Re: [Cfrg] Merkle trees
Gilles Van Assche <gilles.vanassche@st.com> Fri, 20 November 2015 10:03 UTC
Return-Path: <gilles.vanassche@st.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F317D1ACD0B for <cfrg@ietfa.amsl.com>; Fri, 20 Nov 2015 02:03:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.596
X-Spam-Level:
X-Spam-Status: No, score=-1.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_DYNAMIC=1.004, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jTetzEPF0H9g for <cfrg@ietfa.amsl.com>; Fri, 20 Nov 2015 02:03:47 -0800 (PST)
Received: from mx07-00178001.pphosted.com (mx07-00178001.pphosted.com [62.209.51.94]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 383621ACD0A for <cfrg@irtf.org>; Fri, 20 Nov 2015 02:03:46 -0800 (PST)
Received: from pps.filterd (m0046037.ppops.net [127.0.0.1]) by m0046037.ppops.net (8.14.5/8.14.5) with SMTP id tAK9vMcm000610; Fri, 20 Nov 2015 11:03:44 +0100
Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35]) by m0046037.ppops.net with ESMTP id 1y834cym6t-1 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 20 Nov 2015 11:03:44 +0100
Received: from zeta.dmz-eu.st.com (zeta.dmz-eu.st.com [164.129.230.9]) by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id B17D346; Fri, 20 Nov 2015 10:03:12 +0000 (GMT)
Received: from Webmail-eu.st.com (safex1hubcas6.st.com [10.75.90.73]) by zeta.dmz-eu.st.com (STMicroelectronics) with ESMTP id A1638E08; Fri, 20 Nov 2015 10:03:42 +0000 (GMT)
Received: from [10.137.3.249] (10.137.3.249) by webmail-eu.st.com (10.75.90.73) with Microsoft SMTP Server id 8.3.389.2; Fri, 20 Nov 2015 11:03:42 +0100
From: Gilles Van Assche <gilles.vanassche@st.com>
References: <20151103205735.974CE604A2@jupiter.mumble.net>
To: Taylor R Campbell <campbell+cfrg@mumble.net>
Message-ID: <564EF0AA.1020203@st.com>
Date: Fri, 20 Nov 2015 11:06:34 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151103205735.974CE604A2@jupiter.mumble.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33, 0.0.0000 definitions=2015-11-20_04:2015-11-20,2015-11-20,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Q2pjWrE2kxUYSBDMriHPEjEToN4>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Merkle trees
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 10:03:49 -0000
Hi Taylor, Sorry for the late answer. On 11/03/2015 09:57 PM, Taylor R Campbell wrote: > With apologies for my false claim above, I must have skimmed the > paper[1] too quickly to come to that conclusion -- it was a bit more > general and abstract than the Blake2 tree-hashing specification. No problemo. And yes, Sakura is not tight to a particular hash function. > Do I understand correctly that Sakura is map from tree shape to > encoding, not necessarily with a fixed number of bytes per message > chunk or fixed fanout, depth per message length, &c.? Yes, or "to encodings" since there could be more than one possible encodings for a given tree shape, given the degrees of freedom that are foreseen in Sakura. Alternatively, we speak about "Sakura-compatible modes", where a mode specifies unambiguously how to shape and format the tree. > That is, you > get is something like the following, with, e.g., H = RawSHAKE256 and > with the shape of the tree specified by the caller, no matter how long > a, b, and c are? > > Sakura-H(a) = H(a || root=1) > Sakura-H(a || b) = > H(H(a || root=0) || H(b || root=0) || nrCVs=2 || interleave=0 || root=1) > Sakura-H((a || b) || c) = > H(H(H(a || root=0) || H(b || root=0) || nrCVs=2 || interleave=0 || > root=0) > || H(c || root=0) > || nrCVs=2 > || interleave=0 > || root=1) > > If I understand correctly, that suggests that Sakura-H(a || b) is not > a function of Sakura-H(a), since it is the root (`final') node that is > distinguished from other (`inner') nodes, not leaf nodes (`message > hops'?) that are distingushed from branch nodes (`chaining hops'?). > > I expect that property from a random oracle -- but it's not as useful > for deduplication, since the additional storage for a || b can't be > derived from just the storage index of a, namely Sakura-H(a). I see your point. Alternatively to your example above, one could define MyTreeH(a) = H(H(a || root=0) || nrCVs=1 || root=1). This way, H(a || root=0) would be a "hash over chunk a", where this chunk could be reused in other files, and H(a || root=1) or H(H(a || root=0) || nrCVs=1 || root=1) a "hash over a file whose full content is composed of chunk a only". In other words, the root/final flag behaves like domain separation between the hash of a (complete) file versus the hash of a chunk (not necessarily a complete file). Kind regards, Gilles
- [Cfrg] streamable AEAD construct for stored data? Daniel Kahn Gillmor
- Re: [Cfrg] streamable AEAD construct for stored d… Natanael
- Re: [Cfrg] streamable AEAD construct for stored d… Watson Ladd
- Re: [Cfrg] streamable AEAD construct for stored d… Natanael
- Re: [Cfrg] streamable AEAD construct for stored d… Daniel Kahn Gillmor
- Re: [Cfrg] streamable AEAD construct for stored d… Hanno Böck
- Re: [Cfrg] streamable AEAD construct for stored d… Watson Ladd
- Re: [Cfrg] streamable AEAD construct for stored d… Taylor R Campbell
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Adam Langley
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Björn Edström
- [Cfrg] Merkle trees [was Re: streamable AEAD cons… Taylor R Campbell
- Re: [Cfrg] streamable AEAD construct for stored d… Zooko Wilcox-OHearn
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andrey Jivsov
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Watson Ladd
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Paul Lambert
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andy Lutomirski
- Re: [Cfrg] [openpgp] streamable AEAD construct fo… Andy Lutomirski
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Gilles Van Assche
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] Merkle trees Taylor R Campbell
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Zooko Wilcox-OHearn
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Tony Arcieri
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Ben Laurie
- Re: [Cfrg] streamable AEAD construct for stored d… Bryan Ford
- Re: [Cfrg] streamable AEAD construct for stored d… Andy Lutomirski
- Re: [Cfrg] streamable AEAD construct for stored d… Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bill Cox
- Re: [Cfrg] Merkle trees [was Re: streamable AEAD … Bryan Ford
- Re: [Cfrg] streamable AEAD construct for stored d… Alex Elsayed
- Re: [Cfrg] Merkle trees Gilles Van Assche