Author: Adam Back 2016-01-07 19:19:42
Published on: 2016-01-07T19:19:42+00:00
In a discussion on the bitcoin-dev mailing list, Gavin Andresen suggested using RIPEMD160(SHA256()) as the hash function for segregated witness transactions, arguing it is unlikely a preimage attack against that would happen before everyone is dead. However, Pieter Wuille responded by saying the problem with using a hash function with only 80 bits of collision-resistance is that an attacker could use a collision attack to construct scripts with identical hashes and steal coins. They argued for collision security and said that even normal pubkey hashes couldn't be constructed to pay to you. Andresen dismissed this and suggested that contract wallets could easily protect against collision attacks by refusing certain types of scripts or looking for specific proof of private keys. He also argued that adding an extra 12 bytes to every segwit transaction to prevent such an attack is unlikely to be a problem in practice and is trivial to protect against. Saving almost 40% by using RIPEMD160(SHA256()) instead of the usual 32-byte hash remains significant. The question raised was whether we should be worried about collision attacks against RIPEMD160 today. While a successful brute-force collision attack may require at least O(2^80) CPU, which is feasible, it also requires O(2^80) storage, which is infeasible, even assuming doubling every single year.
Updated on: 2023-06-11T03:00:43.670690+00:00