Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: capsqrl on November 03, 2012, 04:56:46 PM



Title: Thought experiment on security design of bitcoin protocol
Post by: capsqrl on November 03, 2012, 04:56:46 PM
Just for fun, let's imagine an alternative reality in which Satoshi made a strange mistake in Bitcoin's design: instead of SHA-256, he used MD5. Everything else is exactly the same. What would some practical consequences of this be, with regards to the resilience of the bitcoin network, security of funds etc?


Title: Re: Thought experiment on security design of bitcoin protocol
Post by: kokjo on November 03, 2012, 05:07:54 PM
[What I wrote only applies to preimage attacks; MD5 only has collision attacks.]

Double spends, chain splitting, faster creation, being able to make two different transactions with the same hash (i.e. replace transactions in blocks without changing their hash) + many other nasty things I have not thought about yet.


Title: Re: Thought experiment on security design of bitcoin protocol
Post by: Pieter Wuille on November 03, 2012, 05:40:16 PM
All those things require a preimage attack. The only practical attack against MD5 is a collision attack.


Title: Re: Thought experiment on security design of bitcoin protocol
Post by: kjj on November 03, 2012, 06:55:38 PM
The biggest consequence is that no one would have taken it seriously.  And even now that MD5 is considered to be totally broken and should never be used for anything at all, the other constraints in the system would cover our asses if we used them.

Being able to find a collision in MD5 is totally not the same thing as being able to find two valid blocks with the same MD5 hash, or two valid transactions with the same MD5 hash, or two private keys where the corresponding public keys have the same MD5 hash.

Pieter is right, collision attacks don't hurt us at all, and even in MD5, preimage attacks don't exist.  Well, they sorta do, but they still require more than 2^120 operations, making them barely better than brute force.  And I'm not even sure that a full preimage attack could meet the system requirements.


Title: Re: Thought experiment on security design of bitcoin protocol
Post by: Mike Hearn on November 08, 2012, 09:55:09 AM
I think the existence of forged SSL certs that exploit MD5 collisions means that the possibility of two different valid transactions that hash to the same value isn't impossible. We already know what happens in that case - the code gets confused and can be exploited (we saw it with the coinbase duplication issue).
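The distinction kjj draws between collision attacks (the attacker chooses both inputs) and preimage attacks (the attacker must match a digest someone else fixed), and the "code gets confused" failure Mike Hearn describes when two different transactions share an id, can both be shown on a deliberately weakened digest. The following is an added example and is not code from this thread or from Bitcoin itself. It assumes a toy digest (MD5 truncated to 24 bits, so the searches finish instantly), a made-up transaction encoding (`b"tx:"` plus a counter), and a simplified transaction index standing in for a node's lookup table; the defensive index only mirrors the spirit of the duplicate-txid rule later adopted as BIP 30, not the consensus code.

```python
import hashlib

# Toy digest: MD5 truncated to 24 bits so both searches finish in well under a second.
# This truncation is an assumption made for the illustration; Bitcoin's transaction ids
# are double SHA-256 (256 bits), and real MD5 is 128 bits.
TOY_BITS = 24
TOY_BYTES = TOY_BITS // 8


def toy_hash(data: bytes) -> int:
    """Return the first TOY_BYTES of MD5(data) as an integer."""
    return int.from_bytes(hashlib.md5(data).digest()[:TOY_BYTES], "big")


def find_collision(prefix: bytes = b"tx:", max_tries: int = 1 << 20):
    """Birthday search: two *different* messages with the same digest.

    The attacker picks both inputs, so roughly 2^(TOY_BITS/2) ~ 4096 tries suffice.
    Returns (msg_a, msg_b, tries) or None if the budget runs out.
    """
    seen = {}
    for i in range(max_tries):
        msg = prefix + i.to_bytes(4, "big")   # constructed sample "transaction"
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def find_second_preimage(target: bytes, prefix: bytes = b"forged:", max_tries: int = 1 << 13):
    """Second-preimage search: a different message matching a digest the attacker did NOT choose.

    Expected cost is about 2^TOY_BITS ~ 16.7 million tries, so with roughly the budget
    that made the collision search easy this almost always returns None.
    """
    want = toy_hash(target)
    for i in range(max_tries):
        msg = prefix + i.to_bytes(4, "big")
        if msg != target and toy_hash(msg) == want:
            return msg, i + 1
    return None


def index_by_txid(txs):
    """Naive node index keyed by digest: a colliding transaction silently overwrites the first."""
    index = {}
    for tx in txs:
        index[toy_hash(tx)] = tx
    return index


def index_rejecting_duplicates(txs):
    """Defensive index: refuse any transaction whose id is already known, rather than overwrite.

    Simplified illustration of the duplicate-txid rule (BIP 30); not the consensus code.
    """
    index, rejected = {}, []
    for tx in txs:
        h = toy_hash(tx)
        if h in index:
            rejected.append(tx)
            continue
        index[h] = tx
    return index, rejected


def demo():
    """Run both searches and both indexing strategies; return the facts for inspection."""
    a, b, collision_tries = find_collision()
    preimage = find_second_preimage(a)
    naive = index_by_txid([a, b])
    strict, rejected = index_rejecting_duplicates([a, b])
    return {
        "collision": (a, b, collision_tries),
        "second_preimage": preimage,
        "naive_index_size": len(naive),
        "naive_keeps": naive[toy_hash(a)],
        "strict_keeps": strict[toy_hash(a)],
        "strict_rejects": rejected,
    }


if __name__ == "__main__":
    r = demo()
    a, b, tries = r["collision"]
    print(f"collision after {tries} tries: {a!r} vs {b!r}, digest {toy_hash(a):06x}")
    print("second preimage within a similar budget:", r["second_preimage"])
    print("naive index entries:", r["naive_index_size"], "kept:", r["naive_keeps"])
    print("strict index rejected:", r["strict_rejects"])
```

Running it shows the asymmetry in the thread: the collision turns up after a few thousand tries, the second-preimage search against a digest the attacker did not pick almost never succeeds with the same effort, and the naive index quietly keeps only the later of the two colliding transactions, which is exactly the kind of confusion a duplicate-id check is there to prevent.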


Title: Re: Thought experiment on security design of bitcoin protocol
Post by: kjj on November 08, 2012, 12:18:11 PM
Quote from: Mike Hearn
I think the existence of forged SSL certs that exploit MD5 collisions means that the possibility of two different valid transactions that hash to the same value isn't impossible. We already know what happens in that case - the code gets confused and can be exploited (we saw it with the coinbase duplication issue).

Quote from: Bob Jueneman, IETF-PKIX
There is nothing in any of these standards that would prevent me from including 1 gigabit MPEG movie of me playing with my cat as one of the RDN components of the DN in my certificate

SSL cert signing requests have no consistent structure beyond some very loose guidelines that vary a bit from CA to CA.  If you were trying to design a data format that was intentionally vulnerable to hash collision attacks, I doubt you could do a better job.