SST：Aztec的Shared State Trees

1 Introduction

The Aztec team released the SST (Shared State Trees) data structure it designed in November. For specific documents, see:

https://github.com/LHerskind/RandomRamblings/blob/main/SST.pdf

And used Noir to make a censorable token access control example:

https://github.com/AztecProtocol/aztec-packages/blob/master/yarn-project/noir-contracts/src/contracts/token_blacklist_contract/src/main.nr（Noir语言）
- Currently using Merkle tree to commit
- In the future, consider using other on-chain polynomial commitment schemes to further reduce storage requirements, such ashttps://github.com/geometryresearch/semacaulk (Solidity+Rust). Semacaulk is a customized set membership proof Prover and Verifier that uses on-chain polynomial commitment to support cheap insertion, and the verification overhead is equivalent to verifying a single Groth16 proof.

SST (Shared State Trees) data structure supports:

Access state information in the private execution context to implement private state management.
Access state information in the public execution context to implement public state management.

SST’s shared access mechanism is particularly useful in the following scenarios:

1) Address registration: Supports contracts to interact with other contracts, making it easier to obtain address storage accessible in public execution and private execution.
2) Invariant value: specific constant value, such as a specific contract address. Benefit from being stored in a single, immutable location, providing consistency in both public and private scenarios.
3) Access control: manages permissions within the contract. For example, the token contract owner can mint new tokens, which is more efficient when shared between public execution and private execution.

2. single layer SST

contract specific SST is:
Insert image description here
where:

$\mathcal{C}_m$ is: for a specific contract $m$ 的一组values $V_{m,j}\forall j$ . [Currently using Merkle tree for commit. In the future, consider using other on-chain polynomial commitment schemes to further reduce storage requirements, such ashttps://github.com/geometryresearch/semacaulk (Solidity+Rust) . Semacaulk is a customized set membership proof Prover and Verifier that uses on-chain polynomial commitment to support cheap insertion, and the verification overhead is equivalent to verifying a single Groth16 proof. 】

Read a value from single layer SST:

Public reading: direct reading $V_{m,j}$ 。
private reading: that is, providing $V_{m,j}\in \mathcal{C}_m$ 的membership proof。

更新single layer SST中某value $V_{m,j}$ 为 $V_{m,j}'$ , need to be divided into 2 steps:

1) Confirmation $V_{m,j}\in \mathcal{C}_m$ , that is, the current value $V_{m,j}$ in state.
2）当 $V_{m,j}$ replaced with $V_{m,j}'$ After that, calculate the new commitment value $\mathcal{C}_m'$ 。

That is, every time the single layer SST is updated, the value needs to be updated $V_{m,j}$ The value itself, and the committed value of the single layer SST $\mathcal{C}_m$ . This approach has the following problems:

1) Contract leakage: When searching for a contract specific SST, which contract is being searched will be leaked.
2) Invalidate the previous membership proof. When two people update the value of the same contract at the same time, the first one to complete will invalidate the second one's proof.

3. Multilayer SST

In order to solve the problem of contract leakage, an additional layer is introduced, built as Multilayer SST:
Insert image description here
Read a certain value from Multilayer SST:

Public reading: direct reading $V_{i,j}$ 。
Private reading: Immediately available $V_{i,j}\in \mathcal{C}_i$ and $\mathcal{C}_i\in \mathcal{C}$ 的membership proof。

更新Multilayer SST中某value $V_{i,j}$ 为 $V_{i,j}'$ , need to be divided into 3 steps:

1）Verification $V_{i,j}\in \mathcal{C}_i$ and $\mathcal{C}_i\in \mathcal{C}$ ，即当前value $V_{i,j}$ in state.
2）当 $V_{i,j}$ exchange $V_{i,j}'$ After , calculate the new commitment value $\mathcal{C}_i'$ 。
3）Basically new $\mathcal{C}_i'$ , calculate new commitment value $\mathcal{C}'$ 。

这样， $\mathcal{C}_i\in \mathcal{C}$ is independent of other contracts. However, SST read cannot be used in private execution, because modifications to other contracts will invalidate its membership proof.

4. slow update SST

In order to solve the condition competition problem in multilayered SST, the concept of "delayed" update or "slow" update is introduced. Logically speaking, 2 trees need to be maintained and tracked:

current tree: for current value
pending tree: used for pending values

When the epoch interval is reached, the current current tree will be replaced with the pending tree, and a new pending tree will be enabled.
Insert image description here
This greatly solves the problem of read failure, but there is still the problem of update failure caused by other contracts. At the same time, due to the need to track two different trees that need to be updated at the same time, the amount of storage changes required is very high.

5. practical slow updates

In order to alleviate the amount of storage required for updates and the complexity of the slow update SST above, modifications have been made based on the slow update SST:

Amortize the overhead of epoch swap over the entire updates.

Insert image description here
The corresponding update process is:

The specific example is:

References

[1] Aztec 2023年11月 Shared State Trees - SST’s