Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 5197F305 for ; Sat, 25 Feb 2017 20:42:59 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wr0-f171.google.com (mail-wr0-f171.google.com [209.85.128.171]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6AA11240 for ; Sat, 25 Feb 2017 20:42:58 +0000 (UTC) Received: by mail-wr0-f171.google.com with SMTP id g10so30322131wrg.2 for ; Sat, 25 Feb 2017 12:42:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mS7Prb6EAoLuD6PgEEDSgUN9EVsFlGZ1b27pqbLko2U=; b=RoXNPGgb8ehKDxHRskdWPYqNcpRRpxHUh0L1ur7GgaKrsE85lMWDLo8SLFGD58T4nS DvKsgZmGYm1WUDZ7k6DdH/8tOdfym/f8aFHRUS8jPqc4VZMuzw4/nToTEVRJ+o2tiF/y RneNuoZlSlMaJgxHpKH0XMK0VuedQH0T1cw8gtl9nBjp0PmDfXvVXaQi9nSq81cLXWRa Me0nVYIhVYfjWD04uNsQpHVvrgbongBU1tDgDHLO+Oy3N7H0cGn4iTexhmZUljs0ugGd YOnBYhiGmMQssIiApU4QsTiW6qaPbAjbdi9y5YHDABRqieDowF+7Gjkfzn8jmwC6gx/U sHtg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mS7Prb6EAoLuD6PgEEDSgUN9EVsFlGZ1b27pqbLko2U=; b=RTLfhf6UDrXkdA8dp5SZ8PC3lXiadRDAt8+SGGOrvf2xP3cJDGfuW9OshDIJV4tIXk cW0PEweD9JqXAKzneXUcJ61A34mQhr3QLmnbxmWc0RlFoLUocF0UL5wUSI7CHRuDwRxD e28R3hAoLWcCEXh5b+v+U8K44X8afKgP4NK0xVNegPHV6hwjjtCMTy8A0IJZdL0gSjdm sjA9qwXW3VB9nfRF5nHh7FYTAZFj98MpND+XSngdi4v48wB0tSyBrRL1gq1TtjJ5OZJS EF2X2ZgykeLya7KTGmm80K92XQxkZjbN20qZfdjy4gOaxA+5HrcYkL1WcDerUZC0UgNp TBhA== X-Gm-Message-State: AMke39lGmCjfFeNenZXRWZNIfBvHC+AxDOr7aV8SE7h0mExq46VXPiWc16tGv9M5Mr7VJwjkX1hSAaImPOPWlQ== X-Received: by 10.223.171.229 with SMTP id s92mr8263114wrc.64.1488055376967; Sat, 25 Feb 2017 12:42:56 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.164.18 with HTTP; Sat, 25 Feb 2017 12:42:56 -0800 (PST) In-Reply-To: <20170225191201.GA15472@savin.petertodd.org> References: <8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com> <20170225010122.GA10233@savin.petertodd.org> <208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com> <20170225191201.GA15472@savin.petertodd.org> From: Watson Ladd Date: Sat, 25 Feb 2017 12:42:56 -0800 Message-ID: To: Peter Todd , Bitcoin Protocol Discussion Content-Type: text/plain; charset=UTF-8 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 25 Feb 2017 21:06:41 +0000 Cc: Steve Davis Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Feb 2017 20:42:59 -0000 On Sat, Feb 25, 2017 at 11:12 AM, Peter Todd via bitcoin-dev wrote: > On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev wrote: >> >SHA1 is insecure because the SHA1 algorithm is insecure, not because >> 160bits isn't enough. >> >> I would argue that 160-bits isn't enough for collision resistance. Assuming >> RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisions > > That's something that we're well aware of; there have been a few discussions on > this list about how P2SH's 160-bits is insufficient in certain use-cases such > as multisig. > > However, remember that a 160-bit *security level* is sufficient, and RIPEMD160 > has 160-bit security against preimage attacks. Thus things like > pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys > that have the same RIPEMD160(SHA256()) digest, but if someone does that it > doesn't cause the Bitcoin network itself any harm, and doing so is something > you choose to do to yourself. P2SH is not secure against collision. I could write two scripts with the same hash, one of which is an escrow script and the other which pays it to me, have someone pay to the escrow script, and then get the payment. Some formal analysis tools would ignore the unused instructions even if human analysis would not. > > In any case, segwit will provide a 256-bit pay-to-witness-script-hash(1), which > provides a 128-bit security level against collision attacks. > > 1) https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#Native_P2WSH > > -- > https://petertodd.org 'peter'[:-1]@petertodd.org > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > -- "Man is born free, but everywhere he is in chains". --Rousseau.