Peter Todd [ARCHIVE] on Nostr: π Original date posted:2014-03-05 π Original message:On Wed, Mar 05, 2014 at ...
π
Original date posted:2014-03-05
π Original message:On Wed, Mar 05, 2014 at 11:51:25AM -0800, Gregory Maxwell wrote:
> On Wed, Mar 5, 2014 at 11:39 AM, Peter Todd <pete at petertodd.org> wrote:
> > If you're following good practices you're not particularly vulneable to
> > it, if at all, even if you make use of shared hosting. First of all you
> > shouldn't be re-using addresses, which means you won't be passing that
> > ~200 sig threshold.
> >
> > More important though is you shouldn't be using single factor Bitcoin
> > addresses. Use n-of-m multisig instead and architect your system such
>
> Both of these things have long been promoted as virtuous in part
> because they increase robustness against this sort of thing.
>
> But while I don't disagree with these things the reality is that many
> people do not follow either of these piece of advice and following
> them requires behavioral changes that will not be adopted quickly...
> so I don't think that advice is especially useful.
>
> And even if it wereβ, good security involves defense in depth, so
> adding on top of them things like side-channel resistant signing is
> important.
>
> I haven't had a chance to sit down and think through it completely but
> I believe oleganza's recent blind signature scheme for ECDSA may be
> helpful (http://oleganza.com/blind-ecdsa-draft-v2.pdf):
>
> The idea is that instead of (or in addition toβ belt and suspenders)
> making the signing constant time, you use the blinding scheme to first
> locally blind the private key and point being signed, then sign, then
> unblind. This way even if you are reusing a key every signing
> operation is handling different private data... and the only point
> where unblinded private data is handled is a simple scalar addition.
That's nice, but I wrote my advice to show people how even if they don't
know any crypto beyond what the "black boxes" do - the absolute minimum
you need to know to write any Bitcoin software - you can still defend
yourself against that attack and many others.
Point is you can architect systems that remain secure even when parts of
them fail, and you don't need any special cryptographic background to do
so - any competent programmer can.
Meanwhile, if you're not willing to take those simple steps, the Bitcoin
community damn well should look down on your amateur efforts, e.g.
Coinbase and EasyWallet.
--
'peter'[:-1]@petertodd.org
000000000000000f9102d27cfd61ea9e8bb324593593ca3ce6ba53153ff251b3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140305/ab65b44f/attachment.sig>;
π Original message:On Wed, Mar 05, 2014 at 11:51:25AM -0800, Gregory Maxwell wrote:
> On Wed, Mar 5, 2014 at 11:39 AM, Peter Todd <pete at petertodd.org> wrote:
> > If you're following good practices you're not particularly vulneable to
> > it, if at all, even if you make use of shared hosting. First of all you
> > shouldn't be re-using addresses, which means you won't be passing that
> > ~200 sig threshold.
> >
> > More important though is you shouldn't be using single factor Bitcoin
> > addresses. Use n-of-m multisig instead and architect your system such
>
> Both of these things have long been promoted as virtuous in part
> because they increase robustness against this sort of thing.
>
> But while I don't disagree with these things the reality is that many
> people do not follow either of these piece of advice and following
> them requires behavioral changes that will not be adopted quickly...
> so I don't think that advice is especially useful.
>
> And even if it wereβ, good security involves defense in depth, so
> adding on top of them things like side-channel resistant signing is
> important.
>
> I haven't had a chance to sit down and think through it completely but
> I believe oleganza's recent blind signature scheme for ECDSA may be
> helpful (http://oleganza.com/blind-ecdsa-draft-v2.pdf):
>
> The idea is that instead of (or in addition toβ belt and suspenders)
> making the signing constant time, you use the blinding scheme to first
> locally blind the private key and point being signed, then sign, then
> unblind. This way even if you are reusing a key every signing
> operation is handling different private data... and the only point
> where unblinded private data is handled is a simple scalar addition.
That's nice, but I wrote my advice to show people how even if they don't
know any crypto beyond what the "black boxes" do - the absolute minimum
you need to know to write any Bitcoin software - you can still defend
yourself against that attack and many others.
Point is you can architect systems that remain secure even when parts of
them fail, and you don't need any special cryptographic background to do
so - any competent programmer can.
Meanwhile, if you're not willing to take those simple steps, the Bitcoin
community damn well should look down on your amateur efforts, e.g.
Coinbase and EasyWallet.
--
'peter'[:-1]@petertodd.org
000000000000000f9102d27cfd61ea9e8bb324593593ca3ce6ba53153ff251b3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140305/ab65b44f/attachment.sig>;