Bitcoin Forum
Author Topic: "All cryptography is breakable" criticism  (Read 7359 times)
DeathAndTaxes (Gerald Davis), Donator, Legendary, Activity: 1218
September 29, 2012, 10:40:28 PM  #61

Quote
To prevent length-extension attacks. These attacks are a known weakness in the current SHA hash functions, but the new SHA-3 hash function - to be announced soon - will have built-in measures to secure against this. The double-SHA-256 is sort of a workaround to this vulnerability.

I would point out extension attacks are only possible when the payload is of arbitrary size.  Bitcoin block headers are fixed-size, exactly 640 bits, not a bit more or a bit less.   Thus even if you found a payload which has a longer length but generates the same hash it wouldn't be a valid bitcoin block header and thus would be rejected by the network.

Still it is possible that Satoshi either didn't understand this or misunderstood the implications of an extension attack and used the double hash as a method to "prevent" the attack.  It certainly is plausible and is the most likely explanation I have heard so far.
Etlase2, Hero Member, Activity: 798
September 29, 2012, 11:24:18 PM  #62

Quote
Very simple counter-argument: "online banking uses cryptography too (HTTPS), do you also consider it unsafe?" Of course not.

Breaking a bank's website security does not give you access to the vault.

MoonShadow, Legendary, Activity: 1708
September 29, 2012, 11:28:12 PM  #63

Quote
I think $5 wrench still defeats one time pad.

No way.  These days $5 would get you a wrench about four inches long and two ounces.  At least a $30 wrench is required to defeat a one time pad.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
MoonShadow, Legendary, Activity: 1708
September 29, 2012, 11:32:13 PM  #64

Quote
Very simple counter-argument: "online banking uses cryptography too (HTTPS), do you also consider it unsafe?" Of course not.

Breaking a bank's website security does not give you access to the vault.

Nor would breaking bitcoin's blockchain security give you access to anyone's vault that you, personally, didn't already own in the recent past.

And my understanding of why there are two consecutive uses of SHA256 was more about establishing 'hooks' for a future use of a more advanced hashing algo alongside the current one, permitting the network to upgrade over an extended period of time without the potential of exposing the system to an unknown attack vector or requiring a rapid upgrade cycle.

Etlase2, Hero Member, Activity: 798
September 30, 2012, 12:04:49 AM  #65

Quote
Nor would breaking bitcoin's blockchain security give you access to anyone's vault that you, personally, didn't already own in the recent past.

I don't think it was the block chain security to which I was referring, considering that that does not give you access to any money.

MoonShadow, Legendary, Activity: 1708
September 30, 2012, 12:08:51 AM  #66

Quote
Nor would breaking bitcoin's blockchain security give you access to anyone's vault that you, personally, didn't already own in the recent past.

I don't think it was the block chain security to which I was referring, considering that that does not give you access to any money.

Well, on that note, it would be wise if the development team were to consider the adoption of a second address schema using a different public/private algo.  This way, in the event that a flaw in the current one is discovered, there will be an option to move funds to before the blackhats have the chance to exploit any flaws.

Gavin Andresen (Chief Scientist), Legendary, Activity: 1652
September 30, 2012, 12:17:01 AM  #67

Quote
Well, on that note, it would be wise if the development team were to consider the adoption of a second address schema using a different public/private algo.

Right now?  What if we did that and it turned out the second public/private algo was broken first? ECDSA is a NIST standard that has been very well studied and has no known vulnerabilities.  There are much, much, much higher items on the development TODO list, like figuring out a nice GUI for multi-device transaction authorization.

I did write up plans for migrating to a new algorithm here:
  https://gist.github.com/2355445  (See the "using a quantum-resistant digital signature algorithm" example at the end).

How often do you get the chance to work on a potentially world-changing project?
MoonShadow, Legendary, Activity: 1708
September 30, 2012, 12:41:36 AM  #68

Quote
Well, on that note, it would be wise if the development team were to consider the adoption of a second address schema using a different public/private algo.

Right now?  What if we did that and it turned out the second public/private algo was broken first? ECDSA is a NIST standard that has been very well studied and has no known vulnerabilities.  There are much, much, much higher items on the development TODO list, like figuring out a nice GUI for multi-device transaction authorization.

I did write up plans for migrating to a new algorithm here:
  https://gist.github.com/2355445  (See the "using a quantum-resistant digital signature algorithm" example at the end).

Easy!  Easy!  I was not aware this was already under consideration.  You're doing a fine job, Gavin; not everyone here is out to get you.

runeks, Legendary, Activity: 952
September 30, 2012, 01:25:19 AM  #69

Quote
To prevent length-extension attacks. These attacks are a known weakness in the current SHA hash functions, but the new SHA-3 hash function - to be announced soon - will have built-in measures to secure against this. The double-SHA-256 is sort of a workaround to this vulnerability.

I would point out extension attacks are only possible when the payload is of arbitrary size.  Bitcoin block headers are fixed-size, exactly 640 bits, not a bit more or a bit less.   Thus even if you found a payload which has a longer length but generates the same hash it wouldn't be a valid bitcoin block header and thus would be rejected by the network.

Still it is possible that Satoshi either didn't understand this or misunderstood the implications of an extension attack and used the double hash as a method to "prevent" the attack.  It certainly is plausible and is the most likely explanation I have heard so far.

Yes. Also, as far as I can tell, the attack isn't relevant unless you're hashing a secret, which the Bitcoin protocol doesn't use. I.e. the point of the attack is the ability to extend a message that has been hashed together with a secret, to produce a valid hash of a message that consists of m+p+m' where m is the original message including a secret, p is the SHA-256 padding, and m' is the message you want to add to the end.

I guess the point is that it's not apparent whether some future use-case of the protocol could make such an attack useful, and doing two rounds of SHA-256 vs. just one is so inexpensive that we might as well avoid that concern by just always hashing twice. It really should be the default use of SHA-256 anyway, which is why SHA-3 is required to implement this feature (or a feature that offers the same protection) by default. I.e. it's a SHA-256 bugfix that may or may not be necessary, but there's practically no reason not to do it.
FactoredPrimes, Newbie, Activity: 14
September 30, 2012, 05:22:41 AM  #70

Quote
SHA-256 is used by all the world, banks, governments, companies etc. If it gets broken... well, we can easily switch to something else with a client update. Meanwhile the entire world would collapse.

Most systems can switch out one hashing system for another. For example, when MD5 was shown vulnerable to collisions SSL signatures simply switched to another hashing method.

Bitcoin has the disadvantage of being set in its ways. The majority of clients would have to be updated at the same time to switch to another method. Even if such a thing could be coordinated and the bitcoin contract amended in the wild, it would take a lot of time to organize it. Those that failed to update would reject these new blocks.
anu, Legendary, Activity: 1120
September 30, 2012, 11:02:14 AM  #71

Quote
Those that failed to update would reject these new blocks.

Which means they would update because otherwise they reject their own transactions. EDIT: I assume of course that such a change would not be controversial and lead to a blockchain fork.


bustaballs, Member, Activity: 115
September 30, 2012, 07:09:39 PM  #72

So what's the supposed danger here? Some super quantum computer manages to instantly solve all of the blocks and thus take all of the new coins?

JoelKatz, Legendary, Activity: 1582 ("Democracy is vulnerable to a 51% attack.")
October 01, 2012, 06:32:29 AM  #73

Quote
So what's the supposed danger here? Some super quantum computer manages to instantly solve all of the blocks and thus take all of the new coins?

The danger is some super quantum computer manages to find an ECDSA private key that corresponds to every Bitcoin address.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
anu, Legendary, Activity: 1120
October 01, 2012, 06:45:22 AM  #74

Quote
So what's the supposed danger here? Some super quantum computer manages to instantly solve all of the blocks and thus take all of the new coins?

The danger is some super quantum computer manages to find an ECDSA private key that corresponds to every Bitcoin address.

Should be enough if finding a private key to any given address is trivial.

Reminds me: Does anyone know why addresses are 160 bits, and not 256? That way, there seem to be ~ 2^96 private keys for any given Bitcoin address - so the true length of a private key is also only 160 bits. What would happen if anyone used a new private key for a transaction that does not correspond to an already published public key?

TIA
-Anu


JoelKatz, Legendary, Activity: 1582
October 01, 2012, 06:54:22 AM  #75

Quote
Does anyone know why addresses are 160 Bit, and not 256?

To keep the accounts as short as possible to make it easier to communicate them.

Quote
What would happen if anyone used a new private key for a transaction that does not correspond to an already published public key?
Unless someone specifically thought to check, nobody would know.

MoonShadow, Legendary, Activity: 1708
October 01, 2012, 01:11:50 PM  #76

Quote
So what's the supposed danger here? Some super quantum computer manages to instantly solve all of the blocks and thus take all of the new coins?

The danger is some super quantum computer manages to find an ECDSA private key that corresponds to every Bitcoin address.

I've recently been informed that the next address schema is likely to be a 'quantum resistant' algo, although I don't understand it.  It's low on the to-do list though, since there are more pressing threats.

MoonShadow, Legendary, Activity: 1708
October 01, 2012, 01:23:08 PM  #77



Quote
Reminds me: Does anyone know why addresses are 160 bits, and not 256? That way, there seem to be ~ 2^96 private keys for any given Bitcoin address - so the true length of a private key is also only 160 bits.

Not quite true, the published address isn't really the public key, it's a hash of the public key with a checksum thrown in for error correction.
Quote
What would happen if anyone used a new private key for a transaction that does not correspond to an already published public key?

Wouldn't matter anyway, since that is how bitcoin's transactions work.  A user creates a private key, its corresponding public key, and the address.  The address is published and can receive coins, but the public key isn't published until the first time coins are spent from that address.  The way this works is that addresses cannot be reversed to their public key, but the public key is required before the other nodes can verify the digital signing of any spending transactions.  So every time coins are spent from that address, the public key is included in the transaction and the transaction is signed with the private key.  Other nodes can then verify that the signing key is mathematically related to the public key presented & the address is related to the public key by the standard hashing algo used.  If I'm getting some details wrong, I'm sure someone will correct me, but this is the general idea.

kjj, Legendary, Activity: 1302
October 01, 2012, 03:30:52 PM  #78



Quote
Reminds me: Does anyone know why addresses are 160 bits, and not 256? That way, there seem to be ~ 2^96 private keys for any given Bitcoin address - so the true length of a private key is also only 160 bits.

Not quite true, the published address isn't really the public key, it's a hash of the public key with a checksum thrown in for error correction.

What would happen if anyone used a new private key for a transaction that does not correspond to an already published public key?

Wouldn't matter anyway, since that is how bitcoin's transactions work.  A user creates a private key, its corresponding public key, and the address.  The address is published and can receive coins, but the public key isn't published until the first time coins are spent from that address.  The way this works is that addresses cannot be reversed to their public key, but the public key is required before the other nodes can verify the digital signing of any spending transactions.  So every time coins are spent from that address, the public key is included in the transaction and the transaction is signed with the private key.  Other nodes can then verify that the signing key is mathematically related to the public key presented & the address is related to the public key by the standard hashing algo used.  If I'm getting some details wrong, I'm sure someone will correct me, but this is the general idea.

Yup, that is correct.  To spend, you sign the transaction with the private key, and then provide that signature and the corresponding public key to the network.  The network then verifies that 1) the signature could only have been calculated using the private key that corresponds to the public key provided, and 2) that the public key does actually hash down to the hash (address) in the prevout.

A key point is that using a public key once does not claim it or make it special.  If someone manages to find a different private/public key pair with the same pubkey hash, that key is just as valid for other transactions using the same hash as the original was.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
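The address construction MoonShadow and kjj describe, as an added example (not code from the thread or from Bitcoin Core): Base58Check encoding of version || hash160 with the 4-byte SHA-256d checksum, decoding that rejects a mistyped address, and kjj's second spend-time check that the revealed public key hashes to the address in the prevout. The 20-byte SAMPLE_HASH160 is a constructed stand-in for RIPEMD160(SHA256(pubkey)) and is not any real key's hash; hash160() asks hashlib for OpenSSL's ripemd160, which some OpenSSL 3 builds no longer ship by default, so it is kept separate from the parts that run everywhere.

```python
"""Base58Check: what a Bitcoin address carries and how it is checked.

Added example, not from the thread or from Bitcoin Core.  SAMPLE_HASH160 is a
constructed 20-byte payload standing in for RIPEMD160(SHA256(pubkey)).
"""
import hashlib

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_P2PKH = 0x00  # mainnet pay-to-pubkey-hash prefix; it is why such addresses start with '1'

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def hash160(pubkey):
    """RIPEMD160(SHA256(pubkey)); needs an OpenSSL build that still provides ripemd160."""
    return hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()

def base58check_encode(version, payload):
    """version || payload || first 4 bytes of SHA-256d(version || payload), in base58."""
    raw = bytes([version]) + payload
    raw += sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, r = divmod(n, 58)
        digits.append(ALPHABET[r])
    leading = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte becomes a '1'
    return (ALPHABET[:1] * leading + bytes(reversed(digits))).decode()

def base58check_decode(address):
    """Return (version, payload); raise ValueError on a bad character or a checksum mismatch."""
    n = 0
    for ch in address.encode():
        if ch not in ALPHABET:
            raise ValueError("invalid base58 character")
        n = n * 58 + ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(address) - len(address.lstrip("1"))) + raw
    if len(raw) < 5:
        raise ValueError("too short to hold a version byte and checksum")
    body, checksum = raw[:-4], raw[-4:]
    if sha256d(body)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return body[0], body[1:]

def is_well_formed(address):
    try:
        base58check_decode(address)
        return True
    except ValueError:
        return False

def pubkey_matches_address(pubkey, address):
    """kjj's check 2): the public key revealed at spend time must hash to the address in the prevout."""
    version, payload = base58check_decode(address)
    return version == VERSION_P2PKH and hash160(pubkey) == payload

# Constructed payload; a real address would carry hash160(pubkey) here.
SAMPLE_HASH160 = bytes(range(20))

if __name__ == "__main__":
    addr = base58check_encode(VERSION_P2PKH, SAMPLE_HASH160)
    typo = addr[:-1] + ("2" if addr[-1] != "2" else "3")
    print(addr, is_well_formed(addr))
    print(typo, is_well_formed(typo))
```

The checksum only tells a wallet that an address was typed or copied intact; it says nothing about whether anyone holds a key for it, which is kjj's point that any key pair hashing to the same 20 bytes can spend from the same address. Decoding an address whose payload is all zero bytes gives the familiar 1111111111111111111114oLvT2, a useful fixed point for checking an implementation.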
niko, Hero Member, Activity: 742 ("There is more to Bitcoin than bitcoins.")
October 03, 2012, 05:28:44 AM  #79

I apologize if this has been asked here already and I missed it (it seems obvious) - are there recent examples of cryptographic algorithms being broken in a sudden, catastrophic fashion? I see it much more likely that a "weakness" is published first, thus giving everyone some time to migrate to a new signature algo and send their coins to the new system. How hard would it be technically to enable spending of "old" ECDSA coins into the network based on a different signing algorithm?


They're there, in their room.
Your mining rig is on fire, yet you're very calm.
Etlase2, Hero Member, Activity: 798
October 03, 2012, 05:33:04 AM  #80

Quote
I apologize if this has been asked here already and I missed it (it seems obvious) - are there recent examples of cryptographic algorithms being broken in a sudden, catastrophic fashion? I see it much more likely that a "weakness" is published first, thus giving everyone some time to migrate to a new signature algo and send their coins to the new system. How hard would it be technically to enable spending of "old" ECDSA coins into the network based on a different signing algorithm?

Catastrophic failures are not at all common (if ever) for well-tested algorithms. Speculative ones get busted with some regularity. Old ECDSA coins would need to be spent to a new address that is either a new public key or a new hash from a new public key. According to what I've read, this can be done without a hard fork, but unless all miners are upgraded the network will fork, at least temporarily.
