|
|
|
|
@ -1029,7 +1029,56 @@ are only used in
|
|
|
|
|
https://transactionfee.info/charts/payments-spending-segwit/[about 10% of transactions].
|
|
|
|
|
Legacy addresses were supplanted by the bech32 family of addresses.
|
|
|
|
|
|
|
|
|
|
//FIXME: collision attacks
|
|
|
|
|
[[p2sh_collision_attacks]]
|
|
|
|
|
.P2SH collision attacks
|
|
|
|
|
[WARNING]
|
|
|
|
|
====
|
|
|
|
|
All addresses based on hash functions are theoretically vulnerable to an
|
|
|
|
|
attacker finding two different inputs (e.g. redeemScripts) that produce
|
|
|
|
|
the same hash function output (commitment). For addresses created
|
|
|
|
|
entirely by a single party, the chance of an attacker generating a
|
|
|
|
|
different input for an existing commitment is proportional to the
|
|
|
|
|
strength of the hash algorithm. For a secure 160-bit algorithm like
|
|
|
|
|
HASH160, the probability is 1-in-2^160^. This is a _second pre-image
|
|
|
|
|
attack_.
|
|
|
|
|
|
|
|
|
|
However, this changes when an attacker is able to influence the input
|
|
|
|
|
value. For example, an attacker participates in the creation of a
|
|
|
|
|
multisignature script where the attacker doesn't need to submit his
|
|
|
|
|
public key until after he learns all of the other party's public keys.
|
|
|
|
|
In that case, the strength of hash algorithm is reduced to its square
|
|
|
|
|
root. For HASH160, the probability becomes 1-in-2^80^. This is a
|
|
|
|
|
_collision attack_.
|
|
|
|
|
|
|
|
|
|
// bits80=$( echo '2^80' | bc )
|
|
|
|
|
// seconds_per_hour="$(( 60 * 60))"
|
|
|
|
|
// bitcoin-cli getmininginfo | jq "(.networkhashps / $bits80 * $seconds_per_hour)"
|
|
|
|
|
// 0.8899382363032076
|
|
|
|
|
|
|
|
|
|
To put those numbers in context, as of early 2023, all Bitcoin miners
|
|
|
|
|
combined execute about 2^80^ hash functions every hour. They run a
|
|
|
|
|
different hash function than HASH160, so their existing hardware can't
|
|
|
|
|
create collision attacks for it, but the existence of the Bitcoin
|
|
|
|
|
network proves that collision attacks against 160-bit functions like
|
|
|
|
|
HASH160 are practical. Bitcoin miners have spent the equivalent of
|
|
|
|
|
billions of US dollars on special hardware, so creating a collision
|
|
|
|
|
attack wouldn't be cheap, but there are organizations which expect to
|
|
|
|
|
receive billions of dollars in bitcoins to addresses generated by
|
|
|
|
|
processes involving multiple parties, which could make the attack
|
|
|
|
|
profitable.
|
|
|
|
|
|
|
|
|
|
There are well established cryptographic protocols for preventing
|
|
|
|
|
collision attacks but a simple solution which doesn't require any
|
|
|
|
|
special knowledge on the part of wallet developers is to simply use
|
|
|
|
|
a stronger hash function. Later upgrades to Bitcoin made that possible
|
|
|
|
|
and newer Bitcoin addresses provide at least 128 bits of collision
|
|
|
|
|
resistance--a number of hash operations that would require all current
|
|
|
|
|
Bitcoin miners about about 50 billion years to perform.
|
|
|
|
|
|
|
|
|
|
Although we do not believe there is any immediate threat to anyone
|
|
|
|
|
creating new P2SH addresses, we recommend all new wallets use newer
|
|
|
|
|
types of addresses to eliminate address collision attacks as a concern.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
=== Bech32 addresses
|
|
|
|
|
|
|
|
|
|
|
David A. Harding
1 year ago