mirror of
https://github.com/0glabs/0g-chain.git
synced 2024-12-27 16:55:21 +00:00
235 lines
7.7 KiB
Protocol Buffer
235 lines
7.7 KiB
Protocol Buffer
|
syntax = "proto3";
|
||
|
|
||
|
package ics23;
|
||
|
option go_package = "github.com/confio/ics23/go";
|
||
|
|
||
|
enum HashOp {
|
||
|
// NO_HASH is the default if no data passed. Note this is an illegal argument some places.
|
||
|
NO_HASH = 0;
|
||
|
SHA256 = 1;
|
||
|
SHA512 = 2;
|
||
|
KECCAK = 3;
|
||
|
RIPEMD160 = 4;
|
||
|
BITCOIN = 5; // ripemd160(sha256(x))
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
LengthOp defines how to process the key and value of the LeafOp
|
||
|
to include length information. After encoding the length with the given
|
||
|
algorithm, the length will be prepended to the key and value bytes.
|
||
|
(Each one with it's own encoded length)
|
||
|
*/
|
||
|
enum LengthOp {
|
||
|
// NO_PREFIX don't include any length info
|
||
|
NO_PREFIX = 0;
|
||
|
// VAR_PROTO uses protobuf (and go-amino) varint encoding of the length
|
||
|
VAR_PROTO = 1;
|
||
|
// VAR_RLP uses rlp int encoding of the length
|
||
|
VAR_RLP = 2;
|
||
|
// FIXED32_BIG uses big-endian encoding of the length as a 32 bit integer
|
||
|
FIXED32_BIG = 3;
|
||
|
// FIXED32_LITTLE uses little-endian encoding of the length as a 32 bit integer
|
||
|
FIXED32_LITTLE = 4;
|
||
|
// FIXED64_BIG uses big-endian encoding of the length as a 64 bit integer
|
||
|
FIXED64_BIG = 5;
|
||
|
// FIXED64_LITTLE uses little-endian encoding of the length as a 64 bit integer
|
||
|
FIXED64_LITTLE = 6;
|
||
|
// REQUIRE_32_BYTES is like NONE, but will fail if the input is not exactly 32 bytes (sha256 output)
|
||
|
REQUIRE_32_BYTES = 7;
|
||
|
// REQUIRE_64_BYTES is like NONE, but will fail if the input is not exactly 64 bytes (sha512 output)
|
||
|
REQUIRE_64_BYTES = 8;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
ExistenceProof takes a key and a value and a set of steps to perform on it.
|
||
|
The result of peforming all these steps will provide a "root hash", which can
|
||
|
be compared to the value in a header.
|
||
|
|
||
|
Since it is computationally infeasible to produce a hash collission for any of the used
|
||
|
cryptographic hash functions, if someone can provide a series of operations to transform
|
||
|
a given key and value into a root hash that matches some trusted root, these key and values
|
||
|
must be in the referenced merkle tree.
|
||
|
|
||
|
The only possible issue is maliablity in LeafOp, such as providing extra prefix data,
|
||
|
which should be controlled by a spec. Eg. with lengthOp as NONE,
|
||
|
prefix = FOO, key = BAR, value = CHOICE
|
||
|
and
|
||
|
prefix = F, key = OOBAR, value = CHOICE
|
||
|
would produce the same value.
|
||
|
|
||
|
With LengthOp this is tricker but not impossible. Which is why the "leafPrefixEqual" field
|
||
|
in the ProofSpec is valuable to prevent this mutability. And why all trees should
|
||
|
length-prefix the data before hashing it.
|
||
|
*/
|
||
|
message ExistenceProof {
|
||
|
bytes key = 1;
|
||
|
bytes value = 2;
|
||
|
LeafOp leaf = 3;
|
||
|
repeated InnerOp path = 4;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
NonExistenceProof takes a proof of two neighbors, one left of the desired key,
|
||
|
one right of the desired key. If both proofs are valid AND they are neighbors,
|
||
|
then there is no valid proof for the given key.
|
||
|
*/
|
||
|
message NonExistenceProof {
|
||
|
bytes key = 1; // TODO: remove this as unnecessary??? we prove a range
|
||
|
ExistenceProof left = 2;
|
||
|
ExistenceProof right = 3;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
CommitmentProof is either an ExistenceProof or a NonExistenceProof, or a Batch of such messages
|
||
|
*/
|
||
|
message CommitmentProof {
|
||
|
oneof proof {
|
||
|
ExistenceProof exist = 1;
|
||
|
NonExistenceProof nonexist = 2;
|
||
|
BatchProof batch = 3;
|
||
|
CompressedBatchProof compressed = 4;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
LeafOp represents the raw key-value data we wish to prove, and
|
||
|
must be flexible to represent the internal transformation from
|
||
|
the original key-value pairs into the basis hash, for many existing
|
||
|
merkle trees.
|
||
|
|
||
|
key and value are passed in. So that the signature of this operation is:
|
||
|
leafOp(key, value) -> output
|
||
|
|
||
|
To process this, first prehash the keys and values if needed (ANY means no hash in this case):
|
||
|
hkey = prehashKey(key)
|
||
|
hvalue = prehashValue(value)
|
||
|
|
||
|
Then combine the bytes, and hash it
|
||
|
output = hash(prefix || length(hkey) || hkey || length(hvalue) || hvalue)
|
||
|
*/
|
||
|
message LeafOp {
|
||
|
HashOp hash = 1;
|
||
|
HashOp prehash_key = 2;
|
||
|
HashOp prehash_value = 3;
|
||
|
LengthOp length = 4;
|
||
|
// prefix is a fixed bytes that may optionally be included at the beginning to differentiate
|
||
|
// a leaf node from an inner node.
