arno/bitcoinbook
1
0
Fork 0
mirror of https://github.com/bitcoinbook/bitcoinbook synced 2025-01-25 15:11:03 +00:00
Code Issues Releases Wiki Activity

CH04::P2SH: describe collision attacks

Browse Source 
This will be important for describing why RIPEMD160 isn't used for
segwit.
This commit is contained in:
David A. Harding 2023-02-08 12:07:48 -10:00
parent 206ee88a26
commit 9de657b887
1 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
ch04.asciidoc
View File

@ -1029,7 +1029,56 @@ are only used in
https://transactionfee.info/charts/payments-spending-segwit/[about 10% of transactions]. https://transactionfee.info/charts/payments-spending-segwit/[about 10% of transactions].
Legacy addresses were supplanted by the bech32 family of addresses. Legacy addresses were supplanted by the bech32 family of addresses.
//FIXME: collision attacks [[p2sh_collision_attacks]]
.P2SH collision attacks
[WARNING]
====
All addresses based on hash functions are theoretically vulnerable to an
attacker finding two different inputs (e.g. redeemScripts) that produce
the same hash function output (commitment). For addresses created
entirely by a single party, the chance of an attacker generating a
different input for an existing commitment is proportional to the
strength of the hash algorithm. For a secure 160-bit algorithm like
HASH160, the probability is 1-in-2^160^. This is a _second pre-image
attack_.
However, this changes when an attacker is able to influence the input
value. For example, an attacker participates in the creation of a
multisignature script where the attacker doesn't need to submit his
public key until after he learns all of the other party's public keys.
In that case, the strength of hash algorithm is reduced to its square
root. For HASH160, the probability becomes 1-in-2^80^. This is a
_collision attack_.
// bits80=$( echo '2^80' | bc )
// seconds_per_hour="$(( 60 * 60))"
// bitcoin-cli getmininginfo | jq "(.networkhashps / $bits80 * $seconds_per_hour)"
// 0.8899382363032076
To put those numbers in context, as of early 2023, all Bitcoin miners
combined execute about 2^80^ hash functions every hour. They run a
different hash function than HASH160, so their existing hardware can't
create collision attacks for it, but the existence of the Bitcoin
network proves that collision attacks against 160-bit functions like
HASH160 are practical. Bitcoin miners have spent the equivalent of
billions of US dollars on special hardware, so creating a collision
attack wouldn't be cheap, but there are organizations which expect to
receive billions of dollars in bitcoins to addresses generated by
processes involving multiple parties, which could make the attack
profitable.
There are well established cryptographic protocols for preventing
collision attacks but a simple solution which doesn't require any
special knowledge on the part of wallet developers is to simply use
a stronger hash function. Later upgrades to Bitcoin made that possible
and newer Bitcoin addresses provide at least 128 bits of collision
resistance--a number of hash operations that would require all current
Bitcoin miners about about 50 billion years to perform.
Although we do not believe there is any immediate threat to anyone
creating new P2SH addresses, we recommend all new wallets use newer
types of addresses to eliminate address collision attacks as a concern.
====
=== Bech32 addresses === Bech32 addresses