Board: Development & Technical Discussion
Re: The case for moving from a 160 bit to a 256 bit Bitcoin address
by dinofelis on 03/05/2017, 08:25:44 UTC
- snip -
Now, the nasty thing with a double signature, is that the guy providing HIS signature has a lever on the true document, and is hence able to find a collision with a document entirely of his making.  This is what reduces the 160 bit second-pre-image security to 80 bit collision security.

Am I right in assuming that this reduction in security is because the attacker can generate 2^79 reasonable looking 2-of-2 contracts (and their associated P2SH addresses), and then generate 2^79 single-signature P2SH addresses, and in doing so would have an extremely high probability of finding an address in the set of 2-of-2 contracts that collides with one of the single-signature P2SH addresses?

2^79 contracts + 2^79 single-signature P2SH addresses = 2^80 generations.

Or more specifically, that the attacker can:
  • 1. Generate one 2-of-2 contract and one single-signature P2SH address and see if they collide...
  • 2. Then generate an additional 2-of-2 contract and see if it collides with ANY of the single-signature P2SH addresses generated so far
  • 3. Then generate an additional single-signature P2SH address and see if it collides with ANY of the 2-of-2 contracts generated so far
  • 4. Repeat steps 2 and 3 until a collision is found

And that in doing so they will succeed, on average, after repeating steps two and three 2^80 times (although they could get lucky and collide sooner, or get unlucky and collide much later).

Is that the risk here?

Yes. Up to a few factors of 2, we're talking orders of magnitude here, not an exact amount of trials.
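The alternating search described in steps 1 to 4 can be checked empirically on a truncated hash, which is what the following added example does; it is not code from the thread or from any Bitcoin implementation. It stands in for HASH160 with the first `bits` bits of SHA-256, uses constructed random payloads in place of real 2-of-2 and single-signature scripts, and counts how many script hashes are generated before an element of one set matches an element of the other. With 16-bit hashes the average lands near sqrt(pi * 2^16), about 1.77 times 2^(bits/2), which is the "few factors of 2" away from the post's 2^(bits/2) estimate and 2^(bits/2) times cheaper than the 2^bits needed to match one fixed target (second pre-image).

```python
"""
Birthday-style collision search between two sets, on a truncated hash.
Added illustration of why a 160-bit hash gives roughly 80-bit collision
resistance when the attacker controls both documents; the payloads, the
toy hash width and the constants here are all constructed for the demo.
"""
import hashlib
import math
import random


def truncated_hash(data: bytes, bits: int) -> int:
    """Stand-in for HASH160: the first `bits` bits of SHA-256 as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def alternating_collision_search(bits: int, rng: random.Random) -> int:
    """
    Steps 1-4 from the post with a toy hash of `bits` bits.
    Set A stands for hypothetical 2-of-2 contracts, set B for single-signature
    scripts; both are random 16-byte payloads (constructed, not real scripts).
    Returns the total number of hashes generated until some element of A
    shares a hash with some element of B. Step 1 is simply the first pass
    through steps 2 and 3.
    """
    seen_a = {}  # hash -> payload for the "contract" set
    seen_b = {}  # hash -> payload for the "single-signature" set
    total = 0
    while True:
        # Step 2: one more contract, checked against every single-sig hash so far.
        payload = b"A" + rng.getrandbits(128).to_bytes(16, "big")
        h = truncated_hash(payload, bits)
        total += 1
        if h in seen_b:
            return total
        seen_a[h] = payload
        # Step 3: one more single-sig script, checked against every contract so far.
        payload = b"B" + rng.getrandbits(128).to_bytes(16, "big")
        h = truncated_hash(payload, bits)
        total += 1
        if h in seen_a:
            return total
        seen_b[h] = payload


def mean_generations(bits: int, trials: int, seed: int = 1) -> float:
    """Average number of hashes generated per successful search over `trials` runs."""
    rng = random.Random(seed)
    return sum(alternating_collision_search(bits, rng) for _ in range(trials)) / trials


def theoretical_generations(bits: int) -> dict:
    """
    Hash evaluations per attacker model for a `bits`-bit hash:
      second_preimage: hit one fixed target hash, about 2^bits
      collision_post:  the post's estimate, 2^(bits/2 - 1) per set = 2^(bits/2) total
      collision_mean:  expected total for the alternating search.  With m items
                       per set the chance of no cross-collision is about
                       exp(-m^2 / 2^bits); integrating gives E[m] = sqrt(pi*2^bits)/2,
                       so the expected total 2m is sqrt(pi * 2^bits).
    """
    n = 2 ** bits
    return {
        "second_preimage": n,
        "collision_post": 2 ** (bits // 2),
        "collision_mean": math.sqrt(math.pi * n),
    }


if __name__ == "__main__":
    for width in (16, 20):
        observed = mean_generations(width, 200)
        expected = theoretical_generations(width)["collision_mean"]
        print(f"{width}-bit hash: observed mean {observed:.0f}, "
              f"predicted {expected:.0f}, 2^(bits/2) = {2 ** (width // 2)}")
    print("160-bit hash:", theoretical_generations(160))
```

The dictionaries make each "compare against everything generated so far" step a constant-time lookup, which is why the cost of the search is dominated by the number of hashes rather than by the comparisons; a real attacker would do the same, so the hash count is the right measure of the work.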