first thanks for answering
I know that sha is secure and every kind of possible attack need a very very very lot of time and computation and so they are not possible to be done but my questions are only for studying purpose of the bitcoin protocol.
I've understand that collision attack is useless for bitcoin and so I've asked only about first and second preimage attack. It seems that the first preimage attack so can involve only block mining, while second preimage attack in some way could involve spend some other's money but still it's not very clear to me how. I've still not understood exactly what "defeat OP_CHECKSIG" means.



ok it is a second preimage attack and If I have understand that it could be a right example of taking favour of break second preimage resistance.

Hi, I've read this page on bitcoin wiki https://en.bitcoin.it/wiki/Contingency_plans#SHA-256_is_broken , mainly the section about sha-256. I'm triyng to understand why and how the attacks specified in this page could be done.
1) Attacker may be able to defeat OP_CHECKSIG, which hashes transactions before signing. I can't understand what means "defeat OP_CHECKSIG". I try to figure out what kind of attack would be related to this: user A sends transaction T to user B. User C intercepts T1 before spreading to the network and if we could crack che second preimage resistance of sha we could find another tx T2 that has the same hash of T1 (this preserve the integrity of the sign for T2). In particular if he could find a transaction T2 that is different from T1 only for the destination address (address X instead B address) (and T1 and T2 have the same hash)  he could modify the destination address and so send T2 to the network (and delete T1). With this operation A's bitcoin will be delivered to some "x" address instead of B. The problem of the attacker is now to obtain a private key of that address x to try to spend it (ECDSA probem)
Is this the attack related to OP_CHECKSIG? Or something else?
2) Attacker may be able to create blocks very quickly. I think this is related to the first preimage resistance: if I could break this properties of sha I could fix a hash value less than the target and I could obtain the header of the block that generates this hash. Even I could be able to do this I will also have a problem. What I obtain from this "reverse" operation has to have a reasonable meaning in bitcoin protocol, I mean that the bit string of a valid header has a structure and I can't use some random bit as an header block because it depends on what transaction the block contains. Even if I include only the coinbase transaction there would be a depence between this transaction and the block (merkle root hash). So what I've understand is that even if someone would be able to crack the first preimage resistance of sha it would be very difficult to mine a block using this attack. It is right what I've supposed?

3? double spend?) This isn't named in the wiki page but I think that if somone would break the second preimage resistance he could execute double-spend. It is similar to 2) attack: suppose I have sent a transaction T1 that now is confirmed. If I could create a transaction T2 to some user B, that has the same hash of T1 and spends the same input, when I spread it into the network other nodes will see that the T2 hash is a hash that it is confirmed in the blockchain yet? At this point every node will discard T2 or T2 will be spread again to the network?or they first will se that those input don't exist between utxo and so discard immediately T2?
Probably I don't understand how to double spend taking advantage of breaking some properties of sha. Have anyone some idea about this? Or double-spend could be done only whit computational power attack?

Ok this is what I was searching. It is an idea but it seems a right one.

Ok thanks again
I take advantage of your kindness to ask you if I've understood how merkle tree/root works. I've understood how merkle root is calculated and that it is in the block header, that's easy. Then I read that if I have a SPV client, I only have block header and so only merkle root, so in order to verify if a transaction is included in a block I need some merkle branch ("some intermediate hash of the tree") in order to calculate merkle root and see if it corresponds to merkle root of the header. Is it right? I read that merkle branch are provided by full node, so SPV client needs to ask for these branch, but inside a block I see only a list of transactions with their own hash, so merkle branch (so "intermediate" hash of the tree) where are stored? Are they dinamically calculated by full node and sent to SPV? (I don't think so, it wouldn't be a good idea)

I'm sorry if this question is not related to topic's title

Ok, thanks. So I imagine that the entire transaction hash is calculated with all inputs sigscript field filled with their own signature.
I have a last question, I've searched where utxo are stored but I've not found a clear answer. Are they stored in a database? O are they organized in a particular structure? I'm only quite sure they are indexed by their transaction hash but it's not clear how are organized and updated to the network after that some are spent.

thank you very much for your help, i'm doing a university work and so I need to learn about byte-level details. I've also read that every input is signed individually but this makes me confused about how previous output hash field works. This means that the hash in this field refers to an individual input hash and not to a transaction hash? I've used blockexplorer to see some blocks and transactions and I've understood that this field refers to a transaction hash and index field denotes which input is considered.

Another possibility is that to verify transaction and to sign it we calculate individual hash for inputs but then is calculated a general hash for the entire transaction so that we can refer to? In this way transaction's hash would be used only to refer that and not also to sign it.

I hope you can clarify this question.

thank you. So the hash isn't calculated with the signature and the public key in SigScript field, but there is the Pkscript of the utxo it is related to. After calculating hash signature is inserted in the related field. So when someone receive the transaction that he have to verify, he create a new transaction copy that has in sigscript field the Pkscript part of utxo and then check the signature..
It is right?

Hi, I understand that in transaction input structure there is the SigScript that contains the signature of the transaction and the public key of who generates the transaction so that everyone can verify the signature. But I've also read that the signature is calculated from the transaction hash, but if the signature is a part of the transaction, how I can sign an hash that is generated from something that contains the signature itself. I imagine that there is some steps that misses in my argument.

Hi, I'm tryng to understand how transactions works and how they are organized. I understand the structure of a transaction, made up of a list of input and output https://en.bitcoin.it/wiki/File:TxBinaryMap.png .
First 32 bytes of tx input are the hash of the previous transaction (and then 4 bytes of index), that is the transaction where there is the unspent output that I use as input in this transaction. This is the idea, right?
But in transaction structure there is no hash field, transaction are stored in blocks, and blocks have their own hash and the merkle root hash.
I can't understand how with transaction hash we can check if in that transaction there is an unspent output.
How can i find a transaction from its hash if it isn't stored anywhere?

I've also read that there is a structure that contains all utxo but i can't find detail about that.

Oh yes I know that my public key is sent only when I spend Bitcoin, the mistake that i've done is to consider using only one bitcoin address for more transactions. Now i've understood why we use it, it is not necessary but it is a good way to prevent some attacks or problem, thank you to everyone

thank you for your answers, I understand what you say, but when I send a transaction on the network I've understood that i also send my public key because I've signed the transaction with my private key and so everyone had to check the transaction with my public one.
So everyone can know my public key, it is not true? Maybe I've don't understood how transactions work. If it works in this way the problem still remains and using an address doesn't hide the public key.

Hi, I'm studying Bitcoin protocol and I have a question: why can't we use public key as an address? Why is it not enough? Address is simply obtained from public key that is hashed ecc.. I can't understand why we need an address and we can't use public key instead. Public key is public as it is defined so I can only imagine that we don't use that because it is too long.
Is this the reason?
I've found this question here http://bitcoin.stackexchange.com/questions/3600/why-are-bitcoin-addresses-hashes-of-public-keys but there is only one answer and it is about the size of the public key and some not specified security problem. Anyone can explain with more details this problem?
Thank you