From: Gavin Andresen
To: Dave Scotese
Cc: Bitcoin Dev
Date: Thu, 7 Jan 2016 16:06:30 -0500
Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

Maybe I'm asking this question on the wrong mailing list:

Matt/Adam: do you have some reason to think that RIPEMD160 will be broken before SHA256? And do you have some reason to think that they will be so broken that the nested hash construction RIPEMD160(SHA256()) will be vulnerable?

Adam: re: "where to stop": I'm suggesting we stop exactly at the current status quo, where we use RIPEMD160 for P2SH and P2PKH.

Ethan: your algorithm will find two arbitrary values that collide. That isn't useful as an attack in the context we're talking about here (both of those values will be useless as coin destinations with overwhelming probability).

Dave: you described a first preimage attack, which is 2**160 cpu time and no storage.

--
--
Gavin Andresen
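To make the two cost regimes named in the message above concrete, the following added example (not part of the original message and not code from Bitcoin) runs a table-based birthday search and a first-preimage search against a truncated hash. The `toy_hash` function, its truncated double-SHA256 stand-in for RIPEMD160(SHA256()), and all input strings are assumptions constructed for this illustration.

```python
import hashlib
from itertools import count


def toy_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA256(SHA256(data)).

    Assumption for this example: a small stand-in for the 160-bit
    RIPEMD160(SHA256()) output, so both searches finish in seconds.
    """
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_collision(bits: int):
    """Find any two distinct inputs with the same toy_hash.

    Takes about 2**(bits/2) hash calls. This table-based search also
    stores one entry per call. The colliding inputs are whatever the
    search happens to hit; neither value is chosen in advance.
    """
    seen = {}  # hash value -> constructed input that produced it
    for i in count():
        msg = b"constructed-input-%d" % i
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1, len(seen)
        seen[h] = msg


def first_preimage(target: int, bits: int):
    """Find an input whose toy_hash equals a value fixed in advance.

    Takes about 2**bits hash calls and keeps no table.
    """
    for i in count():
        msg = b"constructed-guess-%d" % i
        if toy_hash(msg, bits) == target:
            return msg, i + 1


if __name__ == "__main__":
    BITS = 20
    a, b, calls, stored = birthday_collision(BITS)
    print(f"collision: {calls} hash calls, {stored} stored entries")
    target = toy_hash(b"constructed-destination", BITS)
    msg, calls = first_preimage(target, BITS)
    print(f"preimage:  {calls} hash calls, 0 stored entries")
    print("scaled to 160 bits: about 2**80 vs 2**160 hash calls")
```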