[bitcoin-dev] Time to worry about 80-bit collision attacks or not?

Gavin Andresen gavinandresen at gmail.com
Thu Jan 7 21:06:30 UTC 2016

Maybe I'm asking this question on the wrong mailing list:

Matt/Adam: do you have some reason to think that RIPEMD160 will be broken
before SHA256?
And do you have some reason to think that they will be so broken that the
nested hash construction RIPEMD160(SHA256()) will be vulnerable?

Adam: re: "where to stop"  :  I'm suggesting we stop exactly at the current
status quo, where we use RIPEMD160 for P2SH and P2PKH.

Ethan:  your algorithm will find two arbitrary values that collide. That
isn't useful as an attack in the context we're talking about here (both of
those values will be useless as coin destinations with overwhelming

Dave: you described a first preimage attack, which is 2**160 cpu time and
no storage.

Gavin Andresen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160107/a777b3e1/attachment.html>

More information about the bitcoin-dev mailing list