#### molecular

Someone please explain this to me...

It seems to me the chances of a collision of sha² are higher than they are for sha: if you have a collision after the first round, since it's then the same input for the second round you also have a collision on the output of the second round (unless some other data is added in between). If you don't have a collision after the first round, you even have a second chance to get one in the second round.

Another way to view it is that sha() reduces entropy. You call it twice, you reduce entropy even more, hence you have higher chance of collision. I bet if you call sha256 often enough on 2 different inputs, at some point you'll end up with the same output.

I can see how double hashing makes constructing a collision harder because you cannot directly manipulate the input... your "collision attack logic" needs to span the function twice, which will probably make an attack harder in the sense that if it requires bruteforcing n bits in the single-hash case it will probably require 2n bits, which could probably be accomplished similarly by increasing internal sha rounds from 64 to 128? Or just using a stronger hash function. But maybe I don't see something... can anyone explain better than CSW why Satoshi used double hashing?

> Example (continued) of how a double hash solves the collision problem
>
> sha256^2(bzZWVV..)=sha256(1b3f7e..)=XgApmo..
>
> sha256^2(9sdFi3..)=sha256(1b3f7e..)=EsmpYg..

What? How is sha256(1b3f7e..) = XgApmo in the first case, but EsmpYg.. in the second case? That would mean sha256(1b3f7e..) <> sha256(1b3f7e..), which is false (unless the '..' are different in each case, which makes no sense). Reductio ad absurdum.

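The "entropy reduction" argument in the post above can be checked numerically. The following is an added example, not code from the post or from any Bitcoin implementation: it models SHA-256 as a random function on a deliberately tiny domain (SHA-256 truncated to 16 bits, a choice made here so the whole domain can be enumerated), measures how many distinct outputs remain reachable after one, two and three applications, and confirms that any pair colliding after the first application still collides after the second. For a random function on N points the image after one round is about 0.63 N and keeps shrinking with each further round; at 256 bits that shrinkage is negligible against the 2^128 birthday bound, but the toy domain makes the effect visible.

```python
import hashlib


def toy_hash(x: int, bits: int) -> int:
    """Stand-in for SHA-256 on a small domain: SHA-256 of the 4-byte big-endian
    encoding of x, truncated to the low `bits` bits. Assumption: truncating a
    full-width hash behaves like a random function on {0 .. 2^bits - 1}."""
    digest = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)


def image_sizes(bits: int, rounds: int) -> list:
    """Number of distinct outputs reachable from the whole domain after
    1, 2, ..., `rounds` applications of toy_hash.

    image(h^k) == h(image(h^(k-1))), so each round is computed by applying the
    hash to the previous round's image rather than re-hashing every input."""
    current = set(range(1 << bits))
    sizes = []
    for _ in range(rounds):
        current = {toy_hash(v, bits) for v in current}
        sizes.append(len(current))
    return sizes


def find_first_round_collision(bits: int):
    """Return (x, y) with x != y and toy_hash(x) == toy_hash(y), or None."""
    seen = {}
    for x in range(1 << bits):
        d = toy_hash(x, bits)
        if d in seen:
            return seen[d], x
        seen[d] = x
    return None


def first_round_collision_persists(bits: int) -> bool:
    """A collision after the first application is necessarily a collision of
    the double hash, since the second application sees identical inputs."""
    pair = find_first_round_collision(bits)
    if pair is None:
        return False
    x, y = pair

    def double(v: int) -> int:
        return toy_hash(toy_hash(v, bits), bits)

    return double(x) == double(y)


if __name__ == "__main__":
    bits = 16
    n = 1 << bits
    for k, size in enumerate(image_sizes(bits, 3), start=1):
        print(f"h^{k}: {size} of {n} outputs reachable ({size / n:.3f})")
    print("first-round collision persists under h^2:",
          first_round_collision_persists(bits))
```

Running it shows the reachable output set shrinking round by round, which is the precise sense in which iterating a hash "reduces entropy"; it also shows why that does not help an attacker at 256 bits, since the loss per round is a constant fraction of an already astronomically large image.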
