Author: Peter Todd 2019-10-04 11:15:36
Published on: 2019-10-04T11:15:36+00:00
A thread on the bitcoin-dev mailing list discussed using an OP_SHA256STREAM opcode instead of OP_CAT, which would allow an unlimited amount of data to be concatenated into a single hash. The proposed implementation uses three operations: start a new hash with an item, add an item to the hash in progress, and finalize it. The simplest implementation, however, would expose raw SHA256 midstates, letting adversaries use them directly. That is not secure: SHA256 is not designed for settings where an adversary controls the initialization vector. Even an experienced cryptographer on the bitcoin-dev list has proposed a design that falls victim to this attack. Therefore, it is important to avoid encouraging such attacks and to consider alternative implementations.
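To make the midstate hazard concrete, the following is an added example that is not part of the original post and not code from Bitcoin Core or any OP_SHA256STREAM proposal. It models the three-step start/add/finalize interface in pure Python so the internal SHA256 state is visible (hashlib is used only as the reference), with hypothetical names `stream_start`, `stream_add`, `stream_finalize`, `hash_items` and `continue_from_raw_midstate`. `hash_items` shows the safe shape, where the midstate never leaves the hashing code; `continue_from_raw_midstate` shows what goes wrong when the eight raw state words are handed out: whoever holds them can finish the hash of prefix || suffix without ever seeing the prefix, and the same entry point would accept any eight words as a fabricated "midstate", which is exactly the adversary-controlled IV the post warns about.

```python
"""Toy three-step SHA256 stream (start / add / finalize) and the midstate hazard.
Pure-Python SHA-256 so the state is visible; hashlib is the reference only.
Constructed example; names are hypothetical, not a real opcode's API."""
import hashlib
import struct

MASK = 0xFFFFFFFF
# FIPS 180-4 round constants and initial hash value (the standard IV).
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def compress(state, block):
    """One SHA-256 compression: fold a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        S1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + S1 + ch + K[i] + w[i]) & MASK
        S0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (S0 + maj) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def stream_start(item):
    """'Start a new hash with an item'. A midstate is (8 words, buffered tail, total length)."""
    return stream_add((IV, b"", 0), item)


def stream_add(midstate, item):
    """'Add an item to the hash in progress': compress full blocks, buffer the rest."""
    words, buf, total = midstate
    words, buf, total = list(words), buf + item, total + len(item)
    while len(buf) >= 64:
        words, buf = compress(words, buf[:64]), buf[64:]
    return (tuple(words), buf, total)


def sha256_padding(msg_len):
    """The 0x80, zero-fill and 64-bit length that SHA-256 appends to msg_len bytes."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def stream_finalize(midstate):
    """'Finalize': pad the buffered tail, compress it, return the 32-byte digest."""
    words, buf, total = midstate
    padded = buf + sha256_padding(total)
    words = list(words)
    for i in range(0, len(padded), 64):
        words = compress(words, padded[i:i + 64])
    return struct.pack(">8I", *words)


def hash_items(*items):
    """Safe shape: the midstate never leaves this function, only the digest does."""
    ms = stream_start(items[0])
    for item in items[1:]:
        ms = stream_add(ms, item)
    return stream_finalize(ms)


def continue_from_raw_midstate(words, absorbed_len, suffix):
    """The hazard: given only the 8 raw words after a block-aligned prefix and the
    byte count absorbed so far, anyone can finish SHA256(prefix || suffix) without
    knowing the prefix. Nothing here can tell a genuine midstate from 8 chosen words."""
    assert absorbed_len % 64 == 0, "raw words alone only describe a block boundary"
    return stream_finalize(stream_add((tuple(words), b"", absorbed_len), suffix))


def reference_digest(data):
    """hashlib reference for checking the toy implementation."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    prefix = bytes(range(64))                      # constructed block-aligned item
    suffix = b"appended without ever seeing the prefix"
    leaked_words = stream_start(prefix)[0]         # a raw midstate escaping to the caller
    forged = continue_from_raw_midstate(leaked_words, 64, suffix)
    print(forged == reference_digest(prefix + suffix))   # True: the prefix was not needed
```

The defensive reading is the contrast between the two entry points: an opcode whose stack items are the digest only (as `hash_items` produces) gives an adversary nothing to steer, whereas one whose stack items are the raw words (as `continue_from_raw_midstate` consumes) lets anyone both continue a hash they did not start and feed in an initialization vector of their choosing.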
Updated on: 2023-06-13T21:43:25.416543+00:00