From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 01D82EAE for ; Fri, 8 Jan 2016 12:02:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from ozlabs.org (ozlabs.org [103.22.144.67]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 42BD8123 for ; Fri, 8 Jan 2016 12:02:26 +0000 (UTC) Received: by ozlabs.org (Postfix, from userid 1011) id C6F8A1402B4; Fri, 8 Jan 2016 23:02:23 +1100 (AEDT) From: Rusty Russell To: Matt Corallo , Rusty Russell via bitcoin-dev , Pieter Wuille , Gavin Andresen In-Reply-To: References: <8760z4rbng.fsf@rustcorp.com.au> User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu) Date: Fri, 08 Jan 2016 22:32:01 +1030 Message-ID: <8737u8qnye.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,LOTS_OF_MONEY, RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 08 Jan 2016 12:33:37 +0000 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jan 2016 12:02:27 -0000 Matt Corallo writes: > Indeed, anything which uses P2SH is obviously vulnerable if there is > an attack on RIPEMD160 which reduces it's security only marginally. I don't think this is true? Even if you can generate a collision in RIPEMD160, that doesn't help you since you need to create a specific SHA256 hash for the RIPEMD160 preimage. Even a preimage attack only helps if it leads to more than one preimage fairly cheaply; that would make grinding out the SHA256 preimage easier. AFAICT even MD4 isn't this broken. But just with Moore's law (doubling every 18 months), we'll worry about economically viable attacks in 20 years.[1] That's far enough away that I would choose simplicity, and have all SW scriptPubKeys simply be "<0> RIPEMD(SHA256(WP))" for now, but it's not a no-brainer. Cheers, Rusty. [1] Assume bitcoin-network-level compute (collision in 19 days) costs $1B to build today. Assume there will be 100 million dollars a day in vulnerable txs, and you're on one end of all of them (or can MITM if you find a collision), *and* can delay them all by 10 seconds, and none are in parallel so you can attack all of them. IOW, just like a single $100M opportunity for 3650 seconds each year. Our machine has a 0.11% chance of finding a collision in 1 hour, so it's worth about $110,000. We can build it for that in about 20 years.