improving authenticated dynamic dictionaries, with application to cryptocurrencies
TRANSCRIPT
Improving Authenticated Dynamic Dictionaries,with Applications to Cryptocurrencies
Leonid Reyzin1, Dmitry Meshkov2, Alexander Chepurnoy3, Sasha Ivanov4
1.Boston University, http://www.cs.bu.edu/faculty/reyzin. Research supported by the Waves platform.
2. IOHK Research and N. N. Semenov Institute of Chemical Physics, RAS, [email protected]
3. IOHK Research, [email protected] platform, [email protected]
MotivationTransactions validation has 2 parts:● Stateless validation: fee is positive,
signature is valid, ... Requires only data kept in the transaction
● State validation: sender has enough coins. Requires full state (1.5Gb in Bitcoin)
State
PubKey 1 3→PubKey 2 6→
…PubKey N 4→
MotivationTransactions validation:● Requires full state (even bigger problem for
multi-asset blockchains)
Multi-asset blockchain state
Asset 1 State
PubKey 1 3→PubKey 2 6→
…PubKey M 4→
Asset 2 State
PubKey 1 8→PubKey 2 7→
…PubKey L 2→
Asset N State
PubKey 1 3→PubKey 2 7→
…PubKey K 5→
MotivationWhere to store this big state?:● HDD => slow validation => DoS
● RAM => only powerful computers => centralization
Authenticated Dictionaries to the Rescue
Header
Consensus data
TransactionsMerkle tree
Tx_root
Header
Consensus data
TransactionsMerkle tree
Tx_root Tx_proofs_root
Transactionproofs
Our proposal
White, Bill. "A Theory for Lightweight Cryptocurrency Ledgers." (2015).
Proofs: authenticated state● Make state authenticated
● Easy: proof of a sender's balance (standard Merkle tree proof with respect to the root).
● More complicated: ensuring the prover changed the balances correctly.
● Important: we do not wish to trust the prover!
Merkle Root
Asset 1 State
PubKey 1 3→PubKey 2 6→
…PubKey M 4→
Pk1: 3 Pk2: 6 PkN: 4
Proofs: two-party● Proof of a sender balance AND tree changes● Should be enough to calculate new root hash● Verifier keeps root hash only
Root N-1
Pk1: 3
Root N
Pk2Pk1
Pk2: 6 PkN: 4 Pk2: 2 Pk1: 7 PkN: 4
Proofs: two-party● Prover
● Full verifier
● Light verifier
Root N-1
Pk1: 3
Root NTransactions
Pk2: 6 PkN: 4 Pk2: 2 Pk1: 7 PkN: 4
Asset 1 State
Asset 1 StatePubKey 1 3→PubKey 2 6→PubKey N 4→
Transactions
Asset 1 State
Asset 1 StatePubKey 1 2→PubKey 2 7→PubKey N 4→
Txs + proofsRoot N-1 Root N
Prior work
Skiplist1
Lookup proof size 1.5 log2N
Insert proof size 1.5 log2N
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
Ms.s
Prior work
Skiplist1 Red-black tree2
Lookup proof size 1.5 log2N 1.7 log
2N
Insert proof size 1.5 log2N 5 log
2N
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
2)Miller, Hicks, Katz, Shi. "Authenticated data structures, generically." 2014.
Prior work
Skiplist1 Red-black tree2 Ethereum trie3
Lookup proof size 1.5 log2N 1.7 log
2N 3 log
2N
Insert proof size 1.5 log2N 5 log
2N ???
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
2)Miller, Hicks, Katz, Shi. "Authenticated data structures, generically." 2014.3)Wood. "Ethereum: A secure decentralised generalised transaction ledger." 2014.
Our improvements: AVL
Skiplist1 Red-black tree2 Ethereum trie3 Our AVL+ tree
Lookup proof size 1.5 log2N 1.7 log
2N 3 log
2N log
2N
Insert proof size 1.5 log2N 5 log
2N ??? log
2N
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
2)Miller, Hicks, Katz, Shi. "Authenticated data structures, generically." 2014.3)Wood. "Ethereum: A secure decentralised generalised transaction ledger." 2014.
Our improvements: AVL
Skiplist1 Red-black tree2 Ethereum trie3 Our AVL+ tree
Lookup proof size 1.5 log2N 1.7 log
2N 3 log
2N log
2N
Insert proof size 1.5 log2N 5 log
2N ??? log
2N
Deterministic
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
2)Miller, Hicks, Katz, Shi. "Authenticated data structures, generically." 2014.3)Wood. "Ethereum: A secure decentralised generalised transaction ledger." 2014.
Our improvements: AVL
Main ideas:
● AVL tree paths are shorter than skiplist paths● Use deterministic rebalancing operations that
don't look off the main path● For N=106, proof size = 753 bytes
(32-byte hashes, 26-byte keys, 8-byte values)
Our improvements: batching
Root
● Transactions may change same public key● Multiple proofs can be combined together
pk1 pk2 pk3 pk4 pk5 pk6 pk7 pk8
Root
pk1 pk2 pk3 pk4 pk5 pk6 pk7 pk8
Multiple operations proof size● For tree N=106 and batch B=103, compressed
proof size is 400 bytes, plain – 750 bytes
Thank you!
● Paper: http://ia.cr/2016/994 ● Code: https://github.com/input-output-hk/scrypto● Slides: http://www.slideshare.net/DmitryMeshkov● Twitter: https://twitter.com/DmitryMeshkov● Email: [email protected]