LNP/BP Standards
  • List of specifications
  • Commitment schemes
    • LNPBP-1: Public keys
    • LNPBP-2: Script
    • LNPBP-3: Tx output
    • LNPBP-81: Tagged Merkle trees
    • LNPBP-4: Multi-protocol
    • LNPBP-6: PayTweak
    • LNPBP-12: TapRet
    • LNPBP-8: Single-use-seals
    • LNPBP-10: TxO seals
  • Bitcoin Protocol
    • LNPBP-5: Short tx ids
  • RGB
    • LNPBP-13: RGB consensus
    • RGB-20: Fungible assets
    • RGB-21: NFT collectibles
    • RGB-22: Digital identity
    • RGB-23: Audit logs
    • RGB-24: Domain names
    • LNPBP-31: Standard contractum lib
    • LNPBP-37: Invoices (rejected)
  • Lightning network protocol
    • LNPBP-46: LN derivations
    • LNPBP-50: Bifrost P2P
    • LNPBP-51: Bifrost channels
    • LNPBP-53: Multipeer channels
    • LNPBP-55: Bifrost HTLCs
Powered by GitBook
On this page
  • Abstract
  • Background
  • Motivation
  • Design
  • Specification
  • Compatibility
  • Rationale
  • Reference implementation
  • Acknowledgements
  • References
  • Copyright
  • Test vectors
Edit on GitHub
Export as PDF
  1. Commitment schemes

LNPBP-81: Tagged Merkle trees

PreviousLNPBP-3: Tx outputNextLNPBP-4: Multi-protocol

Last updated 4 days ago

LNPBP: 0081
Vertical: Cryptographic primitives
Title: Tagged merkle trees for client-side-validation
Author: Dr Maxim Orlovsky  <orlovsky@protonmail.ch>,
        Peter Todd
Comments-URI: https://github.com/LNP-BP/lnpbps/issues/<____>
Status: Draft
Type: Standards Track
Created: 2021-05-11
License: CC0-1.0

Abstract

Background

Motivation

Problems with modern merkle trees:

  • Depth extension attack: no commitment to the tree depth

Design

Based on bitcoin merklization with following modifications:

  • Tagged hashing for source data

  • Tagged hashing of each tree object

  • Commitments to depth, width and height of the tree

  • Custom placeholders for empty objects

  • Restricting tree source to 2^16 elements (height is always <=16)

Specification

Merkle node is represented by a single SHA256 hash over the following data, serialized as a byte stream without any separators:

  • branch type (byte)

  • tag (128-bit number)

  • depth (byte)

  • width (4 bytes, little-endian)

  • child node 1 (32 bytes)

  • child node 2 (32 bytes)

If one or both of the child nodes are absent, a constant consisting of 16 0xFF bytes is used.

The root is produced via CommitmentId procedure

Compatibility

Rationale

Reference implementation

Acknowledgements

References

Copyright

This document is licensed under the Creative Commons CC0 1.0 Universal license.

Test vectors

Abstract
Background
Motivation
Design
Specification
Compatibility
Rationale
Reference implementation
Acknowledgements
References
Copyright
Test vectors