> "The problem case is where someone in a contract setup shows you a
script, which you accept as being a payment to yourself. An attacker could
use a collision attack to construct scripts with identical hashes, only one
of which does have the property you want, and steal coins.
>
> So you really
On Thu, Jan 7, 2016 at 6:52 PM, Pieter Wuille wrote:
> Bitcoin does have parts that rely on economic arguments for security or
> privacy, but can we please stick to using cryptography that is up to par
> for parts where we can? It's a small constant factor of data, and
So just because other attacks are possible we should weaken the crypto
we use? You may feel comfortable weakening crypto used to protect a few
billion dollars of other peoples' money, but I don't.
On 01/07/16 23:39, Gavin Andresen via bitcoin-dev wrote:
> Thanks, Ethan, that's helpful and I'll
> Ethan: your algorithm will find two arbitrary values that collide. That isn't
> useful as an attack in the context we're talking about here (both of those
> values will be useless as coin destinations with overwhelming probability).
I'm not sure exactly the properties you want here and
On Thu, Jan 7, 2016 at 8:26 PM, Matt Corallo wrote:
> So just because other attacks are possible we should weaken the crypto
> we use? You may feel comfortable weakening crypto used to protect a few
> billion dollars of other peoples' money, but I don't.
>
No...
I'm
Indeed, anything which uses P2SH is obviously vulnerable if there is an attack
on RIPEMD160 which reduces its security only marginally. While no one thought
hard about these attacks when P2SH was designed, we realized later this was not
such a good idea to reuse the structure from P2PKH. Hence
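The attack described at the top of the thread (two scripts with the same hash, only one of which has the property the victim checks), worked through as an added example; this is not code from the thread or from Bitcoin Core. It assumes a simplified Bitcoin Script encoding, constructed placeholder public keys, and a HASH160 truncated to 32 bits so the birthday search finishes in seconds; the cost functions at the end apply the same arithmetic to the full 160-bit digest and to the hashrate figure quoted later in the thread, treating the network's SHA256d rate as a proxy for hash evaluations the way the thread does.

```python
"""Toy P2SH collision attack: added example, not code from the bitcoin-dev thread.

Real P2SH commits to a redeem script with HASH160 = RIPEMD160(SHA256(script)),
a 160-bit digest, so a generic birthday collision costs about 2^80 hash
evaluations (and comparable memory for the naive table-based variant). To
make the attack run in seconds, this demo keeps the same construction but
truncates the digest to TRUNC_BITS bits, which drops the cost to about
2^(TRUNC_BITS / 2). The script encoding is a simplified stand-in for Bitcoin
Script; the nonce push followed by OP_DROP is the attacker's free-to-vary
padding, the analogue of "arbitrary_data" in the thread.
"""
import hashlib
import math

TRUNC_BITS = 32                     # demo only; real P2SH uses all 160 bits
assert TRUNC_BITS % 8 == 0

# Opcode bytes as Bitcoin Script encodes them (only those the toy scripts use).
OP_2, OP_DROP, OP_CHECKSIG, OP_CHECKMULTISIG = b"\x52", b"\x75", b"\xac", b"\xae"

# Constructed, arbitrary 33-byte stand-ins for compressed public keys (not real keys).
VICTIM_PUBKEY = b"\x02" + b"\x11" * 32
ATTACKER_PUBKEY = b"\x03" + b"\x22" * 32


def push(data: bytes) -> bytes:
    """Direct push of up to 75 bytes: one length byte, then the data."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)), the digest P2SH commits to."""
    inner = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", inner).digest()
    except ValueError:
        # Assumed fallback for OpenSSL builds without RIPEMD160: any 160-bit
        # digest has the same birthday bound. Bitcoin itself always uses RIPEMD160.
        return hashlib.sha256(inner).digest()[:20]


def script_hash(script: bytes) -> int:
    """The toy commitment: HASH160 truncated to TRUNC_BITS bits."""
    return int.from_bytes(hash160(script)[: TRUNC_BITS // 8], "big")


def honest_script(nonce: int) -> bytes:
    """2-of-2 multisig with the victim: the script the victim is shown and checks."""
    return (push(nonce.to_bytes(8, "big")) + OP_DROP
            + OP_2 + push(VICTIM_PUBKEY) + push(ATTACKER_PUBKEY) + OP_2
            + OP_CHECKMULTISIG)


def evil_script(nonce: int) -> bytes:
    """Attacker-only spend: never shown to the victim, revealed only when spending."""
    return (push(nonce.to_bytes(8, "big")) + OP_DROP
            + push(ATTACKER_PUBKEY) + OP_CHECKSIG)


def victim_accepts(script: bytes) -> bool:
    """The property the victim checks before funding the hash: it requires my key."""
    return push(VICTIM_PUBKEY) in script and OP_CHECKMULTISIG in script


def find_collision(table_size: int = 1 << (TRUNC_BITS // 2 + 1)):
    """Two-set birthday attack.

    Hash ~2^(n/2) honest variants into a table, then try evil variants until
    one hits. Expected work is O(2^(n/2)) hashes on each side and O(2^(n/2))
    table entries, which is the trade-off the thread argues about for n = 160.
    """
    table = {script_hash(honest_script(i)): i for i in range(table_size)}
    nonce = 0
    while True:                      # expected to finish after ~2^(n/2 - 1) tries
        h = script_hash(evil_script(nonce))
        if h in table:
            return honest_script(table[h]), evil_script(nonce)
        nonce += 1


def birthday_work_bits(hash_bits: int) -> float:
    """log2 of the hash evaluations a generic birthday collision needs."""
    return hash_bits / 2


def days_for_work(work_bits: float, gigahash_per_s: float) -> float:
    """Wall-clock days to perform 2**work_bits hash evaluations at a rate in GH/s."""
    return 2 ** work_bits / (gigahash_per_s * 1e9) / 86400


def work_bits_in_days(gigahash_per_s: float, days: float) -> float:
    """log2 of the evaluations a rate in GH/s performs in the given number of days."""
    return math.log2(gigahash_per_s * 1e9 * 86400 * days)


if __name__ == "__main__":
    honest, evil = find_collision()
    print("victim accepts honest script:", victim_accepts(honest))
    print("victim accepts evil script:  ", victim_accepts(evil))
    print("truncated hashes equal:      ", script_hash(honest) == script_hash(evil))
    print("full HASH160 equal:          ", hash160(honest) == hash160(evil))
    print("full P2SH birthday work: 2^%d" % birthday_work_bits(160))
    print("days at 775,464,121 GH/s: %.1f" % days_for_work(80, 775_464_121))
```

Running it finds a pair of scripts whose truncated hashes match while `victim_accepts` is true only for the honest one, which is exactly the situation the thread warns about: the victim funds a hash after inspecting a script that needs their key, and the attacker later redeems it with a different script that does not. With the full 160-bit digest the same search needs roughly 2^80 evaluations, which at 775,464,121 GH/s is about 18 days of the whole network's hashing; the table memory of the naive variant is the other cost raised in the thread, and the 32-bit truncation here is the only thing that makes the demo cheap.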
Not strictly speaking a wallet but we (BlockCypher) will also go down the
segwit path as soon as the BIP and branch are mature enough. All
transactions built from our APIs should eventually be segwitted (just made
up a verb).
Thanks,
Matthieu
*CTO and Founder, Blockcypher*
I have been informed
Based on the current GH/s count of 775,464,121, Bitcoin tests 2^80 every 19 days.
log2(775464121*(1000*1000*1000*60*60*24*19)) = ~80.07
I don't fully understand the security model of segwit, so my analysis
will assume that any collision is bad.
>But it also requires O(2^80) storage, which is utterly
Maybe I'm being dense, but I don't see why 2**80 storage is required for
this attack. Also, I don't see why the attacker ever needs to get the
victim to accept "arbitrary_data". Perhaps I'm wrong about how the
collision attack works:
1. Create a script which is perfectly acceptable and would