Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 26134DD0 for ; Fri, 8 Jan 2016 01:54:04 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C015C14C for ; Fri, 8 Jan 2016 01:54:02 +0000 (UTC) Received: by mail-lb0-f172.google.com with SMTP id oh2so217483913lbb.3 for ; Thu, 07 Jan 2016 17:54:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=u0igcesifE6eqQw6GhnV7TrWsxiAfplR0cjETJffEqQ=; b=tl5+Rtp7VLUmwCj3sFlZdhlWgiUjoYDlEOF+DpsMHo6KkYIUXjMVqIgOFU6CKGAG4K YFQC0e1k5Ahah7TGrNdWTz0zAmns8cTXphATw8+UILOlWHrer5Mmcwb2mewiGmjz8fLe b09YAuk2sbrlzkf4RUHRe1mmip2+F5t3+eSr5w3qJfAl4z17XoHPsRJxjTvC1ehZQO4+ YZn3jwKyMAJcsf72A4JG4oJFbT/FTE8SU/32XlKZ1exD+AbBw/oKZiSv0D+HOpdE+RqH HEggvkX5i/oXyYNbo2EC2M/N48S61DjQb03ECtXS3O5FuXCyBAtELdettcidYx/L4JHC S6qA== MIME-Version: 1.0 X-Received: by 10.112.219.101 with SMTP id pn5mr10768816lbc.123.1452218041056; Thu, 07 Jan 2016 17:54:01 -0800 (PST) Received: by 10.25.25.78 with HTTP; Thu, 7 Jan 2016 17:54:00 -0800 (PST) In-Reply-To: <568F103E.1050909@mattcorallo.com> References: <568F103E.1050909@mattcorallo.com> Date: Thu, 7 Jan 2016 20:54:00 -0500 Message-ID: From: Gavin Andresen To: Matt Corallo Content-Type: multipart/alternative; boundary=001a11c3c26c79496d0528c8dc5b X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 08 Jan 2016 02:37:31 +0000 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jan 2016 01:54:04 -0000 --001a11c3c26c79496d0528c8dc5b Content-Type: text/plain; charset=UTF-8 On Thu, Jan 7, 2016 at 8:26 PM, Matt Corallo wrote: > So just because other attacks are possible we should weaken the crypto > we use? You may feel comfortable weakening crypto used to protect a few > billion dollars of other peoples' money, but I dont. > No... I'm saying we can eliminate one somewhat unlikely attack (that there is a bug in the code or test cases, today or some future version, that has to decide what to do with "version 0" versus "version 1" witness programs) by accepting the risk of another insanely, extremely unlikely attack. Reference for those who are lost: https://github.com/CodeShark/bips/blob/segwit/bip-codeshark-jl2012-segwit.mediawiki#witness-program My proposal would be to just do a version 0 witness program now, that is RIPEMD160(SHA256(script)). And ten or twenty years from now, if there is a plausible attack on RIPEMD160 and/or SHA256, revisit and do a version 11 (or whatever). It will simplify the BIP, means half as many test cases have to be written, means a little more scalability, and is as secure as the P2SH and P2PKH everybody is using to secure their bitcoin today. Tell you what: I'll change my mind if anybody can describe a plausible attack if we were using MD5(SHA256), given what we know about how MD5 is broken. --- I'm really disappointed with the "Here's the spec, take it or leave it" attitude. What's the point of having a BIP process if the discussion just comes down to "We think more is better. We don't care what you think." -- -- Gavin Andresen --001a11c3c26c79496d0528c8dc5b Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
On T= hu, Jan 7, 2016 at 8:26 PM, Matt Corallo <lf-lists@mattcorallo.com<= /a>> wrote:
So just because other attacks are possible we should w= eaken the crypto
we use? You may feel comfortable weakening crypto used to protect a few
billion dollars of other peoples' money, but I dont.

No...

I'm saying we can elimin= ate one somewhat unlikely attack (that there is a bug in the code or test c= ases, today or some future version, that has to decide what to do with &quo= t;version 0" versus "version 1" witness programs) by accepti= ng the risk of another insanely, extremely unlikely attack.

Reference for those w= ho are lost:
=C2=A0=C2=A0https://github.com/CodeShark/bips/blob/segwit/bip-codesh= ark-jl2012-segwit.mediawiki#witness-program

My proposal would be to just do a= version 0 witness program now, that is RIPEMD160(SHA256(script)).

And ten or twe= nty years from now, if there is a plausible attack on RIPEMD160 and/or SHA2= 56, revisit and do a version 11 (or whatever).

It will simplify the BIP, means ha= lf as many test cases have to be written, means a little more scalability, = and is as secure as the P2SH and P2PKH everybody is using to secure their b= itcoin today.

Tell you = what: =C2=A0I'll change my mind if anybody can describe a plausible att= ack if we were using MD5(SHA256), given what we know about how MD5 is broke= n.


---

I&#= 39;m really disappointed with the "Here's the spec, take it or lea= ve it" attitude. What's the point of having a BIP process if the d= iscussion just comes down to "We think more is better. We don't ca= re what you think."

--
--
Gavin Andresen

--001a11c3c26c79496d0528c8dc5b--