Author: Gavin Andresen 2016-01-07 23:39:58
Published on: 2016-01-07T23:39:58+00:00
The discussion revolves around the security of SHA256(SHA256) over RIPEMD160(SHA256) and the implementation of segwitness. The difference in security between SHA256(SHA256) and RIPEMD160(SHA256) is considered negligible, with the risk of implementation errors caused by multiple ways of interpreting the segwitness hash in scriptPubKey being much greater. It is suggested that wallets should be coded to mitigate the risk of collision attacks, and a single 20-byte segwitness in scriptPubKey would be the best design from a security point of view. The capacity increase of smaller scriptPubKeys is also a factor to consider. In response to Gavin Andresen's question about the potential vulnerability of nested hash construction RIPEMD160(SHA256()), concerns are raised about targeted collision attacks and length extension attacks. Cascading the same hash function twice is shown to be weaker than using HMAC. While RIPEMD160(SHA256()) may be better than RIPEMD160(), security should not rest on the assumption that an attacker requires a large amount of memory. Links to relevant research papers are provided.
Updated on: 2023-06-11T02:58:32.785716+00:00