Title: Multisig wallets
Post by: aurora on March 31, 2022, 12:55:26 PM

I know address collision is like 1 chance out of a godzillion, but still a chance. But what about multisig addresses? Are the chances of address collision even lower?

Title: Re: Multisig wallets
Post by: vjudeu on March 31, 2022, 01:24:38 PM

Quote: P2SH use RIPEMD-160

It is ok for now, but it can be a problem in the future. After doing 2^80 operations, it may be possible to reach address collision. It is not enough to claim P2(W)PKH coins, because that would require a 160-bit preimage, but if you want to create P2SH multisig, then you could make two identical addresses: one where you can claim all coins by using the first pubkey, and one where there is for example 2-of-2 multisig with someone. As long as doing 2^80 hashes is too hard for any average attacker, it is fine, but it can be possible in the future, so in case of multisig, switching to P2WSH or to Taproot is recommended.

Title: Re: Multisig wallets
Post by: BlackHatCoiner on March 31, 2022, 02:12:35 PM

Quote: After doing 2^80 operations, it may be possible to reach address collision.

Why 2^80? Wouldn't it be likely if you searched half of the [1, 2^160] range? Half is 2^159. I remember I had seen 2^80 (for RIPEMD-160) and 2^128 (for SHA-256), but I don't remember why it's the square root of their range and not half of their range.

Title: Re: Multisig wallets
Post by: garlonicon on March 31, 2022, 02:19:39 PM

Quote: Why 2^80?

Because you don't need a specific address. You need any address. That's the difference between pairgen (https://bitcointalk.org/index.php?topic=5312582.0) and the well-known vanitygen. The difficulty of finding a pair is the square root of the difficulty of finding a specific prefix. This is known as the Birthday Paradox (https://en.wikipedia.org/wiki/Birthday_problem).

Title: Re: Multisig wallets
Post by: BlackHatCoiner on March 31, 2022, 04:35:03 PM

Quote: Because you don't need a specific address. You need any address.

I still don't understand. Don't you hash a script in P2SH? Whether that contains multiple public keys or just one.

Title: Re: Multisig wallets
Post by: garlonicon on March 31, 2022, 05:46:07 PM

It is simple. You need any address, not some specific address. For example, you can generate any address with the first matching letter, whatever it will be. How many addresses do you need on average? In case of base58, it will be sqrt(58), so something around 8. Let's try:

Code:
privkey=1, address=1EHNa6Q4Jz2uvNExL497mE43ikXhwF6kZm

Quote: Don't you hash a script in P2SH?

Yes, you hash a script, but it doesn't matter what is hashed: if you have a 160-bit hash, then you can reach collisions after trying 2^80 hashes, whatever you hash.

Quote: Whether that contains multiple public keys or just one.

This attack is quite simple: you create two scripts, one is "<yourFirstPubkey> OP_CHECKSIG" and another is "2 <yourSecondPubKey> <someonePubKey> 2 OP_CHECKMULTISIG". You try different first and second private keys, trying to get a collision. After trying around 2^80 addresses, there is a chance to find one pair of scripts that will hash to the same value, then you can attack. You can try around 2^32 addresses on your CPU and see that you will probably hit some P2SH script pair where the first 64 bits will be the same.
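The thread's point is that P2SH security against a pair collision is governed by the birthday bound of the 160-bit HASH160 output, not by its full range, and that the bound does not depend on what is hashed. The following Python script is an added example written for this page, not code from the thread or from pairgen/vanitygen. It builds the two script shapes discussed above (single-key OP_CHECKSIG and 2-of-2 OP_CHECKMULTISIG), hashes them with HASH160, and measures how many scripts it takes before one script of each shape agrees on the top N bits. The experiment is scaled down from the post's 64-bit/2^32 figure to 24 bits so it finishes in seconds; the public keys are random 33-byte stand-ins with a 0x02 prefix (constructed, not real secp256k1 points), which is fine here because the hash only sees bytes. If the local OpenSSL lacks RIPEMD-160, the helper falls back to a 20-byte SHA-256 truncation; the birthday arithmetic is unchanged by that substitution. The defensive takeaway is the one vjudeu gives: a 256-bit script hash (P2WSH, Taproot) moves the same bound from 2^80 to 2^128.

```python
"""Birthday-bound demo: cross-shape HASH160 collisions on truncated P2SH script hashes."""
import hashlib
import secrets


def hash160(data: bytes) -> bytes:
    """Bitcoin HASH160 = RIPEMD-160(SHA-256(data)).

    If this Python/OpenSSL build has no RIPEMD-160, fall back to a 20-byte
    SHA-256 truncation (assumption for portability): the birthday bound
    depends only on the output width, not on which function produced it.
    """
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]


def single_sig_script(pubkey33: bytes) -> bytes:
    """<pubkey> OP_CHECKSIG: 0x21 pushes 33 bytes, 0xac is OP_CHECKSIG."""
    return b"\x21" + pubkey33 + b"\xac"


def multisig_2of2_script(pk_a: bytes, pk_b: bytes) -> bytes:
    """2 <pk_a> <pk_b> 2 OP_CHECKMULTISIG: OP_2 is 0x52, OP_CHECKMULTISIG is 0xae."""
    return b"\x52\x21" + pk_a + b"\x21" + pk_b + b"\x52\xae"


def truncated(digest: bytes, bits: int) -> int:
    """Top `bits` bits of a digest, as an integer."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def birthday_bound(bits: int) -> int:
    """Work for an any-pair collision in a `bits`-wide hash space: 2^(bits/2).
    For HASH160 this is 2^80, for a 256-bit script hash 2^128."""
    return 1 << (bits // 2)


def find_cross_collision(bits: int, other_pubkey: bytes, rng=secrets.token_bytes):
    """Alternate between the two script shapes with fresh stand-in pubkeys until
    a single-sig script and a 2-of-2 script agree on the top `bits` bits of
    HASH160. Returns (attempts, single_sig_script, multisig_script).

    Only cross-shape matches count: the table of seen single-sig hashes is
    checked against new multisig hashes and vice versa.
    """
    singles: dict[int, bytes] = {}
    multis: dict[int, bytes] = {}
    attempts = 0
    while True:
        attempts += 1
        pk = b"\x02" + rng(32)  # constructed 33-byte stand-in, not a real curve point
        if attempts % 2:
            script = single_sig_script(pk)
            h = truncated(hash160(script), bits)
            if h in multis:
                return attempts, script, multis[h]
            singles[h] = script
        else:
            script = multisig_2of2_script(pk, other_pubkey)
            h = truncated(hash160(script), bits)
            if h in singles:
                return attempts, singles[h], script
            multis[h] = script


if __name__ == "__main__":
    BITS = 24
    counterparty = b"\x02" + secrets.token_bytes(32)  # constructed stand-in for "someonePubKey"
    attempts, s1, s2 = find_cross_collision(BITS, counterparty)
    print(f"{BITS}-bit match after {attempts} scripts; 2^(bits/2) = {birthday_bound(BITS)}")
    print("single-sig HASH160:", hash160(s1).hex())
    print("2-of-2 HASH160    :", hash160(s2).hex())
```

Run it a few times: the attempt count clusters around 2^(BITS/2) to a small multiple of it, never near 2^(BITS-1), which is the square-root behaviour BlackHatCoiner asked about. Raising BITS by 2 roughly doubles the work, which is how the 160-bit full output extrapolates to 2^80.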