[cryptography] Fwd: Last Call: <draft-laurie-pki-sunlight-05.txt> (Certificate Transparency) to Experimental RFC

CodesInChaos codesinchaos at gmail.com
Tue Jan 8 11:49:18 EST 2013

You're using a classical merkle tree which has only two tags, one for
leaves, and one for inner nodes.
This doesn't have any practical weaknesses, but lowers second pre-image
resistance from 2^256 to (2^256)/n. For realistic
input sizes that's still above 2^200, so it doesn't really matter.
I believe a construction that uses unique tags for each node (for example
using a (depth, node-index) pair is a bit stronger,
since it avoids this issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130108/dda91f9f/attachment.html>

More information about the cryptography mailing list