From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 4E8CACE0 for ; Mon, 11 Jan 2016 04:31:50 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from ozlabs.org (ozlabs.org [103.22.144.67]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A4232AD for ; Mon, 11 Jan 2016 04:31:49 +0000 (UTC) Received: by ozlabs.org (Postfix, from userid 1011) id 7EA76140311; Mon, 11 Jan 2016 15:31:47 +1100 (AEDT) From: Rusty Russell To: Gavin Andresen , Anthony Towns In-Reply-To: References: <8760z4rbng.fsf@rustcorp.com.au> <8737u8qnye.fsf@rustcorp.com.au> <20160108153329.GA15731@sapphire.erisian.com.au> User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu) Date: Mon, 11 Jan 2016 14:27:15 +1030 Message-ID: <87fuy4hip0.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,LOTS_OF_MONEY, RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jan 2016 04:31:50 -0000 Gavin Andresen via bitcoin-dev writes: > How many years until we think a 2^84 attack where the work is an ECDSA > private->public key derivation will take a reasonable amount of time? vanitygen can generate keypairs pretty fast (on my CPU it's comparable with hashing time), and there are ways to make it faster. Since you can generate multiple script variations, too, I think hashing is the bottleneck. Antminer S7 can do 4.73 Terahash per second for $1.2k. (Double SHA, but let's assume RIPEMD160(SHA256()) is the same speed). 766,760,562,123 seconds to do 3*2^80, so you'd need over 200 million S7s to do it in an hour.[1] If you want to do that for $1M, wait 27 years and hope Moore's Law holds? Also, a colleague points out you could use this attack against a site like bitrated.com which publishes one side's pubkey, giving you a much longer attack window. Cheers, Rusty. [1] Weirdly, the bitcoin network is doing this much work every 57 days, for about $92M. If that's all the attack costs, it's under 1M in 10 years.