silversixpence-crypto / dapol

DAPOL+ Proof of Liabilities using Bulletproofs and Sparse Merkle trees
MIT License

Try proving a stronger form of the dapol security definitions #168

Open Stentonian opened 3 weeks ago

Stentonian commented 3 weeks ago

The dapol security & privacy definitions rely on the tree being privately held by the custodian. It may be useful to be able to share the whole tree with a 3rd party. So it would then be necessary to adjust the security definitions to allow for shareable trees, and try to prove them for dapol.

dapol paper: https://eprint.iacr.org/2021/1350

It would be useful to have this property because a) the custodian can share the tree with an auditor/regulator, and b) a 3rd party can facilitate the generation of Merkle inclusion proofs for users so that the custodian does not know which ones are verifying.

In the privacy definitions the adversary has access to some subset of the database $\text{DB}[V]$ where $V$ is a set of corrupted users. They also have access to the inclusion proofs of $V$. If the whole tree is to be made public then the adversary would gain access to the inclusion proofs of all users $U$.

Stentonian commented 3 weeks ago

The one thing that the adversary could gain info-wise is tighter bounds on the number of users. We could adjust the way the tree is constructed to further obfuscate this data: https://hackmd.io/8HN5hgvXRfm2CVfeaMyhNA
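Added illustration (not dapol's code, and not from the issue thread) of the two points above: a party holding the whole tree can serve any user's inclusion proof without the custodian learning who is verifying, and that same party can count the occupied leaf slots, which is the user-count leak the second comment refers to. It assumes a toy hash-based tree of 16 slots, SHA-256 hash commitments standing in for dapol's Pedersen commitments, padding leaves derived from a custodian secret, and a constructed three-user database; none of these are the library's actual parameters or layout.

```python
import hashlib
from typing import Dict, List, Tuple

HEIGHT = 4            # 2**HEIGHT leaf slots; toy size, an assumption
SLOTS = 1 << HEIGHT

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def commit(liability: int, blinding: bytes) -> bytes:
    # Hash commitment standing in for dapol's Pedersen commitment (assumption).
    return h(b"commit", liability.to_bytes(8, "big"), blinding)

def padding_leaf(slot: int, pad_secret: bytes) -> bytes:
    # Unused slot: hash of the position and a custodian-only secret (assumption).
    return h(b"pad", slot.to_bytes(2, "big"), pad_secret)

def user_leaf(user_id: bytes, commitment: bytes) -> bytes:
    # The leaf carries the commitment, not the liability itself.
    return h(b"user", user_id, commitment)

def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """levels[0] is the leaf row, levels[-1] is [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        row = levels[-1]
        levels.append([h(row[i], row[i + 1]) for i in range(0, len(row), 2)])
    return levels

# Constructed database: user id -> (slot, liability, blinding factor).
DB: Dict[bytes, Tuple[int, int, bytes]] = {
    b"alice": (3, 100, b"r-alice"),
    b"bob":   (9, 250, b"r-bob"),
    b"carol": (14, 75, b"r-carol"),
}
PAD_SECRET = b"custodian-only-padding-secret"

def custodian_build() -> Tuple[List[List[bytes]], Dict[int, bytes]]:
    """Returns (levels, slot -> user id). The slot map is what a third
    party needs to locate a user's leaf once the tree is shared."""
    leaves = [padding_leaf(i, PAD_SECRET) for i in range(SLOTS)]
    who: Dict[int, bytes] = {}
    for uid, (slot, liab, r) in DB.items():
        leaves[slot] = user_leaf(uid, commit(liab, r))
        who[slot] = uid
    return build_levels(leaves), who

def inclusion_proof(levels: List[List[bytes]], slot: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes bottom-up; the flag says the sibling sits on the right."""
    proof = []
    for row in levels[:-1]:
        sib = slot ^ 1
        proof.append((row[sib], sib > slot))
        slot >>= 1
    return proof

def verify(root: bytes, leaf: bytes, proof: List[Tuple[bytes, bool]]) -> bool:
    cur = leaf
    for sib, on_right in proof:
        cur = h(cur, sib) if on_right else h(sib, cur)
    return cur == root

def third_party_prove(levels, who: Dict[int, bytes], uid: bytes):
    """A holder of the shared tree serves any user's proof without asking
    the custodian, so the custodian never learns who is verifying."""
    slot = next(s for s, u in who.items() if u == uid)
    return levels[0][slot], inclusion_proof(levels, slot)

def user_count_from_shared_tree(who: Dict[int, bytes]) -> int:
    """What the same holder learns beyond the proofs: the exact number of
    occupied slots, i.e. the number of users."""
    return len(who)

if __name__ == "__main__":
    levels, who = custodian_build()
    root = levels[-1][0]
    leaf, proof = third_party_prove(levels, who, b"bob")
    # Bob recomputes his own leaf from his liability and blinding factor.
    assert leaf == user_leaf(b"bob", commit(250, b"r-bob"))
    print("bob's proof verifies:", verify(root, leaf, proof))
    print("users visible to the tree holder:", user_count_from_shared_tree(who))
```

The leaf row reveals commitments and positions but not liabilities, so the proof-serving role works without the blinding factors; what the holder does gain is the occupied-slot count, which is why the padding construction would need changing before the privacy definition could be extended to a shared tree.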