From 41d60fa299b99d1ac1b4afc865924ad79a91a5d9 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Fri, 17 Mar 2023 09:45:57 +0100 Subject: Fork merkle package To get ranged inclusion proofs that operate on leaf hashes rather than the leaf data. Should probably be fixed upstream at some point. --- internal/merkle/compact.go | 115 +++++++++++++++++++ internal/merkle/merkle.go | 271 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 386 insertions(+) create mode 100644 internal/merkle/compact.go create mode 100644 internal/merkle/merkle.go diff --git a/internal/merkle/compact.go b/internal/merkle/compact.go new file mode 100644 index 0000000..6eeabd0 --- /dev/null +++ b/internal/merkle/compact.go @@ -0,0 +1,115 @@ +// BSD 2-Clause License +// +// Copyright (c) 2022, the ct authors +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this +// list of conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, +// this list of conditions and the following disclaimer in the documentation +// and/or other materials provided with the distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// From: +// https://gitlab.torproject.org/rgdd/ct/-/tree/main/pkg/merkle +// +// The only difference is that leaf hashes rather than leaf data are passed as +// input to TreeHeadFromRangeProof, thus also changing the nodes() helper. +package merkle + +import ( + "crypto/sha256" + "fmt" +) + +// node represents a subtree at some level and a particular index +type node struct { + index uint64 + hash [sha256.Size]byte +} + +// nodes returns a list of consecutive leaf hashes +func nodes(index uint64, leafHashes [][sha256.Size]byte) (n []node) { + for i, lh := range leafHashes { + n = append(n, node{index + uint64(i), lh}) + } + return +} + +// compactRange outputs the minimal number of fixed subtree hashes given a +// non-empty list of consecutive leaves that start from a non-zero index. For a +// definition of this algorithm, see the end of ../../doc/tlog_algorithms.md. +func compactRange(nodes []node) [][sha256.Size]byte { + // Step 1 + var hashes [][sha256.Size]byte + + // Step 2 + for len(nodes) > 1 { + // Step 2a + if xor(nodes[1].index, 1) != nodes[0].index { + hashes = append(hashes, nodes[0].hash) + nodes = nodes[1:] + } + + // Step 2b; Step 2c; Step 2c(iii) + for i := 0; i < len(nodes); i++ { + // Step 2c(i) + if i+1 != len(nodes) { + nodes[i].hash = HashInteriorNode(nodes[i].hash, nodes[i+1].hash) + nodes = append(nodes[:i+1], nodes[i+2:]...) + } + + // Step 2c(ii) + nodes[i].index = rshift(nodes[i].index) + } + } + + // Step 3 + return append(hashes, nodes[0].hash) +} + +// TreeHeadFromRangeProof computes a tree head at size n=len(leafHashes)+index +// if given a list of leaf hashes at indices index,...,n-1 as well as an +// inclusion proof for the first leaf in the tree of size n. This allows a +// verifier to check inclusion of one or more log entries with a single +// inclusion proof. +func TreeHeadFromRangeProof(leafHashes [][sha256.Size]byte, index uint64, proof [][sha256.Size]byte) (root [sha256.Size]byte, err error) { + var cr [][sha256.Size]byte + confirmHash := func(h [sha256.Size]byte) error { + if h != cr[0] { + return fmt.Errorf("aborted due incorrect right-node subtree hash") + } + cr = cr[1:] + return nil + } + copyRoot := func(r [sha256.Size]byte) error { + root = r + return nil + } + + if len(leafHashes) == 0 { + return [sha256.Size]byte{}, fmt.Errorf("need at least one leaf to recompute tree head from proof") + } + if len(leafHashes) > 