IETF Logo Mail Archive

Re: [Cfrg] Merkle trees [was Re: streamable AEAD construct for stored data?]

Bill Cox <waywardgeek@gmail.com> Sat, 07 November 2015 17:53 UTC

Return-Path: <waywardgeek@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC011ACC92 for <cfrg@ietfa.amsl.com>; Sat, 7 Nov 2015 09:53:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5u_SzVjLXxf for <cfrg@ietfa.amsl.com>; Sat, 7 Nov 2015 09:53:49 -0800 (PST)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 428DF1ACC91 for <cfrg@irtf.org>; Sat, 7 Nov 2015 09:53:49 -0800 (PST)
Received: by obbww6 with SMTP id ww6so88542290obb.0 for <cfrg@irtf.org>; Sat, 07 Nov 2015 09:53:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2+6yclRGkT2z9yqpt09USD52vArF91LaSrDhcdt7CEk=; b=s5FVOFu86Y/I1qyYikLkBvsOGDZTmCQS9nbGnfBldUV0aCpnF2qzDr0KBfhT2sj+/O c4U4r+lz88OAAm1iyDxer5DZTw3qrh1GDF+6qt79lxRi1W8o6eMaQw6TwVleZo9X2pVx qVy9DLKb1FjoRalYe9ZCMu4AOdjf509HC6Y9JSe+pQb9UcMONjkRDNZx5HJ53nHT6Fri p001yd2Q8sUt45NXvLeEVOj6Oz+Ad053OidBI2R0enjlQRA3u8Q0JTN4R3oXeKpf9622 v2eXwleY2O5Yj1yioeLH/dIvM80NWz+C0FpGjF5yLCtNgzr8aKMcusBZPpEB1RXZ/x9t /tYw==
MIME-Version: 1.0
X-Received: by 10.60.130.198 with SMTP id og6mr11951247oeb.31.1446918828591; Sat, 07 Nov 2015 09:53:48 -0800 (PST)
Received: by 10.60.116.129 with HTTP; Sat, 7 Nov 2015 09:53:48 -0800 (PST)
In-Reply-To: <F97D91CF-376F-4EC8-8963-A6DE2464ABDA@gmail.com>
References: <20151031193619.2CCF260350@jupiter.mumble.net> <5638E22D.9060003@st.com> <CAG5KPzzV0pOJV-fSoBue+5PuVc5FLvscugYAwCGNpwLCBFVzng@mail.gmail.com> <CAM_a8JzO9ThuAoo+yymzj_Gjbo4+4=W1ox2Faj6apmV6gq2r6g@mail.gmail.com> <F97D91CF-376F-4EC8-8963-A6DE2464ABDA@gmail.com>
Date: Sat, 07 Nov 2015 09:53:48 -0800
Message-ID: <CAOLP8p4c6x2OKxnaYL_PGt8a=-s8CdycyLa2mX7iddEtsWKMzQ@mail.gmail.com>
From: Bill Cox <waywardgeek@gmail.com>
To: Bryan Ford <brynosaurus@gmail.com>
Content-Type: multipart/alternative; boundary="089e013d0ad4cc0fcd0523f70a91"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/seROo6zQe_FPAsi12T2gfarOpHc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Merkle trees [was Re: streamable AEAD construct for stored data?]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2015 17:53:51 -0000

On Sat, Nov 7, 2015 at 5:45 AM, Bryan Ford <brynosaurus@gmail.com> wrote:

> Hi Zooko,
>
> On Nov 4, 2015, at 11:01 AM, Zooko Wilcox-OHearn <zooko@leastauthority.com>
> wrote:
>
> Preventing length-extension attack was a prime requirement for SHA-3,
> because users had sometimes interpreted "can produce a terminal node
> that has this data as input" as a proof of "knows this data". This
> resulted in security failures, for example against naive key-prefix
> MACs.
>
> Now, what if I give you the root of a Merkle Tree but withhold from
> you the data (the inputs to the leaves). Should you be able to
> generate a new Merkle Tree which has my Merkle Tree as one of its
> subtrees? Obviously not! That would be a length-extension attack.
> Sakura ¹ and BLAKE2 ² (designed after SHA-3) don't allow that.
>
>
> In at least some Merkle tree usage scenarios I would argue are
> “reasonable,” that is precisely what you want.  In particular, you
> sometimes want Merkle trees to “compose” cleanly, allowing large Merkle
> trees to be built from smaller Merkle trees whose (individual) creators
> didn’t necessarily know or care how big the large, composed Merkle tree
> would be.
>

For your use case of global time-stamping (which is super cool), you should
differentiate the stuff being timestamped (leaf data from clients) from the
internal nodes generated by followers, by using a different hash for nodes
and leaves.  Otherwise, it is not entirely clear, given a proof, what
exactly was timestamped.

You could use a keyed hash like Blake2, or a keyed wrapper like HMAC or
HKDF2.  However, just prepending one sequence for leaves, and another for
internal nodes should be enough.  This is a super-simple change that will
improve your time-stamp application's security.

Bill

v2.23.0 | Report a Bug | By Email