From: Steve Davis <steven.charles.davis@gmail.com>
Date: Sat, 25 Feb 2017 15:34:33 -0600
To: Dave Scotese <dscotese@litmocracy.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers
Message-Id: <4FE38F6A-0560-4989-9C53-7F8C94EA4C76@gmail.com>
In-Reply-To: <CAGLBAhdCb+QLWRm4FWkPvaM2sU24HuafdgNiS=wgnPTGzrW05w@mail.gmail.com>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>

Yea, well. I don't think it is ethical to post instructions without an associated remediation (BIP) if you don't see the potential attack.

I was rather hoping that we could have a fuller discussion of what the best practical response would be to such an issue?

> On Feb 25, 2017, at 3:21 PM, Dave Scotese <dscotese@litmocracy.com> wrote:
>
> I was under the impression that RIPEMD160(SHA256(msg)) is used to turn a PUBLIC key (msg) into a bitcoin address, so yeah, you could identify ANOTHER (or the same, I guess - how would you know?) public key that has the same bitcoin address if RIPEMD-160 collisions are easy, but I don't see how that has any effect on anyone. Maybe I'm restating what Peter wrote. If so, confirmation would be nice.
>
> On Sat, Feb 25, 2017 at 1:04 PM, Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Sat, Feb 25, 2017 at 03:53:12PM -0500, Russell O'Connor wrote:
> > On Sat, Feb 25, 2017 at 2:12 PM, Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > > On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev wrote:
> > > > > SHA1 is insecure because the SHA1 algorithm is insecure, not because 160 bits isn't enough.
> > > >
> > > > I would argue that 160-bits isn't enough for collision resistance. Assuming RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisions
> > >
> > > That's something that we're well aware of; there have been a few discussions on this list about how P2SH's 160-bits is insufficient in certain use-cases such as multisig.
> > >
> > > However, remember that a 160-bit *security level* is sufficient, and RIPEMD160 has 160-bit security against preimage attacks. Thus things like pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys that have the same RIPEMD160(SHA256()) digest, but if someone does that it doesn't cause the Bitcoin network itself any harm, and doing so is something you choose to do to yourself.
> > >
> >
> > Be aware that the issue is more problematic for more complex contracts. For example, you are building a P2SH 2-of-2 multisig together with someone else. If you are not careful, party A can hand their key over to party B, who may try to generate a collision between their second key and another 2-of-2 multisig where they control both keys.
> > See https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/012205.html
>
> I'm very aware of that; in fact I think I may have even been the first person to post on this list the commit-reveal mitigation.
>
> Note how I said earlier in the message you're replying to that "P2SH's 160-bits is insufficient in certain use-cases such as multisig"
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
> --
> I like to provide some work at no charge to prove my value. Do you need a techie?
> I own Litmocracy <http://www.litmocracy.com/> and Meme Racing <http://www.memeracing.net/> (in alpha).
> I'm the webmaster for The Voluntaryist <http://www.voluntaryist.com/> which now accepts Bitcoin.
> I also code for The Dollar Vigilante <http://dollarvigilante.com/>.
> "He ought to find it more profitable to play by the rules" - Satoshi Nakamoto
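The P2SH 2-of-2 collision that Russell O'Connor describes in the quoted thread, and the commit-reveal mitigation Peter Todd refers to, worked through as an added example; this is not code from anyone in the thread. It assumes placeholder 33-byte "public keys" derived from seeds (not real secp256k1 points, since only the hashing matters), truncates HASH160 of the redeem script to a small number of bits so the birthday search runs in milliseconds (the real 160-bit digest costs about 2^80 work), and falls back to a truncated SHA-256 stand-in if hashlib has no ripemd160 (OpenSSL legacy provider). The commitment construction (SHA-256 over a fixed tag and the key) is one simple instantiation chosen here, not anything the thread specifies.

```python
# Added example: scaled-down birthday collision against a P2SH 2-of-2 script
# hash, and the commit-reveal check that defeats it. Not thread participants'
# code. Assumptions: placeholder keys, truncated digest, optional HASH160
# fallback (see lead-in and comments below).
import hashlib
import hmac
from typing import Dict, Optional, Tuple

try:
    hashlib.new("ripemd160", b"")
    HASH160_IS_RIPEMD = True
except ValueError:
    HASH160_IS_RIPEMD = False  # OpenSSL without the legacy provider


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)), the digest behind P2PKH and P2SH."""
    inner = hashlib.sha256(data).digest()
    if HASH160_IS_RIPEMD:
        return hashlib.new("ripemd160", inner).digest()
    # Stand-in (assumption): 160-bit truncation of SHA-256, NOT Bitcoin's HASH160.
    return hashlib.sha256(inner).digest()[:20]


def fake_pubkey(seed: bytes) -> bytes:
    """33-byte compressed-pubkey-shaped placeholder (not a real curve point)."""
    return b"\x02" + hashlib.sha256(seed).digest()


def multisig_2of2(k1: bytes, k2: bytes) -> bytes:
    """Redeem script: OP_2 <push33 k1> <push33 k2> OP_2 OP_CHECKMULTISIG."""
    assert len(k1) == 33 and len(k2) == 33
    return b"\x52" + b"\x21" + k1 + b"\x21" + k2 + b"\x52" + b"\xae"


def truncated_digest(script: bytes, bits: int) -> int:
    """Top `bits` of HASH160(script); bits=160 is the real P2SH script hash."""
    return int.from_bytes(hash160(script), "big") >> (160 - bits)


def find_collision(a_pub: bytes, bits: int,
                   max_trials: int = 1 << 20) -> Optional[Tuple[bytes, bytes, int]]:
    """Party B, already holding A's key, birthday-searches for an honest
    2-of-2(A, B_i) and a rogue 2-of-2(B_x, B_j) with equal truncated script
    hashes. Expected cost is about 2**(bits/2) trials per side, i.e. ~2^80
    for the full 160-bit digest. Returns (honest_script, rogue_script, trials)."""
    honest_seen: Dict[int, bytes] = {}
    rogue_seen: Dict[int, bytes] = {}
    b_fixed = fake_pubkey(b"B-rogue-fixed")
    for i in range(max_trials):
        honest = multisig_2of2(a_pub, fake_pubkey(b"B-honest-%d" % i))
        rogue = multisig_2of2(b_fixed, fake_pubkey(b"B-rogue-%d" % i))
        th, tr = truncated_digest(honest, bits), truncated_digest(rogue, bits)
        if th == tr:
            return honest, rogue, i + 1
        if th in rogue_seen:
            return honest, rogue_seen[th], i + 1
        if tr in honest_seen:
            return honest_seen[tr], rogue, i + 1
        honest_seen[th] = honest
        rogue_seen[tr] = rogue
    return None


def commit_key(pubkey: bytes) -> bytes:
    """Commitment B must send BEFORE seeing A's key (one simple instantiation)."""
    return hashlib.sha256(b"p2sh-key-commit" + pubkey).digest()


def verify_reveal(commitment: bytes, pubkey: bytes) -> bool:
    """A accepts B's revealed key only if it matches the earlier commitment."""
    return hmac.compare_digest(commit_key(pubkey), commitment)


def run_scenario(bits: int = 24) -> dict:
    """Commit-reveal in action: because B committed before A revealed, a key
    B grinds afterwards (as a function of A's key) fails the reveal check."""
    a_pub = fake_pubkey(b"A")
    b_honest = fake_pubkey(b"B-committed")
    b_commitment = commit_key(b_honest)        # step 1: B commits
    found = find_collision(a_pub, bits)        # step 2: A reveals, B grinds
    assert found is not None
    honest_script, rogue_script, trials = found
    b_revealed = honest_script[36:69]          # the B key inside 2-of-2(A, B_i)
    return {
        "collision_found": truncated_digest(honest_script, bits)
                           == truncated_digest(rogue_script, bits),
        "rogue_omits_a": a_pub not in rogue_script,
        "trials": trials,
        "reveal_accepted": verify_reveal(b_commitment, b_revealed),       # False
        "honest_reveal_accepted": verify_reveal(b_commitment, b_honest),  # True
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that without the commitment step A has no way to notice anything: the script hash A is shown is genuinely the hash of a script containing A's key, which is exactly why a 160-bit collision bound (not the 160-bit preimage bound) is the relevant number for jointly constructed P2SH scripts.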