From: Michael Grønager
Date: Mon, 20 Feb 2012 22:29:57 +0100
To: Gavin Andresen
Cc: Bitcoin Dev
Subject: Re: [Bitcoin-development] BIP-13
References: <3DA9C79B-D91D-48B2-9469-37BAA037FC50@ceptacle.com>

> How will the code distinguish between the old scheme:
> [one-byte-version][20-byte-hash][4-byte-checksum]
> and the new?
>
> 1 in 256 old addresses will have a first-byte-of-checksum that matches the new address class; I guess the code would do something like:
>
> a) If the 4-byte checksum matches, then assume it is a singlesig address (1 in 2^32 multisig addresses will incorrectly match)
> b) If the one-byte-address-class and 3-byte checksum match, then it is a valid p2sh
> c) Otherwise, invalid address

Exactly!

>
> The 1 in 2^32 multisig addresses also being valid singlesig addresses makes me think this scheme won't work -- an attacker willing to generate 8 billion or so ECDSA keys could generate a single/multisig collision. I'm not sure how that could be leveraged to their advantage, but I bet they'd find a way.

Nope - it's almost like calling the version:0+5 possible collision with new evil, say "ponzicoin" with version=5 a possible flaw that could be exploited... And you can already create non-existing addresses with a matching checksum...

> I'd also encourage you to actually implement your idea between steps 3 and 4. But in this particular case, I think an attacker being able to create singlesig/p2sh address collisions counts as a major flaw.

I will rest my case, not due to the "flaw", but I got some info on the bitfields of the "version" (thanks Luke!) - this makes the +5 less arbitrary, however, I don't think the bitfield interpretation is that well known, so there might already be "version"-collisions...:

Network class:
00xxxxxx - main network
01xxxxxx - reserved
10xxxxxx - reserved
11xxxxxx - test network

Network:
xx00xxxx - bitcoin
xx01xxxx - reserved
xx10xxxx - OTHER (next octet)
xx11xxxx - Namecoin

Network specific:
xxxx000y - PubKeyHash
xxxx001y - reserved
xxxx010y - p2sh
xxxx011y - public key (raw)
xxxx100y - signature
xxxx101y - reserved
xxxx110y - private key (raw)
xxxx111y - OTHER (next octet)

y = 0/1 depending on aesthetics (I guess to force the address to be either 1 or 3).

This also opens up for extensions - (if xx10xxxx or xxxx111x) the next byte will be part of the version.

/M

>
> --
> Gavin Andresen
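The a/b/c decode rule Gavin lists and the version-byte bitfield quoted above, worked through as an added Python example. This is not code from the thread or from any Bitcoin implementation. It assumes the proposed layout is [version][20-byte hash][class byte][3-byte checksum], that the class byte value is 5 (the "+5" of the mail), and that the short checksum is the first 3 bytes of double-SHA256 over the 22 bytes before it; the mail does not spell out what the short checksum covers, so that last point is my assumption. The sample hash and the seeded random sample are constructed for the demonstration.

```python
import hashlib
import random

# Constructed constants for this example (see lead-in): class byte 5 is the
# "+5" of the thread; the checksum coverage is an assumption, not from the mail.
VERSION_MAIN_PUBKEYHASH = 0x00
P2SH_CLASS = 0x05


def dsha256(data: bytes) -> bytes:
    """Double SHA-256, the hash Base58Check uses for its checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def make_singlesig_payload(hash160: bytes, version: int = VERSION_MAIN_PUBKEYHASH) -> bytes:
    """Old scheme: [version][20-byte hash][4-byte checksum]."""
    body = bytes([version]) + hash160
    return body + dsha256(body)[:4]


def make_p2sh_payload(hash160: bytes, version: int = VERSION_MAIN_PUBKEYHASH) -> bytes:
    """Proposed scheme: [version][20-byte hash][class byte][3-byte checksum]
    (checksum over the preceding 22 bytes is my assumption)."""
    body = bytes([version]) + hash160 + bytes([P2SH_CLASS])
    return body + dsha256(body)[:3]


def classify_payload(payload: bytes) -> str:
    """Gavin's a/b/c decision rule over a decoded 25-byte payload."""
    if len(payload) != 25:
        return "invalid"
    # (a) Full 4-byte checksum matches -> singlesig. Checked first, so an old
    #     address whose first checksum byte happens to equal the class byte
    #     (1 in 256) is still read correctly. The price is that 1 in 2^32 p2sh
    #     payloads also pass this test and would be misread as singlesig.
    if dsha256(payload[:21])[:4] == payload[21:]:
        return "singlesig"
    # (b) Class byte says p2sh and the 3-byte checksum matches -> p2sh.
    if payload[21] == P2SH_CLASS and dsha256(payload[:22])[:3] == payload[22:]:
        return "p2sh"
    # (c) Neither -> invalid address.
    return "invalid"


def fraction_with_class_byte_collision(n: int, seed: int = 1) -> float:
    """How often an old-scheme address has class byte 5 where the new scheme
    would look for it (expected about 1/256). Uses a seeded PRNG so the
    sample is reproducible; the hashes are constructed, not real addresses."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        payload = make_singlesig_payload(rng.randbytes(20))
        hits += payload[21] == P2SH_CLASS
    return hits / n


def parse_version_bitfield(version: int) -> dict:
    """The version-byte bitfield interpretation listed in the mail."""
    network_class = {0b00: "main network", 0b01: "reserved",
                     0b10: "reserved", 0b11: "test network"}
    network = {0b00: "bitcoin", 0b01: "reserved",
               0b10: "OTHER (next octet)", 0b11: "Namecoin"}
    kind = {0b000: "PubKeyHash", 0b001: "reserved", 0b010: "p2sh",
            0b011: "public key (raw)", 0b100: "signature", 0b101: "reserved",
            0b110: "private key (raw)", 0b111: "OTHER (next octet)"}
    net = (version >> 4) & 0b11
    typ = (version >> 1) & 0b111
    return {
        "network_class": network_class[(version >> 6) & 0b11],
        "network": network[net],
        "type": kind[typ],
        "y": version & 1,
        # "OTHER" in either field means the next byte continues the version.
        "extended": net == 0b10 or typ == 0b111,
    }


if __name__ == "__main__":
    h = bytes(range(20))  # constructed stand-in for a HASH160
    for label, p in (("singlesig", make_singlesig_payload(h)),
                     ("p2sh", make_p2sh_payload(h))):
        print(f"{label:9s} {p.hex()} -> {classify_payload(p)}")
    print("old addresses colliding with class byte 5:",
          fraction_with_class_byte_collision(20000))
    print("version 0x05 ->", parse_version_bitfield(0x05))
```

Rule (a) before rule (b) is what makes the 1-in-256 case harmless for existing addresses, and it is also exactly where the 1-in-2^32 ambiguity Gavin objects to lives: a decoder cannot tell a genuine singlesig payload from a p2sh payload whose class byte plus short checksum happen to form a valid long checksum.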