Author: Jeremy 2019-10-04 18:40:53
Published on: 2019-10-04T18:40:53+00:00
In a recent discussion on Bitcoin-dev, Jeremy Rubin brought up the idea of using OP_SHA256STREAM instead of OP_CAT. The former would allow concatenation of an unlimited amount of data by relying on the streaming property of the SHA256 hash function. The proposal was met with concern from Peter Todd, who pointed out that this approach could expose raw SHA256 midstates to attackers, allowing them to resume hashing from a midstate directly and potentially compromising security. Todd stated that SHA256 is not designed for situations where adversaries control the initialization vector, and added that he had considered adding midstate support to OpenTimestamps but decided against it for the same reason. Todd also mentioned an example, on the Bitcoin-dev mailing list, of an experienced cryptographer proposing a design that falls victim to this attack.
Updated on: 2023-06-13T21:41:40.982226+00:00