Parakeet: Practical Key Transparency for
End-to-End Encrypted Messaging
Harjasleen Malvai∗† , Lefteris Kokoris-Kogias‡§ , Alberto Sonnino‡¶ , Esha Ghoshk ,
Ercan Oztürk∗∗ , Kevin Lewi∗∗ , and Sean Lawlor∗∗
∗ UIUC, † IC3, ‡ Mysten Labs, § IST Austria, ¶ University College London (UCL), k Microsoft Research, ∗∗ Meta
Abstract—Encryption alone is not enough for secure end-to-
end encrypted messaging: a server must also honestly serve public
keys to users. Key transparency has been presented as an efficient
solution for detecting (and hence deterring) a server that attempts
to dishonestly serve keys. Key transparency involves two major
components: (1) a username to public key mapping, stored and
cryptographically committed to by the server, and, (2) an out-
of-band consistency protocol for serving short commitments to
users. In the setting of real-world deployments and supporting
production scale, new challenges must be considered for both of
these components. We enumerate these challenges and provide
solutions to address them. In particular, we design and imple-
ment a memory-optimized and privacy-preserving verifiable data
structure for committing to the username to public key store.
To make this implementation viable for production, we also
integrate support for persistent and distributed storage. We
also propose a future-facing solution, termed “compaction”, as
a mechanism for mitigating practical issues that arise from
dealing with infinitely growing server data structures. Finally,
we implement a consensusless solution that achieves the min-
imum requirements for a service that consistently distributes
commitments for a transparency application, providing a much
more efficient protocol for distributing small and consistent
commitments to users. This culminates in our production-grade
implementation of a key transparency system (Parakeet) which
we have open-sourced, along with a demonstration of feasibility
through our benchmarks.
I. I NTRODUCTION
The use of end-to-end encrypted (E2EE) messaging ([31],
[32]) ensures that conversations between users remain private.
It is just as vital, though, to make sure these interactions
happen with the right people. To avoid being compromised by
a man-in-the-middle attack, users must discover the necessary
public keys to identify each other. In reality, this is accom-
plished either by scanning QR codes in person to validate
recipient public keys or by depending on a service provider to
generate the relevant public key of a communication partner.
The term key transparency refers to a system in which a
service provider stores the public keys of individuals on a
publicly accessible key directory server so that users can query
this server for messaging individuals in their contact list.
However, since the server can supply users with outdated or
fabricated keys, this strategy makes the server a single point
of failure. To counteract this, three complimentary methods
have been discussed in existing literature. Firstly, users must
be able to verify public keys served by the identity provider
as well as their own key(s) on a regular basis. Secondly, the
key changes must be publicly auditable, to ensure that the
server is adhering to certain update rules. Finally, a consistency
enforcement protocol must be used to prevent the server from
serving different versions of the directory to different users.
To address the problem of providing auditable identity bind-
ings, Chase et al. [16] introduced a primitive called verifiable
key directory (VKD) and defined its required security proper-
ties. Their system, called SEEMless, instantiates a VKD and
proves the correctness of the underlying scheme. Although the
evaluation of SEEMless indicates that it veers toward practical-
ity, SEEMless makes the following simplifying assumptions,
omitting issues that must still be resolved in order to be
applicable to a large-scale, real-world deployment. SEEMless
assumes that there exists a mechanism for clients to obtain
consistent views of a small server commitment, at every server
epoch. Their implementation relies on local RAM storage
to store all of the data ever required for key transparency.
Scalable implementations need a separate, optimized storage
layer. The data structure that SEEMless uses to keep state,
which they call a history tree, assumes that it is feasible to
perpetually store enough data to reconstruct the state of the
server’s cryptographic data structure from any epoch. Even
though their data structure is well-optimized to satisfy the
requirement of storing this much data, it becomes a bottleneck
when scaling to billions of users.
Hence, while a good starting point, these assumptions render
SEEMless, as is, infeasible for large-scale deployments. For
instance, WhatsApp, one of the most popular end-to-end
encrypted messaging apps, has a monthly active user base
of 2 billion [2] and has been downloaded on average 0.66
billion times [3] in the last five years. With the rollout of
multi-device [1] where each user device has a separate key,
the daily new key creations can be estimated to be roughly
5.4 million (based on an average of 3 devices/browsers per
user and download numbers). If we assume that existing users
update their keys at a similar volume, a rough estimate doubles
this to approximately 10 million. This leads SEEMless’s data
structure to require approximately 27TB (counting existing
and new keys based on number of key updates/creations) of
storage within the first year (See Appendix I).
A. Our Contributions
In this work, we present Parakeet, a key transparency system
which is designed specifically to overcome the scalability chal-
lenges that limit prior academic works from being practical for
real-world encrypted messaging applications.
 We achieve this by constructing a more efficient VKD,
extending the VKD to support compaction, and then leveraging
a simple consistent broadcast protocol to avoid the reliance on
clients having to connect to blockchains (and the scalability
issues associated with this dependence) to achieve consistency.
Below, we elaborate on these three central contributions:
1) Building an efficient VKD. A VKD is a cryptographic
primitive, defined and implemented by [16], which allows
an identity provider to store an evolving set of label-value
pairs, commit to this set, and respond (using cryptographic
proofs) to client queries about this committed set and its up-
dates. At a scale of billions of users, however, the efficiency
requirements of a system implementing a VKD become
more stringent than [16]’s implementation is able to meet.
We address these limitations by implementing a crypto-
graphic construction called an ordered zero-knowledge set
(oZKS), which allows us to more efficiently realize a VKD
with storage improvements of up to an order of magnitude
when compared against existing solutions. In addition to
the storage optimizations for the VKD, we also present a
modular and flexible data-layer API, called StorageAPI,
which can be implemented using any distributed database
solution. Our VKD implementation, written in Rust, has
been published as an open-source library [5].
2) Supporting compaction. Many works on verifiable data
structures that support updates require append-only data
structures ([41], [16]). In large-scale practical contexts,
requiring the support of an ever-growing storage and in-
memory system that supports append-only data structures
can be a barrier for the deployment of key transparency. We
introduce the term “compaction” to refer to an operation
that allows reducing the data stored on the server by purg-
ing ancient and obsolete entries. Secure compaction loosens
the requirement for append-only data structures, as intro-
duced in [16], through a minimal additional assumption. By
extending the existing oZKS functionality to enable secure
deletions, we present our two-phase compaction paradigm
of a VKD, which can be brought on par to existing
works with comparable performance. The novelty of our
oZKS construction consists of the mechanism for enabling
secure deletions. We include a theoretical discussion of our
construction here as we believe it is of independent interest
for any applications which may be limited by the storage
requirements of append-only verifiable data structures.
3) Serving commitments. All of the equivocation-based se-
curity definitions for transparency require users being able
to access a small shared commitment. Some works assume
a shared public ledger, such as a blockchain [41], [13].
Others rely on out-of-band gossip (see, e.g. [33]). However,
at a scale of billions of users, these mechanisms all have
drawbacks. For example, across platforms and geographic
regions, picking good out-of-band mechanisms, which do
not result in disconnected partitions of sets of users, is
a challenge. As [41] analyzed, using a blockchain to
respond a large number of queries could eventually result
2
in flooding the open ports of a large fraction of the nodes
of this chain. The alternative described by [41] is to use
a header relay network, i.e. a small number of nodes
serving a specific transparency application, essentially, a
centralized service. Since none of these solutions have
tackled this problem at a scale of billions of clients, finding
the minimal set of requirements for a consistency protocol
remains an open question. To this end, we propose a light-
weight consensusless consistency protocol that provides
these guarantees with low performance overhead.
Paper organization. In Section II, we present an overview of
the Parakeet system, which consists of the VKD construction,
the consistency protocol and an interface between the two. In
Section III, we review the original VKD definition and present
a more storage-efficient construction based on an oZKS. In
Section IV, we extend VKDs to support the compaction
operation to address storage limitations in practical systems.
In Section V, we describe the consistency protocol used by
Parakeet to serve commitments. In Section VI, we provide
microbenchmarks and comparisons to prior works, run against
our open-source implementation of the system. We discuss
related works in Section VII and conclude in Section VIII.
II. OVERVIEW
A central entity called the identity provider (IdP) keeps a
local database linking users’ identifiers (e.g. phone numbers)
to their public keys. It periodically sends a commitment of its
latest state to a distributed set of authorities, called witnesses,
that ensure its correct behavior. The witnesses store the latest
commitment and also communicate with clients to make
sure the identity provider is not censoring or eclipsing them.
The users query the identity provider to look up the public
key associated with a specific user identifier. Each user can
additionally monitor the history of their own public key. The
identity provider is trusted for ensuring that only permissioned
users can perform particular actions.
