Incryptography andcomputer science, ahash tree orMerkle tree is atree in which every "leaf"node is labelled with thecryptographic hash of a data block, and every node that is not a leaf (called abranch,inner node, orinode) is labelled with the cryptographic hash of the labels of its child nodes. A hash tree allows efficient and secure verification of the contents of a largedata structure. A hash tree is a generalization of ahash list and ahash chain.
Demonstrating that a leaf node is a part of a given binary hash tree requires computing a number of hashes proportional to thelogarithm of the number of leaf nodes in the tree.[1] Conversely, in a hash list, the number is proportional to the number of leaf nodes itself. A Merkle tree is therefore an efficient example of acryptographic commitment scheme, in which the root of the tree is seen as a commitment and leaf nodes may be revealed and proven to be part of the original commitment.[2]
The concept of a hash tree is named afterRalph Merkle, who patented it in 1979.[3][4]
Hash trees can be used to verify any kind of data stored, handled and transferred in and between computers. They can help ensure that datablocks received from other peers in apeer-to-peer network are received undamaged and unaltered, and even to check that the other peers do not lie and send fake blocks.
Hash trees are used in:
Suggestions have been made to use hash trees intrusted computing systems.[12]
A hash tree is atree ofhashes in which the leaves (i.e., leaf nodes, sometimes also called "leafs") are hashes of datablocks in, for instance, a file or set of files. Nodes farther up in the tree are the hashes of their respective children. For example, in the above picturehash 0 is the result of hashing theconcatenation ofhash 0-0 andhash 0-1. That is,hash 0 =hash(hash 0-0 +hash 0-1 ) where "+" denotes concatenation.
Most hash tree implementations are binary (two child nodes under each node) but they can just as well use many more child nodes under each node.
Usually, acryptographic hash function such asSHA-2 is used for the hashing. If the hash tree only needs to protect against unintentional damage, unsecuredchecksums such asCRCs can be used.
In the top of a hash tree there is atop hash (orroot hash ormaster hash). Before downloading a file on aP2P network, in most cases the top hash is acquired from a trusted source, for instance a friend or a web site that is known to have good recommendations of files to download. When the top hash is available, the hash tree can be received from any non-trusted source, like any peer in the P2P network. Then, the received hash tree is checked against the trusted top hash, and if the hash tree is damaged or fake, another hash tree from another source will be tried until the program finds one that matches the top hash.[13]
The main difference from ahash list is that one branch of the hash tree can be downloaded at a time and the integrity of each branch can be checked immediately, even though the whole tree is not available yet. For example, in the picture, the integrity ofdata block L2 can be verified immediately if the tree already containshash 0-0 andhash 1 by hashing the data block and iteratively combining the result withhash 0-0 and thenhash 1 and finally comparing the result with thetop hash. Similarly, the integrity ofdata block L3 can be verified if the tree already hashash 1-1 andhash 0. This can be an advantage since it is efficient to split files up in very small data blocks so that only small blocks have to be re-downloaded if they get damaged. If the hashed file is big, such a hash list or hash chain becomes fairly big. But if it is a tree, one small branch can be downloaded quickly, the integrity of the branch can be checked, and then the downloading of data blocks can start.[citation needed]
The Merkle hash root does not indicate the tree depth, enabling asecond-preimage attack in which an attacker creates a document other than the original that has the same Merkle hash root. For the example above, an attacker can create a new document containing two data blocks, where the first ishash 0-0 +hash 0-1, and the second ishash 1-0 +hash 1-1.[14][15]
One simple fix is defined inCertificate Transparency: when computing leaf node hashes, a 0x00 byte is prepended to the hash data, while 0x01 is prepended when computing internal node hashes.[13] Limiting the hash tree size is a prerequisite of someformal security proofs, and helps in making some proofs tighter. Some implementations limit the tree depth using hash tree depth prefixes before hashes, so any extracted hash chain is defined to be valid only if the prefix decreases at each step and is still positive when the leaf is reached.
The Tiger tree hash is a widely used form of hash tree. It uses a binary hash tree (two child nodes under each node), usually has a data block size of 1024bytes and uses theTiger hash.[16]
Tiger tree hashes are used inGnutella,[17]Gnutella2, andDirect ConnectP2P file sharing protocols[18] and infile sharing applications such asPhex,[19]BearShare,LimeWire,Shareaza,DC++[20] andgtk-gnutella.[21]
When a replica is down for an extended period of time, or the machine storing hinted handoffs for an unavailable replica goes down as well, replicas must synchronize from one another. In this case, Cassandra and Riak implement a Dynamo-inspired process called anti-entropy. In anti-entropy, replicas exchange Merkle trees to identify parts of their replicated key ranges which are out of sync. A Merkle tree is a hierarchical hash verification: if the hash over the entire keyspace is not the same between two replicas, they will exchange hashes of smaller and smaller portions of the replicated keyspace until the out-of-sync keys are identified. This approach reduces unnecessary data transfer between replicas which contain mostly similar data.
{{cite book}}: CS1 maint: location missing publisher (link)
