Author: Johnson Lau 2018-06-01 17:03:05
Published on: 2018-06-01T17:03:05+00:00
The email chain discusses the possibility of replacing double SHA256 with single SHA256 in Bitcoin's serialization process. It is mentioned that double SHA256 is a tradition and there is no possible length extension attack with single SHA256. However, it is suggested that double SHA256 may be necessary for blind signatures and non-Bitcoin signature schemes that use SHA512-SHA256. The email also proposes putting `sigversion` at the beginning instead of the end of the format to allow for pre-computation and optimization. The value of `sigversion` is suggested to be 64-bytes long to enable pre-computation of the entire first block of the SHA-256 compression function. Additionally, the email discusses the possibility of adding CHECKSIGFROMSTACK (CSFS) but it is unclear whether it should be a separate opcode or combined with CHECKSIG. If combined with CHECKSIG, if bit 10 of SIGHASH2 is set, CHECKSIG will pop one more item from stack and serialize its content with the transaction digest. The email also mentions that the placement of `sigversion` was in response to Peter Todd's comments on BIP143 and should be placed at the end of the message as 0x01000000 to avoid collisions. Finally, the email wonders about the effectiveness of putting a 64-byte constant at the beginning of SHA256 while making the message 64 bytes longer.
Updated on: 2023-05-20T16:42:37.314071+00:00