Re: [bitcoin-dev] SegWit testnet is live

2016-01-07 Thread Matthieu Riou via bitcoin-dev
Not strictly speaking a wallet but we (BlockCypher) will also go down the segwit path as soon as the BIP and branch are mature enough. All transactions built from our APIs should eventually be segwitted (just made up a verb). Thanks, Matthieu *CTO and Founder, Blockcypher* I have been informed th

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Matt Corallo via bitcoin-dev
Indeed, anything which uses P2SH is obviously vulnerable if there is an attack on RIPEMD160 which reduces its security only marginally. While no one thought hard about these attacks when P2SH was designed, we realized later this was not such a good idea to reuse the structure from P2PKH. Hence

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Rusty Russell via bitcoin-dev
Pieter Wuille via bitcoin-dev writes: > Yes, this is what I worry about. We're constructing a 2-of-2 multisig > escrow in a contract. I reveal my public key A, you do a 80-bit search for > B and C such that H(A and B) = H(B and C). You tell me your keys B, and I > happily send to H(A and B), which

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Watson Ladd via bitcoin-dev
On Jan 7, 2016 5:22 PM, "Gavin Andresen via bitcoin-dev" < bitcoin-dev@lists.linuxfoundation.org> wrote: > > On Thu, Jan 7, 2016 at 6:52 PM, Pieter Wuille wrote: >> >> Bitcoin does have parts that rely on economic arguments for security or privacy, but can we please stick to using cryptography tha

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Gavin Andresen via bitcoin-dev
On Thu, Jan 7, 2016 at 8:26 PM, Matt Corallo wrote: > So just because other attacks are possible we should weaken the crypto > we use? You may feel comfortable weakening crypto used to protect a few > billion dollars of other peoples' money, but I don't. > No... I'm saying we can eliminate one s

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Matt Corallo via bitcoin-dev
So just because other attacks are possible we should weaken the crypto we use? You may feel comfortable weakening crypto used to protect a few billion dollars of other peoples' money, but I don't. On 01/07/16 23:39, Gavin Andresen via bitcoin-dev wrote: > Thanks, Ethan, that's helpful and I'll stop

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Gavin Andresen via bitcoin-dev
On Thu, Jan 7, 2016 at 6:52 PM, Pieter Wuille wrote: > Bitcoin does have parts that rely on economic arguments for security or > privacy, but can we please stick to using cryptography that is up to par > for parts where we can? It's a small constant factor of data, and it > categorically removes

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Gavin Andresen via bitcoin-dev
Thanks, Ethan, that's helpful and I'll stop thinking that collision attacks require 2^(n/2) memory... So can we quantify the incremental increase in security of SHA256(SHA256) over RIPEMD160(SHA256) versus the incremental increase in security of having a simpler implementation of segwitness? I'm

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Pieter Wuille via bitcoin-dev
> "The problem case is where someone in a contract setup shows you a script, which you accept as being a payment to yourself. An attacker could use a collision attack to construct scripts with identical hashes, only one of which does have the property you want, and steal coins. > > So you really wa

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Ethan Heilman via bitcoin-dev
>Ethan: your algorithm will find two arbitrary values that collide. That isn't >useful as an attack in the context we're talking about here (both of those >values will be useless as coin destinations with overwhelming probability). I'm not sure exactly the properties you want here and determini

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Ethan Heilman via bitcoin-dev
Based on current GH/s count of 775,464,121 Bitcoin tests 2^80 every 19 days. log2(775464121*(1000*1000*1000*60*60*24*19)) = ~80.07 I don't fully understand the security model of segwit, so my analysis will assume that any collision is bad. >But it also requires O(2^80) storage, which is utterly i

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Gavin Andresen via bitcoin-dev
Maybe I'm asking this question on the wrong mailing list: Matt/Adam: do you have some reason to think that RIPEMD160 will be broken before SHA256? And do you have some reason to think that they will be so broken that the nested hash construction RIPEMD160(SHA256()) will be vulnerable? Adam: re: "

Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

2016-01-07 Thread Dave Scotese via bitcoin-dev
Maybe I'm being dense, but I don't see why 2**80 storage is required for this attack. Also, I don't see why the attacker ever needs to get the victim to accept "arbitrary_data". Perhaps I'm wrong about how the collision attack works: 1. Create a script which is perfectly acceptable and would
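A worked model of the collision search the thread is arguing about (Rusty's quoted B/C search against H(A and B), Gavin's question whether a collision attack needs 2^(n/2) memory, Ethan's 2^80 work estimate, and Dave's question about 2^80 storage), added here as an example; it is not code from any poster or from Bitcoin Core. It uses Floyd's cycle finding, which needs constant memory, so the only cost is roughly 2^(n/2) hash evaluations. The script hash is truncated to 32 bits so the search finishes in seconds; with a 160-bit hash the same loop would cost about 2^80 evaluations. Assumptions, all hypothetical: the "keys" are 33-byte placeholders rather than secp256k1 points, the victim key `VICTIM_KEY_A` is constructed, and double SHA256 stands in for Bitcoin's HASH160 = RIPEMD160(SHA256) because not every hashlib build ships ripemd160; nothing in the attack depends on which hash is used.

```python
"""Memoryless collision search against a truncated script hash (added example).

Models the attack discussed in the thread: the victim reveals key A and agrees
to pay to the hash of a 2-of-2 script containing A; the attacker grinds
candidate scripts until an honest {A, B} script and a rogue {C, D} script
(both keys the attacker's) hash to the same value. Floyd's cycle finding uses
O(1) memory, so the cost is ~2^(n/2) hash evaluations: ~2^16 here with a
32-bit truncation, ~2^80 for a 160-bit hash such as RIPEMD160(SHA256).
All keys and the hash function are placeholders (see comments).
"""
import hashlib
import math
from typing import Callable, Optional, Tuple

TRUNC_BITS = 32  # 160 for P2SH, 256 for P2WSH; 32 keeps this runnable in seconds
MASK = (1 << TRUNC_BITS) - 1
OP_2 = b"\x52"
OP_CHECKMULTISIG = b"\xae"

# Constructed victim key: 33 bytes shaped like a compressed pubkey, not a curve point.
VICTIM_KEY_A = b"\x02" + hashlib.sha256(b"constructed victim key A").digest()


def fake_pubkey(tag: bytes, x: int) -> bytes:
    """Stand-in for 'the attacker's x-th candidate key'; not a real public key."""
    return b"\x03" + hashlib.sha256(tag + x.to_bytes(4, "big")).digest()


def push(data: bytes) -> bytes:
    """Minimal direct push opcode (lengths below OP_PUSHDATA1 only)."""
    assert len(data) < 0x4C
    return bytes([len(data)]) + data


def multisig_2of2(k1: bytes, k2: bytes) -> bytes:
    """OP_2 <k1> <k2> OP_2 OP_CHECKMULTISIG, the escrow script from the thread."""
    return OP_2 + push(k1) + push(k2) + OP_2 + OP_CHECKMULTISIG


def script_for(x: int) -> Tuple[str, bytes]:
    """Map a search state to a candidate script: half honest {A, B}, half rogue {C, D}."""
    if x & 1 == 0:
        return "honest", multisig_2of2(VICTIM_KEY_A, fake_pubkey(b"B", x))
    return "rogue", multisig_2of2(fake_pubkey(b"C", x), fake_pubkey(b"D", x))


def script_hash(script: bytes) -> int:
    """Placeholder for HASH160(script) = RIPEMD160(SHA256(script)), truncated to TRUNC_BITS."""
    digest = hashlib.sha256(hashlib.sha256(script).digest()).digest()
    return int.from_bytes(digest[:8], "big") & MASK


def step(x: int) -> int:
    """Rho iteration function: state -> candidate script -> truncated hash."""
    return script_hash(script_for(x)[1])


def floyd_collision(f: Callable[[int], int], x0: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Floyd's cycle finding on x0, f(x0), f(f(x0)), ... with O(1) memory.

    Returns ((a, b), evals) with a != b and f(a) == f(b), or (None, evals)
    when x0 already lies on the cycle (no tail, hence no usable collision)."""
    evals = 0
    tortoise, hare = f(x0), f(f(x0))
    evals += 3
    while tortoise != hare:  # hare moves twice as fast and meets the tortoise inside the cycle
        tortoise, hare = f(tortoise), f(f(hare))
        evals += 3
    tortoise = x0
    if tortoise == hare:
        return None, evals
    while True:  # walk in lockstep to the cycle entry point; its two predecessors collide
        prev_t, prev_h = tortoise, hare
        tortoise, hare = f(tortoise), f(hare)
        evals += 2
        if tortoise == hare:
            return (prev_t, prev_h), evals


def find_script_collision(seed: int = 1, max_attempts: int = 64) -> Optional[Tuple[bytes, bytes, int]]:
    """Return (honest_script, rogue_script, total_evals) with equal script_hash.

    One rho run collides two random candidate scripts; about half the time
    both are of the same kind, so restart from a fresh seed until an honest
    script and a rogue script collide."""
    total = 0
    for attempt in range(max_attempts):
        pair, evals = floyd_collision(step, (seed + attempt * 0x9E3779B1) & MASK)
        total += evals
        if pair is None:
            continue
        (kind_a, script_a), (kind_b, script_b) = script_for(pair[0]), script_for(pair[1])
        if kind_a != kind_b:
            honest, rogue = (script_a, script_b) if kind_a == "honest" else (script_b, script_a)
            return honest, rogue, total
    return None


if __name__ == "__main__":
    result = find_script_collision()
    assert result is not None
    honest, rogue, total = result
    print("honest:", honest.hex())
    print("rogue: ", rogue.hex())
    print("hash:   %0*x after %d hash evaluations (about 2^%.1f)"
          % (TRUNC_BITS // 4, script_hash(honest), total, math.log2(total)))
```

The victim, shown only `honest`, would happily pay to `script_hash(honest)`; the attacker then spends with `rogue`, whose two keys are theirs. The search never stores a table of hashes, which is why the 2^80 figure in the thread is work, not memory, and why the 160-bit hash, not the 2^80 storage, is the limiting factor.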

Re: [bitcoin-dev] SegWit testnet is live

2016-01-07 Thread Eric Lombrozo via bitcoin-dev
I have been informed that Breadwallet has also committed to supporting segwit. The list now includes Blocktrail, Breadwallet, GreenAddress, GreenBits, mSIGNA, and NBitcoin. --- Eric On January 7, 2016 5:28:18 AM PST, Eric Lombrozo wrote: >I am pleased to report that as of December 31, 2015 we