From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 9DE22B4B for ; Thu, 7 Sep 2017 02:00:16 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com [209.85.213.47]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 29A48127 for ; Thu, 7 Sep 2017 02:00:16 +0000 (UTC) Received: by mail-vk0-f47.google.com with SMTP id c82so7326136vkd.4 for ; Wed, 06 Sep 2017 19:00:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream-io.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=VWfmxZDtjon43OlFu0GNSn3O730dRpCCia3H488ZOvs=; b=M5Bnqpxq6xWs6EP7gpvdY1GMh+Dq3uDhHa75rum+9J6hrCXEJL8zFxO5zCepILe7pe fAhpKauCXtY450+yf+0xkoasfUh30QOJYaDlJ/HXtFDNz8RbTubn75ibmMU2gnFln4Z2 7adHT2wRZN4Tp9Xr35PUeH5rAP/JTGQ/cl/ZAYoA98wlc7n2hGQtksId2urv9lqBrx3t A7JgecOtDLx4j2lpKsd/bKNnvl+dIowuzV+tc+To3U/R5K9gc1QbF4SOmQIvYCRW8HZc 5hQyP9U3qm0CTz7na9neWXq8Hai12ENtPYeltDU4K/y/nw7J8f2smYxb/RkhMsLb+I7V cGJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=VWfmxZDtjon43OlFu0GNSn3O730dRpCCia3H488ZOvs=; b=mE02wPZE66GXSP/rDTRpjIuzUgHriHAacfSXMbSBagx95JcnnwzrCX7ruuXfHGG7ny 0QikT35NgVXHkfZ073106UMRWqFJKbLLKN9ve+hy2c9DeCof6QZWCk1OolgSHDuzP2+c 5pnbx2xDMQQtBj68zjXQsXNXcEvW6TyS3D2DttsY3SQHbaPoJTg3i0wxyeWqT951aB+T DB5fO8hvVWFhD8UOIZM2vPGatLFvpwM12YHcHbvUUFpQaIh5DEYO9CYaFKdGy4LW6mmf 2Mu8ZMff35ELthjTMgVJE3DYQoSBPt9f9lizN/GLIPYx+OmNWLvJuG9V9ZDmd8ywHchH +1gw== X-Gm-Message-State: AHPjjUjyVrvWwUhB3GlpH/EmuRdWAPiXZXs8ZfxPi+TGFP8JOr44E0AP +MbQaBrX432Ehtxxp8AZfR8PQYofHl77 X-Google-Smtp-Source: ADKCNb5PqaA4ahPb18TOrXKONG8UKeNjyJFvi2iwxD0PSh1bH0QvpswGNYlWCXA5EZPT+gX6YV2CLjm10WwjXPpl8Ss= X-Received: by 10.31.189.134 with SMTP id n128mr580991vkf.11.1504749615209; Wed, 06 Sep 2017 19:00:15 -0700 (PDT) MIME-Version: 1.0 Received: by 10.176.90.142 with HTTP; Wed, 6 Sep 2017 18:59:54 -0700 (PDT) From: "Russell O'Connor" Date: Wed, 6 Sep 2017 21:59:54 -0400 Message-ID: To: Mark Friedenbach , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="001a114db88c4a779c05588fd215" X-Spam-Status: No, score=0.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Fast Merkle Trees X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2017 02:00:16 -0000 --001a114db88c4a779c05588fd215 Content-Type: text/plain; charset="UTF-8" The fast hash for internal nodes needs to use an IV that is not the standard SHA-256 IV. Instead needs to use some other fixed value, which should itself be the SHA-256 hash of some fixed string (e.g. the string "BIP ???" or "Fash SHA-256"). As it stands, I believe someone can claim a leaf node as an internal node by creating a proof that provides a phony right-hand branch claiming to have hash 0x80000..0000100 (which is really the padding value for the second half of a double SHA-256 hash). (I was schooled by Peter Todd by a similar issue in the past.) On Wed, Sep 6, 2017 at 8:38 PM, Mark Friedenbach via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Fast Merkle Trees > BIP: https://gist.github.com/maaku/41b0054de0731321d23e9da90ba4ee0a > Code: https://github.com/maaku/bitcoin/tree/fast-merkle-tree > --001a114db88c4a779c05588fd215 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The fast hash for internal nodes needs to use an= IV that is not the standard SHA-256 IV. Instead needs to use some other fi= xed value, which should itself be the SHA-256 hash of some fixed string (e.= g. the string "BIP ???" or "Fash SHA-256").

As it stands, I believe someone can claim a leaf node as an internal node= by creating a proof that provides a phony right-hand branch claiming to ha= ve hash 0x80000..0000100 (which is really the padding value for the second = half of a double SHA-256 hash).

(I was schooled by Peter Todd = by a similar issue in the past.)

On Wed, Sep 6, 2017 at 8:3= 8 PM, Mark Friedenbach via bitcoin-dev <bitcoin-dev@li= sts.linuxfoundation.org> wrote:
Fast Merkle Trees
BIP: https://gist.github.com/maaku/41b0054de0731321d23e9da90ba4ee0a
Code: https://github.com/maaku/bitcoin/tr= ee/fast-merkle-tree
--001a114db88c4a779c05588fd215--