Skip to content

Commit b2ef820

Browse files
committed
add non-inclusion for proof of correct operation
1 parent d996ad3 commit b2ef820

File tree

4 files changed

+34
-11
lines changed

4 files changed

+34
-11
lines changed

doc/book/insert-update-proofs.html

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -209,15 +209,22 @@ <h2 id="proof-of-update"><a class="header" href="#proof-of-update">Proof-of-Upda
209209
<p>The value of the leaf of the Merkle tree changes, but the index of the leaf remains the same, because it depends on the identifier (the e-mail address). We know that when the input to a hash function changes, the output also changes. Since the "value" field is part of the input of the hash of the leaf, the hash of the leaf changes accordingly.
210210
To proof the update, it is sufficient if we consider the old root (the cryptographic commitment) and perform a proof-of-membership before the value was updated, with the "old" leaf, so to say. The verification of the proof then involves performing a proof-of-membership of the leaf with the updated value and using this to calculate the new root and compare it with the current root.</p>
211211
<p>In Jellyfish Merkle trees, a new version of the tree is created with each update, enabling efficient history recording while maintaining the integrity of previous states. This versioning system ensures that updates can be tracked and verified across different states of the tree and also allows reuse of unmodified parts, which helps to increase efficiency. Accordingly, when updates are made, all nodes along the updated path are given a higher version, so the verifier needs to know which version to check the update against.</p>
212-
<h2 id="insert-proofs"><a class="header" href="#insert-proofs">Insert Proofs</a></h2>
213-
<p>The insertion proof consists</p>
212+
<h2 id="proof-of-insert"><a class="header" href="#proof-of-insert">Proof-of-Insert</a></h2>
214213
<h3 id="why-uniqueness-matters"><a class="header" href="#why-uniqueness-matters">Why uniqueness matters</a></h3>
215214
<blockquote>
216215
<p>Non-membership queries are important [...] as well; otherwise, the service's dictionary might contain more than one tuple for the <a href="mailto:bob@dom.org">bob@dom.org</a> label, allowing the service to show different tuples to different clients. [...] Alice can safely encrypt sensitive data using the public key the service returns for Bob.</p>
217216
</blockquote>
218217
<p>We briefly recall what the unique identifier means and why this is important. The email addresses in Prism act as unique identifiers and in order for the service to behave correctly, it must be ensured that no email address can be inserted twice. We imagine scenarios including when the Id <a href="mailto:bob@dom.org">bob@dom.org</a> appears twice or more in the dictionary:
219218
Bob adds multiple keys and also revokes some of those keys. If there are several entries for <a href="mailto:bob@dom.org">bob@dom.org</a>, scenarios are conceivable in which Bob adds a key to his first entry '<a href="mailto:bob@dom.org">bob@dom.org</a>' and later has to revoke it because the corresponding private key was stolen by Oskar. Now it could happen that the revoke operation is entered in the hashchain of the second entry '<a href="mailto:bob@dom.org">bob@dom.org</a>', in which the add operation of this key doesn't occur. Now when Alice goes through the operations in the first entry '<a href="mailto:bob@dom.org">bob@dom.org</a>', she will find that the stolen key has not been revoked and she thinks that she can perform encryption with this key. Since a requirement of Verdict is that we rule out these scenarios (as best we can), accordingly we need to make use of Proofs-of-Non-Membership for this.</p>
220-
<p>TODO: uniqueness still matters but should it be discussed somewhere here?</p>
219+
<h3 id="proof-of-correct-insert-operation"><a class="header" href="#proof-of-correct-insert-operation">Proof of correct insert operation</a></h3>
220+
<p>Insertion proofs consist of the inserted key, a non-membership proof of the node in the current tree, a membership proof of the new node in the JMT, and the updated merkle root.</p>
221+
<p>The non-inclusion proof has two variants for different cases:</p>
222+
<ol>
223+
<li>A leaf exists where the missing leaf <em>should</em> be, sharing a prefix with the key (recall that the path to the leaf is determined by the key bytes, and paths get compressed for effeciency)</li>
224+
<li>The node key leads to an empty subtree</li>
225+
</ol>
226+
<p>After finding the position the new node should be inserted into, it is inserted and a membership proof is created.</p>
227+
<p>Verification of update proofs is pretty self explanatory -- The non-inclusion proof is verified against the current state root, then the insertion is carried out locally to test that the membership proof leads to the same new root.</p>
221228