A. System & Threat Model
Participants. Parakeet is run by the following participants:
• Identity provider (IdP): The entity keeping the identifier-
to-key binding for every user and replying to users’ queries.
• Witnesses: A distributed set of authorities that cross-check
the IdP.
• Users: Ask the IdP to store a specific key bound to their
identifier, and query it to look up the key bound to specific
identifiers. Users can also periodically check the history of
their own key, to ensure that the server did not make any
unwarranted changes to their key.
The IdP and each of the witnesses generate a key pair
consisting of a private signature key and the corresponding
public verification key, so that their identity is known.
By definition, an honest witness always follows the Parakeet
protocol, while a faulty (or Byzantine) one may deviate
arbitrarily. We present the Parakeet protocol for 3f +1 equally-
trusted witnesses, assuming a fixed (but unknown) subset of
at most f Byzantine witnesses. In this setting, a quorum is
defined as any subset of 2f + 1 witnesses. (As for many
BFT protocols, our proofs only use the classical properties
of quorums thus apply to all Byzantine quorum systems [30].)
When a protocol message is signed by a quorum of witnesses,
it is said to be certified: we call such a jointly signed message
a certificate. Additionally, we assume the network is fully
asynchronous [21]. The adversary may arbitrarily delay and
reorder messages; however, messages are eventually delivered.
We discuss the various guarantees for these parties below.
Properties. The consistency protocol of Parakeet satisfies the
following properties:
• Consistency: For a given epoch t, if a user outputs a com-
mitment comt and a different user outputs a commitment
com0t , then comt =com0t .
• Validity: If an honest witness outputs comt as valid, then
comt was proposed by the identity provider.
• Termination: If the identity provider runs the protocol
honestly for epoch t, commitment comt , eventually the
identity provider will produce a certificate certt for t.
The security properties of the VKD of Parakeet are more
complicated to formally state, so we defer a more formal
treatment to appendix B and section III. At a high level, we
require that the construction of a VKD satisfy:
• Completeness: If an identity provider honestly serves val-
ues, then, for any label label, registered with the identity
provider, all users should receive (and accept) consistent
views of the value associated with label.
• Soundness: As stated before, the soundness definition used
in this paper is that of non-equivocation, i.e., if, at an epoch
t, Bob accepts a value val as Alice’s key, the server cannot
convince Alice that her key was val0 for the same epoch t
with val0 6= val. Note, this is in the presence of auditors.
• Privacy: Privacy for a VKD is defined with respect to
all parties who are not the identity provider itself. The
responses to all API calls made by parties which are not the
identity provider are zero-knowledge with a well-defined,
permissible leakage function.
B. Overview of our VKD Solution
Our VKD solution, aimed at real-world, large-scale ap-
plications, removes a majority of the assumptions made by
previous works in this domain, such as, [16], [34]. We modify
the constructions and definitions presented in [16] to use
a primitive called ordered zero-knowledge set (oZKS) [6],
which, together with a secure commitment scheme (cCS) and
a verifiable random function (sVRF), allow us to instantiate
a VKD in space linear in the number of updates for labels
in the VKD. This is in contrast to [16]’s construction, that
additionally requires space linear in the number of server
epochs, with a high constant factor (linear in the security
parameter). We further augment these constructions to provide
a method to allow compacting the underlying data-structures,
i.e., deleting values which are no longer in use, while still
requiring very little monitoring from the user to provide
3
security. This combines the space efficiency gains of a VKD
construction which relies on the assumption that users monitor
their keys constantly (e.g. [34]), with the security gains of a
construction based on append-only data structures (e.g.[16]).
C. Overview of our Consistency Protocol
Our first result is to debunk the common belief that such sys-
tems require consensus [36], [41], [16]. A first correct but inef-
ficient solution would be to use simple Reliable Broadcast [14]
to achieve all required properties in full asynchrony, a setting
where deterministic consensus is actually impossible [22].
This, however, is inefficient. Instead, we design a tailor-made
solution for Parakeet (Section V). The resulting system has
low-latency, and additionally the identity provider can be
natively sharded across many machines (unlike consensus-
based solutions) to allow unbounded horizontal scalability.
D. Bridging the VKD & the Consistency Protocol
For the most part, we handle the consistency and VKD
components of Parakeet separately. However, they do need to
communicate with each other. Here, we provide an application
programming interface (API) to bridge this gap. The IdP must
provide small commitments to the witnesses and the users need
to communicate with the witnesses to receive these up-to-date
commitments. To this end, we define a simple witness API.
As stated above, the witnesses run the consistency protocol
to certify a commitment to the internal state of the VKD. So,
our witness API includes an algorithm for the IdP to propose
a commitment at each server epoch and prove that it correctly
updated its VKD (WitnessAPI.ProposeNewEp). We also allow
any party to query the witnesses to retrieve the commitment
and certificate for an epoch (WitnessAPI.GetCom). Finally,
the API call WitnessAPI.VerifyCert verifies the certificate for
a commitment. The details of this API are in appendix D.
III. V ERIFIABLE K EY D IRECTORY
In this section, we will discuss the primitive Verifiable Key
Directory (VKD), defined by [16], and its properties. Recall
that a VKD consists of three types of parties: (1) an identity
provider (or, server), (2) users, and (3) independent auditors.
In a VKD, each user has an associated label, denoting their
username. The server stores a directory Dir of label-value
pairs. Each value corresponds to a public key. The clients
can request updates to their own public keys – equivalent to
requesting a change to the state of Dir. For efficiency, many
such requests are batched together, with updates going into
effect at discrete timesteps (epochs). So, Dir is stateful, has of
an ordered sequence of states Dirt , one state per epoch t.
To support verifiability in a VKD, each state of the directory
needs a corresponding commitment comt . The commitment
comt is made public using the WitnessAPI defined in ap-
pendix D. This model assumes that any changes to the direc-
tory go into effect when the corresponding epoch t goes into
effect and the commitment, comt , for this epoch is published.
The security of a VKD crucially relies on at least one
honest auditor per epoch checking the latest update for validity.
This assumption is common across a majority of the work in
this area (see, e.g. [43], [16]), in order to maintain client-
side efficiency. In this work, we realize this assumption using
the witnesses, each of which runs the auditing operation as
part of executing WitnessAPI.ProposeNewEp. Note that the
WitnessAPI solution can be used in addition to any other
solution, such as gossip for distributing commitments [33]
or client auditing [43], also discussed in Section VII. When
serving billions of users across different geographical regions
and platforms, it is not always reasonable to expect clients to
run audit operations or to participate in a connected gossip
network, so using a set of witnesses only increases security.
A. Outline of this Section
The rest of this section is devoted to revisiting the VKD
primitive, with improvements targeted for production. In sec-
tion III-B, we recall the various algorithms for this primitive
and its properties. For our storage-optimized VKD, we need
the oZKS primitive, whose motivation and properties we de-
scribe in section III-C. Then, in section III-D, we describe our
VKD construction using the oZKS, which achieves properties
identical to [16]. Even with improved efficiency, several prac-
tical problems remain, including: (1) allowing users to have
multiple devices linked to their accounts, and multiple updates
for the same user in an epoch, (discussed in section III-E), and
(2) introducing a separate, efficient storage layer for a scalable
VKD implementation (discussed in section III-F).
B. VKD Definition
The primitive verifiable key directory (VKD) was first
defined by Chase, et. al. [16]. As stated before, the VKD server
holds a directory mapping labels to values with one state per
epoch. The commitment to this state (and the proof of correct
update) is published by the server, using VKD.Publish.
When users want to lookup the public key for a particular
label, they request this by calling VKD.Query. The response
to a lookup comes with a proof of correctness, which the
requesting user can verify (with VKD.VerifyQuery). Each user
can also check the history of her own key, implicitly, for her
label, getting a mapping t → valt of the state of the associated
value at every epoch. The user can get this history and its proof
(VKD.KeyHistory), as well as verify it (VKD.VerifyHistory).
Any party can verify the output of a publish (VKD.VerifyUpd)
or a sequence of publish operations (VKD.Audit).
Soundness and privacy of a VKD. The soundness definition
for the VKD primitive is exactly the same as that of [16].
This definition captures the non-equivocation property stated
in section II-A, assuming that the server never deletes any
existing records. We also define the privacy of a VKD the
same way as [16]: all operations are zero knowledge with a
well defined leakage function.
C. Ordered (Append-Only) Zero-Knowledge Set with Deletion
As a step towards a more space-efficient implementation of
a VKD than that of SEEMless, we replace their aZKS building
block with a primitive which we call an ordered append-only
4
zero-knowledge set (oZKS). Here, we discuss the properties
of oZKS and briefly describe our implementation.
