Bitcoin Forum
November 30, 2023, 02:19:43 AM *
News: Latest Bitcoin Core release: 25.0 [Torrent]
   Home   Help Search Login Register More  
Pages: [1]
Author Topic: Why RIPEMD-160 and SHA-256 used for Bitcoin addresses  (Read 2835 times)
oleganza (OP)
Full Member
Offline Offline

Activity: 200
Merit: 103

Software design and user experience.

View Profile WWW
February 07, 2013, 08:58:19 PM

I couldn't find anywhere why these two were chosen for hashing the public key. SHA-256 is quite popular, but I never heard of RIPEMD-160 before. Apparently, it's also quite popular, but originated from European university (SHA comes from NIST in US).

Thinking about that, I though that, maybe, these two were chosen because of their very different roots. In case you find some weakness in one of them, it should apply in the same way to the other. Or some conspiracy theory: if NIST happen to have some backdoor in  SHA-256, RIPEMD should not have because it was designed for a competing agency (US vs. EU). And vice versa?

What do you think? What were the other popular hash functions without known weaknesses in 2008, why they were not used?

PS. Here's my slightly extended post on this:

Bitcoin analytics: / 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo
"You Asked For Change, We Gave You Coins" -- casascius
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
Offline Offline

Activity: 1596
Merit: 1012

Democracy is vulnerable to a 51% attack.

View Profile WWW
February 07, 2013, 09:08:49 PM
Last edit: February 07, 2013, 09:25:38 PM by JoelKatz

RIPEMD-160 was used because it produces a shorter hash output. This permits bitcoin addresses to be as short as possible without compromising security. The exact reason why SHA-256 was used in combination with RIPEMD-160 isn't known. The two leading theories are:

1. There was concern that RIPEMD might have some defect. SHA-256 was believed to be more secure. The hope was that the two combined would be stronger than RIPEMD alone.

2. There was a concern about possible weaknesses in the MD structure itself, such as a length extension attack. Two hashes combined result in a composite hash that does not have a Merkle–Damgård structure and so is not vulnerable to these attacks.

Personally, I think the first explanation is more likely.

The idea of a backdoor in an open hash function like SHA-256 or RIPEMD-160 is pretty implausible. Even if there were such a thing that might permit something like constructing something that hashed to a given output, it's almost inconceivable that there could be a back door in a hash function that had the right interaction properties with ECDSA to make it useful against the bitcoin address scheme. It really is extremely implausible -- I'd say at least 1,000 times less likely than other possibilities with comparable consequences.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Offline Offline

Activity: 1148
Merit: 1008

If you want to walk on water, get out of the boat

View Profile
February 07, 2013, 09:09:38 PM

Probably because the more, the merrier. If one is broken, the other one will still work.

Backdoors? Unlikely, the code is open, tons of ppl controlled it and everyday try to break it.

Pages: [1]
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!