From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 48DD1259 for ; Sun, 26 Feb 2017 06:36:28 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wr0-f173.google.com (mail-wr0-f173.google.com [209.85.128.173]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B79FA124 for ; Sun, 26 Feb 2017 06:36:27 +0000 (UTC) Received: by mail-wr0-f173.google.com with SMTP id o22so29974799wro.1 for ; Sat, 25 Feb 2017 22:36:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PJDIbHVHRu++34T0lSUIY64yKNbp1wgR6+Xd0ViS7mk=; b=GV3lNJIWOPSV50LHU5E0X2UEjFFWa2JthqbgD0/JwjOmw3BGtQi7mklhL04HbNFnyT MoQQGLGP6bme/HpFEG1afnXyeELPy116dgGHNnICQdUsaKipEfQESpl5gNDQXaCjXJQv REZXVagaj52O7Odwr+g29nrsIBp0s8hEHdJbH/usbbdB9rDWkF0TpVUkT1DJg+y+CVDm 8mWsV4sM4v9OGbvDEQMTExeSDzRoqa75fyCGO17eVGWarVZiT7tOiuOAQ7xlgfNd/glS xM4OuoWZYY47bMNbaznUpGea34MYGMKgBSJZajemHsjBRZHNoNHKBJdiuhum7iNzXJYZ 4Dow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PJDIbHVHRu++34T0lSUIY64yKNbp1wgR6+Xd0ViS7mk=; b=i3KvpI4ncJuM58osCfI3jx0mTiKzfVsm865uyWKWxzQKB/cztdmoFhojODg7s9XxzS nMaEt9+CzhrBZzjSJPkbxtKG6RKXViGXoZX6LuChla8rQTNPSZdQ3tSKApOHcDG8nfOQ bzrX8MW03c2g0/o8X/Uv70GDZge4kQfF5VaycW+tgylgljSy8mhBzh7eK7trlsv04GL1 RxAHV2gHccJT/VJGVVEeD61sFjXrQZt/y2V3AvT8ShEZoNjBAbzdWkhnS5mgPl9E+r// hxKeqgAHt9gQ3v9m0lrL2Rdrh+WEk2EyOlEqK/O7woXmjYM8PmJgCiBDoU7PCJ4tlAvR E5SQ== X-Gm-Message-State: AMke39mw4r9AOc02cpAGTYdEAiAMsfK7SYwBEQ85dn6epunyGVKrgeEO1rdv3SdPD1HJchOQELx/iN+DtzQ/Gg== X-Received: by 10.223.133.164 with SMTP id 33mr9695448wrt.39.1488090986427; Sat, 25 Feb 2017 22:36:26 -0800 (PST) MIME-Version: 1.0 Received: by 10.80.153.212 with HTTP; Sat, 25 Feb 2017 22:36:25 -0800 (PST) Received: by 10.80.153.212 with HTTP; Sat, 25 Feb 2017 22:36:25 -0800 (PST) In-Reply-To: <4F6C2972-A320-429A-BD13-623B01F390A3@gmail.com> References: <8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com> <20170225010122.GA10233@savin.petertodd.org> <208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com> <20170225191201.GA15472@savin.petertodd.org> <20170225210406.GA16196@savin.petertodd.org> <4FE38F6A-0560-4989-9C53-7F8C94EA4C76@gmail.com> <20170225214018.GA16524@savin.petertodd.org> <4F6C2972-A320-429A-BD13-623B01F390A3@gmail.com> From: Pieter Wuille Date: Sat, 25 Feb 2017 22:36:25 -0800 Message-ID: To: Steve Davis Content-Type: multipart/alternative; boundary=001a1147d2eca3bca20549692e8c X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 26 Feb 2017 06:36:28 -0000 --001a1147d2eca3bca20549692e8c Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Feb 25, 2017 22:26, "Steve Davis" wrote= : Hi Pieter, > On Feb 25, 2017, at 4:14 PM, Pieter Wuille wrote: > > Any alternative to move us away from RIPEMD160 would require: > =E2=80=9CAny alternative=E2=80=9D? What about reverting to: [, OP_CHECKSIG] snip Could that be the alternative? Ok, fair enough, that is an alternative that avoids the 160-bit hash function, but not where it matters. The 80-bit collision attack only applies to jointly constructed addresses like multisig P2SH, not single-key ones. As far as I know for those we only rely preimage security, and RIPEMD160 has 160 bit security there, which is even more than our ECDSA signatures offer. --=20 Pieter --001a1147d2eca3bca20549692e8c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Feb 25, 2017 22:26, "Steve Davis" <steven.charles.davis@gmail.com> = wrote:
Hi Pieter,

> On Feb 25, 2017, at 4:14 PM, Pieter Wuille <pieter.wuille@gmail.com> wrote:
>
> Any alternative to move us away from RIPEMD160 would require:

> <snipped>

=E2=80=9CAny alternative=E2=80=9D? What about reverting to:

[<public_key>, OP_CHECKSIG]

snip

<= blockquote class=3D"quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc = solid;padding-left:1ex">
Could that be the alternative?

Ok, fair enough, that is an alternative tha= t avoids the 160-bit hash function, but not where it matters. The 80-bit co= llision attack only applies to jointly constructed addresses like multisig = P2SH, not single-key ones. As far as I know for those we only rely preimage= security, and RIPEMD160 has 160 bit security there, which is even more tha= n our ECDSA signatures offer.

--=C2=A0
Pieter


--001a1147d2eca3bca20549692e8c--