Tim Ruffing [ARCHIVE] on Nostr
📅 Original date posted: 2017-02-24
📝 Original message: On Fri, 2017-02-24 at 16:18 +0100, Aymeric Vitte via bitcoin-dev wrote:
> Not sure that you really read deeply what I sent, because stating
> that hashing files continuously instead of hashing the intermediate
> steps just gives more latitude to the attacker can't be true when the
> attacker has absolutely no control over the past files
What prevents the attacker from providing different past files when
talking to parties who are still in the initial state?
> Then the question is: knowing the hash state, is it as easy to find a
> collision between two files that will be computed in the next round
> than finding a collision between two files only?
With the original usage of the hash function, the hash state is always
the initial state. Now the attacker even has some control over the hash
state. In other words, if the original use of the hash function was
vulnerable, then your scheme is vulnerable for the initial state.
Concrete attack: If you can find x != y with H(x) = H(y), then you can
also find m, x != y, with H(m||x) = H(m||y), just by setting m = "".
Not sure if this is the right place to discuss that issue though...
Best,
Tim
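The argument in the reply above, worked through on a toy hash. This is an added example, not code from Tim Ruffing, Aymeric Vitte or any Bitcoin project. It assumes a deliberately weak Merkle-Damgard hash (16-bit chaining value, SHA-256 as the compression primitive) so that collisions can be found by brute force in milliseconds; the "continuous hashing" scheme is modelled as one running hash over the concatenation of all files a party has received. The function names, the sample file contents and the 16-bit state size are all choices made for this example.

```python
"""Collision argument from the post above, on a toy Merkle-Damgard hash.

Added example, not code from the original thread.  The hash is weak only
because its chaining value is 16 bits; the structure (pad, then chain a
compression function over blocks) is the same shape as MD5/SHA-1/SHA-256.
"""
import hashlib

BLOCK = 8            # bytes per message block (assumption for the toy)
STATE_BYTES = 2      # 16-bit chaining value: birthday collision in ~2**8 tries
IV = b"\x00" * STATE_BYTES


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) truncated to 16 bits."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 8-byte big-endian length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + len(msg).to_bytes(8, "big")


def absorb(state: bytes, data: bytes) -> bytes:
    """Chain the compression function over block-aligned data."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def H(msg: bytes) -> bytes:
    """The ordinary usage: fresh initial state, pad, absorb everything."""
    return absorb(IV, pad(msg))


def continuous_hash(files) -> bytes:
    """The 'hash the files continuously' scheme: one running hash over the
    concatenation of every file received so far.  A party that has received
    no files yet is in the initial state, so for it this is just H(file)."""
    return H(b"".join(files))


def find_collision(past: bytes = b"") -> tuple[bytes, bytes, int]:
    """Find x != y (one block each) with H(past || x) == H(past || y).

    `past` is the history the attacker knows or chose; it must be block
    aligned so its chaining state is computed once.  The search collides the
    chaining value *after* x rather than only the final digest, so every
    continuation past||x||z and past||y||z collides too.  With past == b""
    this is a plain collision search against H: the m = "" case of the post.
    Returns (x, y, number_of_tries).
    """
    assert len(past) % BLOCK == 0
    state = absorb(IV, past)                       # the hash state the attacker knows
    seen: dict[bytes, bytes] = {}
    for i in range(2 ** (8 * STATE_BYTES) + 1):    # pigeonhole bound; ~2**8 expected
        x = i.to_bytes(BLOCK, "big")               # distinct candidate per iteration
        chained = compress(state, x)
        if chained in seen:
            return seen[chained], x, i + 1
        seen[chained] = x
    raise AssertionError("unreachable: more candidates than states")


def demo() -> dict[str, bool]:
    """Run the four checks the post's argument rests on; True means 'holds'."""
    # 1. Plain collision against the initial state (m = "").
    x, y, _ = find_collision()
    # 2. A party still in the initial state accepts x or y as its first file
    #    and ends with the same running hash; 3. it then stays in lockstep for
    #    every later file, since the chaining values already agree.
    later = [b"file-two" * 2, b"third"]            # constructed sample files
    # 4. A party whose history m the attacker knows (or supplied) is attacked
    #    from its current state by the same search at the same cost.
    m = b"genesis!" * 4                            # constructed, block aligned
    u, v, _ = find_collision(m)
    return {
        "plain_collision": x != y and H(x) == H(y),
        "initial_state_party": continuous_hash([x]) == continuous_hash([y]),
        "extends_to_later_files":
            continuous_hash([x] + later) == continuous_hash([y] + later),
        "known_state_collision":
            u != v and continuous_hash([m, u]) == continuous_hash([m, v]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The toy state is tiny only so the search finishes instantly; the shape of the attack is what matters. For a real Merkle-Damgard hash with a practical identical-prefix collision attack (MD5, SHA-1) the same search runs from any chaining value, which is why the state after the past files does not help the defender, and for an unbroken hash neither search from the initial state nor from a known state is feasible.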
Published at 2023-06-07 17:56:38
Event JSON
{
"id": "182391368e9d22ce2d18f03fa13bb076f2f812cd372932b2a8ccf19d9c054311",
"pubkey": "c6d7a400897460d9a2c07bbad58731b6d04267edd75af42af45f471b04581ec2",
"created_at": 1686160598,
"kind": 1,
"tags": [
[
"e",
"37053a195373ca87d2cc167b4470872a0425d55bfe62c38a20deac2033060b94",
"",
"root"
],
[
"e",
"e2aaed8111e06ea77c8a58b466c986ce4ab71063b78d56650f2a88370bc192cd",
"",
"reply"
],
[
"p",
"a2711d6616d348a3542bb2a791a9e51fcbc7b7d1d20652e5abe16d3e179321df"
]
],
"content": "📅 Original date posted:2017-02-24\n📝 Original message:On Fri, 2017-02-24 at 16:18 +0100, Aymeric Vitte via bitcoin-dev wrote:\n\u003e Not sure that you really read deeply what I sent, because stating\n\u003e that\n\u003e hashing files continuously instead of hashing the intermediate steps\n\u003e just gives more latitude to the attacker can't be true when the\n\u003e attacker\n\u003e has absolutely no control over the past files\nWhat prevents the attacker to provide different past files when talking\nto parties who are still in the initial state?\n\nThen the question is: knowing the hash state, is it as easy to find a\n\u003e collision between two files that will be computed in the next round\n\u003e than\n\u003e finding a collision between two files only?\nWith the original usage of the hash function, the hash state is always\nthe initial state. Now that the attacker has some control over the hash\nstate even. In other words, if the original use of the hash function\nwas vulnerable, then your scheme is vulnerable for the initial state.\n\nConcrete attack: If you can find x != y with H(x) = H(y), then you can\nalso find m, x != y, with H(m||x) = H(m||y), just by setting m = \"\". \n\nNot sure if this is the right place to discuss that issue though...\n\nBest,\nTim",
"sig": "3c63f4268c27bd8cacffe2b3cea5b54d257c8242df55c8d0df5d5a92408e0d5382c3878159ef3c77aed866512cd48555f9ffd898e66ca1b7372b0ca8e819b708"
}