On Sat, Feb 25, 2017 at 12:42:56PM -0800, Watson Ladd wrote: > On Sat, Feb 25, 2017 at 11:12 AM, Peter Todd via bitcoin-dev > <bitcoin-dev@lists.linuxfoundation.org> wrote: > > On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev > > wrote: > >> >SHA1 is insecure because the SHA1 algorithm is insecure, not because > >> 160bits isn't enough. > >> > >> I would argue that 160-bits isn't enough for collision resistance. Assuming > >> RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisions > > > > That's something that we're well aware of; there have been a few > > discussions on > > this list about how P2SH's 160-bits is insufficient in certain use-cases > > such > > as multisig. > > > > However, remember that a 160-bit *security level* is sufficient, and > > RIPEMD160 > > has 160-bit security against preimage attacks. Thus things like > > pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys > > that have the same RIPEMD160(SHA256()) digest, but if someone does that it > > doesn't cause the Bitcoin network itself any harm, and doing so is something > > you choose to do to yourself. > > P2SH is not secure against collision. I could write two scripts with > the same hash, one of which is an escrow script and the other which > pays it to me, have someone pay to the escrow script, and then get the > payment. Some formal analysis tools would ignore the unused > instructions even if human analysis would not.
That's what I said: "P2SH's 160-bits is insufficient in certain use-cases such as multisig" Obviously any usecase where multiple people are creating a P2SH redeemScript collaboratively is potentially vulnerable. Use-cases where the redeemScript was created by a single-party however are _not_ vulnerable, as that party has complete control over whether or not collisions are possible, by virtue of the fact that they're the ones who have to make the collision happen! Similarly, even in the multisig case, commit-reveal techniques can mitigate the vulnerability, by forcing parties to commit to what pubkeys/hashlocks/etc. they'll use for the script prior to pubkeys/hashlocks/etc. being revealed. Though a better long-term approach is to use a 256-bit digest size, as segwit does. -- https://petertodd.org 'peter'[:-1]@petertodd.org
signature.asc
Description: Digital signature
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