An oZKS is actually a further generalization of the append-
only zero-knowledge set (aZKS) primitive, which was first
introduced in [16]. [6] presents an implementation (and
corresponding informal definition) of an oZKS construction.
The oZKS primitive is used in a setting where a party (often
called a server) holds a data-store of label-value pairs (with
unique labels), and is trusted for privacy, but not to serve
consistent views of label-value pairs. The party uses oZKS
to commit to label-value pairs where the labels are all unique.
Initial work on zero-knowledge sets (e.g. [17], [35], [15])
committed to static data stores. The aZKS primitive ex-
tended this to include insertions only. The recent imple-
mentation of an append-only oZKS [6] extends the aZKS
to include a strict ordering on when elements are inserted.
Thus, an oZKS should support verifiable algorithms for: ini-
tially committing to a datastore (oZKS.CommitDS), insertions
(oZKS.InsertionToDS), membership/non-membership queries
(oZKS.QueryMem and oZKS.QueryNonMem). We use the
oZKS primitive to build our VKD construction in section III-D.
Comparing with the oZKS from [6]. Note that the append-
only property of the implementations of both [6]’s oZKS
and [16]’s aZKS require an ever-growing storage requirement
on the server. In large-scale practical applications, never
purging obsolete data can be infeasible. The novelty of the
oZKS construction in our work consists specifically of the
mechanism for enabling secure deletions. We present this as
a middle ground solution between fully mutable auditable
data structures that require users to be always online (e.g.
CONIKS), and append-only auditable data structures that lead
to an unreasonable server storage cost for long-running sys-
tems (e.g. prior and concurrent work on oZKS and SEEMless).
[18] also formalizes the protocol presented in the im-
plementation [6] and extends it to provide post-compromise
security. Their construction is still append-only and does not
support secure deletion. So, our contribution is orthogonal to
that of [18].
We introduce the secure deletion extension here for com-
pleteness and apply it in section IV. For verifiability, the dele-
tion operation of an oZKS with compaction is actually a two-
step process: marking nodes as candidates for deletion (a pro-
cess we call tombstoning, through oZKS.TombstoneElts) and
deletion of tombstoned elements (oZKS.DeleteElts). In ap-
pendix B, we provide a formal definition of all of these algo-
rithms and in appendix C, we describe our oZKS construction.
Our oZKS implementation. Similarly to [16]’s aZKS, our
oZKS instantiation uses a Merkle Patricia Trie (MPT) to
commit to label-value pairs. However, instead of using a
complicated persistent data-structure, which requires storing
all states of every MPT node, for the oZKS data structure, we
simply include the epoch a leaf was inserted as part of the
value committed for a node. This allows us to store one MPT
which mutates over time and old states of nodes in this tree
can be garbage collected, instead of persisting forever. Also,
note that for privacy, the MPT-based oZKS implementation
computes leaf labels using a verifiable random function (VRF)
(defined in appendix C), which is a deterministic function
computable only by the holder of a secrete key for a publicly
known public key, PK. Any party can, however, check the
correct computation of a VRF using PK. For privacy of
the actual value associated with a label, we use a hiding
commitment scheme. Concretely, this means that to add label
with value val to the datastore and update the corresponding
commitment at epoch t, the owner of the datastore adds a
leaf with label VRF(label) and value (com(val); t) to the
MPT. Figure 1 shows an example of the MPT-based aZKS
used by [16] as it evolves through various insertions. Figure 2
shows an example of our oZKS construction, with the same
leaves being inserted as in Figure 1.
Note that this constitutes only a simple oZKS, without the
tombstone or deletion algorithms. We discuss tombstoning and
deletion in section IV.
Soundness and privacy. The oZKS without the
TombstoneElts and DeleteElts algorithms is said to be
sound if, given at least one honest auditor in every epoch,
the server cannot delete any elements which were previously
committed. I.e., the oZKS without tombstones or deletions
is append-only. At first glance, the terms “append-only” and
“with deletion” for an oZKS may seem like contradictions.
What we intend to capture is a mechanism to commit to
a set, in an append-only manner, but with the additional
ability to remove very old values which may no longer be
needed by the calling application. Hence, the soundness
property of this data structure, defined in appendix B, is that
values may only be marked for deletion if they are older
than an epoch permitted by a system parameter. Other than
the fixed epochs for tombstoning old-enough nodes, and
correspondingly for deleting nodes marked as tombstoned,
the data structure should only allow insertions for labels not
present in the datastore already. As in the privacy definition
for the aZKS of [16], we require all functions for the oZKS
to be zero-knowledge, with a well-defined leakage function.
Leakage for our implementation. Our oZKS construction,
when committing to an initial data store (oZKS.CommitDS),
leaks the size of the datastore. The oZKS.InsertionToDS also
leaks the size of the datastore before and after the update.
For each inserted element, the adversary also learns whether
it queried for this element before and if it did, this tells the
adversary when this element was added. oZKS.TombstoneElts
and oZKS.DeleteElts leak when the tombstoned (resp. deleted)
elements were inserted and the size of the datastore before
and after each call. The responses to oZKS.QueryMem and
oZKS.QueryNonMem, in addition to the actual response, also
leak the size of the datastore and for oZKS.QueryMem, it leaks
when this element was added.
D. Revisiting the SEEMless VKD Construction
In this section, we construct a VKD (without compaction)
using an oZKS, instead of an aZKS and also summarize the
5
concrete implementation strategy for our VKD implementa-
tion. This replacement of an aZKS with an oZKS results in
functionality which is equivalent to that of SEEMless [16]
with significant space savings. The formal description of this
construction is in appendix E.
Concrete implementation. As mentioned in section III-C, our
concrete implementation of the oZKS consists of a Merkle
Patricia Trie (MPT), used to commit to a leaf’s value and
bind it to the epoch in which it was inserted. This MPT-based
oZKS is an important component of our VKD construction. In
addition to this oZKS, the VKD requires a database to store
actual username to value mappings as well as when each value
was added. Suppose a user with username Alice first joined
the system at a time t with public key value val1 . Thus, val1 is
the first version of Alice’s public key and the server adds the
label ‘Alice|1’ with value val1 to the oZKS at epoch t. If at a
later epoch t0 , Alice’s key is updated from version i to i + 1
with new value val0 , the server inserts the labels ‘Alice|i|stale’
with value equal to the empty string, and ‘Alice|(i + 1)’ with
value equal to val0 to the oZKS. At a lower level, this means
that at epoch t0 , the server adds to the MPT the leaves whose
labels are ‘VRF(Alice|(i + 1))0 and ‘VRF(Alice|i|stale)0 , with
values (com(val0 ); t0 ) and (com(); t0 ), respectively.
Soundness and privacy. The soundness definition of this
VKD construction is identical to that of [16]. At a high level,
as long as for epochs up till epoch t, (1) a client with label
label checks the states of key using the VKD.VerifyHistory
algorithm, (2) the WitnessAPI is honest, and (3) at least one
honest auditing party verifies each update using VKD.Audit,
then the identity provider could not have output a diverging
view of the val associated with label at any epoch less than
t. In other words, in the presence of auditing and witnesses,
Alice and Bob must always agree on the view of valAlice —the
value associated with the label Alice. The leakage functions of
this construction match those of [16]’s construction exactly.
Space efficiency improvements. The aZKS construction
of [16] allows reconstructing the state of verification data for
a data store at any time, by storing all intermediate states ever
generated. Both our work and [16] implement a compressed
version of a Merkle Patricia Trie, where, for a random set of
leaves, the expected depth of a leaf in a tree with n leaves is
log(n). Thus, if a new node is added to the MPT of [16], this
results in adding O(log(n)) new states to persistent storage.
Even with batching, this means that the space complexity of
their implementation depends on the number of epochs, in
addition to the number of leaves added. However, the space
complexity of our oZKS implementation only depends on the
total number of leaves added. The impact of this difference is
quite significant, as shown in Section VI.
E. Other Practical Considerations
In addition to the compaction extension, we discuss the
following additional considerations for practical deployments
of key transparency for messaging applications.
 h =
h =  H(h0 , 0,
 H(h000 , 000, h110 , 110)
h110 , 110) h0 =
H(h000 , 000 h110 =
 h0 = H() 0 110 H(v110 )
h000 = h110 = h011 , 011)
000 110
H(v000 ) H(v110 )
Epoch 0

Epoch 1: After inserting label- h000 = h011 =

value pairs (000, v000 ) and 000 011
H(v000 ) H(v011 )
(110, v110 ).
Epoch 2: After inserting label-value pair (011, v011 ).
