[Cryptography] BitCoin Question - This may not be the best place to ask
ianG
iang at iang.org
Mon Dec 23 02:06:08 EST 2013
On 23/12/13 05:31 AM, Robert Christian wrote:
> Exactly my point. What's the collision resolution strategy and why
> isn't this a scary proposition?
That is the collision strategy. Consider this: in the old days we used
to use MD5 which was 128 bits long, so a collision could be engineered
in 2^64 bits space. That's now achievable.
So in or around 1996 we mostly (should have) shifted to SHA1 which is
160 bits. That is now scary, and has been scary since 2005 when the
Shandong team of Xiaoyun Wang, Yiqun Lisa Yin, Hongbo Yu found weaknesses.
So people started switching to SHA2 which has 256 bits to 512 bits, and
NIST started a SHA3 competition which is now revealed.
1991    1996    2001       2012
MD5  -> SHA1 -> SHA2    -> Keccak/SHA3
128  -> 160  -> 256-512 -> ...
The collision resolution strategy is (1) use a big enough hash to start
with and (2) have some means of changing it if the cryptanalysis starts
to get dodgy.
That's standard in crypto work. It works. There are even proofs in the
market place that it works -- Verisign used MD5 too long in a CA of
theirs and got hacked. In 2011 or so, various fabricated certs based on
MD5 started appearing.
What Bitcoin's strategy for (2) is I don't know. That's a bit murky
because they haven't got a clear roll-over path built in.
iang
ps; which might become the ultimate test of the concept of One True
Cipher Suite ... also scary!
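An added worked example (not part of ianG's post) of the birthday bound he is relying on: an n-bit hash is expected to yield a collision after roughly 2^(n/2) evaluations, which is why 128-bit MD5 sits at a 2^64 work factor. The function names and the 8-byte random inputs are my own; the search truncates SHA-256 to a small width so a collision appears in well under a second.

```python
import hashlib
import math
import secrets

# Hash families named in the post, queried by name from hashlib.
HASHES = ["md5", "sha1", "sha256", "sha512", "sha3_256"]

def digest_bits(name: str) -> int:
    """Output width in bits of a hashlib algorithm."""
    return hashlib.new(name).digest_size * 8

def generic_collision_work_bits(n_bits: int) -> int:
    """log2 of the birthday-attack cost for an n-bit hash: ~2^(n/2) evaluations."""
    return n_bits // 2

def collision_cost_table() -> dict:
    """Map each hash name to (digest bits, log2 of generic collision cost)."""
    return {h: (digest_bits(h), generic_collision_work_bits(digest_bits(h))) for h in HASHES}

def expected_trials(n_bits: int) -> float:
    """Mean draws until the first repeat among 2^n values: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)

def truncated_digest(data: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its first n_bits bits, standing in for a small hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - n_bits)

def find_collision(n_bits: int):
    """Birthday search: hash fresh random inputs (constructed, 8 bytes each)
    until two distinct inputs share a truncated digest.
    Returns (input_a, input_b, trials_used)."""
    seen = {}
    trials = 0
    while True:
        trials += 1
        msg = secrets.token_bytes(8)
        d = truncated_digest(msg, n_bits)
        if d in seen and seen[d] != msg:
            return seen[d], msg, trials
        seen[d] = msg

if __name__ == "__main__":
    for name, (bits, work) in collision_cost_table().items():
        print(f"{name:8s} {bits:4d} bits -> generic collision ~2^{work}")
    a, b, used = find_collision(24)
    print(f"24-bit collision after {used} trials (expected ~{expected_trials(24):.0f})")
```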