COSE R. Bryce
Internet-Draft DataTrails
Intended status: Experimental 21 October 2024
Expires: 24 April 2025
Merkle Mountain Range for Immediately Verifiable and Replicable
Commitments
draft-bryce-cose-merkle-mountain-range-proofs-00
Abstract
This specification describes the COSE encoding of proofs for post-
order traversal binary Merkle trees, also known as history trees and
Merkle mountain ranges. Proving and verifying are defined in terms
of the cryptographic asynchronous accumulator described by
ReyzinYakoubov (https://eprint.iacr.org/2015/718.pdf). The technical
advantages of post-order traversal binary Merkle trees are discussed
in CrosbyWallachStorage
(https://static.usenix.org/event/sec09/tech/full_papers/crosby.pdf)
and PostOrderTlog (https://research.swtch.com/tlog#appendix_a).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 24 April 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
Bryce Expires 24 April 2025 [Page 1]
Internet-Draft MMRIVER October 2024
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Verifiable Data Structure . . . . . . . . . . . . . . . . . . 4
4. Inclusion Proof . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. inclusion_proof_path . . . . . . . . . . . . . . . . . . 4
5. Receipt of Inclusion . . . . . . . . . . . . . . . . . . . . 5
5.1. Verifying the Receipt of inclusion . . . . . . . . . . . 6
5.2. included_root . . . . . . . . . . . . . . . . . . . . . . 7
6. Consistency Proof . . . . . . . . . . . . . . . . . . . . . . 8
6.1. consistency_proof_path . . . . . . . . . . . . . . . . . 9
7. Receipt of Consistency . . . . . . . . . . . . . . . . . . . 10
7.1. Verifying the Receipt of consistency . . . . . . . . . . 10
7.1.1. consistent_roots . . . . . . . . . . . . . . . . . . 11
8. Appending a leaf . . . . . . . . . . . . . . . . . . . . . . 12
8.1. add_leaf_hash . . . . . . . . . . . . . . . . . . . . . . 12
8.2. Implementation defined storage methods . . . . . . . . . 14
8.2.1. Get . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.2.2. Append . . . . . . . . . . . . . . . . . . . . . . . 14
8.3. Node values . . . . . . . . . . . . . . . . . . . . . . . 14
8.3.1. hash_pospair64 . . . . . . . . . . . . . . . . . . . 14
9. Essential supporting algorithms . . . . . . . . . . . . . . . 15
9.1. index_height . . . . . . . . . . . . . . . . . . . . . . 15
9.2. peaks . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10. Security Considerations . . . . . . . . . . . . . . . . . . . 16
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
11.1. Additions to Existing Registries . . . . . . . . . . . . 16
11.2. New Registries . . . . . . . . . . . . . . . . . . . . . 16
12. Normative References . . . . . . . . . . . . . . . . . . . . 16
Appendix A. References . . . . . . . . . . . . . . . . . . . . . 17
A.1. Informative References . . . . . . . . . . . . . . . . . 17
Appendix B. Assumed bit primitives . . . . . . . . . . . . . . . 17
B.1. log2floor . . . . . . . . . . . . . . . . . . . . . . . . 17
B.2. most_sig_bit . . . . . . . . . . . . . . . . . . . . . . 18
B.3. bit_length . . . . . . . . . . . . . . . . . . . . . . . 18
B.4. all_ones . . . . . . . . . . . . . . . . . . . . . . . . 18
B.5. ones_count . . . . . . . . . . . . . . . . . . . . . . . 18
B.6. trailing_zeros . . . . . . . . . . . . . . . . . . . . . 18
Appendix C. Implementation Status . . . . . . . . . . . . . . . 18
C.1. Implementers . . . . . . . . . . . . . . . . . . . . . . 19
C.1.1. DataTrails . . . . . . . . . . . . . . . . . . . . . 19
C.1.2. Robin Bryce (1) . . . . . . . . . . . . . . . . . . . 19
Bryce Expires 24 April 2025 [Page 2]
Internet-Draft MMRIVER October 2024
C.1.3. Robin Bryce (2) . . . . . . . . . . . . . . . . . . . 20
C.1.4. Mimblewimble . . . . . . . . . . . . . . . . . . . . 20
C.1.5. Herodotus . . . . . . . . . . . . . . . . . . . . . 20
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 21
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction
A post ordered binary merkle tree is, logically, the unique series of
perfect binary merkle trees required to commit its leaves.
