From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id D05ADF01 for ; Fri, 8 Jan 2016 03:30:28 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from ozlabs.org (ozlabs.org [103.22.144.67]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 22A78F5 for ; Fri, 8 Jan 2016 03:30:28 +0000 (UTC) Received: by ozlabs.org (Postfix, from userid 1011) id 427ED1402DE; Fri, 8 Jan 2016 14:30:25 +1100 (AEDT) From: Rusty Russell To: Pieter Wuille , Gavin Andresen In-Reply-To: References: User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu) Date: Fri, 08 Jan 2016 14:00:11 +1030 Message-ID: <8760z4rbng.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 08 Jan 2016 03:31:24 +0000 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jan 2016 03:30:28 -0000 Pieter Wuille via bitcoin-dev writes: > Yes, this is what I worry about. We're constructing a 2-of-2 multisig > escrow in a contract. I reveal my public key A, you do a 80-bit search for > B and C such that H(A and B) = H(B and C). You tell me your keys B, and I > happily send to H(A and B), which you steal with H(B and C). FWIW, this attack would effect the current lightning-network "deployable lightning" design at channel establishment; we reveal our pubkey in the opening packet (which is used to redeem a P2SH using normal 2of2). At least you need to grind before replying (which will presumably time out), rather than being able to do it once the channel is open. We could pre-commit by exchanging hashes of pubkeys first, but contracts on bitcoin are hard enough to get right that I'm reluctant to add more hoops. Cheers, Rusty.