It appears from https://github.com/SpinResearch/merkle.rs/blob/90d804e3ce9f313003014175184d393cde7737f1/src/hashutils.rs#L19-L28 that leaf hashes are calculated as H(bytes) and internal node hashes are calculated as H(left || right). Consequentially, it's possible for a leaf to have the same hash as an internal node, and therefore for two different trees to have the same root hash. To avoid this, I suggest calculating leaf and internal node hashes as H(0x00 || bytes) and H(0x01 || left || right), respectively, Certificate Transparency-style.
I think you should domain separate the internal nodes and the serialization proof should explicitly state the domain separation tag to be as explicit as possible.
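The collision described in the issue and the effect of the suggested tags, as an added Python example (not merkle.rs code and not written by either commenter). SHA-256, the power-of-two leaf count, the sample leaves and all function names are assumptions of this sketch; only the `0x00`/`0x01` tags come from the issue.

```python
import hashlib

# Tags proposed in the issue (Certificate Transparency style).
LEAF_TAG = b"\x00"
NODE_TAG = b"\x01"


def sha256(data: bytes) -> bytes:
    # SHA-256 is an assumption chosen for this sketch.
    return hashlib.sha256(data).digest()


def leaf_hash(data: bytes, tagged: bool) -> bytes:
    # Untagged: H(bytes). Tagged: H(0x00 || bytes).
    return sha256((LEAF_TAG if tagged else b"") + data)


def node_hash(left: bytes, right: bytes, tagged: bool) -> bytes:
    # Untagged: H(left || right). Tagged: H(0x01 || left || right).
    return sha256((NODE_TAG if tagged else b"") + left + right)


def merkle_root(leaves: list, tagged: bool) -> bytes:
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("sketch assumes a power-of-two number of leaves")
    level = [leaf_hash(x, tagged) for x in leaves]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1], tagged)
                 for i in range(0, len(level), 2)]
    return level[0]


def second_tree_leaves(leaves: list, tagged: bool) -> list:
    # A different, 2-leaf tree whose leaf *values* are the byte strings
    # that the 4-leaf tree feeds into its first level of internal nodes.
    h = [leaf_hash(x, tagged) for x in leaves]
    return [h[0] + h[1], h[2] + h[3]]


def roots_collide(tagged: bool) -> bool:
    original = [b"a", b"b", b"c", b"d"]  # constructed sample leaves
    other = second_tree_leaves(original, tagged)
    return merkle_root(original, tagged) == merkle_root(other, tagged)


if __name__ == "__main__":
    print("untagged roots collide:", roots_collide(False))
    print("tagged roots collide:  ", roots_collide(True))
```

Without tags the 4-leaf and 2-leaf trees share a root because a leaf's hash input can equal an internal node's hash input; with the tags the two inputs always differ in their first byte.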