In-Reply-To: <9CCCE945-9432-41B9-8559-AFE7CF233603@xbt.hk>
References: <9CCCE945-9432-41B9-8559-AFE7CF233603@xbt.hk>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Fri, 1 Jun 2018 11:03:46 -0400
Message-ID: <CAMZUoKms85DhtS1mN70nq4LSY7QtXym6E4_yvQk5Q0tizkVwEQ@mail.gmail.com>
To: Johnson Lau <jl2012@xbt.hk>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] SIGHASH2 for version 1 witness programme
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
On Thu, May 31, 2018 at 2:35 PM, Johnson Lau via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Double SHA256 of the serialization of:
>

Should we replace the Double SHA256 with a Single SHA256? There is no
possible length extension attack here. Or are we speculating that there is
a robustness of Double SHA256 in the presence of SHA256 breaking?

I suggest putting `sigversion` at the beginning instead of the end of the
format. Because its value is constant, the beginning of the SHA-256
computation could be pre-computed in advance. Furthermore, if we make the
`sigversion` exactly 64 bytes long then the entire first block of the
SHA-256 compression function could be pre-computed.

Can we add CHECKSIGFROMSTACK or do you think that would go into a separate
BIP?
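Added example, not part of this message and not code from Bitcoin Core or the SIGHASH2 proposal: a small Python model of the midstate argument made above. It uses a teaching SHA-256 that counts calls to the compression function (checked against `hashlib`) and can snapshot its internal state, so the cost of each layout can be measured rather than argued. `SIGVERSION_64`, `SIGVERSION_4` and `BODY` are constructed stand-ins for `sigversion` and the rest of the serialization, not the proposal's actual encoding. It goes one step beyond the message by also counting the extra compression that the outer hash of a double SHA-256 costs.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# SHA-256 round constants and initial state (FIPS 180-4).
_K = (
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
)
_H0 = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    """One SHA-256 compression: fold a 64-byte block into the eight-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


class CountingSha256:
    """Teaching SHA-256 that counts compression calls and can snapshot its midstate."""

    def __init__(self, state=_H0, buf=b"", length=0, compressions=0):
        self.state, self.buf, self.length, self.compressions = list(state), buf, length, compressions

    def update(self, data):
        self.buf += data
        self.length += len(data)
        while len(self.buf) >= 64:  # only complete 64-byte blocks get compressed
            self.state = _compress(self.state, self.buf[:64])
            self.buf = self.buf[64:]
            self.compressions += 1
        return self

    def copy(self):  # the snapshot is the "pre-computed" midstate; cloning it is free
        return CountingSha256(self.state, self.buf, self.length, self.compressions)

    def digest(self):
        """Return (32-byte digest, total compressions including the padding block)."""
        h = self.copy()
        h.update(b"\x80" + b"\x00" * ((55 - self.length) % 64) + struct.pack(">Q", self.length * 8))
        return struct.pack(">8I", *h.state), h.compressions


def sha256_cost(data):
    """Hash from scratch: (digest, compressions)."""
    return CountingSha256().update(data).digest()


def cost_with_midstate(midstate, tail):
    """Finish from a pre-computed midstate: (digest, compressions paid for this message only)."""
    digest, total = midstate.copy().update(tail).digest()
    return digest, total - midstate.compressions


def matches_hashlib(data):
    return sha256_cost(data)[0] == hashlib.sha256(data).digest()


# Constructed stand-ins (assumptions, not the proposal's encoding): a 64-byte and a 4-byte
# constant tag playing the role of `sigversion`, and 200 bytes of "everything else".
SIGVERSION_64 = b"constructed-sigversion-tag".ljust(64, b"\x00")
SIGVERSION_4 = b"\x01\x00\x00\x00"
BODY = bytes(range(200))


def compare_layouts():
    """Compression-function calls per signature hash under each layout."""
    mid64 = CountingSha256().update(SIGVERSION_64)  # one full block: compressed once, buffer empty
    mid4 = CountingSha256().update(SIGVERSION_4)    # partial block: nothing compressed yet
    d_first, first_scratch = sha256_cost(SIGVERSION_64 + BODY)
    d_mid, first_mid = cost_with_midstate(mid64, BODY)
    assert d_first == d_mid  # same digest, one block of work saved per signature hash
    _, four_mid = cost_with_midstate(mid4, BODY)
    _, last_scratch = sha256_cost(BODY + SIGVERSION_64)  # constant at the end: nothing to snapshot
    _, outer = sha256_cost(d_first)  # double SHA-256: the outer hash of 32 bytes is one more block
    return {
        "midstate_precompute_compressions": mid64.compressions,
        "sigversion_first_64_from_scratch": first_scratch,
        "sigversion_first_64_with_midstate": first_mid,
        "sigversion_first_4_with_midstate": four_mid,
        "sigversion_last_64_from_scratch": last_scratch,
        "double_sha256_sigversion_first_64": first_scratch + outer,
    }


if __name__ == "__main__":
    for name, calls in compare_layouts().items():
        print(f"{name:36} {calls}")
```

With the constructed sizes, a 264-byte message costs 5 compressions from scratch; snapshotting after a 64-byte constant prefix pays that first compression once and every later signature hash costs 4. The 4-byte prefix saves nothing: when the snapshot is taken no complete block exists yet, so the first compression still runs per message. With the constant at the end there is no common prefix to snapshot at all. The outer hash of a double SHA-256 is always exactly one additional compression, since a 32-byte digest plus padding fits one block, which is the whole cost difference between the single and double variants discussed above.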