Author: Ethan Heilman 2016-01-07 20:40:03
Published on: 2016-01-07T20:40:03+00:00
At the current Bitcoin network hashrate of 775,464,121 GH/s, the network computes 2^80 hashes every 19 days. For the purposes of segwit's security model, any collision is assumed to be harmful. Storing all 2^80 previously computed hashes would require O(2^80) storage, which is infeasible. Instead, a seed value is hashed repeatedly, about 2^80 times, and the resulting sequence is searched for a cycle; in the worst case this costs about 2^81.5 hash evaluations and requires storing less than a kilobyte.

Gavin Andresen had previously suggested using RIPEMD160(SHA256()) as the hash function to save 12 bytes, since a preimage attack against it is unlikely to happen within anyone's lifetime. Pieter argued, however, that a collision attack could be used in a contract setup to steal coins. Gavin responded that contract wallets could protect against collision attacks, and that adding an extra 12 bytes to every segwit output is unlikely to be a problem in practice.

The general question raised on the bitcoin-dev mailing list was whether there is reason to worry today about collision attacks against RIPEMD160, a 160-bit hash. A brute-force collision attack that stores every computed hash requires at least O(2^80) CPU work, which is feasible, but also O(2^80) storage, which is infeasible. It is estimated that we are four decades away from an attacker with the entire world's storage capacity being able to mount such a collision attack.
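The point of the cycle-finding argument above is that the O(2^80) storage of a naive birthday search is not actually needed: iterating the hash from a seed and detecting a cycle finds a collision with constant memory. The following added example (it is not code from the mailing-list thread or from any Bitcoin implementation) shows Floyd's tortoise-and-hare cycle finding doing exactly that. Because a 160-bit hash cannot be broken on a laptop, it uses SHA-256 truncated to a small, adjustable number of bits as a stand-in; that truncation and the seed strings are assumptions of the example. The work grows as 2^(nbits/2), while the memory stays at a handful of hash values regardless of nbits.

```python
import hashlib


def trunc_hash(data: bytes, nbits: int) -> bytes:
    """SHA-256 truncated to nbits (a multiple of 8).

    Toy stand-in for a short hash such as RIPEMD160(SHA256()); the
    truncation is an assumption of this example so it runs quickly.
    """
    return hashlib.sha256(data).digest()[: nbits // 8]


def find_collision(seed: bytes, nbits: int):
    """Floyd cycle finding on x_{i+1} = H(x_i) starting from seed.

    Returns (x, y, evals) with x != y and H(x) == H(y), plus the number
    of hash evaluations spent, or None if the seed lies on the cycle
    itself (then there is no tail and no collision from this seed).
    Memory use is a constant number of hash values.
    """
    def H(x: bytes) -> bytes:
        return trunc_hash(x, nbits)

    evals = 0
    # Phase 1: the hare moves two steps per tortoise step until they meet
    # somewhere on the cycle.
    tortoise, hare = H(seed), H(H(seed))
    evals += 3
    while tortoise != hare:
        tortoise, hare = H(tortoise), H(H(hare))
        evals += 3

    # Phase 2: restart the tortoise at the seed and move both one step at
    # a time; they meet at the first cycle element. The two values seen
    # just before that meeting point are distinct inputs with equal hashes.
    prev_t = prev_h = None
    tortoise = seed
    while tortoise != hare:
        prev_t, prev_h = tortoise, hare
        tortoise, hare = H(tortoise), H(hare)
        evals += 2

    if prev_t is None:
        return None
    return prev_t, prev_h, evals


def collide(nbits: int, max_seeds: int = 16):
    """Try constructed seeds "seed-0", "seed-1", ... until a collision is found."""
    for i in range(max_seeds):
        result = find_collision(f"seed-{i}".encode(), nbits)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    x, y, evals = collide(24)
    print(f"{x.hex()} and {y.hex()} share trunc_hash {trunc_hash(x, 24).hex()}")
    print(f"hash evaluations: {evals} (about 2^{evals.bit_length() - 1})")
```

Raising `nbits` by 2 roughly doubles the number of evaluations while the memory footprint does not change, which is why the mailing-list estimate for a 160-bit hash is framed purely in terms of 2^80 to 2^81.5 hash computations rather than storage.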
Updated on: 2023-06-11T02:59:56.102808+00:00