Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id AC1B8F47 for ; Fri, 8 Jan 2016 01:27:03 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-yk0-f180.google.com (mail-yk0-f180.google.com [209.85.160.180]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 24A1A165 for ; Fri, 8 Jan 2016 01:27:03 +0000 (UTC) Received: by mail-yk0-f180.google.com with SMTP id k129so324957560yke.0 for ; Thu, 07 Jan 2016 17:27:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=au+EjLJgw7D40aW1IUByh8+SdpdV7oPNowoxuujTMbA=; b=sAEJ0Jtxn1p5qjkAVzCQLEVWTgpnCP22R+XZ+uECmACDbXyf9GqtrO7zcU477VKHlk NcS3bWZji9DuQ0X25c31lrxQ6sQzxfcCdN/4tn4UmnPOd7ZBFd8ZK23wxutsFvHKlSP6 U9aBoxQG+9VSinvFRLGKTxfeTdnZ91DbbhsAsxuP65n3MHuNfnHsLE/jqPrajwqHsOxJ qatOM2uWXS4SrWTbzDvr1h1fj18BmlIeRAfZMj0ONAHRwtYNL3YyB3fak4tRIh+NxiZm vim9xTU5sBegNDi3WDMJYwt7kE5nhp/5+oERaF3BxmpFXBGu7WhPKr92/3rJPZYAVxHG 4lZQ== MIME-Version: 1.0 X-Received: by 10.13.226.137 with SMTP id l131mr89750189ywe.239.1452216422344; Thu, 07 Jan 2016 17:27:02 -0800 (PST) Received: by 10.13.216.150 with HTTP; Thu, 7 Jan 2016 17:27:02 -0800 (PST) Received: by 10.13.216.150 with HTTP; Thu, 7 Jan 2016 17:27:02 -0800 (PST) In-Reply-To: References: Date: Thu, 7 Jan 2016 17:27:02 -0800 Message-ID: From: Watson Ladd To: Gavin Andresen Content-Type: multipart/alternative; boundary=001a114fe252fdadab0528c87bb3 X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 08 Jan 2016 02:38:30 +0000 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jan 2016 01:27:03 -0000 --001a114fe252fdadab0528c87bb3 Content-Type: text/plain; charset=UTF-8 On Jan 7, 2016 5:22 PM, "Gavin Andresen via bitcoin-dev" < bitcoin-dev@lists.linuxfoundation.org> wrote: > > On Thu, Jan 7, 2016 at 6:52 PM, Pieter Wuille wrote: >> >> Bitcoin does have parts that rely on economic arguments for security or privacy, but can we please stick to using cryptography that is up to par for parts where we can? It's a small constant factor of data, and it categorically removes the worry about security levels. > > Our message may have crossed in the mod queue: > > "So can we quantify the incremental increase in security of SHA256(SHA256) over RIPEMD160(SHA256) versus the incremental increase in security of having a simpler implementation of segwitness?" There are several clever ways to exploit even chosen prefix collisions using the scripting language. One could search for collisions where one message is some data and the other is a jump over a critical check. > > I believe the history of computer security is that implementation errors and sidechannel attacks are much, much more common than brute-force breaks. KEEP IT SIMPLE. Ask the Iranian nuclear program. Or those brainwallet users. > > (and a quibble: "do a 80-bit search for B and C such that H(A and B) = H(B and C)" isn't enough, you have to end up with a C public key for which you know the corresponding private key or the attacker just succeeds in burning the funds) > > > -- > -- > Gavin Andresen > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --001a114fe252fdadab0528c87bb3 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Jan 7, 2016 5:22 PM, "Gavin Andresen via bitcoin-dev" <bitcoin-dev@lists.linu= xfoundation.org> wrote:
>
> On Thu, Jan 7, 2016 at 6:52 PM, Pieter Wuille <pieter.wuille@gmail.com> wrote:
>>
>> Bitcoin does have parts that rely on economic arguments for securi= ty or privacy, but can we please stick to using cryptography that is up to = par for parts where we can? It's a small constant factor of data, and i= t categorically removes the worry about security levels.
>
> Our message may have crossed in the mod queue:
>
> "So can we quantify the incremental increase in security of SHA25= 6(SHA256) over RIPEMD160(SHA256) versus the incremental increase in securit= y of having a simpler implementation of segwitness?"

There are several clever ways to exploit even chosen prefix = collisions using the scripting language. One could search for collisions wh= ere one message is some data and the other is a jump over a critical check.=

>
> I believe the history of computer security is that implementation erro= rs and sidechannel attacks are much, much more common than brute-force brea= ks. KEEP IT SIMPLE.

Ask the Iranian nuclear program. Or those brainwallet users.=
>
> (and a quibble: =C2=A0"do a 80-bit search for B and C such that H= (A and B) =3D H(B and C)" =C2=A0isn't enough, you have to end up w= ith a C public key for which you know the corresponding private key or the = attacker just succeeds in burning the funds)
>
>
> --
> --
> Gavin Andresen
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@l= ists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--001a114fe252fdadab0528c87bb3--