Literature about Merkle hash tries?
Benja Fallenstein
b.fallenstein at gmx.de
Tue Sep 30 18:14:20 EDT 2003
Hi all,
Does anybody on this list know literature about cryptographic hash
tries? (I hit on this idea when mulling about a different problem, and
was wondering what people have written about it.) I.e., a data structure
for keeping sets of pieces of data, by:
- computing a cryptographic hash of each piece, treating each hash as a
bitstring;
- organizing these in a trie ("A tree for storing strings in which there
is one node for every common prefix. The strings are stored in extra
leaf nodes," http://www.nist.gov/dads/HTML/trie.html);
- treating this trie as a Merkle hash tree.
For example, if we have four hashes starting [0001], [0010], [1110] and
[1111] respectively, ::
[root]
/ \
[0] [1]
/ \
[00] [11]
/ \ \
0001.. 0010.. [111]
/ \
1110.. 1111..
The nodes with one child can also be omitted for efficiency, i.e.::
[root]
/ \
/ \
/ \
[00] \
/ \ \
0001.. 0010.. [111]
/ \
1110.. 1111..
This could easily be extended to provide a mapping, by treating the keys
as above, and putting each values in the "extra leaf node" of their
corresponding key.
It seems to me that this data structure would--
- allow giving efficient proofs not only of membership, but also
non-membership, by giving the path through the tree that would end up at
that item, but show that it ends up at a different item. E.g., to prove
that a hash starting [0011] is not in the above set, give the path to
"0010..". (This could be used to implement CRTs.)
- be automatically approximately balanced (I haven't attempted a proof,
but since all prefixes are conjectured to be equally likely...)
- allow you to maintain a history of such trees with only O(log n)
additional storage cost per addition or removal-- i.e., if you already
have a whole tree with n items, and want to additionally store a tree
that has one item added, you only need O(log n) additional storage
space-- and you don't need to implement some complicated re-balancing
algorithm (if the previous conjecture holds).
It's functionally equivalent to having a binary search tree that stores
a value at each internal node, but it seems potentially simpler to
implement, particularly when you want to store a versioned history (e.g.
of a CRT), because you don't need to implement re-balancing.
So, anyway, anybody know references? I've not come across any yet.
Thanks,
- Benja
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list