From: Jonas Nick
Date: Mon, 24 Feb 2025 13:17:07 +0000
Subject: Re: [bitcoindev] P2QRH / BIP-360 Update
To: bitcoindev@googlegroups.com
Message-ID: <5550807e-0655-4895-bc66-1b67bfde8c3e@gmail.com>
In-Reply-To: <16d7adca-a01e-40c5-9570-31967ee339ecn@googlegroups.com>
References: <8797807d-e017-44e2-b419-803291779007n@googlegroups.com> <5667eb21-cd56-411d-a29f-81604752b7c4@gmail.com> <16d7adca-a01e-40c5-9570-31967ee339ecn@googlegroups.com>

> What prevents arbitrary data being hashed and then included in the attestation
> is, each signature public key pair must be able to verify the transaction
> message in order to be considered a valid transaction.
This appears to contradict the selective disclosure mechanism described in the
BIP and this sentence in the "Script Validation" section:

> Public keys that are not needed can be excluded by including their hash in the
> attestation accompanied with an empty signature

Even if the selective disclosure vulnerability is fixed by committing to the
multisig semantics in the P2QRH output, any unopened public key commitment
could still be "abused" for arbitrary data storage. Similar to the scenario in
my previous post, if the root R is MerkleRoot([leafhash1, leafhash2]) and the
multisig policy is "1-of-2", then we can set

    leafhash1 := data
    leafhash2 := hash(public_key_secp256k1)

and post the data to the chain by spending the output using an attestation
structure that includes leafhash1, an empty signature, public_key_secp256k1 and
the corresponding signature.

> I will admit I don't understand this attack. Can you provide more details on
> how it works, and how it might be possible to mitigate?

To give more context, this attack is intended as a concrete demonstration of
how breaking the collision resistance of the hash function used in the Merkle
tree can enable an adversary to steal coins. Here's a different explanation for
essentially the same attack in the context of P2SH vs. P2WSH:
https://bitcoin.stackexchange.com/a/54847/35586

The attack against the BIP's proposed signature scheme (where the Merkle tree
is constructed from public keys and then an ordinary signature scheme is
applied to one or more of the committed public keys) can be mitigated by using
a hash function with a larger output space (e.g., SHA-512). However, I'm not
suggesting to do this. My point is that while the BIP aims for 256 bits of
security by using NIST strength level V parameters, it does not actually
achieve that security level (when the adversary can affect any of the leaves
as in multisignatures, for example).
The Bitcoin protocol relies heavily on collision-resistance of SHA-256, which
is pretty much the definition of NIST strength level II [0].

[0] https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria)
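The two points made in this message, as an added stand-alone Python model (this is not code from BIP-360, from the mailing list, or from the author of the message). The attestation layout, the use of a Lamport one-time signature as a hash-based stand-in for the BIP's signature scheme, the leaf hash, the seeds and the transaction message are all assumptions constructed for the example. It shows that a verifier following the quoted validation rule ("each public key must verify the message", closed leaves are "hash plus empty signature") accepts a closed leaf that is arbitrary data, because the only thing the verifier does with a closed leaf is feed its 32 bytes into the root; and it states the birthday bound under which SHA-256 collision search is about 128 bits of work, the NIST level II figure referred to above.

```python
import hashlib

# Added illustration, not BIP-360 or bitcoindev code. The leaf/attestation
# layout, Lamport OTS as the signature scheme, seeds and messages are all
# constructed assumptions used to model the discussion.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (hash-based stand-in for the BIP's scheme) ---

def lamport_keygen(seed: bytes):
    """256 pairs of 32-byte secrets from a seed; public key = their hashes."""
    sk = [[sha256(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)]
          for i in range(256)]
    pk = b"".join(sha256(pair[0]) + sha256(pair[1]) for pair in sk)
    return sk, pk  # pk is 256 * 64 bytes; pair i sits at offset i * 64


def _msg_bits(msg: bytes):
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> bytes:
    # Reveal, per message-hash bit, the secret whose hash is in the public key.
    return b"".join(sk[i][bit] for i, bit in enumerate(_msg_bits(msg)))


def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    for i, bit in enumerate(_msg_bits(msg)):
        expected = pk[i * 64 + bit * 32 : i * 64 + bit * 32 + 32]
        if sha256(sig[i * 32 : i * 32 + 32]) != expected:
            return False
    return True


# --- Merkle commitment over public keys with selective disclosure ---

def leaf_hash(pubkey: bytes) -> bytes:
    return sha256(pubkey)


def merkle_root(leaf_hashes) -> bytes:
    level = list(leaf_hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def opened(pubkey: bytes, sig: bytes):
    return {"pubkey": pubkey, "sig": sig}


def closed(lh: bytes):
    # "excluded by including their hash ... accompanied with an empty signature"
    return {"leaf_hash": lh, "sig": b""}


def verify_attestation(root: bytes, threshold: int, msg: bytes, entries) -> bool:
    """Model of the quoted rule: every opened key must verify msg, closed
    leaves contribute only their hash, and >= threshold keys must sign."""
    leaves, signers = [], 0
    for e in entries:
        if "pubkey" in e:
            if not lamport_verify(e["pubkey"], msg, e["sig"]):
                return False
            leaves.append(leaf_hash(e["pubkey"]))
            signers += 1
        else:
            if e["sig"] != b"":
                return False
            # A closed leaf is just 32 bytes fed into the root: the verifier
            # cannot tell a public key hash from arbitrary data here.
            leaves.append(e["leaf_hash"])
    return merkle_root(leaves) == root and signers >= threshold


TX_MSG = b"constructed transaction digest for the example"  # assumption


def honest_1_of_2() -> bool:
    """Both leaves are real keys; key 1 signs, key 2 stays closed."""
    sk1, pk1 = lamport_keygen(b"example-seed-1")
    _, pk2 = lamport_keygen(b"example-seed-2")
    root = merkle_root([leaf_hash(pk1), leaf_hash(pk2)])
    return verify_attestation(root, 1, TX_MSG, [
        opened(pk1, lamport_sign(sk1, TX_MSG)), closed(leaf_hash(pk2))])


def data_in_unopened_leaf(data: bytes) -> bool:
    """leafhash1 := data (one 32-byte chunk), leafhash2 := hash(real key);
    the spend opens only key 2. Returns whether the model verifier accepts."""
    chunk = data[:32].ljust(32, b"\0")
    sk2, pk2 = lamport_keygen(b"example-seed-2")
    root = merkle_root([chunk, leaf_hash(pk2)])
    return verify_attestation(root, 1, TX_MSG, [
        closed(chunk), opened(pk2, lamport_sign(sk2, TX_MSG))])


def forged_signature_spend() -> bool:
    """Sanity check: a signature made with a key not matching pk1 is refused."""
    _, pk1 = lamport_keygen(b"example-seed-1")
    _, pk2 = lamport_keygen(b"example-seed-2")
    sk3, _ = lamport_keygen(b"example-seed-3")
    root = merkle_root([leaf_hash(pk1), leaf_hash(pk2)])
    return verify_attestation(root, 1, TX_MSG, [
        opened(pk1, lamport_sign(sk3, TX_MSG)), closed(leaf_hash(pk2))])


def generic_collision_bits(hash_output_bits: int) -> int:
    """Birthday bound: a collision in an n-bit hash costs about 2^(n/2) work,
    so SHA-256 gives ~128 bits once an adversary can choose leaves."""
    return hash_output_bits // 2


if __name__ == "__main__":
    print("honest 1-of-2 accepted:", honest_1_of_2())
    print("arbitrary data in closed leaf accepted:", data_in_unopened_leaf(b"payload"))
    print("forged signature accepted:", forged_signature_spend())
    print("SHA-256 collision security bits:", generic_collision_bits(256))
```

The model verifier does exactly what the quoted rule asks and still accepts `data_in_unopened_leaf`, which is the point of the message: committing to the multisig policy in the output does not change what a closed leaf is, so the check that would have to distinguish a key hash from data has nothing to look at. The `generic_collision_bits` function is the reason a 256-bit hash over adversary-influenced leaves gives level II rather than level V security.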