summaryrefslogtreecommitdiff
path: root/ff/44abcdb4956035770c99efe190db1a3873b2aa
blob: 93156cb77f04edd359717e122f3238c108bf9dbb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
	helo=mx.sourceforge.net)
	by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <pete@petertodd.org>) id 1VKMYB-0002l3-Py
	for bitcoin-development@lists.sourceforge.net;
	Fri, 13 Sep 2013 06:08:15 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of petertodd.org
	designates 62.13.149.81 as permitted sender)
	client-ip=62.13.149.81; envelope-from=pete@petertodd.org;
	helo=outmail149081.authsmtp.net; 
Received: from outmail149081.authsmtp.net ([62.13.149.81])
	by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
	id 1VKMYA-00025M-5w for bitcoin-development@lists.sourceforge.net;
	Fri, 13 Sep 2013 06:08:15 +0000
Received: from mail-c237.authsmtp.com (mail-c237.authsmtp.com [62.13.128.237])
	by punt12.authsmtp.com (8.14.2/8.14.2) with ESMTP id r8D688jL018622
	for <bitcoin-development@lists.sourceforge.net>;
	Fri, 13 Sep 2013 07:08:08 +0100 (BST)
Received: from savin (76-10-178-109.dsl.teksavvy.com [76.10.178.109])
	(authenticated bits=128)
	by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id r8D67xPf025529
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO)
	for <bitcoin-development@lists.sourceforge.net>;
	Fri, 13 Sep 2013 07:08:01 +0100 (BST)
Date: Fri, 13 Sep 2013 02:07:58 -0400
From: Peter Todd <pete@petertodd.org>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Message-ID: <20130913060758.GC4242@savin>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="pAwQNkOnpTn9IO2O"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Server-Quench: d8c14f96-1c3a-11e3-94fa-002590a135d3
X-AuthReport-Spam: If SPAM / abuse - report it at:
	http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVJwpGK10IU0Fd
	P1hXKl1LNVAaWXld WiVPGEoXDxgzCjYj NEgGOBsDNw4AXgZ1
	Mx0JXVBSFQZ4ARsL BhYUUhs8cANYeX5u ZEFqQHFbVVt/fUFi
	QwAWHRkAYi8APmAd VUVafk1VcAZJeFER YgN+UCUEZ3gGNXkx
	WlZqMmt0bGlRIWEN GltQfAobGB1WEmUq fT09NA8DVUoLSSgp
	IhBuJFkGVEYYKUV6 OlwlXVMDMhgUEUVQ GFsFOw9wfh1JfAoC
	V14EGQYkMQVwZAsF XEVgKxlEYHRVRipV HlAt
X-Authentic-SMTP: 61633532353630.1024:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 76.10.178.109/587
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
	anti-virus system.
X-Spam-Score: -1.5 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.0 LOTS_OF_MONEY          Huge... sums of money
X-Headers-End: 1VKMYA-00025M-5w
Subject: [Bitcoin-development] REWARD offered for hash collisions for SHA1,
 SHA256, RIPEMD160 and others
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2013 06:08:16 -0000


--pAwQNkOnpTn9IO2O
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Rewards at the following P2SH addresses are available for anyone able to
demonstrate collision attacks against a variety of cryptographic
algorithms. You collect your bounty by demonstrating two messages that
are not equal in value, yet result in the same digest when hashed. These
messages are used in a scriptSig, which satisfies the scriptPubKey
storing the bountied funds, allowing you to move them to a scriptPubKey
(Bitcoin address) of your choice.

Further donations to the bounties are welcome, particularly for SHA1 -
address 37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP - for which an attack on a
single hash value is believed to be possible at an estimated cost of
$2.77M (4)


Details below; note that the "decodescript" RPC command is not yet
released; compile bitcoind from the git repository at
http://github.com/bitcoin/bitcoin

SHA1:

$ btc decodescript 6e879169a77ca787
{
    "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_E=
QUAL",
    "type" : "nonstandard",
    "p2sh" : "37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP"
}


SHA256:

$ btc decodescript 6e879169a87ca887
{
    "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA256 OP_SWAP OP_SHA256 =
OP_EQUAL",
    "type" : "nonstandard",
    "p2sh" : "35Snmmy3uhaer2gTboc81ayCip4m9DT4ko"
}


RIPEMD160:

