LNPBP-81: Tagged Merkle trees

LNPBP: 0081
Vertical: Cryptographic primitives
Title: Tagged merkle trees for client-side-validation
Author: Dr Maxim Orlovsky  <[email protected]>,
        Peter Todd
Comments-URI: https://github.com/LNP-BP/lnpbps/issues/<____>
Status: Draft
Type: Standards Track
Created: 2021-05-11
License: CC0-1.0

Abstract

Background

Motivation

Problems with modern merkle trees:

Depth extension attack: no commitment to the tree depth

Design

Based on bitcoin merklization with following modifications:

Tagged hashing for source data
Tagged hashing of each tree object
Commitments to depth, width and height of the tree
Custom placeholders for empty objects
Restricting tree source to 2^16 elements (height is always <=16)

Specification

Merkle node is represented by a single SHA256 hash over the following data, serialized as a byte stream without any separators:

branch type (byte)
tag (128-bit number)
depth (byte)
width (4 bytes, little-endian)
child node 1 (32 bytes)
child node 2 (32 bytes)

If one or both of the child nodes are absent, a constant consisting of 16 0xFF bytes is used.

The root is produced via CommitmentId procedure

Compatibility

Rationale

Reference implementation

Acknowledgements

References

Copyright

This document is licensed under the Creative Commons CC0 1.0 Universal license.

Test vectors

PreviousLNPBP-3: Tx output NextLNPBP-4: Multi-protocol

Last updated 8 months ago

hashtagAbstract

hashtagBackground

hashtagMotivation

hashtagDesign

hashtagSpecification

hashtagCompatibility

hashtagRationale

hashtagReference implementation

hashtagAcknowledgements

hashtagReferences

hashtagCopyright

hashtagTest vectors