bitcoin-dev

ColliderScript: Covenants in Bitcoin via 160-bit hash collisions

Original Post by Ethan Heilman

Posted on: November 13, 2024 22:06 UTC

This post, part of a Bitcoin development discussion about transaction grinding, gives a detailed explanation of how a transaction can be made to carry specific data through a process called grinding.

The process involves finding a value y that ensures the values s1 and s2 within a transaction are equal. This equality is crucial for an honest party spending a covenant, as it guarantees that y1 (derived from s1 using a larger scripting mechanism) and y2 (derived from s2 with a smaller script) will be identical despite their different encodings. They are identical because both y1 and y2 are generated by hashing the same source value.

The post then goes into the mechanics of generating these values, highlighting the deterministic nature of the generation process. Both the dGen_big_script and dGen_small_script functions use 32-bit elements and are deterministic, meaning they produce the same outputs given the same inputs (w, t). This deterministic property is pivotal for achieving the desired transaction modification through grinding.

Additionally, the post addresses concerns about the advantage an attacker might gain through staticness in the grinding process. It clarifies that staticness does not offer any leverage to attackers. On the contrary, an attacker who fails to adequately randomize the sighash across queries would face increased difficulty in finding collisions. This point underscores the importance of randomness in the security of transactions against such attacks. The request for a concrete example of an attack highlights the ongoing dialogue and efforts among developers to understand and mitigate potential vulnerabilities within the system.
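The randomization argument above can be checked on a toy model. This is an added illustration, not code from the post or from ColliderScript: it assumes SHA-256 truncated to 28 bits in place of the 160-bit hash, and `d_gen`, `sighash_digest` and `queries_until_collision` are hypothetical names for a deterministic (w, t) generator, a sighash that changes with a ground nonce, and the collision search.

```python
import hashlib
import struct
from typing import Optional

BITS = 28  # toy digest width (assumption); the post's setting uses 160-bit hashes

def h(data: bytes) -> int:
    """SHA-256 truncated to BITS bits, a stand-in for the real hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - BITS)

def d_gen(w: int, t: int) -> bytes:
    """Hypothetical deterministic generator: (w, t) -> two 32-bit elements."""
    return struct.pack(">II", w & 0xFFFFFFFF, t & 0xFFFFFFFF)

def sighash_digest(nonce: int) -> int:
    """Digest of a constructed sighash that changes with the ground nonce."""
    return h(b"sighash|" + struct.pack(">Q", nonce))

def queries_until_collision(randomize: bool, limit: int = 1 << 17) -> Optional[int]:
    """Hash evaluations until a sighash-side digest equals a d_gen-side digest.

    randomize=False models a sighash that never changes between queries,
    so only the d_gen side contributes new values. Returns None if no
    collision is found within `limit` rounds.
    """
    tx_seen, gen_seen = set(), set()
    for i in range(limit):
        a = sighash_digest(i if randomize else 0)
        b = h(b"gen|" + d_gen(i, 7))
        tx_seen.add(a)
        gen_seen.add(b)
        if a in gen_seen or b in tx_seen:
            return 2 * (i + 1)
    return None

if __name__ == "__main__":
    print("randomized sighash:", queries_until_collision(True))
    print("static sighash:    ", queries_until_collision(False))
```

With a fresh sighash per query the search is a birthday search costing on the order of 2^(BITS/2) evaluations; with a static sighash it degrades to hitting one fixed digest, on the order of 2^BITS.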