LNPBP-81: Tagged Merkle trees

LNPBP: 0081
Vertical: Cryptographic primitives
Title: Tagged merkle trees for client-side-validation
Author: Dr Maxim Orlovsky  <[email protected]>,
        Peter Todd
Comments-URI: https://github.com/LNP-BP/lnpbps/issues/<____>
Status: Draft
Type: Standards Track
Created: 2021-05-11
License: CC0-1.0

Abstract

Background

Motivation

Problems with modern merkle trees:

  • Depth extension attack: no commitment to the tree depth

Design

Based on bitcoin merklization with following modifications:

  • Tagged hashing for source data

  • Tagged hashing of each tree object

  • Commitments to depth, width and height of the tree

  • Custom placeholders for empty objects

  • Restricting tree source to 2^16 elements (height is always <=16)

Specification

Merkle node is represented by a single SHA256 hash over the following data, serialized as a byte stream without any separators:

  • branch type (byte)

  • tag (128-bit number)

  • depth (byte)

  • width (4 bytes, little-endian)

  • child node 1 (32 bytes)

  • child node 2 (32 bytes)

If one or both of the child nodes are absent, a constant consisting of 16 0xFF bytes is used.

The root is produced via CommitmentId procedure

Compatibility

Rationale

Reference implementation

Acknowledgements

References

This document is licensed under the Creative Commons CC0 1.0 Universal license.

Test vectors

Last updated