Topic: Re: BIP 17 (Read 1060 times)

Blind Quantum Computing will solve this, no?
http://www.bbc.co.uk/news/science-environment-16636580

It was a theoretical question about magical pony friendly computers that started from tycho's statement
Bitcoin has enough problems as it is (mostly usability\user friendliness)
Also, this thread got off-topic

You don't have the signature either (and you can always derive the public key from the signature).  The point is that the attacker won't know the public key/signature until its announced ... and a few minutes after the announcement it's too late to attack.  So, assuming single use addresses (as was always intended) an attack on ECDSA would only be useful if you could pull it off very fast.

No such computer currently exists that can break ECDSA. As for the theoretical question... since you can get the public key from the signature, having the public key already is unnecessary.

that wasn't the question.
bitcoin uses ECDSA for the signatures.
assuming:
1) you have a strong enough computer to break the ECDSA encryption,
2) you have the data and the sig - which is the encrypted hash of the data IIRC
will it help you in any way to know the public key as well. will it simplify the process of finding the private key?

Bitcoin does not use encryption. If you have data + signature, you can already find the public key.

but would it actually matter if you have the public key or not to find the private key from data + encrypted data?

This isn't the case. QC only gives a sqrt(N) speedup for generic blackbox non-linear inversion.  So on a magical pixie dust computer a 256 bit hash function has the same security as a 128 bit hash function has on a classical computer that does the same number of operations per second.

There are QC strong versions of all the applicable cryptographic operations, we don't use them only because they have much higher overhead (like 16kbyte signatures), but the mass media loves to over-hype the capabilities of (still non-existent) quantum computers so you never hear about them.

The scheme of H(pubkey) addresses in Bitcoin is a bit of insurance against many kinds of ECDSA (classical or otherwise) weakining.

P2SH (of any kind) largely preserve this property, though they may slightly increase exposure to classical cryptanalytic attacks because they allow an attacker almost arbitrary stuffing to produce a matching address without also having to solve the discrete log problem. E.g. with current addresses an attacker doesn't just have to find a preimage, he'd have to find one that he knows the ECDSA private key for. Under P2SH there is a wider variety of acceptable inputs.

That said, even if we used the now-compromised MD5 algorithm the practical MD chosen prefix collision attack there couldn't be used to steal random people's money with P2SH (because it requires the attacker produce both messages, it's not a preimage attack) though it might permit an attacker to generate an unusual escrow script  which could also be redeemed under a second set of rules.  (Not that this weakness exists with our SHA256 much less the HASH160, but I think its useful to reason about how the system would work with parts replaced with compromised versions).

in this magic future of quantum computing you will be able to do that without the public key as well

I'm talking about the future when new magic computers will be able to break ECDSA with public key.

the whole point of ECDSA is that you cant break it with the public key. the security issue in bip16 is that on an old client it won't even check that the key fits the sig. so there is no need to break the encryption, just get the key and script - which you can do by checking the content of the transactions that you relay or actively "sniffing" the network.