Fig. 1: An example of the evolution of the SEEMless Merkle Patricia Trie-based aZKS construction with 3-bit labels. The aZKS starts with no entries at
epoch 0, which is committed in the tree with a single node, with label  and commitment H(). At the first epoch, two new leaves are inserted and at epoch 2,
a third leaf is inserted. Note that the values inserted in this tree correspond to the entries inserted in Figure 2. However, in contrast to the oZKS construction,
the tree at epoch 2 as is cannot be used to reconstruct any of its previous states. SEEMless optimizes the ability to get values from previous states using
storage compression.

h = h =
H(h000 , 000, H(h0 , 0,
 
h110 , 110) h110 , 110)

h0 =
 h = H() h110 =
000 110 H(h000 , 000, 0 110
H(v110 , 1)
h011 , 011)
Epoch 0 h000 = h110 =
H(v000 , 1) H(v110 , 1)
h000 = h011 =
000 011
Epoch 1: After inserting label- H(v000 , 1) H(v011 , 2)
value pairs (000, v000 ) and
(110, v110 ). Epoch 2: After inserting label-value pair (011, v011 ).
Fig. 2: An example of the evolution of our Merkle Patricia Trie-based oZKS construction with 3-bit labels. The oZKS starts with no entries at epoch 0,
which is committed in the tree with a single node, with label  and commitment H(). At the first epoch, two new leaves are inserted and at epoch 2, a third
leaf is inserted. Note that the tree at epoch 2 can be used to reconstruct any of its previous states.

User interfaces. In this work, we assume that the server
is trusted for bootstrapping users. For example, if a user
loses their phone, there is a mechanism for them to recover
their account. We also assume that the client application has
interfaces to inform users about various events including: if
witnesses are offline for extended periods of time, if a proof
failed to verify, or if a public key they requested to add to their
account did not take effect within a specified time period. [38]
discusses some of the design considerations for a user-facing
transparency system. We leave further study to future work.
Multiple devices per user. A common property of most
mainstream messaging applications is the ability to associate
one user account with multiple devices owned by the user (e.g.
computer, mobile phone), each with a distinct E2EE keypair.
This means that a VKD must support a set of public keys
belonging to a user, as opposed to just a single key. This
simply involves using the set of public keys as the values in
the VKD, ensuring that validating client queries involves a
membership check instead of an exact match of public key.
Multiple updates per epoch. Depending on the length of the
epochs, clients may submit multiple updates to their public key
values within the span of a single epoch. Only publishing the
latest key received for a user within an epoch can lead to issues
with consistency for clients which may have been messaged
within the fast key updates. Instead, when sequencing these
updates, the server can designate the ordering by adding an
ordered list of public keys as opposed to a single key per
epoch. Then, clients can check for list membership when
querying for proofs, and the server can use the ordering to
ascertain the latest key after the next epoch begins.
Together, these adjustments to client public keys result in
an ordered list (multiple updates per epoch) of sets (multiple
devices) of public keys being hashed in our VKD construction.
F. Storage API
As discussed in Section I, a large-scale VKD implementation
requires a separate storage solution which we call StorageAPI.
Warmup. As a first attempt at defining StorageAPI, we may
want only two operations on top of a simple database:
• val/⊥ ← StorageAPI.GetFromStorage(key): This call takes
as input a key (key). If the key is in the database, it returns
the associated value (val). Otherwise, it outputs ⊥.
• 1/⊥ ← StorageAPI.SetToStorage(key, val): This call takes
as inputs a key key and corresponding value val. It outputs 1,
if this value is successfully in the database and ⊥ otherwise.
We could use this simple API for all data types by defining
the storage keys for each type as an encoded binary vector with
a prefix to demarcate types. The implementer of StorageAPI

6
determines the underlying storage layer to handle each type.
This also maintains unique keys for individual records without
changing the storage key type signature.
Handling storage latency. Of course, in a practical implemen-
tation, storage will have to consist of a set of geographically
spread-out, duplicated nodes. This means that one of the
biggest bottlenecks in timely update of the server’s verifiable
data structures, as well as client queries, is memory la-
tency. For large-scale end-to-end encrypted messaging identity
providers, what may not be a problem, however, is bandwidth.
Hence, we add batched storage APIs to leverage the high-
bandwidth to reduce latency. We define these APIs as:
• {vali }i ← StorageAPI.BatchGetFromStorage({keyi }i ):
This call should take as input a set of keys keyi and
return values vali stored in the database associated with the
corresponding key. If labeli is not in the database, vali = ⊥.
• 1/⊥ ← StorageAPI.BatchSetToStorage({(keyi , vali )}i ):
This call takes as inputs a set of key-value pairs (keyi , vali ),
and outputs 1, if all values are successfully set and ⊥ if any
errors occur. Note that this implicitly implies atomacity of
a single BatchSetToStorage operation.
Batching-friendly oZKS. Note that batching storage opera-
tions is not enough on its own, unless the algorithms we
implement are also amenable to batched memory accesses.
In particular, underlying our implementation of an oZKS is a
compressed Merkle Patricia Trie, whose construction satisfies
the following invariant:
Each node is the longest common prefix of its children.
This implies that, for example, just looking at the label
for a leaf being inserted does not automatically allow the
server to know which nodes (and corresponding keyi ’s) to use
with BatchGetFromStorage. To solve this problem, our imple-
mentation starts with assuming that the storage solution has
caching capabilities. Under the assumption of a large enough
cache, if we can preload nodes for a batched operations, say,
VKD.Publish, the operation itself can be done as if in RAM.
Later, the cache can be flushed to persistent memory as a
single transaction operation. oZKS operations requiring tree-
traversals are called with a leaf label as input, batched versions
of these operations are called with a set of leaf labels leaves.
To optimize remote persistent storage accesses, at a high level,
we implement procedures which operate following two steps:
(1) compute a set prefixes of all prefixes of values in
leaves, (2) starting at the tree’s root node, begin a breadth-
first search for nodes with labels in the set prefixes, batch-
fetching labels at the same depth. This ensures that all of the
nodes required to run algorithms for the labels in leaves will
be loaded at the end of the preload operation with only one
access to persistent storage per layer of the Merkle Patricia
Trie, without overwhelming the cache by having to load the
entire tree. In fact, the set of nodes retrieved to cache is exactly
the set required for the original oZKS batched operation.
So far, we have omitted any discussion of batching for
set (write) storage operations. This is easier, since batching
writes is equivalent to flushing an in-memory cache of the
7
updated nodes, an operation our storage interface requires.
The only writing operation is VKD.Publish, and once it has
completed its changes, we can commit all of the changes in
the transaction cache as a single atomic operation (assuming
the storage layer supports this). Since all of the modified data
will be in the cache, flushing the cache in a timely manner is
all that is needed to ensure up-to-date views of storage.
Other storage considerations. Even with our cache-based
solution, there is an underlying assumption that the storage
layer can support a cache-sized atomic write operation. For
very large systems, we would like to further loosen this
requirement, by adding support for the situation in which the
storage layer cannot atomically (or at least efficiently) commit
the entire transaction of changes in a single operation. We
make some simple modifications to the data-structure layer to
prevent inconsistencies in read operations during an update.
All proof generation operations use an epoch value stored in
the oZKS data-structure to determine the latest epoch, denoted
(LatestEp). LatestEp must be updated last in order to ensure
that the data corresponding to LatestEp has been written for
all parts of the data-structure, before any reading is permitted.
Once the oZKS’s latest epoch is updated, all operations will
take the new epoch as truth and access consistent values.
With this in mind, we need to change the stored record for
a tree node to store two values at a time: the previous and the
current value. For atomicity, this means storing a dual-value
struct, each value with an associated epoch. Read and write
operations read the epoch stored at these values to determine
which to designate as current and which as previous. The read
operation always reads the value whose epoch is less than or
equal to LatestEp, and the write operation overwrites values
whose epoch is less than LatestEp. This allows us to update
tree nodes without impacting proof generation operations.
IV. VKD WITH C OMPACTION
Previous constructions, such as [16] and ([43], [34]) seem
to fall into two extreme categories: (1) works that assume
the server’s storage to be linear in the number of updates,
and (2) works that assume users are either always online or
can retroactively check the server’s view of their keys for any
epochs they may have missed. This means that the client has
to do linear work in the number of server epochs to monitor
their keys. Also, at production scale, we must account for the
storage implications of being able to serve users who come
online infrequently—e.g., in case (2), the server would need
to store a large trove of history, perhaps even all of its data.
