Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Over on the bitcoin forums I asked why the bitcoin client computes SHA-256(SHA-2

ID: 651485 • Letter: O

Question

Over on the bitcoin forums I asked why the bitcoin client computes SHA-256(SHA-256(x)) as its cryptographic hash for a variety of purposes. The leading theory--since the bitcoin author has disappeared--seems to be that from a security standpoint it could be sort-of analogous to upping the number of rounds in SHA-256 from 64 to 128, thereby providing a margin of safety as it is probable that the first preimage attack against SHA-256 (if such a thing exists) wouldn't work against SHA-256(SHA-256(x)), giving time to transition to a new hash function.

First of all, is that true? Would hashing twice make it any more difficult to mount a preimage attack, at least for certain types of attacks?

If the answer is yes, my related question is: is there a mode for encrypting twice to provide a similar increase in security? How would one feed the result of the 1st round of encryption into the setup of the 2nd (or 3rd)? Would you use the same key twice? Would you derive the 2nd key from (a hash of) the ciphertext of the first round (and the 3rd round from the 2nd, etc.)? Would you need an odd number of rounds and alternate Encrypt(Decrypt(Encrypt())) like Triple-DES does to prevent a meet-in-the-middle attack? How would this interact with the various modes of symmetric key encryption? Anything else I'm not thinking of that I would have to know about this if I were to implement it in a real product?

Explanation / Answer

SHA-256(SHA-256(x)) was proposed by Ferguson and Schneier in their excellent book "Practical Cryptography" (later updated by Ferguson, Schneier, and Kohno and renamed "Cryptography Engineering") as a way to make SHA-256 invulnerable to "length-extension" attack. They called it "SHA-256d". We started using SHA-256d for everything when we launched the Tahoe-LAFS project in 2006, on the principle that it is hardly less efficient than SHA-256, and that it frees us from having to reason about whether length-extension attacks are dangerous every place that we use a hash function. I wouldn't be surprised if the inventors of Bitcoin used it for similar reasons. Why not use SHA-256d instead of SHA-256?

Note that the SHA-3 project required all candidates to have some method of preventing length-extension attacks. Some of them use a method that is rather like SHA-256d, i.e. they do an extra "finalization" hash of their state at the end, before emitting a result.

Related Questions

Over 10,000 runners competed in a large urban marathon. The times of the runners
Question #3382506
Over 100 planets have so far been detected beyond our solar system.This is accom
Question #1727211
Over 30 years ago Michael Porter identified a holistic approach to understanding
Question #412499
Over 30 years ago Michael Porter identified a holistic approach to understanding
Question #427041
Over 350 students look a college calculus final exam. The scores of the students
Question #3208901
Over 40 years ago, Frye and Edidin conducted experiments where they fused human
Question #278153
Over 40% of blood volume consists of oxygen-transporting cells called a) platele
Question #86289
Over 50 years ago, Stanley Milgram conducted some of the most influential and co
Question #3495663
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Chat Now And Get Quote

Navigate

Previous
Over my years of teaching I often ask the class, \"How many of you think organiz
Next
Over recent history , which of the following is true? (a) There are more childre

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.