H = ripemd160(sha256(ECMultiply(A,G)))
A - 32-byte number,
H - 20-byte number,
G - generator point,
ECMultiply - elliptic curve point multiplication.
Is it true that there is many A that have the same H?
Asked
Active
Viewed 2,647 times
3
Denis Leonov
- 137
- 1
- 7
1 Answers
9
There are close to $2^{256}$ ECC keys while there are only $2^{160}$ 20-byte hashes, so the pidgeonhole principle shows that there exist collisions. On average there there are $2^{96}$ keys for each 20-byte hash.
Since SHA-256 is a strong hash function, the only way to find a collision is brute force, which involves $2^{80}$ hash computations. But collisions are not a relevant attack for bitcoin addresses, since stealing your own money is rather pointless.
What an attacker needs to do is a multi-target preimage attack, which is ridiculously more expensive than the expected rewards ($2^{160}$ hash computations to steal 67 billion USD, which means more than $2^{120}$ hash computations for each dollar you steal).
It's clearly better for the attacker to attack the address with a known ECC public key and the highest balance, since that costs $2^{128}$ operations, but reaps all bitcoins from that address.
CodesInChaos
- 25,121
- 2
- 90
- 129