MIME-Version: 1.0
In-Reply-To: <f309ea73-053d-c3e9-134e-4561e89715f1@librelamp.com>
References: <mailman.22137.1487974823.31141.bitcoin-dev@lists.linuxfoundation.org>
	<8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com>
	<20170225010122.GA10233@savin.petertodd.org>
	<208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com>
	<CAN6UTayzQRowtWhLKr8LyFuXjw3m+GjQGtHfkDj-Xu41Hym32w@mail.gmail.com>
	<CAEM=y+WkgSkc07ZsU6APAkcu37zVZ7dwSc=jAg1nho31S5ZyxQ@mail.gmail.com>
	<f309ea73-053d-c3e9-134e-4561e89715f1@librelamp.com>
From: Ethan Heilman <eth3rs@gmail.com>
Date: Sat, 25 Feb 2017 13:36:49 -0500
Message-ID: <CAEM=y+U7khq4FVift9aKewmasbdnFvn99pEkkYORmTCD-5thyQ@mail.gmail.com>
To: Alice Wonder <alice@librelamp.com>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary=001a11484ae083228c05495f234b
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by
 third-parties, not just repo maintainers
Precedence: list

--001a11484ae083228c05495f234b
Content-Type: text/plain; charset=UTF-8

>You have to not only produce a ripemd160 collision, you have to produce a
collision that is also a valid sha-256 hash - and that's much much much
more difficult.

I agree that merely finding a collision in RIPEMD-160 will be hard to use
in Bitcoin.

However finding a collision in RIPEMD-160(SHA-256(msg)) via bruteforce
(2^80 queries) is not particular more difficult than finding a collision in
RIPEMD-160 via brute force. Furthermore if you find a collision in
RIPEMD-160(SHA-256(msg)) you also get a valid SHA-256 hash for which you
know the preimage.


On Sat, Feb 25, 2017 at 1:19 PM, Alice Wonder via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On 02/25/2017 08:10 AM, Ethan Heilman via bitcoin-dev wrote:
>
>> SHA1 is insecure because the SHA1 algorithm is insecure, not because
>>>
>> 160bits isn't enough.
>>
>> I would argue that 160-bits isn't enough for collision resistance.
>> Assuming RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random
>> oracle), collisions can be generated in 2^80 queries (actually detecting
>> these collisions requires some time-memory additional trade-offs). The
>> Bitcoin network at the current hash rate performs roughly SHA-256 ~2^78
>> queries a day or 2^80 queries every four days.
>>
>
> You have to not only produce a ripemd160 collision, you have to produce a
> collision that is also a valid sha-256 hash - and that's much much much
> more difficult.
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--001a11484ae083228c05495f234b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">&gt;<span style=3D"font-size:12.8px">You have to not only =
produce a ripemd160 collision, you have to produce a collision that is also=
 a valid sha-256 hash - and that&#39;s much much much more difficult.</span=
><div class=3D"gmail-yj6qo gmail-ajU" style=3D"font-size:12.8px"></div><br>=
I agree that merely finding a collision in RIPEMD-160 will be hard to use i=
n Bitcoin.<br><br>However finding a collision in RIPEMD-160(SHA-256(msg)) v=
ia bruteforce (2^80 queries) is not particular more difficult than finding =
a collision in RIPEMD-160 via brute force. Furthermore if you find a collis=
ion in RIPEMD-160(SHA-256(msg)) you also get a valid SHA-256 hash for which=
 you know the preimage.<br><br></div><div class=3D"gmail_extra"><br><div cl=
ass=3D"gmail_quote">On Sat, Feb 25, 2017 at 1:19 PM, Alice Wonder via bitco=
in-dev <span dir=3D"ltr">&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfound=
ation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt;<=
/span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8=
ex;border-left:1px #ccc solid;padding-left:1ex"><span class=3D"">On 02/25/2=
017 08:10 AM, Ethan Heilman via bitcoin-dev wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><blockquote class=3D"gmail_quote" style=3D"m=
argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
SHA1 is insecure because the SHA1 algorithm is insecure, not because<br>
</blockquote>
160bits isn&#39;t enough.<br>
<br>
I would argue that 160-bits isn&#39;t enough for collision resistance.<br>
Assuming RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random<br>
oracle), collisions can be generated in 2^80 queries (actually detecting<br=
>
these collisions requires some time-memory additional trade-offs). The<br>
Bitcoin network at the current hash rate performs roughly SHA-256 ~2^78<br>
queries a day or 2^80 queries every four days.<br>
</blockquote>
<br></span>
You have to not only produce a ripemd160 collision, you have to produce a c=
ollision that is also a valid sha-256 hash - and that&#39;s much much much =
more difficult.<div class=3D"HOEnZb"><div class=3D"h5"><br>
<br>
______________________________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundat<wbr>ion.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-d<wbr>ev</a><br>
</div></div></blockquote></div><br></div>

--001a11484ae083228c05495f234b--