From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Sat, 25 Feb 2017 22:36:25 -0800
Message-ID: <CAPg+sBgndv+Q-MGhz6Th9A3xhtqouz6D9AENqRusnCz_m+2O2g@mail.gmail.com>
To: Steve Davis <steven.charles.davis@gmail.com>
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers

On Feb 25, 2017 22:26, "Steve Davis" <steven.charles.davis@gmail.com> wrote:

Hi Pieter,

> On Feb 25, 2017, at 4:14 PM, Pieter Wuille <pieter.wuille@gmail.com> wrote:
>
> Any alternative to move us away from RIPEMD160 would require:

> <snipped>

“Any alternative”? What about reverting to:

[<public_key>, OP_CHECKSIG]


snip


Could that be the alternative?


Ok, fair enough, that is an alternative that avoids the 160-bit hash
function, but not where it matters. The 80-bit collision attack only
applies to jointly constructed addresses like multisig P2SH, not single-key
ones. As far as I know for those we only rely on preimage security, and
RIPEMD160 has 160 bit security there, which is even more than our ECDSA
signatures offer.

--
Pieter
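
The cost gap between the two cases in the message above, as an added example that is not part of the original e-mail: a hash truncated to 16 bits stands in for the 160-bit address hash, so the collision search (attacker chooses both inputs, as with a jointly constructed script) should take on the order of 2^8 tries while the second-preimage search (target fixed by an honest single key) takes on the order of 2^16. The use of truncated SHA-256, the function names and all input strings are assumptions made for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width; scales the 160-bit case down to something searchable


def toy_hash(data: bytes, bits: int = BITS) -> int:
    """SHA-256 truncated to `bits` bits (stand-in for the 160-bit address hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int = BITS):
    """Collision search: the searcher is free to pick BOTH inputs.

    This models a jointly constructed address, where one participant
    contributes script content. Expected work is about 2^(bits/2).
    Returns (input_a, input_b, number_of_hashes_computed).
    """
    seen = {}
    for i in count():
        msg = b"constructed-script-%d" % i  # constructed sample inputs
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """Second-preimage search: the target hash is fixed by someone else.

    This models a single-key address. Expected work is about 2^bits.
    Returns (forged_input, number_of_hashes_computed).
    """
    want = toy_hash(target, bits)
    for i in count():
        msg = b"forged-%d" % i  # constructed sample inputs
        if toy_hash(msg, bits) == want:
            return msg, i + 1


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    forged, n_pre = find_second_preimage(b"constructed-single-key-script")
    print(f"collision after {n_coll} hashes (order 2^{BITS // 2})")
    print(f"second preimage after {n_pre} hashes (order 2^{BITS})")
```

Scaling the exponents back up gives the figures in the message: about 2^80 work for a collision on a 160-bit hash, against 2^160 for a preimage.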
