Gregory Maxwell

Results 135 comments of Gregory Maxwell

@roconnor-blockstream In a few minutes I can break our scheme with pre-hashing and all hashes turned to sha1. I cannot do so without the pre-hashing. If I could, it would...

> This would imply that the inner layer needs enough memory to hold the "something" string, or needs interactive processing to be fed the "something" string twice, or maybe it...

It sounds a little like you're leaning towards talking about libsecp256k1 re APIs. Libsecp256k1 intends, in so much as is realistic, to provide complete cryptosystems, not a cryptosystem-do-it-yourself-kit. The callers...

At this point I think it is unattractive to make protocol incompatible changes purely for the sake of non-bitcoin applications. Presumably you could spec something out which wasn't incompatible.

I think this is the right thing to do. It needs a locking fix in fRelayTxes (broken in master), and removal of the feerate from RelayTransaction's prototype; but I'm not...

H(priv || pub || pad to block (if pub isn't 32 bytes) || random || pad to block || message) is superior, as it increases the precomputable data, and still...

My reasoning was that there should be no attacker controlled data in a compression function run where the midstate is a constant secret.

Well, the drawback is two compression function runs at runtime instead of one... but high speed implementations can implement alternative schemes. Also the drawback is that you can't use comparison...

> Seems more likely than not that such attacks exist. At least it's easy to imagine an otherwise hash function that is vulnerable. To be fair, any implementation where sha256...

> (b) H(rand||priv||pub||msg): 3, 3, 1 How are you getting 1 compression with precomputed priv/rand? Are you forgetting the 8 byte length? This should be 3, 3, 2. I don't...