Example,
6
2 5
0 1 3 4 7
This illustrates MMR(8), which is comprised of two perfect trees
rooted at 6 and 7. 7 is the root of a tree comprised of a single
element.
The peaks of the perfect trees form the accumulator.
The storage of a tree maintained in this way is addressed as a linear
array, and additions to the tree are always appends.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
* A complete MMR(n) defines an mmr with n nodes where no equal
height sibling trees exist.
* i shall be the index of any node, including leaf nodes, in the MMR
* g shall be the zero based height of a node in the tree.
* H(x) shall be the SHA-256 digest of any value x
* || shall mean concatenation of raw byte representations of the
referenced values.
Bryce Expires 24 April 2025 [Page 3]
Internet-Draft MMRIVER October 2024
In this specification, all numbers are unsigned 64 bit integers. The
maximum height of a single tree is 64 (which will have g=63 for its
peak).
3. Verifiable Data Structure
The integer identifier for this Verifiable Data Structure is 2.
4. Inclusion Proof
The CBOR representation of an inclusion proof is
inclusion-proof = bstr .cbor [
; zero based index of a tree node
index: uint
; path proving the node's inclusion
inclusion-path: [ + bstr ]
]
Note that the inclusion path for the index leads to a single
permanent node in the tree. This node will initially be a peak in
the accumulator, as the tree grows it will eventually be "buried" by
a new peak.
4.1. inclusion_proof_path
inclusion_proof_path(i, c) is used to produce the verification paths
for inclusion proofs and consistency proofs.
Given:
* c the index of the last node in any tree which contains i.
* i the index of the mmr node whose verification path is required.
And the methods:
* index_height (Section 9.1) which obtains the zero based height g
of any node.
And the constraints:
* i <= c
We define inclusion_proof_path as
Bryce Expires 24 April 2025 [Page 4]
Internet-Draft MMRIVER October 2024
def inclusion_proof_path(i, c):
path = []
g = index_height(i)
while True:
# The sibling of i is at i +/- 2^(g+1)
siblingoffset = (2 << g)
# If the index after i is higher, it is the left parent,
# and i is the right sibling
if index_height(i+1) > g:
# The witness to the right sibling is offset behind i
isibling = i - siblingoffset + 1
# The parent of a right sibling is stored immediately
# after
i += 1
else:
# The witness to a left sibling is offset ahead of i
isibling = i + siblingoffset - 1
# The parent of a left sibling is stored immediately after
# its right sibling
i += siblingoffset
# When the computed sibling exceedes the range of MMR(C+1),
# we have completed the path
if isibling > c:
return path
path.append(isibling)
# Set g to the height of the next item in the path.
g += 1
5. Receipt of Inclusion
The cbor representation of an inclusion proof is:
Bryce Expires 24 April 2025 [Page 5]
Internet-Draft MMRIVER October 2024
protected-header-map = {
&(alg: 1) => int
&(vds: 395) => 2
* cose-label => cose-value
}
* alg (label: 1): REQUIRED. Signature algorithm identifier. Value
type: int.
* vds (label: 395): REQUIRED. verifiable data structure algorithm
identifier. Value type: int.
The unprotected header for an inclusion proof signature is:
inclusion-proofs = [ + inclusion-proof ]
verifiable-proofs = {
&(inclusion-proof: -1) => inclusion-proofs
}
unprotected-header-map = {
&(vdp: 396) => verifiable-proofs
* cose-label => cose-value
}
The payload of an MMRIVER inclusion proof signature is the tree peak
committing to the nodes inclusion, or the node itself where the proof
path is empty. The algorithm included_root (Section 5.2) obtains
this value.
The payload MUST be detached. Detaching the payload forces verifiers
to recompute the root from the inclusion proof, this protects against
implementation errors where the signature is verified but the payload
merkle root does not match the inclusion proof.
