From: Michael Grønager <gronager@ceptacle.com>
In-Reply-To: <CABsx9T0hCAtJnA9YnmVAMjjSPB5W30e=cp8BX2mO--cWEzuSNQ@mail.gmail.com>
Date: Mon, 20 Feb 2012 22:29:57 +0100
Message-Id: <C0B1418A-11D9-4F4C-8C75-0261AEAD1F4A@ceptacle.com>
References: <3DA9C79B-D91D-48B2-9469-37BAA037FC50@ceptacle.com>
<CABsx9T0hCAtJnA9YnmVAMjjSPB5W30e=cp8BX2mO--cWEzuSNQ@mail.gmail.com>
To: Gavin Andresen <gavinandresen@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] BIP-13
> How will the code distinguish between the old scheme:
> [one-byte-version][20-byte-hash][4-byte-checksum]
> and the new?
>
> 1 in 256 old addresses will have a first-byte-of-checksum that matches the new address class; I guess the code would do something like:
>
> a) If the 4-byte checksum matches, then assume it is a singlesig address (1 in 2^32 multisig addresses will incorrectly match)
> b) If the one-byte-address-class and 3-byte checksum match, then it is a valid p2sh
> c) Otherwise, invalid address
Exactly!
>
> The 1 in 2^32 multisig addresses also being valid singlesig addresses makes me think this scheme won't work-- an attacker willing to generate 8 billion or so ECDSA keys could generate a single/multisig collision. I'm not sure how that could be leveraged to their advantage, but I bet they'd find a way.
Nope - it's almost like calling the version:0+5 possible collision with new evil, say "ponzicoin" with version=5 a possible flaw that could be exploited... And you can already create non-existing addresses with a matching checksum...
> I'd also encourage you to actually implement your idea between steps 3 and 4. But in this particular case, I think an attacker being able to create singlesig/p2sh address collisions counts as a major flaw.
I will rest my case, not due to the "flaw", but I got some info on the bitfields of the "version" (thanks Luke!) - this makes the +5 less arbitrary; however, I don't think the bitfield interpretation is that well known, so there might already be "version"-collisions...:
Network class:
00xxxxxx - main network
01xxxxxx - reserved
10xxxxxx - reserved
11xxxxxx - test network
Network:
xx00xxxx - bitcoin
xx01xxxx - reserved
xx10xxxx - OTHER (next octet)
xx11xxxx - Namecoin
Network specific:
xxxx000y - PubKeyHash
xxxx001y - reserved
xxxx010y - p2sh
xxxx011y - public key (raw)
xxxx100y - signature
xxxx101y - reserved
xxxx110y - private key (raw)
xxxx111y - OTHER (next octet)
y = 0/1 depending on aesthetics (I guess to force the address to be either 1 or 3).
This also opens up for extensions - (if xx10xxxx or xxxx111x) the next byte will be part of the version.
/M
>
> --
> --
> Gavin Andresen
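As an added illustration, not part of the original thread, here are Gavin's validation steps a/b/c and the version-byte bit-fields from the table above in Python. Assumed, because the thread does not spell them out: the proposed layout is [version][20-byte hash][class byte][3-byte checksum] with the 3-byte checksum taken from double-SHA256 over the preceding 22 bytes, and the bit-fields are read most-significant bit first.

```python
import hashlib
import os

def checksum4(data: bytes) -> bytes:
    """Bitcoin's address checksum: first 4 bytes of SHA256(SHA256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

# Version-byte bit-fields exactly as listed in the mail, read MSB first (assumption).
NETWORK_CLASS = {0b00: "main network", 0b01: "reserved", 0b10: "reserved", 0b11: "test network"}
NETWORK = {0b00: "bitcoin", 0b01: "reserved", 0b10: "OTHER (next octet)", 0b11: "Namecoin"}
KIND = {0b000: "PubKeyHash", 0b001: "reserved", 0b010: "p2sh", 0b011: "public key (raw)",
        0b100: "signature", 0b101: "reserved", 0b110: "private key (raw)", 0b111: "OTHER (next octet)"}

def decode_version(v: int) -> dict:
    """Split one version byte into the fields of the mail's table."""
    v &= 0xFF
    net, kind = (v >> 4) & 0b11, (v >> 1) & 0b111
    return {"network_class": NETWORK_CLASS[v >> 6], "network": NETWORK[net],
            "kind": KIND[kind], "y": v & 1,
            # xx10xxxx or xxxx111x: the next byte continues the version.
            "extended": net == 0b10 or kind == 0b111}

def encode_singlesig(version: int, hash20: bytes) -> bytes:
    """Old scheme: [version][20-byte hash][4-byte checksum]."""
    body = bytes([version]) + hash20
    return body + checksum4(body)

def encode_p2sh(version: int, hash20: bytes, addr_class: int) -> bytes:
    """Proposed scheme (assumed layout): [version][20-byte hash][class][3-byte checksum]."""
    body = bytes([version]) + hash20 + bytes([addr_class])
    return body + checksum4(body)[:3]

def classify(payload: bytes, p2sh_class: int) -> str:
    """Steps a/b/c from the quoted mail. Step (a) is tried first, so a p2sh payload whose
    class byte happens to complete a valid 4-byte checksum (1 in 2^32) reads as singlesig."""
    if len(payload) != 25:
        return "invalid"
    if payload[21:] == checksum4(payload[:21]):                                   # (a)
        return "singlesig"
    if payload[21] == p2sh_class and payload[22:] == checksum4(payload[:22])[:3]:  # (b)
        return "p2sh"
    return "invalid"                                                              # (c)

if __name__ == "__main__":
    h = os.urandom(20)          # constructed sample hash160
    print(decode_version(5))    # main network / bitcoin / p2sh / y=1, i.e. the "+5"
    print(classify(encode_singlesig(0, h), 5), classify(encode_p2sh(0, h, 5), 5))
```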