From: Brooks Boyd <boydb@midnightdesign•ws>
To: bitcoin-development@lists•sourceforge.net
Subject: Re: [Bitcoin-development] bitcoinj 0.11 released, with p2sh, bip39 and payment protocol support
Date: Wed, 5 Feb 2014 09:09:31 -0600 [thread overview]
Message-ID: <CANg-TZBvZGwXaNoz5h7FD7Rh072+qc6T3FrUV-J81o4xZEuZ9A@mail.gmail.com> (raw)
In-Reply-To: <20140204160414.GA23803@savin>
[-- Attachment #1: Type: text/plain, Size: 2150 bytes --]
On Tue, Feb 4, 2014 at 10:04 AM, Peter Todd <pete@petertodd•org> wrote:
>
> On Tue, Feb 04, 2014 at 04:17:47PM +0100, Natanael wrote:
> > Because it's trivial to create collisions! You can choose exactly what
> > output you want. That's why XOR is a very bad digest scheme.
>
> You're close, but not quite.
>
> So, imagine you have a merkle tree, and you're trying to timestamp some
> data at the bottom of the tree. Now you can successfully timestamp the
> top digest in the Bitcoin blockchain right, and be sure that digest
> existed before some time. But what about the digests at the bottom of
> the tree? What can an attacker do exactly to make a fake timestamp if
> the tree is using XOR rather than a proper hash function?
>
Given a tree like:
G
/ \
E F
/ \
C D
/ \
A B
Where G is the root hash and A is the legitimate data that was included in
the tree, the legitimate user provides B, D and F along with A to prove A
is part of the tree G.
Now an attacker could just make up an arbitrary set of values that XOR
together into G, like:
G
/ \
Z Y
And could therefore claim Z is part of tree G by providing Y. But if A is
also trying to prove its a part of G, we know the first level of the tree
must be E and F. It cannot also be Z and Y, so one of the two users is
lying and the deceit is obvious, though not obvious which user is lying.
An attacker could look more convincing by using the data passed with A as a
starting point:
G
/ \
E F
/ \
/ \
/ \
C D
/ \ / \
A B Z Y
Instead of working off of G, work of the lowest branch provided by A in its
verification (D, in this case), and create the fake data Z, and calculate Y
such that Z XOR Y == D (which is just Z XOR D). Now the attacker can claim
Z is part of G by supplying Y, C, and F. The tree looks valid (it can
coexist with the proof provided by A, at least until someone else claims to
be a descendant of the D node as well), and since G was verified by
timestamp, looks like Z existed before that timestamp, when really it could
be added at any time by calculating Z XOR D.
Brooks
[-- Attachment #2: Type: text/html, Size: 2773 bytes --]
next prev parent reply other threads:[~2014-02-05 15:09 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-04 12:01 Mike Hearn
2014-02-04 13:03 ` Peter Todd
2014-02-04 13:13 ` Mike Hearn
2014-02-04 13:17 ` Peter Todd
2014-02-04 14:43 ` Jeff Garzik
2014-02-04 14:46 ` Peter Todd
2014-02-04 15:17 ` Natanael
2014-02-04 16:04 ` Peter Todd
2014-02-05 7:57 ` Jeremy Spilman
2014-02-05 15:09 ` Brooks Boyd [this message]
2014-02-07 9:21 ` Peter Todd
2014-02-07 10:48 ` Mike Hearn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANg-TZBvZGwXaNoz5h7FD7Rh072+qc6T3FrUV-J81o4xZEuZ9A@mail.gmail.com \
--to=boydb@midnightdesign$(echo .)ws \
--cc=bitcoin-development@lists$(echo .)sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox