Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Pieter Wuille <pieter.wuille@gmail•com>
To: Gavin Andresen <gavinandresen@gmail•com>
Cc: Bitcoin Dev <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Time to worry about 80-bit collision attacks or not?
Date: Fri, 8 Jan 2016 18:38:34 +0100	[thread overview]
Message-ID: <CAPg+sBiOPpJb8kPYqMSZdGvN7Tb96sgyw_h4yPdhbsLWNcVFRQ@mail.gmail.com> (raw)
In-Reply-To: <CABsx9T2CM2iVBbzBs-jQA6S-sHCdtEEWNwn=DgN_D+biKVErkA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1923 bytes --]

On Fri, Jan 8, 2016 at 2:54 AM, Gavin Andresen via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> I'm saying we can eliminate one somewhat unlikely attack (that there is a
> bug in the code or test cases, today or some future version, that has to
> decide what to do with "version 0" versus "version 1" witness programs) by
> accepting the risk of another insanely, extremely unlikely attack.

Ok, just having one witness program version now is a somewhat different
proposal. It would be simpler for sure. The reasoning was that you'd need
this to not add significant overhead to small scripts, but that may not be
the case anymore. I wouldn't mind seeing numbers.

> My proposal would be to just do a version 0 witness program now, that is
> RIPEMD160(SHA256(script)).

I don't think that is wise. Bitcoin has a 128-bit security target for
everything else. We did not know that P2SH and similar constructs were
vulnerable to a collision attack at the time, but now we do, so the obvious
choice is to pick a size that is sufficiently large to maintain the 128-bit
security target. This is a no brainer to me; we're not proposing switching
to a 160-bit EC curve either, right?

> I'm really disappointed with the "Here's the spec, take it or leave it"
> attitude. What's the point of having a BIP process if the discussion just
> comes down to "We think more is better. We don't care what you think."

It is a proposal and we are discussing it. You first brought up some
criticisms in private, and I agreed with several things you said.

But it remains the proposal of a few people including me, and I do not
agree with the specific suggestion of reducing the security target for
witness scripts to 80 bits.

We are not deciding what the system will be. We're making a proposal, and
hope that due to its technical merit, the ecosystem will adopt it. You're
free to participate in that discussion.

-- 
Pieter

[-- Attachment #2: Type: text/html, Size: 2293 bytes --]

next prev parent reply	other threads:[~2016-01-08 17:38 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-07 19:02 Gavin Andresen
2016-01-07 19:13 ` Matt Corallo
2016-01-07 19:19 ` Adam Back
2016-01-07 20:56   ` Dave Scotese
2016-01-07 21:06     ` Gavin Andresen
2016-01-07 22:56       ` Ethan Heilman
2016-01-07 23:39         ` Gavin Andresen
2016-01-08  1:26           ` Matt Corallo
2016-01-08  1:54             ` Gavin Andresen
2016-01-08 17:38               ` Pieter Wuille [this message]
2016-01-08 18:41               ` Peter Todd
2016-01-07 20:40 ` Ethan Heilman
2016-01-07 23:52 ` Pieter Wuille
2016-01-08  1:00   ` Gavin Andresen
2016-01-08  1:27     ` Watson Ladd
2016-01-08  3:30   ` Rusty Russell
2016-01-08  3:41     ` Matt Corallo
2016-01-08 12:02       ` Rusty Russell
2016-01-08 12:38         ` Gavin Andresen
2016-01-08 14:34           ` Watson Ladd
2016-01-08 15:26             ` Adam Back
2016-01-08 15:33           ` Anthony Towns
2016-01-08 15:46             ` Gavin Andresen
2016-01-08 15:50               ` Gavin Andresen
2016-01-08 15:59                 ` Gavin Andresen
2016-01-11 20:32                 ` Jorge Timón
2016-01-08 16:06               ` Gavin Andresen
2016-01-11  3:57               ` Rusty Russell
2016-01-11  6:57                 ` Peter Todd
2016-01-11 23:57               ` Tier Nolan
2016-01-12  0:00                 ` Tier Nolan
2016-01-12 12:08                   ` Gavin Andresen
2016-01-12 23:22                     ` Zooko Wilcox-O'Hearn
2016-01-08 18:52     ` Peter Todd

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAPg+sBiOPpJb8kPYqMSZdGvN7Tb96sgyw_h4yPdhbsLWNcVFRQ@mail.gmail.com \
    --to=pieter.wuille@gmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=gavinandresen@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox