Return-Path: <pieter.wuille@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 48DD1259
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 26 Feb 2017 06:36:28 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wr0-f173.google.com (mail-wr0-f173.google.com
	[209.85.128.173])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B79FA124
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 26 Feb 2017 06:36:27 +0000 (UTC)
Received: by mail-wr0-f173.google.com with SMTP id o22so29974799wro.1
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 25 Feb 2017 22:36:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to
	:cc; bh=PJDIbHVHRu++34T0lSUIY64yKNbp1wgR6+Xd0ViS7mk=;
	b=GV3lNJIWOPSV50LHU5E0X2UEjFFWa2JthqbgD0/JwjOmw3BGtQi7mklhL04HbNFnyT
	MoQQGLGP6bme/HpFEG1afnXyeELPy116dgGHNnICQdUsaKipEfQESpl5gNDQXaCjXJQv
	REZXVagaj52O7Odwr+g29nrsIBp0s8hEHdJbH/usbbdB9rDWkF0TpVUkT1DJg+y+CVDm
	8mWsV4sM4v9OGbvDEQMTExeSDzRoqa75fyCGO17eVGWarVZiT7tOiuOAQ7xlgfNd/glS
	xM4OuoWZYY47bMNbaznUpGea34MYGMKgBSJZajemHsjBRZHNoNHKBJdiuhum7iNzXJYZ
	4Dow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:cc;
	bh=PJDIbHVHRu++34T0lSUIY64yKNbp1wgR6+Xd0ViS7mk=;
	b=i3KvpI4ncJuM58osCfI3jx0mTiKzfVsm865uyWKWxzQKB/cztdmoFhojODg7s9XxzS
	nMaEt9+CzhrBZzjSJPkbxtKG6RKXViGXoZX6LuChla8rQTNPSZdQ3tSKApOHcDG8nfOQ
	bzrX8MW03c2g0/o8X/Uv70GDZge4kQfF5VaycW+tgylgljSy8mhBzh7eK7trlsv04GL1
	RxAHV2gHccJT/VJGVVEeD61sFjXrQZt/y2V3AvT8ShEZoNjBAbzdWkhnS5mgPl9E+r//
	hxKeqgAHt9gQ3v9m0lrL2Rdrh+WEk2EyOlEqK/O7woXmjYM8PmJgCiBDoU7PCJ4tlAvR
	E5SQ==
X-Gm-Message-State: AMke39mw4r9AOc02cpAGTYdEAiAMsfK7SYwBEQ85dn6epunyGVKrgeEO1rdv3SdPD1HJchOQELx/iN+DtzQ/Gg==
X-Received: by 10.223.133.164 with SMTP id 33mr9695448wrt.39.1488090986427;
	Sat, 25 Feb 2017 22:36:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.80.153.212 with HTTP; Sat, 25 Feb 2017 22:36:25 -0800 (PST)
Received: by 10.80.153.212 with HTTP; Sat, 25 Feb 2017 22:36:25 -0800 (PST)
In-Reply-To: <4F6C2972-A320-429A-BD13-623B01F390A3@gmail.com>
References: <8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com>
	<20170225010122.GA10233@savin.petertodd.org>
	<208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com>
	<CAN6UTayzQRowtWhLKr8LyFuXjw3m+GjQGtHfkDj-Xu41Hym32w@mail.gmail.com>
	<CAEM=y+WkgSkc07ZsU6APAkcu37zVZ7dwSc=jAg1nho31S5ZyxQ@mail.gmail.com>
	<20170225191201.GA15472@savin.petertodd.org>
	<CAMZUoK=sq_sRoXuySca-VAGwA3AzeoZ5iNFSnKULbj+NtPjHFA@mail.gmail.com>
	<20170225210406.GA16196@savin.petertodd.org>
	<CAGLBAhdCb+QLWRm4FWkPvaM2sU24HuafdgNiS=wgnPTGzrW05w@mail.gmail.com>
	<4FE38F6A-0560-4989-9C53-7F8C94EA4C76@gmail.com>
	<20170225214018.GA16524@savin.petertodd.org>
	<D36DB0BD-C805-4346-B425-77D5B29582E5@gmail.com>
	<CAPg+sBhZ1UqOLqz_PVjjrE8Cbte_Y160Gq7P7EWf6cRKjMcDEQ@mail.gmail.com>
	<4F6C2972-A320-429A-BD13-623B01F390A3@gmail.com>
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Sat, 25 Feb 2017 22:36:25 -0800
Message-ID: <CAPg+sBgndv+Q-MGhz6Th9A3xhtqouz6D9AENqRusnCz_m+2O2g@mail.gmail.com>
To: Steve Davis <steven.charles.davis@gmail.com>
Content-Type: multipart/alternative; boundary=001a1147d2eca3bca20549692e8c
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by
 third-parties, not just repo maintainers
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Feb 2017 06:36:28 -0000

