From 9de657b887816cf383049f28167c8beae06a2f3c Mon Sep 17 00:00:00 2001 From: "David A. Harding" Date: Wed, 8 Feb 2023 12:07:48 -1000 Subject: [PATCH] CH04::P2SH: describe collision attacks This will be important for describing why RIPEMD160 isn't used for segwit. --- ch04.asciidoc | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/ch04.asciidoc b/ch04.asciidoc index f2cd23ec..0482cc33 100644 --- a/ch04.asciidoc +++ b/ch04.asciidoc 
@@ -1029,7 +1029,56 @@ are only used in https://transactionfee.info/charts/payments-spending-segwit/[about 10% of transactions]. Legacy addresses were supplanted by the bech32 family of addresses. -//FIXME: collision attacks +[[p2sh_collision_attacks]] +.P2SH collision attacks +[WARNING] +==== +All addresses based on hash functions are theoretically vulnerable to an +attacker finding two different inputs (e.g. redeemScripts) that produce +the same hash function output (commitment). For addresses created +entirely by a single party, the chance of an attacker generating a +different input for an existing commitment is proportional to the +strength of the hash algorithm. For a secure 160-bit algorithm like +HASH160, the probability is 1-in-2^160^. This is a _second pre-image +attack_. + +However, this changes when an attacker is able to influence the input +value. For example, an attacker participates in the creation of a +multisignature script where the attacker doesn't need to submit his +public key until after he learns all of the other party's public keys. +In that case, the strength of hash algorithm is reduced to its square +root. For HASH160, the probability becomes 1-in-2^80^. This is a +_collision attack_. + +// bits80=$( echo '2^80' | bc ) +// seconds_per_hour="$(( 60 * 60))" +// bitcoin-cli getmininginfo | jq "(.networkhashps / $bits80 * $seconds_per_hour)" +// 0.8899382363032076 + +To put those numbers in context, as of early 2023, all Bitcoin miners +combined execute about 2^80^ hash functions every hour. They run a +different hash function than HASH160, so their existing hardware can't +create collision attacks for it, but the existence of the Bitcoin +network proves that collision attacks against 160-bit functions like +HASH160 are practical. 
Bitcoin miners have spent the equivalent of +billions of US dollars on special hardware, so creating a collision +attack wouldn't be cheap, but there are organizations which expect to +receive billions of dollars in bitcoins to addresses generated by +processes involving multiple parties, which could make the attack +profitable. + +There are well established cryptographic protocols for preventing +collision attacks but a simple solution which doesn't require any +special knowledge on the part of wallet developers is to simply use +a stronger hash function. Later upgrades to Bitcoin made that possible +and newer Bitcoin addresses provide at least 128 bits of collision +resistance--a number of hash operations that would require all current +Bitcoin miners about about 50 billion years to perform. + +Although we do not believe there is any immediate threat to anyone +creating new P2SH addresses, we recommend all new wallets use newer +types of addresses to eliminate address collision attacks as a concern. +==== === Bech32 addresses
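Review bot: the probabilities in the new admonition state per-attempt odds where the argument needs expected attack cost, and the closing "about 50 billion years" figure does not follow from the 2^80-hashes-per-hour estimate the same admonition gives. "the chance of an attacker generating a different input for an existing commitment is proportional to the strength of the hash algorithm" is inverted (a stronger hash makes that chance smaller); better to say that finding a second preimage for a 160-bit HASH160 commitment is expected to cost about 2^160 hash evaluations. Likewise "the probability becomes 1-in-2^80^" should be phrased as work: by the birthday bound an attacker who controls part of the input (here, the last public key added to the redeemScript) can expect a colliding pair after roughly 2^80 evaluations, and that 2^80 is the number the miner comparison two paragraphs later depends on. "the strength of hash algorithm is reduced to its square root" is missing "the". In the last paragraph, 2^128 / 2^80 = 2^48 hours, which is about 3.2 x 10^10 years, so either say roughly 30 billion years or show the hashrate that produced 50 billion; "about about" is a doubled word. Since the attack as described hinges on the attacker choosing his key after learning everyone else's, consider naming the simple protocol fix the text alludes to with "well established cryptographic protocols" (each party commits to its key, for example by sharing its hash, before any key is revealed), so readers see that the ordering of key exchange, not only the address type, determines exposure.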