Return-Path: <pete@petertodd.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id D1448414
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 25 Feb 2017 19:12:07 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from outmail148107.authsmtp.com (outmail148107.authsmtp.com
	[62.13.148.107])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id E9D35139
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 25 Feb 2017 19:12:06 +0000 (UTC)
Received: from mail-c232.authsmtp.com (mail-c232.authsmtp.com [62.13.128.232])
	by punt22.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1PJC4NK042892;
	Sat, 25 Feb 2017 19:12:04 GMT
Received: from petertodd.org (ec2-52-5-185-120.compute-1.amazonaws.com
	[52.5.185.120]) (authenticated bits=0)
	by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1PJC2sZ012288
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sat, 25 Feb 2017 19:12:03 GMT
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by petertodd.org (Postfix) with ESMTPSA id 1D1B34008A;
	Sat, 25 Feb 2017 19:12:02 +0000 (UTC)
Received: by localhost (Postfix, from userid 1000)
	id 56A43204AB; Sat, 25 Feb 2017 14:12:01 -0500 (EST)
Date: Sat, 25 Feb 2017 14:12:01 -0500
From: Peter Todd <pete@petertodd.org>
To: Ethan Heilman <eth3rs@gmail.com>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <20170225191201.GA15472@savin.petertodd.org>
References: <mailman.22137.1487974823.31141.bitcoin-dev@lists.linuxfoundation.org>
	<8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com>
	<20170225010122.GA10233@savin.petertodd.org>
	<208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com>
	<CAN6UTayzQRowtWhLKr8LyFuXjw3m+GjQGtHfkDj-Xu41Hym32w@mail.gmail.com>
	<CAEM=y+WkgSkc07ZsU6APAkcu37zVZ7dwSc=jAg1nho31S5ZyxQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="huq684BweRXVnRxX"
Content-Disposition: inline
In-Reply-To: <CAEM=y+WkgSkc07ZsU6APAkcu37zVZ7dwSc=jAg1nho31S5ZyxQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Server-Quench: 4ad188e7-fb8e-11e6-829f-00151795d556
X-AuthReport-Spam: If SPAM / abuse - report it at:
	http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
	bgdMdAcUHlAWAgsB AmEbWl1eUV97WWc7 bghPaBtcak9QXgdq
	T0pMXVMcUgQIe28D RXQeUxtwfw0IeX1x bU4sWiEPXUxyIEFg
	FBxcQHAHZDJmdWgd WRZFdwNVdQJNdxoR b1V5GhFYa3VsNCMk
	FAgyOXU9MCtqYB91 a1hFJlUWRUcQHzk6 XFgHFDYiVWIEW20t
	MhggJ0QVFkIcelk1 eVI9RVsbOARaABw8 V11NATVVYkEIXTYq
	ABgeFUgZDHVfXDxA SgclOhgABzVTXDZR BU1IUQpn
X-Authentic-SMTP: 61633532353630.1037:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 52.5.185.120/25
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
	anti-virus system.
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Steve Davis <steven.charles.davis@gmail.com>
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by
 third-parties, not just repo maintainers
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Feb 2017 19:12:08 -0000


--huq684BweRXVnRxX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev wro=
te:
> >SHA1 is insecure because the SHA1 algorithm is insecure, not because
> 160bits isn't enough.
>=20
> I would argue that 160-bits isn't enough for collision resistance. Assumi=
ng
> RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisio=
ns

That's something that we're well aware of; there have been a few discussion=
s on
this list about how P2SH's 160-bits is insufficient in certain use-cases su=
ch
as multisig.

However, remember that a 160-bit *security level* is sufficient, and RIPEMD=
160
has 160-bit security against preimage attacks. Thus things like
pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys
that have the same RIPEMD160(SHA256()) digest, but if someone does that it
doesn't cause the Bitcoin network itself any harm, and doing so is something
you choose to do to yourself.

In any case, segwit will provide a 256-bit pay-to-witness-script-hash(1), w=
hich
provides a 128-bit security level against collision attacks.

1) https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#Native_P2=
WSH

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--huq684BweRXVnRxX
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYsdb9AAoJECSBQD2l8JH7718H/js71HapsFmrnOQ1dJuulnds
AckgBgUr1tH3duZgOYCbEJ77rcngo1GjsEPaE6xMSQOGqrO0mDqbK7URWA6BzWVr
bD1KdxZaw7fM0rO5Gx8qXhjvDRIm1Xn2eJAvPoiYDUluuQ+TdICI8eOfiGhS/Je+
m1EMp0Tfjpvu9x7J8mM3U4vr48IVdalIbiI9Gi3JWzkS2u98wz/FpYyTI53lFLe/
krw6TJ7WvFqbmRhiBDvaxFOEmCc8F+/9nqaiHDCTGrUDignzi1N6JEIpI2qPm6cu
okmauAOsCAjkqpboz7Rse04mOFgc80BVHiiStS7bNviaWPAsp4ZEPIiSNZHTE2Q=
=ATaN
-----END PGP SIGNATURE-----

--huq684BweRXVnRxX--