
>> If being secure against partial share leakage is really part of your
>> threat model the current proposal is gratuitously insecure against it.
>
> I don't think that is true. Shared secret is an input of KDF which
> should prevent this kind of attack.

My post provided a concrete example. I'd be happy to answer any
questions about it, but otherwise I'm not sure how to make it more clear.

> Actually, we've been considering something like that. We concluded that it is
> too much "rolling your own crypto". Instead of diffusion layer we decided to
> apply KDF on the shared secret.

Quite the opposite-- a large block cipher is a standard construction...
and the off-label application of a KDF that you've used here doesn't
provide any protection against the example I gave.

_______________________________________________
bitcoin-dev mailing list
[email protected]
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
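The following is an added illustration of the kind of partial-share leakage being argued about above; it is not code from either poster or from the proposal under discussion, and it does not claim to reproduce the specific example referred to in the thread. It assumes a byte-wise Shamir scheme over GF(2^8) with the AES reduction polynomial (the construction SLIP-style schemes use), a 2-of-3 split of a constructed 16-byte secret, and PBKDF2 with arbitrary parameters standing in for whatever KDF is applied to the reconstructed secret. Because every byte position is an independent polynomial, an attacker who never holds two complete shares (share 1 in full, the first half of share 2, the second half of share 3) still reconstructs every byte; and where only half of the second share leaks, the attacker is left brute-forcing the KDF over the missing 64 bits rather than 128. The KDF runs after reconstruction, so it cannot change either outcome.

```python
"""Byte-wise Shamir sharing over GF(2^8) under partial share leakage.

Added example, not code from the thread or the proposal it discusses.
Assumptions: shares are computed one byte at a time in GF(2^8) modulo
x^8 + x^4 + x^3 + x + 1, and a KDF (PBKDF2 here, parameters chosen
arbitrarily) is applied to the reconstructed secret afterwards.
"""
import hashlib
import random


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Inverse via a^254 == a^-1 (multiplicative group has order 255)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def split(secret: bytes, t: int, n: int, rng: random.Random) -> list:
    """n shares (x, bytes): each byte position is its own degree-(t-1)
    polynomial whose constant term is that secret byte."""
    coeffs = [[s] + [rng.randrange(256) for _ in range(t - 1)] for s in secret]
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for poly in coeffs:
            acc, xp = 0, 1
            for c in poly:
                acc ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def interpolate_at_zero(points: list) -> int:
    """Lagrange interpolation of (x, y) pairs evaluated at x = 0."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                den = gf_mul(den, xi ^ xj)  # (xi - xj)
        result ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return result


def recover_from_fragments(fragments: list, t: int, length: int) -> list:
    """fragments: [(x, {position: byte})], i.e. whatever bytes leaked.
    Positions are solved independently; fewer than t leaked bytes -> None."""
    out = []
    for pos in range(length):
        pts = [(x, frag[pos]) for x, frag in fragments if pos in frag]
        out.append(interpolate_at_zero(pts[:t]) if len(pts) >= t else None)
    return out


def derive_key(secret: bytes) -> bytes:
    """KDF applied after reconstruction; salt and iterations are assumptions."""
    return hashlib.pbkdf2_hmac("sha256", secret, b"shamir-demo", 2048, 32)


def roundtrip(secret: bytes, t: int, n: int, seed: int = 0) -> bool:
    """Sanity check: any t complete shares reconstruct the secret."""
    shares = split(secret, t, n, random.Random(seed))
    for start in range(n - t + 1):
        chosen = [(x, dict(enumerate(y))) for x, y in shares[start:start + t]]
        if bytes(recover_from_fragments(chosen, t, len(secret))) != secret:
            return False
    return True


def leakage_demo(seed: int = 1) -> dict:
    """2-of-3 split of a constructed 16-byte secret.  The attacker holds
    share 1 entirely, the first half of share 2 and the second half of
    share 3 (never two complete shares) and still recovers every byte."""
    rng = random.Random(seed)
    secret = bytes(rng.randrange(256) for _ in range(16))
    (x1, s1), (x2, s2), (x3, s3) = split(secret, 2, 3, rng)
    full = dict(enumerate(s1))
    first_half = {i: b for i, b in enumerate(s2) if i < 8}
    second_half = {i: b for i, b in enumerate(s3) if i >= 8}
    recovered = bytes(recover_from_fragments(
        [(x1, full), (x2, first_half), (x3, second_half)], t=2, length=16))
    # With share 1 plus only half of share 2, eight positions stay unknown:
    # the KDF is brute-forced over 2^64 candidates instead of 2^128.
    partial = recover_from_fragments([(x1, full), (x2, first_half)], t=2, length=16)
    return {
        "secret": secret,
        "recovered": recovered,
        "kdf_matches": derive_key(recovered) == derive_key(secret),
        "unknown_bits_with_half_a_share": 8 * sum(b is None for b in partial),
    }
```

Running leakage_demo() returns the original secret as "recovered" with "kdf_matches" true, and reports 64 unknown bits for the half-share case; a diffusion layer applied to each share before it is written out, rather than a KDF applied to the secret after reconstruction, is what would stop a fragment of a share from being usable on its own.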
