On Saturday, 29 March 2014, at 1:52 pm, Alan Reiner wrote: > On 03/29/2014 01:19 PM, Matt Whitlock wrote: > > I intentionally omitted the parameter M (minimum subset size) from the > > shares because including it would give an adversary a vital piece of > > information. Likewise, including any kind of information that would allow a > > determination of whether the secret has been correctly reconstituted would > > give an adversary too much information. Failing silently when given > > incorrect shares or an insufficient number of shares is intentional. > > I do not believe this is a good tradeoff. It's basically obfuscation of > something that is already considered secure at the expense of > usability. It's much more important to me that the user understands > what is in their hands (or their family members after they get hit by a > bus), than to obfuscate the parameters of the secret sharing to provide > a tiny disadvantage to an adversary who gets ahold of one. > > The fact that it fails silently is really all downside, not a benefit. > If I have enough fragments, I can reconstruct the seed and see that it > produces addresses with money. If not, I know I need more fragments. > I'm much more concerned about my family having all the info they need to > recover the money, than an attacker knowing that he needs two more > fragments instead of which are well-secured anyway.
For what it's worth, ssss also omits from the shares any information about the threshold. It will happily return a garbage secret if too few shares are combined. (And actually, it will happily return a garbage secret if too *many* shares are combined, too. My implementation does not have that problem.) ------------------------------------------------------------------------------ _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