5.1. Verifying the Receipt of inclusion
The inclusion proof and signature are verified in order. First the
verifiers applies the inclusion proof to a possible entry (set
member) bytes. If this process fails, the inclusion proof may have
been tampered with. If this process succeeds, the result is a merkle
root, which in the attached as the COSE Sign1 payload. Second the
verifier checks the signature of the COSE Sign1. If the resulting
signature verifies, the Receipt has proved inclusion of the entry in
the verifiable data structure. If the resulting signature does not
verify, the signature may have been tampered with.
Bryce Expires 24 April 2025 [Page 6]
Internet-Draft MMRIVER October 2024
It is recommended that implementations return a single boolean result
for Receipt verification operations, to reduce the chance of
accepting a valid signature over an invalid inclusion proof.
As the proof must be processed prior to signature verification the
implementation SHOULD check the lengths of the proof paths are
appropriate for the provided tree sizes.
5.2. included_root
The algorithm included_root calculates the accumulator peak for the
provided proof and node value.
Given:
* i is the index the nodeHash is to be shown at
* nodehash the value whose inclusion is to be shown
* proof is the path of sibling values committing i.
And the methods:
* index_height (Section 9.1) which obtains the zero based height g
of any node.
* hash_pospair64 (Section 8.3.1) which applies H to the new node
position and its children.
We define included_root as
Bryce Expires 24 April 2025 [Page 7]
Internet-Draft MMRIVER October 2024
def included_root(i, nodehash, proof):
root = nodehash
g = index_height(i)
for sibling in proof:
# If the index after i is higher, it is the left parent,
# and i is the right sibling
if index_height(i + 1) > g:
# The parent of a right sibling is stored immediately after
i = i + 1
# Set `root` to `H(i+1 || sibling || root)`
root = hash_pospair64(i + 1, sibling, root)
else:
# The parent of a left sibling is stored immediately after
# its right sibling.
i = i + (2 << g)
# Set `root` to `H(i+1 || root || sibling)`
root = hash_pospair64(i + 1, root, sibling)
# Set g to the height of the next item in the path.
g = g + 1
# If the path length was zero, the original nodehash is returned
return root
6. Consistency Proof
A consistency proof shows that the accumulator, defined in
ReyzinYakoubov (https://eprint.iacr.org/2015/718.pdf), for tree-
size-1 is a prefix of the accumulator for tree-size-2.
The signature is over the complete accumulator for tree-size-2
obtained using the proof and the, supplied, possibly empty, list of
right-peaks which complete the accumulator for tree-size-2.
The receipt of consistency is defined so that a chain of cumulative
consistency proofs can be verified together.
Bryce Expires 24 April 2025 [Page 8]
Internet-Draft MMRIVER October 2024
The cbor representation of a consistency proof is:
consistency-path = [ * bstr ]
consistency-proof = bstr .cbor [
; previous tree size
tree-size-1: uint
; latest tree size
tree-size-2: uint
; the inclusion path from each accumulator peak in
; tree-size-1 to its new peak in tree-size-2.
consistency-paths: [ + consistency-path ]
; the additional peaks that
; complete the accumulator for tree-size-2,
; when appended to those produced by the consistency paths
right-peaks: [ *bstr ]
]
6.1. consistency_proof_path
Produces the verification paths for inclusion of the peaks of tree-
size-1 under the peaks of tree-size-2.
right-peaks are obtained by invoking peaks(tree-size-2 - 1), and
discarding length(proofs) from the left.
Given:
* ifrom is the last index of tree-size-1
* ito is the last index of tree-size-2
And the methods:
* inclusion_proof_path (Section 4.1)
* Section 9.2
And the constraints:
* ifrom <= ito
We define consistency_proof_paths as
Bryce Expires 24 April 2025 [Page 9]
Internet-Draft MMRIVER October 2024
def consistency_proof_paths(ifrom, ito):
proof = []
for i in peaks(ifrom):
proof.append(inclusion_proof_path(i, ito))
return proof
7. Receipt of Consistency
The cbor representation of an inclusion proof for MMRIVER is:
protected-header-map = {
&(alg: 1) => int
&(vds: 395) => 2
* cose-label => cose-value
}
* alg (label: 1): REQUIRED. Signature algorithm identifier. Value
type: int.
* vds (label: 395): REQUIRED. verifiable data structure algorithm
identifier. Value type: int.
