9

Each block is hashed twice. Why isn't one application of SHA256 enough?

ripper234

2 Answers

13

From Zooko's answer provided in Crypto StackExchange:

SHA-256(SHA-256(x)) was proposed by Ferguson and Schneier in their excellent book "Practical Cryptography" (later updated by Ferguson, Schneier, and Kohno and renamed "Cryptography Engineering") as a way to make SHA-256 invulnerable to "length-extension" attack. They called it "SHA-256d".

Stephen Gornick
  • Length extension attacks [are impossible in Bitcoin](https://bitcoin.stackexchange.com/questions/110065/checksum-sha256sha256prefixdata-why-double-hashing#comment124932_110071) because length extension attacks only apply where the hashed data is secret. This answer is incorrect. – Shelby Moore III Feb 22 '22 at 10:40
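Added example (not part of Stephen Gornick's answer or of Bitcoin's own code): the SHA-256d construction in Python, applied the two ways Bitcoin uses it, as the block-header hash and as a truncated 4-byte checksum. The genesis block header bytes are a public constant supplied here, not taken from this page, and the checksum payload is constructed.

```python
import hashlib
import hmac

def sha256d(data: bytes) -> bytes:
    """SHA-256d as described in the answer above: SHA-256 applied to a SHA-256 digest.
    The outer hash only ever sees a fixed 32-byte digest, never the original message."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def block_hash(header_hex: str) -> str:
    """Hash an 80-byte serialized block header the way Bitcoin displays it:
    sha256d over the raw bytes, then byte-reversed into a big-endian hex string."""
    header = bytes.fromhex(header_hex)
    if len(header) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    return sha256d(header)[::-1].hex()

def checksum(payload: bytes) -> bytes:
    """Bitcoin-style checksum: the first four bytes of sha256d(payload)."""
    return sha256d(payload)[:4]

def verify_checksum(payload: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the verifier does not leak how many bytes matched."""
    return hmac.compare_digest(checksum(payload), tag)

# Public constant (assumed here, not from the page): the serialized genesis block header,
# fields in little-endian wire order: version, prev hash, merkle root, time, bits, nonce.
GENESIS_HEADER_HEX = (
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c"
)

if __name__ == "__main__":
    print(block_hash(GENESIS_HEADER_HEX))
    # Constructed payload, not a real address: one version byte plus 20 arbitrary bytes.
    payload = bytes([0x00]) + bytes(range(20))
    tag = checksum(payload)
    print(verify_checksum(payload, tag))                      # intact payload
    print(verify_checksum(payload[:-1] + b"\xff", tag))       # one corrupted byte
```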
-1

My conjecture is the double hashing everywhere was a red herring to make us think Satoshi was sloppy and lame, and to take our focus away from a posited valid use case for the RIPEMD160(SHA256).

My lengthy and elaborate rationale is in my answer on the related question.

Shelby Moore III