support split bagging in qmdb-current

Author: roberto-bayardo

storage/fuzz/fuzz_targets/current_ordered_operations.rs

@@ -53,6 +53,8 @@ enum CurrentOperation {
         bad_digests: Vec<[u8; 32]>,
         max_ops: NonZeroU64,
         bad_chunks: Vec<[u8; 32]>,
+        bad_prefix_peaks: Vec<[u8; 32]>,
+        bad_suffix_peaks: Vec<[u8; 32]>,
     },
     GetSpan {
         key: RawKey,
@@ -269,7 +271,14 @@ fn fuzz_family<F: Graftable + RootSpec>(data: &FuzzInput, suffix: &str) {
                     }
                 }
 
-                CurrentOperation::ArbitraryProof {start_loc, bad_digests, max_ops, bad_chunks} => {
+                CurrentOperation::ArbitraryProof {
+                    start_loc,
+                    bad_digests,
+                    max_ops,
+                    bad_chunks,
+                    bad_prefix_peaks,
+                    bad_suffix_peaks,
+                } => {
                     let current_op_count = db.bounds().await.end;
                     if current_op_count == 0 {
                         continue;
@@ -313,6 +322,36 @@ fn fuzz_family<F: Graftable + RootSpec>(data: &FuzzInput, suffix: &str) {
                                 &root
                             ), "proof with bad chunks should not verify");
                         }
+
+                        let bad_prefix_peaks =
+                            bad_prefix_peaks.iter().map(|d| Digest::from(*d)).collect();
+                        if range_proof.unfolded_prefix_peaks != bad_prefix_peaks {
+                            let mut bad_proof = range_proof.clone();
+                            bad_proof.unfolded_prefix_peaks = bad_prefix_peaks;
+                            assert!(!Db::<F>::verify_range_proof(
+                                &mut hasher,
+                                &bad_proof,
+                                start_loc,
+                                &ops,
+                                &chunks,
+                                &root
+                            ), "proof with bad prefix peaks should not verify");
+                        }
+
+                        let bad_suffix_peaks =
+                            bad_suffix_peaks.iter().map(|d| Digest::from(*d)).collect();
+                        if range_proof.unfolded_suffix_peaks != bad_suffix_peaks {
+                            let mut bad_proof = range_proof.clone();
+                            bad_proof.unfolded_suffix_peaks = bad_suffix_peaks;
+                            assert!(!Db::<F>::verify_range_proof(
+                                &mut hasher,
+                                &bad_proof,
+                                start_loc,
+                                &ops,
+                                &chunks,
+                                &root
+                            ), "proof with bad suffix peaks should not verify");
+                        }
                     }
                 }
 

storage/fuzz/fuzz_targets/current_unordered_operations.rs

@@ -53,6 +53,8 @@ enum CurrentOperation {
         bad_digests: Vec<[u8; 32]>,
         max_ops: NonZeroU64,
         bad_chunks: Vec<[u8; 32]>,
+        bad_prefix_peaks: Vec<[u8; 32]>,
+        bad_suffix_peaks: Vec<[u8; 32]>,
     },
 }
 
@@ -244,7 +246,14 @@ fn fuzz_family<F: Graftable + RootSpec>(data: &FuzzInput, suffix: &str) {
                     }
                 }
 
-                CurrentOperation::ArbitraryProof {start_loc, bad_digests, max_ops, bad_chunks} => {
+                CurrentOperation::ArbitraryProof {
+                    start_loc,
+                    bad_digests,
+                    max_ops,
+                    bad_chunks,
+                    bad_prefix_peaks,
+                    bad_suffix_peaks,
+                } => {
                     let current_op_count = db.bounds().await.end;
                     if current_op_count == 0 {
                         continue;
@@ -285,6 +294,36 @@ fn fuzz_family<F: Graftable + RootSpec>(data: &FuzzInput, suffix: &str) {
                                 &root
                             ), "proof with bad chunks should not verify");
                         }
+
+                        let bad_prefix_peaks =
+                            bad_prefix_peaks.iter().map(|d| Digest::from(*d)).collect();
+                        if range_proof.unfolded_prefix_peaks != bad_prefix_peaks {
+                            let mut bad_proof = range_proof.clone();
+                            bad_proof.unfolded_prefix_peaks = bad_prefix_peaks;
+                            assert!(!Db::<F>::verify_range_proof(
+                                &mut hasher,
+                                &bad_proof,
+                                start_loc,
+                                &ops,
+                                &chunks,
+                                &root
+                            ), "proof with bad prefix peaks should not verify");
+                        }
+
+                        let bad_suffix_peaks =
+                            bad_suffix_peaks.iter().map(|d| Digest::from(*d)).collect();
+                        if range_proof.unfolded_suffix_peaks != bad_suffix_peaks {
+                            let mut bad_proof = range_proof.clone();
+                            bad_proof.unfolded_suffix_peaks = bad_suffix_peaks;
+                            assert!(!Db::<F>::verify_range_proof(
+                                &mut hasher,
+                                &bad_proof,
+                                start_loc,
+                                &ops,
+                                &chunks,
+                                &root
+                            ), "proof with bad suffix peaks should not verify");
+                        }
                     }
                 }
 

