Author: Matt Corallo 2016-01-07 19:13:22
Published on: 2016-01-07T19:13:22+00:00
The question of whether 80-bit collision resistance is something to be worried about in RIPEMD160 has been raised. While collisions only take 2**80 work theoretically, hash functions are never perfect and collision resistance is almost always the first thing that goes for them. Furthermore, it often gets easier to break long before anyone is truly worried about the security of the hash function. Matt warns that he would never assume RIPEMD160's collision resistance is 2**80 and would not wager a significant amount of money on it remaining true for five years.Gavin Andresen suggests using RIPEMD160(SHA256()) as the hash function and saving the 12 bytes. However, Pieter argues that this leaves the system vulnerable to an attacker constructing scripts with identical hashes and stealing coins. Gavin responds by saying that contract wallets can easily protect against collision attacks by refusing to accept certain scripts or recognizing them as pay-to-gavin transactions. He believes adding an extra 12 bytes to every segwit to prevent an attack that takes 2^80 computation and 2^80 storage is unlikely to be a problem in practice and is a wrong tradeoff.The general question raised on the bitcoin-dev mailing list is whether we should be worried today about collision attacks against RIPEMD160. While mounting a successful brute-force collision attack would require at least O(2^80) CPU, which is feasible, it also requires O(2^80) storage, which is utterly infeasible. Even assuming doubling every single year, we are still four decades away from an attacker with the entire world's storage capacity being able to mount a collision attack.
Updated on: 2023-05-19T23:02:14.971006+00:00