Should we replace the Double SHA256 with a Single SHA256?  There is no possible length extension attack here.  Or are we speculating that there is a robustness of Double SHA256 in the presence of SHA256 breaking?

I suggest putting `sigversion` at the beginning instead of the end of the format.  Because its value is constant, the beginning of the SHA-256 computation could be pre-computed in advance.  Furthermore, if we make the `sigversion` exactly 64-bytes long then the entire first block of the SHA-256 compression function could be pre-computed.

Can we add CHECKSIGFROMSTACK or do you think that would go into a separate BIP?