coniks-sys/coniks-go

Create Test Vectors

Opened this issue · 10 comments

A set of test vectors for

  • Tree hashing
  • VRF
  • Other crypto functions

Would be helpful for assessing cross-project and cross-language compatibility.
I've begun doing this in google/keytransparency#613

vqhuy commented

Thanks @gdbelvin, I've also begun doing this in #178.

Note that there is a difference between your tree hashing and ours: we use treeNonce []byte instead of treeID uint64.

Would you be interested in putting a maximum length on the treeNonce for compatibility?
Would be awesome to have a common interface.

vqhuy commented

@gdbelvin

Would you be interested in putting a maximum length on the treeNonce for compatibility?

In our implementation, it is a 32-byte array. Do you have any idea how the interface should look for compatibility?

/cc @masomel @arlolra @liamsi

After some more thought, I'd love to jump on a call to discuss this.
An 8-byte nonce would give us 32 bits of security before two tree nonces accidentally collided with each other. 2^32 trees would indeed be a lot of CONIKS and Key Transparency servers 👍. Is there a reason for more than 32 bits of security in the tree nonce?

As far as I remember this was discussed quite a while ago and we've decided to reuse HashSizeByte for simplicity (not introducing another constant) and some extra bits of security. Another related reason was that we've decided to always hash the output of the system's randomness (and we use a 32-byte hash for that). But I agree that a 64-bit tree nonce should be sufficient.

vqhuy commented

I think I don't want to let users (the developer/operator) supply the tree ID. As stated somewhere, maintaining the uniqueness of the counter (in this case the map/tree ID) is nontrivial.
As discussed at google/keytransparency#65 (comment), I'd love to know the reason why KT still uses the tree nonce.

Trillian (the distributed Merkle tree database) generates the treeID behind the scenes - the developers don't get to pick it.

As for maintaining uniqueness of the nonce, 64 bits is enough to ensure uniqueness for up to 2^32 servers.
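The two points argued above (a 32-byte nonce derived by hashing system randomness, versus the birthday-bound reasoning that a 64-bit nonce already gives about 2^32 trees before a collision becomes likely) can be checked with a small Go program. The code below is an added illustration and is not from coniks-go or keytransparency; only the name `HashSizeByte` comes from the thread, while `NewTreeNonce`, `CollisionProbability` and `SecurityBits` are names chosen here.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

// HashSizeByte is the 32-byte hash length the thread mentions; the constant
// name is taken from the discussion, the value is assumed to be 32.
const HashSizeByte = 32

// NewTreeNonce derives a 32-byte tree nonce by hashing 32 bytes of OS
// randomness, which is the approach described in the thread. Hashing does not
// add entropy; the nonce is only as unpredictable as the bytes read from the OS.
func NewTreeNonce() ([HashSizeByte]byte, error) {
	var seed [HashSizeByte]byte
	if _, err := rand.Read(seed[:]); err != nil {
		return [HashSizeByte]byte{}, err
	}
	return sha256.Sum256(seed[:]), nil
}

// CollisionProbability is the standard birthday-bound approximation
// 1 - exp(-k^2 / 2^(bits+1)): the chance that at least two of k independently
// and uniformly chosen bits-bit nonces are equal.
func CollisionProbability(bits uint, k float64) float64 {
	space := math.Ldexp(1, int(bits)) // 2^bits possible nonce values
	return 1 - math.Exp(-k*k/(2*space))
}

// SecurityBits gives the birthday-bound "security level" of a bits-bit nonce:
// after roughly 2^(bits/2) nonces a collision becomes likely.
func SecurityBits(bits uint) uint { return bits / 2 }

func main() {
	nonce, err := NewTreeNonce()
	if err != nil {
		panic(err)
	}
	fmt.Printf("32-byte tree nonce: %x\n", nonce)

	trees := math.Ldexp(1, 32) // 2^32 servers, the figure used in the thread
	for _, bits := range []uint{64, 256} {
		fmt.Printf("%3d-bit nonce: %d bits of collision resistance, P(collision among 2^32 trees) = %.3g\n",
			bits, SecurityBits(bits), CollisionProbability(bits, trees))
	}
}
```

With 2^32 trees and a 64-bit nonce the birthday bound puts the collision probability near 0.39, which is what "32 bits of security" means here; a 256-bit nonce makes the same probability vanishingly small.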

vqhuy commented

Thanks for the explanation! Let's see what others say.