IETF Logo Mail Archive

Re: [Trans] Verifying inclusion proof

Adam Eijdenberg <eijdenberg@google.com> Tue, 30 June 2015 17:05 UTC

Return-Path: <eijdenberg@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27A5A1B3222 for <trans@ietfa.amsl.com>; Tue, 30 Jun 2015 10:05:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mj-0W6066DzD for <trans@ietfa.amsl.com>; Tue, 30 Jun 2015 10:05:37 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E47381B3218 for <trans@ietf.org>; Tue, 30 Jun 2015 10:05:26 -0700 (PDT)
Received: by ykdv136 with SMTP id v136so14905054ykd.0 for <trans@ietf.org>; Tue, 30 Jun 2015 10:05:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=I+ZEShX9BUlxak1om49cEmPRhbqvIxrE5zuWuML7cfk=; b=TMemiAS9tRksC5xNVWdMjCq4P82dodaUtezWRWXsP/1GnBfiT7zmixSileyvmffk6L ki0kzEY63H+X2Lj9VTyCgPZUrpoIM9wfEkl+mA2EoRlEzPm2Mzc19HHQnUJZiSDoahGT KvhCUcSPpaXis22uEMaI59O9wa+AlUG2blt6DDzAI2DpO5I2sx0mEwtaSgoZpB0fw9tj WnCXn6KR4FsvidX3BwTDEVHGuthWchf9kB2Qi3iLgCzBYd0RSmav15Z/aN8HmAIFfX0z GnZ+nIQoTKj/n24+IiG8dohZwIEGSy2ZhfNNp80ZMDzGiq2An7KG4IyjTGpoKV1NlaRJ eBRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=I+ZEShX9BUlxak1om49cEmPRhbqvIxrE5zuWuML7cfk=; b=TSJhmrunUfQx5naMb0JB5yxr8twnBwe5oOi3kKa510RVvYMPR5D/8UABI/6rx1L4XN i5mF3LCfK+iIiZfpSGD3axv+WGA8PH3x4J2JYMs7yZBW8Ufp2S42qRUM+/SLIR+0z9FA HDuDx9AGl2R/713a9O5tPeWuudl/zJpzQZoYO/xXvGIoK9J6SoiE6eFILZWoDzhj2IoE SpdFD5RvZ9TC5hcrIXOTP1nVtxyqtdbgjhhJ8UqCMzG9gc57ySntoTDSCPO4mZYFfEtm JDiLrKvv4o4GkaMkAvID+prSoFfg4PrxF/nElItSUq+HEZpNCZi9RrNSFjKYUGjJ36Hc J6QQ==
X-Gm-Message-State: ALoCoQlDYF1UdBbW8R626foHWt4hMWrJgNnjLpzYiA1Q3+QRfK8gfgXifPAA14sWXKEbYIdVWAOi
X-Received: by 10.170.208.81 with SMTP id z78mr26479751yke.106.1435683926018; Tue, 30 Jun 2015 10:05:26 -0700 (PDT)
MIME-Version: 1.0
References: <558D61DE.8020402@nic.cz> <CACM=_OeTnNCk+VSiQ1E5T2_a7YkxwxZ2w8HJSg13wtVc2wQUfA@mail.gmail.com> <55900D1D.2030009@bbn.com> <CABrd9SQV6tybHwgo=ZATEPjhsV64=5=O-fi10pcwHnAHCyArDA@mail.gmail.com> <20150628220648.GI13302@hezmatt.org> <CABrd9SS7-dDYUhJkFe99YQ2EtdO6x10y=VOc4Qr6ERL+PZq0hQ@mail.gmail.com> <20150629230458.GX30545@hezmatt.org> <CABrd9SSwixBdaF38LS4zf6KSCOqk=VML1MBia+to=eBfPhcfkg@mail.gmail.com>
In-Reply-To: <CABrd9SSwixBdaF38LS4zf6KSCOqk=VML1MBia+to=eBfPhcfkg@mail.gmail.com>
From: Adam Eijdenberg <eijdenberg@google.com>
Date: Tue, 30 Jun 2015 17:05:14 +0000
Message-ID: <CAP9QY5asTWD=xdLu0esrCPAk1JsO6VCGqhvPMVggZuaYn=21Bg@mail.gmail.com>
To: Ben Laurie <benl@google.com>, Matt Palmer <mpalmer@hezmatt.org>
Content-Type: multipart/alternative; boundary="001a114503e26bdd910519bf36a0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/sYifcCJtIvbHlyETknRcIjn2TqQ>
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Verifying inclusion proof
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 17:05:40 -0000

On Tue, Jun 30, 2015 at 5:30 AM Ben Laurie <benl@google.com> wrote:

> On 30 June 2015 at 00:04, Matt Palmer <mpalmer@hezmatt.org> wrote:
> > On Mon, Jun 29, 2015 at 12:29:47PM +0100, Ben Laurie wrote:
> >> On 28 June 2015 at 23:06, Matt Palmer <mpalmer@hezmatt.org> wrote:
> >> > On Sun, Jun 28, 2015 at 04:26:51PM +0100, Ben Laurie wrote:
> >> >> On 28 June 2015 at 16:05, Stephen Kent <kent@bbn.com> wrote:
> >> >> > IETF standards need to be unambiguous. Code is very helpful, but
> it is not a
> >> >> > substitute
> >> >> > for a rigorous description of how to resolve the issue that Onderj
> raised.
> >> >>
> >> >> Whilst I am not necessarily opposed to that, there has to be a point
> >> >> at which you stop explaining what can be worked out given existing
> >> >> information. The RFC does state how the hash is calculated, from
> which
> >> >> it is clear what the placement of each node is in the hash
> >> >> calculation.
> >> >
> >> > s/it is clear/it is possible to determine/
> >> >
> >> > I would be in favour of more clarity around exactly how the inclusion
> proof
> >> > is represented; I recall having significant trouble comprehending how
> >> > inclusion proofs "worked", and ended up examining existing
> operational logs
> >> > and using trial and error to determine how the inclusion proof was
> >> > presented.
> >>
> >> Feel free to open a ticket. However, the mechanism for verifying
> >> inclusion in a Merkle tree is widely available in standard texts, for
> >> example 3.3 in
> http://www.emsec.rub.de/media/crypto/attachments/files/2011/04/becker_1.pdf
> .
> >
> > That document doesn't appear to be referenced in 6962bis, nor would it, I
> > assume, answer the question "how is the inclusion proof represented in
> the
> > response to get-sth-consistency".
>
> Fair enough. Do you have proposed text?
>

Would the following text be helpful for /get-proof-by-hash? (I realize the
immediate question refers to get-sth-consistency, I'd be happy to tackle
that next)

To verify the Merkle Tree root hash for the tree_size provided as input, a
client can use the hash provided as input combined with applying the
audit_path and leaf_index returned as output in the following manner (note,
all values must be base64 decoded first):

1. Set the intermediate result "r" to hash.

2. For each "i" from 0 up to LENGTH(audit_path) - 1:

   If the least significant bit of (leaf_index >> i) is set, then:

   a. Set r to HASH(0x01 || audit_path[i] || r)

   otherwise:

   b. Set r to HASH(0x01 || r || audit_path[i])

3. Return r

If "r" is equal to the root hash previously returned by /get-sth for the
same tree_size that was passed as input, then the log has successfully
proven the inclusion of the certificate that the Merkle tree leaf hash was
constructed from.




>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>

v2.23.0 | Report a Bug | By Email