@dinofelis made a follow-up reply to an upthread discussion...
Readers I am not admonishing @dinofelis. I respect him very much. Please read all the way to the end of this post.
Satoshi's creation contains too many blunders (mathematical, cryptographic, economical, game-theoretical and programmatic) to be made by a genius like Nash.
I have refuted you in another thread. You had some really dumb errors in your analysis, such as claiming that RIPEMD160 reduces security. No, it only reduces the space of addresses, which increases potential collisions, but only with an astronomically small probability, and it saves a lot of scaling space.
Given that that thread is closed, I won't reply there of course. But your rebuttal is wrong, most probably because you didn't see the point I was making.
Here is your rebuttal:
Sorry, but you are incorrect. Math-theoretic bitlength security is not comparable to hash function bitlength security. Also, RIPEMD160 comes after SHA256, thus you lose no security, only collisions. The hash only obscures the public key. You still need to provide the public key on spending, so a 160-bit collision won't help you spend, because it is also hashed with SHA256.
There are different forms of attack on a bitcoin UTXO, some more theoretical than others, but here it goes.
In order to spend a UTXO in an attack, you have to provide a digital signature and a public key that allows one to verify that signature, in such a way that:
1) that signature corresponds to the transaction as verified with the given public key
2) the hash of that public key corresponds to the given address.
Of course, 1) is not difficult by itself: just any key pair (P,S) will allow you to use S to generate a valid signature, that can be verified by P. The hard part is 2), the fact that the public key has to hash to the given address.
Essentially, we need to find a P such that
1) P corresponds to an S that can generate a signature to be verified by P
2) P ultimately hashes to A, the address.
In this problem, A is the only given. ANY P that hashes to A and that has a corresponding S, will do.
The cryptographic assumptions are that we have an easy elliptic function ell(S) = P, and an easy hash function hash(P) = A. Note that the fact that hash() is a compound hash function of two standards, SHA-256 and RIPE160, doesn't matter in the theoretical description.
ell() is a 256 -> 256 bit function.
hash() is a 256 -> 160 bit function.
In the end, the only thing that we need, is to find an S, such that hash(ell(S)) = A.
As hash o ell = full is a 256 -> 160 bit function, to brute-force this, your security is essentially 160 bit. After on average 2^160 trials, you will have found an S.
Correct, the intractable brute force collision attack is reduced to 2^160 bits.
And that is your mistake. Shocked?
I had thought of that of course and was waiting for you to make this mistake.
Here we aren't concerned about an intractable brute force attack. We are concerned about cryptanalysis breakage. And non-brute-force cryptanalysis collision attacks require attacking the input (and output relationship) of the RIPEMD160, not attacking the input of the SHA256 whose output is the input of the RIPEMD160. Such as for distinguishers, boomerang attacks, etc.
I have studied hash functions and their cryptanalysis some, so I became aware of this.
It will not be the owner's S, but that doesn't matter.
This particular S will:
1) provide a P that will be able to verify the signature generated by S
2) have the P hash to A
and that's all that is needed.
In fact, 2^(256 - 160) = 2^96 different (S,P) key pairs will satisfy the needs to spend the transaction output.
Although you try to make that big number of potential duplicates sound like a big deal, it is in fact intractable to find one because of the 2^160 bits of collision space in the brute force attack case.
Only one of those is the true owner's key pair, but the whole point is that that doesn't matter. The transaction can be satisfied by 2^96 different key pairs, because the only thing that is needed for such a key pair, is for its public key to be hashed to the address.
So the effective security of bitcoin's signature scheme is 160 bit, on the condition that all cryptography is perfectly safe. There's no point in going to 256 bit for the key pair, because 96 bits of that are lost, given that 2^96 key pairs hash to the same address and are interchangeable.
As I had originally pointed out, you are conflating two entirely different systems of security, and each can benefit orthogonally from increased bit lengths when we are not concerned about an intractable brute force enumeration attack and are instead concerned with math-theoretic cryptanalysis breakage.
Now, ONCE the public key is exposed (which is normally, if there is no address re-utilisation, only when the payment is broadcast), the security of a 256 bit public key scheme with full cryptographic security is 128 bits (all schemes are vulnerable to Pollard's rho attack, which halves the number of bits). As such, at first sight a 160 bit hash doesn't seem to decrease the security of the key pair: a 256 bit key is in any case not more secure than 128 bits.
That is why we need the 256 bitlength security for the ECDSA. That has been my point. Don't conflate hash function attacks with ECC attacks.
I'm not even sure that you really maintain the 128 bit security if 2^96 key pairs are possible, even though for most general attacks I know about, you need to know the explicit public key and not just a hash test of it.
You're thinking about it entirely incorrectly per my points above.
However, such security is not needed. The public key only needs to be secure from the moment of broadcast until the moment of integration in the block chain, that is, about 10 minutes. There is no need for 128 bit security in that case.
If you had taken 80 bits of security, that is, an elliptic curve crypto system with 160 bit keys, then there would be only a single key pair that corresponds to the address. You wouldn't have wasted 96 bits for each input. The long-term security would still be 160 bits, because of the security of the (combined) hash function. And 80 bits of security would be more than sufficient to keep the secret during the time between broadcasting the signature and the key, and its inclusion in a block.
Incorrect. Think about it.
The error you (and probably Satoshi) make is to think that because at a certain point we have 256 bits, that this level of security is "locked in".
You presume we are simpletons, because you have made a Dunning-Kruger mistake.
This error comes from thinking that one has to crack the scheme "backward" one by one: first one has to crack RIPEMD160, then one has to crack SHA-256, then one has to crack elliptic curve discrete logs on 256 bits. But that is not necessary. You can see the system as a whole, and you shouldn't see it as reversing several individual steps. You can easily see the problem with that notion. Suppose that passwords are protected with a 20-bit hash.
Please don't lecture me. I understand all that. But you got lost in the trees and didn't see the big picture point.
==> clumsy crypto.
Nope. Your analysis was clumsy.
Please stop thinking Satoshi made mistakes. He was more clever and exacting than you. You really want to believe the global elite didn't create Bitcoin. And you really want to believe Bitcoin is going to fail. But your beliefs do not align with objective reality.
I am not trying to insult or demean you. I know you are very smart and I have appreciated all your very high-quality analysis. As well you turned me more on to the concept that PoW is a crab mentality immutability game theory.
I am just noting that your confirmation biases for wanting Bitcoin to fail, are I think causing you to be overconfident and not skeptical enough on your analysis.
I am thoroughly convinced that iamnotback is a total moron.
You are suffering from the Dunning-Kruger effect.
The Dunning–Kruger effect is a cognitive bias in which low-ability individuals suffer from illusory superiority, mistakenly assessing their ability as much higher than it really is. Psychologists David Dunning and Justin Kruger attributed this bias to a metacognitive incapacity, on the part of those with low ability, to recognize their ineptitude and evaluate their competence accurately.
Dunning and Kruger have postulated that the effect is the result of internal illusion in those of low ability and external misperception in those of high ability: "The miscalibration of the incompetent stems from an error about the self, whereas the miscalibration of the highly competent stems from an error about others."
@dinofelis will acknowledge the correctness of my rebuttal, unless he is disingenuous. And I don't think he is.
@dinofelis's mistake was thinking that something that is intractable is worth worrying about. Cryptanalysis attempts to reduce the intractable bitlength security to a tractable attack. But I explained that the staging of the SHA256 before the input of the RIPEMD160 in theory makes cryptanalysis attacks on the collision equivalent to attacking the 256-bitlength collision security of SHA256. Cryptanalysis attacks don't collapse to 160 bits. I possess more knowledge about hash function security than @dinofelis.
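The composite-function view that both posters argue over (find any S with hash(ell(S)) = A; 2^(256-160) interchangeable key pairs per address; brute force costs about 2^160 trials, not 2^256) can be run at toy scale. This is an added example, not code from either poster or from Bitcoin: S is 16 bits instead of 256, ell() is exponentiation in a toy group mod 65537 standing in for secp256k1, and a truncated SHA-256 stands in for SHA256+RIPEMD160; every parameter is constructed for illustration.

```python
import hashlib
import random

# Scaled-down model of the thread's argument (constructed parameters, not Bitcoin's real ones):
# real Bitcoin has a 256-bit S, ell(S) = S*G on secp256k1 and hash = RIPEMD160(SHA256(P)).
# Here S is 16 bits, ell(S) = 3^S mod 65537 (a bijection on 1..65536) and hash() is SHA-256
# truncated to ADDR_BITS, standing in for the 160-bit digest.
KEY_BITS = 16
ADDR_BITS = 8
P_MOD = 65537     # Fermat prime 2^16 + 1; its multiplicative group has exactly 2^16 elements
GENERATOR = 3     # 3 is a primitive root of every Fermat prime, so ell() is a bijection


def ell(s: int) -> int:
    """Toy public-key function: one-way exponentiation, analogous to S*G on the curve."""
    return pow(GENERATOR, s, P_MOD)


def hash_addr(p: int) -> int:
    """Toy address function: compress the public key down to ADDR_BITS bits."""
    digest = hashlib.sha256(p.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big") >> (16 - ADDR_BITS)


def address_of_secret(s: int) -> int:
    """The composite map hash(ell(S)) = A that an attacker actually has to invert."""
    return hash_addr(ell(s))


def preimage_counts() -> list:
    """Per address A, how many secrets S satisfy hash(ell(S)) == A (mean 2^(KEY_BITS-ADDR_BITS))."""
    counts = [0] * (1 << ADDR_BITS)
    for s in range(1, (1 << KEY_BITS) + 1):
        counts[address_of_secret(s)] += 1
    return counts


def brute_force_spend(addr: int, seed: int) -> tuple:
    """Find *any* S whose key hashes to addr: ~2^ADDR_BITS trials, and almost never the owner's S."""
    rng = random.Random(seed)
    trials = 0
    while True:
        s = rng.randrange(1, (1 << KEY_BITS) + 1)
        trials += 1
        if address_of_secret(s) == addr:
            return s, trials
```

The mean of preimage_counts() is exactly 2^(16-8) = 256 by counting, the toy analogue of the 2^96 key pairs per address, and brute_force_spend() succeeds after a few hundred trials rather than 2^16 because only the hash output has to match.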