In-Reply-To: <CACsn0cmE-c3MCAegH6QaFfDg6NDgNy7tKbczsxtQvkWBnLYJgw@mail.gmail.com>
References: <CABsx9T3aTme2EQATamGGzeqNqJkUcPGa=0LVidJSRYNznM-myQ@mail.gmail.com>
<CAPg+sBhH0MODjjp8Avx+Fy_UGqzMjUq_jn3vT3oH=u3711tsSA@mail.gmail.com>
<8760z4rbng.fsf@rustcorp.com.au>
<C4B5B9F1-9C53-45BC-9B30-F572C78096E3@mattcorallo.com>
<8737u8qnye.fsf@rustcorp.com.au>
<CABsx9T1gmz=sr_sEEuy8BQU6SXdmi58O30rzRWNW=0Ej98fi4A@mail.gmail.com>
<CACsn0cmE-c3MCAegH6QaFfDg6NDgNy7tKbczsxtQvkWBnLYJgw@mail.gmail.com>
Date: Fri, 8 Jan 2016 16:26:50 +0100
X-Gmail-Original-Message-ID: <CALqxMTHHh81Rkd274_XepXuZY-r_6Us+0FYrg9_Uupi0R9yVUw@mail.gmail.com>
Message-ID: <CALqxMTHHh81Rkd274_XepXuZY-r_6Us+0FYrg9_Uupi0R9yVUw@mail.gmail.com>
From: Adam Back <adam@cypherspace.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset=UTF-8
Cc: Rusty Russell via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?
Tricky choice. On the one hand I had spotted this too before and maybe
one or two more exceptions to bitcoin's 128-bit security target and
been vaguely tut-tutting about them in the background. It's kind of a
violation of crypto rule of thumb that you want to balance things and
not have odd weak points as Watson was implying, it puts you closer to
the margin if there is a slip or other problem so you have an
imbalanced crypto format.

On the other hand it's not currently a problem as such and it's less
change and slightly more compact.

RIPEMD probably is less well reviewed than SHA2. However SHA1 has
problems, and SHA2 is a bigger SHA1 basically so, hence the NIST
motivation for SHA3 designed to fix the design flaw in SHA1 (and SHA2
in principle).

So then if we agree with this rule of thumb (and not doing so would
fly against best practices which we probably shouldn't look to do in
such a security focussed domain) then what this discussion is more
about is when is a good time to write down tech debt.

I think that comes to segregated-witness itself which writes down a
tidily organised by lines of code robust fix to a bunch of long
standing problems.

Doing a 2MB hard-fork in comparison fixes nothing really. Leaving
known issues to bake in for another N years eventually builds up on
you (not even in security just in software engineering) as another
rule of thumb. I mean if we don't fix it now that we are making a
change that connects, when will we?

In software projects I ran we always disguised the cost of tech-debt
as non-negotiable baked into our estimates without a line item to
escape the PHB syndrome of haggling for features instead of tech debt
(which is _never_ a good idea:)

Pragmatism vs refactoring as you go.

But for scale I think segregated-witness does offer the intriguing
next step of being able to do 2 of 2, 3 of 3 and N of N which give
size of one sig multisig (indistinguishable even for privacy) as well
as K of N key tree sigs, which are also significantly more compact.

There was also the other thing I mentioned further up the thread that
if we want to take an approach of living with little bit of bloat from
getting back to a universal 128-bit target, there are still some
fixable bloat things going on:

a) sending pubKey in the signature vs recovery (modulo interference
with Schnorr batch verify compatibility*);

b) using the PubKey instead of PKH in the ScriptPubKey, though that
loses the nice property of not having the key to do DL attacks on
until the signed transaction is broadcast;

c) I think there might be a way to combine hash & PubKey to keep the
delayed PubKey publication property and yet still save the bloat of
having both.

* I did suggest to Pieter that you could let the miner decide to forgo
Schnorr batch verifiability to get compaction from recovery - the pub
key could be optionally elided from the scriptSig serialisation by the
miner.

The other thing we could consider is variable sized hashes (& a few
pubkey size choices) that is software complexity however. We might be
better off focussing on the bigger picture like IBLT/weak-blocks and
bigger wins like MAST, multiSig Schnorr & key tree sigs.

Didn't get time to muse on c) but a nice crypto question for someone :)

Another thing to note is combining has been known to be fragile to bad
interactions or unexpected behaviours. This paper talks about
tradeoffs and weaknesses in hash combiners.

http://tuprints.ulb.tu-darmstadt.de/2094/1/thesis.lehmann.pdf

Weak concept NACK I think for losing a cleanup opportunity to store it
up for the future when there is a reasonable opportunity to fix it?

Adam
On 8 January 2016 at 15:34, Watson Ladd via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Fri, Jan 8, 2016 at 4:38 AM, Gavin Andresen via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>> On Fri, Jan 8, 2016 at 7:02 AM, Rusty Russell <rusty@rustcorp.com.au> wrote:
>>>
>>> Matt Corallo <lf-lists@mattcorallo.com> writes:
>>> > Indeed, anything which uses P2SH is obviously vulnerable if there is
>>> > an attack on RIPEMD160 which reduces its security only marginally.
>>>
>>> I don't think this is true? Even if you can generate a collision in
>>> RIPEMD160, that doesn't help you since you need to create a specific
>>> SHA256 hash for the RIPEMD160 preimage.
>>>
>>> Even a preimage attack only helps if it leads to more than one preimage
>>> fairly cheaply; that would make grinding out the SHA256 preimage easier.
>>> AFAICT even MD4 isn't this broken.
>>
>>
>> It feels like we've gone over that before, but I can never remember where or
>> when. I believe consensus was that if we were using the broken MD5 in all
>> the places we use RIPEMD160 we'd still be secure today because of Satoshi's
>> use of nested hash functions everywhere.
>>
>>>
>>> But just with Moore's law (doubling every 18 months), we'll worry about
>>> economically viable attacks in 20 years.[1]
>>>
>>>
>>> That's far enough away that I would choose simplicity, and have all SW
>>> scriptPubKeys simply be "<0> RIPEMD(SHA256(WP))" for now, but it's
>>> not a no-brainer.
>>
>>
>> Let's see if I've followed the specifics of the collision attack correctly,
>> Ethan (or somebody) please let me know if I'm missing something:
>>
>> So attacker is in the middle of establishing a payment channel with
>> somebody. Victim gives their public key, attacker creates the innocent
>> fund-locking script '2 V A 2 CHECKMULTISIG' (V is victim's public key, A is
>> attacker's) but doesn't give it to the victim yet.
>>
>> Instead they then generate about 2^81 scripts that are some form of
>> pay-to-attacker ....
>> ... wait, no that doesn't work, because SHA256 is used as the inner hash
>> function. They'd have to generate 2^129 to find a cycle in SHA256.
>
> For 2^80 they simply generate 2^80 scripts that look innocent, and
> 2^80 that are not. With high probability there is a collision. I agree
> that most cryptanalysis won't work because of the nesting, but 2^80 is
> not good.
>>
>> Instead, they .. what? I don't see a viable attack unless RIPEMD160 and
>> SHA256 (or the combination) suffers a cryptographic break.
>>
>>
>> --
>> --
>> Gavin Andresen
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
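An added illustration, not part of the thread: the Python sketch below shows why the nested HASH160 construction discussed above (RIPEMD160 over SHA256) carries only a generic 2^80 collision bound, i.e. why the nesting helps against structural cryptanalysis but not against a birthday search. The two-set search is run over a truncated output so it finishes in seconds; the "a-"/"b-" strings are constructed stand-ins, not real scripts, and the SHA-1 fallback is an assumption for OpenSSL builds that hide ripemd160.

```python
import hashlib


def nested160(data: bytes) -> bytes:
    """Bitcoin's HASH160 shape: RIPEMD160(SHA256(data)), a 160-bit digest.
    Assumption: hashlib's OpenSSL exposes ripemd160. If it does not (some
    OpenSSL 3 builds keep it in the legacy provider), SHA-1 stands in as
    another 160-bit function; only the output width matters below."""
    inner = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", inner).digest()
    except ValueError:
        return hashlib.sha1(inner).digest()


def generic_attack_bits(output_bits: int):
    """(collision work, preimage work) in bits for an ideal hash of this width:
    160 -> (80, 160), the 2^80 figure in the thread; 256 -> (128, 256)."""
    return output_bits // 2, output_bits


def truncated(data: bytes, bits: int) -> int:
    """Leading `bits` bits of the nested digest, a toy-sized stand-in for the
    full 160-bit output so the birthday effect is visible quickly."""
    return int.from_bytes(nested160(data), "big") >> (160 - bits)


def two_set_collision(bits: int, max_trials: int = 1 << 24):
    """Birthday search across two independent sets of candidates (tagged 'a'
    and 'b'), mirroring the 'innocent set vs other set' description above.
    Returns (a, b, trials) with truncated(a) == truncated(b), or None.
    Expected cost is about 2^(bits/2) trials regardless of the inner SHA256."""
    seen_a, seen_b = {}, {}
    for i in range(max_trials):
        a = b"a-" + str(i).encode()          # constructed candidate, set A
        b = b"b-" + str(i).encode()          # constructed candidate, set B
        ha, hb = truncated(a, bits), truncated(b, bits)
        if ha == hb:
            return a, b, i
        if ha in seen_b:
            return a, seen_b[ha], i
        if hb in seen_a:
            return seen_a[hb], b, i
        seen_a[ha] = a
        seen_b[hb] = b
    return None
```

Raising `bits` by two roughly doubles the trials needed, which is the whole point: widening the outer digest to 256 bits is what moves the bound from 2^80 to 2^128.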