📅 Original date posted:2016-01-08 📝 Original message:On Fri, Jan 08, 2016 at ...

Why Nostr? What is Njump?

Anthony Towns [ARCHIVE] /

npub17r…x9l2h

2023-06-07 17:47:45

in reply to nevent1q…wzmw

📅 Original date posted:2016-01-08
📝 Original message:On Fri, Jan 08, 2016 at 07:38:50AM -0500, Gavin Andresen via bitcoin-dev wrote:
> Lets see if I've followed the specifics of the collision attack correctly,
> Ethan (or somebody) please let me know if I'm missing something:
>
> So attacker is in the middle of establishing a payment channel with
> somebody. Victim gives their public key, attacker creates the innocent
> fund-locking script '2 V A 2 CHECKMULTISIG' (V is victim's public key, A
> is attacker's) but doesn't give it to the victim yet.

Using Ethan Heilman's procedure, the attacker can create two scripts:

2 V __A1__ 2 CHECKMULTISIG

2 V __A2__ 2 CHECKMULTISIG

and find values A1 and A2 which hash the scripts to the same result
with under 3*2**80 work. I think you can do that by setting the next
private key as the result of RIPEMD(SHA256(script with pubkey)), so you
could still spend either. But it doesn't change the script, so it's not
*that* helpful -- you've just got two different keys you can use.

Ah, but you can make the form of the script be a function of your key, so:

if privkey % 2 == 0:
script = "2 V %s 2 CHECKMULTISIG" % (pubkey)
else:
script = "%s CHECKSIG" % (pubkey)
hash = ripemd160(sha256(script))

nextprivkey = hash

Then you have a 50% chance of your cycle giving you a matching hash for
one script with A1 and the other script with A2, and you can find the
cycle with under 3*2**80 work. Doing five attempts should give you ~96%
chance of hitting a usable pair, and should take under 15*2**80 work ~=
2**84 work, with trivial memory use.

Trying that in python with a vastly weakened hash function (namely,
the first five bytes of ripemd160(sha256()), with 40 bits of security
and 3*2**20 work) works as expected -- I got a "useful" collision on my
second try in about 7 seconds, seeding with "grumpycat3" ("grumpycat2"
didn't work) with the result being:

hexlify(ripemd160(sha256("foo%sbar"%unhexlify("86f9fbac1a")))[:5])
'ae94d9f908'

hexlify(ripemd160(sha256("baz%squux"%unhexlify("104fc5093f")))[:5])
'ae94d9f908'

Cheers,
aj

Author Public Key

npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2h

Seen on

wss://relay.noswhere.com

Show more details

Published at

2023-06-07 17:47:45

Kind type

1 Short Text Note

Event JSON

{ "id": "96cbd86f211e101a58af9145793a71a8094248553ef0fe1fd08d730144b24489", "pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab", "created_at": 1686160065, "kind": 1, "tags": [ [ "e", "e1f46f49861d474f81d81bf43d690af02c9b35e1c9c4fe5cc415112a34c1c041", "", "root" ], [ "e", "3cc315c675e20a18d5e22a5023c6929168b630df9c3ddabbed6aa3dddd32a3ea", "", "reply" ], [ "p", "ee0fa66772f633411e4432e251cfb15b1c0fe8cd8befd8b0d86eb302402a8b4a" ] ], "content": "📅 Original date posted:2016-01-08\n📝 Original message:On Fri, Jan 08, 2016 at 07:38:50AM -0500, Gavin Andresen via bitcoin-dev wrote:\n\u003e Lets see if I've followed the specifics of the collision attack correctly,\n\u003e Ethan (or somebody) please let me know if I'm missing something:\n\u003e \n\u003e So attacker is in the middle of establishing a payment channel with\n\u003e somebody. Victim gives their public key, attacker creates the innocent\n\u003e fund-locking script '2 V A 2 CHECKMULTISIG' (V is victim's public key, A\n\u003e is attacker's) but doesn't give it to the victim yet.\n\nUsing Ethan Heilman's procedure, the attacker can create two scripts:\n\n 2 V __A1__ 2 CHECKMULTISIG\n\n 2 V __A2__ 2 CHECKMULTISIG\n\nand find values A1 and A2 which hash the scripts to the same result\nwith under 3*2**80 work. I think you can do that by setting the next\nprivate key as the result of RIPEMD(SHA256(script with pubkey)), so you\ncould still spend either. But it doesn't change the script, so it's not\n*that* helpful -- you've just got two different keys you can use.\n\nAh, but you can make the form of the script be a function of your key, so:\n\n if privkey % 2 == 0:\n script = \"2 V %s 2 CHECKMULTISIG\" % (pubkey)\n else:\n script = \"%s CHECKSIG\" % (pubkey)\n hash = ripemd160(sha256(script))\n\n nextprivkey = hash\n\nThen you have a 50% chance of your cycle giving you a matching hash for\none script with A1 and the other script with A2, and you can find the\ncycle with under 3*2**80 work. Doing five attempts should give you ~96%\nchance of hitting a usable pair, and should take under 15*2**80 work ~=\n2**84 work, with trivial memory use.\n\nTrying that in python with a vastly weakened hash function (namely,\nthe first five bytes of ripemd160(sha256()), with 40 bits of security\nand 3*2**20 work) works as expected -- I got a \"useful\" collision on my\nsecond try in about 7 seconds, seeding with \"grumpycat3\" (\"grumpycat2\"\ndidn't work) with the result being:\n\n hexlify(ripemd160(sha256(\"foo%sbar\"%unhexlify(\"86f9fbac1a\")))[:5])\n 'ae94d9f908'\n\n hexlify(ripemd160(sha256(\"baz%squux\"%unhexlify(\"104fc5093f\")))[:5])\n 'ae94d9f908'\n\nCheers,\naj", "sig": "43172e2e0d4ed6dcbeb0a68aa0ce5757226fca78a769ed5b810ed3e39295b217c59b8f8f80332ce57e608080d83ed8832f04a6b791928c71994228e45c6386e9" }