|
||
|
bytes prefix = 5;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
InnerOp represents a merkle-proof step that is not a leaf.
|
||
|
It represents concatenating two children and hashing them to provide the next result.
|
||
|
|
||
|
The result of the previous step is passed in, so the signature of this op is:
|
||
|
innerOp(child) -> output
|
||
|
|
||
|
The result of applying InnerOp should be:
|
||
|
output = op.hash(op.prefix || child || op.suffix)
|
||
|
|
||
|
where the || operator is concatenation of binary data,
|
||
|
and child is the result of hashing all the tree below this step.
|
||
|
|
||
|
Any special data, like prepending child with the length, or prepending the entire operation with
|
||
|
some value to differentiate from leaf nodes, should be included in prefix and suffix.
|
||
|
If either of prefix or suffix is empty, we just treat it as an empty string
|
||
|
*/
|
||
|
message InnerOp {
|
||
|
HashOp hash = 1;
|
||
|
bytes prefix = 2;
|
||
|
bytes suffix = 3;
|
||
|
}
|
||
|
|
||
|
|
||
|
/**
|
||
|
ProofSpec defines what the expected parameters are for a given proof type.
|
||
|
This can be stored in the client and used to validate any incoming proofs.
|
||
|
|
||
|
verify(ProofSpec, Proof) -> Proof | Error
|
||
|
|
||
|
As demonstrated in tests, if we don't fix the algorithm used to calculate the
|
||
|
LeafHash for a given tree, there are many possible key-value pairs that can
|
||
|
generate a given hash (by interpretting the preimage differently).
|
||
|
We need this for proper security, requires client knows a priori what
|
||
|
tree format server uses. But not in code, rather a configuration object.
|
||
|
*/
|
||
|
message ProofSpec {
|
||
|
// any field in the ExistenceProof must be the same as in this spec.
|
||
|
// except Prefix, which is just the first bytes of prefix (spec can be longer)
|
||
|
LeafOp leaf_spec = 1;
|
||
|
InnerSpec inner_spec = 2;
|
||
|
// max_depth (if > 0) is the maximum number of InnerOps allowed (mainly for fixed-depth tries)
|
||
|
int32 max_depth = 3;
|
||
|
// min_depth (if > 0) is the minimum number of InnerOps allowed (mainly for fixed-depth tries)
|
||
|
int32 min_depth = 4;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
InnerSpec contains all store-specific structure info to determine if two proofs from a
|
||
|
given store are neighbors.
|
||
|
|
||
|
This enables:
|
||
|
|
||
|
isLeftMost(spec: InnerSpec, op: InnerOp)
|
||
|
isRightMost(spec: InnerSpec, op: InnerOp)
|
||
|
isLeftNeighbor(spec: InnerSpec, left: InnerOp, right: InnerOp)
|
||
|
*/
|
||
|
message InnerSpec {
|
||
|
// Child order is the ordering of the children node, must count from 0
|
||
|
// iavl tree is [0, 1] (left then right)
|
||
|
// merk is [0, 2, 1] (left, right, here)
|
||
|
repeated int32 child_order = 1;
|
||
|
int32 child_size = 2;
|
||
|
int32 min_prefix_length = 3;
|
||
|
int32 max_prefix_length = 4;
|
||
|
// empty child is the prehash image that is used when one child is nil (eg. 20 bytes of 0)
|
||
|
bytes empty_child = 5;
|
||
|
// hash is the algorithm that must be used for each InnerOp
|
||
|
HashOp hash = 6;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
BatchProof is a group of multiple proof types than can be compressed
|
||
|
*/
|
||
|
message BatchProof {
|
||
|
repeated BatchEntry entries = 1;
|
||
|
}
|
||
|
|
||
|
// Use BatchEntry not CommitmentProof, to avoid recursion
|
||
|
message BatchEntry {
|
||
|
oneof proof {
|
||
|
ExistenceProof exist = 1;
|
||
|
NonExistenceProof nonexist = 2;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
|
||
|
/****** all items here are compressed forms *******/
|
||
|
|
||
|
message CompressedBatchProof {
|
||
|
repeated CompressedBatchEntry entries = 1;
|
||
|
repeated InnerOp lookup_inners = 2;
|
||
|
}
|
||
|
|
||
|
// Use BatchEntry not CommitmentProof, to avoid recursion
|
||
|
message CompressedBatchEntry {
|
||
|
oneof proof {
|
||
|
CompressedExistenceProof exist = 1;
|
||
|
CompressedNonExistenceProof nonexist = 2;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
message CompressedExistenceProof {
|
||
|
bytes key = 1;
|
||
|
bytes value = 2;
|
||
|
LeafOp leaf = 3;
|
||
|
// these are indexes into the lookup_inners table in CompressedBatchProof
|
||
|
repeated int32 path = 4;
|
||
|
}
|
||
|
|
||
|
message CompressedNonExistenceProof {
|
||
|
bytes key = 1; // TODO: remove this as unnecessary??? we prove a range
|
||
|
CompressedExistenceProof left = 2;
|
||
|
CompressedExistenceProof right = 3;
|
||
|
}
|