You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<p>The value of the leaf of the Merkle tree changes, but the index of the leaf remains the same, because it depends on the identifier (the e-mail address). We know that when the input to a hash function changes, the output also changes. Since the "value" field is part of the input of the hash of the leaf, the hash of the leaf changes accordingly.
210
210
To proof the update, it is sufficient if we consider the old root (the cryptographic commitment) and perform a proof-of-membership before the value was updated, with the "old" leaf, so to say. The verification of the proof then involves performing a proof-of-membership of the leaf with the updated value and using this to calculate the new root and compare it with the current root.</p>
211
211
<p>In Jellyfish Merkle trees, a new version of the tree is created with each update, enabling efficient history recording while maintaining the integrity of previous states. This versioning system ensures that updates can be tracked and verified across different states of the tree and also allows reuse of unmodified parts, which helps to increase efficiency. Accordingly, when updates are made, all nodes along the updated path are given a higher version, so the verifier needs to know which version to check the update against.</p>
<p>Non-membership queries are important [...] as well; otherwise, the service's dictionary might contain more than one tuple for the <ahref="mailto:bob@dom.org">bob@dom.org</a> label, allowing the service to show different tuples to different clients. [...] Alice can safely encrypt sensitive data using the public key the service returns for Bob.</p>
217
216
</blockquote>
218
217
<p>We briefly recall what the unique identifier means and why this is important. The email addresses in Prism act as unique identifiers and in order for the service to behave correctly, it must be ensured that no email address can be inserted twice. We imagine scenarios including when the Id <ahref="mailto:bob@dom.org">bob@dom.org</a> appears twice or more in the dictionary:
219
218
Bob adds multiple keys and also revokes some of those keys. If there are several entries for <ahref="mailto:bob@dom.org">bob@dom.org</a>, scenarios are conceivable in which Bob adds a key to his first entry '<ahref="mailto:bob@dom.org">bob@dom.org</a>' and later has to revoke it because the corresponding private key was stolen by Oskar. Now it could happen that the revoke operation is entered in the hashchain of the second entry '<ahref="mailto:bob@dom.org">bob@dom.org</a>', in which the add operation of this key doesn't occur. Now when Alice goes through the operations in the first entry '<ahref="mailto:bob@dom.org">bob@dom.org</a>', she will find that the stolen key has not been revoked and she thinks that she can perform encryption with this key. Since a requirement of Verdict is that we rule out these scenarios (as best we can), accordingly we need to make use of Proofs-of-Non-Membership for this.</p>
220
-
<p>TODO: uniqueness still matters but should it be discussed somewhere here?</p>
219
+
<h3id="proof-of-correct-insert-operation"><aclass="header" href="#proof-of-correct-insert-operation">Proof of correct insert operation</a></h3>
220
+
<p>Insertion proofs consist of the inserted key, a non-membership proof of the node in the current tree, a membership proof of the new node in the JMT, and the updated merkle root.</p>
221
+
<p>The non-inclusion proof has two variants for different cases:</p>
222
+
<ol>
223
+
<li>A leaf exists where the missing leaf <em>should</em> be, sharing a prefix with the key (recall that the path to the leaf is determined by the key bytes, and paths get compressed for effeciency)</li>
224
+
<li>The node key leads to an empty subtree</li>
225
+
</ol>
226
+
<p>After finding the position the new node should be inserted into, it is inserted and a membership proof is created.</p>
227
+
<p>Verification of update proofs is pretty self explanatory -- The non-inclusion proof is verified against the current state root, then the insertion is carried out locally to test that the membership proof leads to the same new root.</p>
<p>The value of the leaf of the Merkle tree changes, but the index of the leaf remains the same, because it depends on the identifier (the e-mail address). We know that when the input to a hash function changes, the output also changes. Since the "value" field is part of the input of the hash of the leaf, the hash of the leaf changes accordingly.
