Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 7AF6AB5C for ; Tue, 12 Jan 2016 12:08:22 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-lb0-f170.google.com (mail-lb0-f170.google.com [209.85.217.170]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 7DEE413B for ; Tue, 12 Jan 2016 12:08:21 +0000 (UTC) Received: by mail-lb0-f170.google.com with SMTP id cl12so53718439lbc.1 for ; Tue, 12 Jan 2016 04:08:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=Bs3pVU9r26hFrHHwJq1jWRxeuN9qntqgP3xx0ZrQgHY=; b=ZymnU9ad7ZztvKAojUhBkHWRWrP7cc2hCrKTWFCo4q5AiZWtKonBt/yJLssWJqKI92 m1jonWf0Y19hu2a1cXASqhKsdp/dD5uEXieWoOIDIARjNXgSMX1lQTjx0qlrcwRJIntr G+XoN3hlnAEiCgjmKBPf7thsbE7fPb0U+ucCqFjQ/l3LL5GcTLJiJwKJnNgy4Zb9q30B NAbuKFGdWhwbBMZ8ZhazB6ZyQP6tn7sQh+de7CK/Og4QWxHRdd6AP9hT1ioz6yLcvb7m WuBfnkDs/0qZimYAdUc4YQj87dErXzj0Ycj1LJeggwMqVhWXMP1yagrKOAzLeXc+ISCU V9mQ== MIME-Version: 1.0 X-Received: by 10.112.157.69 with SMTP id wk5mr48512435lbb.74.1452600499104; Tue, 12 Jan 2016 04:08:19 -0800 (PST) Received: by 10.25.79.208 with HTTP; Tue, 12 Jan 2016 04:08:18 -0800 (PST) In-Reply-To: References: <8760z4rbng.fsf@rustcorp.com.au> <8737u8qnye.fsf@rustcorp.com.au> <20160108153329.GA15731@sapphire.erisian.com.au> Date: Tue, 12 Jan 2016 07:08:18 -0500 Message-ID: From: Gavin Andresen To: Bitcoin Dev Content-Type: multipart/alternative; boundary=001a11c2abd6c0041e052921e87f X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,LOTS_OF_MONEY, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 12 Jan 2016 13:15:39 +0000 Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Jan 2016 12:08:22 -0000 --001a11c2abd6c0041e052921e87f Content-Type: text/plain; charset=UTF-8 I'm convinced-- it is a good idea to worry about 80-bit collision attacks now. Thanks to all the people smarter than me who contributed to this discussion, I learned a lot about collision attacks that I didn't know before. Would this be a reasonable "executive summary" : If you are agreeing to lock up funds with somebody else, and they control what public key to use, you are susceptible to collision attacks. It is very likely an 80-bit-collision-in-ten-minutes attack will cost less than $1million in 10 to twenty years (possibly sooner if there are crypto breaks in that time). If you don't trust the person with whom you're locking up funds and you're locking up a significant amount of money (tens of millions of dollars today, tens of thousands of dollars in a few years): Then you should avoid using pay-to-script-hash addresses and instead use the payment protocol and "raw" multisig outputs. AND/OR Have them give you a hierarchical deterministic (BIP32) seed, and derive a public key for them to use. ---------- Following the security in depth and validate all input secure coding principles would mean doing both-- avoid p2sh AND have all parties to a transaction exchange HD seeds, add randomness, and use the resulting public keys in the transaction. -- -- Gavin Andresen --001a11c2abd6c0041e052921e87f Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I'm convinced-- it is a good idea to worry about 80-bi= t collision attacks now.

Thanks to all the people smarte= r than me who contributed to this discussion, I learned a lot about collisi= on attacks that I didn't know before.

Would th= is be a reasonable "executive summary" :

If you are agreeing to lock up funds with somebody else, and they control = what public key to use, you are susceptible to collision attacks.

It is very likely an 80-bit-collision-in-ten-minutes attack= will cost less than $1million in 10 to twenty years (possibly sooner if th= ere are crypto breaks in that time).

If you don= 9;t trust the person with whom you're locking up funds and you're l= ocking up a significant amount of money (tens of millions of dollars today,= tens of thousands of dollars in a few years):

The= n you should avoid using pay-to-script-hash addresses and instead use the p= ayment protocol and "raw" multisig outputs.

<= div>AND/OR

Have them give you a hierarchical deter= ministic (BIP32) seed, and derive a public key for them to use.
<= br>

----------

Following = the security in depth and validate all input secure coding principles would= mean doing both-- avoid p2sh AND have all parties to a transaction exchang= e HD seeds, add randomness, and use the resulting public keys in the transa= ction.


--
--
Gavin Andresen
--001a11c2abd6c0041e052921e87f--