222229
</main>
223230

doc/book/print.html

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -379,15 +379,22 @@ <h2 id="proof-of-update"><a class="header" href="#proof-of-update">Proof-of-Upda
379379
<p>The value of the leaf of the Merkle tree changes, but the index of the leaf remains the same, because it depends on the identifier (the e-mail address). We know that when the input to a hash function changes, the output also changes. Since the "value" field is part of the input of the hash of the leaf, the hash of the leaf changes accordingly.
380380
To proof the update, it is sufficient if we consider the old root (the cryptographic commitment) and perform a proof-of-membership before the value was updated, with the "old" leaf, so to say. The verification of the proof then involves performing a proof-of-membership of the leaf with the updated value and using this to calculate the new root and compare it with the current root.</p>
381381
<p>In Jellyfish Merkle trees, a new version of the tree is created with each update, enabling efficient history recording while maintaining the integrity of previous states. This versioning system ensures that updates can be tracked and verified across different states of the tree and also allows reuse of unmodified parts, which helps to increase efficiency. Accordingly, when updates are made, all nodes along the updated path are given a higher version, so the verifier needs to know which version to check the update against.</p>
382-
<h2 id="insert-proofs"><a class="header" href="#insert-proofs">Insert Proofs</a></h2>
383-
<p>The insertion proof consists</p>
382+
<h2 id="proof-of-insert"><a class="header" href="#proof-of-insert">Proof-of-Insert</a></h2>
384383
<h3 id="why-uniqueness-matters"><a class="header" href="#why-uniqueness-matters">Why uniqueness matters</a></h3>
385384
<blockquote>
386385
<p>Non-membership queries are important [...] as well; otherwise, the service's dictionary might contain more than one tuple for the <a href="mailto:bob@dom.org">bob@dom.org</a> label, allowing the service to show different tuples to different clients. [...] Alice can safely encrypt sensitive data using the public key the service returns for Bob.</p>
387386
</blockquote>
388387
<p>We briefly recall what the unique identifier means and why this is important. The email addresses in Prism act as unique identifiers and in order for the service to behave correctly, it must be ensured that no email address can be inserted twice. We imagine scenarios including when the Id <a href="mailto:bob@dom.org">bob@dom.org</a> appears twice or more in the dictionary:
389388
Bob adds multiple keys and also revokes some of those keys. If there are several entries for <a href="mailto:bob@dom.org">bob@dom.org</a>, scenarios are conceivable in which Bob adds a key to his first entry '<a href="mailto:bob@dom.org">bob@dom.org</a>' and later has to revoke it because the corresponding private key was stolen by Oskar. Now it could happen that the revoke operation is entered in the hashchain of the second entry '<a href="mailto:bob@dom.org">bob@dom.org</a>', in which the add operation of this key doesn't occur. Now when Alice goes through the operations in the first entry '<a href="mailto:bob@dom.org">bob@dom.org</a>', she will find that the stolen key has not been revoked and she thinks that she can perform encryption with this key. Since a requirement of Verdict is that we rule out these scenarios (as best we can), accordingly we need to make use of Proofs-of-Non-Membership for this.</p>
390-
<p>TODO: uniqueness still matters but should it be discussed somewhere here?</p>
389+
<h3 id="proof-of-correct-insert-operation"><a class="header" href="#proof-of-correct-insert-operation">Proof of correct insert operation</a></h3>
390+
<p>Insertion proofs consist of the inserted key, a non-membership proof of the node in the current tree, a membership proof of the new node in the JMT, and the updated merkle root.</p>
391+
<p>The non-inclusion proof has two variants for different cases:</p>
392+
<ol>
393+
<li>A leaf exists where the missing leaf <em>should</em> be, sharing a prefix with the key (recall that the path to the leaf is determined by the key bytes, and paths get compressed for effeciency)</li>
394+
<li>The node key leads to an empty subtree</li>
395+
</ol>
396+
<p>After finding the position the new node should be inserted into, it is inserted and a membership proof is created.</p>
397+
<p>Verification of update proofs is pretty self explanatory -- The non-inclusion proof is verified against the current state root, then the insertion is carried out locally to test that the membership proof leads to the same new root.</p>
391398
<div style="break-before: page; page-break-before: always;"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.16.4/dist/katex.min.css">
392399
<h1 id="jellyfish-merkle-proofs"><a class="header" href="#jellyfish-merkle-proofs">Jellyfish Merkle Proofs</a></h1>
393400
<p>Jellyfish Merkle Trees (JMT) are designed to support efficient membership and non-membership proofs, similar to Indexed Merkle Trees from Verdict. However, the proof format and verification process are optimized for better performance and smaller proof sizes.</p>

