Common use of Our Contribution Clause in Contracts

Our Contribution. We consider collapseability of tree hashing. We will make full use of ▇▇▇▇’▇ framework [8] in order to argue what conditions a tree hashing mode must meet in order to be collapseable. First, in Sect. 4 we consider the basic problem of tree hashing for fixed length messages. For messages of a certain fixed length n, we recursively define a tree hash function TH_n. It is defined based on a split function split(n) ∈ {1, ..., n−1} that prescribes how the final digest is derived from two tree hashes TH_split(n) and TH_(n−split(n)) applied to the first split(n) and last n−split(n) message blocks. Then, in Sect. 5, we detail how the result can be extended to variable length hashing using domain separation. In this case, it is assumed that processing of message blocks and chaining values is properly domain-separated in the way the mode calls its compression function. One way of doing so is by appending a 0 to message blocks and a 1 to chaining values. Intuitively, this makes it impossible to replace the chaining value of a subtree with a message block with the same value. We prove that the resulting variable length tree hash function is collapsing. This is done by extending trees with ‘empty’ blocks in such a way that we can reduce collapseability of the variable length mode to that of the fixed length mode. Finally, in Sect. 6, we consider a second way to turn the fixed length construction into a variable length hashing mode: length encoding. Here, we allow any tree hashing mode, but the block length of the message will be included by using a final compression function call. This approach makes the final compression functions disjoint for different message lengths, and using previous techniques and the composition results of ▇▇▇▇, we likewise manage to prove collapseability.
All three collapseability results come with a security bound that expresses the adversarial advantage relative to the collapseability of the underlying compression function, as well as with a complexity analysis of the resulting modes.
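The recursive definition and the 0/1 domain separation described above can be made concrete with a short sketch. This is an added example, not code from the paper: the split rule (largest power of two below n), the use of SHA-256 as the compression function, the one-byte tags and the 32-byte blocks are all assumptions, and it illustrates only the classical substitution intuition, not the collapsing proof.

```python
import hashlib

BLOCK = 32  # assumed block size in bytes, equal to the chaining-value size


def split(n):
    """Assumed split function: largest power of two below n, so split(n) is in {1,...,n-1}."""
    return 1 << ((n - 1).bit_length() - 1)


def compress(left, right):
    """Stand-in compression function (assumption): SHA-256 over both inputs."""
    return hashlib.sha256(left + right).digest()


def node(blocks, separate):
    """Value a subtree hands to its parent: a message block (tag 0) or a chaining value (tag 1)."""
    if len(blocks) == 1:
        return blocks[0] + (b"\x00" if separate else b"")
    return tree_hash(blocks, separate) + (b"\x01" if separate else b"")


def tree_hash(blocks, separate=True):
    """TH_n for n >= 2 blocks: combine TH over the first split(n) and last n - split(n) blocks."""
    n = len(blocks)
    if n < 2 or any(len(b) != BLOCK for b in blocks):
        raise ValueError("need at least two blocks of BLOCK bytes")
    s = split(n)
    return compress(node(blocks[:s], separate), node(blocks[s:], separate))


def substitution_collides(separate):
    """Compare a 4-block message with a 2-block one built from its subtree chaining values."""
    msg = [bytes([i]) * BLOCK for i in range(4)]  # constructed sample blocks
    short = [tree_hash(msg[:2], separate), tree_hash(msg[2:], separate)]
    return tree_hash(msg, separate) == tree_hash(short, separate)


if __name__ == "__main__":
    print("without domain separation:", substitution_collides(False))
    print("with domain separation:   ", substitution_collides(True))
```

Without the tags, the two messages of different length share a digest; with the tags, the compression function sees distinct inputs for a block and for a chaining value of the same bytes.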

Appears in 2 contracts

Sources: End User Agreement, End User Agreement