Even the soundness of our oZKS-based VKD construction
depends on the append-only property of the oZKS. In our
implementation, we instatiated the oZKS described above
using the Merkle Patricia Trie-based SA, as in [16]. For each
version added by the user, the server adds a label of the
form (uname|i) to the MPT and for each version retired by
the user, it adds a label of the form (uname|i|stale). So, the
space complexity of st for our VKD Pgrows linearly in the total
n
number of updates, i.e. |st| ∈ O( t=0 |St |) where St is the
input to the tth call to VKD.Publish. This poses two problems:
• the labels committed for a given user may never be deleted,
so it becomes impossible for a user to request that all data
associated with their account be deleted. This is (arguably)
in conflict with “right to be forgotten” regulations, such as
those laid out in the GDPR [4].
• eventually, traversing a tree which is monotonically growing
leads to unreasonable blowups in proof sizes as well as the
time taken to respond to queries and make server updates.
This motivates the need for a process of secure (and trans-
parent) compaction of storage on the VKD server. Naturally,
the best way to do this would be to delete very old data stored
on the VKD server, should it no longer be useful.
Overview of our paradigm. To address the issue of ever-
growing storage, we extend the VKD functionality to a VKD
with compaction, denoted cVKD. The compaction consists
of two phases: the tombstone phase, a special epoch when
some of the server’s data is marked for garbage collec-
tion, followed, after a period of time, by, the compaction
phase, a special epoch where values marked as tombstoned
are garbage collected i.e. deleted. All other epochs are ex-
pected to function as before, i.e., internal data structures
remain append-only. The auditors contribute global correct-
ness checks to the tombstone and compaction processes by
verifying that only data which is “old enough” is tomb-
stoned (VKD.VerifyTombstone), that only tombstoned values
are garbage collected (VKD.VerifyCompact) and, that in all
epochs which are not used for tombstoning or deletion, the
server updates its commitments correctly, as before. To ensure
that values are properly garbage collected, we require that
users monitor their own key history after each tombstone
phase, prior to the following compaction phase. Through
VKD.KeyHistory, the user checks any deletions were correct.
Soundness of a VKD with compaction. We provide a formal
definition of a cVKD in appendix B. The soundness definition
for a VKD is more general than a single tombstone or deletion
epoch, but rather, refers loosely to the following intuition. We
start with some requirements on the user for verifying her
own key. Specifically, we require that between any consecutive
tombstone and deletion, a user checks her key at least once.
Then, “if a user Alice verifies her key according to the
requirements and believes her own key at an epoch t was P K,
then, any other user must also believe that Alice’s key at epoch
t was P K”. Note that Alice checking her keys between all
“tombstone-deletion” epochs induces a mapping from “epoch
t to the freshest public key and version number at t”. For this
mapping to be unambiguous, and strictly increasing, a version
number cannot be deleted and reinserted without detection.
A. Construction
We extend the oZKS-based VKD construction from ap-
pendix E to include a compaction phase, to allow garbage
collection and verification of data which is no longer needed.
The following example and Figure 3 illustrate what kind
of data the server may want to delete in order to compact
its storage. Recall that when a user with username Alice
8
first joins the system, with public key PK1 , the VKD adds
the label Alice|1 with value PK1 to the oZKS. When Alice
updates their key from the first version PK1 to PK2 , the server
simultaneously adds the labels Alice|2 and Alice|1|stale with
values PK2 and  to the oZKS. This pattern generalizes to any
further updates by the user Alice. Suppose, after several years
of joining, Alice is on their 10th key version, and has come
online and checked their key history a few times in the interim.
The data for Alice|1, PK1 may not be useful and the server
may want to reduce storage costs by deleting such entries.
We motivate our final cVKD construction with preliminary
attempts to support compaction directly from a VKD.
Attempt 1. The most straightforward attempt at adding a com-
paction functionality to the VKD built using an oZKS involves
simply allowing the deletion of arbitrary, “old enough” oZKS
entries by introducing a oZKS.DeleteElts functionality. We
define “old enough” as a system parameter called StaleParam,
with the requirement that any entries deleted by the server
must have been inserted at least StaleParam epochs ago. That
is, if oZKS.DeleteElts is called in some epoch t, the only
entries the auditors will verify as correctly deleted were added
before the epoch t − StaleParam. In our MPT-based oZKS
implementation, this is easy to support, since the epoch a leaf
was added is included in the leaf’s hash. From the auditors’
point of view, as long as a deleted node is old enough, its
deletion was valid. For privacy, the auditors should not access
the plaintexts used to compute the VRF for the MPT.
What if certain users check their key history infrequently?
Suppose a user Alice is at version 20 of their public key
and version 10 was added a long time ago. The server could
mount an attack where it deletes a label Alice|10|stale but not
Alice|10. If the user Alice does not come online for a while,
the server could serve the stale value at version 10 for Alice,
in response to VKD.Query, then delete Alice|10. The server
could do all of this before Alice comes online to check their
public key. The only way to prevent this seems to be to store
all states for a long time, or to have users be always online:
both of which significantly degrade efficiency.
Attempt 2. We could try to patch the issues with the
oZKS.DeleteElts functionality in the previous attempt by
introducing a system parameter called DeletionEpochs such
that an oZKS.DeleteElts proof only verifies if it is called in an
epoch in the set DeletionEpochs with the important invariant
that the oZKS remains append-only at all non-deletion epochs.
We could then rely on the assumption that a user comes online
between any two consecutive elements of DeletionEpochs
to run VKD.KeyHistory on their own label. Now, if a user
Alice comes online, they can ensure that (1) the epochs for
version numbers are correctly ordered, for example, if the label
Alice|9 was inserted at epoch t9 and Alice|10 was inserted
at t10 , then t9 < t10 , (2) versions are marked stale at the
appropriate epoch, in the previous example, this means that
Alice|9|stale was inserted at t10 , and (3) for an honest IdP,
labels of the form Alice|version are always inserted before the
corresponding label Alice|version|stale, they should ensure that
 ...
100 200
Alice|1 Alice|2
inserted Alice|1|stale
inserted
Fig. 3: An example of labels corresponding to user Alice’s key updates. Since Alice has changed their key enough times since their initial entry into the
system and epochs before epoch 200 are considered old enough, Alice|1, Alice|1|stale can be deleted.
if Alice|version|stale is deleted, then so is Alice|version.
However, an issue still remains: suppose the server has two
consecutive deletion epochs del1 and del2 , with n non-deletion
epochs between them. Suppose, Alice comes online at epoch
del1 + 1 and checks their key history and then again at epoch
del2 + 1 checks their key history. Suppose at epoch del1 + 1
their latest key’s version number was 10, and the server now
inserted 3 fake keys for their between epochs del1 + 2 and
del2 , i.e. their key’s version right before the next deletion is
fallaciously 13. As part of del2 , the server could delete the
labels it added for Alice’s versions 11 through 13 and the
label Alice|10|stale. Such an attack could go undetected, unless
Alice came online in exactly the epoch del2 −1. In the presence
of network delays and users who are possibly offline for long
periods of time, we consider this requirement too restrictive.
Hence, we propose adding the restriction that StaleParam is
at least as large as the space between two deletions. Meaning,
auditors would not accept deletion of labels which were
inserted more recently than the most recent deletion. In the
above example, this would mean that StaleParam > del2 −del1
and any values inserted between del1 and del2 would remain
for Alice to check when they comes online at epoch del2 + 1.
Even with the restriction that StaleParam > max(deli+1 −
deli ), if the user does not immediately come online at each
epoch deli + 1, and her key is old enough, the server could
temporarily rollback her key’s version. Consider the following
case: a user Alice updates their key very infrequently and
their most recent key, say, version 10, is old enough to fit the
criteria for deletion. That is, Alice|10 was added at an epoch
older than StaleParam. At the next deletion epoch del, the
server could delete all record of their most recent key, i.e. the
labels Alice|10 and Alice|9|stale, effectively rolling back their
key to version 9. It could then re-insert the labels Alice|10
and Alice|9|stale before Alice checks their key history for this
round of deletions. All of the checks we mentioned above
would pass and yet, for a period of time, if another user Bob
queries for Alice, they would see a different version and value
than what Alice will see later. This is a subtle technical issue
but preventing such an attack is integral for a construction to
be considered sound!
The auditors could mitigate this issue by storing old labels
and ensuring deleted labels were not reinserted. This requires
auditors to be stateful and have linear storage complexity in
the size of the updates. This would make the auditor’s storage
as large as the server’s – which, our construction avoids.
We argue that the requirement that the user come online
immediately after every deletion epoch is also too strong. In
the next construction, we propose a design that fixes this issue.
