Author: Peter Todd 2017-02-25 20:57:06
Published on: 2017-02-25T20:57:06+00:00
In a discussion on the bitcoin-dev mailing list, Ethan Heilman argues that SHA-1 is insecure because the algorithm itself is flawed and not because 160 bits is not enough for collision resistance. Peter Todd agrees that P2SH's 160-bit security level is sufficient against preimage attacks but acknowledges that it is insufficient in certain use-cases such as multisig. Watson Ladd points out that P2SH is not secure against collision and that one could write two scripts with the same hash, one of which is an escrow script and the other which pays it to themself, have someone pay to the escrow script, and then get the payment. Todd responds that any use-case where multiple people are creating a P2SH redeemScript collaboratively is potentially vulnerable, but use-cases where the redeemScript was created by a single-party are not vulnerable as that party has complete control over whether or not collisions are possible. Todd also suggests commit-reveal techniques can mitigate the vulnerability, but the long-term solution is to use a 256-bit digest size, as segwit does.
Updated on: 2023-06-11T21:47:25.365842+00:00