Put 256 extra input bits into the SHA256Compress chaining variable, allowing a Merkle tree arity of 3 #2173
Labels: A-circuit (Area: zk-SNARK circuits), A-consensus (Area: Consensus rules), A-crypto (Area: Cryptography), I-performance (Problems and improvements with respect to performance), I-SECURITY (Problems and improvements related to security), M-requires-nu (A network upgrade is required to implement this), protocol spec
MerkleCRH is defined as SHA256Compress with the standard SHA-256 chaining variable. However, the Merkle–Damgård proof of collision resistance of SHA-256 assumes that SHA256Compress is collision-resistant on the 768-bit input consisting of both the chaining variable and the input block.
We could, therefore, use SHA256Compress with this 768-bit input to construct a Merkle tree of arity 3, which would reduce the required Merkle tree depth by a factor of log₂(3) ≅ 1.585 (i.e. by ~36.9%) for any given number of note outputs. For example with 2^29 outputs, the required tree depth would be 19 instead of 29. Alternatively a tree with the current depth of 29 could support 3^29 ≅ 2^46 note outputs.
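The construction described above, as an added example that is not part of this issue or of the Zcash code base: a from-scratch SHA256Compress (the plain SHA-256 compression function, checked against hashlib on a padded single block), the binary MerkleCRH that keys it with the standard chaining variable, the proposed ternary variant that feeds the first child into the chaining variable and the other two into the message block (768 input bits), and an exact integer depth calculation that reproduces the 19-vs-29 and 3^29 ≅ 2^46 figures. The function names, the zero-filled padding of leaves to a full tree, and the sample leaves are assumptions made here for illustration.

```python
import hashlib
import struct

# SHA-256 round constants and the standard initial chaining variable (FIPS 180-4).
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = bytes.fromhex("6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19")
MASK = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sha256_compress(chaining: bytes, block: bytes) -> bytes:
    """SHA256Compress: 256-bit chaining variable + 512-bit block -> 256-bit digest.
    All 768 input bits influence the output; nothing is padded or length-encoded here."""
    assert len(chaining) == 32 and len(block) == 64
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):  # message schedule expansion
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    hv = struct.unpack(">8L", chaining)
    a, b, c, d, e, f, g, h = hv
    for i in range(64):  # 64 rounds
        S1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + S1 + ch + K[i] + w[i]) & MASK
        S0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (S0 + maj) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    # Davies-Meyer feed-forward: add the incoming chaining variable back in.
    return struct.pack(">8L", *[(x + y) & MASK for x, y in zip(hv, (a, b, c, d, e, f, g, h))])


def sha256_single_block(msg: bytes) -> bytes:
    """Full SHA-256 of a message that fits in one padded block (<= 55 bytes);
    used only to cross-check sha256_compress against hashlib."""
    assert len(msg) <= 55
    block = msg + b"\x80" + bytes(55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
    return sha256_compress(IV, block)


def merkle_crh_binary(children):
    """Current MerkleCRH: standard IV as chaining variable, left||right as the block."""
    left, right = children
    return sha256_compress(IV, left + right)


def merkle_crh_ternary(children):
    """Proposed arity-3 CRH: first child becomes the chaining variable, the other two the block."""
    first, second, third = children
    return sha256_compress(first, second + third)


def merkle_depth(num_leaves: int, arity: int) -> int:
    """Smallest depth d with arity**d >= num_leaves, computed with exact integers
    (math.log would risk off-by-one from rounding at exact powers)."""
    depth, capacity = 0, 1
    while capacity < num_leaves:
        capacity *= arity
        depth += 1
    return depth


def merkle_root(leaves, arity: int, crh) -> bytes:
    """Root of a full tree of the given arity; missing leaves are zero-filled (an assumption here)."""
    depth = merkle_depth(len(leaves), arity)
    level = list(leaves) + [bytes(32)] * (arity ** depth - len(leaves))
    while len(level) > 1:
        level = [crh(level[i:i + arity]) for i in range(0, len(level), arity)]
    return level[0]


if __name__ == "__main__":
    # Constructed sample leaves, not real note commitments.
    leaves = [hashlib.sha256(b"leaf-%d" % i).digest() for i in range(9)]
    print("binary root :", merkle_root(leaves, 2, merkle_crh_binary).hex())
    print("ternary root:", merkle_root(leaves, 3, merkle_crh_ternary).hex())
    print("depth for 2^29 leaves, arity 2:", merkle_depth(2 ** 29, 2))
    print("depth for 2^29 leaves, arity 3:", merkle_depth(2 ** 29, 3))
    print("log2 of arity-3 capacity at depth 29:", (3 ** 29).bit_length())
```

The ternary CRH relies exactly on the assumption the issue names: collision resistance of SHA256Compress over the full 768-bit (chaining variable, block) pair, which is what the Merkle–Damgård argument for SHA-256 itself needs. The integer depth helper reproduces the figures in the text: 19 levels of arity 3 cover 2^29 leaves, and 3^29 sits between 2^45 and 2^46.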