Message-ID: <5550807e-0655-4895-bc66-1b67bfde8c3e@gmail.com>
Date: Mon, 24 Feb 2025 13:17:07 +0000
Subject: Re: [bitcoindev] P2QRH / BIP-360 Update
To: bitcoindev@googlegroups.com
References: <8797807d-e017-44e2-b419-803291779007n@googlegroups.com>
 <5667eb21-cd56-411d-a29f-81604752b7c4@gmail.com>
 <16d7adca-a01e-40c5-9570-31967ee339ecn@googlegroups.com>
From: Jonas Nick <jonasd.nick@gmail.com>
In-Reply-To: <16d7adca-a01e-40c5-9570-31967ee339ecn@googlegroups.com>

> What prevents arbitrary data being hashed and then included in the attestation
> is, each signature public key pair must be able to verify the transaction
> message in order to be considered a valid transaction.

This appears to contradict the selective disclosure mechanism described in the
BIP and this sentence in the "Script Validation" section:

> Public keys that are not needed can be excluded by including their hash in the
> attestation accompanied with an empty signature

Even if the selective disclosure vulnerability is fixed by committing to the
multisig semantics in the P2QRH output, any unopened public key commitment could
still be "abused" for arbitrary data storage. Similar to the scenario in my
previous post, if the root R is MerkleRoot([leafhash1, leafhash2]) and the
multisig policy is "1-of-2", then we can set

    leafhash1 := data
    leafhash2 := hash(public_key_secp256k1)

and post the data to the chain by spending the output using an attestation
structure that includes leafhash1, an empty signature, public_key_secp256k1 and
the corresponding signature.

> I will admit I don't understand this attack. Can you provide more details on
> how it works, and how it might be possible to mitigate?

To give more context, this attack is intended as a concrete demonstration of how
breaking the collision resistance of the hash function used in the Merkle tree
can enable an adversary to steal coins. Here's a different explanation for
essentially the same attack in the context of P2SH vs. P2WSH:
https://bitcoin.stackexchange.com/a/54847/35586

The attack against the BIP's proposed signature scheme (where the Merkle tree is
constructed from public keys and then an ordinary signature scheme is applied to
one or more of the committed public keys) can be mitigated by using a hash
function with a larger output space (e.g., SHA-512).

However, I'm not suggesting to do this. My point is that while the BIP aims for
256 bits of security by using NIST strength level V parameters, it does not
actually achieve that security level (when the adversary can affect any of the
leaves as in multisignatures, for example).

The Bitcoin protocol relies heavily on collision-resistance of SHA-256, which is
pretty much the definition of NIST strength level II [0].

[0] https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria)
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/5550807e-0655-4895-bc66-1b67bfde8c3e%40gmail.com.
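The two constructions in the message above, the 1-of-2 data-storage abuse and the collision attack on a Merkle tree of public keys, as an added worked example that is not part of this thread, of the BIP-360 draft, or of any reference implementation. It uses a deliberately simplified model that is an assumption of this example, not the BIP's encoding: the output commits to the policy (threshold, n) together with the Merkle root, Lamport one-time signatures over SHA-256 stand in for the BIP's signature scheme, an unopened leaf is supplied as an opaque 32-byte hash with an empty signature, and every function name (`verify_spend`, `output_commitment`, `birthday_collision`, ...) is made up here. The collision search truncates the commitment to 24 bits so the birthday attack finishes in about a second; against the full SHA-256 commitment the same search costs about 2^128 work, which is the 128-bit rather than 256-bit figure discussed above. Note that committing the policy into the hash does not change that cost, because the adversary collides the whole commitment, not a single leaf.

```python
"""Toy Merkle-committed multisig output (an assumed model, NOT the BIP-360 format):
leaves are 32-byte hashes, an opened leaf reveals key + signature, an unopened
leaf is an opaque hash with an empty signature, and the output commits to
(threshold, n) together with the Merkle root."""
import hashlib
import random


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


# --- Lamport one-time signatures over SHA-256, standing in for the BIP's scheme ---
def lamport_keygen(rng):
    raw = rng.randbytes(256 * 2 * 32)
    sk = [[raw[(i * 2 + b) * 32:(i * 2 + b + 1) * 32] for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def pk_bytes(pk):
    return b"".join(h for pair in pk for h in pair)


def msg_bits(msg):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, msg_bits(msg))))


# --- Merkle commitment and spend verification ---
def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def output_commitment(threshold, n, root, bits=256):
    """Commit to the multisig semantics AND the root. `bits` truncates the
    commitment (demo only) so that a birthday search is feasible here."""
    return H(bytes([threshold, n]) + root)[: bits // 8]


def verify_spend(commitment, threshold, entries, msg, bits=256):
    """entries: (leaf, pk, sig). pk is None for an unopened leaf given as an opaque
    hash with empty signature; sig is None when a key is revealed but not signing."""
    leaves, valid = [], 0
    for leaf, pk, sig in entries:
        if pk is not None:
            leaf = H(pk_bytes(pk))
            if sig is not None and lamport_verify(pk, msg, sig):
                valid += 1
        leaves.append(leaf)
    root = merkle_root(leaves)
    return output_commitment(threshold, len(entries), root, bits) == commitment and valid >= threshold


def data_storage_abuse(seed=0):
    """1-of-2 whose first leaf is 32 arbitrary bytes; the spend opens only the key leaf."""
    rng = random.Random(seed)
    sk, pk = lamport_keygen(rng)
    data = b"arbitrary data stored on chain!!"  # constructed payload, exactly 32 bytes
    commitment = output_commitment(1, 2, merkle_root([data, H(pk_bytes(pk))]))
    msg = b"spend"
    entries = [(data, None, None), (None, pk, lamport_sign(sk, msg))]
    return verify_spend(commitment, 1, entries, msg)  # True: the verifier never sees `data` as a key


def birthday_collision(rng, pk_alice, bits, n_honest=1024, max_trials=1 << 22):
    """Bob, Alice's co-signer, searches for an honest 2-of-2 commitment (varying his
    own key) and a 1-of-2 commitment over [opaque data, H(pk_bob)] (varying the data)
    that collide on the truncated commitment. Cost is about 2^(bits/2) in total."""
    sk_bob, pk_bob = lamport_keygen(rng)
    leaf_a, leaf_b = H(pk_bytes(pk_alice)), H(pk_bytes(pk_bob))
    honest = {}
    for _ in range(n_honest):
        _, pk_i = lamport_keygen(rng)
        honest[output_commitment(2, 2, merkle_root([leaf_a, H(pk_bytes(pk_i))]), bits)] = pk_i
    for trial in range(1, max_trials + 1):
        data = rng.randbytes(32)
        c = output_commitment(1, 2, merkle_root([data, leaf_b]), bits)
        if c in honest:
            return c, honest[c], data, sk_bob, pk_bob, trial
    raise RuntimeError("no collision within max_trials")


def run_collision_attack(seed=1, bits=24):
    rng = random.Random(seed)
    _, pk_a = lamport_keygen(rng)
    c, pk_shown, data, sk_b, pk_b, trials = birthday_collision(rng, pk_a, bits)
    # Alice was shown pk_shown and funded c believing it is 2-of-2 over {pk_a, pk_shown}.
    # Bob sweeps it alone with the 1-of-2 reading whose other leaf is opaque data.
    msg = b"bob sweeps the output"
    entries = [(data, None, None), (None, pk_b, lamport_sign(sk_b, msg))]
    return verify_spend(c, 1, entries, msg, bits), trials


def collision_work(bits):
    """Generic birthday bound: 2^(bits/2). For a 256-bit commitment that is 2^128."""
    return 2 ** (bits // 2)


if __name__ == "__main__":
    print("data leaf accepted by the 1-of-2 verifier:", data_storage_abuse())
    stolen, trials = run_collision_attack()
    print(f"Bob spent the 'honest' 2-of-2 output alone: {stolen} (after {trials} cheap trials)")
    print("birthday work for a 256-bit commitment: 2^%d" % (collision_work(256).bit_length() - 1))
```

Two things to look at when running it: `data_storage_abuse` returns True although the verifier enforced "every revealed key must sign", because the data leaf is never revealed as a key; and in `run_collision_attack` the cheap side of the search (random data leaves) is what Bob varies most, since only the honest side needs real key generation. Raising `bits` by 2 roughly doubles the search, which is the 2^(n/2) scaling that caps a 256-bit commitment at 128 bits of collision resistance.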