$ btc decodescript 6e879169a67ca687
{
    "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_RIPEMD160 OP_SWAP OP_RIPE=
MD160 OP_EQUAL",
    "type" : "nonstandard",
    "p2sh" : "3KyiQEGqqdb4nqfhUzGKN6KPhXmQsLNpay"
}


RIPEMD160(SHA256()):

$ btc decodescript 6e879169a97ca987
{
    "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_HASH160 OP_SWAP OP_HASH16=
0 OP_EQUAL",
    "type" : "nonstandard",
    "p2sh" : "39VXyuoc6SXYKp9TcAhoiN1mb4ns6z3Yu6"
}


SHA256(SHA256()):

$ btc decodescript 6e879169aa7caa87
{
    "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_HASH256 OP_SWAP OP_HASH25=
6 OP_EQUAL",
    "type" : "nonstandard",
    "p2sh" : "3DUQQvz4t57Jy7jxE86kyFcNpKtURNf1VW"
}


and last but not least, the absolute value function:

$ btc decodescript 6e879169907c9087
{
    "asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_ABS OP_SWAP OP_ABS OP_EQU=
AL",
    "type" : "nonstandard",
    "p2sh" : "3QsT6Sast6ghfsjZ9VJj9u8jkM2qTfDgHV"
}

For example, this pair of transactions created, and then collected, an
absolute value function bounty:

0100000001f3194f7c2a39809d6ea5fa2db68326932df146aaab7be2f398a524bd269d0b620=
00000008a473044022039bc13cb7fe565ff2e14b16fbc4a9facd36b25a435d2f49de4534463=
212aeaee022076413c7591385cd813df37d8104dd8110745c28178cef829b5ab3e56b7c30d2=
2014104d34775baab521d7ba2bd43997312d5f663633484ae1a4d84246866b7088297715a04=
9e2288ae16f168809d36e2da1162f03412bf23aa5f949f235eb2e7141783ffffffff03207e7=
500000000001976a9149bc0bbdd3024da4d0c38ed1aecf5c68dd1d3fa1288ac000000000000=
0000126a6e879169907c9087086e879169907c908740420f000000000017a914fe441065b65=
32231de2fac563152205ec4f59c748700000000

0100000001f18cda90bbbcfb031c65ceda17c82dc046c7db0b96242ba4c5b53c411d8c056e0=
20000000c510181086e879169907c9087ffffffff01a0bb0d00000000001976a9149bc0bbdd=
3024da4d0c38ed1aecf5c68dd1d3fa1288ac00000000

Specifically with the scriptSig: 1 -1 6e879169907c9087


Notes:

1) We advise mining the block in which you collect your bounty yourself;
   scriptSigs satisfying the above scriptPubKeys do not cryptographically s=
ign
   the transaction's outputs. If the bounty value is sufficiently large
   other miners may find it profitable to reorganize the chain to kill
   your block and collect the reward themselves. This is particularly
   profitable for larger, centralized, mining pools.

2) Note that the value of your SHA256, RIPEMD160, RIPEMD160(SHA256()) or
   SHA256^2 bounty may be diminished by the act of collecting it.

3) Due to limitations of the Bitcoin scripting language bounties can
   only be collected with solutions using messages less than 521 bytes
   in size.

4) "When Will We See Collisions for SHA-1?" - Bruce Schneier
   https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html

--=20
'peter'[:-1]@petertodd.org

--pAwQNkOnpTn9IO2O
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJSMqu+AAoJECSBQD2l8JH7Aq0H/jlu8HktaenQJMHoycVO+9yw
bxauCL1y+00b2xkLP3Vxkvukf3PUPG+AjWtHzcMPZMDG8y0Eb8y8q9dy4KeDmvA6
njnfmgAPNa81vDRef7IR9bn2jqmb2wNx0RwNIE2O6tqvLSeWMlKlj27th0S0XPFN
hpECGshZBGdVIbviQGoF1+629x0fbPz1BwDd89BRp2dGZvj1J7NnLDUPiUJdzXEW
JEp31vWME1BVjoYSu2tIy1MfPYQWZVyJSdAY2pZsB6XcV02MFzntCW/jamcyG2GR
yR2Esv92GOnJG5S/+hQFQZlsRahGkwi+Rr99iVkMZygDmpcSwTFu0HlIeIVNR5k=
=/2vF
-----END PGP SIGNATURE-----

--pAwQNkOnpTn9IO2O--