Topic: REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and other - page 4. (Read 40724 times)

legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
Congratulations!  I had completely forgotten about this thread.
newbie
Activity: 7
Merit: 0
... meanwhile, MD5 is still widely used
legendary
Activity: 1260
Merit: 1019
Obviously he ran a bot checking if the challenge is solved and trying to double-spend using the challenge answer before the real winner is confirmed
In fact the bot is looking for all inputs which do not require signing by private key
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
A double spend with 3 confirms?? I never thought I would see the day. Is this not a zero day and needs to be patched? Should we be happy this collision happened??
Not a problem, the other ones are not confirmed

How the guy did it:
 - The first SHA1 collision ever has been found today: https://shattered.io/
 - He took the data from the header to the "collision blocks" (see image at bottom, 320 bytes)
 - With the data after these blocks (from JPEG data to PDF footer) being the same and the 2 hashes having the same value, we know the hashes of "header -> collision blocks" will be the same due to what SHA1 is

Congratulations to 1EohDhHJT9byKsYhxp5zX6PNkuGhxoEu9r, I completely forgot this challenge
By the way, it looks like 1aa5cmqmvQq8YQTEqcTmW7dfBNuFwgdCD is trying something: https://blockchain.info/fr/address/37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP
This guy is known: https://bitcointalksearch.org/topic/instant-bitcoin-doubler-1572130 (amaclin: https://bitcointalksearch.org/user/amaclin-197593)
Obviously he ran a bot checking if the challenge is solved and trying to double-spend using the challenge answer before the real winner is confirmed
full member
Activity: 201
Merit: 100
A double spend with 3 confirms?? I never thought I would see the day. Is this not a zero day and needs to be patched? Should we be happy this collision happened??
newbie
Activity: 23
Merit: 0
sr. member
Activity: 278
Merit: 250
Someone please produce a news article with this sensational title: "The Bitcoin creator's $1 billion hidden reward to those who break NSA's super secret algorithm".

Hmmm, a catch-22:

If an intelligent person can derive a fast enough algorithm to invert SHA-2 (256-bit), then he can also use it to mine Bitcoins faster than anyone else and gain complete control of the network. And therefore, he has no incentive to share the knowledge.

But if an intelligent person can derive a fast enough algorithm to break ECDSA signatures based on secp256k1, then he will have complete control of the crypto economy. His only option will be to keep the algorithm private. He has no incentive to share the knowledge because he can now manipulate transactions at will.
hero member
Activity: 784
Merit: 1000
Someone please produce a news article with this sensational title: "The Bitcoin creator's $1 billion hidden reward to those who break NSA's super secret algorithm".
staff
Activity: 4242
Merit: 8672
... are at risk.
In context, of course— that's assuming a compromise of ECC on our curve.
legendary
Activity: 2576
Merit: 1186
Not to take away from Peter's wonderful challenge to the world, but shouldn't this have been better directed at the ECDSA weaknesses implied by Schneier, assuming of course this was his motivation for posting this?

All of Satoshi's coins are a reward for breaking the ECDSA, since they are not protected by the RIPEMD160 hash function.
Stealing someone's coins by breaking ECDSA is not the same as a reward specifically for breaking something.

Also, this has nothing to do with "Satoshi's coins". All block rewards generated by bitcoind's internal miner or getwork are at risk.
sr. member
Activity: 360
Merit: 251
The updated system requires the hashing function and the signing algorithm to be broken at around the same time.

You need a preimage attack on the hash function where the preimage is a valid pubkey for which you know the corresponding privkey. There are about 2^256 pubkeys and 2^160 hashed addresses, so the attacker has to find one ECDSA keypair as the preimage out of about 2^96 possible candidates.

It's true to say that if the hash function is resistant to preimage attacks then we have 160 bits of security, compared to the 128 bits of security of ECDSA with 256 bit security parameter. But saying that the attacker must break both the hash function and ECDSA is too strong.
staff
Activity: 4242
Merit: 8672
And that this (government backed security services employed) someone has not publicly disclosed it
They now have a way to get paid a bit for anonymously disclosing it. How sure do you want to be? Insert coins.
legendary
Activity: 3430
Merit: 3080
Is there a way to know that someone hasn't already tested such a possibility? And that this (government backed security services employed) someone has not publicly disclosed it? I would suggest not, although I'd like to hear commentary from the more technically informed.
legendary
Activity: 1596
Merit: 1100
Added 1.0 BTC to SHA1 bounty.
staff
Activity: 4242
Merit: 8672
Not to take away from Peter's wonderful challenge to the world, but shouldn't this have been better directed at the ECDSA weaknesses implied by Schneier, assuming of course this was his motivation for posting this?
I don't believe there is a way to construct such a thing— beyond all the coins which are pay to pubkey (e.g. early unspent blocks) and all the coins which are assigned to addresses which have spent before so the pubkey is known.

I'm not sure if anyone has identified any known-lost pay to pubkeys which can be redeemed without stealing from someone. Might be good for someone to do that.
legendary
Activity: 905
Merit: 1012
No, there's no relation between a pubkey and a pubkey-hash. Once the pubkey is known, hash160 isn't relevant at all. Coinbase transactions in the pre-pool days were simply the public key and OP_CHECKSIG. "All" you have to do to spend this is find a way to generate a signature from the public key only. No hash preimage is required.
legendary
Activity: 1764
Merit: 1002
What are those and how do they compare to what we have today?

The standard transaction is "This coin can be spent by someone who signs the transaction with the private key that matches a public key that hashes to ".

To spend that, you need to provide the public key and then sign it.  Even if the signature algorithm was broken, those coins couldn't be spent, since the attacker wouldn't know the public key.  This is one of the reasons why re-using addresses is a bad idea.  Once you spend money from the address, you give away the public key.

The original transactions were "This coin can be spent by someone who signs the transactions with the private key that matches ".  If the signature algorithm is broken, then those coins can be spent by the attacker, since he would know the public key.

The updated system requires the hashing function and the signing algorithm to be broken at around the same time.

Interesting. I never knew that the original Bitcoin didn't involve Hash160's.

But doesn't this get back to the point I was making to you that pubkeys are in fact more moderately protected by unspent addresses, i.e. Hash160's, of those pubkeys?

Furthermore, my original point was I'd love to see Peter erect a scripting challenge to hack an ECDSA-related problem that Schneier so blatantly highlighted.
legendary
Activity: 1232
Merit: 1094
What are those and how do they compare to what we have today?

The standard transaction is "This coin can be spent by someone who signs the transaction with the private key that matches a public key that hashes to ".

To spend that, you need to provide the public key and then sign it.  Even if the signature algorithm was broken, those coins couldn't be spent, since the attacker wouldn't know the public key.  This is one of the reasons why re-using addresses is a bad idea.  Once you spend money from the address, you give away the public key.

The original transactions were "This coin can be spent by someone who signs the transactions with the private key that matches ".  If the signature algorithm is broken, then those coins can be spent by the attacker, since he would know the public key.

The updated system requires the hashing function and the signing algorithm to be broken at around the same time.
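The distinction in the post above (P2PK exposes the public key on chain, P2PKH hides it behind hash160 until the first spend) and the earlier remark about a bot hunting for inputs that need no private-key signature both come down to reading the scriptPubKey. The following is an added example, not code from the thread or from any poster: a small Bitcoin Script tokenizer and a classifier that tells a watcher which secret protects an output. The opcode values are the real ones; the sample scripts are constructed.

```python
# Added example (not code from the thread): classify a Bitcoin scriptPubKey by what
# protects the coins. Opcode values are real; the sample scripts are constructed.
OP_PUSHDATA = {0x4C: 1, 0x4D: 2, 0x4E: 4}  # PUSHDATA1/2/4 -> width of length field
OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x76, 0x88, 0xA9, 0xAC
SIG_OPS = {0xAC, 0xAD, 0xAE, 0xAF}  # CHECKSIG(VERIFY), CHECKMULTISIG(VERIFY)

def tokenize(script: bytes):
    """Yield ('push', data) or ('op', opcode); raise on a truncated push."""
    i, n = 0, len(script)
    while i < n:
        op, i = script[i], i + 1
        if op <= 0x4B:                      # OP_0 and direct pushes of 1..75 bytes
            size = op
        elif op in OP_PUSHDATA:
            width = OP_PUSHDATA[op]
            if i + width > n:
                raise ValueError("truncated PUSHDATA length at offset %d" % i)
            size, i = int.from_bytes(script[i:i + width], "little"), i + width
        else:
            yield ("op", op)
            continue
        if i + size > n:
            raise ValueError("push of %d bytes runs past end of script" % size)
        yield ("push", script[i:i + size])
        i += size

def classify(script: bytes) -> str:
    """Return which secret a spender must know to claim this output."""
    toks = list(tokenize(script))
    ops = [v for kind, v in toks if kind == "op"]
    pushes = [v for kind, v in toks if kind == "push"]
    if ops == [OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG] and [len(p) for p in pushes] == [20]:
        return "p2pkh"          # pubkey hidden behind hash160 until the first spend
    if ops == [OP_CHECKSIG] and len(pushes) == 1 and len(pushes[0]) in (33, 65):
        return "p2pk"           # pubkey already on chain: only ECDSA protects it
    if not SIG_OPS.intersection(ops):
        return "no-signature"   # puzzle output: whoever learns the answer can spend
    return "other-signature"

# Constructed samples: P2PKH, P2PK and a SHA1-collision puzzle (OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL).
SAMPLES = {
    "p2pkh": bytes([OP_DUP, OP_HASH160, 20]) + b"\x11" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
    "p2pk": bytes([33, 0x02]) + b"\x22" * 32 + bytes([OP_CHECKSIG]),
    "sha1_puzzle": bytes([0x6E, 0x87, 0x91, 0x69, 0xA7, 0x7C, 0xA7, 0x87]),
}

def audit(outputs: dict) -> dict:
    """Map each output name to its class, e.g. to flag outputs a bot could race."""
    return {name: classify(spk) for name, spk in outputs.items()}
```

An output classed "no-signature" is exactly the kind a mempool-watching bot can claim the moment a solution is broadcast, which is why the thread saw a race on the bounty; "p2pk" outputs are the ones that fall if ECDSA alone is broken.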
legendary
Activity: 1764
Merit: 1002
Not to take away from Peter's wonderful challenge to the world, but shouldn't this have been better directed at the ECDSA weaknesses implied by Schneier, assuming of course this was his motivation for posting this?

All of Satoshi's coins are a reward for breaking the ECDSA, since they are not protected by the RIPEMD160 hash function.

Well, they are, as a public key is protected by an unspent address.

"Satoshi's early public keys"

What are those and how do they compare to what we have today?