Why RIPEMD-160 and SHA-256 used for Bitcoin addresses

[oleganza]

I couldn't find anywhere why these two were chosen for hashing the public key. SHA-256 is quite popular, but I never heard of RIPEMD-160 before. Apparently, it's also quite popular, but originated from European university (SHA comes from NIST in US).

Thinking about that, I though that, maybe, these two were chosen because of their very different roots. In case you find some weakness in one of them, it should apply in the same way to the other. Or some conspiracy theory: if NIST happen to have some backdoor in  SHA-256, RIPEMD should not have because it was designed for a competing agency (US vs. EU). And vice versa?

What do you think? What were the other popular hash functions without known weaknesses in 2008, why they were not used?

PS. Here's my slightly extended post on this: http://blog.oleganza.com/post/42523601710/how-to-steal-all-coins

[1713901914]

1713901914

[JoelKatz]

RIPEMD-160 was used because it produces a shorter hash output. This permits bitcoin addresses to be as short as possible without compromising security. The exact reason why SHA-256 was used in combination with RIPEMD-160 isn't known. The two leading theories are:

1. There was concern that RIPEMD might have some defect. SHA-256 was believed to be more secure. The hope was that the two combined would be stronger than RIPEMD alone.

2. There was a concern about possible weaknesses in the MD structure itself, such as a length extension attack. Two hashes combined result in a composite hash that does not have a Merkle–Damgård structure and so is not vulnerable to these attacks.

Personally, I think the first explanation is more likely.

The idea of a backdoor in an open hash function like SHA-256 or RIPEMD-160 is pretty implausible. Even if there were such a thing that might permit something like constructing something that hashed to a given output, it's almost inconceivable that there could be a back door in a hash function that had the right interaction properties with ECDSA to make it useful against the bitcoin address scheme. It really is extremely implausible -- I'd say at least 1,000 times less likely than other possibilities with comparable consequences.

[Gabi]

Probably because the more, the merrier. If one is broken, the other one will still work.

Backdoors? Unlikely, the code is open, tons of ppl controlled it and everyday try to break it.