Merkle tree construction

[tbekas]

No description provided.

[benbierens]

We can rap-battle some more about the 1D array index stuff, if you'd like. (Or we can delay it till we get to serialization where we need to do it anyway.)

[elcritch]

We can rap-battle some more about the 1D array index stuff, if you'd like. (Or we can delay it till we get to serialization where we need to do it anyway.)

But @benbierens it's like log n less allocations!! ;) You can tell my embedded background shows -- I'm allergic to allocations.

[benbierens]

Oh yeah, no doubt the 1D thing is much better in this way. It's just, we were just starting and needed a way to think about what we were trying to do. So we started with lots of allocs.

[gmega]

I have what are mostly petty comments. 🙂 Overall it looks good, particularly given that it passes the tests.

[gmega]

I get why you are doing this, but to me this is a symptom that mcodec should be a property of the tree and not a property of the node. Not sure there's much of a way around it though.

[tbekas]

Yeah, initially I started implementing it this way, but the new code has to be compatible with already existing code and it's just easier to do it this way than converting to/from MultiHash in each public function. For the serialization though we will likely use a tree property instead of a node property.

[gmega]

Got it

[dryajov]

I don't think it's relevant to check the type of hash of the leafs, in fact we can just treat them as abstract blobs. We should just have this as a property of the entire tree.

In fact, we have some potential use cases, where the leafs can be pretty much anything, for example KZG commitments...

[tbekas]

I've address this by hardcoding a hashing algorithm for merkle trees tho SHA-256 in #516

[gmega]

Looks good to me!

[elcritch]

Looks like you're duplicating the last element when the tree is odd? It would probably be better to use a specific "null node".

The reason comes from reviewing the Bitcoin merkle trees there were some issues with duplicating issues at the end. With a properly constructed dataset in Bitcoin you could do a denial-of-service. See CVE-2012-2459.

There was a proposal for a better merkle design for Bitcoin at BIP-98. It describes the issue better. I didn't dive much into the proof side of things (maybe it's better).

It may all not apply to us, but I think prudence would say to use the fixes others did in case.

[elcritch]

@gmega your question about balanced merkle tree reminded me of this

[tbekas]

Fixed in the #516

[elcritch]

Could you add a short description noting the ordering of the nodes? When this comes up later it's nice to know "leaves start at 0..k, with proofs being k+1..n" or something similar.

[elcritch]

P.S. you could also add docs to the module. Just use ## like ## about this module as the comment block type and Nim doc gen will turn it into a module doc.

[tbekas]

Fixed in the #516

[elcritch]

Same as above! Just enough details to what the proof is of.

[tbekas]

Fixed in the #516

[elcritch]

Ok, created an issue to follow up on the pre-image attack thing to get this unblocked: #511

[dryajov]

Thanks for documenting this!

[elcritch]

Thanks! Note if you use ## here then it'd show up if we ever run docgen. :)

[tbekas]

Fixed in #516

[dryajov]

OK, I think this is looking good for a first pass.

We're missing proof validation (or am I blind?) and and tree validation when constructed with a merkle root. We can cover that in a separate PR tho.

We should also address the security concernes, but I'd leave it for a separate PR as well.

[dryajov]

Suggested change

	## Copyright (c) 2022 Status Research & Development GmbH
	## Copyright (c) 2023 Status Research & Development GmbH

[tbekas]

Fixed in #516

[tbekas]

I'm going to address all of the comments in the upcoming PR.