Journal of Computer Science and Technology

   

Query Authentication Using Intel SGX for Blockchain Light Clients

Qi-Feng Shao1,2(邵奇峰), Member, CCF, Zhao Zhang1(张召), Member, CCF, Che-Qing Jin1,*(金澈清), Distinguished Member, CCF, and Ao-Ying Zhou1(周傲英), Fellow, CCF   

  1. 1School of Data Science and Engineering, East China Normal University, Shanghai 200062, China
    2School of Software, Zhongyuan University of Technology, Zhengzhou 450007, China

Due to limited computing and storage resources, light clients and full nodes coexist in a typical blockchain system. Any query from light clients must be forwarded to full nodes for execution, and light clients verify the integrity of query results returned. Since existing verifiable queries based on an authenticated data structure (ADS) suffer from significant network, storage and computing overheads by virtue of verification objects (VOs), an alternative way turns to the trusted execution environment (TEE), with which light clients do not need to receive or verify any VO. However, state-of-the-art TEEs cannot deal with large-scale applications conveniently due to the limited secure memory space (e.g., the size of the enclave in Intel SGX (software guard extensions), a typical TEE product, is only 128MB). Hence, we organize data hierarchically in trusted (enclave) and untrusted memory, along with hot data buffered in the enclave to reduce page swapping overhead between two kinds of memory. Cost analysis and empirical study validate the effectiveness of our proposed scheme. The VO size of our scheme is reduced by one to two orders of magnitude compared with that of the traditional scheme.


中文摘要

1、研究背景:目前,区块链轻节点需要根据区块头部中的Merkle根及全节点返回的Merkle分支来验证交易数据,其自身存在以下不足:首先,轻节点需要持续同步并存储最新的区块数据以及与交易相关的Merkle分支,这给轻节点带来了网络和存储开销;其次,轻节点需要依据区块链头部数据和交易的Merkle分支验证交易数据,这给轻节点带来了计算上的开销;最后,其仅仅支持单个交易的查询及存在性验证,并不支持范围查询、连接查询和聚合查询及其查询结果集的完整性验证。
2、目的:现有Merkle-tree应用于区块链可验证查询时,其在传回查询结果时伴随着传回批量的VO。为了验证查询结果,接收且拼接这些VO会增加资源受限的轻节点的网络与计算开销。因此,本文提出基于Intel SGX可信硬件为区块链轻节点提供可验证查询,使得轻节点无需接收和处理任何VO,从而达成零代价的可验证查询。
3、方法:针对当前区块链轻节点因资源受限而无法高效验证全节点查询结果的问题,首次提出基于Intel SGX可信硬件为区块链轻节点提供可信查询服务。针对SGX Enclave空间受限的问题,提出MB-tree与SGX相结合的方案,仅将常用MB-tree结点运行于可信Enclave内。针对传统MB-tree频繁数据更新造成的连锁Hash计算开销问题,利用区块链周期性批量更新数据的特性,在Enclave内构建了基于MB-tree与Skip List的混合索引,通过Skip List缓冲多个新增区块数据,并定期将缓冲排序后的交易数据批量更新至MB-tree,减少了逐项更新MB-tree带来的重复查询及摘要更新开销。
4、结果:针对整合SGX后的MB-tree的查询处理:对于MB-tree点查询,SGX中MB-tree的吞吐量是传统MB-tree的1.6倍左右;对于MB-tree范围查询,SGX中MB-tree的执行时间为传统MB-tree的60%;对于MB-tree修改,其更新时间和摘要计算减少约4倍。
5、结论:基于软件的区块链和基于硬件的SGX都强调数据处理的可信性。因此我们将SGX整合到区块链系统,以增强区块链数据的可验证查询处理,从而使得轻结点无需涉及验证处理。本文基于SGX研究了区块链上可验证的范围查询,连接查询和聚合查询。未来,我们计划将该方法扩展到处理其他查询类型,例如可验证的top-k和滑动窗口查询。


Key words: blockchain, query authentication, MB-tree (Merkle B-tree), Intel SGX (software guard extensions)

;

No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
[1] Zhou Di;. A Recovery Technique for Distributed Communicating Process Systems[J]. , 1986, 1(2): 34 -43 .
[2] Li Wei;. A Structural Operational Semantics for an Edison Like Language(2)[J]. , 1986, 1(2): 42 -53 .
[3] Chen Shihua;. On the Structure of Finite Automata of Which M Is an(Weak)Inverse with Delay τ[J]. , 1986, 1(2): 54 -59 .
[4] Li Wanxue;. Almost Optimal Dynamic 2-3 Trees[J]. , 1986, 1(2): 60 -71 .
[5] Feng Yulin;. Recursive Implementation of VLSI Circuits[J]. , 1986, 1(2): 72 -82 .
[6] C.Y.Chung; H.R.Hwa;. A Chinese Information Processing System[J]. , 1986, 1(2): 15 -24 .
[7] Jin Lan; Yang Yuanyuan;. A Modified Version of Chordal Ring[J]. , 1986, 1(3): 15 -32 .
[8] Wu Enhua;. A Graphics System Distributed across a Local Area Network[J]. , 1986, 1(3): 53 -64 .
[9] Zhang Cui; Zhao Qinping; Xu Jiafu;. Kernel Language KLND[J]. , 1986, 1(3): 65 -79 .
[10] Wang Jianchao; Wei Daozheng;. An Effective Test Generation Algorithm for Combinational Circuits[J]. , 1986, 1(4): 1 -16 .

ISSN 1000-9000(Print)

         1860-4749(Online)
CN 11-2296/TP

Home
Editorial Board
Author Guidelines
Subscription
Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
Tel.:86-10-62610746
E-mail: jcst@ict.ac.cn
 
  Copyright ©2015 JCST, All Rights Reserved