Open OR13 opened 2 years ago
https://flawed.net.nz/2018/02/21/attacking-merkle-trees-with-a-second-preimage-attack/
In the above example, our inputs are L1, L2, L3, and L4. These eventually output the root hash value at the top of the diagram. But as you can see from the diagram, the inputs to the middle layer are the concatenated hashes of the previous layer, and we can just pass those two values directly into the Merkle Tree and get the same root hash value back.
A second preimage attack can easily be constructed by taking the intermediate hashes as inputs to the merkle tree. This would result in the same merkle root being formed.
So far, I have noticed 2 possible solutions to this:
^ my understanding is that both of these ideas revolve around treating leaf and internal nodes differently.
I feel that using different hash functions for leaves and internals
is the current behaviour of your implementation.
Although computeNextLevel()
always uses the same hash function, I would like to consider the process of salting members as part of leaf node's hash function. If this assumption is accepted, then there are effectively 2 different hashes:
hash(m)
hash(hash(Buffer.concat([m, calculateMessageNonce(m, i, rootNonce, hash)])))
A second preimage attack by taking intermediate hashes as inputs, would result in those intermediate hashes being salted, and having a different resulting merkle root.
This raises the question of what effect starting with "salted member leaf nodes" has.