Bitcoin security never relied on resistance to length-extension because preimages are public anyway, and the common belief is that the double hash was used only for defense-in-depth.
I don't think Bitcoin ever uses hashes in a way that could suffer from length extensions, but I guess Satoshi went with the safe choice of preventing it everywhere.
To avoid this property, Ferguson and Schneier suggested using SHA256d = SHA256(SHA256(x)), which avoids length-extension attacks. This construction has some minor weaknesses (not relevant to bitcoin), so I wouldn't recommend it for new protocols, and would use HMAC with a fixed key, or truncated SHA512 instead.
https://bitcoin.stackexchange.com/a/8461/137501
The paper's discovery is interesting in that it moves SHA256d further away from a random oracle, which has implications for secondary on-chain uses (e.g. in smart contracts or as a 32-byte P2SH wrapper).
Interestingly, Bitcoin developers didn't think that securing against length-extension matters, so they went with plain SHA256 for SegWit P2WSH address hashes.
Later, Bitcoin Cash developers chose SHA256d for P2SH32, thus maintaining consistency with the rest of the protocol, and unlinkability between never-spent-from addresses.
This discovery you present somewhat weakens the unlinkability property of SHA256d hashes. Readers might be interested in some older related work that has already shown a weakness against a unique use-case (Dodis et al., 2013):
We exhibit a cryptographic setting, called mutual proofs of work, in which the highlighted structure of H2 can be exploited. In mutual proofs of work, two parties prove to each other that they've computed some asserted amount of computational effort. This task is inspired by, and similar to, client puzzles [20, 21, 27, 28, 40] and puzzle auctions [42]. We give a protocol for mutual proofs of work whose computational task is computing hash chains. This protocol is secure when using a random oracle, but when using H2 instead an attacker can cheat by abusing the structural properties discussed above.