Closed achamayou closed 2 years ago
TxDigest := Digest(Digest(Write Set), Digest(User claims), Digest(Commit Evidence))
Commit Secret:= HMAC(Ledger Secret[TxID], TxID)
Commit Evidence:="ce:{TxID}:{Commit Secret}", eg. ce:2.57:06fef62c80b6471c7005c1b114166fd1b0e077845f5ad544ad4eea4fb1d31f78
Commit receipts
Terminology: Execution Receipt vs Commit Receipt
Commit Receipt := Execution Receipt + Evidence of Commit
How can a user trust a receipt is for a committed state?
1. The receipt or its constituent parts are only ever produced, or released out of the enclave after commit happens
The contents of the signature Tx stay in enclave until commit?
No
The contents of the signature tx are temporarily encrypted when written out, and decrypted and re-written in place on commit.
No
2. The receipt contains an additional piece of evidence, produced or released after commit happens.
- A later signature
TxID <- Sig1 = Sig([..TxID..]) <- Sig2([commit >= Sig1])
No
TxID <- Sig(commit >= TxID)
? Doesn't bound commit latency. Lose provenance. Also No- Another signature
Sig(commit >= TxID)
, not in the ledger: expensive, cache (efficient via view history for old values)? Stable across catastrophic recoveries.Can work, but expensive
- A Nonce/Secret
Cheap to produce, include digest in receipt (committment), release in the fullness of time on commit.
Note: ledger alone doesn't tell you what's committed. Need a receipt (or a snapshot). Doesn't seem like a big problem, if service is live, can ask for receipt. If not, members decide, persistence is meaningless and provenance can still be checked.
If
Digest(Nonce)
in ledger, then:Else:
Seems best, simple and low overhead
What goes in the nonce?
Commit Nonce/Secret := HMAC(Ledger Secret[TxID], TxID)
Granular, unique per-Tx.
Commit Nonce/Secret := HMAC(Ledger Secret[TxID@Previous signature], TxID@Previous signature)
Same nonce for all transactions between
Sig
andnext(Sig)
=> fewer nonces if we decide to store them.But more difficult for a node to derive the nonce, must find signature that immediately precedes transaction. Unless we tag each Tx with the TxID of the previous signature. Or tag the TxID in the next signature, but then there's no provenance.
Intuition of difficulties around rekey, but no obvious counter-example.
Can the nonce go in the ledger?
To make sure the ledger alone is enough to produce commit receipts (assuming transparent user claims!), we could store the nonces in either their own transaction, or a signature, from time to time.
It must not be a signature, signatures can only contain a signature!
If we store the nonces, having them per signature rather than per transaction may be attractive.
But storing the nonces in a separate Tx generates a constant stream of transactions, the "Treadmill problem".
If we batch, we must batch per signature because:
TxID in receipt
How can a user trust a receipt is for a specific TxID?
Preferred direction summary
Top-level
Commit evidence
Easy to derive, requires no storage.