[bitcoin-dev] A Method for Computing Merkle Roots of Annotated Binary Trees

Peter Todd pete at petertodd.org
Sun May 28 08:26:24 UTC 2017


On Mon, May 22, 2017 at 03:05:49AM -0400, Russell O'Connor via bitcoin-dev wrote:
> Not all of the inputs to the SHA256 compression function are created
> equal.  Only the second argument, the chunk data, is applied to the SHA256
> expander.  `merkleRoot` is designed to ensure that the first argument of
> the SHA256 compression function is only fed some output of the SHA256
> compression function.  In fact, we can prove that the output of the
> `merkleRoot` function is always the midstate of some SHA256 hash.  To see
> this, let us explicitly separate the `sha256` function into the padding
> step, `sha256Pad`, and the recursive hashing step, `unpaddedSha256`.

This doesn't hold true in the case of pruned trees, as for the pruning to be
useful, you don't know what produced the left merkleRoot, and thus you can't
guarantee it is in fact a midstate of a genuine SHA256 hash.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20170528/def153ff/attachment.sig>


More information about the bitcoin-dev mailing list