Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VKMYB-0002l3-Py for bitcoin-development@lists.sourceforge.net; Fri, 13 Sep 2013 06:08:15 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.149.81 as permitted sender) client-ip=62.13.149.81; envelope-from=pete@petertodd.org; helo=outmail149081.authsmtp.net; Received: from outmail149081.authsmtp.net ([62.13.149.81]) by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1VKMYA-00025M-5w for bitcoin-development@lists.sourceforge.net; Fri, 13 Sep 2013 06:08:15 +0000 Received: from mail-c237.authsmtp.com (mail-c237.authsmtp.com [62.13.128.237]) by punt12.authsmtp.com (8.14.2/8.14.2) with ESMTP id r8D688jL018622 for ; Fri, 13 Sep 2013 07:08:08 +0100 (BST) Received: from savin (76-10-178-109.dsl.teksavvy.com [76.10.178.109]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id r8D67xPf025529 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Fri, 13 Sep 2013 07:08:01 +0100 (BST) Date: Fri, 13 Sep 2013 02:07:58 -0400 From: Peter Todd To: Bitcoin Dev Message-ID: <20130913060758.GC4242@savin> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="pAwQNkOnpTn9IO2O" Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: d8c14f96-1c3a-11e3-94fa-002590a135d3 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVJwpGK10IU0Fd P1hXKl1LNVAaWXld WiVPGEoXDxgzCjYj NEgGOBsDNw4AXgZ1 Mx0JXVBSFQZ4ARsL BhYUUhs8cANYeX5u ZEFqQHFbVVt/fUFi QwAWHRkAYi8APmAd VUVafk1VcAZJeFER YgN+UCUEZ3gGNXkx WlZqMmt0bGlRIWEN GltQfAobGB1WEmUq fT09NA8DVUoLSSgp IhBuJFkGVEYYKUV6 OlwlXVMDMhgUEUVQ GFsFOw9wfh1JfAoC V14EGQYkMQVwZAsF XEVgKxlEYHRVRipV HlAt X-Authentic-SMTP: 61633532353630.1024:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 76.10.178.109/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 0.0 LOTS_OF_MONEY Huge... sums of money X-Headers-End: 1VKMYA-00025M-5w Subject: [Bitcoin-development] REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and others X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Sep 2013 06:08:16 -0000 --pAwQNkOnpTn9IO2O Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Rewards at the following P2SH addresses are available for anyone able to demonstrate collision attacks against a variety of cryptographic algorithms. You collect your bounty by demonstrating two messages that are not equal in value, yet result in the same digest when hashed. These messages are used in a scriptSig, which satisfies the scriptPubKey storing the bountied funds, allowing you to move them to a scriptPubKey (Bitcoin address) of your choice. Further donations to the bounties are welcome, particularly for SHA1 - address 37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP - for which an attack on a single hash value is believed to be possible at an estimated cost of $2.77M (4) Details below; note that the "decodescript" RPC command is not yet released; compile bitcoind from the git repository at http://github.com/bitcoin/bitcoin SHA1: $ btc decodescript 6e879169a77ca787 { "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_E= QUAL", "type" : "nonstandard", "p2sh" : "37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP" } SHA256: $ btc decodescript 6e879169a87ca887 { "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA256 OP_SWAP OP_SHA256 = OP_EQUAL", "type" : "nonstandard", "p2sh" : "35Snmmy3uhaer2gTboc81ayCip4m9DT4ko" } RIPEMD160: $ btc decodescript 6e879169a67ca687 { "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_RIPEMD160 OP_SWAP OP_RIPE= MD160 OP_EQUAL", "type" : "nonstandard", "p2sh" : "3KyiQEGqqdb4nqfhUzGKN6KPhXmQsLNpay" } RIPEMD160(SHA256()): $ btc decodescript 6e879169a97ca987 { "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_HASH160 OP_SWAP OP_HASH16= 0 OP_EQUAL", "type" : "nonstandard", "p2sh" : "39VXyuoc6SXYKp9TcAhoiN1mb4ns6z3Yu6" } SHA256(SHA256()): $ btc decodescript 6e879169aa7caa87 { "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_HASH256 OP_SWAP OP_HASH25= 6 OP_EQUAL", "type" : "nonstandard", "p2sh" : "3DUQQvz4t57Jy7jxE86kyFcNpKtURNf1VW" } and last but not least, the absolute value function: $ btc decodescript 6e879169907c9087 { "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_ABS OP_SWAP OP_ABS OP_EQU= AL", "type" : "nonstandard", "p2sh" : "3QsT6Sast6ghfsjZ9VJj9u8jkM2qTfDgHV" } For example, this pair of transactions created, and then collected, an absolute value function bounty: 0100000001f3194f7c2a39809d6ea5fa2db68326932df146aaab7be2f398a524bd269d0b620= 00000008a473044022039bc13cb7fe565ff2e14b16fbc4a9facd36b25a435d2f49de4534463= 212aeaee022076413c7591385cd813df37d8104dd8110745c28178cef829b5ab3e56b7c30d2= 2014104d34775baab521d7ba2bd43997312d5f663633484ae1a4d84246866b7088297715a04= 9e2288ae16f168809d36e2da1162f03412bf23aa5f949f235eb2e7141783ffffffff03207e7= 500000000001976a9149bc0bbdd3024da4d0c38ed1aecf5c68dd1d3fa1288ac000000000000= 0000126a6e879169907c9087086e879169907c908740420f000000000017a914fe441065b65= 32231de2fac563152205ec4f59c748700000000 0100000001f18cda90bbbcfb031c65ceda17c82dc046c7db0b96242ba4c5b53c411d8c056e0= 20000000c510181086e879169907c9087ffffffff01a0bb0d00000000001976a9149bc0bbdd= 3024da4d0c38ed1aecf5c68dd1d3fa1288ac00000000 Specifically with the scriptSig: 1 -1 6e879169907c9087 Notes: 1) We advise mining the block in which you collect your bounty yourself; scriptSigs satisfying the above scriptPubKeys do not cryptographically s= ign the transaction's outputs. If the bounty value is sufficiently large other miners may find it profitable to reorganize the chain to kill your block and collect the reward themselves. This is particularly profitable for larger, centralized, mining pools. 2) Note that the value of your SHA256, RIPEMD160, RIPEMD160(SHA256()) or SHA256^2 bounty may be diminished by the act of collecting it. 3) Due to limitations of the Bitcoin scripting language bounties can only be collected with solutions using messages less than 521 bytes in size. 4) "When Will We See Collisions for SHA-1?" - Bruce Schneier https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html --=20 'peter'[:-1]@petertodd.org --pAwQNkOnpTn9IO2O Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQEcBAEBCAAGBQJSMqu+AAoJECSBQD2l8JH7Aq0H/jlu8HktaenQJMHoycVO+9yw bxauCL1y+00b2xkLP3Vxkvukf3PUPG+AjWtHzcMPZMDG8y0Eb8y8q9dy4KeDmvA6 njnfmgAPNa81vDRef7IR9bn2jqmb2wNx0RwNIE2O6tqvLSeWMlKlj27th0S0XPFN hpECGshZBGdVIbviQGoF1+629x0fbPz1BwDd89BRp2dGZvj1J7NnLDUPiUJdzXEW JEp31vWME1BVjoYSu2tIy1MfPYQWZVyJSdAY2pZsB6XcV02MFzntCW/jamcyG2GR yR2Esv92GOnJG5S/+hQFQZlsRahGkwi+Rr99iVkMZygDmpcSwTFu0HlIeIVNR5k= =/2vF -----END PGP SIGNATURE----- --pAwQNkOnpTn9IO2O--