On Mon, May 29, 2017 at 10:55:37AM -0400, Russell O'Connor wrote:
> > This doesn't hold true in the case of pruned trees, as for the pruning to be
> > useful, you don't know what produced the left merkleRoot, and thus you can't
> > guarantee it is in fact a midstate of a genuine SHA256 hash.
> >
>
> Thanks for the review, Peter. This does seem like a serious issue that I
> hadn't considered yet. As far as I understand, we have no reason to think
> that the SHA-256 compression function will be secure with chosen initial
> values.

Relevant: fixed points can be found for the SHA256 compression function, if the
attacker can control the IV:

https://crypto.stackexchange.com/questions/48580/fixed-point-of-the-sha-256-compression-function

-- 
https://petertodd.org
'peter'[:-1]@petertodd.org
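What the fixed-point reference above amounts to in practice, as an added worked example (this is not code from the thread or from either author). SHA-256's compression function is a Davies-Meyer construction, compress(h, m) = E_m(h) + h, where E_m is the SHACAL-2 block cipher keyed by the 512-bit message block m and "+" is word-wise addition mod 2^32. Because E_m is an invertible permutation, the IV h = E_m^-1(0) satisfies compress(h, m) = 0 + h = h. Someone who gets to choose the IV computes such an h with a single decryption; with the standard fixed IV the same property would instead require finding a block m with E_m(IV) = 0, a 2^256 search. The script below implements the compression function and its inverse from the spec, cross-checks the forward direction against hashlib, and then shows that a constructed attacker-chosen block (64 bytes of 'A', an arbitrary choice for illustration) can be absorbed any number of times without the state changing. All function names here are this example's own.

```python
"""Fixed points of the SHA-256 compression function under an attacker-chosen IV.
compress(h, m) = E_m(h) + h (Davies-Meyer), where E_m is the invertible SHACAL-2 cipher
keyed by block m; so h = E_m^-1(0) satisfies compress(h, m) = h after one decryption."""
import hashlib
import struct

MASK = 0xFFFFFFFF

def _iroot(x, k):
    """Largest integer r with r**k <= x, by bisection."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid - 1)
    return lo

# Spec constants derived instead of typed in (IV: fractional bits of sqrt of the first 8
# primes, K: fractional bits of cbrt of the first 64 primes); matches_hashlib() validates them.
_PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
SHA256_IV = tuple(_iroot(p << 64, 2) & MASK for p in _PRIMES[:8])
SHA256_K = tuple(_iroot(p << 96, 3) & MASK for p in _PRIMES)

def _ror(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def _schedule(block):
    """Expand one 64-byte block into the 64-word message schedule W (the cipher's key)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _ror(w[i - 15], 7) ^ _ror(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _ror(w[i - 2], 17) ^ _ror(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    return w

def _round(state, k, w):
    a, b, c, d, e, f, g, h = state
    s1 = _ror(e, 6) ^ _ror(e, 11) ^ _ror(e, 25)
    ch = (e & f) ^ (~e & g)
    t1 = (h + s1 + ch + k + w) & MASK
    s0 = _ror(a, 2) ^ _ror(a, 13) ^ _ror(a, 22)
    maj = (a & b) ^ (a & c) ^ (b & c)
    t2 = (s0 + maj) & MASK
    return ((t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g)

def _round_inverse(state, k, w):
    """Undo one round: every step is a rotation, xor or modular add, so it inverts exactly."""
    a2, b2, c2, d2, e2, f2, g2, h2 = state
    a, b, c, e, f, g = b2, c2, d2, f2, g2, h2      # six words are just shifted copies
    s0 = _ror(a, 2) ^ _ror(a, 13) ^ _ror(a, 22)
    maj = (a & b) ^ (a & c) ^ (b & c)
    t1 = (a2 - s0 - maj) & MASK                    # forward: a2 = t1 + t2
    d = (e2 - t1) & MASK                           # forward: e2 = d + t1
    s1 = _ror(e, 6) ^ _ror(e, 11) ^ _ror(e, 25)
    ch = (e & f) ^ (~e & g)
    h = (t1 - s1 - ch - k - w) & MASK              # forward: t1 = h + s1 + ch + k + w
    return (a, b, c, d, e, f, g, h)

def shacal2_encrypt(state, block):
    w = _schedule(block)
    for i in range(64):
        state = _round(state, SHA256_K[i], w[i])
    return state

def shacal2_decrypt(state, block):
    w = _schedule(block)
    for i in reversed(range(64)):
        state = _round_inverse(state, SHA256_K[i], w[i])
    return state

def compress(state, block):
    """SHA-256 compression function: Davies-Meyer feed-forward around SHACAL-2."""
    return tuple((x + y) & MASK for x, y in zip(shacal2_encrypt(state, block), state))

def fixed_point_iv(block):
    """The IV that `block` leaves unchanged: decrypt the all-zero state under key = block.
    E_m(h) = 0 makes the feed-forward return h itself."""
    return shacal2_decrypt((0,) * 8, block)

def matches_hashlib(message):
    """Cross-check compress() against the standard library on a single padded block."""
    pad = b"\x80" + b"\x00" * (55 - len(message)) + struct.pack(">Q", 8 * len(message))
    ours = struct.pack(">8I", *compress(SHA256_IV, message + pad))
    return ours == hashlib.sha256(message).digest()

def absorb_repeatedly(iv, block, times):
    """Feed `block` through the compression function `times` times, starting from `iv`."""
    state = iv
    for _ in range(times):
        state = compress(state, block)
    return state

if __name__ == "__main__":
    assert matches_hashlib(b"abc")
    m = b"A" * 64                    # constructed attacker-chosen block for the demo
    h = fixed_point_iv(m)
    assert compress(h, m) == h and absorb_repeatedly(h, m, 1000) == h
    print("fixed-point IV for m:", "".join(f"{x:08x}" for x in h))
```

The point for the quoted discussion: a verifier that is handed an opaque midstate h and only the data to the right of it has no way to tell an h that really is the midstate of some SHA-256 computation from one produced by shacal2_decrypt as above, so "it is a 256-bit value that hashes forward correctly" says nothing about where it came from. The hashlib check is there because a hand-rolled compression function that is subtly wrong would still have fixed points; it is the agreement with the real SHA-256 that makes the demonstration meaningful.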