380
380
To proof the update, it is sufficient if we consider the old root (the cryptographic commitment) and perform a proof-of-membership before the value was updated, with the "old" leaf, so to say. The verification of the proof then involves performing a proof-of-membership of the leaf with the updated value and using this to calculate the new root and compare it with the current root.</p>
381
381
<p>In Jellyfish Merkle trees, a new version of the tree is created with each update, enabling efficient history recording while maintaining the integrity of previous states. This versioning system ensures that updates can be tracked and verified across different states of the tree and also allows reuse of unmodified parts, which helps to increase efficiency. Accordingly, when updates are made, all nodes along the updated path are given a higher version, so the verifier needs to know which version to check the update against.</p>
<p>Non-membership queries are important [...] as well; otherwise, the service's dictionary might contain more than one tuple for the <ahref="mailto:bob@dom.org">bob@dom.org</a> label, allowing the service to show different tuples to different clients. [...] Alice can safely encrypt sensitive data using the public key the service returns for Bob.</p>
387
386
</blockquote>
388
387
<p>We briefly recall what the unique identifier means and why this is important. The email addresses in Prism act as unique identifiers and in order for the service to behave correctly, it must be ensured that no email address can be inserted twice. We imagine scenarios including when the Id <ahref="mailto:bob@dom.org">bob@dom.org</a> appears twice or more in the dictionary:
389
388
Bob adds multiple keys and also revokes some of those keys. If there are several entries for <ahref="mailto:bob@dom.org">bob@dom.org</a>, scenarios are conceivable in which Bob adds a key to his first entry '<ahref="mailto:bob@dom.org">bob@dom.org</a>' and later has to revoke it because the corresponding private key was stolen by Oskar. Now it could happen that the revoke operation is entered in the hashchain of the second entry '<ahref="mailto:bob@dom.org">bob@dom.org</a>', in which the add operation of this key doesn't occur. Now when Alice goes through the operations in the first entry '<ahref="mailto:bob@dom.org">bob@dom.org</a>', she will find that the stolen key has not been revoked and she thinks that she can perform encryption with this key. Since a requirement of Verdict is that we rule out these scenarios (as best we can), accordingly we need to make use of Proofs-of-Non-Membership for this.</p>
390
-
<p>TODO: uniqueness still matters but should it be discussed somewhere here?</p>
389
+
<h3id="proof-of-correct-insert-operation"><aclass="header" href="#proof-of-correct-insert-operation">Proof of correct insert operation</a></h3>
390
+
<p>Insertion proofs consist of the inserted key, a non-membership proof of the node in the current tree, a membership proof of the new node in the JMT, and the updated merkle root.</p>
391
+
<p>The non-inclusion proof has two variants for different cases:</p>
392
+
<ol>
393
+
<li>A leaf exists where the missing leaf <em>should</em> be, sharing a prefix with the key (recall that the path to the leaf is determined by the key bytes, and paths get compressed for effeciency)</li>
394
+
<li>The node key leads to an empty subtree</li>
395
+
</ol>
396
+
<p>After finding the position the new node should be inserted into, it is inserted and a membership proof is created.</p>
397
+
<p>Verification of update proofs is pretty self explanatory -- The non-inclusion proof is verified against the current state root, then the insertion is carried out locally to test that the membership proof leads to the same new root.</p>
<p>Jellyfish Merkle Trees (JMT) are designed to support efficient membership and non-membership proofs, similar to Indexed Merkle Trees from Verdict. However, the proof format and verification process are optimized for better performance and smaller proof sizes.</p>
Copy file name to clipboardExpand all lines: doc/src/insert-update-proofs.md
+13-4Lines changed: 13 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -43,9 +43,7 @@ To proof the update, it is sufficient if we consider the old root (the cryptogra
43
43
44
44
In Jellyfish Merkle trees, a new version of the tree is created with each update, enabling efficient history recording while maintaining the integrity of previous states. This versioning system ensures that updates can be tracked and verified across different states of the tree and also allows reuse of unmodified parts, which helps to increase efficiency. Accordingly, when updates are made, all nodes along the updated path are given a higher version, so the verifier needs to know which version to check the update against.
45
45
46
-
## Insert Proofs
47
-
48
-
The insertion proof consists
46
+
## Proof-of-Insert
49
47
50
48
### Why uniqueness matters
51
49
@@ -54,4 +52,15 @@ The insertion proof consists
54
52
We briefly recall what the unique identifier means and why this is important. The email addresses in Prism act as unique identifiers and in order for the service to behave correctly, it must be ensured that no email address can be inserted twice. We imagine scenarios including when the Id <bob@dom.org> appears twice or more in the dictionary:
55
53
Bob adds multiple keys and also revokes some of those keys. If there are several entries for <bob@dom.org>, scenarios are conceivable in which Bob adds a key to his first entry '<bob@dom.org>' and later has to revoke it because the corresponding private key was stolen by Oskar. Now it could happen that the revoke operation is entered in the hashchain of the second entry '<bob@dom.org>', in which the add operation of this key doesn't occur. Now when Alice goes through the operations in the first entry '<bob@dom.org>', she will find that the stolen key has not been revoked and she thinks that she can perform encryption with this key. Since a requirement of Verdict is that we rule out these scenarios (as best we can), accordingly we need to make use of Proofs-of-Non-Membership for this.
56
54
57
-
TODO: uniqueness still matters but should it be discussed somewhere here?
55
+
### Proof of correct insert operation
56
+
57
+
Insertion proofs consist of the inserted key, a non-membership proof of the node in the current tree, a membership proof of the new node in the JMT, and the updated merkle root.
58
+
59
+
The non-inclusion proof has two variants for different cases:
60
+
61
+
1. A leaf exists where the missing leaf *should* be, sharing a prefix with the key (recall that the path to the leaf is determined by the key bytes, and paths get compressed for effeciency)
62
+
2. The node key leads to an empty subtree
63
+
64
+
After finding the position the new node should be inserted into, it is inserted and a membership proof is created.
65
+
66
+
Verification of update proofs is pretty self explanatory -- The non-inclusion proof is verified against the current state root, then the insertion is carried out locally to test that the membership proof leads to the same new root.
0 commit comments