Gavin Andresen [ARCHIVE] on Nostr: š Original date posted:2012-02-20 š Original message:RE: > base58-encode: ...
š
Original date posted:2012-02-20
š Original message:RE:
> base58-encode: [one-byte network ID][20-byte hash][one-byte address
class][3-byte checksum]
How will the code distinguish between the old scheme:
[one-byte-version][20-byte-hash][4-byte-checksum]
and the new?
1 in 256 old addresses will have a first-byte-of-checksum that matches the
new address class; I guess the code would do something like:
a) If the 4-byte checksum matches, then assume it is a singlesig address (1
in 2^32 multisig addresses will incorrectly match)
b) If the one-byte-address-class and 3-byte checksum match, then it is a
valid p2sh
c) Otherwise, invalid address
The 1 in 2^32 multisig addresses also being valid singlesig addresses makes
me think this scheme won't work-- an attacker willing to generate 8 billion
or so ECDSA keys could generate a single/multisig collision. I'm not sure
how that could be leveraged to their advantage, but I bet they'd find a way.
RE: should it be a BIP: The BIP process is described in BIP
0001<https://en.bitcoin.it/wiki/BIP_0001#BIP_Work_Flow>;,
and you're following it perfectly so far:
1) Post a rough draft of the idea here to see if there's any chance it'll
be adopted
2) Assuming a positive response and no major flaws: write up a draft BIP
3) Post the draft BIP here, where it can be picked apart.
4) Assuming no major flaws, ask the BIP editor (Amir) for a BIP number
I'd also encourage you to actually implement your idea between steps 3 and
4. But in this particular case, I think an attacker being able to create
singlesig/p2sh address collisions counts as a major flaw.
--
--
Gavin Andresen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20120220/6f1b9f1d/attachment.html>;
š Original message:RE:
> base58-encode: [one-byte network ID][20-byte hash][one-byte address
class][3-byte checksum]
How will the code distinguish between the old scheme:
[one-byte-version][20-byte-hash][4-byte-checksum]
and the new?
1 in 256 old addresses will have a first-byte-of-checksum that matches the
new address class; I guess the code would do something like:
a) If the 4-byte checksum matches, then assume it is a singlesig address (1
in 2^32 multisig addresses will incorrectly match)
b) If the one-byte-address-class and 3-byte checksum match, then it is a
valid p2sh
c) Otherwise, invalid address
The 1 in 2^32 multisig addresses also being valid singlesig addresses makes
me think this scheme won't work-- an attacker willing to generate 8 billion
or so ECDSA keys could generate a single/multisig collision. I'm not sure
how that could be leveraged to their advantage, but I bet they'd find a way.
RE: should it be a BIP: The BIP process is described in BIP
0001<https://en.bitcoin.it/wiki/BIP_0001#BIP_Work_Flow>;,
and you're following it perfectly so far:
1) Post a rough draft of the idea here to see if there's any chance it'll
be adopted
2) Assuming a positive response and no major flaws: write up a draft BIP
3) Post the draft BIP here, where it can be picked apart.
4) Assuming no major flaws, ask the BIP editor (Amir) for a BIP number
I'd also encourage you to actually implement your idea between steps 3 and
4. But in this particular case, I think an attacker being able to create
singlesig/p2sh address collisions counts as a major flaw.
--
--
Gavin Andresen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20120220/6f1b9f1d/attachment.html>;