doc/book/searchindex.js

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

doc/src/insert-update-proofs.md

Lines changed: 13 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -43,9 +43,7 @@ To proof the update, it is sufficient if we consider the old root (the cryptogra
4343

4444
In Jellyfish Merkle trees, a new version of the tree is created with each update, enabling efficient history recording while maintaining the integrity of previous states. This versioning system ensures that updates can be tracked and verified across different states of the tree and also allows reuse of unmodified parts, which helps to increase efficiency. Accordingly, when updates are made, all nodes along the updated path are given a higher version, so the verifier needs to know which version to check the update against.
4545

46-
## Insert Proofs
47-
48-
The insertion proof consists
46+
## Proof-of-Insert
4947

5048
### Why uniqueness matters
5149

@@ -54,4 +52,15 @@ The insertion proof consists
5452
We briefly recall what the unique identifier means and why this is important. The email addresses in Prism act as unique identifiers and in order for the service to behave correctly, it must be ensured that no email address can be inserted twice. We imagine scenarios including when the Id <bob@dom.org> appears twice or more in the dictionary:
5553
Bob adds multiple keys and also revokes some of those keys. If there are several entries for <bob@dom.org>, scenarios are conceivable in which Bob adds a key to his first entry '<bob@dom.org>' and later has to revoke it because the corresponding private key was stolen by Oskar. Now it could happen that the revoke operation is entered in the hashchain of the second entry '<bob@dom.org>', in which the add operation of this key doesn't occur. Now when Alice goes through the operations in the first entry '<bob@dom.org>', she will find that the stolen key has not been revoked and she thinks that she can perform encryption with this key. Since a requirement of Verdict is that we rule out these scenarios (as best we can), accordingly we need to make use of Proofs-of-Non-Membership for this.
5654

57-
TODO: uniqueness still matters but should it be discussed somewhere here?
55+
### Proof of correct insert operation
56+
57+
Insertion proofs consist of the inserted key, a non-membership proof of the node in the current tree, a membership proof of the new node in the JMT, and the updated merkle root.
58+
59+
The non-inclusion proof has two variants for different cases:
60+
61+
1. A leaf exists where the missing leaf *should* be, sharing a prefix with the key (recall that the path to the leaf is determined by the key bytes, and paths get compressed for effeciency)
62+
2. The node key leads to an empty subtree
63+
64+
After finding the position the new node should be inserted into, it is inserted and a membership proof is created.
65+
66+
Verification of update proofs is pretty self explanatory -- The non-inclusion proof is verified against the current state root, then the insertion is carried out locally to test that the membership proof leads to the same new root.

0 commit comments

Comments
 (0)