1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
|
Delivery-date: Tue, 25 Feb 2025 12:26:05 -0800
Received: from mail-yb1-f190.google.com ([209.85.219.190])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBD3YNWFH7IHBBU6O7C6QMGQECDZREGY@googlegroups.com>)
id 1tn1VE-0005tr-HX
for bitcoindev@gnusha.org; Tue, 25 Feb 2025 12:26:05 -0800
Received: by mail-yb1-f190.google.com with SMTP id 3f1490d57ef6-e5dd164ee83sf257925276.1
for <bitcoindev@gnusha.org>; Tue, 25 Feb 2025 12:26:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1740515158; x=1741119958; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=RUM348WlHHC0JzxPe2gbn6Mr7GYByPWzRADz6mX3A2A=;
b=s/KRl7n38TOUALw5PUZ5KYM27+SgPxI3jqG7NXy4WX/7YzM2i1kr/vxlkkhmq6CZAa
o6MiqfIBOGaEV66z3bZnbTYKu1ah3yQxHsNbUO0vnZRFvvfNji2OVKZ5UstrZSOPwZeg
owumQOWmHdHTJ2EpyO5rDFLdYjt0w+Jww0bHhovX3mOsZPq6CLzPXBoNuffd2nnLL8B8
eSUH0ZrF94gp348IVsQuNw+bg/d1a4+O3Gwe+AJaIwnTIW82qXhjG1tyn6q7GB5tUBMz
1xS5ntJ14HPOXxSrgyB1FJQdQNOgmyY4qGekPLhjOo3mDl9SCquUYoUjRIjcraS29CXg
QZvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1740515158; x=1741119958;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=RUM348WlHHC0JzxPe2gbn6Mr7GYByPWzRADz6mX3A2A=;
b=AYjuGWwSMWgigOQcB6IgblLfl0wWMIBNwHB+uQUedn5eIPDRhM+4DJLQUS85vo4Kxt
Pb5Ve25Bw9zuQrpxvGTCoqQ2uhAgoEzhHCJLGqWOCyLufSXGin4SY0tIAguedC4eQgtm
rXx98zCcUZ9AtztrDiADK5q6NgMLSXHb//QAV8L4FZR2mFk8ebeB2CYb8/WHCVk3uT5K
LR1PCcOKgE2BH3ejTRgjS3JeysnBgDaUuJoU+yr3rH9jMgsce5rh4pbjThB8+PyW6Q7c
1yhHD+EzGPtiY8XN8SYWqSE0zfw/PjUIO3qnGRu+gLm0fiuT3MvjVeVke0wTgATKwBkW
K6JA==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCUYwfizmv04ChmF4e0NwyC7A1bXVgtGC7xPEkZhO4wNc2NMsGNAixoih/AYNmRD02lbDFQbS5lQNlUH@gnusha.org
X-Gm-Message-State: AOJu0Yw78j2HyNez+YDwhNFoWZcINzEWDU9Zr0XOers1MfiDiDsC4Byz
hglmR+ngoIADHhz1YwMPwQ+sMBptlLcwTF2KslQCKfd6FnpXptJQ
X-Google-Smtp-Source: AGHT+IEy/454IfCi2Aql/Z0PsRk9QVrsV2gPhGbtABeJUmHu89SnwFkvvFSNQPLJRV9hxxtAQKBqYQ==
X-Received: by 2002:a05:6902:1b84:b0:e58:b99:6a5b with SMTP id 3f1490d57ef6-e5e24864353mr16305895276.8.1740515158455;
Tue, 25 Feb 2025 12:25:58 -0800 (PST)
X-BeenThere: bitcoindev@googlegroups.com; h=Adn5yVHr1SXQJ9LPuNKgMNe1nNkWVe5UMszas1VhhJbRkT+WKA==
Received: by 2002:a25:bbc7:0:b0:e60:8883:5aa4 with SMTP id 3f1490d57ef6-e6088835d2els555630276.2.-pod-prod-03-us;
Tue, 25 Feb 2025 12:25:55 -0800 (PST)
X-Received: by 2002:a05:690c:6888:b0:6fb:b36b:300f with SMTP id 00721157ae682-6fbcc81788emr155230147b3.27.1740515155100;
Tue, 25 Feb 2025 12:25:55 -0800 (PST)
Received: by 2002:a05:690c:600d:b0:6f9:77a0:782b with SMTP id 00721157ae682-6fbcb177b37ms7b3;
Tue, 25 Feb 2025 10:04:01 -0800 (PST)
X-Received: by 2002:a05:690c:744a:b0:6ef:64e8:c708 with SMTP id 00721157ae682-6fd10a15e15mr37900727b3.17.1740506638561;
Tue, 25 Feb 2025 10:03:58 -0800 (PST)
Date: Tue, 25 Feb 2025 10:03:58 -0800 (PST)
From: Hunter Beast <hunter@surmount.systems>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <8e1cf1b5-27d1-4510-afec-52fb28959189n@googlegroups.com>
In-Reply-To: <5550807e-0655-4895-bc66-1b67bfde8c3e@gmail.com>
References: <8797807d-e017-44e2-b419-803291779007n@googlegroups.com>
<5667eb21-cd56-411d-a29f-81604752b7c4@gmail.com>
<16d7adca-a01e-40c5-9570-31967ee339ecn@googlegroups.com>
<5550807e-0655-4895-bc66-1b67bfde8c3e@gmail.com>
Subject: Re: [bitcoindev] P2QRH / BIP-360 Update
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_413862_852546399.1740506638105"
X-Original-Sender: hunter@surmount.systems
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.7 (/)
------=_Part_413862_852546399.1740506638105
Content-Type: multipart/alternative;
boundary="----=_Part_413863_246398833.1740506638105"
------=_Part_413863_246398833.1740506638105
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Jonas,
