First notice that, since Mastering Bitcoin was first printed, Bitcoin has activated SegWit (BIP-141) and multi-party customers now have the potential for utilizing P2WSH to lock up their funds, which is safe in opposition to collision search as a result of it makes use of a 256-bit hash (sha256) which has 128-bits of safety in opposition to birthday assault.
Even the forked model (Bitcoin Money) ultimately (’23) solved the issue by extending the P2SH function (BIP-16) with P2SH32 (utilizing sha256d, supply).
Newer blockchains largely had 256-bit addresses from the get-go, and now this collision drawback solely persists in some outdated forks of Bitcoin’s codebase (e.g. Dogecoin).
Why was it an issue that wanted fixing? Here is a quick rationalization / instance (supply):
The issue arises when customers are requested to pay into an handle the place
another person had management over handle era, resembling P2SH
multi-party multisig addresses and public-facing covenants.
Feasibility of a collision assault makes it usable as a part of a con
executed in 3 phases:
- Collision assault: generate a colliding contract (redeem script) pair;
- Social hacking set-up: launch the handle and solely one of many two colliding contracts to another celebration or events and persuade them
to pay funds into the contract handle;- Rug-pull: when the handle has accrued sufficient funds to pay for step 1 and have some revenue, steal the funds from the handle by utilizing
the opposite, secret, contract.For the con to work, the contract revealed to different events should look
harmless whereas additionally having a variable half appropriate for manipulation
by the attacker, one that may encode an entire 160-bit hash with the intention to
make use of the constant-memory technique by discovering cycles. This does
not simply imply a steady 160-bit block, it’s far more broad – it
means any diploma of freedom which might let the attacker feed 160 bits
of entropy of his selection into the ultimate handle. The opposite message can
be something that can enable solely the attacker to spend from it.
Word that, whereas it’s possible to birthday assault a 160-bit hash collision, it’s nonetheless not low-cost to do it. Ripemd160 ASICs do not exist but (P2SH hash160 is ripemd160(sha256(x))), nevertheless the Ripemd hash perform has comparable development (Merkle-Damgard) as sha256 so R&D could not have to have massive capex value. If we assume effectivity to match sha256d we might estimate value of particular person collision search based mostly on Bitcoin’s hashrate and worth of block reward.
Collision search would want 2^80 makes an attempt (about 1M exahashes). Bitcoin community as an entire now (November 2024) does 790 exahashes/s that means it now does 2^80 hashes each 21 minutes!
Assuming hash160 ASICs of equal effectivity, the price of a single collision search can be about 2 block rewards, or about 470,000 USD per collision search.
The attacker would want a goal of excessive sufficient worth for the assault to be value it. How might he set it up? Here is a hypothetical lengthy con (supply):
Instance Assault
To raised illustrate the assault, contemplate an adversary that creates a
custody service which units up 2-of-3 P2SH multisig addresses for his or her
customers. Any consumer of such service would management two keys, and the
custodian (attacker) would management one. Word that there exist
professional companies that work simply as described, enabling customers to
maintain one in every of their two keys in chilly storage and depend on the service to
produce 2-of-3 signatures.For the assault to be potential, consumer interface of the rogue service
must first ask the consumer for his or her 2 public keys, and the
adversary would add its key final to generate the multisig handle, and
then reveal their third key to the consumer so the consumer might confirm
correctness of the contract. The consumer would probably assume it’s protected,
as a result of it will be the acquainted multisig contract (redeem script)
template which, if evaluated by itself, certainly works as marketed:
- Redeem script:
OP_2 <attacker's 33-byte pubkey> <consumer's 33-byte pubkey 1> <consumer's 33-byte pubkey 0> OP_3 OP_CHECKMULTISIG;- Locking script:
OP_HASH160 <hash160(redeem_script)> OP_EQUAL.Such an output might then be spent from utilizing an enter of the
following kind:
- Unlocking script:
OP_0 <consumer's signature> <consumer's different signature or attacker's signature> <redeem_script>In our con situation, when organising the multisig handle the attacker
would have generated aredeem_script_steal, one that will hash to
the very same handle and permit him to spend from the handle by
executing a wholly totally different script like:
- Redeem script:
<20-bytes> OP_DROP OP_DUP OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG.The script can be stored secret till stage 3. of the assault, the
rug-pull. Within the innocent-looking multisig script, his key wouldn’t
actually be a key, he can be utilizing it as a variable half in his
collision search. If the attacker expects customers to name on the service
to really use the important thing from the innocent-looking script, then it
would make stage 1. considerably dearer however nonetheless possible.The service could possibly be working legitimately for a very long time, ready
for the correct goal or a set of targets. The attacker wouldn’t want
to carry out step 1. for all customers, that will have an unsure
return-on-investment. He would first want to draw sufficient customers and
establish high-value targets, ones the place they’ve sufficient funds to make
a collision search worthwhile. The attacker might then ask his targets
to maneuver their funds into a brand new contract that will have the identical 2
consumer keys, and the attacker might plausibly say he has to replace his
key for some inside safety improve.He would anticipate his targets to maneuver the funds, after which steal them
multi functional go and disappear.There’s a easy approach customers might defend themselves on this situation:
insist on having the final say in handle era. The service would
have to offer their public key first, and the consumer would then
generate two model new keys for himself and use these to finalize the
P2SH multisig handle. The consumer would then be the one with the liberty
to generate a collision, however on this situation he’s already the proprietor
of the handle so neither himself nor the service can be uncovered.