
Leaf-Node Weakness in Bitcoin Merkle Tree Design - bscphil
https://bitslog.wordpress.com/2018/06/09/leaf-node-weakness-in-bitcoin-merkle-tree-design/
======
petertodd
Note that this is a mostly theoretical weakness: the cost to attack is orders
of magnitude higher than cost of simply creating fake blocks, which are almost
just as good at defauding SPV clients (particularly when you have a pile of
money left over by using the cheaper attack!).

Anyway, not many SPV clients actually exist these days - instead it's much
more common for "lite" wallets to actually use trusted servers.

~~~
tCfD
Then these so-called 'lite' wallets should be referred to with a much more
contextually pertinent description such as 'trustful' wallets.

~~~
petertodd
I wish they were frankly. Unfortunately there's endless dishonesty and fraud
in the blockchain world in projects denying that their solutions involve huge
amounts of trust; that's just a mild example out of many.

------
proofofmoon
> Mining several blocks in private to confirm the fake transaction may be
> needed to prevent the other miners from reorganizing the blockchain in order
> to steal the fees and output of transaction T. If the attacker is not in
> collusion with 51% of the miners, then this may cost the attacker millions
> in rented hashing power ...

Does this mean that this exploit only has value to an attacker who is already
capable of sustaining a 51% attack?

~~~
mickronome
No, AFAIU it only implies that such an attacker would have to face the multi
million dollar cost of renting enough hashing power to guarantee that no-one
could steal the 'loot' before the attack has settled. I didn't study the
article a lot, but it seems the attack transaction(s) previously crafted can
essentially be stolen by any node working with it, and that the costs sunk by
the attacker to craft the could then be avoided by THAT attacker.

------
chabes
Some discussion from the author's twitter post:
[https://twitter.com/spudowiar/status/1005551128233299968](https://twitter.com/spudowiar/status/1005551128233299968)

------
wslh
If you are interested in Sergio's insightful trip don't miss his story:
[https://bitslog.wordpress.com/about/](https://bitslog.wordpress.com/about/)

Disclaimer: he co-founded one of my companies.

------
mappu
The very popular Gnutella/DC TTH algorithm was distinguishing between Merkle
tree and leaf nodes for security/correctness in circa 2000, so it's not clear
why Bitcoin (2009) left it out.

------
ggg9990
Interesting to see how much intellectual rigor is in the theory of Bitcoin,
and how little in the long term market. It’s the exact opposite of most
startup sectors.

------
thespirit
Other resources related to this
[https://en.wikipedia.org/wiki/Merkle_tree#Second_preimage_at...](https://en.wikipedia.org/wiki/Merkle_tree#Second_preimage_attack)
[https://crypto.stackexchange.com/questions/2106/what-is-
the-...](https://crypto.stackexchange.com/questions/2106/what-is-the-purpose-
of-using-different-hash-functions-for-the-leaves-and-interna)
[https://crypto.stackexchange.com/questions/43430/what-is-
the...](https://crypto.stackexchange.com/questions/43430/what-is-the-reason-
to-separate-domains-in-the-internal-hash-algorithm-of-a-merkl/44971#44971)
[https://bitcointalk.org/?topic=102395](https://bitcointalk.org/?topic=102395)

