[bitcoin-dev] SHA1 collisions make Git vulnerable to attakcs by third-parties, not just repo maintainers
watsonbladd at gmail.com
Sat Feb 25 20:42:56 UTC 2017
On Sat, Feb 25, 2017 at 11:12 AM, Peter Todd via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> On Sat, Feb 25, 2017 at 11:10:02AM -0500, Ethan Heilman via bitcoin-dev wrote:
>> >SHA1 is insecure because the SHA1 algorithm is insecure, not because
>> 160bits isn't enough.
>> I would argue that 160-bits isn't enough for collision resistance. Assuming
>> RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random oracle), collisions
> That's something that we're well aware of; there have been a few discussions on
> this list about how P2SH's 160-bits is insufficient in certain use-cases such
> as multisig.
> However, remember that a 160-bit *security level* is sufficient, and RIPEMD160
> has 160-bit security against preimage attacks. Thus things like
> pay-to-pubkey-hash are perfectly secure: sure you could generate two pubkeys
> that have the same RIPEMD160(SHA256()) digest, but if someone does that it
> doesn't cause the Bitcoin network itself any harm, and doing so is something
> you choose to do to yourself.
P2SH is not secure against collision. I could write two scripts with
the same hash, one of which is an escrow script and the other which
pays it to me, have someone pay to the escrow script, and then get the
payment. Some formal analysis tools would ignore the unused
instructions even if human analysis would not.
> In any case, segwit will provide a 256-bit pay-to-witness-script-hash(1), which
> provides a 128-bit security level against collision attacks.
> 1) https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki#Native_P2WSH
> https://petertodd.org 'peter'[:-1]@petertodd.org
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
"Man is born free, but everywhere he is in chains".
More information about the bitcoin-dev