Right here’s a extremely speculative concept which isn’t asserted to be definitive nor sure. But it’s the one believable purpose I’ve contemplated given I reject the inconceivable presumption that Satoshi misunderstood or did ‘not should take into consideration’ size extension assaults. Size extension assaults are clearly not possible in Bitcoin as a result of size extension assaults (by no means apply in Bitcoin and) solely apply the place the hashed knowledge is secret. It’s not fathomable to me that Satoshi would have been so sloppy. Though by using the double hash in all places (c.f. additionally) he ostensibly supposed to idiot us into (i.e. give us sufficient rope to hold ourselves with) that anodyne clarification. That’s if as I speculate he solely had a use for the double hash for the spending perform.

Moreover double hashing doesn’t improve safety in opposition to collision nor second preimage assaults, c.f. additionally.

So think about sooner or later 256-bit ECDSA is realistically exploitable. Two situations: 1) all UXTO are trivially and affordably exploitable; or maybe first 2) solely excessive valued outputs are cheaply exploitable given excessive computational value.

Within the latter case no adversary may be assured of not being undermined by a competitor by way of booty proportion they need to award to the miners, because the miner who wins the block will take the (adversarial, booty grabbing) substitute transaction with the best charges. (Naive readers ought to be aware the miner can’t distinguish between an adversarial and the non-booty grabbing transaction.) This seems to be a Prisoner’s dilemma until within the seemingly unlikely occasion the miners can type a consensus 50+% oligarchy to implement mentioned booty proportion, rejecting all minority hashrate blocks which defect. One may argue that the excessive valued solely state of affairs exploit forces the formation of mentioned oligarchy, lest a mannequin appears to point out lack of the incentives compatibility that usually converges on a single longest (i.e. highest issue) chain rule. However miners gained’t probably destroy their non-repurposable sunk mining {hardware} capex, nor would hodlers have an incentive to forsake mentioned proportion of their ₿ for causes I clarify beneath.

In each situations there are UXTO that may’t be spent with out being stolen, until the Bitcoin validation protocol is modified to supply spending with a non-exploitable NIZKP (proof) of both preimage of the RIPEMD160(SHA256) hash.

(ADDED: naive readers be aware that compromising ECDSA doesn’t compromise the stationary unspent transactions outputs (UXTO) if the hash perform isn’t additionally compromised. These UXTO could be stranded by a risk to steal them with mentioned posited future ECDSA exploit when and iff spend transaction is printed to the community as a result of it reveals the ECDSA public key which is in any other case obscured and guarded by the hash till spending.)

I additionally contemplated an alternate through which the payor first data to the blockchain with a low valued (both not cheaply exploitable or within the first of aforementioned situations by incentivizing the miner out-of-band with coloured cash to not selected the adversarial) transaction with zero-valued outputs[1] or OP_RETURN (c.f. instance)[2] the hash(preimage||txn_hash) earlier than publishing finalization (i.e. proof) of the in any other case larger valued exploitable transaction.

Though each of these concepts would suffice if Satoshi has employed solely a single-hash, Satoshi could haven’t needed to rely upon a contentious political consequence (e.g. the block dimension restrict controversy) for the layer zero protocol change, in order to not maintain spending hostage interim. The miners would probably resist any resolution and if I could specific the tendentious undeniable fact that the 1% that usually decides (as a result of the inviolable power-law wealth distribution has no exceptions) could be impotent in both aforementioned state of affairs (thus opening up an influence vacuum of the factionalized analog of warlord chaos) if their UTXO can’t be spent with out being stolen. In different phrases, the Nash equilibrium is such that any adjustments to the layer zero protocol are secure provided that the vested pursuits of the financial majority (i.e. the 1%) don’t have any higher technique. Within the inconceivable occasion Satoshi was derelict sufficient to design such that the 1% could possibly be fully divested, the miners could be destroyed together with Bitcoin.

If as an alternative my second concept for the exploit work-around is employed on the intermediate preimage of the composite hash, i.e. RIPEMD160(preimage||txn_hash), thus an advert hoc coloured coin spend is immediately doable (and adopted by Schelling level conference as the one possibility) with none change required to the layer zero validation protocol that the miners implement. When spending with the intermediate preimage then the exploitable ECDSA public key was by no means revealed if the payor had spent his publicly acquired outputs to himself with a secret public key earlier than the ECDSA exploit arrived. The double hash is just required if the payor has some incentive to not publish the general public key (as an alternative of the mentioned intermediate) because the preimage to finalize (i.e. show) the coloured coin spend. Stated coloured cash stay non-exploitable thus probably retain worth regardless. The prospect of a future onerous fork that restores the flexibility to spend ₿ unexploited, incentivizes not spending with the general public key prematurely thus requiring the double hash interim for spending the advert hoc coloured cash.

I used to be motivated to conjure up this concept as a partial rebuttal to Craig “Faketoshi” Wright’s unsubstantiated declare that he defined the explanation for the double hash. That’s if my concept survives cross-examination by the community-at-large.

[1] To not be confused with blackhole public keys.

[2] Ignore the next drivel: ^{_{As an apart so I gained’t be ridiculed by the 1% financial majority who know the reality, however please if in case you have any conscience the next shouldn’t be thought-about when deciding whether or not to agree or disagree with my reply, my private opinion is OP_RETURN is an invalid fork that may finally be destroyed.}}