Costia (OP), Newbie
January 28, 2012, 03:24:42 PM
> 3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much? If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses). So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.

The whole point of ECDSA is that you can't break it with the public key. The security issue in BIP16 is that an old client won't even check that the key fits the sig. So there is no need to break the encryption, just get the key and script, which you can do by checking the content of the transactions that you relay or by actively "sniffing" the network.
[Tycho]
January 28, 2012, 03:27:33 PM
>> 3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much? If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses). So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.
>
> The whole point of ECDSA is that you can't break it with the public key.

I'm talking about the future when new magic computers will be able to break ECDSA with the public key.
Costia (OP), Newbie
January 28, 2012, 03:29:18 PM
>>> 3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much? If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses). So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.
>>
>> The whole point of ECDSA is that you can't break it with the public key.
>
> I'm talking about the future when new magic computers will be able to break ECDSA with the public key.

In this magic future of quantum computing you will be able to do that without the public key as well.
gmaxwell, Moderator, Legendary
January 29, 2012, 10:13:49 AM
> In this magic future of quantum computing you will be able to do that without the public key as well.

This isn't the case. QC only gives a sqrt(N) speedup for generic blackbox non-linear inversion. So on a magical pixie dust computer a 256 bit hash function has the same security as a 128 bit hash function has on a classical computer that does the same number of operations per second. There are QC-strong versions of all the applicable cryptographic operations; we don't use them only because they have much higher overhead (like 16 kbyte signatures), but the mass media loves to over-hype the capabilities of (still non-existent) quantum computers, so you never hear about them.

The scheme of H(pubkey) addresses in Bitcoin is a bit of insurance against many kinds of ECDSA (classical or otherwise) weakening. P2SH (of any kind) largely preserves this property, though it may slightly increase exposure to classical cryptanalytic attacks because it allows an attacker almost arbitrary stuffing to produce a matching address without also having to solve the discrete log problem. E.g. with current addresses an attacker doesn't just have to find a preimage, he'd have to find one that he knows the ECDSA private key for. Under P2SH there is a wider variety of acceptable inputs.

That said, even if we used the now-compromised MD5 algorithm, the practical MD5 chosen-prefix collision attack there couldn't be used to steal random people's money with P2SH (because it requires the attacker to produce both messages; it's not a preimage attack), though it might permit an attacker to generate an unusual escrow script which could also be redeemed under a second set of rules. (Not that this weakness exists with our SHA256, much less the HASH160, but I think it's useful to reason about how the system would work with parts replaced with compromised versions.)
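Two points made in the posts above, Costia's that a pre-BIP16 client only checks that the script pushed in the scriptSig hashes to the committed value and never runs it, and gmaxwell's that Bitcoin addresses commit to H(pubkey) or, under P2SH, H(script), can be made concrete with a small script evaluator. The following is an added example written for this page; it is not code from the thread or from Bitcoin's own implementation. The opcode numbers and the Base58Check address format are the real ones; the redeem script (a hash lock rather than the usual `<pubkey> OP_CHECKSIG`), the preimages and the 33-byte stand-in public key are constructed, and the RIPEMD160 fallback is an assumption made only so the example runs on OpenSSL builds that ship that digest in the legacy provider.

```python
"""Added example (not from the thread or from Bitcoin's own code): a toy
Script evaluator showing the H(pubkey)/H(script) address scheme and the
difference between a pre-BIP16 node and a BIP16 node checking a P2SH spend.
Opcode numbers are the real Bitcoin ones; scripts and inputs are constructed."""
import hashlib

OP_EQUAL, OP_SHA256, OP_HASH160 = 0x87, 0xA8, 0xA9
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def hash160(data: bytes) -> bytes:
    """Bitcoin HASH160 = RIPEMD160(SHA256(x)). Some OpenSSL builds ship RIPEMD160
    only in the legacy provider; if hashlib lacks it we substitute 20 bytes of a
    second SHA256 (assumption: keeps the example runnable; nothing below depends
    on which 160-bit digest is used)."""
    inner = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", inner).digest()
    except ValueError:
        return hashlib.sha256(b"ripemd160-stand-in" + inner).digest()[:20]


def base58check(version: int, payload: bytes) -> str:
    """Address = base58(version || payload || 4-byte double-SHA256 checksum).
    Version 0 gives the '1...' P2PKH form, version 5 the '3...' P2SH form."""
    raw = bytes([version]) + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def push(data: bytes) -> bytes:
    """Direct push opcode (1..75 bytes), all this example needs."""
    assert 1 <= len(data) <= 75
    return bytes([len(data)]) + data


def run(script: bytes, stack: list) -> list:
    """Evaluate a script against a stack. Only pushes, SHA256, HASH160 and
    EQUAL are implemented; anything else raises."""
    i = 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            stack.append(script[i:i + op])
            i += op
        elif op == OP_SHA256:
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op == OP_HASH160:
            stack.append(hash160(stack.pop()))
        elif op == OP_EQUAL:
            stack.append(b"\x01" if stack.pop() == stack.pop() else b"")
        else:
            raise ValueError(f"opcode {op:#x} not supported by this toy")
    return stack


def p2sh_script_pubkey(redeem_script: bytes) -> bytes:
    """OP_HASH160 <20-byte hash> OP_EQUAL: the output commits only to H(script)."""
    return bytes([OP_HASH160]) + push(hash160(redeem_script)) + bytes([OP_EQUAL])


def is_p2sh(script_pubkey: bytes) -> bool:
    return (len(script_pubkey) == 23 and script_pubkey[0] == OP_HASH160
            and script_pubkey[1] == 20 and script_pubkey[22] == OP_EQUAL)


def verify_spend(script_sig: bytes, script_pubkey: bytes, bip16: bool) -> bool:
    """Pre-BIP16 rule: run scriptSig, then scriptPubKey; top of stack must be true.
    BIP16 rule: additionally pop the last scriptSig push, treat it as a script and
    run it against the remaining scriptSig pushes (push-only check omitted here)."""
    try:
        stack = run(script_sig, [])
        saved = list(stack)                 # BIP16 keeps a copy of the scriptSig stack
        stack = run(script_pubkey, stack)
        if not (stack and stack[-1]):
            return False
        if bip16 and is_p2sh(script_pubkey):
            redeem_script = saved.pop()     # the serialized script whose hash matched
            stack = run(redeem_script, saved)
            return bool(stack and stack[-1])
        return True
    except (ValueError, IndexError):
        return False


def demo() -> dict:
    """Hash-locked redeem script (OP_SHA256 <h> OP_EQUAL) standing in for the usual
    <pubkey> OP_CHECKSIG. The old node never runs it, so a wrong preimage is
    accepted there but rejected by a BIP16 node."""
    secret = b"constructed preimage"
    redeem_script = bytes([OP_SHA256]) + push(hashlib.sha256(secret).digest()) + bytes([OP_EQUAL])
    spk = p2sh_script_pubkey(redeem_script)
    good_sig = push(secret) + push(redeem_script)
    bad_sig = push(b"wrong preimage") + push(redeem_script)
    fake_pubkey = b"\x02" + b"\x11" * 32    # constructed 33-byte compressed-key shape
    return {
        "p2pkh_address": base58check(0, hash160(fake_pubkey)),
        "p2sh_address": base58check(5, hash160(redeem_script)),
        "old_node_accepts_bad": verify_spend(bad_sig, spk, bip16=False),
        "new_node_accepts_bad": verify_spend(bad_sig, spk, bip16=True),
        "new_node_accepts_good": verify_spend(good_sig, spk, bip16=True),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and `old_node_accepts_bad` is `True` while `new_node_accepts_bad` is `False`: to a node that does not know BIP16, any scriptSig whose last push hashes to the committed value is a valid spend, which is exactly why the upgrade had to be enforced by a majority of hash power as a soft fork. The address helper also shows gmaxwell's point about the commitment: a P2PKH address pins down one public key, a P2SH address pins down any script with that hash.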
Costia (OP), Newbie
January 29, 2012, 10:28:49 AM
But would it actually matter if you have the public key or not to find the private key from data + encrypted data?
Luke-Jr, Legendary
January 29, 2012, 01:40:19 PM
> But would it actually matter if you have the public key or not to find the private key from data + encrypted data?

Bitcoin does not use encryption. If you have data + signature, you can already find the public key.
Costia (OP), Newbie
January 29, 2012, 06:51:19 PM
>> But would it actually matter if you have the public key or not to find the private key from data + encrypted data?
>
> Bitcoin does not use encryption. If you have data + signature, you can already find the public key.

That wasn't the question. Bitcoin uses ECDSA for the signatures. Assuming: 1) you have a strong enough computer to break the ECDSA encryption, 2) you have the data and the sig (which is the encrypted hash of the data, IIRC), will it help you in any way to know the public key as well? Will it simplify the process of finding the private key?
Luke-Jr, Legendary
January 29, 2012, 07:39:04 PM
> 1) you have a strong enough computer to break the ECDSA encryption, 2) you have the data and the sig (which is the encrypted hash of the data, IIRC), will it help you in any way to know the public key as well? Will it simplify the process of finding the private key?

No such computer currently exists that can break ECDSA. As for the theoretical question... since you can get the public key from the signature, having the public key already is unnecessary.
gmaxwell, Moderator, Legendary
January 29, 2012, 09:21:40 PM
> But would it actually matter if you have the public key or not to find the private key from data + encrypted data?

You don't have the signature either (and you can always derive the public key from the signature). The point is that the attacker won't know the public key/signature until it's announced... and a few minutes after the announcement it's too late to attack. So, assuming single-use addresses (as was always intended), an attack on ECDSA would only be useful if you could pull it off very fast.
Costia (OP), Newbie
January 29, 2012, 09:26:57 PM
It was a theoretical question about magical pony-friendly computers that started from Tycho's statement. Bitcoin has enough problems as it is (mostly usability/user friendliness). Also, this thread got off-topic.
chsados
January 30, 2012, 08:11:09 AM
>>>> 3) Also, the scriptPubKey is going to end up in the chain anyway. Why does the moment matter so much? If you are asking about the public key, then usually it appears in the blockchain only when it doesn't matter anymore (for one-time addresses). So if someone can "break" the signature using only the pubkey, he won't be dangerous, because if the pubkey is used for redeeming then that address is empty already.
>>>
>>> The whole point of ECDSA is that you can't break it with the public key.
>>
>> I'm talking about the future when new magic computers will be able to break ECDSA with the public key.
>
> In this magic future of quantum computing you will be able to do that without the public key as well.

Blind Quantum Computing will solve this, no? http://www.bbc.co.uk/news/science-environment-16636580