Author: Russell O'Connor 2017-05-29 14:55:37
Published on: 2017-05-29T14:55:37+00:00
In a discussion on the Bitcoin development mailing list, Russell O'Connor pointed out that not all of the inputs to the SHA256 compression function are equal. 'merkleRoot' is designed to ensure that the first argument of the SHA256 compression function is only fed some output of the SHA256 compression function. However, Peter Todd noted that this does not hold true in the case of pruned trees, as for the pruning to be useful, you don't know what produced the left merkleRoot, and thus you can't guarantee it is in fact a midstate of a genuine SHA256 hash. O'Connor acknowledged this, stating that there is no reason to think that the SHA-256 compression function will be secure with chosen initial values. He suggested a solution involving putting the hash of the tags into Sha256Compress's first argument, which would still hold the Merkle-Damgard property under certain conditions about tags determining the type of node, but would lose the ability to cleverly avoid collisions between the Sha256 and MerkleRoot functions by using safe tags.
Updated on: 2023-06-12T01:06:41.069864+00:00