collision assault on bitcoin p2sh

0
3


First notice that, since Mastering Bitcoin was first printed, Bitcoin has activated SegWit (BIP-141) and multi-party customers now have the potential of utilizing P2WSH to lock up their funds, which is safe towards collision search as a result of it makes use of a 256-bit hash (sha256) which has 128-bits of safety towards birthday assault.
Even the forked model (Bitcoin Money) finally (’23) solved the issue by extending the P2SH characteristic (BIP-16) with P2SH32 (utilizing sha256d, supply).
Newer blockchains principally had 256-bit addresses from the get-go, and now this collision drawback solely persists in some previous forks of Bitcoin’s codebase (e.g. Dogecoin).

Why was it an issue that wanted fixing? Here is a quick clarification / instance (supply):

The issue arises when customers are requested to pay into an deal with the place
another person had management over deal with era, reminiscent of P2SH
multi-party multisig addresses and public-facing covenants.
Feasibility of a collision assault makes it usable as a part of a con
executed in 3 levels:

  1. Collision assault: generate a colliding contract (redeem script) pair;
  2. Social hacking set-up: launch the deal with and solely one of many two colliding contracts to another occasion or events and persuade them
    to pay funds into the contract deal with;
  3. Rug-pull: when the deal with has amassed sufficient funds to pay for step 1 and have some revenue, steal the funds from the deal with by utilizing
    the opposite, secret, contract.

For the con to work, the contract revealed to different events should look
harmless whereas additionally having a variable half appropriate for manipulation
by the attacker, one that may encode an entire 160-bit hash so as to
make use of the constant-memory technique by discovering cycles. This does
not simply imply a steady 160-bit block, it’s rather more broad – it
means any diploma of freedom which might let the attacker feed 160 bits
of entropy of his alternative into the ultimate deal with. The opposite message can
be something that can enable solely the attacker to spend from it.

Observe that, whereas it’s possible to birthday assault a 160-bit hash collision, it’s nonetheless not low cost to do it. Ripemd160 ASICs do not exist but (P2SH hash160 is ripemd160(sha256(x))), nevertheless the Ripemd hash perform has comparable building (Merkle-Damgard) as sha256 so R&D might not have to have giant capex price. If we assume effectivity to match sha256d we may estimate price of particular person collision search based mostly on Bitcoin’s hashrate and worth of block reward.

Collision search would want 2^80 makes an attempt (about 1M exahashes). Bitcoin community as an entire now (November 2024) does 790 exahashes/s that means it now does 2^80 hashes each 21 minutes!
Assuming hash160 ASICs of equal effectivity, the price of a single collision search could be about 2 block rewards, or about 470,000 USD per collision search.

The attacker would want a goal of excessive sufficient worth for the assault to be value it. How may he set it up? Here is a hypothetical lengthy con (supply):

Instance Assault

To higher illustrate the assault, think about an adversary that creates a
custody service which units up 2-of-3 P2SH multisig addresses for his or her
customers. Any person of such service would management two keys, and the
custodian (attacker) would management one. Observe that there exist
respectable companies that work simply as described, enabling customers to
maintain considered one of their two keys in chilly storage and depend on the service to
produce 2-of-3 signatures.

For the assault to be potential, person interface of the rogue service
must first ask the person for his or her 2 public keys, and the
adversary would add its key final to generate the multisig deal with, and
then reveal their third key to the person so the person may confirm
correctness of the contract. The person would possible assume it’s secure,
as a result of it could be the acquainted multisig contract (redeem script)
template which, if evaluated by itself, certainly works as marketed:

  • Redeem script: OP_2 <attacker's 33-byte pubkey> <person's 33-byte pubkey 1> <person's 33-byte pubkey 0> OP_3 OP_CHECKMULTISIG;
  • Locking script: OP_HASH160 <hash160(redeem_script)> OP_EQUAL.

Such an output may then be spent from utilizing an enter of the
following type:

  • Unlocking script: OP_0 <person's signature> <person's different signature or attacker's signature> <redeem_script>

In our con situation, when establishing the multisig deal with the attacker
would have generated a redeem_script_steal, one that may hash to
the very same deal with and permit him to spend from the deal with by
executing a wholly totally different script like:

  • Redeem script: <20-bytes> OP_DROP OP_DUP OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG.

The script could be stored secret till stage 3. of the assault, the
rug-pull. Within the innocent-looking multisig script, his key wouldn’t
actually be a key, he could be utilizing it as a variable half in his
collision search. If the attacker expects customers to name on the service
to truly use the important thing from the innocent-looking script, then it
would make stage 1. considerably costlier however nonetheless possible.

The service may very well be working legitimately for a very long time, ready
for the correct goal or a set of targets. The attacker wouldn’t want
to carry out step 1. for all customers, that may have an unsure
return-on-investment. He would first want to draw sufficient customers and
establish high-value targets, ones the place they’ve sufficient funds to make
a collision search worthwhile. The attacker may then ask his targets
to maneuver their funds into a brand new contract that may have the identical 2
person keys, and the attacker may plausibly say he has to replace his
key for some inside safety improve.

He would look forward to his targets to maneuver the funds, after which steal them
multi function go and disappear.

There’s a easy method customers may shield themselves on this situation:
insist on having the final say in deal with era. The service would
have to supply their public key first, and the person would then
generate two model new keys for himself and use these to finalize the
P2SH multisig deal with. The person would then be the one with the liberty
to generate a collision, however on this situation he’s already the proprietor
of the deal with so neither himself nor the service could be uncovered.

LEAVE A REPLY

Please enter your comment!
Please enter your name here