IETF Logo Mail Archive

Re: [Cfrg] Merkle trees

Gilles Van Assche <gilles.vanassche@st.com> Fri, 20 November 2015 10:03 UTC

Return-Path: <gilles.vanassche@st.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F317D1ACD0B for <cfrg@ietfa.amsl.com>; Fri, 20 Nov 2015 02:03:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.596
X-Spam-Level:
X-Spam-Status: No, score=-1.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_DYNAMIC=1.004, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jTetzEPF0H9g for <cfrg@ietfa.amsl.com>; Fri, 20 Nov 2015 02:03:47 -0800 (PST)
Received: from mx07-00178001.pphosted.com (mx07-00178001.pphosted.com [62.209.51.94]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 383621ACD0A for <cfrg@irtf.org>; Fri, 20 Nov 2015 02:03:46 -0800 (PST)
Received: from pps.filterd (m0046037.ppops.net [127.0.0.1]) by m0046037.ppops.net (8.14.5/8.14.5) with SMTP id tAK9vMcm000610; Fri, 20 Nov 2015 11:03:44 +0100
Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35]) by m0046037.ppops.net with ESMTP id 1y834cym6t-1 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 20 Nov 2015 11:03:44 +0100
Received: from zeta.dmz-eu.st.com (zeta.dmz-eu.st.com [164.129.230.9]) by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id B17D346; Fri, 20 Nov 2015 10:03:12 +0000 (GMT)
Received: from Webmail-eu.st.com (safex1hubcas6.st.com [10.75.90.73]) by zeta.dmz-eu.st.com (STMicroelectronics) with ESMTP id A1638E08; Fri, 20 Nov 2015 10:03:42 +0000 (GMT)
Received: from [10.137.3.249] (10.137.3.249) by webmail-eu.st.com (10.75.90.73) with Microsoft SMTP Server id 8.3.389.2; Fri, 20 Nov 2015 11:03:42 +0100
From: Gilles Van Assche <gilles.vanassche@st.com>
References: <20151103205735.974CE604A2@jupiter.mumble.net>
To: Taylor R Campbell <campbell+cfrg@mumble.net>
Message-ID: <564EF0AA.1020203@st.com>
Date: Fri, 20 Nov 2015 11:06:34 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151103205735.974CE604A2@jupiter.mumble.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33, 0.0.0000 definitions=2015-11-20_04:2015-11-20,2015-11-20,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Q2pjWrE2kxUYSBDMriHPEjEToN4>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Merkle trees
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 10:03:49 -0000

Hi Taylor,

Sorry for the late answer.

On 11/03/2015 09:57 PM, Taylor R Campbell wrote:
> With apologies for my false claim above, I must have skimmed the
> paper[1] too quickly to come to that conclusion -- it was a bit more
> general and abstract than the Blake2 tree-hashing specification.

No problemo. And yes, Sakura is not tight to a particular hash function.

> Do I understand correctly that Sakura is map from tree shape to
> encoding, not necessarily with a fixed number of bytes per message
> chunk or fixed fanout, depth per message length, &c.?

Yes, or "to encodings" since there could be more than one possible
encodings for a given tree shape, given the degrees of freedom that are
foreseen in Sakura. Alternatively, we speak about "Sakura-compatible
modes", where a mode specifies unambiguously how to shape and format the
tree.

> That is, you
> get is something like the following, with, e.g., H = RawSHAKE256 and
> with the shape of the tree specified by the caller, no matter how long
> a, b, and c are?
>
> Sakura-H(a) = H(a || root=1)
> Sakura-H(a || b) =
>   H(H(a || root=0) || H(b || root=0) || nrCVs=2 || interleave=0 || root=1)
> Sakura-H((a || b) || c) =
>   H(H(H(a || root=0) || H(b || root=0) || nrCVs=2 || interleave=0 ||
> root=0)
>     || H(c || root=0)
>     || nrCVs=2
>     || interleave=0
>     || root=1)
>
> If I understand correctly, that suggests that Sakura-H(a || b) is not
> a function of Sakura-H(a), since it is the root (`final') node that is
> distinguished from other (`inner') nodes, not leaf nodes (`message
> hops'?) that are distingushed from branch nodes (`chaining hops'?).
>
> I expect that property from a random oracle -- but it's not as useful
> for deduplication, since the additional storage for a || b can't be
> derived from just the storage index of a, namely Sakura-H(a).

I see your point.

Alternatively to your example above, one could define MyTreeH(a) = H(H(a
|| root=0) || nrCVs=1 || root=1). This way, H(a || root=0) would be a
"hash over chunk a", where this chunk could be reused in other files,
and H(a || root=1) or H(H(a || root=0) || nrCVs=1 || root=1) a "hash
over a file whose full content is composed of chunk a only". In other
words, the root/final flag behaves like domain separation between the
hash of a (complete) file versus the hash of a chunk (not necessarily a
complete file).

Kind regards,
Gilles

v2.23.0 | Report a Bug | By Email