Peter Todd





Offline



Activity: 1106

Merit: 1045







LegendaryActivity: 1106Merit: 1045 REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and other September 13, 2013, 06:19:33 AM Merited by joniboini (10), ETFbitcoin (2), LoyceV (2), nc50lc (2), Coding Enthusiast (2), BTCW (2), gmaxwell (1) #1



Further donations to the bounties are welcome, particularly for SHA1 - address



Details below; note that the "decodescript" RPC command is not yet released; compile bitcoind from the git repository at



SHA1:



$ btc decodescript 6e879169a77ca787

{

"asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL",

"type" : "nonstandard",

"p2sh" : "37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP"

}





SHA256:



$ btc decodescript 6e879169a87ca887

{

"asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA256 OP_SWAP OP_SHA256 OP_EQUAL",

"type" : "nonstandard",

"p2sh" : "35Snmmy3uhaer2gTboc81ayCip4m9DT4ko"

}





RIPEMD160:



$ btc decodescript 6e879169a67ca687

{

"asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_RIPEMD160 OP_SWAP OP_RIPEMD160 OP_EQUAL",

"type" : "nonstandard",

"p2sh" : "3KyiQEGqqdb4nqfhUzGKN6KPhXmQsLNpay"

}





RIPEMD160(SHA256()):



$ btc decodescript 6e879169a97ca987

{

"asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_HASH160 OP_SWAP OP_HASH160 OP_EQUAL",

"type" : "nonstandard",

"p2sh" : "39VXyuoc6SXYKp9TcAhoiN1mb4ns6z3Yu6"

}





SHA256(SHA256()):



$ btc decodescript 6e879169aa7caa87

{

"asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_HASH256 OP_SWAP OP_HASH256 OP_EQUAL",

"type" : "nonstandard",

"p2sh" : "3DUQQvz4t57Jy7jxE86kyFcNpKtURNf1VW"

}



and last but not least, the absolute value function:



$ btc decodescript 6e879169907c9087

{

"asm" : "OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_ABS OP_SWAP OP_ABS OP_EQUAL",

"type" : "nonstandard",

"p2sh" : "3QsT6Sast6ghfsjZ9VJj9u8jkM2qTfDgHV"

}



For example, this pair of transactions created, and then collected, an

absolute value function bounty:



0100000001f3194f7c2a39809d6ea5fa2db68326932df146aaab7be2f398a524bd269d0b6200000 0008a473044022039bc13cb7fe565ff2e14b16fbc4a9facd36b25a435d2f49de4534463212aeaee 022076413c7591385cd813df37d8104dd8110745c28178cef829b5ab3e56b7c30d22014104d3477 5baab521d7ba2bd43997312d5f663633484ae1a4d84246866b7088297715a049e2288ae16f16880 9d36e2da1162f03412bf23aa5f949f235eb2e7141783ffffffff03207e7500000000001976a9149 bc0bbdd3024da4d0c38ed1aecf5c68dd1d3fa1288ac0000000000000000126a6e879169907c9087 086e879169907c908740420f000000000017a914fe441065b6532231de2fac563152205ec4f59c7 48700000000



0100000001f18cda90bbbcfb031c65ceda17c82dc046c7db0b96242ba4c5b53c411d8c056e02000 0000c510181086e879169907c9087ffffffff01a0bb0d00000000001976a9149bc0bbdd3024da4d 0c38ed1aecf5c68dd1d3fa1288ac00000000



Specifically with the scriptSig: 1 -1 6e879169907c9087





Notes:



1) We advise mining the block in which you collect your bounty yourself; scriptSigs satisfying the above scriptPubKeys do not cryptographically sign the transaction's outputs. If the bounty value is sufficiently large other miners may find it profitable to reorganize the chain to kill your block and collect the reward themselves. This is particularly profitable for larger, centralized, mining pools.



2) Note that the value of your SHA256, RIPEMD160, RIPEMD160(SHA256()) or SHA256^2 bounty may be diminished by the act of collecting it.



3) Due to limitations of the Bitcoin scripting language bounties can only be collected with solutions using messages less than 521 bytes in size.



