|
|
|
@ -887,7 +887,7 @@ Then they'll replace it on the stack with its deserialized value:
|
|
|
|
|
The script is executed and, if it passes and all of the other
|
|
|
|
|
transaction details are correct, the transaction is valid.
|
|
|
|
|
|
|
|
|
|
Addresses for Pay-to-Script-Hash (P2SH) are also created with
|
|
|
|
|
Addresses for P2SH are also created with
|
|
|
|
|
base58check. The version prefix is set to 5, which results in an
|
|
|
|
|
encoded address starting with a +3+. An example of a P2SH address is
|
|
|
|
|
+3F6i6kwkevjR7AsAd4te2YB2zZyASEm1HM+.
|
|
|
|
@ -906,7 +906,7 @@ common over time.
|
|
|
|
|
Legacy addresses were supplanted by the bech32 family of addresses.
|
|
|
|
|
|
|
|
|
|
[[p2sh_collision_attacks]]
|
|
|
|
|
.P2SH collision attacks
|
|
|
|
|
.P2SH Collision Attacks
|
|
|
|
|
****
|
|
|
|
|
All addresses based on hash functions are theoretically vulnerable to an
|
|
|
|
|
attacker independently finding the same input that produced the hash
|
|
|
|
@ -916,18 +916,17 @@ key and be able to spend that user's bitcoins. The chance of an attacker
|
|
|
|
|
independently generating the input for an existing commitment is
|
|
|
|
|
proportional to the strength of the hash algorithm. For a secure
|
|
|
|
|
160-bit algorithm like HASH160, the probability is 1-in-2^160^. This is
|
|
|
|
|
a _pre-image attack_.
|
|
|
|
|
a _preimage attack_.
|
|
|
|
|
|
|
|
|
|
An attacker can also try to generate two different inputs (e.g. redeem
|
|
|
|
|
An attacker can also try to generate two different inputs (e.g., redeem
|
|
|
|
|
scripts) that produce the same commitment. For addresses created
|
|
|
|
|
entirely by a single party, the chance of an attacker generating a
|
|
|
|
|
different input for an existing commitment is also about 1-in-2^160^ for
|
|
|
|
|
the HASH160 algoritm. This is a _second pre-image attack_.
|
|
|
|
|
the HASH160 algorithm. This is a _second preimage attack_.
|
|
|
|
|
|
|
|
|
|
However, this changes when an attacker is able to influence the original input
|
|
|
|
|
value. For example, an attacker participates in the creation of a
|
|
|
|
|
multisignature script where the attacker doesn't need to submit his
|
|
|
|
|
public key until after he learns all of the other party's public keys.
|
|
|
|
|
multisignature script where tthey don't need to submit their public key until after he learns all of the other party's public keys.
|
|
|
|
|
In that case, the strength of hash algorithm is reduced to its square
|
|
|
|
|
root. For HASH160, the probability becomes 1-in-2^80^. This is a
|
|
|
|
|
_collision attack_.
|
|
|
|
|