Segwit arbitrary commitment trees & faster hashing #75
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The witness root is allowed to be placed at an arbitrary position up to seven layers deep in a Merkle tree structure. The witness nonce is now the branch through the commitment tree to the witness root, and a single byte is added to the commitment output specifying this path in compact form. This allows other consensus commitments to be added in the future with a minimal number of bytes and without requiring a certain position for each commitment in the tree.
This allows the intermediate state of a SHA-256 run to be saved for future resumption, or in the case of fast Merkle trees to perform a non-padded hash.
A fast Merkle branch uses midstate to perform a single SHA-256 compression per branch, and is not vulnerable to CVE-2012-2459. It produces different hashes though, so can only be used for new hash trees going forward.
7 tasks
|
As I've said before on #49, I really consider using midstates here a hack, and only a marginal improvement. Regarding new commitment structures, I think we should work on separate proposal for compact non-consensus-critical commitments, independent from the structures used for segwit (and potential follow-up extensions). As long as we need to put commitments underneath the transaction tree, those will dominate the costs for fraud proofs anyway. |
|
Going to leave it open for further comments. |
sipa
force-pushed
the
segwit-master
branch
2 times, most recently
from
ad4f9c7 to
bb2a89e
Compare
sipa
force-pushed
the
segwit-master
branch
4 times, most recently
from
d9ae807 to
3cb46c1
Compare
sipa
force-pushed
the
segwit-master
branch
6 times, most recently
from
8e3310c to
e847337
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The witness root is allowed to be placed at an arbitrary position up to seven layers deep in a Merkle tree structure. The witness nonce is now the branch through the commitment tree to the witness root, and a single byte is added to the commitment output specifying this path in compact form. This allows other consensus commitments to be added in the future with a minimal number of bytes and without committing at this time for a certain position for the segwit branch within the tree.
In addition, switch to fast Merkle trees for witness. A fast Merkle branch uses midstate to perform a single SHA-256 compression per branch, and is not vulnerable to CVE-2012-2459. It produces different hashes though, so can only be used for new hash trees going forward.