Validator node public keys and shard identifiers are hashed for the purpose of computing the root of a Merkle mountain range (soon to be replaced with a balanced binary hash tree). However, the hasher uses raw Blake256 with concatenation instead of a safer domain-separated hasher.
Because both the Merkle mountain range and (proposed) balanced binary hash tree implementations are generically vulnerable to second-preimage attacks, they must rely on application-specific data context or caller-provided domain separation for mitigation.
It would be safer (and good practice) to use domain separation for computation of leaf node hashes computed from validator node data.
Description
---
Uses the consensus hashing API to construct the hasher used to pre-hash validator node data for Merkle roots. Updates a test.
Closes [issue 5205](#5205).
Motivation and Context
---
The hasher currently used to pre-hash validator node keys and shard identifiers does not use domain separation or the consensus hashing API. This PR updates the hasher construction using the API.
How Has This Been Tested?
---
Existing tests pass.
BREAKING CHANGE: Renders existing validator node Merkle roots invalid.
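
The weakness the issue describes, as an added example that is not code from the issue, the PR, or the project: a toy balanced tree shows why undomained concatenation lets interior hashes pass as leaf data, and how a domain-separated leaf hasher prevents it. Assumptions: Blake256 is modelled with Python's `hashlib.blake2b` at a 32-byte digest, the tree is a simplified stand-in for the project's Merkle structures, and the labels, length-prefix encoding, and validator data are constructed for illustration.

```python
import hashlib

DIGEST_LEN = 32  # assumption: "Blake256" modelled as BLAKE2b with 32-byte output

def raw_hash(*parts):
    """Undomained hash over plain concatenation (the pattern the issue describes)."""
    return hashlib.blake2b(b"".join(parts), digest_size=DIGEST_LEN).digest()

def domain_hash(label, *parts):
    """Label goes in BLAKE2b's personalization field (max 16 bytes); every
    part is length-prefixed so field boundaries cannot shift."""
    h = hashlib.blake2b(digest_size=DIGEST_LEN, person=label)
    for part in parts:
        h.update(len(part).to_bytes(8, "little"))
        h.update(part)
    return h.digest()

def merkle_root(leaves, leaf_fn, node_fn):
    """Toy balanced binary tree over (public_key, shard_id) pairs."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("toy tree needs a power-of-two number of leaves")
    level = [leaf_fn(pk, shard) for pk, shard in leaves]
    while len(level) > 1:
        level = [node_fn(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

# Constructed sample data: four 32-byte keys and shard identifiers.
VALIDATORS = [(bytes([i]) * 32, bytes([0xA0 + i]) * 32) for i in range(4)]

def roots_collide(leaf_fn, node_fn):
    """True if a 2-leaf set built from the 4-leaf tree's leaf hashes yields the same root."""
    real = merkle_root(VALIDATORS, leaf_fn, node_fn)
    hashes = [leaf_fn(pk, shard) for pk, shard in VALIDATORS]
    # Present pairs of leaf hashes as if they were (public_key, shard_id) data.
    alt = [(hashes[0], hashes[1]), (hashes[2], hashes[3])]
    return merkle_root(alt, leaf_fn, node_fn) == real

# Hypothetical domain labels, not the project's own.
def leaf_ds(pk, shard):
    return domain_hash(b"example.vn.leaf", pk, shard)

def node_ds(left, right):
    return domain_hash(b"example.mr.node", left, right)

if __name__ == "__main__":
    print("raw concatenation collides:", roots_collide(raw_hash, raw_hash))
    print("domain separated collides: ", roots_collide(leaf_ds, node_ds))
```

In this toy tree, separating only the leaf hasher already breaks the collision, which is the mitigation the issue asks for.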