On Fri, Oct 30, 2015 at 11:32 AM, Taylor R Campbell
<campbell+cfrg(_at_)mumble(_dot_)net> wrote:
This requires only O(log n) working memory to compute the Merkle tree
-- it takes a single pass over the whole input.
...which reminds me:
As far as I know, everyone thinks they know how to do a Merkle tree
for things like this, but there doesn't seem to be a credible
standard, and there are at least two modern examples of doing it
wrong: Amazon's Glacier hash and (unless it changed) Bittorrent's new
Merkle tree.
Should CFRG consider standardizing a transport format for hash tree
verifiers (or proofs or whatever they're called) and for a large blob
that can be used to efficiently generate the proofs (essentially some
kind of serialized tree)? The Sakura construction could be a good
starting point. If I were designing such a standard, I would be
extremely hesitant to start with SHA256 or similar because of the lack
of personalization, whereas Sakura (and maybe BLAKE2) doesn't have
this problem.
Sadly, Sakura doesn't seem to be officially blessed yet.
--Andy
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp