Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving Authenticated Dynamic Dictionaries

Published byStephany Brooks Modified over 6 years ago

Similar presentations

Presentation on theme: "Improving Authenticated Dynamic Dictionaries"— Presentation transcript:

1 Improving Authenticated Dynamic Dictionaries
with Applications to Cryptocurrencies Leonid Reyzin Dmitry Meshkov Alexander Chepurnoy Sasha Ivanov Boston University (work supported by Waves Platform) IOHK Research & N. N. Semenov Institute for Chemical Physics, RAS IOHK Research Waves Platform

2 Motivation: validating transactions
14 PKA PKD Stateless validation: Check syntax, signature of PKA, etc. All required info is in the transaction itself Stateful validation: Check that PKA has  (+ fee) Requires knowing how much PKA has based on prior transactions PKA 36 PKE 347 PKI 12 PKM 12 PKB 684 PKF 98 PKJ 285 PKN 76 PKC  2 PKG  50 PKK  463 PKO  3 PKD  13 PKH  54 PKL  3 PKP  88 Large (and growing!) dictionary data structure. Currently in Bitcoin: 1.5GB (serialized). Even worse in multiasset blockchains: one per asset.

3 Problem: blockchain validation requires storing a large state
Q: Where to keep this state? A1: Disk storage => slow validation => DoS [CVE ] A2: RAM => only powerful computers => centralization

4 Problem: blockchain validation requires storing a large state
Observation: transaction verifier does not need this data structure PKA 36 PKE 347 PKI 12 PKM 12 PKB 684 PKF 98 PKJ 285 PKN 76 PKC  2 PKG  50 PKK  463 PKO  3 PKD  13 PKH  54 PKL  3 PKP  88

5 Problem: blockchain validation requires storing a large state
Observation: transaction verifier does not need this data structure PKA 36 PKE 347 PKI 12 PKM 12 PKB 684 PKF 98 PKJ 285 PKN 76 PKC  2 PKG  50 PKK  463 PKO  3 PKD  13 PKH  54 PKL  3 PKP  88 Needs only proof of a single fact: the amount that PKA has Idea [early versions in Miller ‘12, Ethereum/Wood ‘14, White ‘15]: Use authenticated data structures (root in block header) and include a proof of sender’s balance with each transaction.

6 Authenticated account balances
Block header Consensus data Transactions root hash PKA 36 PKB 684 PKD 13 PKC 2 PKE 347 PKF 98 PKH 54 PKG 50 hash Accounts root hash

7 Authenticated account balances
Block header Assume, for now, this can be trusted Consensus data Transactions root hash Accounts root hash hash hash hash hash hash hash PKA 36 PKB 684 PKC 2 PKD 13 PKE 347 PKF 98 PKG 50 PKH 54 14 When a miner includes this transaction, she includes the Merkle path to “PKA 36” PKA PKD A “light verifier” can check the block without storing the state (thus getting traditional full-node security guarantees)

8 Verifier Block header Consensus data Transactions root hash …
Accounts root hash Transactions + proofs Y/N Verifier Guaranteed not to take too long (to prevent DoS)

9 Transactions root hash
Miner (Prover) Block header Next block header Consensus data Transactions root hash New root hash Accounts root hash hash hash hash hash hash hash 22 27 PKA 36 PKB 684 PKC 2 PKD 13 PKE 347 PKF 98 PKG 50 PKH 54 PKA PKD 14 PKF PKE 35 PKB PKH 29

10 Verifier Needs to Check New Root Hash
This can be trusted because verified from previous block, all the way back to genesis Block header Next block header Consensus data Transactions root hash New root hash Accounts root hash = Transactions + proofs Y/N + New root hash Verifier Need to support authentication and root hash update for: - update value of key - insert new (key, value) + rebalance tree - delete key + rebalance tree Ours: 2-party model – only provers and verifiers Note: In typical authenticated data structures (e.g., Certificate Transparency), Verifier is not checking the new root. Our model is strictly harder. More typical: 3-party model

11 : Proof Length Prior Work
All relevant prior work is based on Merkle trees; differences are how to structure/rebalance the underlying binary tree Skip list [Papamanthou-Tamassia ’07] Update existing 1.5 H log N Insert new 1.5 H log N Problem: (bad randomness => unbalanced tree => very long proofs => DoS) require trusted randomness N = # of PKs H = length of hash

12 : Proof Length Prior Work
All relevant prior work is based on Merkle trees; differences are how to structure/rebalance the underlying binary tree Skip list Red-black+ [Miller-Hicks-Katz-Shi ‘14] work for generic data structures Update existing 1.5 H log N (H+K) log N Insert new 1.5 H log N 3 (H+K) log N trusted randomness red-black tree rebalancing requires more nodes N = # of PKs H = length of hash K = length of PK

13 Don’t produce a proof that allows verifier to compute new root
: Proof Length Prior Work All relevant prior work is based on Merkle trees; differences are how to structure/rebalance the underlying binary tree Skip list Red-black+ Various 3-party solutions Update existing 1.5 H log N (H+K) log N [Naor-Nissim 00, GT00,GTS01, AGT01,MNDGKS04, GPT07,CW11…] H log N Insert new 1.5 H log N 3 (H+K) log N N/A trusted randomness Don’t produce a proof that allows verifier to compute new root N = # of PKs H = length of hash K = length of PK

14 : Proof Length Prior Work
All relevant prior work is based on Merkle trees; differences are how to structure/rebalance the underlying binary tree Skip list Red-black+ Update existing 1.5 H log N (H+K) log N Insert new 1.5 H log N 3 (H+K) log N trusted randomness N = # of PKs H = length of hash K = length of PK

15 : Proof Length Our Work All relevant prior work is based on Merkle trees; differences are how to structure/rebalance the underlying binary tree Skip list Red-black+ AVL+ Update existing 1.5 H log N (H+K) log N H log N Insert new 1.5 H log N 3 (H+K) log N H log N trusted randomness Source of improvements: - AVL trees have near-optimal depth (unlike skip lists) - Rebalancing operations in AVL trees almost never use nodes that are not on the path to the leaf N = # of PKs H = length of hash - Targeted (as opposed to generic) algorithms K = length of PK

16 Implementation results: single-op proof size
- For N = our modify/insert proof size = 765 bytes (with 256-bit keys/hashes, 64-bit values) - Deletion proofs are about 50 bytes longer - Improves many 3-party works (e.g., [Crosby-Wallach ‘11])

17 Further improvement: combining proofs
Block header Next block header Consensus data Transactions root hash New accounts root hash Accounts root hash hash hash hash hash hash hash PKA 36 PKB 684 PKC 2 PKD 13 PKE 347 PKF 98 PKG 50 PKH 54 PKA PKD 14 - These proofs overlap. - Some values can omitted because verifier will compute them PKF PKE 35 PKB PKH 29

18 Further improvement: combining proofs
Block header Next block header Consensus data Transactions root hash New accounts root hash Accounts root hash hash hash hash hash hash hash PKA 36 PKB 684 PKC 2 PKD 13 PKE 347 PKF 98 PKG 50 PKH 54 PKA PKD 14 - These proofs overlap. - Some values can omitted because verifier will compute them PKF PKE 35 PKB PKH 29

19 Further improvement: combining proofs
Block header Next block header Consensus data Transactions root hash New accounts root hash Accounts root hash hash hash hash hash hash hash PKA 36 PKB 684 PKC 2 PKD 13 PKE 347 PKF 98 PKG 50 PKH 54 PKA PKD 14 - These proofs overlap. - Some values can omitted because verifier will compute them PKF PKE 35 PKB PKH 29

20 Further improvement: combining proofs
Block header Next block header Consensus data Transactions root hash New accounts root hash Accounts root hash hash hash hash hash hash hash PKA 36 PKB 684 PKC 2 PKD 13 PKE 347 PKF 98 PKG 50 PKH 54 PKA PKD 14 - These proofs overlap. - Some values can omitted because verifier will compute them PKF PKE 35 PKB PKH 29

21 Implementation results: batching proofs
For N = and batch B = 2000 : compressed proof is  370 bytes per operation (instead of  760 uncompressed)

22 Conclusion: authenticated data structures enable verification on commodity hardware!
Paper: ia.cr/2016/994 github.com/input-output-hk/scrypto wavesplatform.com/ Code (public domain): Coming to Waves Platform:

Download ppt "Improving Authenticated Dynamic Dictionaries"

Similar presentations

CSE332: Data Abstractions Lecture 8: AVL Delete; Memory Hierarchy Dan Grossman Spring 2010.

CSE332: Data Abstractions Lecture 8: AVL Delete; Memory Hierarchy Dan Grossman Spring 2010.
CS 206 Introduction to Computer Science II 12 / 03 / 2008 Instructor: Michael Eckmann.