4) "When Will We See Collisions for SHA-1?" - Bruce Schneier -https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html Rewards at the following P2SH addresses are available for anyone able to demonstrate collision attacks against a variety of cryptographic algorithms. You collect your bounty by demonstrating two messages that are not equal in value, yet result in the same digest when hashed. These messages are used in a scriptSig, which satisfies the scriptPubKey storing the bountied funds, allowing you to move them to a scriptPubKey (Bitcoin address) of your choice.Further donations to the bounties are welcome, particularly for SHA1 - address 37k7toV1Nv4DfmQbmZ8KuZDQCYK9x5KpzP - for which an attack on a single hash value is believed to be possible at an estimated cost of $2.77M (4)Details below; note that the "decodescript" RPC command is not yet released; compile bitcoind from the git repository at http://github.com/bitcoin/bitcoin and last but not least, the absolute value function:For example, this pair of transactions created, and then collected, anabsolute value function bounty:0100000001f3194f7c2a39809d6ea5fa2db68326932df146aaab7be2f398a524bd269d0b62000000008a473044022039bc13cb7fe565ff2e14b16fbc4a9facd36b25a435d2f49de4534463212aeaee022076413c7591385cd813df37d8104dd8110745c28178cef829b5ab3e56b7c30d22014104d34775baab521d7ba2bd43997312d5f663633484ae1a4d84246866b7088297715a049e2288ae16f168809d36e2da1162f03412bf23aa5f949f235eb2e7141783ffffffff03207e7500000000001976a9149bc0bbdd3024da4d0c38ed1aecf5c68dd1d3fa1288ac0000000000000000126a6e879169907c9087086e879169907c908740420f000000000017a914fe441065b6532231de2fac563152205ec4f59c7487000000000100000001f18cda90bbbcfb031c65ceda17c82dc046c7db0b96242ba4c5b53c411d8c056e020000000c510181086e879169907c9087ffffffff01a0bb0d00000000001976a9149bc0bbdd3024da4d0c38ed1aecf5c68dd1d3fa1288ac00000000Specifically with the scriptSig: 1 -1 6e879169907c9087Notes:1) We advise mining the block in which you collect your bounty yourself; scriptSigs satisfying the above scriptPubKeys do not cryptographically sign the transaction's outputs. If the bounty value is sufficiently large other miners may find it profitable to reorganize the chain to kill your block and collect the reward themselves. This is particularly profitable for larger, centralized, mining pools.2) Note that the value of your SHA256, RIPEMD160, RIPEMD160(SHA256()) or SHA256^2 bounty may be diminished by the act of collecting it.3) Due to limitations of the Bitcoin scripting language bounties can only be collected with solutions using messages less than 521 bytes in size.4) "When Will We See Collisions for SHA-1?" - Bruce Schneier -https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html BTC: 1FCYd7j4CThTMzts78rh6iQJLBRGPW9fWv PGP: 7FAB114267E4FA04

AWARD-WINNING

CASINO CRYPTO EXCLUSIVE

CLUBHOUSE 1500+

GAMES 2 MIN

CASH-OUTS 24/7

SUPPORT 100s OF

FREE SPINS PLAY NOW vertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here. Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal inyour jurisdiction

TierNolan



Offline



Activity: 1232

Merit: 1006







LegendaryActivity: 1232Merit: 1006 Re: REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and other September 13, 2013, 02:11:34 PM #10 Quote from: cypherdoc on September 13, 2013, 01:27:27 PM What are those and how do they compare to what we have today?



The standard transaction is "This coin can be spent by someone who signs the transaction with the private key that matches a public key that hashes to <hash>".



To spend that, you need to provide the public key and then sign it. Even if the signature algorithm was broken, those coins couldn't be spent, since the attacker wouldn't know the public key. This is one of the reasons why re-using addresses is a bad idea. Once you spend money from the address, you give away the public key.



The original transactions were "This coin can be spent by someone who signs the transactions with the private key that matches <some public key>". If the signature algorithm is broken, then those coins can be spent by the attacker, since he would know the public key.