The unprotected header for an inclusion proof signature is:
consistency-proofs = [ + consistency-proof ]
verifiable-proofs = {
&(consistency-proof: -2) => consistency-proof
}
unprotected-header-map = {
&(vdp: 396) => verifiable-proofs
* cose-label => cose-value
}
The payload MUST be detached. Detaching the payload forces verifiers
to recompute the roots from the consistency proofs. This protects
against implementation errors where the signature is verified but the
payload is not genuinely produced by the included proof.
7.1. Verifying the Receipt of consistency
Verification accommodates verifying the result of a cumulative series
of consistency proofs.
Bryce Expires 24 April 2025 [Page 10]
Internet-Draft MMRIVER October 2024
Perform the following for each consistency-proof in the list,
verifying the signature with the output of the last.
1. Initialize current proof as the first consistency-proof.
2. Initialize accumulatorfrom to the peaks of tree-size-1 in the
current proof.
3. Initialize ifrom to tree-size-1 - 1 from the current proof.
4. Initialize proofs to the consistency-paths from the current
proof.
5. Apply the algorithm consistent_roots (Section 7.1.1)
6. Apply the peaks algorithm to obtain the accumulator for tree-
size-2
7. From the peaks for tres-size-2, discard from the left the number
of roots returned by consistent_roots.
8. Create the consistent accumulator by appending the remaining
peaks to the consistent roots.
9. If there are no remaining proofs, use the consistent accumulator
as the detached payload and verify the signature of the COSE
Sign1.
It is recommended that implementations return a single boolean result
for Receipt verification operations, to reduce the chance of
accepting a valid signature over an invalid consistency proof.
As the proof must be processed prior to signature verification the
implementation SHOULD check the lengths of the proof paths are
appropriate for the provided tree sizes.
7.1.1. consistent_roots
consistent_roots returns the descending height ordered list of
elements from the accumulator for the consistent future state.
Implementations MUST require that the number of peaks returned by
Section 9.2(ifrom) equals the number of entries in accumulatorfrom.
Given:
* ifrom the last index in the complete MMR from which consistency
was proven.
Bryce Expires 24 April 2025 [Page 11]
Internet-Draft MMRIVER October 2024
* accumulatorfrom the node values corresponding to the peaks of the
accumulator for tree-size-1
* proofs the inclusion proofs for each node in accumulatorfrom for
tree-size-2
And the methods:
* included_root (Section 5.2)
* Section 9.2
We define consistent_roots as
def consistent_roots(ifrom, accumulatorfrom, proofs):
frompeaks = peaks(ifrom)
# if length(frompeaks) != length(proofs) -> ERROR
roots = []
for i in range(len(accumulatorfrom)):
root = included_root(
frompeaks[i], accumulatorfrom[i], proofs[i])
if roots and roots[-1] == root:
continue
roots.append(root)
return roots
8. Appending a leaf
An algorithm for appending to a tree maintained in post order layout
is provided. Implementation defined methods for interacting with
storage are specified.
8.1. add_leaf_hash
When a new node is appended, if its height matches the height of its
immediate predecessor, then the two equal height siblings MUST be
merged. Merging is defined as the append of a new node which takes
the adjacent peaks as its left and right children. This process MUST
proceed until there are no more completable sub trees.
add_leaf_hash(f) adds the leaf hash value f to the tree.
Given:
Bryce Expires 24 April 2025 [Page 12]
Internet-Draft MMRIVER October 2024
* f the leaf value resulting from H(x) for the caller defined leaf
value x
* db an interface supporting the Section 8.2.2 and Section 8.2.1
implementation defined storage methods.
And the methods:
* index_height (Section 9.1)
* Section 8.3.1
We define add_leaf_hash as
def add_leaf_hash(db, f: bytes):
# Set g to 0, the height of the leaf item f
g = 0
# Set i to the result of invoking Append(f)
i = db.append(f)
# If index_height(i) is greater than g (#looptarget)
while index_height(i) > g:
# Set ileft to the index of the left child of i,
# which is i - 2^(g+1)
ileft = i - (2 << g)
# Set iright to the index of the the right child of i,
# which is i - 1
iright = i - 1
# Set v to H(i + 1 || Get(ileft) || Get(iright))
# Set i to the result of invoking Append(v)
i = db.append(
hash_pospair64(i+1, db.get(ileft), db.get(iright)))
# Set g to the height of the new i, which is g + 1
g += 1
return i
Bryce Expires 24 April 2025 [Page 13]
Internet-Draft MMRIVER October 2024
8.2. Implementation defined storage methods
The following methods are assumed to be available to the
implementation. Very minimal requirements are specified.
