[Bitcoin-development] BIP-13

Gavin Andresen gavinandresen at gmail.com
Mon Feb 20 17:17:07 UTC 2012


RE:
> base58-encode: [one-byte network ID][20-byte hash][one-byte address
class][3-byte checksum]

How will the code distinguish between the old scheme:
[one-byte-version][20-byte-hash][4-byte-checksum]
and the new?

1 in 256 old addresses will have a first-byte-of-checksum that matches the
new address class; I guess the code would do something like:

a) If the 4-byte checksum matches, then assume it is a singlesig address (1
in 2^32 multisig addresses will incorrectly match)
b) If the one-byte-address-class and 3-byte checksum match, then it is a
valid p2sh
c) Otherwise, invalid address

The 1 in 2^32 multisig addresses also being valid singlesig addresses makes
me think this scheme won't work-- an attacker willing to generate 8 billion
or so ECDSA keys could generate a single/multisig collision.  I'm not sure
how that could be leveraged to their advantage, but I bet they'd find a way.

RE: should it be a BIP:  The BIP process is described in BIP
0001<https://en.bitcoin.it/wiki/BIP_0001#BIP_Work_Flow>,
and you're following it perfectly so far:

1) Post a rough draft of the idea here to see if there's any chance it'll
be adopted
2) Assuming a positive response and no major flaws: write up a draft BIP
3) Post the draft BIP here, where it can be picked apart.
4) Assuming no major flaws, ask the BIP editor (Amir) for a BIP number

I'd also encourage you to actually implement your idea between steps 3 and
4. But in this particular case, I think an attacker being able to create
singlesig/p2sh address collisions counts as a major flaw.

-- 
--
Gavin Andresen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20120220/6f1b9f1d/attachment.html>


More information about the bitcoin-dev mailing list