Thursday, April 17, 2025

Collision attack on Bitcoin P2SH

First, note that since Mastering Bitcoin was first published, Bitcoin has activated SegWit (BIP-141), and multi-party users now have the option of using P2WSH to lock up their funds. P2WSH is safe against collision search because it uses a 256-bit hash (sha256), which gives 128 bits of security against a birthday attack.
Even the forked version (Bitcoin Cash) eventually ('23) solved the problem by extending the P2SH feature (BIP-16) with P2SH32 (using sha256d, source).
Newer blockchains mostly had 256-bit addresses from the get-go, and now this collision problem only persists in some old forks of Bitcoin's codebase (e.g. Dogecoin).

Why was it a problem that needed fixing? Here is a brief explanation / example (source):

The problem arises when users are asked to pay into an address where
someone else had control over address generation, such as P2SH
multi-party multisig addresses and public-facing covenants.
Feasibility of a collision attack makes it usable as part of a con
executed in 3 stages:

  1. Collision attack: generate a colliding contract (redeem script) pair;
  2. Social engineering set-up: reveal the address and only one of the two colliding contracts to another party or parties and persuade them
    to pay funds into the contract address;
  3. Rug-pull: when the address has accumulated enough funds to pay for step 1 and leave some profit, steal the funds from the address by using
    the other, secret, contract.

For the con to work, the contract revealed to other parties must look
innocent while also having a variable part suitable for manipulation
by the attacker, one that can encode a whole 160-bit hash in order to
use the constant-memory method of finding cycles. This does
not just mean a contiguous 160-bit block; it's much broader: it
means any degree of freedom that lets the attacker feed 160 bits
of entropy of his choice into the final address. The other message can
be anything that allows only the attacker to spend from it.

Note that, while it's feasible to birthday-attack a 160-bit hash collision, it's still not cheap to do. Ripemd160 ASICs don't exist yet (P2SH hash160 is ripemd160(sha256(x))); however, the Ripemd hash function has a similar construction (Merkle-Damgård) to sha256, so R&D might not need a large capex. If we assume efficiency matching sha256d, we can estimate the cost of an individual collision search based on Bitcoin's hashrate and the value of the block reward.

A collision search would need 2^80 attempts (about 1M exahashes). The Bitcoin network as a whole now (November 2024) does 790 exahashes/s, which means it now does 2^80 hashes every 21 minutes!
Assuming hash160 ASICs of equal efficiency, the cost of a single collision search would be about 2 block rewards, or about 470,000 USD per collision search.

The attacker would need a target of high enough value for the attack to be worth it. How could he set it up? Here is a hypothetical long con (source):

Example Attack

To better illustrate the attack, consider an adversary that creates a
custody service which sets up 2-of-3 P2SH multisig addresses for its
users. Any user of such a service would control two keys, and the
custodian (attacker) would control one. Note that there exist
legitimate services that work just as described, enabling users to
keep one of their two keys in cold storage and rely on the service to
produce 2-of-3 signatures.

For the attack to be possible, the user interface of the rogue service
would first ask the user for their 2 public keys, and the
adversary would add its key last to generate the multisig address, and
then reveal their third key to the user so the user could verify
correctness of the contract. The user would likely assume it's safe,
because it would be the familiar multisig contract (redeem script)
template which, if evaluated on its own, indeed works as advertised:

  • Redeem script: OP_2 <pubkey1> <pubkey2> <pubkey3> OP_3 OP_CHECKMULTISIG;
  • Locking script: OP_HASH160 <20-byte hash160(redeem script)> OP_EQUAL.

Such an output could then be spent using an input of the
following form:

  • Unlocking script: OP_0 <sig1> <sig2> <redeem script>.

In our con scenario, when setting up the multisig address the attacker
would have generated a redeem_script_steal, one that would hash to
the very same address and allow him to spend from the address by
executing an entirely different script like:

  • Redeem script: <20-bytes> OP_DROP OP_DUP OP_HASH160 <attacker pubkey hash> OP_EQUALVERIFY OP_CHECKSIG.

The script would be kept secret until stage 3 of the attack, the
rug-pull. In the innocent-looking multisig script, his key wouldn't
really be a key; he would be using it as the variable part in his
collision search. If the attacker expects users to call on the service
to actually use the key from the innocent-looking script, then it
would make stage 1 somewhat more expensive but still feasible.

The service could be operating legitimately for a long time, waiting
for the right target or set of targets. The attacker wouldn't need
to perform step 1 for all users; that would have an uncertain
return on investment. He would first need to attract enough users and
identify high-value targets, ones where they have enough funds to make
a collision search worthwhile. The attacker could then ask his targets
to move their funds into a new contract that would have the same 2
user keys, and the attacker could plausibly say he has to update his
key for some internal security upgrade.

He would wait for his targets to move the funds, and then steal them
all in one go and disappear.

There's a simple way users could protect themselves in this scenario:
insist on having the last say in address generation. The service would
have to provide their public key first, and the user would then
generate two brand new keys for himself and use those to finalize the
P2SH multisig address. The user would then be the one with the freedom
to generate a collision, but in this scenario he's already the owner
of the address so neither himself nor the service would be exposed.
