Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?
On Fri, Jan 8, 2016 at 3:46 PM, Gavin Andresen via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > How many years until we think a 2^84 attack where the work is an ECDSA > private->public key derivation will take a reasonable amount of time? > I think the EC multiply is not actually required. With compressed public keys, the script selection rule can just be a sha256 call instead. V is the public key of the victim, and const_pub_key is the attacker's public key. if prev_hash % 2 == 0: script = "2 V 0x02%s 2 CHECKMULTISIG" % (sha256(prev_hash))) else: script = "CHECKSIG %s OP_DROP" % (prev_hash, const_pub_key) next_hash = ripemd160(sha256(script)) If a collision is found, there is a 50% chance that the two scripts have different parity and there is a 50% chance that a compressed key is a valid key. This means that you need to run the algorithm 4 times instead of 2. The advantage is that each step is 2 sha256 calls and a ripemd160 call. No EC multiply is required. ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] New BIP editor, and request for information
On Thu, Jan 7, 2016 at 5:10 PM, Luke Dashjrwrote: > - BIP 46 is missing from the repository, but apparently self-soft-assigned > by > Tier Nolan in > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2014-April/005545.html > ; if this was later assigned official, or if he is still > interested in pursuing this, it seems logical to just keep it at BIP 46. > I was never officially assigned any number for this. Subsequent P2SH changes give the required functionality in an alternative way. This renders the BIP obsolete. I suggest marking the number as nonassignable, in order to prevent confusion with archive searches. I assume that new BIP numbers will be greater than 100 anyway. As was pointed out at the time, I shouldn't have used a number in the original git branch before being assigned it officially. ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?
On Fri, Jan 8, 2016 at 4:50 PM, Gavin Andresen via bitcoin-devwrote: > And to fend off the messag that I bet somebody is composing right now: > > Yes, I know about a "security first" mindset. But as I said earlier in the > thread, there is a tradeoff here between crypto strength and code > complexity, and "the strength of the crypto is all that matters" is NOT > security first. If the crypto code is properly encapsulated, the code complexity costs of choosing one hashing function over another should be non-existent. You made the space argument which is valid, but in my opinion code complexity shouldn't be a valid concern in this discussion. As a maybe uninteresting anecdote, I proposed the asset IDs in https://github.com/ElementsProject/elements/tree/alpha-0.10-multi-asset to do the same ```ripemd160 . sha256``` choice that Mark Friedenbach had proposed and I had approved for https://github.com/jtimon/freimarkets/blob/master/doc/freimarkets_specs.org#asset-tags . More humble than me, he admitted he had made a design mistake much earlier than me, who (maybe paradoxically) probably had less knowledge for making crypto choices at the low level. In the end I was convinced with examples I failed to write down for documentation and can't remember. That's not to say I have anything to say in this debate other than code complexity (which I do feel qualified to talk about) shouldn't be a concern in this debate. Just want to focus the discussion on what it should be: security vs space tradeoff. Since I am admittedly in doubt, I tend to prefer to play safe, but neither my feelings nor my anecdote are logical arguments and should, therefore, be ignored for any conclusions in the ```ripemd160 . sha256``` vs sha256d debate. Just like you non-sequitor "sha256d will lead to more code complexity", if anything, sha256d should be simpler than ```ripemd160 . sha256``` (but not simpler enough that it matters much). ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev