Collision attack on Bitcoin P2SH

First note that, since Mastering Bitcoin was first published, Bitcoin has activated SegWit (BIP-141) and multi-party users now have the option of using P2WSH to lock up their funds, which is secure against collision search because it uses a 256-bit hash (sha256), giving 128 bits of security against a birthday attack.
Even the forked version (Bitcoin Cash) eventually ('23) solved the problem by extending the P2SH feature (BIP-16) with P2SH32 (using sha256d, source).
Newer blockchains mostly had 256-bit addresses from the get-go, and now this collision problem only persists in some old forks of Bitcoin's codebase (e.g. Dogecoin).

Why was it a problem that needed fixing? Here is a short explanation / example (source):

The problem arises when users are asked to pay into an address where
someone else had control over address generation, such as P2SH
multi-party multisig addresses and public-facing covenants.
Feasibility of a collision attack makes it usable as part of a con
executed in 3 stages:

  1. Collision attack: generate a colliding contract (redeem script) pair;
  2. Social engineering set-up: publish the address and only one of the two colliding contracts to another party or parties and convince them
    to pay funds into the contract address;
  3. Rug-pull: when the address has accumulated enough funds to pay for step 1 and leave some profit, steal the funds from the address by using
    the other, secret, contract.

For the con to work, the contract revealed to the other parties must look
innocent while also having a variable part suitable for manipulation
by the attacker, one that can encode a whole 160-bit hash in order to
make use of the constant-memory method of finding cycles. This does
not just mean a contiguous 160-bit block; it is much broader: it
means any degree of freedom which would let the attacker feed 160 bits
of entropy of his choice into the final address. The other message can
be anything that will allow only the attacker to spend from it.

Note that, while it is feasible to birthday-attack a 160-bit hash collision, it is still not cheap to do it. Ripemd160 ASICs do not exist yet (P2SH hash160 is ripemd160(sha256(x))); however, the Ripemd hash function has a similar construction (Merkle-Damgard) to sha256, so the R&D may not need a large capex cost. If we assume efficiency matching sha256d, we can estimate the cost of an individual collision search based on Bitcoin's hashrate and the value of the block reward.

A collision search would need 2^80 attempts (about 1M exahashes). The Bitcoin network as a whole now (November 2024) does 790 exahashes/s, meaning it now does 2^80 hashes every 21 minutes!
Assuming hash160 ASICs of equal efficiency, the cost of a single collision search would be about 2 block rewards, or about 470,000 USD per collision search.

The attacker would need a target of high enough value for the attack to be worth it. How could he set it up? Here is a hypothetical long con (source):

Example Attack

To better illustrate the attack, imagine an adversary that creates a
custody service which sets up 2-of-3 P2SH multisig addresses for its
users. A user of such a service would control two keys, and the
custodian (attacker) would control one. Note that there exist
legitimate services that work just as described, enabling users to
keep one of their two keys in cold storage and rely on the service to
produce 2-of-3 signatures.

For the attack to be possible, the user interface of the rogue service
would need to first ask the user for their 2 public keys; the
adversary would add its key last to generate the multisig address, and
then reveal its third key to the user so the user could verify
correctness of the contract. The user would likely assume it is safe,
because it would be the familiar multisig contract (redeem script)
template which, if evaluated on its own, indeed works as advertised:

  • Redeem script: OP_2 <pubkey1> <pubkey2> <pubkey3> OP_3 OP_CHECKMULTISIG;
  • Locking script: OP_HASH160 <20-byte script hash> OP_EQUAL.

Such an output could then be spent from using an input of the
following form:

In our con scenario, when setting up the multisig address the attacker
would have generated a redeem_script_steal, one that would hash to
the very same address and allow him to spend from the address by
executing an entirely different script like:

  • Redeem script: <20 bytes> OP_DROP OP_DUP OP_HASH160 <20-byte pubkey hash> OP_EQUALVERIFY OP_CHECKSIG.

The script would be kept secret until stage 3 of the attack, the
rug-pull. In the innocent-looking multisig script, his key would not
really be a key; he would be using it as the variable part in his
collision search. If the attacker expects users to call on the service
to actually use the key from the innocent-looking script, then it
would make stage 1 significantly more expensive but still feasible.

The service could be operating legitimately for a long time, waiting
for the right target or a set of targets. The attacker would not need
to perform step 1 for all users; that would have an uncertain
return on investment. He would first need to attract enough users and
identify high-value targets, ones holding enough funds to make
a collision search worthwhile. The attacker could then ask his targets
to move their funds into a new contract that would have the same 2
user keys, and the attacker could plausibly say he has to update his
key for some internal security upgrade.

He would wait for his targets to move the funds, and then steal them
all in one go and disappear.

There is a simple way users could protect themselves in this scenario:
insist on having the last say in address generation. The service would
have to provide its public key first, and the user would then
generate two brand new keys for himself and use those to finalize the
P2SH multisig address. The user would then be the one with the freedom
to generate a collision, but in this scenario he is already the owner
of the address, so neither he nor the service would be exposed.
