Bitcoin only uses RIPEMD160(SHA256(x)) in places where the relevant attack is a second pre-image, not a collision. If neither hash function is pathological, the pre-image resistance of this construction can't be broken without breaking both hashes. So this construction isn't that silly.
> As for length extension attacks, I don't believe I should be concerned, should I? The transfer of messages within the network is dependent on a defined protocol, so any extra bytes would just be interpreted as a malformed message.

If you use it in a broken construction, you should be concerned. If you're not, then there is little reason to worry. Length extensions are only a problem with a few specific constructions. In particular, using SHA256(k||m) as a MAC is broken. If you want a hash-based MAC with SHA-2, use HMAC instead.
_______________________________________________ p2p-hackers mailing list [email protected] http://lists.zooko.com/mailman/listinfo/p2p-hackers
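To make the HMAC recommendation concrete, the following is an added example (not code from the post or from any Bitcoin implementation) that builds HMAC-SHA256 directly from the RFC 2104 definition, checks it against Python's standard library, and verifies tags with a constant-time comparison. The function names and sample keys are assumptions made for this example.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes; HMAC works on one-block keys


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 per RFC 2104: H((K' xor opad) || H((K' xor ipad) || m)).

    The message is hashed inside a keyed inner hash, and that digest is then
    hashed again under a second keyed block. An attacker who knows a valid
    tag therefore only sees the output of the outer hash, not the internal
    state of a hash over (key || message), which is what a plain
    SHA256(k || m) MAC exposes and what length extension exploits.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()  # keys longer than a block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to exactly one block
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad_key + msg).digest()
    return hashlib.sha256(opad_key + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built construction against hmac.new()."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, msg), expected)


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag check: avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


if __name__ == "__main__":
    # Constructed sample: a short key and a protocol-style message.
    key = b"example-shared-secret"  # placeholder key for the demo
    msg = b"version:1;payload:hello"
    tag = hmac_sha256(key, msg)
    print("tag:", tag.hex())
    print("matches stdlib:", matches_stdlib(key, msg))
    print("verify original:", verify(key, msg, tag))
    print("verify appended bytes:", verify(key, msg + b";extra", tag))
```

RFC 4231 test vectors (for example key 0x0b repeated 20 times with the message "Hi There") can be used to confirm the construction independently of the standard library.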
