Re: [Cfrg] Merkle trees [was Re: streamable AEAD construct for stored data?]
Bill Cox <waywardgeek@gmail.com> Sat, 07 November 2015 17:53 UTC
Return-Path: <waywardgeek@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC011ACC92 for <cfrg@ietfa.amsl.com>; Sat, 7 Nov 2015 09:53:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5u_SzVjLXxf for <cfrg@ietfa.amsl.com>; Sat, 7 Nov 2015 09:53:49 -0800 (PST)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 428DF1ACC91 for <cfrg@irtf.org>; Sat, 7 Nov 2015 09:53:49 -0800 (PST)
Received: by obbww6 with SMTP id ww6so88542290obb.0 for <cfrg@irtf.org>; Sat, 07 Nov 2015 09:53:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2+6yclRGkT2z9yqpt09USD52vArF91LaSrDhcdt7CEk=; b=s5FVOFu86Y/I1qyYikLkBvsOGDZTmCQS9nbGnfBldUV0aCpnF2qzDr0KBfhT2sj+/O c4U4r+lz88OAAm1iyDxer5DZTw3qrh1GDF+6qt79lxRi1W8o6eMaQw6TwVleZo9X2pVx qVy9DLKb1FjoRalYe9ZCMu4AOdjf509HC6Y9JSe+pQb9UcMONjkRDNZx5HJ53nHT6Fri p001yd2Q8sUt45NXvLeEVOj6Oz+Ad053OidBI2R0enjlQRA3u8Q0JTN4R3oXeKpf9622 v2eXwleY2O5Yj1yioeLH/dIvM80NWz+C0FpGjF5yLCtNgzr8aKMcusBZPpEB1RXZ/x9t /tYw==
MIME-Version: 1.0
X-Received: by 10.60.130.198 with SMTP id og6mr11951247oeb.31.1446918828591; Sat, 07 Nov 2015 09:53:48 -0800 (PST)
Received: by 10.60.116.129 with HTTP; Sat, 7 Nov 2015 09:53:48 -0800 (PST)
In-Reply-To: <F97D91CF-376F-4EC8-8963-A6DE2464ABDA@gmail.com>
References: <20151031193619.2CCF260350@jupiter.mumble.net> <5638E22D.9060003@st.com> <CAG5KPzzV0pOJV-fSoBue+5PuVc5FLvscugYAwCGNpwLCBFVzng@mail.gmail.com> <CAM_a8JzO9ThuAoo+yymzj_Gjbo4+4=W1ox2Faj6apmV6gq2r6g@mail.gmail.com> <F97D91CF-376F-4EC8-8963-A6DE2464ABDA@gmail.com>
Date: Sat, 07 Nov 2015 09:53:48 -0800
Message-ID: <CAOLP8p4c6x2OKxnaYL_PGt8a=-s8CdycyLa2mX7iddEtsWKMzQ@mail.gmail.com>
From: Bill Cox <waywardgeek@gmail.com>
To: Bryan Ford <brynosaurus@gmail.com>
Content-Type: multipart/alternative; boundary="089e013d0ad4cc0fcd0523f70a91"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/seROo6zQe_FPAsi12T2gfarOpHc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Merkle trees [was Re: streamable AEAD construct for stored data?]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2015 17:53:51 -0000
On Sat, Nov 7, 2015 at 5:45 AM, Bryan Ford <brynosaurus@gmail.com> wrote: > Hi Zooko, > > On Nov 4, 2015, at 11:01 AM, Zooko Wilcox-OHearn <zooko@leastauthority.com> > wrote: > > Preventing length-extension attack was a prime requirement for SHA-3, > because users had sometimes interpreted "can produce a terminal node > that has this data as input" as a proof of "knows this data". This > resulted in security failures, for example against naive key-prefix > MACs. > > Now, what if I give you the root of a Merkle Tree but withhold from > you the data (the inputs to the leaves). Should you be able to > generate a new Merkle Tree which has my Merkle Tree as one of its > subtrees? Obviously not! That would be a length-extension attack. > Sakura ¹ and BLAKE2 ² (designed after SHA-3) don't allow that. > > > In at least some Merkle tree usage scenarios I would argue are > “reasonable,” that is precisely what you want. In particular, you > sometimes want Merkle trees to “compose” cleanly, allowing large Merkle > trees to be built from smaller Merkle trees whose (individual) creators > didn’t necessarily know or care how big the large, composed Merkle tree > would be. > For your use case of global time-stamping (which is super cool), you should differentiate the stuff being timestamped (leaf data from clients) from the internal nodes generated by followers, by using a different hash for nodes and leaves. Otherwise, it is not entirely clear, given a proof, what exactly was timestamped. You could use a keyed hash like Blake2, or a keyed wrapper like HMAC or HKDF2. However, just prepending one sequence for leaves, and another for internal nodes should be enough. This is a super-simple change that will improve your time-stamp application's security. Bill
- [Cfrg] streamable AEAD construct for stored data? Daniel Kahn Gillmor
- Re: [Cfrg] streamable AEAD construct for stored d… Natanael
- Re: [Cfrg] streamable AEAD construct for stored d… Watson Ladd
- Re: [Cfrg] streamable AEAD construct for stored d… Natanael
- Re: [Cfrg] streamable AEAD construct for stored d… Daniel Kahn Gillmor
- Re: [Cfrg] streamable AEAD construct for stored d… Hanno Böck
- Re: [Cfrg] streamable AEAD construct for stored d… Watson Ladd
- Re: [Cfrg] streamable AEAD construct for stored d… Taylor R Campbell
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Adam Langley
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Björn Edström
- [Cfrg] Merkle trees [was Re: streamable AEAD cons… Taylor R Campbell
- Re: [Cfrg] streamable AEAD construct for stored d… Zooko Wilcox-OHearn
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andrey Jivsov
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Watson Ladd
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Paul Lambert
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andy Lutomirski
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andy Lutomirski
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Gilles Van Assche
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] Merkle trees Taylor R Campbell
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Zooko Wilcox-OHearn
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Tony Arcieri
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] streamable AEAD construct for stored d… Bryan Ford
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bill Cox
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] streamable AEAD construct for stored d… Alex Elsayed
- Re: [Cfrg] Merkle trees Gilles Van Assche