Author: Gavin Andresen 2016-01-08 12:38:50
Published on: 2016-01-08T12:38:50+00:00
In an email conversation between Rusty Russell and Matt Corallo, they discuss whether anything using P2SH would be vulnerable to an attack on RIPEMD160. Russell argues that even if a collision is generated in RIPEMD160, it would not help on its own, because a specific SHA256 hash is needed as the RIPEMD160 preimage. He adds that although a preimage attack would make grinding out the SHA256 preimage easier, the consensus was that if broken MD5 had been used instead of RIPEMD160, Bitcoin would still be secure today because of Satoshi's use of nested hash functions everywhere. Russell opines that, due to Moore's law, we will only need to worry about economically viable attacks in 20 years, but suggests choosing simplicity and having all software scriptPubKeys be "RIPEMD(SHA256(WP))" for now.

They also discuss the specifics of the collision attack, in which an attacker in the middle of establishing a payment channel with somebody generates about 2^81 scripts that are some form of pay-to-attacker. However, they conclude that there is no viable attack unless RIPEMD160 and SHA256 (or the combination) suffer a cryptographic break.
Updated on: 2023-06-11T03:01:03.231466+00:00