
Re: [openpgp] [Cfrg] streamable AEAD construct for stored data?

2015-11-02 17:25:24
On Fri, Oct 30, 2015 at 03:09:19PM -0700, Andy Lutomirski wrote:
> No, but here goes:
>
> Amazon does this:
>
> http://docs.aws.amazon.com/amazonglacier/latest/dev/checksum-calculations.html
>
> Take 1MB chunks (and a possible short trailing chunk).  Hash them with
> SHA256.  Then, as long as you have more than one hash in your array,
> hash pairs of hashes together and just keep the extra odd one at the
> end, if any.  This reduces the number of hashes from n to ceil(n/2).
> When you have exactly one hash left, you're done.
>
> This is vulnerable to a trivial second-preimage attack.  Fortunately,
> it seems to be okay if you also store the length of the data along
> with the hash value.

Mind explaining in a bit more detail what exactly you think this attack
is? Bitcoin did have an attack on a similar implementation, but with the
critical difference that in Bitcoin rather than moving the odd block up
to the "next level" it was duplicated:

https://github.com/bitcoin/bitcoin/blob/d22701118413b876579c020ea90ecf7a0d5671cb/src/primitives/block.cpp#L17

-- 
'peter'[:-1]@petertodd.org
00000000000000001082036bc5c78a25a50b85744159b260e5136771a5611715
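The two odd-node treatments discussed in the thread side by side, as an added example that is not code from either poster or from Amazon: the Glacier-style tree hash carries an unpaired hash up unchanged, while the old Bitcoin variant hashes it with a copy of itself. The `chunk_size` parameter and the empty-input rule are assumptions added so the construct can be exercised on tiny inputs; Glacier itself uses 1 MiB leaves.

```python
import hashlib
from typing import List

CHUNK_SIZE = 1024 * 1024  # Glacier leaf size (1 MiB); last chunk may be short


def leaf_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[bytes]:
    """SHA-256 of each fixed-size chunk of data.
    Assumption (not on the page): empty input is treated as one empty chunk."""
    if not data:
        return [hashlib.sha256(b"").digest()]
    return [hashlib.sha256(data[i:i + chunk_size]).digest()
            for i in range(0, len(data), chunk_size)]


def reduce_level(hashes: List[bytes], odd: str) -> List[bytes]:
    """One round of pairing: n hashes become ceil(n/2).
    odd="carry"     -> unpaired trailing hash moves up unchanged (Glacier).
    odd="duplicate" -> unpaired hash is hashed with itself (old Bitcoin)."""
    out = [hashlib.sha256(hashes[i] + hashes[i + 1]).digest()
           for i in range(0, len(hashes) - 1, 2)]
    if len(hashes) % 2 == 1:
        last = hashes[-1]
        if odd == "carry":
            out.append(last)
        elif odd == "duplicate":
            out.append(hashlib.sha256(last + last).digest())
        else:
            raise ValueError(f"unknown odd-node rule: {odd!r}")
    return out


def tree_hash(data: bytes, chunk_size: int = CHUNK_SIZE, odd: str = "carry") -> bytes:
    """Root of the binary tree hash; a single chunk hashes to plain SHA-256."""
    hashes = leaf_hashes(data, chunk_size)
    while len(hashes) > 1:
        hashes = reduce_level(hashes, odd)
    return hashes[0]


def root_unchanged_by_duplicating_last_chunk(data: bytes, chunk_size: int, odd: str) -> bool:
    """Caveat check for the Bitcoin-style rule: with an odd number of full
    chunks, appending a copy of the final chunk should change the root.
    Under odd="duplicate" it does not, which is the ambiguity the thread
    refers to; under odd="carry" it does."""
    if len(data) % chunk_size != 0 or (len(data) // chunk_size) % 2 == 0:
        raise ValueError("need an odd number of full-size chunks")
    extended = data + data[-chunk_size:]
    return tree_hash(data, chunk_size, odd) == tree_hash(extended, chunk_size, odd)
```

Storing the total length next to the root, as the quoted message suggests, is what distinguishes a 3-chunk input from a 4-chunk one once the roots agree.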

