Author: Russell O'Connor 2018-01-09 16:20:20
Published on: 2018-01-09T16:20:20+00:00
The Bitcoin developer community is currently discussing the use of a 16-bit "checksum" based on sha2 in relation to cryptocurrencies. Gregory Maxwell argues that using a small checksum like this results in a poor checksum that is likely to accept an errored string due to its low entropy. He suggests using a 20-bit code which guarantees that up to two errored words would always be detected, and probably could choose one which catches three words much more often (sipa's crc tools can help find codes like this). Pavol Rusnak originally wanted to use 16-bit of CRC32 for checksum, but was suggested by Daan Sprenkels to change this for cryptographically strong function. The argument was that CRC32 contains less entropy and mixing high-entropy data (secret) with low-entropy data (checksum) is not ideal. However, this entropy argument seems confused according to Gregory. Every checksum is error correcting, and given a failed checksum, all you have to do is search around the space of edits to find the smallest set edits that yield a valid checksum. With a 2^16 bit checksum one will expect to find a nearby checksum within 2^16 trials, even when using a truncated hash function. What an error-correcting codes gives you isn't the ability to correct errors, which we have seen is something that all short checksums provide, rather they provide guarantees about the ability to detect (and correct) certain common classes of errors.
Updated on: 2023-06-12T23:33:20.995489+00:00