--001a1147d2eca3bca20549692e8c
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Feb 25, 2017 22:26, "Steve Davis" <steven.charles.davis@gmail.com> wrote=
:

Hi Pieter,

> On Feb 25, 2017, at 4:14 PM, Pieter Wuille <pieter.wuille@gmail.com>
wrote:
>
> Any alternative to move us away from RIPEMD160 would require:

> <snipped>

=E2=80=9CAny alternative=E2=80=9D? What about reverting to:

[<public_key>, OP_CHECKSIG]


snip


Could that be the alternative?


Ok, fair enough, that is an alternative that avoids the 160-bit hash
function, but not where it matters. The 80-bit collision attack only
applies to jointly constructed addresses like multisig P2SH, not single-key
ones. As far as I know for those we only rely preimage security, and
RIPEMD160 has 160 bit security there, which is even more than our ECDSA
signatures offer.

--=20
Pieter

--001a1147d2eca3bca20549692e8c
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto"><div><br><div class=3D"gmail_extra"><br><div class=3D"gma=
il_quote">On Feb 25, 2017 22:26, &quot;Steve Davis&quot; &lt;<a href=3D"mai=
lto:steven.charles.davis@gmail.com">steven.charles.davis@gmail.com</a>&gt; =
wrote:<br type=3D"attribution"><blockquote class=3D"quote" style=3D"margin:=
0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Pieter,<br>
<div class=3D"quoted-text"><br>
&gt; On Feb 25, 2017, at 4:14 PM, Pieter Wuille &lt;<a href=3D"mailto:piete=
r.wuille@gmail.com">pieter.wuille@gmail.com</a>&gt; wrote:<br>
&gt;<br>
&gt; Any alternative to move us away from RIPEMD160 would require:<br>
<br>
</div>&gt; &lt;snipped&gt;<br>
<br>
=E2=80=9CAny alternative=E2=80=9D? What about reverting to:<br>
<br>
[&lt;public_key&gt;, OP_CHECKSIG]<br></blockquote></div></div></div><div di=
r=3D"auto"><br></div><div dir=3D"auto">snip</div><div dir=3D"auto"><br></di=
v><div dir=3D"auto"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><=
blockquote class=3D"quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex">
<br>
Could that be the alternative?</blockquote></div></div></div><div dir=3D"au=
to"><br></div><div dir=3D"auto">Ok, fair enough, that is an alternative tha=
t avoids the 160-bit hash function, but not where it matters. The 80-bit co=
llision attack only applies to jointly constructed addresses like multisig =
P2SH, not single-key ones. As far as I know for those we only rely preimage=
 security, and RIPEMD160 has 160 bit security there, which is even more tha=
n our ECDSA signatures offer.</div><div dir=3D"auto"><br></div><div dir=3D"=
auto">--=C2=A0</div><div dir=3D"auto">Pieter</div><div dir=3D"auto"><br></d=
iv><div dir=3D"auto"><br></div><div dir=3D"auto"></div></div>

--001a1147d2eca3bca20549692e8c--