|
|
|
|
@ -944,21 +944,21 @@ Legacy addresses were supplanted by the bech32 family of ((("redemption scripts"
|
|
|
|
|
[[p2sh_collision_attacks]]
|
|
|
|
|
.P2SH Collision Attacks
|
|
|
|
|
****
|
|
|
|
|
All addresses based on hash functions are theoretically vulnerable to an
|
|
|
|
|
All addresses ((("collision attacks", id="collision")))based on hash functions are theoretically vulnerable to an
|
|
|
|
|
attacker independently finding the same input that produced the hash
|
|
|
|
|
function output (commitment). In the case of Bitcoin, if they find the
|
|
|
|
|
input the same way the original user did, they'll know the user's private
|
|
|
|
|
key and be able to spend that user's bitcoins. The chance of an attacker
|
|
|
|
|
independently generating the input for an existing commitment is
|
|
|
|
|
proportional to the strength of the hash algorithm. For a secure
|
|
|
|
|
160-bit algorithm like HASH160, the probability is 1-in-2^160^. This is
|
|
|
|
|
160-bit algorithm like HASH160, the probability is 1-in-2^160^. This ((("preimage attacks")))is
|
|
|
|
|
a _preimage attack_.
|
|
|
|
|
|
|
|
|
|
An attacker can also try to generate two different inputs (e.g., redeem
|
|
|
|
|
scripts) that produce the same commitment. For addresses created
|
|
|
|
|
entirely by a single party, the chance of an attacker generating a
|
|
|
|
|
different input for an existing commitment is also about 1-in-2^160^ for
|
|
|
|
|
the HASH160 algorithm. This is a _second preimage attack_.
|
|
|
|
|
the HASH160 algorithm. This is((("second preimage attacks"))) a _second preimage attack_.
|
|
|
|
|
|
|
|
|
|
However, this changes when an attacker is able to influence the original input
|
|
|
|
|
value. For example, an attacker participates in the creation of a
|
|
|
|
|
@ -994,7 +994,7 @@ Bitcoin miners about 32 billion years.
|
|
|
|
|
|
|
|
|
|
Although we do not believe there is any immediate threat to anyone
|
|
|
|
|
creating new P2SH addresses, we recommend all new wallets use newer
|
|
|
|
|
types of addresses to eliminate address collision attacks((("public key cryptography", "hash functions and", startref="pub-key-hash2")))((("hash functions", "Bitcoin payments and", startref="hash-payment2")))((("payments", "with hash functions", secondary-sortas="hash functions", startref="payment-hash2")))((("P2SH (pay to script hash)", startref="p2sh"))) as a concern.
|
|
|
|
|
types of addresses to eliminate address collision attacks((("public key cryptography", "hash functions and", startref="pub-key-hash2")))((("hash functions", "Bitcoin payments and", startref="hash-payment2")))((("payments", "with hash functions", secondary-sortas="hash functions", startref="payment-hash2")))((("P2SH (pay to script hash)", startref="p2sh")))((("collision attacks", startref="collision"))) as a concern.
|
|
|
|
|
****
|
|
|
|
|
|
|
|
|
|
=== Bech32 Addresses
|
|
|
|
|
|
clenser
7 months ago