[148616] in cryptography@c2.net mail archive
Re: [Cryptography] BitCoin Question - This may not be the best
daemon@ATHENA.MIT.EDU (CodesInChaos)
Mon Dec 23 10:29:08 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAB==r-DQw4aeLpub9Gkd8u+v27JA1ihtF2KdjhEDLQgMeG_nhA@mail.gmail.com>
Date: Mon, 23 Dec 2013 16:05:25 +0100
From: CodesInChaos <codesinchaos@gmail.com>
To: Robert Christian <robertjchristian@gmail.com>
Cc: cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Collisions in bitcoin addresses don't matter. An attacker doesn't gain
anything from generating two private keys mapping to the same address.
They need to match an address currently owned by somebody *else* that
contains a non negligible amount of money. This is a variant
of a multi-target second pre-image attack.
For example if there are 4 billion addresses with non negligible money
in them in use at the same time (currently there are much fewer),
an attacker will need to generate 2^160/(4 billion) = 2^128 key-pairs
to match steal a single one of them. This is too expensive for current
computers.
Or a different way of looking at it: For 2^160 work, an attacker gains
the total value of bitcoins, something like 20 billion USD for now.
This means that they
gain 1 USD for every 2^125 key-pairs they generate. The cost of this
attack *vastly* exceeds the gain.
In general bitcoin has been designed for a 128 bit security level:
* Where collisions are threatening, use 256 bit hashes => 2^128 attack cost
* Where collisions are irrelevant, but multi-target second-pre-images
are a threat, use 160 bits, which for 4 billion targets results in a
2^128 bit security level
* 256 bit ECC which can be broken with 2^128 effort.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
