path: root/ac/45925e8f86e218d0c58755aef4117fa4e0291d

Return-Path: <watsonbladd@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 72F85E4E
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  8 Jan 2016 14:34:10 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-yk0-f177.google.com (mail-yk0-f177.google.com
	[209.85.160.177])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id DD927F5
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  8 Jan 2016 14:34:09 +0000 (UTC)
Received: by mail-yk0-f177.google.com with SMTP id k129so341205482yke.0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri, 08 Jan 2016 06:34:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=ntAewp8E1JhXpnKB8QcOGVzwXfYxXzDtVyAdMThvw4M=;
	b=DhZ0Q9ysTHdJLNon++M+iqELIlLuVIMHRV3psH9W1JkCsRJubFPlkRbiWcyiwkWc8R
	uBWyc5vglYQheLG1oZpt1zncp1ZTi0KB56aDeJaT9u3WpggdPd8GwgvHY3PP+Io4yCMk
	ccuxdySIw9CBoDLE3sPsNqrtnbbrfPjSMs026ieLijG4+w9bs5pPQckRZTrSYOjw+aO5
	bNkRiHnb1308lk+0UkZNCY7BDE4itoCqf+gQ/kBQLqWhn1DFinb/FCKyPQECe46jB7go
	Lv24xMeNUu5n5GFYFHDVFz1V0WsNK6dYex+rty/c77/KgSnWog5H94kKwWhpf+rtehtr
	epFw==
MIME-Version: 1.0
X-Received: by 10.13.213.215 with SMTP id x206mr83515861ywd.97.1452263649247; 
	Fri, 08 Jan 2016 06:34:09 -0800 (PST)
Received: by 10.13.216.150 with HTTP; Fri, 8 Jan 2016 06:34:09 -0800 (PST)
In-Reply-To: <CABsx9T1gmz=sr_sEEuy8BQU6SXdmi58O30rzRWNW=0Ej98fi4A@mail.gmail.com>
References: <CABsx9T3aTme2EQATamGGzeqNqJkUcPGa=0LVidJSRYNznM-myQ@mail.gmail.com>
	<CAPg+sBhH0MODjjp8Avx+Fy_UGqzMjUq_jn3vT3oH=u3711tsSA@mail.gmail.com>
	<8760z4rbng.fsf@rustcorp.com.au>
	<C4B5B9F1-9C53-45BC-9B30-F572C78096E3@mattcorallo.com>
	<8737u8qnye.fsf@rustcorp.com.au>
	<CABsx9T1gmz=sr_sEEuy8BQU6SXdmi58O30rzRWNW=0Ej98fi4A@mail.gmail.com>
Date: Fri, 8 Jan 2016 06:34:09 -0800
Message-ID: <CACsn0cmE-c3MCAegH6QaFfDg6NDgNy7tKbczsxtQvkWBnLYJgw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Gavin Andresen <gavinandresen@gmail.com>
Content-Type: text/plain; charset=UTF-8
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 08 Jan 2016 14:37:04 +0000
Cc: Rusty Russell via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or
	not?
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2016 14:34:10 -0000

On Fri, Jan 8, 2016 at 4:38 AM, Gavin Andresen via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Fri, Jan 8, 2016 at 7:02 AM, Rusty Russell <rusty@rustcorp.com.au> wrote:
>>
>> Matt Corallo <lf-lists@mattcorallo.com> writes:
>> > Indeed, anything which uses P2SH is obviously vulnerable if there is
>> > an attack on RIPEMD160 which reduces it's security only marginally.
>>
>> I don't think this is true?  Even if you can generate a collision in
>> RIPEMD160, that doesn't help you since you need to create a specific
>> SHA256 hash for the RIPEMD160 preimage.
>>
>> Even a preimage attack only helps if it leads to more than one preimage
>> fairly cheaply; that would make grinding out the SHA256 preimage easier.
>> AFAICT even MD4 isn't this broken.
>
>
> It feels like we've gone over that before, but I can never remember where or
> when. I believe consensus was that if we were using the broken MD5 in all
> the places we use RIPEMD160 we'd still be secure today because of Satoshi's
> use of nested hash functions everywhere.
>
>>
>> But just with Moore's law (doubling every 18 months), we'll worry about
>> economically viable attacks in 20 years.[1]
>>
>>
>> That's far enough away that I would choose simplicity, and have all SW
>> scriptPubKeys simply be "<0> RIPEMD(SHA256(WP))" for now, but it's
>> not a no-brainer.
>
>
> Lets see if I've followed the specifics of the collision attack correctly,
> Ethan (or somebody) please let me know if I'm missing something:
>
> So attacker is in the middle of establishing a payment channel with
> somebody. Victim gives their public key, attacker creates the innocent
> fund-locking script  '2 V A 2 CHECKMULTISIG' (V is victim's public key, A is
> attacker's) but doesn't give it to the victim yet.
>
> Instead they then generate about 2^81scripts that are some form of
> pay-to-attacker ....
> ... wait, no that doesn't work, because SHA256 is used as the inner hash
> function.  They'd have to generate 2^129 to find a cycle in SHA256.

For 2^80 they simply generate 2^80 scripts that look innocent, and
2^80 that are not. With high probability there is a collision. I agree
that most cryptanalysis won't work because of the nesting, but 2^80 is
not good.
>
> Instead, they .. what? I don't see a viable attack unless RIPEMD160 and
> SHA256 (or the combination) suffers a cryptographic break.
>
>
> --
> --
> Gavin Andresen
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.