Reposting here because I don't want to clog other threads.
I hope this acts as a heads-up for manufacturers, miners and developers. This could also be a known fact; I haven't seen it discussed anywhere.
Demonstrating two collision attacks in detail.
This is an uncompressed public key:
[1]0425f587ba19c90b6e4a6606929bc6a01c44a051805797662ca2cb735dba3c009859f01d2a9e6fad26fd0fda518271ab0dc32e9a9de6ad3b0f000bd09edfa98ca3
We perform RMD160 on it:
[3]dacb99a98b80d48adbd8b94c9a7905996503d2ab
Result:
[2]1LwtDDHxpvo6Uh9sbRTNSU7r5rukqCFRGC
Now, since there is no SHA-256 hash that long [1], if we find the actual public key of our address [2] and perform SHA-256 on it, the resulting hash, a 64-character hex string, will produce the same RMD160 [3]. Therefore the SHA-256 of [2]'s actual public key and our fake hash [1] of a public key collide with each other on the RMD160 hash function: two different inputs with one unchanged output.
Second attempt, this time on SHA-256.
We take this and use it as our public key:
[6]dacb99a98b80d48adbd8b94c9a7905996503d2ab
Then we perform SHA-256 on it to get our hash of the public key, ready to convert to an address:
[5]32f51406f6d584a5b62365de425d01f308fc56a33682492284cc7577ceeb8868
Now we do a RMD160 on it:
6c161fcca8bbd0fe7a393b11b0499bb0754e3f7f
And the resulting address is:
[4]1ArWUwF2WfPnDubReohn2vtPodfPpG5Evq
Once again we have arrived at the scene of a collision: if you find the actual public key of [4] and perform SHA-256 on it, you will see that the result is the same as [5], which means [6] and the actual public key of [4], which are different in value and length etc., collide with a similar SHA-256 hash, two different inputs producing one unchanged output.
Do that long enough on many objects and you will have a collection of collisions, conditional on finding the public keys of your generated addresses, though.
Moreover, there are some funded addresses, and obviously their owners are unaware that they are holding the key to an actual collision. Sooner or later people will figure this out and exploit it, so the owners of such addresses should transfer their funds to avoid unwanted stalkers. I imagine that top-level government agencies are already aware of this; the reason for publishing this is to prevent unexpected harm to people and to the entire crypto-system in the future.
I'm also studying and experimenting with elliptic curves, and since I was always sleeping in math classes, I'm a bit slow and the progress is disappointing.
What I don't understand about EC is the possibility of two different private keys having identical public keys. If that really is a fact, then whoever designed it didn't know what he was doing, or it was done on purpose, because applying the same mathematical equations to different input values should never result in identical (colliding) outputs. Maybe I don't get the underlying mechanism of EC.
Moving on: as explained in the quoted post above, we now know that the possibility of hash collisions is much higher than that of collisions of private/public keys, hence the notion of 2^96 identical keys for each address. But I think there is something wrong with that. Addresses are not the product of math equations; they are produced by hashing the public key twice. Taking into account the obvious fact that those two hashes collide chaotically with any random data, we arrive at the conclusion that there exist different public keys which produce the same hash (collision); that is why we speculate about the number of 2^96 colliding private keys.
I just proved (in practice, with examples) that we could have several identical addresses but with different corresponding public and private keys; they might look the same, but in reality they are different.
I don't know if there has been any case of two identical addresses/hashes in the blockchain with two different valid signatures. Since I'm a noob about transactions: is the hash160 or hash256 of the public key involved in the process of validating signatures/scripts or not?
If they are involved, then here we just found a security breach in Bitcoin (cryptography). But if signatures/scripts are signed by private keys and public keys are not involved, we are fine. Let me go and check..... OK, it looks like you use the private key to sign, and the hash of the next owner's public key. Quick question though: how do you prove your ownership of an address if there are several identical public key hashes corresponding to the same address? By using your private key to sign! But again, if a hash is performed on the public key to derive the correct address to check the validity of signatures, then other actors with the same hash could manipulate the data in the signature. Is that why so many people are interested in r, s, z, k etc.? They want to perform such attacks? Well, that could mean they already have colliding keys and are now trying to trick the protocol to steal coins from others. This indicates that we need to persuade people to use an address only once and never store funds on reused/exposed addresses.
Note to Satoshi, chop chop my man, your treasure is in danger.😉
Disclaimer: I do not claim to be an expert. What I say is my own understanding of things; it might be inaccurate or wrong, and others could point out my mistakes, so don't take my word for it.