Sakura specifies a tree hash mode for e.g. Keccak (SHA-3). Are there any reasons

Question

Sakura specifies a tree hash mode for e.g. Keccak (SHA-3). Are there any reasons to use the Sakura tree hash mode in a Generalized Merkle Signature Scheme? It seems to me Sakura primarily solves a uniqueness problem with using tree hashes for large data when the depth of the tree is variable.

Trivially, if Sakura mode is not used and the depth d tree-hash of data M=M0|M1|...|Mn-1 is D, then the depth d?1 tree hash of data M? (where M?0=f(M0)|f(M1) etc) is also D. If Sakura is used, such trivial collisions will be impossible.

This problem doesn't seem to exist in GMSS, considering that the leaf-nodes consist of OTS public keys and not plain text fragments.

Explanation / Answer

In general there is no reason to use tree hash modes for Merkle trees. The reason is that a Merkle tree itself is already some kind of tree hash mode. The important thing about this kind of mode is that it allows to compute the root node given the value of one leaf and one node per tree level.

The possible ambiguity of hashes is not relevant for hash-based signatures as for these the tree height and thereby the number of leaves are predefined.   

Related Questions

Navigate

• Browse (All)
• Browse S
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.