>You have to not only produce a ripemd160 collision, you have to produce a collision that is also a valid sha-256 hash - and that's much much much more difficult.
I agree that merely finding a collision in RIPEMD-160 will be hard to use in Bitcoin. However finding a collision in RIPEMD-160(SHA-256(msg)) via bruteforce (2^80 queries) is not particular more difficult than finding a collision in RIPEMD-160 via brute force. Furthermore if you find a collision in RIPEMD-160(SHA-256(msg)) you also get a valid SHA-256 hash for which you know the preimage. On Sat, Feb 25, 2017 at 1:19 PM, Alice Wonder via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On 02/25/2017 08:10 AM, Ethan Heilman via bitcoin-dev wrote: > >> SHA1 is insecure because the SHA1 algorithm is insecure, not because >>> >> 160bits isn't enough. >> >> I would argue that 160-bits isn't enough for collision resistance. >> Assuming RIPEMD-160(SHA-256(msg)) has no flaws (i.e. is a random >> oracle), collisions can be generated in 2^80 queries (actually detecting >> these collisions requires some time-memory additional trade-offs). The >> Bitcoin network at the current hash rate performs roughly SHA-256 ~2^78 >> queries a day or 2^80 queries every four days. >> > > You have to not only produce a ripemd160 collision, you have to produce a > collision that is also a valid sha-256 hash - and that's much much much > more difficult. > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
