IETF Logo Mail Archive

Re: [Cfrg] Merkle trees [was Re: streamable AEAD construct for stored data?]

Bryan Ford <brynosaurus@gmail.com> Mon, 09 November 2015 05:28 UTC

Return-Path: <brynosaurus@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8CE1B6517 for <cfrg@ietfa.amsl.com>; Sun, 8 Nov 2015 21:28:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8JT0nNKztujx for <cfrg@ietfa.amsl.com>; Sun, 8 Nov 2015 21:28:06 -0800 (PST)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD2991B6515 for <cfrg@irtf.org>; Sun, 8 Nov 2015 21:28:04 -0800 (PST)
Received: by wmec201 with SMTP id c201so58633192wme.1 for <cfrg@irtf.org>; Sun, 08 Nov 2015 21:28:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=aLEUjAPj9NVwas6HdtZFTURL1hqa71+/KRAe8Qr1WK4=; b=a3yv8a+o3nfhIwe+H+Pzww0ENkF4icSLVUnNVcZCckHu4o46uA4MKSZ1Zb+Z5MCS84 K2sh19wlmJK7qtyOGj2ZNQrUN4LDOw0Gw4RMMKITIT5+tD80uhyN5Wft8TOZCHk6MwEk fhA1+0FZT6YUfHYf4gppkRzgmn2YxetTe92v8ZD7VeMeeMnFT0qHd7xaOAqI7f8eY20u QFsDm5u/AM3z44kx4VV/gQeI+2qt8IxxoB0775jDWJnDQccmgRlCwB74V6mRDQmW4+zC v3EdlJas3Dg5Kms/apriSGMaKF7EZeVA4f1MkooKkY/zS8IFhQm/g+S6X53mWCW2aHgn qIfQ==
X-Received: by 10.28.7.67 with SMTP id 64mr22483008wmh.70.1447046883376; Sun, 08 Nov 2015 21:28:03 -0800 (PST)
Received: from proz.dclient.lsne.ch (85-218-12-53.dclient.lsne.ch. [85.218.12.53]) by smtp.gmail.com with ESMTPSA id jh4sm13293256wjb.33.2015.11.08.21.28.01 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 08 Nov 2015 21:28:01 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_D0F53EF2-008D-47DF-86B9-5DD05C5CE094"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <CAOLP8p4c6x2OKxnaYL_PGt8a=-s8CdycyLa2mX7iddEtsWKMzQ@mail.gmail.com>
Date: Mon, 09 Nov 2015 06:27:59 +0100
Message-Id: <4463A128-3503-4176-87E9-C725C96D48E5@gmail.com>
References: <20151031193619.2CCF260350@jupiter.mumble.net> <5638E22D.9060003@st.com> <CAG5KPzzV0pOJV-fSoBue+5PuVc5FLvscugYAwCGNpwLCBFVzng@mail.gmail.com> <CAM_a8JzO9ThuAoo+yymzj_Gjbo4+4=W1ox2Faj6apmV6gq2r6g@mail.gmail.com> <F97D91CF-376F-4EC8-8963-A6DE2464ABDA@gmail.com> <CAOLP8p4c6x2OKxnaYL_PGt8a=-s8CdycyLa2mX7iddEtsWKMzQ@mail.gmail.com>
To: Bill Cox <waywardgeek@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/XEXyAyeGoke23bVSiIPVyt3SPGU>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Merkle trees [was Re: streamable AEAD construct for stored data?]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2015 05:28:08 -0000

On Nov 7, 2015, at 6:53 PM, Bill Cox <waywardgeek@gmail.com> wrote:
> On Sat, Nov 7, 2015 at 5:45 AM, Bryan Ford <brynosaurus@gmail.com <mailto:brynosaurus@gmail.com>> wrote:
> Hi Zooko,
> 
>> On Nov 4, 2015, at 11:01 AM, Zooko Wilcox-OHearn <zooko@leastauthority.com <mailto:zooko@leastauthority.com>> wrote:
>> 
>> Preventing length-extension attack was a prime requirement for SHA-3,
>> because users had sometimes interpreted "can produce a terminal node
>> that has this data as input" as a proof of "knows this data". This
>> resulted in security failures, for example against naive key-prefix
>> MACs.
>> 
>> Now, what if I give you the root of a Merkle Tree but withhold from
>> you the data (the inputs to the leaves). Should you be able to
>> generate a new Merkle Tree which has my Merkle Tree as one of its
>> subtrees? Obviously not! That would be a length-extension attack.
>> Sakura ¹ and BLAKE2 ² (designed after SHA-3) don't allow that.
> 
> In at least some Merkle tree usage scenarios I would argue are “reasonable,” that is precisely what you want.  In particular, you sometimes want Merkle trees to “compose” cleanly, allowing large Merkle trees to be built from smaller Merkle trees whose (individual) creators didn’t necessarily know or care how big the large, composed Merkle tree would be.
> 
> For your use case of global time-stamping (which is super cool), you should differentiate the stuff being timestamped (leaf data from clients) from the internal nodes generated by followers, by using a different hash for nodes and leaves.  Otherwise, it is not entirely clear, given a proof, what exactly was timestamped.

Indeed, cleanly distinguishing the semantic difference between leaves and internal nodes seems worthwhile and easily doable even in situations like these where we want trees to be composable.  We will still want clients to be able to submit either “leaf hashes” or “subtree hashes” for timestamping, the latter case allowing any client to build a tree of his own (or perhaps reuse one previously timestamped by some other timeline) and effectively get a new “collective timestamp” all at once on everything in the submitted subtree (without the client ever having to transmit the subtree itself).  But the semantic difference between those two types of “submissions” could be easily distinguished via a flag parameter submitted along with the hash or nonce to be timestamped.

B

> You could use a keyed hash like Blake2, or a keyed wrapper like HMAC or HKDF2.  However, just prepending one sequence for leaves, and another for internal nodes should be enough.  This is a super-simple change that will improve your time-stamp application's security.
> 
> Bill

v2.23.0 | Report a Bug | By Email