--- Log opened Thu Oct 20 00:00:52 2022
01:16 < darosior> Not qualified to answer this, i'll let others chime in. But out of curiosity what makes musig special wrt the 80 bit collision security?
04:19 -!- jonatack1 [~jonatack@user/jonatack] has joined ##miniscript
05:32 < andytoshi> darosior: the fact that it's common/expected that a single key may represent multiple parties
05:33 < andytoshi> 80-bit security doesn't matter if you can only attack yourself
05:33 < andytoshi> sipa: yeah, outlawing pkh(musig) sounds like a very good idea
05:33 < andytoshi> outlawing pkh entirely .. i'm of two minds here, because if you _know_ you can get away with 160-bit keys this is the only way post-taproot that you can
05:34 < andytoshi> and i feel like, if you aren't allowed to do pkh(musig), then to get a multiparty pkh you're already doing something weird and non-standard and difficult
05:35 < andytoshi> so we don't need to put a lot of effort into trying to prevent that
05:35 <@sipa> If you know that you only care about preimage security, the better choice is something sha1-based ;(
05:35 <@sipa> even smaller, and afaik not broken w.r.t. preimage security
05:36 <@sipa> but sure, dropping pkh entirely is more invasive
06:01 < andytoshi> i thought sha1 and ripemd are the same size?
06:01 <@sipa> oh yes, it's md5 that's 128 bit
06:02 < andytoshi> heh i think md5 is also secure against preimage security
06:03 < andytoshi> second-preimage attacks*
06:03 < andytoshi> interesting observation that bitcoin could've had a use for a md5 opcode :P
06:03 < andytoshi> BIP when
06:03 <@sipa> or sha256 + substr
06:03 < andytoshi> ah yeah, that probably would've been better than all of these
06:04 < andytoshi> including ripemd, i'd wager
08:49 -!- jonatack1 [~jonatack@user/jonatack] has quit [Read error: Connection reset by peer]
11:22 -!- sanket_cell [~sanket172@ec2-100-24-255-95.compute-1.amazonaws.com] has quit [Quit: ZNC 1.8.2 - https://znc.in]
11:22 -!- sanket1729 [~sanket172@ec2-100-24-255-95.compute-1.amazonaws.com] has quit [Quit: ZNC 1.8.2 - https://znc.in]
11:23 -!- sanket1729 [~sanket172@ec2-100-24-255-95.compute-1.amazonaws.com] has joined ##miniscript
11:23 -!- sanket_cell [~sanket172@ec2-100-24-255-95.compute-1.amazonaws.com] has joined ##miniscript
11:48 < sanket1729> I like out-lawing musig inside pkh
11:49 < sanket1729> Can also outlaw pkh altogether. Don't really have a strong preference here.
11:49 < sanket1729> But we should do either one of the two
12:28 -!- jonatack [~jonatack@user/jonatack] has joined ##miniscript
13:20 -!- jonatack [~jonatack@user/jonatack] has quit [Ping timeout: 258 seconds]
13:37 <@sipa> darosior: In general, any scriptPubKey that directly or indirectly only has a 160-bit hash of a key, if that key is jointly constructed by multiple parties, is at risk of a collision attack between the cosigners.
13:37 <@sipa> P2SH multisig is vulnerable to this too, and that's the reason why P2WSH uses a 256-bit script hash rather than a 160-bit hash.
13:39 <@sipa> Specifically, say your key is A, and you're looking to construct a 2-of-2 musig under 160-bit hash with me, I can in ~2^80 work find two keys B and C such that hash160(C) = hash160(musig(A,B)).
13:39 <@sipa> I give you B, coins get deposited in pkh(musig(A,B)), and I spend the coins by revealing C as preimage of the key hash.
13:42 <@sipa> Requiring that the provided key is real doesn't thwart this attack (e.g. you requiring that I provide you with a signature on B using B itself doesn't make the attack meaningfully harder).
17:55 -!- jonatack [~jonatack@user/jonatack] has joined ##miniscript
18:55 -!- jon_atack [~jonatack@user/jonatack] has joined ##miniscript
18:58 -!- jonatack [~jonatack@user/jonatack] has quit [Ping timeout: 255 seconds]
19:13 -!- jon_atack [~jonatack@user/jonatack] has quit [Ping timeout: 246 seconds]
19:32 -!- jonatack1 [~jonatack@user/jonatack] has joined ##miniscript
19:44 -!- jonatack2 [~jonatack@user/jonatack] has joined ##miniscript
19:47 -!- jonatack1 [~jonatack@user/jonatack] has quit [Ping timeout: 255 seconds]
20:04 -!- jonatack3 [~jonatack@user/jonatack] has joined ##miniscript
20:07 -!- jonatack2 [~jonatack@user/jonatack] has quit [Ping timeout: 255 seconds]
20:29 -!- jonatack [~jonatack@user/jonatack] has joined ##miniscript
20:31 -!- jonatack3 [~jonatack@user/jonatack] has quit [Ping timeout: 252 seconds]
--- Log closed Fri Oct 21 00:00:55 2022