From: Steve Davis
Date: Sat, 25 Feb 2017 15:34:33 -0600
To: Dave Scotese
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers

Yea, well. I don't think it is ethical to post instructions without an associated remediation (BIP) if you don't see the potential attack.

I was rather hoping that we could have a fuller discussion of what the best practical response would be to such an issue?

> On Feb 25, 2017, at 3:21 PM, Dave Scotese <dscotese@litmocracy.com> wrote:
>
> I was under the impression that RIPEMD160(SHA256(msg)) is used to turn a PUBLIC key (msg) into a bitcoin address, so yeah, you could identify ANOTHER (or the same, I guess - how would you know?) public key that has the same bitcoin address if RIPEMD-160 collisions are easy, but I don't see how that has any effect on anyone. Maybe I'm restating what Peter wrote. If so, confirmation would be nice.
>
> On Sat, Feb 25, 2017 at 1:04 PM, Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > On Sat, Feb 25, 2017 at 03:53:12PM -0500, Russell O'Connor wrote:
> > > On Sat, Feb 25, 2017 at 2:12 PM, Peter Todd via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > > > On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev wrote:
> > > > > SHA1 is insecure because the SHA1 algorithm is insecure, not because 160bits isn't enough.
> > > >
> > > > I would argue that 160-bits isn't enough for collision resistance. Assuming RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisions
> > >
> > > That's something that we're well aware of; there have been a few discussions on this list about how P2SH's 160-bits is insufficient in certain use-cases such as multisig.
> > >
> > > However, remember that a 160-bit *security level* is sufficient, and RIPEMD160 has 160-bit security against preimage attacks. Thus things like pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys that have the same RIPEMD160(SHA256()) digest, but if someone does that it doesn't cause the Bitcoin network itself any harm, and doing so is something you choose to do to yourself.
> >
> > Be aware that the issue is more problematic for more complex contracts. For example, you are building a P2SH 2-of-2 multisig together with someone else; if you are not careful, party A can hand their key over to party B, who may try to generate a collision between their second key and another 2-of-2 multisig where they control both keys. See https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/012205.html
>
> I'm very aware of that, in fact I think I may have even been the first person to post on this list the commit-reveal mitigation.
>
> Note how I said earlier in the message you're replying to that "P2SH's 160-bits is insufficient in certain use-cases such as multisig"
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
>
> --
> I like to provide some work at no charge to prove my value. Do you need a techie?
> I own Litmocracy and Meme Racing (in alpha).
> I'm the webmaster for The Voluntaryist which now accepts Bitcoin.
> I also code for The Dollar Vigilante.
> "He ought to find it more profitable to play by the rules" - Satoshi Nakamoto
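The commit-reveal mitigation Peter refers to, as an added example that is not code from this thread or from Bitcoin Core: each party commits to SHA-256(nonce || pubkey) before anyone reveals a key, so a counterparty cannot pick its key after seeing yours and spend a ~2^80 collision budget against the 160-bit P2SH script hash, while P2PKH stays at full preimage strength. The key byte strings, the nonce-based commitment format and the function names are assumptions made for illustration.

```python
import hashlib
import secrets
from typing import Optional

# Keys are constructed 33-byte strings shaped like compressed pubkeys, not real points.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)): ~2^160 preimage security, but only ~2^80 against
    collisions when one party chooses both inputs. Missing in some OpenSSL 3 builds."""
    return hashlib.new("ripemd160", sha256(data)).digest()

def redeem_script_2of2(pk_a: bytes, pk_b: bytes) -> bytes:
    """OP_2 <pk_a> <pk_b> OP_2 OP_CHECKMULTISIG, with single-byte pushes."""
    return b"\x52" + bytes([len(pk_a)]) + pk_a + bytes([len(pk_b)]) + pk_b + b"\x52\xae"

class Party:
    """One side of the setup: commits to its pubkey before anyone reveals."""
    def __init__(self, pubkey: bytes) -> None:
        self.pubkey = pubkey
        self.nonce = secrets.token_bytes(32)  # hides the key inside the commitment

    def commit(self) -> bytes:
        return sha256(self.nonce + self.pubkey)

    def reveal(self) -> tuple:
        return self.nonce, self.pubkey

def opens(commitment: bytes, nonce: bytes, pubkey: bytes) -> bool:
    return sha256(nonce + pubkey) == commitment

def build_2of2(me: Party, their_commit: bytes, their_nonce: bytes,
               their_pubkey: bytes) -> Optional[bytes]:
    """Accept the counterparty's key only if it opens the commitment they sent
    before seeing ours; otherwise abort (None), since a key chosen after seeing
    ours could be the output of a collision search against the P2SH hash."""
    if not opens(their_commit, their_nonce, their_pubkey):
        return None
    return redeem_script_2of2(me.pubkey, their_pubkey)

if __name__ == "__main__":
    alice = Party(b"\x02" + bytes(range(32)))
    bob = Party(b"\x03" + bytes(range(32, 64)))
    c_bob = bob.commit()                     # exchanged before any key is revealed
    script = build_2of2(alice, c_bob, *bob.reveal())
    print("P2SH script hash:", hash160(script).hex())
    late = b"\x03" + bytes(32)               # a key Bob picks after seeing Alice's
    print("late key accepted:", build_2of2(alice, c_bob, bob.nonce, late) is not None)
```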