>You have to not only produce a ripemd160 collision, you have to produce a collision that is also a valid sha-256 hash - and that's much much much more difficult.

I agree that merely finding a collision in RIPEMD-160 will be hard to use in Bitcoin.

However, finding a collision in RIPEMD-160(SHA-256(msg)) via brute force (2^80 queries) is not particularly more difficult than finding a collision in RIPEMD-160 via brute force. Furthermore, if you find a collision in RIPEMD-160(SHA-256(msg)), you also get a valid SHA-256 hash for which you know the preimage.


On Sat, Feb 25, 2017 at 1:19 PM, Alice Wonder via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> On 02/25/2017 08:10 AM, Ethan Heilman via bitcoin-dev wrote:
>>> SHA1 is insecure because the SHA1 algorithm is insecure, not because
>>> 160bits isn't enough.
>>
>> I would argue that 160-bits isn't enough for collision resistance.
>> Assuming RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random
>> oracle), collisions can be generated in 2^80 queries (actually detecting
>> these collisions requires some time-memory additional trade-offs). The
>> Bitcoin network at the current hash rate performs roughly SHA-256 ~2^78
>> queries a day or 2^80 queries every four days.
>
> You have to not only produce a ripemd160 collision, you have to produce a collision that is also a valid sha-256 hash - and that's much much much more difficult.
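
Added example, not part of the original thread: a toy-scale birthday search showing that a collision on the composed hash costs about as many queries as one on the outer hash alone, and that the composed collision comes with two distinct SHA-256 digests whose preimages are known. Assumptions: the digest is truncated to 32 bits so the search finishes in seconds, SHA-1 stands in as a 160-bit outer hash when the local OpenSSL build does not offer RIPEMD-160, and the function names and messages are constructed for the illustration.

```python
import hashlib
from itertools import count

# Use RIPEMD-160 when the local OpenSSL provides it; otherwise fall back to
# SHA-1 purely as a stand-in with the same 160-bit output length (assumption).
try:
    hashlib.new("ripemd160")
    OUTER = "ripemd160"
except ValueError:
    OUTER = "sha1"


def outer_hash(data: bytes) -> bytes:
    """Outer 160-bit hash applied directly to the message."""
    return hashlib.new(OUTER, data).digest()


def hash160(msg: bytes) -> bytes:
    """Composed hash from the thread: OUTER(SHA-256(msg))."""
    return outer_hash(hashlib.sha256(msg).digest())


def birthday_collision(fn, bits, prefix=b"constructed-msg-"):
    """Return (m1, m2, queries) where m1 != m2 and fn(m1), fn(m2) agree on
    their first `bits` bits (`bits` must be a multiple of 8).

    A table of every tag seen so far is kept, so memory grows with the
    number of queries, roughly 2^(bits/2) entries before a repeat appears.
    """
    nbytes = bits // 8
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()   # constructed, distinct messages
        tag = fn(msg)[:nbytes]
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    bits = 32
    for name, fn in (("outer hash alone", outer_hash),
                     ("outer(SHA-256(msg))", hash160)):
        m1, m2, queries = birthday_collision(fn, bits)
        print(f"{name}: {queries} queries for a {bits}-bit collision "
              f"(2^{bits // 2} = {2 ** (bits // 2)})")
        print("  SHA-256 of each message:",
              hashlib.sha256(m1).hexdigest()[:16],
              hashlib.sha256(m2).hexdigest()[:16])
```

Both searches finish after a number of queries on the order of 2^16; the inner SHA-256 step adds one hash evaluation per query and does not change the birthday bound, which depends only on the output length being collided.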

