Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Announcements (Altcoins)
Re: [ANN][DRK] DarkCoin | First Anonymous Coin | First X11 | First DGW | ASIC Resistant
by
baddw
on 28/05/2014, 22:55:57 UTC
Quote from: phzi on May 28, 2014, 10:37:20 PM
Quote from: baddw on May 28, 2014, 10:28:36 PM
Your example falls apart if the algorithm ordering is crc32(sha256(input)).
Not quite. A collision found part way thru the stack still allows you to generate collisions across the entire stack, because you can skip the inner-most steps.

e.g. if we have
crc32(sha256(y)) = crc32(someValue)

if crc32(someValue) collides with crc32(anotherValue), then there is essentially a full stack collision, because you can literally ignore the innermost sha256() function when generating your X11() collisions.

This is partly related to the nature of using a hashing algorithm for PoW - it's unnecessary to have a collision attack at the inputs, only somewhere along the hashing chain before the output.

Of course, this is all mainly about future-proofing - but in the long-term, I think this may end up being highly significant.

But in PoW, the hash is the proof of the block, and the block is the proof of the hash.  You can publish collided hashes all you want, but if there is not a valid input block which produces that hash, you will not be able to attack the network.  You can't "skip the inner-most steps" if you want to do anything meaningful.

In your sha256(crc32()) example, you used "plumless" and "buckaroo" for inputs.  Say these are blocks, and say that the specification of the coin requires that all blocks start with "p".  Therefore "plumless" meets the qualifications for a block but "buckaroo" does not. Then your collision is meaningless for attacking the coin unless you can find another collision with an input starting with "p".

Given that raw coin blocks have many bytes of plaintext in them, which MUST be formatted correctly; and that they contain many transactions within them, which are themselves self-proving with hashes and signatures; (therefore changing 1 byte in the transaction will result in the transaction hash not being valid, so changing the 1 byte in the transaction will result in an entirely new transaction hash, and the output would have to include both in your collision); even with a pretty well busted algorithm, the likelihood of finding another valid block which matches the hash must be vanishingly small.