I will proceed to explain once you confirm that you do not understand why the Merkle–Damgård construction is relevant. Either explain or admit you don't know, so I can proceed to teach you something. You are wasting my scarce time with your stalling/deception tactics and trolling.
No, you're the one wasting my time. I don't have to explain anything. You do. And you're not. I can only assume by your lack of explanation that you can't produce one.
Next time you will realize not to fuck with me, because I know a lot more than you assume.
I assume you know nothing, so knowing more than that isn't much of an accomplishment. But please go ahead and demonstrate your accomplishment. We're all waiting.
I'll interpret your reply as an ostensibly intentional veiled admission that you could not answer the question. So I will proceed to explain the sort of theoretical analysis that I was interested in discussing in the thread that the "forum-Hitler" Gmaxwell nuked.
Tangentially note the disclaimer that I wrote in the OP of the thread which was nuked:

Does anyone know what black hole Bitcoin core (Blockstream) developer Gmaxwell moved the quoted thread to?
[...]
I urge immediately peer review of my statements by other experts. I have not really thought deeply about this. This is just written very quickly off the top of my head. I am busy working on other things and can't put much time into this.
I had written in that nuked and vaporized thread a post (my last or nearly last post in that nuked thread) which explained that at the moment I wrote that quoted OP, I had been misled by sloppy writing on the news sites (and also the linked sites of the protagonists) into thinking that the hash of the Sartre text was already confirmed. For example, I provided this quote:

Craig Wright's chosen source material (an article in which Jean-Paul Sartre explains his refusal of the Nobel Prize), surprisingly, generates the exact same signature as can be found in a bitcoin transaction associated with Satoshi Nakamoto.
Being as it was by that time late in the evening for my timezone and I had been awake roughly 18 hours already, and I was skimming in an attempt to make some quick feedback on this potentially important event, so I could return to my work asap. In the nuked thread, I quickly realized that the Sartre text hadn't been verified to match the hash, so I actually stopped posting in the nuked thread for a few hours. Then when I came back to the thread, it didn't exist, so I could no longer follow up or read what had been elucidated. Thus note my original focus was on how the hell could Craig have achieved that match, so he must have broken the hash. I had recalled that I had theoretical doubts about the double hashing which I had never bothered to discuss with anyone. It had been 2+ years since I did that research on cryptographic hash functions, so I had to decide if I was going to go dig back into that research or not. I figured I'd sleep on it and then be able to think with a clearer, rested mind about the implications of the revelation (to me) that the hash had not been verified to match the text because the portion of the text had not been sufficiently specified (again the "undisclosed" term didn't make sense to me in quick skimming because I had read on the blog that the Sartre text was referred to).
But instead of being able to sleep on it and then decide whether to let it go or dig back into my past research, my thread was nuked and I was under attack. Remember I don't back down from anyone when I think I am justified. When I think I am wrong, I mea culpa.
So now back to the subject matter of whether double hashing could theoretically lead to any weakening of the second preimage and/or collision security of the SHA-256 cryptographic hash function.
Afaik, there is no research on this question. If anyone is aware of any, please kindly inform me.
First I will note the Merkle–Damgård construction (which SHA-256 employs) is subject to numerous generic attacks, and even though afaik none of these are currently known to be a practical threat against a single hash of SHA-256, we can perhaps look to those generic attacks for potential clues as to what a double-hashing might enable which a single-hash application perhaps might not.
Note in the pseudo-code for SHA-256 that what distinguishes a double-hashing from doubling rounds (i.e. "Compression function main loop:") or repeating the input text in double the block chunks (i.e. "Process the message in successive 512-bit chunks:") is that the h0 - h8 compression function state, which is normally orthogonal to the input block chunks, instead gets transmitted as input to a block chunk in the second hash application (i.e. "Produce the final hash value (big-endian):") after being added to the output of the compression function (i.e. "Add the compressed chunk to the current hash value:"). And the h0 - h8 compression function state is reset to a constant (i.e. "Initialize hash values:").
The reason I think this might be theoretically significant is because we should note that the way cryptographic hash functions are typically broken is by applying differential cryptanalysis. Differential cryptanalysis is attempting to find some occurrence of (even higher order) differences between inputs that occurs with higher probability than under a perfectly uniform distribution. In essence, differential cryptanalysis is leveraging some recurrent structure of the confusion and diffusion and avalanche effect of the algorithm.
Not only does the double-hashing introduce a constant h0 - h8 midstream, thus introducing a known recurrent structure into the middle of the unified algorithm of a double-hashing, but it shifts the normally orthogonal compression function state to the input that it is supposed to be orthogonal to. On top of that, the additions of the h0 - h8 state at the midpoint can possibly mean the starting state of the midpoint is known to have a higher probability of zeros in the least significant bits (LSBs). This last observation comes from some research I did when I created a much higher bandwidth design variant of Bernstein's ChaCha by fully exploiting AVX2 SIMD, that was for a specific purpose of creating a faster memory hard proof-of-work function. In that research, I had noted the following quote of an excerpt in my unfinished, rough draft, unpublished white paper written in late 2013 or early 2014 (and kindly note that the following might have errors because it was not reviewed for publishing and was merely notes for myself on my research understanding at that time 2+ years ago):
Security
Addition and multiplication modulo (2^n - 1) diffuse through high bits but set low bits to 0. Without shuffles or rotation permutation to diffuse changes from high to low bits, addition and multiplication modulo (2^n - 1) can be broken with low complexity working from the low to the high bits [5].
The overflow carry bit, i.e. addition modulo ∞ minus addition modulo (2^n - 1), obtains the value 0 or 1 with equal probability, thus addition modulo (2^n - 1) is discontinuous i.e. defeats linearity over the ring Z/(2^n) [6] because the carry is 1 in half of the instances [7] and defeats linearity over the ring Z/2 [8] because the low bit of both operands is 1 in one-fourth of the instances.
The number of overflow high bits in multiplication modulo ∞ minus multiplication modulo (2^n - 1) depends on the highest set bits of the operands, thus multiplication modulo (2^n - 1) defeats linearity over the range of rings Z/2 to Z/(2^n).
Logical exclusive-or defeats linearity over the ring Z/(2^n) always [8] because it is not a linear function operator.
Each multiplication modulo ∞ amplifies the amount of diffusion and confusion provided by each addition. For example, multiplying any number by 23 is equivalent to the number multiplied by 16 added to the number multiplied by 4 added to the number multiplied by 2 added to the number. This is recursive since multiplying the number by 4 is equivalent to the number multiplied by 2 added to the number multiplied by 2. Addition of a number with itself is equivalent to a 1 bit left shift or multiplication by 2. Multiplying any variable number by another variable number creates additional confusion.
Multiplication defeats rotational cryptanalysis [9] because unlike for addition, rotation of the multiplication of two operands never distributes over the operands, i.e. is not equal to the multiplication of the rotated operands. A proof is that rotation is equivalent to the exclusive-or of left and right shifts. Left and right shifts are equivalent to multiplication and division by a factor of 2, which don't distribute over multiplication, e.g. (8 × 8) × 2 ≠ (8 × 2) × (8 × 2) and (8 × 8) ÷ 2 ≠ (8 ÷ 2) × (8 ÷ 2). Addition modulo ∞ is always distributive over rotation [9] because addition distributes over multiplication and division, e.g. (8 + 8) ÷ 2 = (8 ÷ 2) + (8 ÷ 2). Due to the aforementioned non-linearity over Z/(2^n) due to carry, addition modulo (2^n - 1) is only distributive over rotation with a probability 1/4 up to 3/8 depending on the relative number of bits of rotation [9][10].
However, multiplication modulo (2^n - 1) sets all low bits to 0 orders-of-magnitude more frequently than addition modulo (2^n - 1)—a degenerate result that squashes diffusion and confusion.
[5] Khovratovich, Nikolic. Rotational Cryptanalysis of ARX. Section 2, Related Work.
[6] Daum. Cryptanalysis of Hash Functions of the MD4-Family. Section 4.1, Links between Different Kinds of Operations.
[7] Khovratovich, Nikolic. Rotational Cryptanalysis of ARX. Section 6, Cryptanalysis of generic AR systems.
[8] Bernstein. Salsa20 design. Section 2, Operations.
[9] Khovratovich, Nikolic. Rotational Cryptanalysis of ARX. Section 3, Review of Rotational Cryptanalysis.
[10] Daum. Cryptanalysis of Hash Functions of the MD4-Family. Section 4.1.3, Modular Additions and Bit Rotations, Corollary 4.12.
So now put those aforementioned insights about potential recurrent structure at the midpoint of the double-hashing together with the reality that a Boomerang attack is a differential cryptanalysis that employs a midpoint in a cipher to form new attacks that weren't plausible on the full cipher. Bingo!
I'll refrain from providing my further insights on specifics beyond this initial sharing. Why? Because I've been treated like shit by Gmaxwell and you all here grant him too much Hitler-esque control over the Bitcoin Technical Discussion subforum where these sorts of discussions are supposed to occur, so I will take my toys elsewhere. Enjoy your echo chamber.
Do I have an attack against Bitcoin's double-hashing? I leave that for you to ponder.
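To put numbers on the rotational claims in the quoted white-paper excerpt (an added example for this edit, not from the excerpt or the papers it cites), this exhaustively counts, for 8-bit words, how often each operation commutes with rotation: xor always does, modular multiplication almost never does, and modular addition does with a rate that sits between 1/4 and 3/8 depending on the rotation amount. Function names are my own; the word size N is a constructed parameter.

```python
# Exhaustive check of how the three ARX-style operations behave under rotation
# on small words.  N = 8 keeps the search (2^16 pairs per rotation) quick.
N = 8
MASK = (1 << N) - 1

def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & MASK

def add_mod(x, y):
    return (x + y) & MASK

def mul_mod(x, y):
    return (x * y) & MASK

def xor(x, y):
    return x ^ y

def rot_commutes_fraction(op, r):
    """Fraction of all (x, y) pairs where rotating op(x, y) equals op applied to the rotated operands."""
    hits = sum(rotl(op(x, y), r) == op(rotl(x, r), rotl(y, r))
               for x in range(1 << N) for y in range(1 << N))
    return hits / (1 << (2 * N))

def rotational_profile():
    """For each rotation amount r: (addition, multiplication, xor) commutation rates."""
    return {r: (rot_commutes_fraction(add_mod, r),
                rot_commutes_fraction(mul_mod, r),
                rot_commutes_fraction(xor, r)) for r in range(1, N)}

if __name__ == "__main__":
    for r, (a, m, x) in rotational_profile().items():
        print(f"r={r}: add={a:.4f}  mul={m:.4f}  xor={x:.1f}")
```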