[Proposal] Forcing the sequencer to actually submit data to L1

In the above case, what you need is the “construct” to provide integrity of the logs. Therefore, we need collision-resistance (and therefore security against second pre-image attacks). If you can find two inputs of the above construct with the same output, this would mean that you found a very bad property of SHA-256, as one would be able to find SHA-256 values of 2 different inputs which have essentially most of the bytes correlated. Equally important as a cryptography engineering practice is that the data structure (that is hashed) is serialized through an injective function (a big issue when appending variable-size arrays, for instance; more on this: Horton Principle and Pascal Junod’s post). Namely, you need to make sure that the collision resistance applies at the original data structure (and not the serialization). In the context of a Merkle tree, one also needs to serialize the leaves differently than the inner nodes, as explained here. Note that making a modulo operation and then hashing would be totally broken. Finally, this construct has the undesirable property of having a bias, namely if P is not an integer divisor of 2^256, the output will definitely not be uniformly distributed over 0…P-1. The question is whether it is an issue in this context?

7 Likes
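The two serialization points raised in the post above (injective encoding of variable-size arrays, and hashing Merkle leaves differently from inner nodes), as an added example that is not part of the original post or of any project's code. All function names and sample inputs are constructed for illustration; the `0x00`/`0x01` prefixes follow the RFC 6962 convention, which is an assumption about which scheme the post has in mind.

```python
import hashlib
import struct

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# --- Serializing a list of variable-size byte arrays ---
def encode_naive(items):
    # Not injective: item boundaries are lost on concatenation.
    return b"".join(items)

def encode_injective(items):
    # Item count, then each item preceded by its 4-byte big-endian length.
    out = struct.pack(">I", len(items))
    for item in items:
        out += struct.pack(">I", len(item)) + item
    return out

# --- Merkle root over a power-of-two number of leaves ---
def merkle_root(leaves, leaf_prefix=b"", node_prefix=b""):
    level = [H(leaf_prefix + leaf) for leaf in leaves]
    while len(level) > 1:
        level = [H(node_prefix + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]

def demo():
    # Constructed sample inputs: two different lists, same concatenation.
    a, b = [b"ab", b"c"], [b"a", b"bc"]
    naive_collides = H(encode_naive(a)) == H(encode_naive(b))
    injective_collides = H(encode_injective(a)) == H(encode_injective(b))

    # Constructed sample leaves, and a single leaf whose bytes are exactly
    # the preimage of the two-leaf tree's inner node.
    leaves = [b"tx0", b"tx1"]
    lookalike = [H(b"tx0") + H(b"tx1")]
    untagged_collides = merkle_root(leaves) == merkle_root(lookalike)
    tagged_collides = (merkle_root(leaves, b"\x00", b"\x01")
                       == merkle_root(lookalike, b"\x00", b"\x01"))
    return naive_collides, injective_collides, untagged_collides, tagged_collides

if __name__ == "__main__":
    print(demo())
```

In both colliding cases SHA-256 itself is untouched: the same bytes reach the hash from two different data structures, which is why the collision resistance has to hold at the level of the original structure.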