Informally, the storage must be array like and have no gaps.
8.2.1. Get
Reads the value from the tree at the supplied index.
The read MUST be consistent with any other calls to Append or Get
within the same algorithm invocation.
Get MAY fail for transient reasons.
8.2.2. Append
Appends new node to storage and returns the index that will be
occupied by the node provided to the next call to append.
The implementation MUST guarantee that the results of Append are
immediately available to Get calls in the same invocation of the
algorithm.
Append MUST return the node i identifying the node location which
comes next.
The implementation MAY defer commitment to underlying persistent
storage.
Append MAY fail for transient reasons.
8.3. Node values
Interior nodes in the MUST prefix the value provided to H(x) with
pos.
The value v for any interior node MUST be H(pos || Get(LEFT_CHILD) ||
Get(RIGHT_CHILD))
The algorithm for leaf addition is provided the result of H(x)
directly.
8.3.1. hash_pospair64
Returns H(pos || a || b), which is the value for the node identified
by index pos - 1
Bryce Expires 24 April 2025 [Page 14]
Internet-Draft MMRIVER October 2024
Editors note: How this draft accommodates hash alg agility is tbd.
Given:
* pos the size of the MMR whose last node index is pos - 1
* a the first value to include in the hash after pos
* b the second value to include in the hash after pos
And the constraints:
* pos < 2^64
* a and b MUST be hashes produced by the appropriate hash alg.
We define hash_pospair64 as
def hash_pospair64(pos, a, b):
# Note: Hash algorithm agility is tbd, this example uses SHA-256
h = hashlib.sha256()
# Take the big endian representation of pos
h.update(pos.to_bytes(8, byteorder="big", signed=False))
h.update(a)
h.update(b)
return h.digest()
9. Essential supporting algorithms
9.1. index_height
index_height(i) returns the zero based height g of the node index i
Given:
* i the index of any mmr node.
We define index_height as
def index_height(i) -> int:
pos = i + 1
while not all_ones(pos):
pos = pos - most_sig_bit(pos) + 1
return bit_length(pos) - 1
Bryce Expires 24 April 2025 [Page 15]
Internet-Draft MMRIVER October 2024
9.2. peaks
peaks(i) returns the peak indices for MMR(i+1), which is also its
accumulator.
Assumes MMR(i+1) is complete, implementations can check for this
condition by testing the height of i+1
Given:
* i the index of any mmr node.
We define peaks
def peaks(i):
peak = 0
peaks = []
s = i+1
while s != 0:
# find the highest peak size in the current MMR(s)
highest_size = (1 << log2floor(s+1)) - 1
peak = peak + highest_size
peaks.append(peak-1)
s -= highest_size
return peaks
10. Security Considerations
See the security considerations section of:
* [RFC9053]
11. IANA Considerations
Editors note: Hash agility is desired. We can start with SHA-256.
Two of the referenced implementations use BLAKE2b-256, We would like
to add support for SHA3-256, SHA3-512, and possibly Keccak and
Pedersen.
11.1. Additions to Existing Registries
Editors note: todo registry requests
11.2. New Registries
12. Normative References
Bryce Expires 24 April 2025 [Page 16]
Internet-Draft MMRIVER October 2024
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
August 2022, .