storage/src/merkle/mod.rs

@@ -33,6 +33,8 @@ pub use position::Position;
 #[cfg(test)]
 pub(crate) use proof::build_range_proof;
 pub use proof::Proof;
+#[cfg(feature = "std")]
+pub(crate) use proof::{build_range_collection_proof, range_collection_nodes};
 pub use read::Readable;
 use thiserror::Error;
 

storage/src/merkle/proof.rs

@@ -738,6 +738,70 @@ impl<F: Family, D: Digest> Proof<F, D> {
             )
             .ok_or(ReconstructionError::InvalidProof)
     }
+
+    /// Authenticate the proven range without reconstructing the full generic Merkle root.
+    ///
+    /// This consumes only the sibling digests needed to rebuild the proven range peaks, then returns
+    /// those peak digests in `collected`. It deliberately does not consume peak-bagging witnesses
+    /// such as prefix peaks, after peaks, or backward-fold suffix accumulators.
+    ///
+    /// Current QMDB grafted proofs use this path because their final root is rebuilt by the wrapper
+    /// from the collected range peaks plus grafted prefix/suffix witnesses. Including generic
+    /// peak-bagging witnesses here would create proof bytes that the wrapper root ignores, making
+    /// those bytes malleable.
+    pub(crate) fn reconstruct_range_collecting<H, E>(
+        &self,
+        hasher: &H,
+        elements: &[E],
+        start_loc: Location<F>,
+        collected: &mut Vec<(Position<F>, D)>,
+    ) -> Result<(), ReconstructionError>
+    where
+        H: Hasher<F, Digest = D>,
+        E: AsRef<[u8]>,
+    {
+        if elements.is_empty() {
+            return Err(ReconstructionError::MissingElements);
+        }
+        if !start_loc.is_valid_index() {
+            return Err(ReconstructionError::InvalidStartLoc);
+        }
+        let end_loc = start_loc
+            .checked_add(elements.len() as u64)
+            .ok_or(ReconstructionError::InvalidEndLoc)?;
+        if end_loc > self.leaves {
+            return Err(ReconstructionError::InvalidEndLoc);
+        }
+
+        let range = start_loc..end_loc;
+        let bp = Blueprint::new_using_policy(
+            self.leaves,
+            self.inactive_peaks,
+            Bagging::ForwardFold,
+            range,
+        )
+        .map_err(|_| ReconstructionError::InvalidSize)?;
+
+        let mut sibling_cursor = 0usize;
+        let mut elements_iter = elements.iter();
+        for peak in &bp.range_peaks {
+            let peak_digest = peak.reconstruct_digest(
+                hasher,
+                &bp.range,
+                &mut elements_iter,
+                &self.digests,
+                &mut sibling_cursor,
+                Some(collected),
+            )?;
+            collected.push((peak.pos, peak_digest));
+        }
+
+        if elements_iter.next().is_some() || sibling_cursor != self.digests.len() {
+            return Err(ReconstructionError::ExtraDigests);
+        }
+
+        Ok(())
+    }
 }
 
 /// A perfect binary subtree within a peak, identified by its root position, height,
@@ -1222,6 +1286,52 @@ where
     )
 }
 
+/// Return the node positions needed by [`build_range_collection_proof`].
+#[cfg(feature = "std")]
+pub(crate) fn range_collection_nodes<F: Family>(
+    leaves: Location<F>,
+    inactive_peaks: usize,
+    range: Range<Location<F>>,
+) -> Result<Vec<Position<F>>, super::Error<F>> {
+    let bp = Blueprint::new_using_policy(leaves, inactive_peaks, Bagging::ForwardFold, range)?;
+    let mut fetch_nodes = Vec::new();
+    for peak in &bp.range_peaks {
+        peak.collect_siblings(&bp.range, &mut fetch_nodes);
+    }
+    Ok(fetch_nodes)
+}
+
+/// Build a proof containing only the sibling digests needed to authenticate the requested range.
+///
+/// The resulting proof cannot reconstruct a complete generic Merkle root on its own. It is intended
+/// for wrappers that rebuild a custom root from separately supplied peak witnesses, such as current
+/// QMDB grafted proofs.
+#[cfg(feature = "std")]
+pub(crate) fn build_range_collection_proof<F, D, E>(
+    leaves: Location<F>,
+    inactive_peaks: usize,
+    range: Range<Location<F>>,
+    get_node: impl Fn(Position<F>) -> Option<D>,
+    element_pruned: impl Fn(Position<F>) -> E,
+) -> Result<Proof<F, D>, E>
+where
+    F: Family,
+    D: Digest,
+    E: From<super::Error<F>>,
+{
+    let fetch_nodes = range_collection_nodes(leaves, inactive_peaks, range)?;
+    let mut digests = Vec::with_capacity(fetch_nodes.len());
+    for pos in fetch_nodes {
+        digests.push(get_node(pos).ok_or_else(|| element_pruned(pos))?);
+    }
+
+    Ok(Proof {
+        leaves,
+        inactive_peaks,
+        digests,
+    })
+}
+
 /// Returns the positions of the minimal set of nodes whose digests are required to prove the
 /// inclusion of the elements at the specified `locations`, using the provided root bagging.
 #[cfg(any(feature = "std", test))]