Commitment accumulator¶
All resource commitments are stored in an append-only data structure called a commitment accumulator. Every time a resource is created, its commitment is added to the commitment accumulator. The resource commitment accumulator is external to the resource machine, but the resource machine can read from it. A commitment accumulator is a cryptographic accumulator that allows to prove membership for elements accumulated in it, provided a witness and the accumulated value.
Each time a commitment is added to the accumulator, the accumulator and all witnesses of the already accumulated commitments are updated. For a commitment that existed in the accumulator before a new one was added, both the old witness and the new witness (with the corresponding accumulated value parameter) can be used to prove membership. However, the older the witness (and, consequently, the accumulator) that is used in the proof, the more information about the resource it reveals (an older accumulator gives more concrete boundaries on the resource's creation time). For that reason, it is recommended to use fresher parameters when proving membership.
Accumulator functionality¶
The commitment accumulator has type Accumulator
and is parametrised over the types Witness
,CommitmentIdentifier
, and AccumulatedValue
. The commitment accumulator interface must support the following functionality:
add(Accumulator, CommitmentIdentifier) -> Witness
adds an element to the accumulator, returning the witness used to prove membership.witness(Accumulator, CommitmentIdentifier) -> Maybe Witness
for a given element, returns the witness used to prove membership if the element is present, otherwise returns nothing.verify(CommitmentIdentifier, Witness, AccumulatedValue) -> Bool
verifies the membership proof for a commitment identified withCommitmentIdentifier
element with a membership witnesswitness
for the accumulated valuevalue
.value(Accumulator) -> AccumulatedValue
returns the accumulator value.
Merkle tree¶
Currently, the commitment accumulator is assumed to be a Merkle tree CMTree
of depth \(depth_{CMtree}\), where the leaves contain the resource commitments and the intermediate nodes' values are of type MerkleTreeNodeHash
.
Note
The type MerkleTreeNodeHash
of the CMTree
nodes and the type of the leafs Commitment
are distinct types.
Interface¶
For a Merkle tree:
CommitmentIdentifier
type corresponds to the identifier of the resource commitment used to locate the commitment's position in the treeWitness
element is a path to the stored commitmentAccumulatedValue
corresponds to the Merkle tree root
and the functions:
add
adds the resource commitment to the tree, returning the path to the commitmentwitness
finds the resource commitment in the tree and returns the path to itverify
uses the resource commitment and the path to reconstruct the root. ReturnsTrue
if the constructed value is equal to the provided valuevalue
returns the tree root
Todo
shielded notes: To support the systems with stronger privacy requirements, the witness for such a proof must be a private input when proving membership.