what fields to hash with hashcash (Re: A Trial Balloon to Ban Email?)

Adam Back adam at cypherspace.org
Sun May 18 09:59:48 PDT 2003


That particular approach is vulnerable to precomputation and
amortization fo computation against different target strings.

ie Attacker can pre compute and store 2**N inputs and have fair chance
of being able to solve by lookup.  Similarly he can for the same cost
find collisions on SHA1(T) and SHA1(T') simultaneously.

What the original hashcash function did was look for Bit(i,SHA1(T||X))
== B(i,SHA1(T)) for i = 1..n that way the candidate solutions are
useless against other targets.

A more recent simplifcation is to just use the all 0 bit string as the
target.  So you're looking for Bit(i,SHA1(T||X)) = 0 for i = 1..n.

Adam

On Fri, May 16, 2003 at 05:20:44PM -0700, Bill Stewart wrote:
> The hash is easy to do - Given a target "T",
> provide a string "X" for Bit(i,SHA1(X)) == Bit(i,SHA1(T)) for i=1...n,
> and Substring(SHA1(X),N+1,160) != Substring(SHA1(T),N+1,160).
> 
> You'll need to try roughly 2**N inputs to find one.





More information about the cypherpunks-legacy mailing list