On https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/ballot/, Ben Kaduk wrote: > > If m <= k, the right subtree entries D[k:n] only exist in the current > > tree. We prove that the left subtree entries D[0:k] are consistent > > and add a commitment to D[k:n]: > > > > SUBPROOF(m, D_n, b) = SUBPROOF(m, D[0:k], b) : MTH(D[k:n]) > > This 'b' is always 'false', right?
Despite being one of the document authors, I am yet to fully get my head around Section 2 (Cryptographic Components), so yesterday I sought help off-list from several folks who I'm sure have a better grasp of the crypto. Here's what we came up with (which I believe I now understand and agree with! :-) ): Short answer: "PROOF(m, D_n) = SUBPROOF(m, D_n, true)" appears just a few lines above, so no. Long answer: No. The first substitution of "PROOF(m, D_n)" gives you an invocation of SUBPROOF with b=true. As you recurse down, you may reach a call where all further recursive calls have b=false, but the base case should be b=true. SUBPROOF is defined in four cases. b could be either true or false depending on whether and how it was invoked by the third case, fourth case, or the base case from the definition of PROOF. The SUBPROOF case that Ben's question refers to is for m != n, m <= k, and any b. ________________________________ From: Trans <[email protected]> on behalf of Paul Wouters <[email protected]> Sent: 12 May 2021 20:08 To: Salz, Rich <[email protected]> Cc: Roman Danyliw <[email protected]>; Trans <[email protected]> Subject: Re: [Trans] Spinning a new version draft of draft-ietf-trans-rfc6962-bis CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. On Wed, 12 May 2021, Salz, Rich wrote: > There are still open open issues from Ben Kaduk's DISCUSS ballot, which I > listed in > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Ftrans%2FyFJRli55wJ68EcQy5H97b97t8yY%2F&data=04%7C01%7C%7C1d243dd6e8544642471908d915797540%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637564433669991858%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=BUOYOEvOmgRkppZonghLgulUgUSiD9v6FYZGDCg480I%3D&reserved=0 > > One of them requires someone in the WG to confirm. The other two require > more input from Ben. The two issues needing input from Ben seem to be thing Ben needs to act on. So please disregard these from now as there is nothing we can do there. That leaves only one issue unconfirmed: In 2.1.4.1 “Generating a Consistency Proof”: > If m <= k, the right subtree entries D[k:n] only exist in the current > tree. We prove that the left subtree entries D[0:k] are consistent > and add a commitment to D[k:n]: > > SUBPROOF(m, D_n, b) = SUBPROOF(m, D[0:k], b) : MTH(D[k:n]) > >This 'b' is always 'false', right? Does “this b” mean the one on the right-hand side of the equal sign? And if so, does the WG have an answer to the question? I believe this refers to the table in 5.5 “Retrieve Merkle Inclusion Proof, Signed Tree Head and Consistency Proof by Leaf Hash”: Can one or two people from the WG please clarify this issue so we can cut a new draft and start a WGLC. Paul _______________________________________________ Trans mailing list [email protected] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftrans&data=04%7C01%7C%7C1d243dd6e8544642471908d915797540%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637564433669991858%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=hqFZywSs%2Fb3LsLjW5cG18pxSjrvdvU0mYzg%2BC8aVvDc%3D&reserved=0
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
