bip-taproot/tapscript: Prevention length-extension attacks in public key tweaking about bips HOT 6 CLOSED

Length extension attacks are only relevant in case part of the input to the hash is secret, and if the input is variable length. I believe that neither is the case for the bip-taproot tweaking, so I'd rather avoid the extra computational cost.

Do you see more concrete arguments why this may be desirable?

from bips.

No, it seems that all the participants know that whole input to the Merkle root hash used for tweaking the internal key, and nobody outside of the participatns are involved in the verification/check. Again, during the spending, the spending party provides all necessary information to reconstruct the Merkle root hash... So it seems to be unnecessary computational overhead, you are right

from bips.

I can't say that I am 100% sure that the length-extension attacks are impossible for Taproot... I was not able to construct the valid attach vector yet, but I was not able to find some sort of proof ("formal proof"?) that the attack is actually impossible.

Anyway, for RGB, which is client-side validated project, not putting high requirements on the computational performance, I decided to prefer HMAC, just to exclude the possibility of some attacks vectors appearing later down the road.

from bips.

As sipa says, there's no point in a length extension attack if the inputs are public.
You can easily do H(INOUTS ||NEW_ADVERSARY_DATA) and you'll get the same result.

Anyway there's no ambiguity for the commitments here because everything is constant length (a 32 byte pubkey and a 32byte sha256 output)

from bips.

Anyway there's no ambiguity for the commitments here because everything is constant length (a 32 byte pubkey and a 32byte sha256 output)

Theoretically, yes. Practically, I know how people can mess up with an implementation, opening a way for very odd attack vectors. So at least I think that it worth adding to the spec that the inputs for the SHA256 function in the tweaking procedure should be exactly of 64 bit length.

from bips.

Even if you are concerned about length extension attacks, they're never a concern when the length of data hashed is self-descriptive (i.e. if I'd give you the data fed to the hash function and append garbage to it, you'd still know where the garbage starts). Having fixed length data is one way of it being self-descriptive, but it's not the only one (other ways include having flag bits that determine what optional features are present, prefixing elements with their length, or having a terminator element at the end). I believe that all the hashes in bip-schnorr/bip-taproot/bip-tapscript have data with self-descriptive lengths.

from bips.