Bitcoin Forum
Topic: Thought experiment on security design of bitcoin protocol
capsqrl (OP)
Sr. Member, Activity: 444, Merit: 250
November 03, 2012, 04:56:46 PM  #1

Just for fun, let's imagine an alternative reality in which Satoshi made a strange mistake in Bitcoin's design: instead of SHA-256, he used MD5. Everything else is exactly the same. What would some practical consequences of this be, with regards to the resilience of the bitcoin network, security of funds etc?

Norwegian Bitcoin user? Come to /r/BitcoinNO on reddit!
kokjo
Legendary, Activity: 1050, Merit: 1000
You are WRONG!
November 03, 2012, 05:07:54 PM (Last edit: November 03, 2012, 07:03:09 PM by kokjo)  #2

[What I wrote only applies to preimage attacks; MD5 only has collision attacks.]

Double spends, chain splitting, faster creation, being able to make two different transactions with the same hash (i.e. replace transactions in blocks without changing the block's hash) + many other nasty things I have not thought about yet.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
Pieter Wuille
Legendary, Activity: 1072, Merit: 1174
November 03, 2012, 05:40:16 PM  #3

All those things require a preimage attack. The only practical attack against MD5 is a collision attack.

I do Bitcoin stuff.
kjj
Legendary, Activity: 1302, Merit: 1024
November 03, 2012, 06:55:38 PM  #4

The biggest consequence is that no one would have taken it seriously.  And even now that MD5 is considered to be totally broken and should never be used for anything at all, the other constraints in the system would cover our asses if we used them.

Being able to find a collision in MD5 is totally not the same thing as being able to find two valid blocks with the same MD5 hash, or two valid transactions with the same MD5 hash, or two private keys where the corresponding public keys have the same MD5 hash.

Pieter is right, collision attacks don't hurt us at all, and even in MD5, preimage attacks don't exist. Well, they sorta do, but they still require more than 2^120 operations, making them barely better than brute force. And I'm not even sure that a full preimage attack could meet the system requirements.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
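A toy illustration of the gap Pieter and kjj are describing between a collision attack and a (second-)preimage attack, added here as an example and not code from the thread. It assumes a 24-bit truncated SHA-256 as a stand-in for a weak hash, and an invented fixed-structure "transaction" in which only one field is attacker-controlled: a birthday search finds two attacker-authored transactions with equal hash in roughly 2^12 tries, while matching the hash of an honest transaction already in a block needs on the order of 2^24.

```python
import hashlib
import itertools

HASH_BITS = 24  # toy size so both searches finish quickly (modelling assumption)


def toy_hash(data: bytes) -> int:
    """Truncated SHA-256 standing in for a weak 24-bit hash (assumption, not MD5)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:HASH_BITS // 8], "big")


def serialize_tx(payer: str, payee: str, amount: int, free_field: int) -> bytes:
    """Invented transaction layout: structure is fixed, only free_field is free."""
    return f"{payer}->{payee}:{amount}:{free_field}".encode()


def find_collision(payer: str, payee: str, amount: int):
    """Birthday search: two distinct transactions, both chosen by the attacker,
    that hash to the same value. Expected cost is about 2^(HASH_BITS/2) hashes.
    Returns (tx_a, tx_b, tries)."""
    seen = {}
    for i in itertools.count():
        tx = serialize_tx(payer, payee, amount, i)
        h = toy_hash(tx)
        if h in seen:
            return seen[h], tx, i + 1
        seen[h] = tx


def find_second_preimage(target_tx: bytes, payer: str, payee: str,
                         amount: int, limit: int):
    """Try to match the hash of a fixed, already-published transaction with a
    different one of the attacker's choosing. Expected cost is about 2^HASH_BITS
    hashes, so with a small limit this normally fails. Returns (tx or None, tries)."""
    target = toy_hash(target_tx)
    for i in range(limit):
        tx = serialize_tx(payer, payee, amount, i)
        if tx != target_tx and toy_hash(tx) == target:
            return tx, i + 1
    return None, limit


if __name__ == "__main__":
    a, b, tries = find_collision("mallory", "mallory", 1)
    print(f"collision after {tries} tries: {a!r} / {b!r}")
    honest = serialize_tx("alice", "bob", 5, 0)  # constructed honest transaction
    forged, tries = find_second_preimage(honest, "alice", "mallory", 5, 1 << 16)
    print(f"second preimage in {tries} tries: {forged!r}")
```

The collision gives Mallory two transactions she wrote herself; neither one replaces Alice's transaction, which is why the thread treats the two attack classes so differently.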
Mike Hearn
Legendary, Activity: 1526, Merit: 1129
November 08, 2012, 09:55:09 AM  #5

I think the existence of forged SSL certs that exploit MD5 collisions means that the possibility of two different valid transactions that hash to the same value isn't impossible. We already know what happens in that case - the code gets confused and can be exploited (we saw it with the coinbase duplication issue).
kjj
Legendary, Activity: 1302, Merit: 1024
November 08, 2012, 12:18:11 PM  #6

Quote from: Mike Hearn
I think the existence of forged SSL certs that exploit MD5 collisions means that the possibility of two different valid transactions that hash to the same value isn't impossible. We already know what happens in that case - the code gets confused and can be exploited (we saw it with the coinbase duplication issue).

Quote from: Bob Jueneman, IETF-PKIX
There is nothing in any of these standards that would prevent me from including 1 gigabit MPEG movie of me playing with my cat as one of the RDN components of the DN in my certificate

SSL cert signing requests have no consistent structure beyond some very loose guidelines that vary a bit from CA to CA.  If you were trying to design a data format that was intentionally vulnerable to hash collision attacks, I doubt you could do a better job.
