Return-Path: <roconnor@blockstream.io>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 91325CCA
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  1 Jun 2018 15:04:08 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-io0-f170.google.com (mail-io0-f170.google.com
	[209.85.223.170])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 8B30FA3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  1 Jun 2018 15:04:07 +0000 (UTC)
Received: by mail-io0-f170.google.com with SMTP id d22-v6so15455217iof.13
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri, 01 Jun 2018 08:04:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=blockstream.io; s=google;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to; 
	bh=JM6uHvo1mjmN5Ij6ht7RTxP8WIcwW0iwUycLWLdW79I=;
	b=aYG9ESL21x8lbn79RivcAC0GuoaJ4PHn08tckvt/esdetGgWSB4BR1/2TUJ0++hjUl
	RoPVFAgZ6afMlGw4QnPz5+vsi1DhRxje+6iBT79WOa6OWL/ubYJjJyprrEgO+2FigYZK
	QBsKCH4R45cjJflPmHcc69yfd5s4GaVrhYNWI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to;
	bh=JM6uHvo1mjmN5Ij6ht7RTxP8WIcwW0iwUycLWLdW79I=;
	b=IpC1ow6xYBL41koQPOknLkpj+X9CMFklhVHaeYC0NJf381LhM2kQEGqPwyA+UnCg0r
	Bk2V4XOKnG5r9N0B4K78is8rY1X9FUyQhOuVYI4Qp01W7EsWT2bsEYb97OJrIT94nPPj
	pvUHiWvTHYtsE5oA/00RSLxbGaIf31MVAvkqEgMi1Vy/+PzeyUS88YIAwUMi6oPzhZqk
	KO6gb538PsoKPjFB401urAeSxVwcuidfYhuXqj3eJl+nAze7rupMASozkm51aKPKSHEn
	gt+wIZVgwl+bahXgY8PlZznjwM2emE09dm3yJKILrvy3oIqzcPC5x7sle36xkEywXI4d
	81nA==
X-Gm-Message-State: ALKqPweHNNfQihmCrc8QwwRMXIXH2u2R/JNFmq1d9arsWycJTP7Qmp+y
	XhU0zRgg13JxMc87WYHSkjay7+GnyO63AN+LUp80mb8K
X-Google-Smtp-Source: ADUXVKKA8e3qjjy5qQnoqMR1iBu/CnOZvrEp+xrrluf629DeeVSFSmNZ4Gf9rJGlGUlZg28elVBItRZPXMqFlyLEtYE=
X-Received: by 2002:a6b:33d1:: with SMTP id
	z200-v6mr11864553ioz.112.1527865446800; 
	Fri, 01 Jun 2018 08:04:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:1253:0:0:0:0:0 with HTTP;
	Fri, 1 Jun 2018 08:03:46 -0700 (PDT)
In-Reply-To: <9CCCE945-9432-41B9-8559-AFE7CF233603@xbt.hk>
References: <9CCCE945-9432-41B9-8559-AFE7CF233603@xbt.hk>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Fri, 1 Jun 2018 11:03:46 -0400
Message-ID: <CAMZUoKms85DhtS1mN70nq4LSY7QtXym6E4_yvQk5Q0tizkVwEQ@mail.gmail.com>
To: Johnson Lau <jl2012@xbt.hk>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000038c900056d95e58e"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] SIGHASH2 for version 1 witness programme
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2018 15:04:08 -0000

--00000000000038c900056d95e58e
Content-Type: text/plain; charset="UTF-8"

On Thu, May 31, 2018 at 2:35 PM, Johnson Lau via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

>
>   Double SHA256 of the serialization of:
>

Should we replace the Double SHA256 with a Single SHA256?  There is no
possible length extension attack here.  Or are we speculating that there is
a robustness of Double SHA256 in the presence of SHA256 breaking?

I suggest putting `sigversion` at the beginning instead of the end of the
format.  Because its value is constant, the beginning of the SHA-256
computation could be pre-computed in advance.  Furthermore, if we make the
`sigversion` exactly 64-bytes long then the entire first block of the
SHA-256 compression function could be pre-computed.

Can we add CHECKSIGFROMSTACK or do you think that would go into a separate
BIP?

--00000000000038c900056d95e58e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Thu, May 31, 2018 at 2:35 PM, Johnson Lau via bitcoin-dev <span dir=
=3D"ltr">&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" targe=
t=3D"_blank">bitcoin-dev@lists.<wbr>linuxfoundation.org</a>&gt;</span> wrot=
e:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-l=
eft:1px #ccc solid;padding-left:1ex"><br>
=C2=A0 Double SHA256 of the serialization of:<br></blockquote><div><br></di=
v><div>Should we replace the Double SHA256 with a Single SHA256?=C2=A0 Ther=
e is no possible length extension attack here.=C2=A0 Or are we speculating =
that there is a robustness of Double SHA256 in the presence of SHA256 break=
ing?<br><br></div><div>I suggest putting `sigversion` at the beginning inst=
ead of the end of the format.=C2=A0 Because its value is constant, the begi=
nning of the SHA-256 computation could be pre-computed in advance.=C2=A0 Fu=
rthermore, if we make the `sigversion` exactly 64-bytes long then the entir=
e first block of the SHA-256 compression function could be pre-computed.<br=
></div><div><br></div><div>Can we add CHECKSIGFROMSTACK or do you think tha=
t would go into a separate BIP?<br></div></div></div></div>

--00000000000038c900056d95e58e--