First be aware that, since Mastering Bitcoin was first printed, Bitcoin has activated SegWit (BIP-141) and multi-party customers now have the potential for utilizing P2WSH to lock up their funds, which is safe towards collision search as a result of it makes use of a 256-bit hash (sha256) which has 128-bits of safety towards birthday assault.
Even the forked model (Bitcoin Money) finally (’23) solved the issue by extending the P2SH characteristic (BIP-16) with P2SH32 (utilizing sha256d, supply).
Newer blockchains principally had 256-bit addresses from the get-go, and now this collision drawback solely persists in some previous forks of Bitcoin’s codebase (e.g. Dogecoin).
Why was it an issue that wanted fixing? Here is a quick rationalization / instance (supply):
The issue arises when customers are requested to pay into an handle the place
another person had management over handle era, resembling P2SH
multi-party multisig addresses and public-facing covenants.
Feasibility of a collision assault makes it usable as a part of a con
executed in 3 phases:
- Collision assault: generate a colliding contract (redeem script) pair;
- Social hacking set-up: launch the handle and solely one of many two colliding contracts to another social gathering or events and persuade them
to pay funds into the contract handle;- Rug-pull: when the handle has amassed sufficient funds to pay for step 1 and have some revenue, steal the funds from the handle through the use of
the opposite, secret, contract.For the con to work, the contract revealed to different events should look
harmless whereas additionally having a variable half appropriate for manipulation
by the attacker, one that may encode an entire 160-bit hash as a way to
make use of the constant-memory methodology by discovering cycles. This does
not simply imply a steady 160-bit block, it’s rather more broad – it
means any diploma of freedom which might let the attacker feed 160 bits
of entropy of his alternative into the ultimate handle. The opposite message can
be something that can enable solely the attacker to spend from it.
Notice that, whereas it’s possible to birthday assault a 160-bit hash collision, it’s nonetheless not low cost to do it. Ripemd160 ASICs do not exist but (P2SH hash160 is ripemd160(sha256(x))), nevertheless the Ripemd hash perform has comparable building (Merkle-Damgard) as sha256 so R&D could not must have massive capex value. If we assume effectivity to match sha256d we may estimate value of particular person collision search based mostly on Bitcoin’s hashrate and worth of block reward.
Collision search would wish 2^80 makes an attempt (about 1M exahashes). Bitcoin community as an entire now (November 2024) does 790 exahashes/s that means it now does 2^80 hashes each 21 minutes!
Assuming hash160 ASICs of equal effectivity, the price of a single collision search could be about 2 block rewards, or about 470,000 USD per collision search.
The attacker would wish a goal of excessive sufficient worth for the assault to be value it. How may he set it up? Here is a hypothetical lengthy con (supply):
Instance Assault
To raised illustrate the assault, think about an adversary that creates a
custody service which units up 2-of-3 P2SH multisig addresses for his or her
customers. Any person of such service would management two keys, and the
custodian (attacker) would management one. Notice that there exist
respectable companies that work simply as described, enabling customers to
maintain one in all their two keys in chilly storage and depend on the service to
produce 2-of-3 signatures.For the assault to be attainable, person interface of the rogue service
must first ask the person for his or her 2 public keys, and the
adversary would add its key final to generate the multisig handle, and
then reveal their third key to the person so the person may confirm
correctness of the contract. The person would possible assume it’s protected,
as a result of it might be the acquainted multisig contract (redeem script)
template which, if evaluated by itself, certainly works as marketed:
- Redeem script:
OP_2;OP_3 OP_CHECKMULTISIG - Locking script:
OP_HASH160.OP_EQUAL Such an output may then be spent from utilizing an enter of the
following type:In our con state of affairs, when establishing the multisig handle the attacker
would have generated aredeem_script_steal, one that will hash to
the very same handle and permit him to spend from the handle by
executing a completely totally different script like:
- Redeem script:
<20-bytes> OP_DROP OP_DUP OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG.The script could be stored secret till stage 3. of the assault, the
rug-pull. Within the innocent-looking multisig script, his key wouldn’t
actually be a key, he could be utilizing it as a variable half in his
collision search. If the attacker expects customers to name on the service
to really use the important thing from the innocent-looking script, then it
would make stage 1. considerably dearer however nonetheless possible.The service may very well be working legitimately for a very long time, ready
for the correct goal or a set of targets. The attacker wouldn’t want
to carry out step 1. for all customers, that will have an unsure
return-on-investment. He would first want to draw sufficient customers and
determine high-value targets, ones the place they’ve sufficient funds to make
a collision search worthwhile. The attacker may then ask his targets
to maneuver their funds into a brand new contract that will have the identical 2
person keys, and the attacker may plausibly say he has to replace his
key for some inner safety improve.He would look ahead to his targets to maneuver the funds, after which steal them
multi function go and disappear.There’s a easy approach customers may defend themselves on this state of affairs:
insist on having the final say in handle era. The service would
have to supply their public key first, and the person would then
generate two model new keys for himself and use these to finalize the
P2SH multisig handle. The person would then be the one with the liberty
to generate a collision, however on this state of affairs he’s already the proprietor
of the handle so neither himself nor the service could be uncovered.
