On Mon, May 29, 2017 at 10:55:37AM -0400, Russell O'Connor wrote:
> > This doesn't hold true in the case of pruned trees, as for the pruning to
> > be useful, you don't know what produced the left merkleRoot, and thus you
> > can't guarantee it is in fact a midstate of a genuine SHA256 hash.
> >
> 
> Thanks for the review, Peter.  This does seem like a serious issue that I
> hadn't considered yet.  As far as I understand, we have no reason to think
> that the SHA-256 compression function will be secure with chosen initial
> values.

Relevant: fixed points can be found for the SHA256 compression function, if the
attacker can control the IV:

https://crypto.stackexchange.com/questions/48580/fixed-point-of-the-sha-256-compression-function

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org


_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
