Date: Tue, 27 Jun 2017 00:13:08 -0400
From: Peter Todd
To: "Russell O'Connor"
Cc: Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] A Method for Computing Merkle Roots of Annotated Binary Trees
Message-ID: <20170627041308.GA23776@savin.petertodd.org>
References: <20170528082624.GA14552@fedora-23-dvm>

On Mon, May 29, 2017 at 10:55:37AM -0400, Russell O'Connor wrote:
> > This doesn't hold true in the case of pruned trees, as for the pruning to
> > be useful, you don't know what produced the left merkleRoot, and thus you
> > can't guarantee it is in fact a midstate of a genuine SHA256 hash.
> >
>
> Thanks for the review Peter. This does seem like a serious issue that I
> hadn't considered yet. As far as I understand, we have no reason to think
> that the SHA-256 compression function will be secure with chosen initial
> values.

Relevant: fixed points can be found for the SHA256 compression function, if
the attacker can control the IV:

https://crypto.stackexchange.com/questions/48580/fixed-point-of-the-sha-256-compression-function

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
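Added example, not part of the original email or of either author's code: the observation in the message above, shown with a from-scratch SHA-256 compression function. The function has Davies-Meyer form (output = E_block(IV) + IV word by word), so running the rounds backwards from an all-zero state gives an IV that the block maps to itself. This is why a verifier cannot treat an unverifiable midstate as a safe IV. All function names and the sample block are constructed for this example.

```python
from math import isqrt

M = 0xFFFFFFFF
PRIMES = [n for n in range(2, 312) if all(n % d for d in range(2, n))]  # first 64 primes

def icbrt(n):  # exact integer cube root (float guess, then corrected)
    x = round(n ** (1 / 3))
    while x ** 3 > n: x -= 1
    while (x + 1) ** 3 <= n: x += 1
    return x

K = [icbrt(p << 96) & M for p in PRIMES]       # round constants (FIPS 180-4)
IV = [isqrt(p << 64) & M for p in PRIMES[:8]]  # standard SHA-256 initial value

def rotr(x, n): return ((x >> n) | (x << (32 - n))) & M
def S0(a): return rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
def S1(e): return rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
def ch(e, f, g): return (e & f) ^ (~e & g)
def maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)

def schedule(block):  # expand a 64-byte block into 64 message words
    w = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 64, 4)]
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
    return w

def compress(iv, block):  # SHA-256 compression: E_block(iv) + iv
    w = schedule(block)
    a, b, c, d, e, f, g, h = iv
    for i in range(64):
        t1 = (h + S1(e) + ch(e, f, g) + K[i] + w[i]) & M
        t2 = (S0(a) + maj(a, b, c)) & M
        a, b, c, d, e, f, g, h = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
    return [(x + y) & M for x, y in zip(iv, (a, b, c, d, e, f, g, h))]

def fixed_point_iv(block):  # iv = E_block^-1(0), so compress(iv, block) == iv
    w = schedule(block)
    a = b = c = d = e = f = g = h = 0
    for i in reversed(range(64)):  # undo round i
        t1 = (a - S0(b) - maj(b, c, d)) & M
        h0 = (t1 - S1(f) - ch(f, g, h) - K[i] - w[i]) & M
        a, b, c, d, e, f, g, h = b, c, d, (e - t1) & M, f, g, h, h0
    return [a, b, c, d, e, f, g, h]

if __name__ == "__main__":
    block = bytes(range(64))  # constructed sample block
    iv = fixed_point_iv(block)
    print(compress(iv, block) == iv, " ".join(f"{x:08x}" for x in iv))
```

The computed IV is not the standard one, so this does not affect ordinary SHA-256; it only matters where the initial value comes from an untrusted party, as with the pruned left merkleRoot discussed in the thread.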