
P2SH addresses can be brute forced several orders of magnitude faster than P2PKH. The attacker needs to generate 1-of-2 multisig scripts in the following form:

OP_1 [compressed pubkey] [0x02, 29 random bytes, 3 byte counter] OP_2 OP_CHECKMULTISIG

A new compressed pubkey must be generated every 2^24 iterations.

You compute a sha256 midstate from the first 64 bytes, then restore and compute over the rest of the script for each subsequent iteration, then ripemd160 the output. Very easy to GPU accelerate.

The slowest part of address generation is the elliptic curve math, and this avoids it entirely for most iterations, only needing to refresh the public key when the counter rolls over.
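The byte layout described in the comment above, as an added example that is not part of the original post: it checks that the 3-byte counter sits in the second 64-byte SHA-256 block, so the state after the first block can be saved and reused. The key and filler are constructed placeholders, and the big-endian counter order is an assumption.

```python
import hashlib

OP_1, OP_2, OP_CHECKMULTISIG = 0x51, 0x52, 0xAE  # Bitcoin script opcodes
PUSH_33 = 0x21                                    # direct push of 33 bytes
SHA256_BLOCK = 64

# Constructed placeholders: not a real key, and the filler is fixed here
# instead of random so the output is reproducible.
SAMPLE_PUBKEY = b"\x02" + bytes(range(32))
SAMPLE_FILLER = bytes(range(100, 129))

def build_script(pubkey, filler, counter):
    """OP_1 <pubkey> <0x02 | 29 bytes | 3-byte counter> OP_2 OP_CHECKMULTISIG."""
    if len(pubkey) != 33 or pubkey[0] not in (0x02, 0x03):
        raise ValueError("expected a 33-byte compressed pubkey")
    if len(filler) != 29:
        raise ValueError("filler must be 29 bytes")
    if not 0 <= counter < 1 << 24:
        raise ValueError("counter must fit in 3 bytes")
    # Assumption: big-endian counter; the comment does not give a byte order.
    second = b"\x02" + filler + counter.to_bytes(3, "big")
    return (bytes([OP_1, PUSH_33]) + pubkey + bytes([PUSH_33]) + second
            + bytes([OP_2, OP_CHECKMULTISIG]))

def counter_offset():
    """Index of the first counter byte in the serialized script."""
    return 1 + 1 + 33 + 1 + 1 + 29  # OP_1, push, key, push, 0x02, filler

def sha256_from_midstate(midstate, tail):
    """Finish a SHA-256 from a saved state without rehashing the prefix."""
    h = midstate.copy()
    h.update(tail)
    return h.digest()

def midstate_matches_full(pubkey, filler, counters):
    """True if reusing the first-block state equals hashing each script whole."""
    prefix = build_script(pubkey, filler, 0)[:SHA256_BLOCK]
    midstate = hashlib.sha256(prefix)
    for c in counters:
        script = build_script(pubkey, filler, c)
        if script[:SHA256_BLOCK] != prefix:
            return False  # counter leaked into the first block
        tail = script[SHA256_BLOCK:]
        if sha256_from_midstate(midstate, tail) != hashlib.sha256(script).digest():
            return False
    return True
```

The script is 71 bytes and the counter starts at offset 66, so only the last 7 bytes change per iteration. The RIPEMD-160 step over the SHA-256 output is left out because the midstate does not affect it.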
