Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

getHexProof() cannot be verified with verify() #53

Open
grempe opened this issue Apr 15, 2022 · 0 comments
Open

getHexProof() cannot be verified with verify() #53

grempe opened this issue Apr 15, 2022 · 0 comments
Labels
needs documentation

Comments

@grempe
Copy link

grempe commented Apr 15, 2022
edited

If I request a getHexProof() for a leaf I am unable to later verify the proof. The other two proof forms seem to work.

Here is an example showing the use of getProof(), getHexProof(), and getPositionalHexProof()

Since it does not contain the positional info needed to verify I am not sure why the output of getPositionalHexProof() is not what getHexProof() returns.

If this is for some reason intentional it really needs to be documented as to why. Otherwise this is a footgun.

const { MerkleTree } = require('merkletreejs')
const crypto = require('crypto')

function sha256(data) {
  return crypto.createHash('sha256').update(data).digest()
}

const leaves = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p'].map(x => sha256(x))

const treeOne = new MerkleTree(leaves, sha256)
// console.log(treeOne.toString())
const rootOne = treeOne.getRoot().toString('hex')
const leafOne = sha256('a')
const proofOne = treeOne.getProof(leafOne)
console.log(treeOne.verify(proofOne, leafOne, rootOne)) // true

const treeTwo = new MerkleTree(leaves, sha256)
// console.log(treeTwo.toString())
const rootTwo = treeTwo.getRoot().toString('hex')
const leafTwo = sha256('a')
const proofTwo = treeTwo.getHexProof(leafTwo) // <--
console.log(treeTwo.verify(proofTwo, leafTwo, rootTwo)) // false ???

const treeThree = new MerkleTree(leaves, sha256)
// console.log(treeThree.toString())
const rootThree = treeThree.getRoot().toString('hex')
const leafThree = sha256('a')
const proofThree = treeThree.getPositionalHexProof(leafThree)
console.log(treeThree.verify(proofThree, leafThree, rootThree)) // true

Update : After reviewing the tests it seems you can get it to work, but only if you create the tree with { sortPairs: true }

https://github.com/miguelmota/merkletreejs/blob/21ce84a950c9a3a53bcd1360ea0b80004d099268/test/MerkleTree.test.js#L134

const treeTwo = new MerkleTree(leaves, sha256, { sortPairs: true })
// console.log(treeTwo.toString())
const rootTwo = treeTwo.getRoot().toString('hex')
const leafTwo = sha256('a')
const proofTwo = treeTwo.getHexProof(leafTwo)
console.log(treeTwo.verify(proofTwo, leafTwo, rootTwo)) // true

This behavior is not documented in the README, or in the function signature:

https://github.com/miguelmota/merkletreejs/blob/master/src/MerkleTree.ts#L535

I now also see a closed issue that you closed as 'expected behavior'. If this is in fact the desired behavior can you please take this bug as a need to fully document this behavior somewhere?

#27

Thanks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@grempe @miguelmota