Reckle Trees: Updatable Merkle Batch Proofs with Applications

Charalampos Papamanthou; Shravan Srinivasan; Nicolas Gailly; Ismael Hishon-Rezaizadeh; Andrus Salumets; Stjepan Golemac

Paper 2024/493

Reckle Trees: Updatable Merkle Batch Proofs with Applications

Charalampos Papamanthou

, Lagrange Labs, Yale University

Shravan Srinivasan

, Lagrange Labs

Nicolas Gailly

, Lagrange Labs

Ismael Hishon-Rezaizadeh

, Lagrange Labs

Andrus Salumets

, Lagrange Labs

Stjepan Golemac

, Lagrange Labs

Abstract

We propose Reckle trees, a new vector commitment based on succinct RECursive arguments and MerKLE trees. Reckle trees' distinguishing feature is their support for succinct batch proofs that are updatable - enabling new applications in the blockchain setting where a proof needs to be computed and efficiently maintained over a moving stream of blocks. Our technical approach is based on embedding the computation of the batch hash inside the recursive Merkle verification via a hash-based accumulator called canonical hashing. Due to this embedding, our batch proofs can be updated in logarithmic time, whenever a Merkle leaf (belonging to the batch or not) changes, by maintaining a data structure that stores previously-computed recursive proofs. Assuming enough parallelism, our batch proofs are also computable in $O(\log n)$ parallel time - independent of the size of the batch. As a natural extension of Reckle trees, we also introduce Reckle+ trees. Reckle+ trees provide updatable and succinct proofs for certain types of Map/Reduce computations. In this setting, a prover can commit to a memory $\mathsf{M}$ and produce a succinct proof for a Map/Reduce computation over a subset $I$ of $\mathsf{M}$. The proof can be efficiently updated whenever $I$ or $\mathsf{M}$ changes. We present and experimentally evaluate two applications of Reckle+ trees, dynamic digest translation and updatable BLS aggregation. In dynamic digest translation we are maintaining a proof of equivalence between Merkle digests computed with different hash functions, e.g., one with a SNARK-friendly Poseidon and the other with a SNARK-unfriendly Keccak. In updatable BLS aggregation we maintain a proof for the correct aggregation of a $t$-aggregate BLS key, derived from a $t$-subset of a Merkle-committed set of individual BLS keys. Our evaluation using Plonky2 shows that Reckle trees and Reckle+ trees have small memory footprint, significantly outperform previous approaches in terms of updates ($10\times$ to $15\times$) and verification ($4.78\times$ to $1485\times$) time, enable applications that were not possible before due to huge costs involved (Reckle trees are up to 200 times faster), and have similar aggregation performance with previous implementations of batch proofs.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Minor revision. ACM CCS 2024
DOI: 10.1145/3658644.3670354
Keywords: vector commitments proof updates aggregation MapReduce
Contact author(s): shravan @ lagrange dev
History: 2024-10-09: revised; 2024-03-27: received; See all versions
Short URL: https://ia.cr/2024/493
License: CC BY

BibTeX

@misc{cryptoeprint:2024/493,
      author = {Charalampos Papamanthou and Shravan Srinivasan and Nicolas Gailly and Ismael Hishon-Rezaizadeh and Andrus Salumets and Stjepan Golemac},
      title = {Reckle Trees: Updatable Merkle Batch Proofs with Applications},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/493},
      year = {2024},
      doi = {10.1145/3658644.3670354},
      url = {https://eprint.iacr.org/2024/493}
}