π
Original date posted:2016-01-11
π Original message:On Fri, Jan 8, 2016 at 3:46 PM, Gavin Andresen via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> How many years until we think a 2^84 attack where the work is an ECDSA
> private->public key derivation will take a reasonable amount of time?
>
I think the EC multiply is not actually required. With compressed public
keys, the script selection rule can just be a sha256 call instead.
V is the public key of the victim, and const_pub_key is the attacker's
public key.
if prev_hash % 2 == 0:
script = "2 V 0x02%s 2 CHECKMULTISIG" % (sha256(prev_hash)))
else:
script = "CHECKSIG %s OP_DROP" % (prev_hash, const_pub_key)
next_hash = ripemd160(sha256(script))
If a collision is found, there is a 50% chance that the two scripts have
different parity and there is a 50% chance that a compressed key is a valid
key.
This means that you need to run the algorithm 4 times instead of 2.
The advantage is that each step is 2 sha256 calls and a ripemd160 call. No
EC multiply is required.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160111/be7bd486/attachment.html>;
Tier Nolan [ARCHIVE] /
npub1g6β¦sl5wd
2023-06-07 17:47:47
in reply to nevent1qβ¦vlte
Author Public Key
npub1g6vxlp4e0nyhs2dqxxcryztyf5f5hyuaq93nw4r87zcnv0sdsa0qqsl5wdSeen on
wss://relay.noswhere.comPublished at
2023-06-07 17:47:47Event JSON
{
"id": "8807e11ba4251f9baa563b4078be9a7c26e23b43438dc6aca3711e18704d00c8",
"pubkey": "46986f86b97cc97829a031b03209644d134b939d0163375467f0b1363e0d875e",
"created_at": 1686160067,
"kind": 1,
"tags": [
[
"e",
"e1f46f49861d474f81d81bf43d690af02c9b35e1c9c4fe5cc415112a34c1c041",
"",
"root"
],
[
"e",
"3ee3bf7d7f451a86a34a83ce52d8236cd1b9f21ece3478314ea27f8db141f3d6",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "π
Original date posted:2016-01-11\nπ Original message:On Fri, Jan 8, 2016 at 3:46 PM, Gavin Andresen via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e How many years until we think a 2^84 attack where the work is an ECDSA\n\u003e private-\u003epublic key derivation will take a reasonable amount of time?\n\u003e\n\nI think the EC multiply is not actually required. With compressed public\nkeys, the script selection rule can just be a sha256 call instead.\n\nV is the public key of the victim, and const_pub_key is the attacker's\npublic key.\n\n if prev_hash % 2 == 0:\n script = \"2 V 0x02%s 2 CHECKMULTISIG\" % (sha256(prev_hash)))\n else:\n script = \"CHECKSIG %s OP_DROP\" % (prev_hash, const_pub_key)\n\n next_hash = ripemd160(sha256(script))\n\nIf a collision is found, there is a 50% chance that the two scripts have\ndifferent parity and there is a 50% chance that a compressed key is a valid\nkey.\n\nThis means that you need to run the algorithm 4 times instead of 2.\n\nThe advantage is that each step is 2 sha256 calls and a ripemd160 call. No\nEC multiply is required.\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160111/be7bd486/attachment.html\u003e",
"sig": "2f54a4034c794cd53369c6f3639fb56d8e5a3b836773ee26299e58198f1eed600e930ea7d4dcf36b1e820c4158b735146b8aed1e9d53e703fdd78b5e9144f560"
}