Post by atriiks on Mar 3, 2023 3:09:00 GMT -5
The above relation R will now be used to show that all cases of deletion that we want to take into account can be reduced to proving and verifying in zero knowledge (ZK) the previous class of statements.
The first thing to notice is that if a transaction tr is redacted, the leaf in the Merkle tree representing the transaction tr subject to deletion would have an invalid hash (due to the fact that the illicit content has been replaced by zeros), so a node P that wants to validate the block B containing tr would reject B . Here, it is where the NIZK proof π comes into the play. Every time a full node N has to delete data from a set of transactions T={T1,…,Tl} in a block B , N executes the following steps.
N modifies the set of transactions T generating a new set of transactions T′={T′1,…,T′l} where all data to be redacted in each transaction in T are substituted with zeroes.
N replaces T with T′ in B .
For each redacted transaction T′i , i∈{1,…,l} , in T′ , N generates a proof πi for the previous statement Ti . We remark that the replacement occurs only in allowed positions, that is in places where redaction is not harmful. Indeed the indexes of modified bytes are public, therefore anyone can check that these bytes are either data stored in an OP_RETURN opcode or data stored in a scriptSig of a coinbase transaction.
N deletes the redacted contents from her local Bitcoin blockchain.
Every time someone requests B to N , N will send the blockchain containing T′ together with the generated proofs {π1,…,πl} and the statements for the proofs.
By means of {π1,…,πl} , P can check that B , identified by a Merkle Root, is consistent with some set T′ of transactions that is identical to the set T in B except for some substrings (recall that the indices in which the substrings yi ’s occur and their lengths are public). P runs Verify on input the public statement that depends only from X1,…,Xn+1 , h and the indices and the lengths of the deleted substrings (but does not need the actual deleted strings that are the witness known only to the prover). If the Verify procedure accepts the proof for each redacted transaction in each block, then P can assume that the downloaded blockchain is consistent and can be used. Let us analyze the cases in which the redaction can be performed.
The first thing to notice is that if a transaction tr is redacted, the leaf in the Merkle tree representing the transaction tr subject to deletion would have an invalid hash (due to the fact that the illicit content has been replaced by zeros), so a node P that wants to validate the block B containing tr would reject B . Here, it is where the NIZK proof π comes into the play. Every time a full node N has to delete data from a set of transactions T={T1,…,Tl} in a block B , N executes the following steps.
N modifies the set of transactions T generating a new set of transactions T′={T′1,…,T′l} where all data to be redacted in each transaction in T are substituted with zeroes.
N replaces T with T′ in B .
For each redacted transaction T′i , i∈{1,…,l} , in T′ , N generates a proof πi for the previous statement Ti . We remark that the replacement occurs only in allowed positions, that is in places where redaction is not harmful. Indeed the indexes of modified bytes are public, therefore anyone can check that these bytes are either data stored in an OP_RETURN opcode or data stored in a scriptSig of a coinbase transaction.
N deletes the redacted contents from her local Bitcoin blockchain.
Every time someone requests B to N , N will send the blockchain containing T′ together with the generated proofs {π1,…,πl} and the statements for the proofs.
By means of {π1,…,πl} , P can check that B , identified by a Merkle Root, is consistent with some set T′ of transactions that is identical to the set T in B except for some substrings (recall that the indices in which the substrings yi ’s occur and their lengths are public). P runs Verify on input the public statement that depends only from X1,…,Xn+1 , h and the indices and the lengths of the deleted substrings (but does not need the actual deleted strings that are the witness known only to the prover). If the Verify procedure accepts the proof for each redacted transaction in each block, then P can assume that the downloaded blockchain is consistent and can be used. Let us analyze the cases in which the redaction can be performed.