From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id B623D414 for ; Sat, 25 Feb 2017 18:28:02 +0000 (UTC) X-Greylist: delayed 00:08:49 by SQLgrey-1.7.6 Received: from librelamp.com (librelamp.com [45.79.96.192]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 54881176 for ; Sat, 25 Feb 2017 18:28:02 +0000 (UTC) Received: from localhost.localdomain (68-189-44-253.dhcp.rdng.ca.charter.com [68.189.44.253]) by librelamp.com (Postfix) with ESMTPSA id 7E43F822 for ; Sat, 25 Feb 2017 18:19:12 +0000 (UTC) To: bitcoin-dev@lists.linuxfoundation.org References: <8F096BE1-D305-43D4-AF10-2CC48837B14F@gmail.com> <20170225010122.GA10233@savin.petertodd.org> <208F93FE-B7C8-46BE-8E00-52DBD0F43415@gmail.com> From: Alice Wonder Message-ID: Date: Sat, 25 Feb 2017 10:19:11 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Feb 2017 18:28:02 -0000 On 02/25/2017 08:10 AM, Ethan Heilman via bitcoin-dev wrote: >>SHA1 is insecure because the SHA1 algorithm is insecure, not because > 160bits isn't enough. > > I would argue that 160-bits isn't enough for collision resistance. > Assuming RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random > oracle), collisions can be generated in 2^80 queries (actually detecting > these collisions requires some time-memory additional trade-offs). The > Bitcoin network at the current hash rate performs roughly SHA-256 ~2^78 > queries a day or 2^80 queries every four days. You have to not only produce a ripemd160 collision, you have to produce a collision that is also a valid sha-256 hash - and that's much much much more difficult.