I think I understand what you're getting at with your first point. The=20
thing is, to be able to include arbitrary data in the hashes provided to=20
resolve the Merkle tree, it would require an extraordinary amount of=20
computation to wind up with enough to store arbitrary data. And remember,=
=20
this is competing with just storing that data in the witness, so it has to=
=20
be 4x more economical. Consider a 1/1024 multisig, and the key being spent=
=20
is at the furthest depth in the tree. This means that they would need to=20
grind generating an elliptic curve public key in the hopes of getting a=20
hash collision just to include 11 hashes, or 352 bytes of arbitrary data.=
=20
This would also have to be a valid public key and signature pair. I don't=
=20
see this approach as being practical.
As for your second point, a 256 bit hash provides 128 bits of security,=20
correct? If so, I think that's still fine. Others in this thread have=20
commented that 256 bits is overkill.
Hunter
On Monday, February 24, 2025 at 8:27:53=E2=80=AFAM UTC-7 Jonas Nick wrote:
> What prevents arbitrary data being hashed and then included in the=20
attestation=20
> is, each signature public key pair must be able to verify the transaction=
=20
> message in order to be considered a valid transaction.=20
This appears to contradict the selective disclosure mechanism described in=
=20
the=20
BIP and this sentence in the "Script Validation" section:=20
> Public keys that are not needed can be excluded by including their hash=
=20
in the=20
> attestation accompanied with an empty signature=20
Even if the selective disclosure vulnerability is fixed by committing to=20
the=20
multisig semantics in the P2QRH output, any unopened public key commitment=
=20
could=20
still be "abused" for arbitrary data storage. Similar to the scenario in my=
=20
previous post, if the root R is MerkleRoot([leafhash1, leafhash2]) and the=
=20
multisig policy is "1-of-2", then we can set=20
leafhash1 :=3D data=20
leafhash2 :=3D hash(public_key_secp256k1)=20
and post the data to the chain by spending the output using an attestation=
=20
structure that includes leafhash1, an empty signature, public_key_secp256k1=
=20
and=20
the corresponding signature.=20
> I will admit I don't understand this attack. Can you provide more details=
=20
on=20
> how it works, and how it might be possible to mitigate?=20
To give more context, this attack is intended as a concrete demonstration=
=20
of how=20
breaking the collision resistance of the hash function used in the Merkle=
=20
tree=20
can enable an adversary to steal coins. Here's a different explanation for=
=20
essentially the same attack in the context of P2SH vs. P2WSH:=20
https://bitcoin.stackexchange.com/a/54847/35586=20
The attack against the BIP's proposed signature scheme (where the Merkle=20
tree is=20
constructed from public keys and then an ordinary signature scheme is=20
applied to=20
one or more of the committed public keys) can be mitigated by using a hash=
=20
function with a larger output space (e.g., SHA-512).=20
However, I'm not suggesting to do this. My point is that while the BIP aims=
=20
for=20
256 bits of security by using NIST strength level V parameters, it does not=
=20
actually achieve that security level (when the adversary can affect any of=
=20
the=20
leaves as in multisignatures, for example).=20
The Bitcoin protocol relies heavily on collision-resistance of SHA-256,=20
which is=20
pretty much the definition of NIST strength level II [0].=20
[0]=20
https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-crypt=
ography-standardization/evaluation-criteria/security-(evaluation-criteria)=
=20
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
8e1cf1b5-27d1-4510-afec-52fb28959189n%40googlegroups.com.
------=_Part_413863_246398833.1740506638105
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Jonas,<div><br /></div><div>I think I understand what you're getting at =
with your first point. The thing is, to be able to include arbitrary data i=
n the hashes provided to resolve the Merkle tree, it would require an extra=
ordinary amount of computation to wind up with enough to store arbitrary da=
ta. And remember, this is competing with just storing that data in the witn=
ess, so it has to be 4x more economical. Consider a 1/1024 multisig, and th=
e key being spent is at the furthest depth in the tree. This means that the=
y would need to grind generating an elliptic curve public key in the hopes =
of getting a hash collision just to include 11 hashes, or 352 bytes of arbi=
trary data. This would also have to be a valid public key and signature pai=
r. I don't see this approach as being practical.</div><div><br /></div><div=
>As for your second point, a 256 bit hash provides 128 bits of security, co=
rrect? If so, I think that's still fine. Others in this thread have comment=
ed that 256 bits is overkill.</div><div><br /></div><div>Hunter<br /><br />=
<div><div dir=3D"auto">On Monday, February 24, 2025 at 8:27:53=E2=80=AFAM U=
TC-7 Jonas Nick wrote:<br /></div><blockquote style=3D"margin: 0px 0px 0px =
0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> >=
What prevents arbitrary data being hashed and then included in the attesta=
tion
<br /> > is, each signature public key pair must be able to verify the t=
ransaction
<br /> > message in order to be considered a valid transaction.
<br />
<br />This appears to contradict the selective disclosure mechanism describ=
ed in the
<br />BIP and this sentence in the "Script Validation" section:
<br />
<br /> > Public keys that are not needed can be excluded by including th=
eir hash in the
<br /> > attestation accompanied with an empty signature
<br />
<br />Even if the selective disclosure vulnerability is fixed by committing=
to the
<br />multisig semantics in the P2QRH output, any unopened public key commi=
tment could
<br />still be "abused" for arbitrary data storage. Similar to the scenario=
in my
<br />previous post, if the root R is MerkleRoot([leafhash1, leafhash2]) an=
d the
<br />multisig policy is "1-of-2", then we can set
<br />
<br />leafhash1 :=3D data
<br />leafhash2 :=3D hash(public_key_secp256k1)
<br />
<br />and post the data to the chain by spending the output using an attest=
ation
<br />structure that includes leafhash1, an empty signature, public_key_sec=
p256k1 and
<br />the corresponding signature.
<br />
<br /> > I will admit I don't understand this attack. Can you provide mo=
re details on
<br /> > how it works, and how it might be possible to mitigate?
<br />
<br />To give more context, this attack is intended as a concrete demonstra=
tion of how
<br />breaking the collision resistance of the hash function used in the Me=
rkle tree
<br />can enable an adversary to steal coins. Here's a different explanatio=
n for
<br />essentially the same attack in the context of P2SH vs. P2WSH:
<br /><a href=3D"https://bitcoin.stackexchange.com/a/54847/35586" target=3D=
"_blank" rel=3D"nofollow">https://bitcoin.stackexchange.com/a/54847/35586</=
a>
<br />
<br />The attack against the BIP's proposed signature scheme (where the Mer=
kle tree is
<br />constructed from public keys and then an ordinary signature scheme is=
applied to
<br />one or more of the committed public keys) can be mitigated by using a=
hash
<br />function with a larger output space (e.g., SHA-512).
<br />
<br />However, I'm not suggesting to do this. My point is that while the BI=
P aims for
<br />256 bits of security by using NIST strength level V parameters, it do=
es not
<br />actually achieve that security level (when the adversary can affect a=
ny of the
<br />leaves as in multisignatures, for example).
<br />
<br />The Bitcoin protocol relies heavily on collision-resistance of SHA-25=
6, which is
<br />pretty much the definition of NIST strength level II [0].
<br />
<br />[0] <a href=3D"https://csrc.nist.gov/projects/post-quantum-cryptograp=
hy/post-quantum-cryptography-standardization/evaluation-criteria/security-(=
evaluation-criteria)" target=3D"_blank" rel=3D"nofollow">https://csrc.nist.=
gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardiz=
ation/evaluation-criteria/security-(evaluation-criteria)</a>
<br /></blockquote></div></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/8e1cf1b5-27d1-4510-afec-52fb28959189n%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/8e1cf1b5-27d1-4510-afec-52fb28959189n%40googlegroups.com</a>.<br />
------=_Part_413863_246398833.1740506638105--
------=_Part_413862_852546399.1740506638105--
|
