[bitcoin-dev] Time to worry about 80-bit collision attacks or not?

Gavin Andresen gavinandresen at gmail.com
Tue Jan 12 12:08:18 UTC 2016

I'm convinced-- it is a good idea to worry about 80-bit collision attacks

Thanks to all the people smarter than me who contributed to this
discussion, I learned a lot about collision attacks that I didn't know

Would this be a reasonable "executive summary" :

If you are agreeing to lock up funds with somebody else, and they control
what public key to use, you are susceptible to collision attacks.

It is very likely an 80-bit-collision-in-ten-minutes attack will cost less
than $1million in 10 to twenty years (possibly sooner if there are crypto
breaks in that time).

If you don't trust the person with whom you're locking up funds and you're
locking up a significant amount of money (tens of millions of dollars
today, tens of thousands of dollars in a few years):

Then you should avoid using pay-to-script-hash addresses and instead use
the payment protocol and "raw" multisig outputs.


Have them give you a hierarchical deterministic (BIP32) seed, and derive a
public key for them to use.


Following the security in depth and validate all input secure coding
principles would mean doing both-- avoid p2sh AND have all parties to a
transaction exchange HD seeds, add randomness, and use the resulting public
keys in the transaction.

Gavin Andresen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160112/866bc47e/attachment.html>

More information about the bitcoin-dev mailing list