Bitcoin Forum
Author Topic: Re: BIP 17  (Read 832 times)
Costia
January 28, 2012, 03:24:42 PM
 #1

3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much?
If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses).
So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.

The whole point of ECDSA is that you can't break it with the public key. The security issue in BIP 16 is that on an old client it won't even check that the key fits the sig. So there is no need to break the encryption, just get the key and script - which you can do by checking the content of the transactions that you relay or actively "sniffing" the network.
[Tycho]
January 28, 2012, 03:27:33 PM
 #2

3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much?
If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses).
So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.
The whole point of ECDSA is that you can't break it with the public key.

I'm talking about the future, when new magic computers will be able to break ECDSA with the public key.

Costia
January 28, 2012, 03:29:18 PM
 #3

3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much?
If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses).
So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.
The whole point of ECDSA is that you can't break it with the public key.
I'm talking about the future, when new magic computers will be able to break ECDSA with the public key.

In this magic future of quantum computing you will be able to do that without the public key as well.

gmaxwell
January 29, 2012, 10:13:49 AM
 #4

In this magic future of quantum computing you will be able to do that without the public key as well.

This isn't the case. QC only gives a sqrt(N) speedup for generic black-box non-linear inversion. So on a magical pixie dust computer a 256-bit hash function has the same security as a 128-bit hash function has on a classical computer that does the same number of operations per second.

There are QC-strong versions of all the applicable cryptographic operations; we don't use them only because they have much higher overhead (like 16-kbyte signatures), but the mass media loves to over-hype the capabilities of (still non-existent) quantum computers, so you never hear about them.

The scheme of H(pubkey) addresses in Bitcoin is a bit of insurance against many kinds of ECDSA (classical or otherwise) weakening.

P2SH (of any kind) largely preserves this property, though it may slightly increase exposure to classical cryptanalytic attacks because it allows an attacker almost arbitrary stuffing to produce a matching address without also having to solve the discrete log problem. E.g. with current addresses an attacker doesn't just have to find a preimage, he'd have to find one that he knows the ECDSA private key for. Under P2SH there is a wider variety of acceptable inputs.

That said, even if we used the now-compromised MD5 algorithm, the practical MD chosen-prefix collision attack there couldn't be used to steal random people's money with P2SH (because it requires that the attacker produce both messages; it's not a preimage attack), though it might permit an attacker to generate an unusual escrow script which could also be redeemed under a second set of rules. (Not that this weakness exists with our SHA256, much less the HASH160, but I think it's useful to reason about how the system would work with parts replaced with compromised versions.)

Costia
January 29, 2012, 10:28:49 AM
 #5

But would it actually matter if you have the public key or not to find the private key from data + encrypted data?
Luke-Jr
January 29, 2012, 01:40:19 PM
 #6

But would it actually matter if you have the public key or not to find the private key from data + encrypted data?

Bitcoin does not use encryption. If you have data + signature, you can already find the public key.

Costia
January 29, 2012, 06:51:19 PM
 #7

But would it actually matter if you have the public key or not to find the private key from data + encrypted data?
Bitcoin does not use encryption. If you have data + signature, you can already find the public key.

That wasn't the question.
Bitcoin uses ECDSA for the signatures.
Assuming:
1) you have a strong enough computer to break the ECDSA encryption,
2) you have the data and the sig - which is the encrypted hash of the data IIRC
Will it help you in any way to know the public key as well? Will it simplify the process of finding the private key?
Luke-Jr
January 29, 2012, 07:39:04 PM
 #8

1) you have a strong enough computer to break the ECDSA encryption,
2) you have the data and the sig - which is the encrypted hash of the data IIRC
Will it help you in any way to know the public key as well? Will it simplify the process of finding the private key?

No such computer currently exists that can break ECDSA. As for the theoretical question... since you can get the public key from the signature, having the public key already is unnecessary.

gmaxwell
January 29, 2012, 09:21:40 PM
 #9

but would it actually matter if you have the public key or not to find the private key from data + encrypted data?

You don't have the signature either (and you can always derive the public key from the signature). The point is that the attacker won't know the public key/signature until it's announced ... and a few minutes after the announcement it's too late to attack. So, assuming single-use addresses (as was always intended), an attack on ECDSA would only be useful if you could pull it off very fast.
Costia
January 29, 2012, 09:26:57 PM
 #10

It was a theoretical question about magical pony-friendly computers that started from Tycho's statement.
Bitcoin has enough problems as it is (mostly usability/user friendliness).
Also, this thread got off-topic :(
chsados
January 30, 2012, 08:11:09 AM
 #11

3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much?
If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses).
So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.
The whole point of ECDSA is that you can't break it with the public key.
I'm talking about the future, when new magic computers will be able to break ECDSA with the public key.
In this magic future of quantum computing you will be able to do that without the public key as well.

Blind Quantum Computing will solve this, no?
http://www.bbc.co.uk/news/science-environment-16636580