The updated system requires the hashing function and the signing algorithm to be broken at around the same time. The standard transaction is "This coin can be spent by someone who signs the transaction with the private key that matches a public key that hashes to ".To spend that, you need to provide the public key and then sign it. Even if the signature algorithm was broken, those coins couldn't be spent, since the attacker wouldn't know the public key. This is one of the reasons why re-using addresses is a bad idea. Once you spend money from the address, you give away the public key.The original transactions were "This coin can be spent by someone who signs the transactions with the private key that matches ". If the signature algorithm is broken, then those coins can be spent by the attacker, since he would know the public key.The updated system requires the hashing function and the signing algorithm to be broken at around the same time. 1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF

cypherdoc



Offline



Activity: 1764

Merit: 1002









LegendaryActivity: 1764Merit: 1002 Re: REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and other September 13, 2013, 02:22:37 PM

Last edit: September 13, 2013, 02:37:37 PM by cypherdoc #11 Quote from: TierNolan on September 13, 2013, 02:11:34 PM Quote from: cypherdoc on September 13, 2013, 01:27:27 PM What are those and how do they compare to what we have today?



The standard transaction is "This coin can be spent by someone who signs the transaction with the private key that matches a public key that hashes to <hash>".



To spend that, you need to provide the public key and then sign it. Even if the signature algorithm was broken, those coins couldn't be spent, since the attacker wouldn't know the public key. This is one of the reasons why re-using addresses is a bad idea. Once you spend money from the address, you give away the public key.



The original transactions were "This coin can be spent by someone who signs the transactions with the private key that matches <some public key>". If the signature algorithm is broken, then those coins can be spent by the attacker, since he would know the public key.



The updated system requires the hashing function and the signing algorithm to be broken at around the same time.

The standard transaction is "This coin can be spent by someone who signs the transaction with the private key that matches a public key that hashes to ".To spend that, you need to provide the public key and then sign it. Even if the signature algorithm was broken, those coins couldn't be spent, since the attacker wouldn't know the public key. This is one of the reasons why re-using addresses is a bad idea. Once you spend money from the address, you give away the public key.The original transactions were "This coin can be spent by someone who signs the transactions with the private key that matches ". If the signature algorithm is broken, then those coins can be spent by the attacker, since he would know the public key.The updated system requires the hashing function and the signing algorithm to be broken at around the same time.

interesting. i never knew that the original Bitcoin didn't involve Hash160's.



but doesn't this get back to the point i was making to you that pubkeys are in fact more moderately protected by unspent addresses, ie Hash160's, of those pubkeys?



furthermore, my original point was i'd love to see Peter erect a scripting challenge to hack an ECDSA-related problem that Schnier so blatantly highlighted. interesting. i never knew that the original Bitcoin didn't involve Hash160's.but doesn't this get back to the point i was making to you that pubkeys are in fact more moderately protected by unspent addresses, ie Hash160's, of those pubkeys?furthermore, my original point was i'd love to see Peter erect a scripting challenge to hack an ECDSA-related problem that Schnier so blatantly highlighted.

gmaxwell

Legendary





Offline



Activity: 3178

Merit: 4298









ModeratorLegendaryActivity: 3178Merit: 4298 Re: REWARD offered for hash collisions for SHA1, SHA256, RIPEMD160 and other September 13, 2013, 04:45:12 PM #13 Quote from: cypherdoc on September 13, 2013, 11:33:02 AM Not to take away from Peters wonderful challenge to the world but shouldn't this have been better directed at the ECDSA weaknesses implied by Schnier assuming of course this was his motivation for posting this?

I don't believe there is a way to construct such a thing beyond all the coins which are pay to pubkey (e.g. early unspent blocks) and all the coins which are assigned to addresses which have spent before so the pubkey is known.



I'm not sure if anyone has identified any known-lost pay to pubkeys which can be redeemed without stealing from someone. Might be good for someone to do that. I don't believe there is a way to construct such a thing beyond all the coins which are pay to pubkey (e.g. early unspent blocks) and all the coins which are assigned to addresses which have spent before so the pubkey is known.I'm not sure if anyone has identified any known-lost pay to pubkeys which can be redeemed without stealing from someone. Might be good for someone to do that.