9
1000
Alice|10
Alice|9|stale
inserted
Final construction. In our final construction, we patch this
last issue by including a set of tombstone epochs, denoted
TombstoneEpochs in the public parameters. A tombstone
epoch is an epoch when items are marked for deletion, i.e.
tombstoned, but not actually deleted. This allows users to
check their own key history and ensure that values marked
for deletion are appropriate, before they are actually deleted.
For example, if the IdP wants to delete the label Alice|10
at a deletion epoch del, it would first have to set the value of
Alice|10 to T OMBSTONE at the preceding tombstone epoch
TombEp. Between TombEp and del, Alice can run KeyHistory
and see if this is appropriate at the VKD level.
Meanwhile, at TombEp, the auditors ensure that the only
oZKS elements which are modified at TombEp are old enough,
according to the parameter StaleParam. At all epochs between
TombEp and del, the auditors continue checking append-only
proofs. At del, auditors check that the only oZKS elements
which are deleted have the value T OMBSTONE .
The final construction requires a client to come online between
deletion epochs and check the following set of conditions. If
the minimum valid version number it receives is min and its
current version number is current, then:
• Correct tombstoning or deletion. For all versions version
below min, it gets either (a) a non-membership proof for
uname|version, or (b) membership proofs for uname|version
and uname|version|stale, with either both of them or neither
of them having the value T OMBSTONE .
• Correct ordering. For any version version in the range min
to current − 1, that the epoch tversion when uname|version
was added is less than the epoch tversion+1 , when
uname|version + 1 was added.
• Correct version changes. For any version version in the
range min to current − 1, that uname|version + 1 and
uname|version|stale were added at the same epoch.
• Freshness of current value. For the current version current,
it checks for the non-membership of uname|current|stale.
• Non-membership of next few entries. For any version ∈
[current + 1, 2blog(current)c+1 ), uname|version wasn’t added.
• Non-membership of much further entries. For L, the most
recent server epoch, for any j ∈ [2blog(current)c+1 , 2blog(L)c ],
it checks a non-membership proof for uname|2j .
Soundness. We give a detailed proof for the soundness of this
construction in appendix B. The intuition for soundness is as
follows: For the most part, this construction with deletion is
identical to the one in section III, since all but a designated
set of epochs is append-only. The only divergence occurs at
tombstone or deletion epochs, and we show that dishonest
server behavior cannot go undetected, even in these epochs.
We require that a user must check their key history once for
each tombstone epoch, prior to the following deletion. If a
user’s key is at version, the server can show the wrong key
for a user in one of the following ways. The server could
try to change the public key committed to the label version:
this is mitigated by the auditors checking that the only change
being made is tombstoning or deletion of already tombstoned
values. If the server tombstones the label uname|version, the
user will detect that it is tombstoned since they will come
online before the next deletion. The second option is that the
server could show an older key, i.e. show a key for some
version version0 < version but this should be detected by the
one of the key history checks. The third option is that it could
try to add a higher version version0 > version: this is already
detected by the construction in section III. The fourth option is
that it could try to re-insert an old version number, which was
deleted, with a different key: this particular attack is unique to
the scenario with deletions and is detected by the key history
check, since if the server re-inserts an old version number, the
user will see this the next time they comes online, which will
be before the server has the opportunity to hide this change.
Assumptions. Recall that previous works, as well as our
construction in section III, make two major assumptions. First,
they assume that the server’s underlying data structure is
append-only, i.e. the identity provider could never delete any
verification data. Second, that users are not always online.
The guarantee is that if a user checks their key history for a
period of time, they will catch the a cheating server. In fact,
there is no upper bound on the time the user can wait before
checking their key history but still get the same guarantee.
This construction changes these assumptions as follows:
1) We assume that the system only considers a value stale-
enough to tombstone, if it was added before the previous
tombstone. The ability to tombstone and delete values
is already an improvement over previous, append-only
verifiable data structures. We argue that the compromise
of keeping data for a certain period of time is still a major
improvement for long-term storage costs.
2) Instead of allowing the user to go for an unbounded amount
of time before checking their key history, we require that
they come online between each pair of tombstone and
corresponding deletion epochs and check their key history
to get guarantees for that period. Since large servers only
need to run deletions infrequently, while more strict that the
previous assumption, this still provides a user with leeway.
In fact, this approach also has the added benefit that there
is an upper bound on the amount of time the server can
cheat for a particular user and go undetected.
Leakage. The leakage of the subset of algorithms of this
cVKD construction, which are inherited from the defi-
nition of a VKD is identical for this construction. For
cVKD.TombstoneElts and cVKD.Compact, they both leak
the size of the cVKD at the start of the operation. Also,
cVKD.TombstoneElts leaks the number of tombstoned values
and cVKD.Compact leaks the updated size of the cVKD.
10
Space efficiency. A compressed MPT is constructed with the
invariant that any node with only one child is deleted and
replaced by its child. This means that when a new leaf is
inserted, somewhere in the tree an additional new node will
have to be inserted to accommodate this leaf. When a leaf is
deleted, its immediate parent can also be deleted. Hence, for
each leaf deleted from this MPT-based VKD, the equivalent
of 2 MPT nodes worth of data can be erased from the server.
V. T HE PARAKEET C ONSISTENCY P ROTOCOL
Existing transparency overlays typically fall in two categories:
• Reactive Client-side Auditing: These protocols [34] offload
the consistency protocol to the clients. Clients are expected
to gossip among themselves about their views of the system
and construct fraud proofs showing that the IdP has misbe-
haved. Unfortunately, this class of protocols is too optimistic
for a security-critical infrastructure and too heavy for the end
user. As a result, there is a high risk that users do not eagerly
gossip proofs or that the adversary launches targeted eclipse
attacks [24] to isolate targeted users. Finally, gossip relies
on always-connected nodes forming a connected graph,
perpetually routing messages. This is impractical if the many
of nodes in the gossip network are small devices with
intermittent network connectivity and rely on battery power.
• Using a black-box blockchain as a trust anchor: This ap-
proach [41], [16] guarantees consistency as long as the
blockchain is secure, i.e., it does not have forks. This alle-
viates any risks for clients who only need to trust the black-
box blockchain, however, (i) it introduces a significant ex-
tension of the trust assumptions, which might not be correct
given the multitude of attacks blockchains suffer [11], (ii)
it limits the update speed of the system to the finality speed
of the blockchain (which is tens of minutes in Bitcoin), and
(iii) it doesn’t solve the problem of eclipse attacks against
clients as they remain a challenge in blockchains. Also, no
existing protocols has provided a detailed security analysis
for the interactions with any existing blockchain.
One way to avoid these issues is having auditors run consensus
on each update of the IdP, essentially replacing the trust
assumptions of the blockchain with a custom-made blockchain
just for the transparency layer. However, this is simply an
overkill. As a final contribution, Parakeet shows a consensus-
less protocol that achieves all the desired properties for defend-
ing against split-view attacks. Section V-C further extends this
protocol to provide censorship resistance and read-freshness.
A. Consensus-less Strong Consistency
The Parakeet protocol consists of network messages ex-
changed between the participants (Section II-A). The users
communicate with the identity provider (IdP) and witnesses.
The IdP communicates with the witnesses and users, but the
witnesses need not communicate directly with each other.
Updating the state. All updates to the state of the IdP start
with an update request sent by a user to the IdP. The request
contains a user identifier id and the new key pknew associated
with id. The IdP collects several user requests and runs the
 process update
notification
2 We provide an optional enhancement of the consistency
witness 1
witness 2
witness 3
witness 4
IdP
1 3
make update assemble
notification certificate
Fig. 4: Illustration of the key update protocol.
key-update protocol illustrated in Figure 4. The IdP broadcasts
an update notification to the witnesses to notify them that
the state of the key directory has been updated (Ê). This
notification contains the following fields: (i) a commitment
to its state comt , (ii) the epoch t, (iii) a proof π Upd that comt
is a valid commitment and that the state is a valid update of the
previous state, and (iv) a signature by the identity provider over
this data. Each witness locally verifies that the epoch number t
has been incremented by 1 and that the proof π Upd is valid; it
then counter-signs the update notification (Ë). Finally, the IdP
collects at 2/3f +1 witnesses’ signatures into a certificate (Ì)
which is attesting that a quorum of witnesses verified each past
update and the IdP could not have equivocated.
Reading the state. The user sends a read request to the
IdP to request the key associated with a specific identifier.
This request contains the identifier key to query. The identity
provider replies to read requests with a message containing the
following fields: (i) the key key associated with the identifier,
(ii) a certificate from the witnesses over its latest update
request, (iii) a proof that key is included in the certified state,
and (iv) a signature by the identity provider over this data.
B. Proofs Sketches
We provide the intuition for the proofs of consistency,
validity, and termination of the protocol defined in Section II.
