path: root/6a/5db1ff6e25711e9aaf62c456715c16419115d4
blob: e945145a52b863565db3cbe7350bf26c1bdefd59 (plain)
Return-Path: <pete@petertodd.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id A3294305
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 25 Feb 2017 21:04:12 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from outmail149075.authsmtp.net (outmail149075.authsmtp.net
	[62.13.149.75])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id 8D29FCD
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sat, 25 Feb 2017 21:04:11 +0000 (UTC)
Received: from mail-c232.authsmtp.com (mail-c232.authsmtp.com [62.13.128.232])
	by punt20.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1PL49Bl091765;
	Sat, 25 Feb 2017 21:04:09 GMT
Received: from petertodd.org (ec2-52-5-185-120.compute-1.amazonaws.com
	[52.5.185.120]) (authenticated bits=0)
	by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id v1PL47ep041842
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sat, 25 Feb 2017 21:04:08 GMT
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by petertodd.org (Postfix) with ESMTPSA id BAAEA40123;
	Sat, 25 Feb 2017 21:04:06 +0000 (UTC)
Received: by localhost (Postfix, from userid 1000)
	id 1E66A204AB; Sat, 25 Feb 2017 16:04:06 -0500 (EST)
Date: Sat, 25 Feb 2017 16:04:06 -0500
From: Peter Todd <pete@petertodd.org>
To: "Russell O'Connor" <roconnor@blockstream.io>
Message-ID: <20170225210406.GA16196@savin.petertodd.org>
References: <mailman.22137.1487974823.31141.bitcoin-dev@lists.linuxfoundation.org>
	<8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com>
	<20170225010122.GA10233@savin.petertodd.org>
	<208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com>
	<CAN6UTayzQRowtWhLKr8LyFuXjw3m+GjQGtHfkDj-Xu41Hym32w@mail.gmail.com>
	<CAEM=y+WkgSkc07ZsU6APAkcu37zVZ7dwSc=jAg1nho31S5ZyxQ@mail.gmail.com>
	<20170225191201.GA15472@savin.petertodd.org>
	<CAMZUoK=sq_sRoXuySca-VAGwA3AzeoZ5iNFSnKULbj+NtPjHFA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu"
Content-Disposition: inline
In-Reply-To: <CAMZUoK=sq_sRoXuySca-VAGwA3AzeoZ5iNFSnKULbj+NtPjHFA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Server-Quench: f2f9d1f4-fb9d-11e6-829f-00151795d556
X-AuthReport-Spam: If SPAM / abuse - report it at:
	http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
	bgdMdAcUHlAWAgsB AmEbWVVeUFl7WWs7 bghPaBtcak9QXgdq
	T0pMXVMcUgQIfRgG U14eVhh6cwcIeXh3 ZUIsCHINVRB7I0Jg
	FBxdQXAHZDJmdWgd WRZFdwNVdQJNdxoR b1V5GhFYa3VsNCMk
	FAgyOXU9MCtqYB91 a1hFJlUWRUcQHzk6 XFgHFDYiVWIEW20t
	MhggJ0QVFkIcelk1 eVI9RVsbOARaABw8 V11NATVVYkEIXTYq
	ABgeFUgZDHVfXDxA SgclOhgABzVTXDZR BU1IUQpn
X-Authentic-SMTP: 61633532353630.1037:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 52.5.185.120/25
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
	anti-virus system.
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	Steve Davis <steven.charles.davis@gmail.com>
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attacks by
 third-parties, not just repo maintainers
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Feb 2017 21:04:12 -0000


--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

On Sat, Feb 25, 2017 at 03:53:12PM -0500, Russell O'Connor wrote:
> On Sat, Feb 25, 2017 at 2:12 PM, Peter Todd via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
> > On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev
> > wrote:
> > > >SHA1 is insecure because the SHA1 algorithm is insecure, not because
> > > >160bits isn't enough.
> > >
> > > I would argue that 160-bits isn't enough for collision resistance. Assuming
> > > RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisions
> >
> > That's something that we're well aware of; there have been a few discussions on
> > this list about how P2SH's 160-bits is insufficient in certain use-cases such
> > as multisig.
> >
> > However, remember that a 160-bit *security level* is sufficient, and RIPEMD160
> > has 160-bit security against preimage attacks. Thus things like
> > pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys
> > that have the same RIPEMD160(SHA256()) digest, but if someone does that it
> > doesn't cause the Bitcoin network itself any harm, and doing so is something
> > you choose to do to yourself.
> >
> 
> Be aware that the issue is more problematic for more complex contracts.
> For example, you are building a P2SH 2-of-2 multisig together with someone
> else; if you are not careful, party A can hand their key over to party B,
> who may try to generate a collision between their second key and
> another 2-of-2 multisig where they control both keys. See
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/012205.html

I'm very aware of that; in fact, I think I may have even been the first person
to post on this list the commit-reveal mitigation.

Note how I said earlier in the message you're replying to that "P2SH's 160-bits
is insufficient in certain use-cases such as multisig"

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

--sdtB3X0nJg68CQEu
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYsfFDAAoJECSBQD2l8JH7MsMIAJucFV8KSyxDunTQ4py0F5YN
9HFVHBy9TOSfN3LLCyL1Cu++7PQKcyqORNAgbNvqkIrRil9fza1X4vfy5knbuNjF
cEEkDFUI7uReQGqu8R+Exk9ujP0joXP1nIWIZSX0OaqBfxPOrAFKi6kyZcKL/db9
voCy3zhqHuwHC03Izd/9buor8d6hEzOjziP/6RsPwy8z9hz5C4K+YFdTcTc+/wVU
iGnEfKiwUzGAUwRanxhHCFIRW1g6NlCVNkIHuuAYEJbajQK0oB0GVTof7shgLbr1
r7c2YKddOlJpvgF0uEaW1T4HGnGMq6ojX4eAoESIIW2+eqRN7MYpFtnum59EnMU=
=87Ka
-----END PGP SIGNATURE-----

--sdtB3X0nJg68CQEu--
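Added example (my own code, not from this thread, from Bitcoin Core, or from any of the posters): it builds the P2SH 2-of-2 redeem script the message discusses, shows the commit-reveal key exchange Peter refers to as the mitigation, and then runs the birthday search that an uncommitted party B could run against a truncated digest, so the 2^(n/2) collision cost versus the 2^n preimage cost in Ethan's and Peter's exchange is visible in a few seconds rather than at 2^80. The "pubkeys" are 33-byte placeholders with a 0x02/0x03 prefix, not real secp256k1 points, since script hashing never validates them; the RIPEMD-160 stand-in used when hashlib lacks it is also an assumption of this example and is not Bitcoin's hash.

```python
import hashlib
import secrets

OP_2 = b"\x52"
OP_CHECKMULTISIG = b"\xae"


def ripemd160(data: bytes) -> bytes:
    """RIPEMD-160 through hashlib when the OpenSSL build provides it."""
    try:
        return hashlib.new("ripemd160", data).digest()
    except ValueError:
        # Some OpenSSL 3 builds omit RIPEMD-160 from the default provider.
        # Fall back to a labelled 20-byte stand-in so the example still runs;
        # the structural points below hold for any 160-bit hash, but real
        # Bitcoin script hashes require genuine RIPEMD-160.
        return hashlib.sha256(b"ripemd160-stand-in:" + data).digest()[:20]


def hash160(data: bytes) -> bytes:
    """Bitcoin HASH160 = RIPEMD160(SHA256(x)); this is what a P2SH output commits to."""
    return ripemd160(hashlib.sha256(data).digest())


def push(data: bytes) -> bytes:
    """Direct push opcode (1..75 bytes), enough for 33-byte compressed pubkeys."""
    assert 0 < len(data) < 0x4C
    return bytes([len(data)]) + data


def multisig_2of2(pk1: bytes, pk2: bytes) -> bytes:
    """Redeem script: OP_2 <pk1> <pk2> OP_2 OP_CHECKMULTISIG."""
    return OP_2 + push(pk1) + push(pk2) + OP_2 + OP_CHECKMULTISIG


def truncated_hash160(script: bytes, bits: int) -> int:
    """Low `bits` of HASH160(script); bits=160 is the real P2SH case."""
    return int.from_bytes(hash160(script), "big") & ((1 << bits) - 1)


# Commit-reveal: each party fixes its key before seeing the other's.

def commit(pubkey: bytes, nonce: bytes) -> bytes:
    """Hash commitment to a pubkey; the 32-byte nonce keeps the key hidden until reveal."""
    return hashlib.sha256(pubkey + nonce).digest()


def open_commitment(commitment: bytes, pubkey: bytes, nonce: bytes) -> bool:
    """Accept the revealed key only if it is the one committed to earlier."""
    return secrets.compare_digest(commitment, commit(pubkey, nonce))


# Without the commitment: party B chooses last and runs a birthday search.

def birthday_collision(pk_a: bytes, bits: int = 24, max_tries: int = 1 << 16):
    """Find an honest-looking 2-of-2 {pk_a, pk_b} and a 2-of-2 whose two keys B
    alone holds, with equal HASH160 on the low `bits`. Scaled down so it finishes
    quickly; on all 160 bits the same search costs about 2**80 evaluations,
    far below the 2**160 a preimage attack on pay-to-pubkey-hash would need."""
    honest = {}  # truncated digest -> script that contains pk_a
    rogue = {}   # truncated digest -> script B controls outright
    for _ in range(max_tries):
        h = multisig_2of2(pk_a, secrets.token_bytes(33))
        dh = truncated_hash160(h, bits)
        if dh in rogue:
            return h, rogue[dh]
        honest[dh] = h
        r = multisig_2of2(secrets.token_bytes(33), secrets.token_bytes(33))
        dr = truncated_hash160(r, bits)
        if dr in honest:
            return honest[dr], r
        rogue[dr] = r
    raise RuntimeError("no collision within budget; raise max_tries or lower bits")


if __name__ == "__main__":
    pk_a = b"\x02" + secrets.token_bytes(32)  # placeholder key, not a real point
    pk_b = b"\x03" + secrets.token_bytes(32)
    nonce_b = secrets.token_bytes(32)
    c_b = commit(pk_b, nonce_b)              # B sends this before ever seeing pk_a
    assert open_commitment(c_b, pk_b, nonce_b)
    ground = b"\x03" + secrets.token_bytes(32)
    assert not open_commitment(c_b, ground, nonce_b)  # a key chosen later is rejected
    print("P2SH script hash:", hash160(multisig_2of2(pk_a, pk_b)).hex())
    good, bad = birthday_collision(pk_a, bits=24)
    print("24-bit collision found; scripts differ:", good != bad,
          "shared low digest:", hex(truncated_hash160(good, 24)))
```

In the commit-reveal round, the check that matters is A verifying B's opening against the commitment A already holds; if B instead waits for pk_a and then grinds, `open_commitment` fails for any key other than the one B fixed up front. The birthday search shows the other side: with no commitment, B's work scales with the square root of the digest space, which is why 160 bits is short for collision resistance even though it is ample against preimages.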