Mark Friedenbach [ARCHIVE] on Nostr
📅 Original date posted:2017-09-06
📝 Original message:This design purposefully does not distinguish leaf nodes from internal nodes. That way chained invocations can be used to validate paths longer than 32 branches. Do you see a vulnerability due to this lack of distinction?

> On Sep 6, 2017, at 6:59 PM, Russell O'Connor <roconnor at blockstream.io> wrote:
>
> The fast hash for internal nodes needs to use an IV that is not the standard SHA-256 IV. Instead it needs to use some other fixed value, which should itself be the SHA-256 hash of some fixed string (e.g. the string "BIP ???" or "Fash SHA-256").
>
> As it stands, I believe someone can claim a leaf node as an internal node by creating a proof that provides a phony right-hand branch claiming to have hash 0x80000..0000100 (which is really the padding value for the second half of a double SHA-256 hash).
>
> (I was schooled by Peter Todd by a similar issue in the past.)
>
>> On Wed, Sep 6, 2017 at 8:38 PM, Mark Friedenbach via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
>> Fast Merkle Trees
>> BIP: https://gist.github.com/maaku/41b0054de0731321d23e9da90ba4ee0a
>> Code: https://github.com/maaku/bitcoin/tree/fast-merkle-tree
Published at 2023-06-07 18:05:42