1

To prevent second pre-image attacks, the Merkle Tree implementations I've looked at add a 0 prefix to the leaves and a 1 prefix to all other nodes as described at the bottom of this link:

https://flawed.net.nz/2018/02/21/attacking-merkle-trees-with-a-second-preimage-attack/

If we assume the Merkle Tree is a Complete Binary Tree, where all the leaves are on the same level and packed to the left, do we need to hash the leaves with a 0 prefix? Can we instead prefix all interior nodes with the tree depth as the article appears to hint at and not prefix the leaves? Am I missing something?

GuestMeNot
  • 11
  • 1
  • As long as you don't hash the output of a previous hash in the tree in such a way that you can simulate another node then this should be alright I think. If you store the intermediate hashes then you could have a small issue with domain separation, but I could argue that simply adding a zero or a one would not really avoid that issue either. Hopefully someone can have a more authoritative answer though; this is mainly well informed intuition. – Maarten Bodewes Sep 14 '22 at 09:50
  • If they are adding only to leaves they are obviously wrong there https://crypto.stackexchange.com/a/71313/18298 – kelalaka Sep 14 '22 at 11:34

0 Answers0