Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

Andy Lutomirski <> Fri, 30 October 2015 22:09 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 667CD1ACF18 for <>; Fri, 30 Oct 2015 15:09:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.121
X-Spam-Status: No, score=0.121 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Rhz0hHhqUiFs for <>; Fri, 30 Oct 2015 15:09:40 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4E25D1ACF0A for <>; Fri, 30 Oct 2015 15:09:40 -0700 (PDT)
Received: by oiad129 with SMTP id d129so67346992oia.0 for <>; Fri, 30 Oct 2015 15:09:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=IvAb7Irk6rQZK/5bD0oTQC5nKWvaoE0uDzRRR92Shfs=; b=KtXGase/LCN/wMvs5VoqMVNP2ItSOlGoHtZc0BkPbg1a7MxiLutYLt2Ro2PAdjB1AD gbYaxF8mfmJOqtuxtXlTe1XRZHd7hlVwPxzcFYcDbi3tfT/mXHeN7yhb9wmzHS/fYIzp 3I9FvIVM4Deua0iJgCZFpD68I+WKXwqCIzr8KkQkm6A1ESWfAucz6sbYX1XxYHz5zua8 uCZE2qdvlDwabiSBVCDRT4zO9VR8b/g6Wn3TI7P62LnCYyuhaeZ2X25bgU0NbSl6ytnY FjmVOEt9m1Gmcz+iVozrlvn+XqnL7baAXs1Jpb3BkmNTWe6NRdrPOGvgalBGX/FPl1MN Xs1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=IvAb7Irk6rQZK/5bD0oTQC5nKWvaoE0uDzRRR92Shfs=; b=Y5XArhzq9a+Kr5YWHWy1XSblaNhZquyg1xpdtFZCfVZBdbUpWMQehXKh/oQtaFSYr/ wl6XDEgzBBRYPa5VI7NID5xi3yARexeFzC0nA6eIcE24RokUe/6jeFFr8X3jUCuXZCI/ xpC0WOR8uOlQbQlOAILKCPMnB9ObV+EuueG7xp+5/zzgowgGLAoHptQmpl4p9hZZjOFS Hah4ImtsFZhZMhOrUNrrwZd6nu7qXkTSSME+5BbV3dkQXZ8agdzS3YN9LNGfxDSL67n+ iuZQnegK3D9EFuAVejq1Skv6OIgvn1dOrIy/WOfQJ1iSgh2aezFnEzCZz6E8JnJgKCNi sRwQ==
X-Gm-Message-State: ALoCoQlSS+2IrbxyBwgdTst7B5mF0yFvOAUBpbfXoXnOODazk9TzVfA4F7CE99N/OMVnfePhtSXI
X-Received: by with SMTP id i124mr6611321oif.122.1446242979565; Fri, 30 Oct 2015 15:09:39 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 30 Oct 2015 15:09:19 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
From: Andy Lutomirski <>
Date: Fri, 30 Oct 2015 15:09:19 -0700
Message-ID: <>
To: Adam Langley <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
X-Mailman-Approved-At: Sun, 01 Nov 2015 07:51:57 -0800
Cc:, "" <>, Taylor R Campbell <>
Subject: Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Oct 2015 22:09:41 -0000

On Fri, Oct 30, 2015 at 2:28 PM, Adam Langley <> wrote:
> On Fri, Oct 30, 2015 at 11:47 AM, Andy Lutomirski <> wrote:
>> As far as I know, everyone thinks they know how to do a Merkle tree
>> for things like this, but there doesn't seem to be a credible
>> standard, and there are at least two modern examples of doing it
>> wrong: Amazon's Glacier hash and (unless it changed) Bittorrent's new
>> Merkle tree.
> Do you have references for either of these two issues? I wasn't aware of them.

No, but here goes:

Amazon does this:

Take 1MB chunks (and a possible short trailing chunk).  Hash them with
SHA256.  Then, as long as you have more than one hash in your array,
hash pairs of hashes together and just keep the extra odd one at the
end, if any.  This reduces the number of hashes from n to ceil(n/2).
When you have exactly one hash left, you're done.

This is vulnerable to a trivial second-preimage attack.  Fortunately,
it seems to be okay if you also store the length of the data along
with the hash value.

I don't know what Bittorrent is actually doing, but I found this
thing:  It seems
similarly broken.