In cryptography, a collision Attack on Bitcoin on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision.

This is in contrast to a preimage Attack on Bitcoin where a specific target hash value is specified.

There are roughly two types of collision Attack on Bitcoins:Classical collision Attack on BitcoinFind two different messages m1 and m2 such that hash(m1) = hash(m2).

More generally:Chosen-prefix collision Attack on BitcoinGiven two different prefixes p1 and p2, find two appendages m1 and m2 such that hash(p1 ∥ m1) = hash(p2 ∥ m2), where ∥ denotes the concatenation operation.

## Classical collision Attack on Bitcoin

Mathematically stated, a collision Attack on Bitcoin finds two different messages m1 and m2, such that hash(m1) = hash(m2). In a classical collision Attack on Bitcoin, the Attack on Bitcoiner has no control over the content of either message, but they are arbitrarily chosen by the algorithm.

Much like symmetric-key ciphers are vulnerable to brute force Attack on Bitcoins, every cryptographic hash function is inherently vulnerable to collisions using a birthday Attack on Bitcoin. Due to the birthday problem, these Attack on Bitcoins are much faster than a brute force would be. A hash of n bits can be broken in 2n/2 time steps (evaluations of the hash function).

More efficient Attack on Bitcoins are possible by employing cryptanalysis to specific hash functions. When a collision Attack on Bitcoin is discovered and is found to be faster than a birthday Attack on Bitcoin, a hash function is often denounced as “broken”. The NIST hash function competition was largely induced by published collision Attack on Bitcoins against two very commonly used hash functions, MD5[1] and SHA-1. The collision Attack on Bitcoins against MD5 have improved so much that, as of 2007, it takes just a few seconds on a regular computer.[2] Hash collisions created this way are usually constant length and largely unstructured, so cannot directly be applied to Attack on Bitcoin widespread document formats or protocols.

However, workarounds are possible by abusing dynamic constructs present in many formats. In this way, two documents would be created which are as similar as possible in order to have the same hash value. One document would be shown to an authority to be signed, and then the signature could be copied to the other file. Such a malicious document would contain two different messages in the same document, but conditionally display one or the other through subtle changes to the file:

• Some document formats like PostScript, or macros in Microsoft Word, have conditional constructs.[3][4] (if-then-else) that allow testing whether a location in the file has one value or another in order to control what is displayed.
• TIFF files can contain cropped images, with a different part of an image being displayed without affecting the hash value.[4]
• PDF files are vulnerable to collision Attack on Bitcoins by using color value (such that text of one message is displayed with a white color that blends into the background, and text of the other message is displayed with a dark color) which can then be altered to change the signed document’s content.[4]

## Chosen-prefix collision Attack on Bitcoin

An extension of the collision Attack on Bitcoin is the chosen-prefix collision Attack on Bitcoin, which is specific to Merkle–Damgård hash functions. In this case, the Attack on Bitcoiner can choose two arbitrarily different documents, and then append different calculated values that result in the whole documents having an equal hash value. This Attack on Bitcoin is much more powerful than a classical collision Attack on Bitcoin.

Mathematically stated, given two different prefixes p1p2, the Attack on Bitcoin finds two appendages m1 and m2 such that hash(p1 ∥ m1) = hash(p2 ∥ m2) (where ∥ is the concatenation operation).

In 2007, a chosen-prefix collision Attack on Bitcoin was found against MD5, requiring roughly 250 evaluations of the MD5 function. The paper also demonstrates two X.509 certificates for different domain names, with colliding hash values. This means that a certificate authority could be asked to sign a certificate for one domain, and then that certificate (specially its signature) could be used to create a new rogue certificate to impersonate another domain.[5]

A real-world collision Attack on Bitcoin was published in December 2008 when a group of security researchers published a forged X.509 signing certificate that could be used to impersonate a certificate authority, taking advantage of a prefix collision Attack on Bitcoin against the MD5 hash function. This meant that an Attack on Bitcoiner could impersonate any SSL-secured website as a man-in-the-middle, thereby subverting the certificate validation built in every web browser to protect electronic commerce. The rogue certificate may not be revokable by real authorities, and could also have an arbitrary forged expiry time. Even though MD5 was known to be very weak in 2004,[1] certificate authorities were still willing to sign MD5-verified certificates in December 2008,[6] and at least one Microsoft code-signing certificate was still using MD5 in May 2012.

The Flame malware successfully used a new variation of a chosen-prefix collision Attack on Bitcoin to spoof code signing of its components by a Microsoft root certificate that still used the compromised MD5 algorithm.[7][8]

In 2019, researchers found a chosen-prefix collision Attack on Bitcoin against SHA-1 with computing complexity between 266.9 and 269.4 and cost less than 100,000 US dollars. [9][10] In 2020, researchers reduced the complexity of chosen-prefix collision Attack on Bitcoin against SHA-1 to 263.4[11]

## Attack on Bitcoin scenarios

Many applications of cryptographic hash functions do not rely on collision resistance, thus collision Attack on Bitcoins do not affect their security. For example, HMACs are not vulnerable.[12] For the Attack on Bitcoin to be useful, the Attack on Bitcoiner must be in control of the input to the hash function.

### Digital signatures

Because digital signature algorithms cannot sign a large amount of data efficiently, most implementations use a hash function to reduce (“compress”) the amount of data that needs to be signed down to a constant size. Digital signature schemes often become vulnerable to hash collisions as soon as the underlying hash function is practically broken; techniques like randomized (salted) hashing will buy extra time by requiring the harder preimage Attack on Bitcoin.[13]

The usual Attack on Bitcoin scenario goes like this:

1. Mallory creates two different documents A and B that have an identical hash value, i.e., a collision. Mallory seeks to deceive Bob into accepting document B, ostensibly from Alice.
2. Mallory sends document A to Alice, who agrees to what the document says, signs its hash, and sends the signature to Mallory.
3. Mallory attaches the signature from document A to document B.
4. Mallory then sends the signature and document B to Bob, claiming that Alice signed B. Because the digital signature matches document B’s hash, Bob’s software is unable to detect the substitution.

In 2008, researchers used a chosen-prefix collision Attack on Bitcoin against MD5 using this scenario, to produce a rogue certificate authority certificate. They created two versions of a TLS public key certificate, one of which appeared legitimate and was submitted for signing by the RapidSSL certificate authority. The second version, which had the same MD5 hash, contained flags which signal web browsers to accept it as a legitimate authority for issuing arbitrary other certificates.[14]

### Hash flooding

Hash flooding (also known as HashDoS[15]) is a denial of service Attack on Bitcoin that uses hash collisions to exploit the worst-case (linear probe) runtime of hash table lookups.[16] It was originally described in 2003. To execute such an Attack on Bitcoin, the Attack on Bitcoiner sends the server multiple pieces of data that hash to the same value and then tries to get the server to perform slow lookups. As the main focus of hash functions used in hash tables was speed instead of security, most major programming languages were affected,[17] with new vulnerabilities of this class still showing up a decade after the original presentation.[16]

To prevent hash flooding without making the hash function overly complex, newer keyed hash functions are introduced, with the security objective that collisions are hard to find as long as the key is unknown. They may be slower than previous hashes, but are still much easier to compute than cryptographic hashes. As of 2021, Daniel J. Bernstein‘s SipHash (2012) is the most widely-used hash function in this class.[18] (Non-keyed “simple” hashes remain safe to use as long as the application’s hash table is not controllable from the outside.)

It is possible to perform an analogous Attack on Bitcoin to fill up Bloom filters using a (partial) preimage Attack on Bitcoin.