Consistency. We prove consistency by contradiction. Let’s
assume two correct users output different commitments comt
and comt0 for the same epoch t. Then comt is signed by
2f + 1 witnesses out of which f + 1 are assumed honest.
Similarly, comt0 is signed by 2f + 1 witnesses out of which
f + 1 are honest and did not sign comt0 . But then there should
be f + 1 + f + 1 honest and f malicious witnesses. But
n = 3f + 1 < 3f + 2, hence a contradiction.
Validity. Validity directly follows from the integrity property
of the signature scheme used by the IdP and the soundness
of the proof π Upd . Honest witnesses only counter-sign update
notifications if they are correctly signed by the IdP and the
proof π Upd verifies. As a result, there cannot exist a valid
certificate over an invalid update.
Termination. Assuming all messages are eventually delivered
and there exist 2f +1 honest witnesses then the honest IdP will
send a single commitment for each epoch t which all honest
witnesses will counter-sign and produce a valid certificate for.
11
C. Anti-Censorship and Freshness Subprotocol
protocol presented in Section V providing censorship re-
sistance from malicious IdP. This protocol allows users to
tie the liveness of their update requests with the liveness
of the entire system effectively defending against selective
censorship attacks. The protocol works as follows:
• Users whose updates keep not appearing in the IdP’s state
send their update request to the witnesses.
• Every epoch witnesses collect these requests and forward
them to the IdP.
• Once the witness has forwarded a user update request, it
stops signing any future IdP’s update notification that do not
come with a proof that the user update has been included
in the state.
As a result the moment the censored client has sent their
update request to f + 1 honest witnesses, the liveness of the
protocol is tied to the update being included. Hence the IdP
can now only act as crashed and halt the whole system if it
wants to censor the update (at which point no other requests
can be processed).
A second enhancement of the consistency protocol is that
during an update the witnesses send their signature over not
only the hash of the tree but also their local timestamp. Then
clients are given the option to ask for 2f +1 timestamps during
a read operation. Given that a median timestamp is robust to
f faults and assuming bounded clock-drift clients can deduce
the freshness of the state tree received as reply. They can thus
choose to ignore the reply if it is too old (e.g., more than a
day old).
Given that now the updates are coupled to anti-censorship
and clients are aware of the time the state is updated in
Parakeet, we guarantee that key updates are included in a
timely manner in the state and every client quickly receives
the new update (otherwise a malicious IdP is forced to halt
the whole system ).
VI. I MPLEMENTATION AND B ENCHMARKS
We implement our VKD scheme presented in Section III in
Rust. We also implement a networked multi-core eventually
synchronous Parakeet based on our VKD. It uses tokio [7]
for asynchronous networking, ed25519-dalek [8] for el-
liptic curve based signatures, and data-structures are persisted
using Rocksdb [9] (unless otherwise specified). It uses TCP
to achieve reliable point-to-point channels, necessary to cor-
rectly implement the distributed system abstractions. We have
open-sourced both our VKD [5] and consistency protocol [5]
implementations (which together form Parakeet), including
our Amazon Web Services (AWS) orchestration scripts and
measurements data to enable reproducible results [10].
Benchmarks. We performed several benchmarks to thor-
oughly assess the practicality of Parakeet. To this end, we used
two kinds of AWS instances, both with up to 5Gbps of band-
width, running Linux Ubuntu server 20.04, running on 2.5GHz
Intel Xeon Platinum 8259CL machines: (1) t3.medium
instances with 2 virtual CPUs (1 physical core) and 4GB
memory. These machines are relatively cheap due to their
low specs and we chose them to assess how performant the
witnesses of Parakeet are. (2) t3.2xlarge instances with
8 virtual CPUs and 32GB of memory. These machines are
used to benchmark the most heavyweight IdP operations,
namely publish. We implemented IdP and Witnesses in Rust
and for signatures we used ed25519_dalek with 32-byte
public/private keys pairs.
A. Microbenchmarks
We microbenchmark the overhead of the consistency proto-
col on the AWS t3.medium instance and the IdP capabilities
of our implementation on the t3.2xlarge instances. We set
the committee size to 4 witnesses, the size of keys and values
to 32 bytes each (i.e. a key-value pair is 64 bytes), and a batch
size of 1,024 key-values per batch. In the tables below, every
measure displays the mean, standard deviation over 10 runs.
CPU analysis. Table II shows the results of microbenchmarks
for the following VKD operations:
1) Create notification: The IdP generates a batch of (random)
public keys and publishes them. Then it generates an audit
(append-only) proof over this publish operation. The audit
proof along with the the new tree root and the sequence
number are signed by the IdP. This message constitutes a
notification. Note that the result in table II only includes the
cost of the consistency and audit related operations, which
we derive by subtracting the server-side publish cost from
the total cost of publishing and creating a notification.
2) Verify notification: A witness verifies a notification. This
step consists of the verification of the IdP-generated signa-
ture and the audit proof.
3) Create vote: A witness signs the verified notification and
creates a vote.
4) Verify vote: A witness verifies a vote.
5) Aggregate certificate: A list of votes are combined to
form a certificate. The number of votes needed to create a
certificate is 2f + 1 (see Section V). With a four-witness
setup, this means combining 3 votes.
6) Verify certificate: All 3 votes in a certificate are verified.
The slowest operations are the generation and signing of audit
proofs, dispatching them to witnesses, Create notification, and
the verification of the signature and audit proof presented in
Create notification, i.e. Verify notification. Similarly, verifica-
tion of these two contributed to the second slowest operation
Verify notification. Comparatively, remaining operations were
very fast – completed under one millisecond.
Storage analysis. To examine the storage costs of Parakeet,
as well as SEEMless, we inserted 100,000 users at a time
to the respective VKDs with a MySQL-based storage layer,
running locally in a docker container. Figure 5 shows the
storage cost and its breakdown for Parakeet’s VKD, as the
number of users increases. For 5M users, the VKD requires
about 4.5GB and this cost grows linearly in number of users.
12
Measure Mean (ms) Std. (ms)
Verify notification 68.70 1.50
Create vote 0.02 0.00
Verify certificate 0.16 0.01
TABLE I: Microbenchmark of single core CPU overhead of the consis-
tency protocol operations of Parakeet on witness machines. Committee of
4 witnesses; notifications batch 1,024 updates of 64 bytes each; average and
standard dev. of 10 measurements.
Measure Mean (ms) Std. (ms)
Create notification 47.12 9.30
Verify vote 0.07 0.00
Aggregate certificate 0.00 0.00
TABLE II: Microbenchmark of witness CPU overhead of the consistency
protocol operations of Parakeet on the IdP machine; notifications batch 1,024
updates of 64 bytes each; average and standard dev. of 10 measurements.
At this rate, we would expect roughly 850GB for 1 billion
users – demonstrating the scalability of our solution.
Figure 6, shows the time it takes to run a publish operation
on Parakeet’s VKD. The storage layer of this experiment
implements a cache and uses a MySQL database for persistent
storage. Each of these update operations, as well as the ones
in fig. 5 required only one or two persistent storage accesses
each, and the storage accesses made up a majority of the time
it took for the publish operation to complete. For example,
for inserting 100k users on top of a VKD containing 500k
existing users, it took about 19 minutes, of which 12 were for
MySQL writes. We attempted to run similar benchmarks for
SEEMless. Our implementation of an aZKS included all the
same caching optimizations as the oZKS implementation we
used for Parakeet. With persistent memory, however, this data
structure became infeasible at fairly small scale. For example,
inserting 100k new users into a set of 300k users and this
operation took ≈ 66 minutes. Of this, 51 were spent writing
to persistent storage and about 7 were spent on reading from
it. This took 47 persistent storage accesses. In appendix I, we
show that as the number of epochs increases, for the same set
of users, SEEMless sees a large storage size blowup, versus
Parakeet, whose storage size remains constant.
B. End-to-end benchmarks
We evaluate the throughput and latency of our implementa-
tion of Parakeet through experiments on AWS. We particularly
aim to demonstrate the following claims:
(C1) Parakeet achieves enough throughput to operate at plan-
etary scale.
(C2) Parakeet achieves low latency even under high load, in
the WAN, and with large committee sizes.
(C3) Parakeet runs efficiently on cheap machines with low
specs (comparable to common HSMs).
(C4) Parakeet is robust when some parts of the system in-
evitably crash-fail. Note that evaluating BFT protocols in the
presence of Byzantine faults is still an open question [12].
We deploy a testbed on AWS, using t3.medium instances
across 5 different AWS regions: N. Virginia (us-east-1), N.
