by jerguismi 3701 days ago
The most impactful: "Taylor Hornby found the InternalH Collision vulnerability, which would let someone double-spend a specially-crafted note, if they have a computer powerful enough to find 128-bit hash collisions."

How difficult is it to find a 128-bit hash collision, assuming a sane hash function? For example, SHA-256 truncated to 128 bits. On first thought it feels pretty much impossible.

2 comments

It takes approximately 2^64 attempts to find a 128-bit collision. The Bitcoin network as a whole, with custom ASICs, computes 2^61 SHA-256 compression function calls per second and consumes 150 MW, so it would take it 8 seconds. Or it would take 160,000 seconds (44 hours) with a single dense rack (7.5 kW) of custom ASICs.

So yeah, if you care about the security of a cryptocurrency, this 2^64 collision attack is very doable and unacceptable. The rule of thumb in crypto is to aim at making attacks cost at least 2^128.

I didn't actually read the analysis, but finding two arbitrary inputs that hash to the same value for a 128-bit hash follows the birthday bound, so it would take 2^(128/2) = 2^64 effort. Definitely not out of the realm of possibility for a modestly-funded effort, and certainly less security than I would expect for a cryptocurrency.
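The birthday-bound reasoning in the two comments above, worked through as an added example (not code from the thread, from Zcash, or from the linked analysis). It finds real collisions on SHA-256 truncated to 32 bits two ways, a naive table attack and a memoryless rho attack, to show that the work is about 2^(n/2) evaluations, and then redoes the thread's cost arithmetic for n = 128. The hash rate and power figures (2^61 compressions per second, 150 MW, a 7.5 kW rack) are the thread's numbers reused as assumptions, not measured here; the `note-%d` inputs are constructed.

```python
"""Added example: birthday-bound collision search on a truncated SHA-256.

Not code from the thread or from Zcash. Shows (1) that a collision on an
n-bit hash costs ~2^(n/2) evaluations, by actually finding 32-bit collisions,
and (2) the cost arithmetic from the thread (2^64 work vs. a hash rate).
"""
import hashlib
import itertools
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a 'sane' but short hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_bound(bits: int) -> float:
    """Expected evaluations before the first collision among uniform
    `bits`-bit outputs: sqrt(pi/2 * 2^bits), about 1.25 * 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def table_collision(bits: int):
    """Naive birthday attack: remember every output until one repeats.
    Memory grows like 2^(bits/2), so this only scales to small `bits`.
    Returns (msg_a, msg_b, evaluations) with msg_a != msg_b, equal hashes."""
    seen = {}
    for n in itertools.count():
        msg = b"note-%d" % n  # constructed, pairwise distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg


def rho_collision(bits: int):
    """Memoryless birthday attack: Floyd cycle finding on x -> H(x).
    This is the shape a real 2^64 attack takes (constant memory; the
    parallel van Oorschot-Wiener variant maps onto hardware farms).
    Returns (x_a, x_b, evaluations): 16-byte inputs, x_a != x_b, H(x_a) == H(x_b)."""
    evals = [0]

    def f(x: int) -> int:
        evals[0] += 1
        return truncated_hash(x.to_bytes(16, "big"), bits)

    for start in itertools.count(1):
        tortoise, hare = f(start), f(f(start))
        while tortoise != hare:  # tortoise = x_i, hare = x_{2i}; meet on the cycle
            tortoise, hare = f(tortoise), f(f(hare))
        # Walk from the start and from the meeting point in lockstep. They first
        # coincide at the cycle entry; its two distinct predecessors collide.
        t, h = start, hare
        if t == h:
            continue  # start already lies on the cycle: no tail, retry
        while True:
            ft, fh = f(t), f(h)
            if ft == fh:
                return t.to_bytes(16, "big"), h.to_bytes(16, "big"), evals[0]
            t, h = ft, fh


def seconds_to_collide(bits: int, hashes_per_second: float) -> float:
    """Wall-clock time for the 2^(bits/2) birthday work at a given hash rate
    (the thread's rule of thumb, constant factor dropped)."""
    return 2.0 ** (bits / 2) / hashes_per_second


# Figures from the thread, reused as assumptions, not measured here.
NETWORK_RATE = 2.0 ** 61      # SHA-256 compressions per second, whole network
NETWORK_POWER_W = 150e6       # 150 MW
RACK_POWER_W = 7.5e3          # one dense ASIC rack
RACK_RATE = NETWORK_RATE * RACK_POWER_W / NETWORK_POWER_W


if __name__ == "__main__":
    a, b, n = table_collision(32)
    print(f"table: {a!r} and {b!r} collide after {n} hashes "
          f"(birthday bound ~{birthday_bound(32):.0f})")
    xa, xb, m = rho_collision(32)
    print(f"rho:   {xa.hex()} and {xb.hex()} collide after {m} evaluations, O(1) memory")
    print(f"128-bit hash: {seconds_to_collide(128, NETWORK_RATE):.0f} s for the network, "
          f"{seconds_to_collide(128, RACK_RATE) / 3600:.1f} h for one rack")
```

Running it with `bits=32` finishes in about a second and typically lands within a small factor of the ~82,000-evaluation bound; the same curve at 128 bits is the 2^64 figure in the thread, which is why the rho variant matters: the table attack is memory-bound long before 2^64, the rho attack is not.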
> certainly less security than I would expect for a cryptocurrency

The good news here is that a Zcash team member found this weakness in the Zcash protocol and it's being fixed before it ships.

Kudos to the Zcash team for employing aggressive internal security auditing.