
Topic: Thought experiment on security design of bitcoin protocol (Read 1086 times)

kjj
legendary
Activity: 1302
Merit: 1026
Quote
I think the existence of forged SSL certs that exploit MD5 collisions means that the possibility of two different valid transactions that hash to the same value isn't impossible. We already know what happens in that case - the code gets confused and can be exploited (we saw it with the coinbase duplication issue).

Quote from: Bob Jueneman, IETF-PKIX
There is nothing in any of these standards that would prevent me from including 1 gigabit MPEG movie of me playing with my cat as one of the RDN components of the DN in my certificate

SSL cert signing requests have no consistent structure beyond some very loose guidelines that vary a bit from CA to CA.  If you were trying to design a data format that was intentionally vulnerable to hash collision attacks, I doubt you could do a better job.
legendary
Activity: 1526
Merit: 1134
I think the existence of forged SSL certs that exploit MD5 collisions means that the possibility of two different valid transactions that hash to the same value isn't impossible. We already know what happens in that case - the code gets confused and can be exploited (we saw it with the coinbase duplication issue).
kjj
legendary
Activity: 1302
Merit: 1026
The biggest consequence is that no one would have taken it seriously.  And even now that MD5 is considered to be totally broken and should never be used for anything at all, the other constraints in the system would cover our asses if we used them.

Being able to find a collision in MD5 is totally not the same thing as being able to find two valid blocks with the same MD5 hash, or two valid transactions with the same MD5 hash, or two private keys where the corresponding public keys have the same MD5 hash.

Pieter is right, collision attacks don't hurt us at all, and even in MD5, preimage attacks don't exist.  Well, they sorta do, but they still require more than 2^120 operations, making them barely better than brute force.  And I'm not even sure that a full preimage attack could meet the system requirements.
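The collision-versus-preimage distinction the posts above are drawing, as an added example that is not from any poster: a toy truncated hash (constructed here, not MD5) shows empirically that finding any two colliding inputs the attacker chooses (the setting of the forged MD5 certificates) costs about 2^(n/2) work, while matching one fixed, already-published hash (what replacing a transaction in a block would require) costs about 2^n.

```python
import hashlib
import random

def truncated_hash(data: bytes, bits: int) -> int:
    # Constructed toy hash: the top `bits` bits of SHA-256, so both searches
    # finish quickly. Only the cost ratio between the two attacks matters.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def generic_costs(bits: int) -> tuple:
    # Generic work factors for an n-bit hash: birthday bound for a collision,
    # exhaustive search for a (second) preimage. For MD5, n = 128.
    return 2 ** (bits // 2), 2 ** bits

def find_collision(bits: int, rng: random.Random):
    # Collision: the attacker chooses BOTH messages. This is the setting of the
    # MD5 certificate forgeries cited in the thread, where the attacker authored
    # both colliding inputs. Expected work ~ 2**(bits/2).
    seen = {}
    trials = 0
    while True:
        m = rng.getrandbits(64).to_bytes(8, "big")
        trials += 1
        h = truncated_hash(m, bits)
        if h in seen and seen[h] != m:
            return seen[h], m, trials
        seen[h] = m

def find_second_preimage(target: bytes, bits: int, rng: random.Random):
    # Second preimage: the target is FIXED in advance (think of a txid already
    # committed to in a block). Swapping that transaction without changing its
    # hash needs this, not a collision. Expected work ~ 2**bits.
    want = truncated_hash(target, bits)
    trials = 0
    while True:
        m = rng.getrandbits(64).to_bytes(8, "big")
        trials += 1
        if m != target and truncated_hash(m, bits) == want:
            return m, trials

def compare(bits: int = 16, seed: int = 1) -> dict:
    # Runs both searches against the same toy hash and reports trial counts.
    rng = random.Random(seed)
    a, b, c_trials = find_collision(bits, rng)
    target = b"constructed-txid-stand-in"   # constructed sample, not a real txid
    m, p_trials = find_second_preimage(target, bits, rng)
    return {"collision": (a, b, c_trials), "second_preimage": (m, p_trials),
            "generic": generic_costs(bits)}

if __name__ == "__main__":
    r = compare()
    print("collision after", r["collision"][2], "trials; expected ~", r["generic"][0])
    print("second preimage after", r["second_preimage"][1], "trials; expected ~", r["generic"][1])
```

With 16 bits the collision typically appears after a few hundred trials and the second preimage after tens of thousands, the same 2^(n/2) versus 2^n gap that separates the known MD5 collision attacks from the still-infeasible preimage attacks kjj and Pieter refer to.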
legendary
Activity: 1072
Merit: 1181
All those things require a preimage attack. The only practical attack against MD5 is a collision attack.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
[what i wrote only applies to preimage attacks, md5 only got collision attacks]

double spends, chain splitting, faster creation, able to make two different transactions with the same hash (i.e. replace transactions in blocks without changing its hash) + many other nasty things I have not thought about yet.
sr. member
Activity: 444
Merit: 250
Just for fun, let's imagine an alternative reality in which Satoshi made a strange mistake in Bitcoin's design: instead of SHA-256, he used MD5. Everything else is exactly the same. What would some practical consequences of this be, with regards to the resilience of the bitcoin network, security of funds etc?