mirror of
https://github.com/bitcoinbook/bitcoinbook
synced 2025-01-10 15:51:04 +00:00
CH04::P2SH: describe collision attacks
This will be important for describing why RIPEMD160 isn't used for segwit.
This commit is contained in:
David A. Harding
parent
206ee88a26
commit
9de657b887
@ -1029,7 +1029,56 @@ are only used in
|
||||
https://transactionfee.info/charts/payments-spending-segwit/[about 10% of transactions].
|
||||
Legacy addresses were supplanted by the bech32 family of addresses.
|
||||
|
||||
//FIXME: collision attacks
|
||||
[[p2sh_collision_attacks]]
|
||||
.P2SH collision attacks
|
||||
[WARNING]
|
||||
====
|
||||
All addresses based on hash functions are theoretically vulnerable to an
|
||||
attacker finding two different inputs (e.g. redeemScripts) that produce
|
||||
the same hash function output (commitment). For addresses created
|
||||
entirely by a single party, the chance of an attacker generating a
|
||||
different input for an existing commitment is proportional to the
|
||||
strength of the hash algorithm. For a secure 160-bit algorithm like
|
||||
HASH160, the probability is 1-in-2^160^. This is a _second pre-image
|
||||
attack_.
|
||||
|
||||
However, this changes when an attacker is able to influence the input
|
||||
value. For example, an attacker participates in the creation of a
|
||||
multisignature script where the attacker doesn't need to submit his
|
||||
public key until after he learns all of the other party's public keys.
|
||||
In that case, the strength of hash algorithm is reduced to its square
|
||||
root. For HASH160, the probability becomes 1-in-2^80^. This is a
|
||||
_collision attack_.
|
||||
|
||||
// bits80=$( echo '2^80' | bc )
|
||||
// seconds_per_hour="$(( 60 * 60))"
|
||||
// bitcoin-cli getmininginfo | jq "(.networkhashps / $bits80 * $seconds_per_hour)"
|
||||
// 0.8899382363032076
|
||||
|
||||
To put those numbers in context, as of early 2023, all Bitcoin miners
|
||||
combined execute about 2^80^ hash functions every hour. They run a
|
||||
different hash function than HASH160, so their existing hardware can't
|
||||
create collision attacks for it, but the existence of the Bitcoin
|
||||
network proves that collision attacks against 160-bit functions like
|
||||
HASH160 are practical. Bitcoin miners have spent the equivalent of
|
||||
billions of US dollars on special hardware, so creating a collision
|
||||
attack wouldn't be cheap, but there are organizations which expect to
|
||||
receive billions of dollars in bitcoins to addresses generated by
|
||||
processes involving multiple parties, which could make the attack
|
||||
profitable.
|
||||
|
||||
There are well established cryptographic protocols for preventing
|
||||
collision attacks but a simple solution which doesn't require any
|
||||
special knowledge on the part of wallet developers is to simply use
|
||||
a stronger hash function. Later upgrades to Bitcoin made that possible
|
||||
and newer Bitcoin addresses provide at least 128 bits of collision
|
||||
resistance--a number of hash operations that would require all current
|
||||
Bitcoin miners about about 50 billion years to perform.
|
||||
|
||||
Although we do not believe there is any immediate threat to anyone
|
||||
creating new P2SH addresses, we recommend all new wallets use newer
|
||||
types of addresses to eliminate address collision attacks as a concern.
|
||||
====
|
||||
|
||||
=== Bech32 addresses
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user