Ahem . . . Zooko . . . again
rusty
kanzure: oops... yeah, two conversations at once, that got smerged. s/bitcoin/bitlength/.

I guess you can still extend if that's valid data, though.
9:23 pm bsm117532
kanzure I thought this was exactly why satoshi used *double* sha256?
9:34 pm zooko
rusty: that's "Merkle-Damgård strengthening" and it's not good enough to prevent length-extension attacks.
9:46 pm rusty
zooko: you mean you can extend after the bitlength, right? I guess you'd need to prepend the length to make this work, and that has other issues.
9:49 pm
bsm117532: I've heard that theory before, but don't understand it. Perhaps there was a concern that some future partial weakness in SHA could deconstruct the hash enough to weaken the PoW?
9:50 pm katu_
I can't readily imagine how. All you can do with LE is append, which helps you add data to a commitment (typically a secret, in an HMAC-like construct)
9:50 pm
There's nothing of the sort in bitcoin afaik
9:52 pm Taek
from what I've gathered, Satoshi was not an amazing cryptographer; he may have done that out of paranoia
9:55 pm katu_
well, his prudence did pay off, especially in relation to SAT mining
9:56 pm zooko
Satoshi probably got it from Ferguson and Schneier's book "Practical Cryptography" / "Cryptography Engineering".
9:56 pm katu_
(i.e. a simple means to double the number of rounds, without inventing a non-standard hash function)
9:56 pm zooko
We also used that construction, which F&S named "SHA256d", in Tahoe-LAFS.
Probably . . .