CS 206 Introduction to Computer Science II 12 / 03 / 2008 Instructor: Michael Eckmann.
©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Part B Part A:  Index Definition in SQL  Ordered Indices  Index Sequential.

©Silberschatz, Korth and Sudarshan12.1Database System Concepts Chapter 12: Part B Part A:  Index Definition in SQL  Ordered Indices  Index Sequential.
CS 206 Introduction to Computer Science II 12 / 01 / 2008 Instructor: Michael Eckmann.

CS 206 Introduction to Computer Science II 12 / 01 / 2008 Instructor: Michael Eckmann.
B + -Trees (Part 1). Motivation AVL tree with N nodes is an excellent data structure for searching, indexing, etc. –The Big-Oh analysis shows most operations.

B + -Trees (Part 1). Motivation AVL tree with N nodes is an excellent data structure for searching, indexing, etc. –The Big-Oh analysis shows most operations.
B + -Trees (Part 1) COMP171. Slide 2 Main and secondary memories  Secondary storage device is much, much slower than the main RAM  Pages and blocks.

B + -Trees (Part 1) COMP171. Slide 2 Main and secondary memories  Secondary storage device is much, much slower than the main RAM  Pages and blocks.
CS 206 Introduction to Computer Science II 11 / 24 / 2008 Instructor: Michael Eckmann.

CS 206 Introduction to Computer Science II 11 / 24 / 2008 Instructor: Michael Eckmann.
CSE 326: Data Structures Lecture #13 Extendible Hashing and Splay Trees Alon Halevy Spring Quarter 2001.

CSE 326: Data Structures Lecture #13 Extendible Hashing and Splay Trees Alon Halevy Spring Quarter 2001.
Oct 29, 2001CSE 373, Autumn 20011 External Storage For large data sets, the computer will have to access the disk. Disk access can take 200,000 times longer.

Oct 29, 2001CSE 373, Autumn External Storage For large data sets, the computer will have to access the disk. Disk access can take 200,000 times longer.
CSE332: Data Abstractions Lecture 8: Memory Hierarchy Tyler Robison Summer 2010 1.

CSE332: Data Abstractions Lecture 8: Memory Hierarchy Tyler Robison Summer
Balanced Search Trees 15-211 Fundamental Data Structures and Algorithms Margaret Reid-Miller 3 February 2005.

Balanced Search Trees Fundamental Data Structures and Algorithms Margaret Reid-Miller 3 February 2005.
CS 206 Introduction to Computer Science II 04 / 22 / 2009 Instructor: Michael Eckmann.

CS 206 Introduction to Computer Science II 04 / 22 / 2009 Instructor: Michael Eckmann.
Lecture 11COMPSCI.220.FS.T - 20041 Balancing an AVLTree Two mirror-symmetric pairs of cases to rebalance the tree if after the insertion of a new key to.

Lecture 11COMPSCI.220.FS.T Balancing an AVLTree Two mirror-symmetric pairs of cases to rebalance the tree if after the insertion of a new key to.
1 Multi-Level Indexing and B-Trees. 2 Statement of the Problem When indexes grow too large they have to be stored on secondary storage. However, there.

1 Multi-Level Indexing and B-Trees. 2 Statement of the Problem When indexes grow too large they have to be stored on secondary storage. However, there.
CSE - 5311 Advanced Algorithms Instructor : Gautam Das Submitted by Raja Rajeshwari Anugula & Srujana Tiruveedhi.

CSE Advanced Algorithms Instructor : Gautam Das Submitted by Raja Rajeshwari Anugula & Srujana Tiruveedhi.
Section #9: Bitcoins. Digital currency Unique string of bits Use cryptography for security and privacy Not tied to names: hard to trace Finite set of.

Section #9: Bitcoins. Digital currency Unique string of bits Use cryptography for security and privacy Not tied to names: hard to trace Finite set of.
COSC 2007 Data Structures II Chapter 13 Advanced Implementation of Tables II.

COSC 2007 Data Structures II Chapter 13 Advanced Implementation of Tables II.
CS422 Principles of Database Systems Indexes

CS422 Principles of Database Systems Indexes
Block Chain 101 May 2017.

Block Chain 101 May 2017.
Efficient Asynchronous Accumulators for Distributed PKI

Efficient Asynchronous Accumulators for Distributed PKI

Similar presentations

Ads by Google