On Wed, 2020-12-23 at 12:14 +0100, Jeff Burdges wrote: > > > On 23 Dec 2020, at 11:03, Martin Schanzenbach < > > [email protected]> wrote: > > From what I understood this is not the problem they are concerned > > with > > specifically. They propose that there is initially a master secret > > "msk" and master public key (mpk). > > This master secret is used to derive a single "hot" sk (and pk) > > once. > > After that, the msk (and mpk) becomes "cold" and cannot be used to > > futher deterministically derive wallets. > > (See the third paragraph in 1.2.) > > You can derive an unlimited number of secret keys from some > randomness using a stream cipher, so no that’s not what’s happens. > > You only need the commutative diagram of compatible public and > private derivation paths if you give someone else the power to derive > your new public key for you, and then you later derive its secret > key. This means the randomness cannot be trusted, well unless you > use fancy zk proofs like MuSig-DN does.
But they do. See also 4.3 last paragraph for more details on how a counter could be used for hot wallets. BR > > > So in my interpretation, the constraint is that every future > > derivation > > of a wallet key pair sk'/pk' is not done using the msk/mpk, but the > > already derived sks (hence "rerandomization" without the "cold" > > msk). > > In GNS, however, we do not have this problem. We could always > > derive > > from msk unless we want to support cold storage of the zone keys. > > The point is someone else controls the derivation in GNS too. > > In tor, only the directory authority control this, but mostly they’re > honest. > > > > I think linkability is a concern for Tor, maybe not GNS not sure. > > > Also enough blockchain folk believe in unlinkability that being > > > linkable arguably makes things worse, not sure really though. > > > I’d > > > expect linkability to be harder. > > > > I think it could be a problem if you could determine that a derived > > public key pk' which you do not know the root master key is > > linkable to > > another pk'' from which you do know the root master key. > > The would compromise zone confidentiality (to some degree). Not > > sure if > > it would be a real problem, though as you still would not know HOW > > it > > was derived or what the record set contains. > > It’s a problem for Tor. It’s also problem for the false sense of > security that crypto currency people attribute to derivation. > > Jeff > >
signature.asc
Description: This is a digitally signed message part