Appendix A. References
A.1. Informative References
* ReyzinYakoubov (https://eprint.iacr.org/2015/718.pdf)
* CrosbyWallach
(https://static.usenix.org/event/sec09/tech/full_papers/
crosby.pdf)
* CrosbyWallachStorage
(https://static.usenix.org/event/sec09/tech/full_papers/
crosby.pdf) 3.3 Storing the log on secondary storage
* PostOrderTlog (https://research.swtch.com/tlog#appendix_a)
* PeterTodd (https://lists.linuxfoundation.org/pipermail/bitcoin-
dev/2016-May/012715.html)
* KnuthTBT (https://www-cs-faculty.stanford.edu/~knuth/taocp.html)
2.3.1 Traversing Binary Trees
* BNT (https://eprint.iacr.org/2021/038.pdf)
Appendix B. Assumed bit primitives
B.1. log2floor
Returns the floor of log base 2 x
def log2floor(x):
return x.bit_length() - 1
Bryce Expires 24 April 2025 [Page 17]
Internet-Draft MMRIVER October 2024
B.2. most_sig_bit
Returns the mask for the the most significant bit in pos
def most_sig_bit(pos) -> int:
return 1 << (pos.bit_length() - 1)
The following primitives are assumed for working with bits as they
commonly have library or hardware support.
B.3. bit_length
The minimum number of bits to represent pos. b011 would be 2, b010
would be 2, and b001 would be 1.
def bit_length(pos):
return pos.bit_length()
B.4. all_ones
Tests if all bits, from the most significant that is set, are 1,
b0111 would be true, b0101 would be false.
def all_ones(pos) -> bool:
msb = most_sig_bit(pos)
mask = (1 << (msb + 1)) - 1
return pos == mask
B.5. ones_count
Count of set bits. For example ones_count(b101) is 2
B.6. trailing_zeros
The count of nodes above and to the left of pos
(v & -v).bit_length() - 1
Appendix C. Implementation Status
Note to RFC Editor: Please remove this section as well as references
to BCP205 before AUTH48.
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in BCP205. The
description of implementations in this section is intended to assist
the IETF in its decision processes in progressing drafts to RFCs.
Bryce Expires 24 April 2025 [Page 18]
Internet-Draft MMRIVER October 2024
Please note that the listing of any individual implementation here
does not imply endorsement by the IETF. Furthermore, no effort has
been spent to verify the information presented here that was supplied
by IETF contributors. This is not intended as, and must not be
construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to BCP205, "this will allow reviewers and working groups to
assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
C.1. Implementers
C.1.1. DataTrails
An open-source implementation was initiated and is maintained by Data
Trails Inc. - DataTrails.
Uses SHA-256 as the hash alg
C.1.1.1. Implementation Name
An application demonstrating the concepts is available at
https://app.datatrails.ai/ (https://app.datatrails.ai/).
C.1.1.2. Implementation URL
An open-source implementation is available at:
* https://github.com/datatrails/go-datatrails-merklelog
C.1.1.3. Maturity
Used in production. SEMVER unstable (no backwards compat declared
yet)
C.1.2. Robin Bryce (1)
C.1.2.1. Implementation URL
A minimal reference implementation of this draft. Used to generate
the test vectors in this draft, is available at:
Bryce Expires 24 April 2025 [Page 19]
Internet-Draft MMRIVER October 2024
* https://github.com/robinbryce/merkle-mountain-range-
proofs/blob/main/algorithms.py
C.1.2.2. Maturity
Reference only
C.1.3. Robin Bryce (2)
C.1.3.1. Implementation URL
A minimal tiled log implementation
* https://github.com/robinbryce/mmriver-tiles-ts
C.1.3.2. Maturity
Prototype
C.1.4. Mimblewimble
Is specifically committing to positions as we describe, but is
committing zero based indices, and uses BLAKE2B as the HASH-ALG.
Accounting for those differences, their commitment trees would be
compatible with this draft.
C.1.4.1. Implementation URL
An implementation is available here:
* https://github.com/mimblewimble/grin/blob/master/doc/mmr.md (Grin
is a rust implementation of the mimblewimble protocol)
* https://github.com/BeamMW/beam/blob/master/core/merkle.cpp (Beam
is a C++ implementation of the mimblewimble protocol)
C.1.5. Herodotus
C.1.5.1. Implementation URL
https://github.com/HerodotusDev/rust-accumulators
Production, supports keccak, posiedon & pedersen hash algs
Editors note: test vectors, based on a SHA256 instantiation, are
currently provided in a separate document. (./test-vectors.md)
Bryce Expires 24 April 2025 [Page 20]
Internet-Draft MMRIVER October 2024
Acknowledgments
Author's Address
Robin Bryce
DataTrails
Email: robinbryce@gmail.com
Bryce Expires 24 April 2025 [Page 21]