From: Sergey Matveev <stargrave@stargrave.org>
Date: Sun, 26 Jan 2025 15:01:13 +0000 (+0300)
Subject: Draft -merkle hashing modes
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=7d0adf829eca6c16bf6a3cbbfb75cad11eda8ab33326d7432b65ddc3e9d73afb;p=keks.git

Draft -merkle hashing modes
---

diff --git a/spec/format/hashed.texi b/spec/format/hashed.texi
index 2653b32..8bf30f9 100644
--- a/spec/format/hashed.texi
+++ b/spec/format/hashed.texi
@@ -22,10 +22,21 @@ algorithms.
 @node pki-hashed-blake2b
 @subsection pki-hashed with BLAKE2b
 
-@url{https://www.blake2.net/, BLAKE2b} with
-512-bit output has @code{blake2b} algorithm identifier.
+    @url{https://www.blake2.net/, BLAKE2b} with
+    512-bit output has @code{blake2b} algorithm identifier.
 
-256-bit output has @code{blake2b256} algorithm identifier.
+    256-bit output has @code{blake2b256} algorithm identifier.
+
+@node pki-hashed-blake2b-merkle
+@subsection pki-hashed with BLAKE2b in Merkle-tree mode
+
+    BLAKE2b-512 is used in Merkle tree hashing mode, as described in
+    @url{https://datatracker.ietf.org/doc/html/rfc9162, RFC 9162},
+    except that no @code{0x00}/@code{0x01} constants are appended to
+    the hashed data, but BLAKE2b is initialised in keyed mode with
+    either "LEAF" or "NODE" keys.
+
+    @code{blake2b-merkle} algorithm identifier is used.
 
 @node pki-hashed-blake3
 @subsection pki-hashed with BLAKE3
@@ -46,27 +57,33 @@ algorithms.
     @url{https://keccak.team/, SHAKE} XOF function with fixed
     256 (SHAKE128) or 512 (SHAKE256) bit output.
 
-    Following algorithm identifiers are acceptable:
-    @code{shake128}, @code{shake256}.
+    @code{shake128}, @code{shake256} algorithm identifiers are used.
 
 @node pki-hashed-skein512
 @subsection pki-hashed with Skein-512
 
     512-bit @url{https://www.schneier.com/academic/skein/, Skein-512} hash.
 
-    @code{skein512} is acceptable algorithm identifier.
+    @code{skein512} algorithm identifier is used.
 
 @node pki-hashed-gost3411
 @subsection pki-hashed with GOST R 34.11-2012
 
     Streebog must be big-endian serialised.
 
-    Following algorithm identifiers are acceptable:
-    @code{streebog256}, @code{streebog512}.
+    @code{streebog256}, @code{streebog512} algorithm identifiers are used.
+
+@node pki-hashed-gost3411-merkle
+@subsection pki-hashed with GOST R 34.11-2012 in Merkle tree mode
+
+    Streebog-512 is used in Merkle tree hashing mode, as described in
+    @url{https://datatracker.ietf.org/doc/html/rfc9162, RFC 9162}.
+
+    @code{streebog512-merkle} algorithm identifier is used.
 
 @node pki-hashed-xxh3-128
 @subsection pki-hashed with XXH3-128
 
     128-bit @url{https://xxhash.com/, XXH3} hash must be big-endian encoded.
 
-    @code{xxh3-128} is acceptable algorithm identifier.
+    @code{xxh3-128} algorithm identifier is used.