Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 06:57:00 AM
As you know, each time you make a payment Satoshi's client generates a new address to send the change to. He (or someone else) also advised creating a new address each time someone needs to receive a payment (for anonymity reasons). The entropy of an address is 160 bits (due to the RIPEMD-160 "compression"). Applying the birthday paradox, we get that once 2^80 addresses have been created we will likely get a collision. This is not critical, because the "older" address will probably be empty. But this can be used in black PR against Bitcoin. An adversary (who is generating addresses non-stop) will be able to show 2 different public keys with the same address. The media will be happy to publish articles with a "Bitcoin completely broken" title...
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
November 15, 2013, 06:59:01 AM
I think the math works out that there's more Bitcoin addresses than there are atoms in the universe. Basically, it's been talked about many times, and it's nothing to worry about.
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 07:00:10 AM
I think the math works out that there's more Bitcoin addresses than there are atoms in the universe. Basically, it's been talked about many times, and it's nothing to worry about.
You are talking about the case where you need to create a collision for one specific address. Read http://en.wikipedia.org/wiki/Birthday_problem please.
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
November 15, 2013, 07:02:00 AM
I think the math works out that there's more Bitcoin addresses than there are atoms in the universe. Basically, it's been talked about many times, and it's nothing to worry about.
You are talking about the case where you need to create a collision for one specific address. Read http://en.wikipedia.org/wiki/Birthday_problem please.
But still, even if someone is generating billions of addresses a second for millions of years, the statistical odds are extremely low they would find a collision even under those circumstances. I'm not a math whiz or I'd show you the proof, but I know the calculations have been done many times before, and always check out.
marcotheminer
Legendary
Offline
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
November 15, 2013, 07:03:33 AM
I think the math works out that there's more Bitcoin addresses than there are atoms in the universe. Basically, it's been talked about many times, and it's nothing to worry about.
True, BUT there is still the possibility of a collision!
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 07:04:32 AM
But still, even if someone is generating billions of addresses a second for millions of years, the statistical odds are extremely low they would find a collision even under those circumstances. I'm not a math whiz or I'd show you the proof, but I know the calculations have been done many times before, and always check out.
You can generate addresses much faster because you don't need to know the private key. Pick any set of bytes and say it's a public key. 2^80 is not a big number.
Edit: 2^80 == (2^10)^8 ~ 1000^8 == 10^24. And now look at the hash rate of the Bitcoin network.
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
November 15, 2013, 07:09:49 AM
You can generate addresses much faster because you don't need to know the private key. Pick any set of bytes and say it's a public key. 2^80 is not a big number.
If you don't know the private key, then there's no attack. But even so ..
Edit: 2^80 == (2^10)^8 ~ 1000^8 == 10^24. And now look at the hash rate of the Bitcoin network.
Okay, it's 7 years with the full hashing power of all Bitcoin mining. And all such an attacker would have is an account that he himself had compromised. He'd be a long way from compromising anyone else's account.
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 07:11:24 AM
It's a PR attack. An attacker can even invest millions of freshly printed dollars.
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
November 15, 2013, 07:12:55 AM
It's a PR attack.
You can launch a 51% attack just by expending more effort than all miners expend. Worrying about a PR attack that requires you to expend hundreds of times that effort is senseless.
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 07:15:09 AM
It's a PR attack.
You can launch a 51% attack just by expending more effort than all miners expend. Worrying about a PR attack that requires you to expend hundreds of times that effort is senseless.
Maybe. As time passes the probability of a 51% attack goes to zero, while the probability of a collision attack goes to 100%.
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
November 15, 2013, 07:18:10 AM
Maybe. As time passes probability of 51% attack goes to zero, while probability of collision attack goes to 100%.
We all know that Bitcoin will have to evolve or face technical obsolescence. We have no way to know *today* what changes will be correct in the future though. Bitcoin still uses a near optimum set of tradeoffs for today's technology because those decisions were made just a few years ago. Bring this up again in about eight years.
darkmule
Legendary
Offline
Activity: 1176
Merit: 1005
November 15, 2013, 06:11:00 PM
Media will be happy to publish articles with "Bitcoin completely broken" title...
They wouldn't be the first completely moronic, uninformed media attention Bitcoin has survived. I'm not sure we should make technical decisions based on the moronic, uninformed opinions of, well, morons. Seems the current system is inevitably going to lead to some measurable problems, while the alternative leads to a nearly unmeasurable chance of a problem. Also, if that completely breaks Bitcoin, then the mere existence of brain wallets using bad passphrases is much more of a worry.
Kouye
Sr. Member
Offline
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
November 15, 2013, 07:40:45 PM
I agree that the public address should be a 256-bit hash, too. Why do we care about the size of the public base58 address, anyway?
It's either copied/pasted or QR-code-scanned; I'm pretty sure nobody ever typed in an address char by char using a keyboard. So why take the risk of restraining the 256-bit key pairs to fit in a collision-more-likely 160-bit public address?
[OVER] RIDDLES 2nd edition --- this was claimed. Look out for 3rd edition! I won't ever ask for a loan nor offer any escrow service. If I do, please consider my account as hacked.
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 07:43:22 PM
So why take the risk of restraining the 256 bit key pairs to fit in a collision-more-likely 160 bit public address?
For security reasons. If the NSA knows how to reverse SHA-256, it may not know how to do the same with RIPEMD-160.
Kouye
Sr. Member
Offline
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
November 15, 2013, 07:56:13 PM
So why take the risk of restraining the 256-bit key pairs to fit in a collision-more-likely 160-bit public address?
For security reasons. If the NSA knows how to reverse SHA-256, it may not know how to do the same with RIPEMD-160.
I can understand and agree with that, but there are other hash functions, it seems... I'm not an expert at all, but after a quick search BLAKE2s came up, for example?
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 08:01:57 PM
I'm not an expert at all, but after a quick search BLAKE2s came up, for example?
Did BLAKE2 exist when Satoshi was coding Bitcoin? Also RIPEMD-160 wasn't "sponsored" by the US govt, was it?
Kouye
Sr. Member
Offline
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
November 15, 2013, 08:09:04 PM
Did BLAKE2 exist when Satoshi was coding Bitcoin? Also RIPEMD-160 wasn't "sponsored" by the US govt, was it?
Maybe not, but the base58 RIPEMD-160 hash was mainly used to reduce the public address size, as far as I'm aware, which looks like a bad choice to me. From what I read, progressively replacing the RIPE hash with a stronger non-sponsored one while maintaining backward compatibility would not be impossible. So why not change now?
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
November 15, 2013, 08:10:52 PM
I agree that the public address should be a 256-bit hash, too.
Why? 256-bit ECDSA only provides 128-bit security; a 160-bit pubkey hash provides 160-bit security. What would making the pubkeyhash larger accomplish other than bloating the blockchain?
Come-from-Beyond (OP)
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
November 15, 2013, 08:14:21 PM
160 bit pubkey hash provides 160 bit security.
Are you sure? I was thinking that a 160-bit hash provides 80-bit security.
cscape
November 15, 2013, 08:16:09 PM
U can generate addresses much faster coz u don't need to know the private key. Pick any set of bytes and say it's a public key. 2^80 is not a big number.
Edit: 2^80 == (2^10)^8 ~ 1000^8 == 10^24. And now look at the hash rate of Bitcoin network.
Of course, when a normal miner checks a hash, it starts by checking the top 32 bits are zero, which is a trivial operation. Checking for a collision with a growing database of up to 2^80 previous hashes is a lot more effort.
Happy with your c-scape product ? Consider a tip: 16X2FWVRz6UzPWsu4WjKBMJatR7UvyKzcy
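The arithmetic the thread argues over, worked through as an added example (this is not code from any poster, and Bitcoin itself contains nothing like it). It separates the two attacks that DeathAndTaxes and Come-from-Beyond are talking past each other about: finding any two inputs with the same 160-bit hash (a collision, roughly 2^80 hash evaluations by the birthday bound) versus matching one given address (a second preimage, roughly 2^160). It then converts 2^80 into wall-clock time at an assumed network hash rate of 5.5e15 hashes/s, a value chosen here only because it reproduces JoelKatz's "about 7 years"; it is not a measured figure. Finally it runs the attacker's loop from the thread at toy scale: random 33-byte strings are declared to be public keys (no private key involved) and each hash is checked against a table of everything seen so far. SHA-256 truncated to 32 bits stands in for Bitcoin's RIPEMD-160(SHA-256(pubkey)) because hashlib's ripemd160 is not available on every platform; the birthday statistics are the same for any well-behaved hash.

```python
import hashlib
import math
import random

# Assumption for illustration only: ~5.5e15 hashes/s, picked so that 2^80
# hashes take about the "7 years" JoelKatz quotes for the Nov 2013 network.
ASSUMED_NETWORK_HASHRATE = 5.5e15
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def birthday_bound(bits: int) -> float:
    """Number of random outputs of a `bits`-bit hash at which a repeat
    among them becomes likely: about sqrt(2^bits) = 2^(bits/2)."""
    return 2.0 ** (bits / 2)


def collision_probability(n: float, bits: int) -> float:
    """Probability that n uniformly random `bits`-bit outputs contain at
    least one repeat, via the standard approximation 1 - exp(-n^2 / 2^(bits+1))."""
    return 1.0 - math.exp(-(n * n) / 2.0 ** (bits + 1))


def work_bits(hash_bits: int, attack: str) -> int:
    """Work factor in bits: a collision between *any* two inputs costs
    ~2^(b/2) evaluations; hitting one *given* address (second preimage)
    costs ~2^b. Both figures are the generic bounds for a b-bit hash."""
    if attack == "collision":
        return hash_bits // 2
    if attack == "second-preimage":
        return hash_bits
    raise ValueError(f"unknown attack {attack!r}")


def years_at_rate(hashes: float, rate: float = ASSUMED_NETWORK_HASHRATE) -> float:
    """Wall-clock years to perform `hashes` evaluations at `rate` hashes/s."""
    return hashes / rate / SECONDS_PER_YEAR


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data); a stand-in for the 160-bit
    address hash so the demo below finishes in seconds."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, seed: int = 2013, max_trials: int = 1 << 24):
    """Scaled-down birthday attack. Random 33-byte strings play the role of
    compressed public keys (no private key needed, exactly as in the thread).
    The `seen` dict is the attacker's database cscape mentions: it grows with
    the trial count, so at real scale its ~2^80 entries, not the hashing,
    are the limiting resource. Returns (input_a, input_b, hash, trials) or None."""
    rng = random.Random(seed)
    seen = {}
    for trials in range(1, max_trials + 1):
        candidate = rng.getrandbits(33 * 8).to_bytes(33, "big")
        h = truncated_hash(candidate, bits)
        earlier = seen.get(h)
        if earlier is not None and earlier != candidate:
            return earlier, candidate, h, trials
        seen[h] = candidate
    return None


if __name__ == "__main__":
    b = 160
    print(f"collision on a {b}-bit address hash: ~2^{work_bits(b, 'collision')} hashes, "
          f"{years_at_rate(birthday_bound(b)):.1f} years at the assumed rate")
    print(f"second preimage of one given address: ~2^{work_bits(b, 'second-preimage')} hashes, "
          f"{years_at_rate(2.0 ** b):.3g} years at the assumed rate")
    print(f"P(collision) after 2^80 addresses: {collision_probability(2.0 ** 80, b):.3f}")
    a, c, h, trials = find_collision(32)
    print(f"32-bit demo: collision after {trials} trials (birthday bound {birthday_bound(32):.0f})")
    print(f"  {a.hex()}\n  {c.hex()}\n  both truncate to {h:#010x}")
```

Running it shows why both sides of the thread are partly right: at 2^80 trials the collision probability is only about 0.39 (the bound is where it becomes likely, not certain), that many hashes is years rather than centuries at the assumed rate, but the colliding pair consists of two attacker-chosen byte strings, neither of which is anyone's actual key.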