Preface: I wish to more concisely restate and amplify the greater point of my original post.
People are worrying about the wrong measure of the wrong thing. I’ve seen endlessly repeated forum discussions of how big 2^256 is, in the context of Bitcoin’s 256-bit keys—oft accompanied by estimates of how long it would take to try each potential key in a bruteforce attack.
That’s the wrong measure: No actual attacker would use a bruteforce attack against ECC. Against actual attackers, Bitcoin’s public-key crypto has a 128-bit security level. This means that breaking it would require a humanly impossible amount of computation, approximately 2^128 work.
And it’s the wrong thing to worry about. Worry about your computer security, your operational security, your privacy. Those are all incomparably weaker and more vulnerable than crypto with a 128-bit security level. Bitcoin’s public key security level is a strength. Worry about your weaknesses.
Worry about all the many weak links in the chain of your security, not one of the few strong links. I expect that if people put into their “weak links” even half the energy they expend obsessing over how hard it is to break things which are humanly impossible to break, then many fewer coins would be stolen.
What do you think of P2WKH (160bit hash of pubkey) vs P2WSH (256bit hash of pubkey) security?
Breaking the security of a 160-bit key hash requires a full preimage attack. Therefore, the security level for this particular component is 160 bits. That exceeds the 128-bit security level of the public key itself; so, “what I think” is that it’s stronger than strong enough. So as for P2WPKH.
P2WSH upgraded to a 256-bit hash because multisig transactions are vulnerable to a collision attack by a malicious signer, such as a cheating party in an escrow transaction. Collision attacks are much easier than preimage attacks, due to the birthday paradox. In old-style P2SH (with “3” addresses), using a 160-bit hash, multisig has only an 80-bit security level against malicious signers; the hash still has a 160-bit security level against anybody who is not a signer.
Multisig with Segwit P2WSH and its 256-bit hashes has a 128-bit security level against malicious signers, and a 256-bit security level against everybody else. Exponentials confuse many people. The difference between 80-bit and 128-bit doesn’t sound like much. Whereas 2^128 work is more than 281 trillion times bigger than 2^80 work. To do 2^80 work is feasible today, albeit costly in the extreme. To do 2^80 work more than 281 trillion times over is humanly impossible and unthinkable.
N.b. that this pertains primarily to multisig. I can imagine it might also affect some other uses, but multisig is the major use case which invokes vulnerability to collision attacks. There are other P2SH uses, which do not include in the script any data from an untrusted party—for example, the backwards-compatibility nesting of P2WPKH in P2SH. For such use cases, old-style P2SH has a 160-bit security level; and Segwit P2WSH has a 256-bit security level.
There are some interesting references apropos in this Core blog post. Note that the “comparison” to the Bitcoin mining network is outdated: Hashrate has much increased; it now takes a bit over a day and a half for Bitcoin miners to collectively do 2^80 work.
In P2WKH you have to rebuild an unknown script, and if you want to unlock a P2WKH Tx, you have to find a sha256 collision with the lock script of this transaction.
To me, it is still very secure unless you break sha256 and then find a way to create a new valid script corresponding to the previous hash.
Do you mean P2WSH? What you said does not make any sense. s/P2WKH/P2WSH/g. Next, understand the difference between a collision and a preimage. A collision means finding two different inputs which have the same hash—any hash. Whereas in P2WSH (or almost anywhere else in the on-chain use of hashes), the hash is already determined. To find an input matching a particular hash requires a preimage attack, not a collision attack. This is a huge difference. Preimage attacks are much harder.
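The security-level bookkeeping used in the multisig answer above (preimage of an n-bit hash costs about 2^n, a collision about 2^(n/2) by the birthday bound, ECC 128 bits) and the collision-versus-preimage distinction in this reply, worked through in code. This is an added example, not code from any post in the thread; the network hashrate is an assumed figure, and the inputs to the toy collision search are constructed.

```python
import hashlib

# Security levels (bits of work) as the thread uses them:
#   preimage of an n-bit hash        -> n bits
#   collision on an n-bit hash       -> n/2 bits (birthday bound)
#   ECDLP on a 256-bit secp256k1 key -> 128 bits (generic sqrt-order attacks)
ECC_LEVEL_BITS = 128

def script_hash_level(hash_bits, attacker_is_signer):
    """Security level of a script-hash output (P2SH: 160, P2WSH: 256).
    A malicious co-signer supplies part of the script before it is hashed,
    so they need only a collision; everyone else needs a full preimage."""
    return hash_bits // 2 if attacker_is_signer else hash_bits

def overall_level(*component_bits):
    """The weakest component in the chain sets the overall level."""
    return min(component_bits)

def work_ratio(bits_a, bits_b):
    """How many times more work 2^bits_a is than 2^bits_b."""
    return 2 ** (bits_a - bits_b)

def days_to_do_work(bits, hashes_per_second):
    """Wall-clock days for a network at the given rate to do 2^bits work.
    The rate passed in is an assumption, not a figure from the thread."""
    return 2 ** bits / hashes_per_second / 86400

def truncated_sha256(data, n_bits):
    """SHA-256 truncated to its top n_bits: a toy stand-in for a short hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)

def birthday_collision_trials(n_bits):
    """Count how many constructed inputs are hashed before two share an
    n-bit truncated hash. Expect roughly 2^(n/2), which is why a 160-bit
    hash gives only ~80-bit collision resistance. Deterministic inputs."""
    seen = {}
    i = 0
    while True:
        h = truncated_sha256(b"constructed-script-%d" % i, n_bits)
        if h in seen:
            return i + 1
        seen[h] = i
        i += 1

if __name__ == "__main__":
    print("P2PKH/P2WPKH overall level:", overall_level(ECC_LEVEL_BITS, 160))
    print("P2SH multisig vs malicious signer:", script_hash_level(160, True))
    print("P2WSH multisig vs malicious signer:", script_hash_level(256, True))
    print("2^128 / 2^80 =", work_ratio(128, 80))
    print("days for 2^80 at an assumed 9e18 H/s:", days_to_do_work(80, 9e18))
    print("32-bit toy collision after", birthday_collision_trials(32), "hashes")
```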
I am now convinced that Anti-Cen is trolling.
This is a note for people who are not forum regulars, and newbies trying to learn. Just ignore Anti-Cen. Apologies for the noise.
(Link upgraded to https in quote.) Thanks, pebwindkraft. Good link, though note that it pertains to old-style P2KH transactions. Segwit P2WPKH transactions involve a different serialization (not instead of, but in addition to the old serialization for non-witness data), among other differences. Of course, P2SH and P2WSH are much different.
Bitcoin’s Public-Key Security Level
:o :o :o :o :o :o :o :o :o :o :o :o :
If that’s intended to suggest that Bitcoin’s security-level is, wow, mind-bogglingly huge, then yes, I would agree with that.
...
Thus, Bitcoin’s public-key security is humanly impossible to break ...
wtf are you talking about. all that power(2,256) turns to just one if you can catch the random generator pattern
hatshepsut93 is right. As I recently expressed elsewhere:
If you do not have a working Cryptographically Secure PRNG, then you have nothing else, either. Your concern is almost tantamount to saying, well, what if you give the attacker your secret key? Then, of course all the crypto is “broken”! Of course! The security of random number generation is important, because using a bad random generator to make your secret key is nearly like giving your secret key to the attacker. That says absolutely nothing about the security of Bitcoin’s public-key crypto, which has a 128-bit security level—which is extremely secure.