From: "Russell O'Connor"
Date: Fri, 1 Jun 2018 11:03:46 -0400
To: Johnson Lau, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] SIGHASH2 for version 1 witness programme
In-Reply-To: <9CCCE945-9432-41B9-8559-AFE7CF233603@xbt.hk>
List-Id: Bitcoin Protocol Discussion

On Thu, May 31, 2018 at 2:35 PM, Johnson Lau via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> Double SHA256 of the serialization of:

Should we replace the Double SHA256 with a Single SHA256? There is no possible length extension attack here. Or are we speculating that there is a robustness of Double SHA256 in the presence of SHA256 breaking?

I suggest putting `sigversion` at the beginning instead of the end of the format. Because its value is constant, the beginning of the SHA-256 computation could be pre-computed in advance. Furthermore, if we make the `sigversion` exactly 64 bytes long then the entire first block of the SHA-256 compression function could be pre-computed.

Can we add CHECKSIGFROMSTACK or do you think that would go into a separate BIP?
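The midstate precomputation suggested in the message above, as an added Python example that is not code from the original post or from any Bitcoin implementation: the 64-byte `sigversion` tag and the serialized fields are constructed placeholders, and `hashlib`'s `copy()` stands in for caching the compression state after the first block.

```python
import hashlib
import struct

# Constructed, hypothetical sigversion tag padded to exactly one SHA-256
# block (64 bytes), so the whole first compression call can be cached.
SIGVERSION_TAG = b"sighash2-example-tag".ljust(64, b"\x00")
assert len(SIGVERSION_TAG) == 64

# Absorb the constant prefix once; every later sighash starts from a copy
# of this state instead of re-hashing the 64-byte block.
_PREFIX_STATE = hashlib.sha256(SIGVERSION_TAG)


def cached_full_blocks(prefix_len: int) -> int:
    """Number of complete 64-byte SHA-256 blocks a constant prefix of
    prefix_len bytes covers; only whole blocks yield a reusable midstate."""
    return prefix_len // 64


def serialize_rest(version: int, amount: int, locktime: int) -> bytes:
    """Constructed stand-in for the fields that follow sigversion."""
    return struct.pack("<IqI", version, amount, locktime)


def sighash_single(rest: bytes) -> bytes:
    """Single SHA-256 over sigversion || rest, resuming from the cached state."""
    h = _PREFIX_STATE.copy()
    h.update(rest)
    return h.digest()


def sighash_naive(rest: bytes) -> bytes:
    """Reference: hash the full serialization from scratch (no caching)."""
    return hashlib.sha256(SIGVERSION_TAG + rest).digest()


def sighash_double(rest: bytes) -> bytes:
    """Double SHA-256 as in the original proposal, for comparison; the
    second pass still runs on the 32-byte digest, so it is not cacheable."""
    return hashlib.sha256(sighash_naive(rest)).digest()


# Constructed sample input.
SAMPLE_REST = serialize_rest(version=1, amount=50_000, locktime=0)
```

If `sigversion` were placed at the end instead, the constant bytes would be the last input to the hash and no state could be shared between transactions.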