📅 Original date posted:2016-01-08
📝 Original message:Matt Corallo <lf-lists at mattcorallo.com> writes:
> Indeed, anything which uses P2SH is obviously vulnerable if there is
> an attack on RIPEMD160 which reduces it's security only marginally.
I don't think this is true? Even if you can generate a collision in
RIPEMD160, that doesn't help you since you need to create a specific
SHA256 hash for the RIPEMD160 preimage.
Even a preimage attack only helps if it leads to more than one preimage
fairly cheaply; that would make grinding out the SHA256 preimage easier.
AFAICT even MD4 isn't this broken.
But just with Moore's law (doubling every 18 months), we'll worry about
economically viable attacks in 20 years.[1]
That's far enough away that I would choose simplicity, and have all SW
scriptPubKeys simply be "<0> RIPEMD(SHA256(WP))" for now, but it's
not a no-brainer.
Cheers,
Rusty.
[1] Assume bitcoin-network-level compute (collision in 19 days) costs
$1B to build today. Assume there will be 100 million dollars a day
in vulnerable txs, and you're on one end of all of them (or can MITM
if you find a collision), *and* can delay them all by 10 seconds,
and none are in parallel so you can attack all of them. IOW, just
like a single $100M opportunity for 3650 seconds each year.
Our machine has a 0.11% chance of finding a collision in 1 hour, so
it's worth about $110,000. We can build it for that in about 20
years.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-07 17:31:35
in reply to nevent1q…5lue
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-07 17:31:35Event JSON
{
"id": "525e20ddad8ad4e8e03edcb2229d7a3f3c36ba290916971a7f5cf2d28583518a",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686159095,
"kind": 1,
"tags": [
[
"e",
"39ee3b2141e39cb356bf3e8afab144a2e0bb0b6fbad76c57e6fb52dd7fe45506",
"",
"root"
],
[
"e",
"d9a30ba771c832db911d1a075cc457eef80d16e0183c9f4feac023468481c1fe",
"",
"reply"
],
[
"p",
"cd753aa8fbc112e14ffe9fe09d3630f0eff76ca68e376e004b8e77b687adddba"
]
],
"content": "📅 Original date posted:2016-01-08\n📝 Original message:Matt Corallo \u003clf-lists at mattcorallo.com\u003e writes:\n\u003e Indeed, anything which uses P2SH is obviously vulnerable if there is\n\u003e an attack on RIPEMD160 which reduces it's security only marginally.\n\nI don't think this is true? Even if you can generate a collision in\nRIPEMD160, that doesn't help you since you need to create a specific\nSHA256 hash for the RIPEMD160 preimage.\n\nEven a preimage attack only helps if it leads to more than one preimage\nfairly cheaply; that would make grinding out the SHA256 preimage easier.\nAFAICT even MD4 isn't this broken.\n\nBut just with Moore's law (doubling every 18 months), we'll worry about\neconomically viable attacks in 20 years.[1]\n\nThat's far enough away that I would choose simplicity, and have all SW\nscriptPubKeys simply be \"\u003c0\u003e RIPEMD(SHA256(WP))\" for now, but it's\nnot a no-brainer.\n\nCheers,\nRusty.\n\n[1] Assume bitcoin-network-level compute (collision in 19 days) costs\n $1B to build today. Assume there will be 100 million dollars a day\n in vulnerable txs, and you're on one end of all of them (or can MITM\n if you find a collision), *and* can delay them all by 10 seconds,\n and none are in parallel so you can attack all of them. IOW, just\n like a single $100M opportunity for 3650 seconds each year.\n\n Our machine has a 0.11% chance of finding a collision in 1 hour, so\n it's worth about $110,000. We can build it for that in about 20\n years.",
"sig": "7855aaac15dc9b3c7d0022422665a9d96a94ce00561bb13d820c01769af2f4655691c5f6e2a3c2dc60e2f627f858f999d6087514e1f7a6d1c7e2b9cce2ba1e6f"
}