Author: Gavin Andresen 2016-01-07 19:02:05
Published on: 2016-01-07T19:02:05+00:00
Gavin Andresen, a developer and former lead maintainer of Bitcoin, raised a concern about the tradeoff between security and efficiency in the context of the segregated witness (segwit) BIP. The proposal suggested reducing the size of the signature by using SHA256(RIPEMD160()) as the hash function. However, Pieter argued that this could open the door to collision attacks, in which an attacker creates two scripts with identical hashes, only one of which transfers the intended payment. Gavin countered that contract wallets can protect against such attacks, that the attack is unlikely to be a problem in practice and trivial to protect against, and that this does not justify adding an extra 12 bytes to every segwit. He further questioned whether there is any need to worry about collision attacks against RIPEMD160 today: a successful brute-force collision attack would require on the order of 2^80 CPU work and storage, which is infeasible with current technology. Even assuming storage capacity doubles every year, it would take four decades before an attacker could hold the entire world's storage and mount such a collision attack. In conclusion, while reducing the size of the signature can result in significant savings, it may not be worth compromising security. Therefore, protecting against possible attacks should be a priority even if they seem unlikely to happen.
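The feasibility argument above rests on the birthday bound (about 2^(n/2) evaluations to collide an n-bit hash) and on how fast storage would have to grow to hold that many digests. The following is an added example, not code from the thread or from Bitcoin, that works those figures through for the 160-bit and 256-bit digest sizes under discussion; the starting world-storage capacity used in the demo is a labelled placeholder, since the page does not give one.

```python
import math

# Digest sizes compared in the thread: a full SHA256 script hash versus the
# 160-bit RIPEMD160-based hash proposed to save space.
SHA256_BYTES = 32
RIPEMD160_BYTES = 20


def birthday_bound_bits(digest_bits: int) -> int:
    """Exponent of the generic collision cost: ~2^(n/2) hash evaluations
    for an n-bit digest (birthday paradox). 160 bits -> 2^80, 256 -> 2^128."""
    return digest_bits // 2


def collision_storage_bytes(digest_bits: int) -> int:
    """Bytes needed to store every digest of a naive birthday search:
    2^(n/2) entries of n/8 bytes each. (Memoryless cycle-finding methods
    trade this storage for extra computation; they are not modelled here.)"""
    return (1 << birthday_bound_bits(digest_bits)) * (digest_bits // 8)


def years_until_feasible(needed_bytes: float, capacity_bytes: float,
                         doubling_years: float = 1.0) -> float:
    """Years until capacity reaches needed_bytes if it doubles every
    doubling_years. This is the 'storage doubles every year' argument."""
    if capacity_bytes >= needed_bytes:
        return 0.0
    return math.log2(needed_bytes / capacity_bytes) * doubling_years


def bytes_saved_per_output() -> int:
    """Per-output saving from the shorter hash (the 12 bytes in the thread)."""
    return SHA256_BYTES - RIPEMD160_BYTES


if __name__ == "__main__":
    for bits in (160, 256):
        print(f"{bits}-bit digest: ~2^{birthday_bound_bits(bits)} work, "
              f"{collision_storage_bytes(bits):.3e} bytes of storage")
    # Placeholder starting capacity (assumption for the demo, not from the page).
    ASSUMED_WORLD_STORAGE_BYTES = 1e21
    yrs = years_until_feasible(collision_storage_bytes(160), ASSUMED_WORLD_STORAGE_BYTES)
    print(f"years of yearly doubling from the placeholder capacity: {yrs:.1f}")
    print(f"bytes saved per output by the 160-bit hash: {bytes_saved_per_output()}")
```

Doubling the digest length from 160 to 256 bits squares the collision work (2^80 to 2^128), which is the security side of the 12-byte tradeoff.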
Updated on: 2023-06-11T02:59:44.248437+00:00