That particular approach is vulnerable to precomputation and amortization fo computation against different target strings. ie Attacker can pre compute and store 2**N inputs and have fair chance of being able to solve by lookup. Similarly he can for the same cost find collisions on SHA1(T) and SHA1(T') simultaneously. What the original hashcash function did was look for Bit(i,SHA1(T||X)) == B(i,SHA1(T)) for i = 1..n that way the candidate solutions are useless against other targets. A more recent simplifcation is to just use the all 0 bit string as the target. So you're looking for Bit(i,SHA1(T||X)) = 0 for i = 1..n. Adam On Fri, May 16, 2003 at 05:20:44PM -0700, Bill Stewart wrote:
The hash is easy to do - Given a target "T", provide a string "X" for Bit(i,SHA1(X)) == Bit(i,SHA1(T)) for i=1...n, and Substring(SHA1(X),N+1,160) != Substring(SHA1(T),N+1,160).
You'll need to try roughly 2**N inputs to find one.