Satoshilabs secret shared private key scheme



Summary:

In a discussion between Pavol Rusnak and Gregory Maxwell regarding SLIP-0039, Rusnak raised the theoretical problem of an attacker reconstructing the seed from knowledge of only the first few words of each share. Maxwell suggested using a wide-block cipher mode to eliminate this concern, but he also noted that the threat is of limited relevance: partial access to more than a threshold of shares does not harm security unless almost all of them are revealed. Maxwell also questioned the plausible-deniability design decision, which in his view was justified without a rigorous threat model. Additionally, he suggested that the lack of versioning in SLIP-0039 may prevent interoperability; Rusnak argued that having different mnemonics for different versions would lead to worse interoperability. Rusnak also mentioned that the original proposal used a 16-bit CRC as the checksum, but this was changed to a cryptographically strong function after a discussion with Daan Sprenkels. Finally, there was a discussion about whether to use an error-correcting code (ECC) or a plain checksum for the integrity check; Rusnak argued against an error-correcting code because the redundancy it adds could help an attacker compute missing information from a partial share.
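
The prefix-leakage problem Rusnak raised is easy to see concretely once the sharing is done byte-wise. The following example is added here for illustration; it is not code from the thread, from SatoshiLabs, or from SLIP-0039 itself. It assumes a byte-wise Shamir split over GF(256) with the AES reducing polynomial, a constructed sample secret, and made-up thresholds; the leakage argument does not depend on those choices. Because every byte position is shared by its own independent polynomial, an attacker who sees only the first few bytes of a threshold number of shares can interpolate exactly those bytes of the secret, while the rest stays unknown.

```python
import secrets

# GF(2^8) arithmetic modulo x^8 + x^4 + x^3 + x + 1 (AES polynomial; an assumption
# for this example, the leakage below holds for any field choice).
def gf_mul(a, b):
    """Carry-less multiply with reduction by 0x11B."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse via a^254 (the group has order 255); a must be nonzero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def split_secret(secret, threshold, count):
    """Byte-wise Shamir split: each secret byte gets its own random degree t-1 polynomial.

    Share j (x = j, 1 <= j <= count) is the concatenation of f_i(j) over all byte
    positions i, which is what makes the prefix of a share depend only on the
    prefix of the secret."""
    if not 1 <= threshold <= count <= 255:
        raise ValueError("need 1 <= threshold <= count <= 255")
    shares = [(x, bytearray()) for x in range(1, count + 1)]
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, buf in shares:
            # Horner evaluation of f(x) = s + c1*x + ... + c_{t-1}*x^{t-1}
            y = 0
            for c in reversed(coeffs):
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]

def combine_shares(shares):
    """Lagrange-interpolate f(0) independently for every byte position.

    Works on truncated shares too: the result is as long as the shortest share.
    Fewer than threshold shares give garbage rather than an error, as in Shamir."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = min(len(y) for _, y in shares)
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)   # subtraction is XOR in GF(2^8)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def leaked_prefix(shares, known_bytes):
    """Attacker model from the discussion: only the first `known_bytes` of each
    of a threshold number of shares are observed. Returns what they reveal."""
    return combine_shares([(x, y[:known_bytes]) for x, y in shares])

if __name__ == "__main__":
    secret = b"constructed sample seed"        # constructed, not a real seed
    shares = split_secret(secret, threshold=2, count=3)
    assert combine_shares(shares[:2]) == secret
    # Seeing 4 bytes of two shares yields exactly the first 4 secret bytes.
    print(leaked_prefix(shares[:2], 4))
```

A wide-block transform applied to the whole secret before splitting, as Maxwell suggested, would mean that a correct prefix of the plaintext can no longer be obtained from a prefix of the shares, because every output byte would depend on every input byte.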


Updated on: 2023-05-20T04:41:28.934982+00:00