1 { + cr = compactRange(nodes(index+1, leafHashes[1:])) + } + return root, inclusion(leafHashes[0], index, index+uint64(len(leafHashes)), proof, copyRoot, confirmHash) +} + +func xor(a, b uint64) uint64 { + return a ^ b +} diff --git a/internal/merkle/merkle.go b/internal/merkle/merkle.go new file mode 100644 index 0000000..872364f --- /dev/null +++ b/internal/merkle/merkle.go @@ -0,0 +1,271 @@ +// BSD 2-Clause License +// +// Copyright (c) 2022, the ct authors +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this +// list of conditions and the following disclaimer. +// +// 2. Redistributions in binary form must reproduce the above copyright notice, +// this list of conditions and the following disclaimer in the documentation +// and/or other materials provided with the distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +// From: +// https://gitlab.torproject.org/rgdd/ct/-/tree/main/pkg/merkle +package merkle + +import ( + "crypto/sha256" + "fmt" +) + +// HashEmptyTree computes the hash of an empty tree. See RFC 6162, §2.1: +// +// MTH({}) = SHA-256() +func HashEmptyTree() [sha256.Size]byte { + return sha256.Sum256(nil) +} + +// HashLeafNode computes the hash of a leaf's data. See RFC 6162, §2.1: +// +// MTH({d(0)}) = SHA-256(0x00 || d(0)) +func HashLeafNode(data []byte) (hash [sha256.Size]byte) { + h := sha256.New() + h.Write([]byte{0x00}) + h.Write(data) + copy(hash[:], h.Sum(nil)) + return +} + +// HashInteriorNode computes the hash of an interior node. See RFC 6962, §2.1: +// +// MTH(D[n]) = SHA-256(0x01 || MTH(D[0:k]) || MTH(D[k:n]) +func HashInteriorNode(left, right [sha256.Size]byte) (hash [sha256.Size]byte) { + h := sha256.New() + h.Write([]byte{0x01}) + h.Write(left[:]) + h.Write(right[:]) + copy(hash[:], h.Sum(nil)) + return +} + +// inclusion implements the algorithm specified in RFC 9162, Section 2.1.3.2. +// In addition, the caller is allowed to confirm right-node subtree hashes. +func inclusion(leaf [sha256.Size]byte, index, size uint64, proof [][sha256.Size]byte, + confirmRoot func([sha256.Size]byte) error, confirmHash func([sha256.Size]byte) error) error { + // Step 1 + if index >= size { + return fmt.Errorf("leaf index must be in [%d, %d]", 0, size-1) + } + + // Step 2 + fn := index + sn := size - 1 + + // Step 3 + r := leaf + + // Step 4 + for i, p := range proof { + // Step 4a + if sn == 0 { + return fmt.Errorf("reached tree head with %d remaining proof hash(es)", len(proof[i:])) + } + + // Step 4b + if isLSB(fn) || fn == sn { + // Step 4b, i + r = HashInteriorNode(p, r) + + // Step 4b, ii + if !isLSB(fn) { + for { + fn = rshift(fn) + sn = rshift(sn) + + if isLSB(fn) || fn == 0 { + break + } + } + } + } else { + // Step 4b, i + r = HashInteriorNode(r, p) + + // Extension: allow the caller to confirm right-node subtree hashes + if err := confirmHash(p); err != nil { + return fmt.Errorf("subtree index %d: %v", fn, err) + } + } + + // Step 4c + fn = rshift(fn) + sn = rshift(sn) + } + + // Step 5 + if sn != 0 { + return fmt.Errorf("stopped at subtree with index %d due to missing proof hashes", fn) + } + return confirmRoot(r) +} + +// consistency implements the algorithm specified in RFC 9162, §2.1.4.2 +func consistency(oldSize, newSize uint64, oldRoot, newRoot [sha256.Size]byte, proof [][sha256.Size]byte) error { + // Step 1 + if len(proof) == 0 { + return fmt.Errorf("need at least one proof hash") + } + + // Step 2 + if isPOW2(oldSize) { + proof = append([][sha256.Size]byte{oldRoot}, proof...) + } + + // Step 