Date: Sat, 25 Feb 2017 16:04:06 -0500
From: Peter Todd
To: Russell O'Connor
Cc: Bitcoin Protocol Discussion, Steve Davis
Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers
Message-ID: <20170225210406.GA16196@savin.petertodd.org>

On Sat, Feb 25, 2017 at 03:53:12PM -0500, Russell O'Connor wrote:
> On Sat, Feb 25, 2017 at 2:12 PM, Peter Todd via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> > On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev wrote:
> > > > SHA1 is insecure because the SHA1 algorithm is insecure, not because
> > > > 160 bits isn't enough.
> > >
> > > I would argue that 160 bits isn't enough for collision resistance. Assuming
> > > RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisions
> >
> > That's something that we're well aware of; there have been a few discussions on
> > this list about how P2SH's 160 bits is insufficient in certain use-cases such
> > as multisig.
> >
> > However, remember that a 160-bit *security level* is sufficient, and RIPEMD160
> > has 160-bit security against preimage attacks. Thus things like
> > pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys
> > that have the same RIPEMD160(SHA256()) digest, but if someone does that it
> > doesn't cause the Bitcoin network itself any harm, and doing so is something
> > you choose to do to yourself.
> >
>
> Be aware that the issue is more problematic for more complex contracts.
> For example, if you are building a P2SH 2-of-2 multisig together with someone
> else and you are not careful, party A can hand their key over to party B,
> who may try to generate a collision between their second key and
> another 2-of-2 multisig where they control both keys. See
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/012205.html

I'm very aware of that, in fact I think I may have even been the first person
to post on this list the commit-reveal mitigation.

Note how I said earlier in the message you're replying to that "P2SH's 160 bits
is insufficient in certain use-cases such as multisig".

--
https://petertodd.org 'peter'[:-1]@petertodd.org
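As an added example that is not part of the thread: a simulation of the commit-reveal exchange Peter Todd refers to, applied to the 2-of-2 P2SH multisig case Russell describes, plus the generic collision/preimage work bounds for a 160-bit digest. `Party`, `commit` and `exchange_keys` are assumed names, the pubkeys are constructed placeholders, and SHA-256 is used for the commitment itself.

```python
# Added example, not code from the bitcoin-dev thread. Each party commits
# to its pubkey before seeing the other's, so neither can grind a key
# that collides with a script it controls. Pubkeys here are placeholders.
import hashlib
import secrets

DIGEST_BITS = 160  # RIPEMD160(SHA256(script)) as used by P2SH


def security_bits(digest_bits: int = DIGEST_BITS) -> dict:
    """Ideal-hash bounds: collisions ~2^(n/2), preimages ~2^n.
    For P2SH that is 2^80 collision work vs 2^160 preimage work."""
    return {"collision": digest_bits // 2, "preimage": digest_bits}


def commit(pubkey: bytes, nonce: bytes) -> bytes:
    """Hiding and binding commitment: the nonce hides the key, the hash binds it."""
    return hashlib.sha256(nonce + pubkey).digest()


class Party:
    def __init__(self, pubkey: bytes):
        self.pubkey = pubkey
        self.nonce = secrets.token_bytes(32)

    def commitment(self) -> bytes:
        return commit(self.pubkey, self.nonce)

    def reveal(self) -> tuple:
        return self.pubkey, self.nonce


def check_reveal(commitment: bytes, pubkey: bytes, nonce: bytes) -> bool:
    return commit(pubkey, nonce) == commitment


def exchange_keys(a: Party, b: Party, b_reveal: tuple = None) -> list:
    """Round 1: both publish commitments before any key is disclosed.
    Round 2: both reveal; a key that does not match its commitment is
    rejected, which is what stops a late key substitution."""
    ca, cb = a.commitment(), b.commitment()
    pa, na = a.reveal()
    pb, nb = b_reveal if b_reveal is not None else b.reveal()
    if not (check_reveal(ca, pa, na) and check_reveal(cb, pb, nb)):
        raise ValueError("reveal does not match commitment")
    return sorted([pa, pb])  # fixed key order for the redeem script


if __name__ == "__main__":
    A = Party(b"\x02" + b"\x11" * 32)  # constructed placeholder pubkeys
    B = Party(b"\x03" + b"\x22" * 32)
    print(security_bits(), exchange_keys(A, B))
```

Passing a substituted `b_reveal` to `exchange_keys` models a party that changes its key after committing; the mismatch is detected and the exchange aborts.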