Changeset View
Changeset View
Standalone View
Standalone View
src/secp256k1/src/modules/multiset/README.md
- This file was added.
Secp256k1 multiset module | |||||
========================= | |||||
Abstract | |||||
-------- | |||||
This module allows calculating a cryptographically secure hash for a | |||||
set with the properties: | |||||
* The order of the elements of the set does not effect the hash | |||||
* Elements can be added to the set without recalculating the entire set | |||||
Or mathematically, it is: | |||||
* Commutative: H(a,b) = H(b,a) | |||||
* Associative: H(H(a,b),c) = H(a,H(b,c)) | |||||
Hence it behaves similar to XORing the hashes of the individual elements, | |||||
but without the cryptographic weakness of XOR. | |||||
Motivation | |||||
---------- | |||||
The multiset can be used by cryptocurrencies to cheaply create and | |||||
maintain a commitment to the full UTXO set as proposed by Pieter Wiulle [1] | |||||
It can also be used with a bucketed approach to enable cheap UTXO-proofs as | |||||
proposed by Tomas van der Wansem [2] | |||||
Usage | |||||
----- | |||||
// Construct a multiset of (data1,data3) | |||||
unsigned char data1[100],data2[150],data3[175]; | |||||
... | |||||
secp256k1_multiset x,y; | |||||
secp256k1_multiset_init (context, &x); | |||||
// add all 3 data elements | |||||
secp256k1_multiset_add(context, &y, data1, sizeof(data1)); | |||||
secp256k1_multiset_add(context, &y, data2, sizeof(data2)); | |||||
secp256k1_multiset_add(context, &y, data3, sizeof(data3)); | |||||
// remove data2 | |||||
secp256k1_multiset_remove(context, &y, data2, sizeof(data2)); | |||||
// convert to hash | |||||
secp256k1_multiset_finalize(context, hashBuffer, &x); | |||||
Algorithm | |||||
--------- | |||||
Using Elliptic Curves as multisets is described in [3]. | |||||
This implementation uses trial-and-hash [4] to convert the hash into | |||||
point on the secp256k1 curve which serves as multiset. The curve's | |||||
group operations are then used to add and remove multisets. | |||||
Associativity and Commutativity then follow. | |||||
Security | |||||
-------- | |||||
The hash is secure against collision attacks. | |||||
The algorithm used is susceptible to timing attacks. Therefore it does | |||||
not securely conceal the underlying data being hashed. | |||||
For the purpose of UTXO commitments this is not relevant. | |||||
Faster and constant time algorithms exists [3] but only for char-2 curves. | |||||
References | |||||
---------- | |||||
[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014337.html | |||||
[2] https://lists.linuxfoundation.org/pipermail/bitcoin-ml/2017-September/000240.html | |||||
[3] https://arxiv.org/pdf/1601.06502.pdf | |||||
[4] https://eprint.iacr.org/2009/226.pdf | |||||