3 + fn := oldSize - 1 + sn := newSize - 1 + + // Step 4 + for isLSB(fn) { + fn = rshift(fn) + sn = rshift(sn) + } + + // Step 5 + fr := proof[0] + sr := proof[0] + + // Step 6 + for i, c := range proof[1:] { + // Step 6a + if sn == 0 { + return fmt.Errorf("reached tree head with %d remaining proof hash(es)", len(proof[i+1:])) + } + + // Step 6b + if isLSB(fn) || fn == sn { + // Step 6b, i + fr = HashInteriorNode(c, fr) + // Step 6b, ii + sr = HashInteriorNode(c, sr) + // Step 6b, iii + if !isLSB(fn) { + for { + fn = rshift(fn) + sn = rshift(sn) + + if isLSB(fn) || fn == 0 { + break + } + } + } + } else { + // Step 6b, i + sr = HashInteriorNode(sr, c) + } + + // Step 6c + fn = rshift(fn) + sn = rshift(sn) + } + + // Step 7 + if sn != 0 { + return fmt.Errorf("stopped at subtree with index %d due to missing proof hashes", fn) + } + if fr != oldRoot { + return fmt.Errorf("recomputed old tree head %x is not equal to reference tree head %x", fr[:], oldRoot[:]) + } + if sr != newRoot { + return fmt.Errorf("recomputed new tree head %x is not equal to reference tree head %x", sr[:], newRoot[:]) + } + return nil +} + +// VerifyInclusion verifies that a leaf's data is commited at a given index in a +// reference tree +func VerifyInclusion(data []byte, index, size uint64, root [sha256.Size]byte, proof [][sha256.Size]byte) error { + if size == 0 { + return fmt.Errorf("tree size must be larger than zero") + } + + confirmHash := func(h [sha256.Size]byte) error { return nil } // No compact range extension + confirmRoot := func(r [sha256.Size]byte) error { + if r != root { + return fmt.Errorf("recomputed tree head %x is not equal to reference tree head %x", r[:], root[:]) + } + return nil + } + return inclusion(HashLeafNode(data), index, size, proof, confirmRoot, confirmHash) +} + +// VerifyConsistency verifies that an an old tree is consistent with a new tree +func VerifyConsistency(oldSize, newSize uint64, oldRoot, newRoot [sha256.Size]byte, proof [][sha256.Size]byte) error { + checkTree := func(size uint64, root [sha256.Size]byte) error { + if size == 0 { + if root != HashEmptyTree() { + return fmt.Errorf("non-empty tree head %x for size zero", root[:]) + } + if len(proof) != 0 { + return fmt.Errorf("non-empty proof with %d hashes for size zero", len(proof)) + } + } else if root == HashEmptyTree() { + return fmt.Errorf("empty tree head %x for tree size %d", root[:], size) + } + return nil + } + + if err := checkTree(oldSize, oldRoot); err != nil { + return fmt.Errorf("old: %v", err) + } + if err := checkTree(newSize, newRoot); err != nil { + return fmt.Errorf("new: %v", err) + } + if oldSize == 0 { + return nil + } + + if oldSize == newSize { + if oldRoot != newRoot { + return fmt.Errorf("different tree heads %x and %x with equal tree size %d", oldRoot, newRoot, oldSize) + } + if len(proof) != 0 { + return fmt.Errorf("non-empty proof with %d hashes for equal tree size %d", len(proof), oldSize) + } + return nil + } + if oldSize > newSize { + return fmt.Errorf("old tree size %d must be smaller than or equal to the new tree size %d", oldSize, newSize) + } + + return consistency(oldSize, newSize, oldRoot, newRoot, proof) +} + +// isLSB returns true if the least significant bit of num is set +func isLSB(num uint64) bool { + return (num & 1) != 0 +} + +// isPOW2 returns true if num is a power of two (1, 2, 4, 8, ...) +func isPOW2(num uint64) bool { + return (num & (num - 1)) == 0 +} + +func rshift(num uint64) uint64 { + return num >> 1 +} -- cgit v1.2.3