Date post: | 12-Apr-2017 |
Category: |
Science |
Upload: | dmitry-meshkov |
View: | 2 times |
Download: | 0 times |
Improving Authenticated Dynamic Dictionaries,with Applications to Cryptocurrencies
Leonid Reyzin1, Dmitry Meshkov2, Alexander Chepurnoy3, Sasha Ivanov4
1.Boston University, http://www.cs.bu.edu/faculty/reyzinResearch supported by the Waves platform, wavesplatform.com
2. IOHK Research, [email protected] 3. IOHK Research, [email protected] platform, [email protected]
Motivation: validating transactionsPKA PKD 14
Stateless validation: Check syntax, signature of PKA, etc.
Stateful validation: Check that PKA has 14 (+ fee)
All required info is in the transaction itself
Requires knowing how much PKA has based on prior transactions
Large (and growing!) dictionary data structure. Currently in Bitcoin: 1.5GB (serialized).Even worse in multiasset blockchains: one per asset.
PKA 36PKB 684
PKD 13PKC 2
PKE 347PKF 98
PKH 54PKG 50
PKI 12PKJ 285
PKL 3PKK 463
PKM 12PKN 76
PKP 88PKO 3
…
Miners should validate transactions efficiently. They can:1.Keep State in RAM => Mining centralization2.Do not keep State => SPV mining
Motivation: big state problems
Problems for users:● Can’t validate blocks on low-end hardware● Long validation on commodity hardware
=>● Users move to centralized services
Motivation: big state problems
Header
Consensus data
TransactionsMerkle tree
Tx_root
Header
Consensus data
TransactionsMerkle tree
Tx_root Tx_proofs_root
Transactionproofs
Our proposal
Idea [early versions in Miller ‘12, Ethereum/Wood ‘14, White ‘15]: Use authenticated data structures (root in block header) and include a proof of sender’s balance with each transaction.
Authenticated Dictionaries to the Rescue
● Make state authenticated
● Easy: proof of a sender's balance (standard Merkle tree proof with respect to the root).
● More complicated: ensuring the prover changed the balances correctly.
● Important: we do not wish to trust the prover!
Merkle Root
PKA: 36 PK
B: 384 PK
D: 13
PKA 36PKB 684
PKD 13PKC 2
…
Proofs: authenticated state
● Prover
● Light verifier
Proofs verify balances and calculate new root hash
Root N-1
PKA 36
Root N
Transactions
PKB 684 PKD 13 PKA 22 PKB 684 PKD 27
Txs + proofsRoot N-1 Root N
proofs
Blockchain parties
Skiplist1
Lookup proof size 1.5 H log2N
Insert proof size 1.5 H log2N
Deterministic
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
N = # of PKsH = length of hash
Prior work
Skiplist1 Red-black tree2
Lookup proof size 1.5 H log2N (H + K) log
2N
Insert proof size 1.5 H log2N 3 (H + K) log
2N
Deterministic
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
2)Miller, Hicks, Katz, Shi. "Authenticated data structures, generically." 2014.
N = # of PKsH = length of hashK = length of PK
Prior work
Skiplist1 Red-black tree2 Our AVL+ tree
Lookup proof size 1.5 H log2N (H + K) log
2N H log
2N
Insert proof size 1.5 H log2N 3 (H + K) log
2N H log
2N
Deterministic
1) Papamanthou and Tamassia. "Time and space efficient algorithms for two-party authenticated data structures." 2007.
2)Miller, Hicks, Katz, Shi. "Authenticated data structures, generically." 2014.
N = # of PKsH = length of hashK = length of PK
Our improvements: AVL
● For N=106, AVL+ proof size 765 bytes (32-byte hashes, 32-byte keys, 8-byte values)
Single operation proof size
Root
● There are a lot of transactions in block● Transactions may change same public key● Multiple proofs can be combined together
PKA 36 PKB 684 PKD 13PKC 2 PKE 347 PKF 98 PKH 54PKG 50
hash hash hash hash
hashhash
14 PKDPKA
Our improvements: batching
Root
● Proofs can contain same hashes
14 PKDPKA
PKB 684 PKD 13PKC 2 PKE 347 PKF 98 PKH 54PKG 50
hash hash hash hash
hashhash
PKA 36
Our improvements: batching
Root
● Some hashes from one proof may be calculated from other proofs
14 PKDPKA
PKA 36 PKB 684 PKD 13PKC 2 PKE 347 PKF 98 PKH 54PKG 50
hash hash hash hash
hashhash
Our improvements: batching
● For tree N=106 and batch B=103, compressed proof size is 400 bytes, plain 765 bytes
Multiple operations proof size
Conclusion
Authenticated data structures enable:● Verification on low-end hardware● Mining on commodity hardware
● Paper: https://ia.cr/2016/994 ● Code: https://github.com/input-output-hk/scrypto● Coming on: https://wavesplatform.com● Slides: https://www.slideshare.net/DmitryMeshkov● Twitter: https://twitter.com/DmitryMeshkov● Email: [email protected]
Thank you!