Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 240CD4A3 for ; Sat, 25 Feb 2017 14:50:34 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com [74.125.82.41]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 7FECCA1 for ; Sat, 25 Feb 2017 14:50:32 +0000 (UTC) Received: by mail-wm0-f41.google.com with SMTP id 196so12522285wmm.1 for ; Sat, 25 Feb 2017 06:50:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=z5zkQMMBMARnYKztLpWoka2wcN+MBjKiDjWcRcmr7QM=; b=NDxv498rXCW2Qyixtl+uWfObnJkR/P02zUZ07+IY+sGTYFmL7LYDoLRh9uWXWhD9sy Atn/K12C9JgbAG39rezknZmRF1YLsdYjE2NYt1xGaeRO/UfAagh7u8NebnjrveaL5LDD A206BYP9IKvMvx8BSu6KGq+qsTsqDu9ZayJMxKbpuW5kEIFGIdTjveI/7xQQp0vaZnLm fTH7DIeXIUenWg+OVZcRbuc9weskqia4jHubyrRY5sSTdNqDQb1XRAknMo24ZTcWFD5A xKQUVGyXIWhAOlM1Y8jnw1QIvQPQLdXnpuSfw1buVVY8L+ZeqB2zfJY3tsxEG0IndXGY znIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=z5zkQMMBMARnYKztLpWoka2wcN+MBjKiDjWcRcmr7QM=; b=kYboIMvgo8URstG/TZFj/mlxAQAWL1ydCtw8Fni9CH6R55pGNI4F32ebuXl3sMCt2m H9eImpSjo3q7Vs3itb1meFGnW6UPenmFyNu1RdJDmZwWYfeytSMS0EmQzohNon0ho1lw fPuL36l4ZdmCdEpaoYZ9r1Bl6PVPSicukF/7glPeHShEgHBn5gHTMB7QeSxyew95T0Ks kHMPcvP0Bw8/84hsrawCFw4TfaTncdc4W4Pz1G9U1jK8/bLX+ehZX61zWP8ajrsfazqy OwisTcXx3EvyOK94Far8G/UscoFKvE4odzqSKJe11/8PlJauheIXZ7HzzyRmy+cS/GXa Lfxg== X-Gm-Message-State: AMke39mBP4FPMGJvGOxY0WeG2Z44N9oA20RhssWfMuCLa4LNtyteskh8Kc4kmW7KcnhZjmjx9HOEOZ/J2IeDuw== X-Received: by 10.28.135.82 with SMTP id j79mr6645469wmd.19.1488034231188; Sat, 25 Feb 2017 06:50:31 -0800 (PST) MIME-Version: 1.0 Received: by 10.28.50.3 with HTTP; Sat, 25 Feb 2017 06:50:30 -0800 (PST) Received: by 10.28.50.3 with HTTP; Sat, 25 Feb 2017 06:50:30 -0800 (PST) In-Reply-To: <208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com> References: <8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com> <20170225010122.GA10233@savin.petertodd.org> <208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com> From: Leandro Coutinho Date: Sat, 25 Feb 2017 11:50:30 -0300 Message-ID: To: Steve Davis , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary=001a11443f82c385e105495bf732 X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 25 Feb 2017 15:01:39 +0000 Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Feb 2017 14:50:34 -0000 --001a11443f82c385e105495bf732 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Google recommeds "migrate to safer cryptographic hashes such as SHA-256 and SHA-3" It does not mention RIPEMD-160 https://security.googleblog.com/2017/02/announcing-first-sha1-collision.htm= l?m=3D1 Em 25/02/2017 10:47, "Steve Davis via bitcoin-dev" < bitcoin-dev@lists.linuxfoundation.org> escreveu: > On Feb 24, 2017, at 7:01 PM, Peter Todd wrote: > > On Fri, Feb 24, 2017 at 05:49:36PM -0600, Steve Davis via bitcoin-dev wrote: >> If the 20 byte SHA1 is now considered insecure (with good reason), what about RIPEMD-160 which is the foundation of Bitcoin addresses? > > SHA1 is insecure because the SHA1 algorithm is insecure, not because 160bits isn't enough. > > AFAIK there aren't any known weaknesses in RIPEMD160, =E2=80=A6so far. I wonder how long that vacation will last? > but it also hasn't been > as closely studied as more common hash algorithms. ...but we can be sure that it will be, since the dollar value held in existing utxos continues to increase... > That said, Bitcoin uses > RIPEMD160(SHA256(msg)), which may make creating collisions harder if an attack > is found than if it used RIPEMD160 alone. Does that offer any greater protection? That=E2=80=99s not so clear to me a= s the outputs (at least for p2pkh) only verify the public key against the final 20 byte hash. Specifically, in the first (notional) case the challenge would be to find a private key that has a public key that hashes to the final hash. In the second (realistic) case, you merely need to add the sha256 hash into the problem, which doesn=E2=80=99t seem to me to increase = the difficulty by any significant amount? /s _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev --001a11443f82c385e105495bf732 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Google recommeds "migrate to safer cryptographi= c hashes such as SHA-256 and SHA-3"
It does not menti= on=C2=A0RIPEMD-160



Em 25/= 02/2017 10:47, "Steve Davis via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.= org> escreveu:

> On Feb 24, 2017, at 7:01 PM, Peter Todd <pete@petertodd.org> wrote:
>
> On Fri, Feb 24, 2017 at 05:49:36PM -0600, Steve Davis via bitcoin-dev = wrote:
>> If the 20 byte SHA1 is now considered insecure (with good reason),= what about RIPEMD-160 which is the foundation of Bitcoin addresses?
>
> SHA1 is insecure because the SHA1 algorithm is insecure, not because 1= 60bits isn't enough.
>
> AFAIK there aren't any known weaknesses in RIPEMD160,

=E2=80=A6so far. I wonder how long that vacation will last?

> but it also hasn't been
> as closely studied as more common hash algorithms.

...but we can be sure that it will be, since the dollar value held in= existing utxos continues to increase...

> That said, Bitcoin uses
> RIPEMD160(SHA256(msg)), which may make creating collisions harder if a= n attack
> is found than if it used RIPEMD160 alone.

Does that offer any greater protection? That=E2=80=99s not so clear t= o me as the outputs (at least for p2pkh) only verify the public key against= the final 20 byte hash. Specifically, in the first (notional) case the cha= llenge would be to find a private key that has a public key that hashes to = the final hash. In the second (realistic) case, you merely need to add the = sha256 hash into the problem, which doesn=E2=80=99t seem to me to increase = the difficulty by any significant amount?


/s
___________________________________________= ____
bitcoin-dev mailing list
bitcoin-dev@lists.= linuxfoundation.org
https://lists.linuxfoundation.org= /mailman/listinfo/bitcoin-dev

--001a11443f82c385e105495bf732--