California (us-west-1), Sydney (ap-southeast-2), Stockholm
 30.0
Total User Data
Parakeet Storage (GB)
4 10 witnesses (batch: 2^10)
Merkle Tree Data Tree Metadata 25.0 20 witnesses (batch: 2^10)
20.0 50 witnesses (batch: 2^10)

Latency (s)
3
15.0
2
10.0
1 5.0
0 0.0
0 10 20 30 40 50 0 200 400 600 800
Number of keys (100K) Throughput (updates/s)

Fig. 5: Memory consumption of Parakeet’s VKD. Measurements at intervals Fig. 7: Throughput-latency performance of Parakeet. WAN measurements with
of 100k new users and up to 4.5M users. Total memory consumption is the 10, 20, 50 witnesses. No faulty witnesses, 1024 maximum batch size, and 64B
sum of memory required by the Merkle Patricia Trie data, some metadata and updates size.
the original database of usernames and public keys. 30.0
10 witnesses (batch: 2^5) 10 witnesses (batch: 2^10)
25.0 10 witnesses (batch: 2^7) 10 witnesses (batch: 2^15)
20.0

Latency (s)
15
Time (mins)

10
5 Total Time to Insert 100K Users
Database Read Time
0 Throughput (updates/s)
0 1 2 3
Number of keys (100K)
Fig. 6: Time to publish with insertion of a batch of 100k new users into
Parakeet’s VKD, with an existing VKD of sizes 0-500k. This graph also
includes the time for database reads and writes for each insertion.
(eu-north-1), and Tokyo (ap-northeast-1). Witnesses are dis-
tributed across those regions as equally as possible.
In the following sections, each measurement in the graphs
is the average of 3 independent runs, and the error bars
represent one standard deviation; errors bars are sometimes
too small to be visible on the graphs. Our baseline experiment
parameters are 10 honest witnesses, a batch size of 1024,
and an update size of 64B. We instantiate one benchmark
client (collocated on the same machine as the IdP) submitting
transactions at a fixed rate for a duration of 5 minutes. When
referring to latency, we mean the time elapsed from when the
client submits a request to when the IdP receives confirmation
that the request is successfully processed. We measure it by
tracking sample requests throughout the system.
Benchmark in the common case. Figure 7 illustrates the
latency and throughput of Parakeet for varying numbers of
witnesses. The maximum throughput we observe is around 800
updates/s while keeping the latency below 3.5 seconds. Based
on the system usages estimates for the large-scale end-to-end
encrypted messaging service WhatsApp (Section I), we would
arrive at the requirement to process around 120 updates/s.
Parakeet exceeds by over 6x the throughput required to operate
at this scale, and thus satisfies claims (C1) and (C3).
Figure 7 also illustrates that performance do not vary with
10, 20 or even 50 witnesses. This observation concurs with
Section VI-A showing that the bottleneck of Parakeet is the
IdP. Increasing the number of geo-distributed witnesses up to
50 doesn’t impact the end-to-end performance of the system;
Parakeet thus satisfies claim (C2). We however expect that
keeping increasing the number of witnesses will eventually
15.0
10.0
5.0
Database Write Time 0.0
0 200 400 600 800 1k
4 5
Fig. 8: Throughput-latency performance of Parakeet. WAN measurements with
10 witnesses. No faulty witnesses, various batch sizes, and 64B updates size.
make the network to become the system’s bottleneck.
Figure 8 illustrates the performance of Parakeet when vary-
ing the batch size form 25 to 215 . The maximum throughput
we observe for batches sizes of 25 and 27 is respectively 100
updates/s and 350 updates/s. This is much lower than the 800
updates/s that Parakeet can achieve when configured with a
batch size over 210 . Small batch sizes, however, allow Parakeet
to trade throughput for latency. Parakeet configured with a
batch size of 25 can process up to 100 updates/s in under
800ms, setting the batch size to 27 allows Parakeet to operate
at scale while robustly maintaining sub-second latency.
Benchmark under crash-faults. Figure 9 depicts the perfor-
mance of Parakeet when a committee of 10 witnesses suffers
1 to 3 (crash-)faults (the maximum that can be tolerated in this
setting). It shows that Parakeet’s performance is not affected
by (crash-)faults, thus satisfying claim (C4).
Contrarily to BFT consensus systems [28], Parakeet main-
tains a good level of throughput under crash-faults. The
underlying reason for steady performance under crash-faults
is that Parakeet doesn’t rely on a leader to drive the protocol.
This is in sharp contrast with related work (e.g. [16], [13],
[41]) that rely on an external blockchain for consistency.
VII. R ELATED W ORK
Key transparency. As discussed in Section I, this work
extends SEEMless [16] by instantiating a light-weight con-
sistency protocol to prevent server equivocation in a practical
setting, while also extending SEEMless to handle real-world
constraints on storage capacity, efficiency, and scalability to
billions of users. While Keybase ([23], [26]) was the first
deployment of an auditable public key directory (created as
a user-friendly alternative for PGP), CONIKS [34], was the

13
 30.0
10 witnesses (batch: 2^10)
25.0 10 witnesses (batch: 2^10) - 1 faulty
20.0 10 witnesses (batch: 2^10) - 3 faulty
Latency (s)
15.0
10.0
5.0
0.0
0 200 400 600
Throughput (updates/s)
Fig. 9: Comparative throughput-latency under crash-faults of Parakeet. WAN
measurements with 10 witnesses. Zero, one, and three crash-faults, 1024
maximum batch size, and 64B updates size.
first academic work that formalized the notion of a service
that maintains and periodically commits to a public key
directory. SEEMless itself can be seen as an extension to
CONIKS. CONIKS essentially relies on a synchronous gossip
protocol among users in order to detect server equivocation.
Unfortunately, this assumption is both hard to scale efficiently
for millions of users and easily breakable over the internet.
Since then, multiple works have proposed different ways
of publishing directory commitments and serving audit proofs
to clients. EthIKS [13] and Catena [41] demonstrate how to
leverage a public blockchain (Ethereum and Bitcoin, resp.) as
a ledger to provide non-equivocation guarantees and support
auditability for the commitment to the CONIKS directory,
while minimizing bandwidth overhead for its clients. In this
paper we show that the strong assumption of using consensus
is unnecessary and instead propose a lightweight consistency
protocol. Mog [33] takes a different approach by proposing a
gossip protocol and a verifiable registry that allows individual
clients to perform their own auditing. The gossip protocol still
requires synchrony, however, it relies on the assumption of
sleepy committees to solve the consensus problem. In theory,
this would enable scalability but could hinder liveness for long
periods when there are not enough available witnesses or when
the network is unstable. In this work, instead, we have shown
that consensus is unnecessary for guaranteeing a consistent
view of the tree to the clients which enables us to provide
consistent views without relying on a good network. Finally,
KTACA [45] relies on clients to (1) gossip through out-of-
band channels to share consistent commitments to a directory,
(2) run any global client audits. Our work could be extended
to using sleepy committees or gossip, however we opted to
use highly available witnesses that should be deployed by
professional services (e.g., professional blockchain validators)
and will provide timely security to the users. KTACA addi-
tionally combines the gossip approach with anonymous key
history checks and lookups to prevent an adversarial server
from causing targetted forked views of its directory. Allowing
anonymous lookups, however, goes counter to our privacy
requirement, that only authenticated and permitted users be
permitted to query.
Several recent works on key transparency have focused on
improving auditor efficiency. Merkle2 [25] proposes a solution
which reduces the amount of work required for an auditor
to verify a series of key updates from linear to logarithmic,
assuming that key updates can be signed by clients through the
use of “signature chains”. However, it is unclear what integrity
protection the system will provide if the signature keys of the
clients are lost. Assuming that the clients can maintain long
term cryptographic secret keys is unrealistic, especially in the
setting of key transparency, where the focus is on building
800 a PKI for clients who cannot remember cryptographic key
material. AAD [40], Aardvark [29], Tomescu et. al. [42], Tyagi
et. al. [43], and Verdict [44] have proposed using accumu-
lators (bilinear and RSA) and SNARKs as commitments in
order to make auditor verification more efficient. However,
the computational overhead incurred from relying on the
algebraic assumptions themselves can outweigh the asymptotic
improvements over the number of key updates per epoch.
Atomic transactions. Atomic transactions [27] allow all-or-
none type of execution for a set of operations. In large systems,
they are often a necessity since the underlying database can
end up in an inconsistent state if operations are not sequen-
tially executed (e.g., withdrawing money from account A and
depositing it to account B). To this end, several solutions have
been proposed in the literature—[37], [39], [20] to name a few.
Although they are a strong primitive for building concurrent
applications, transactions come with their cost; locks might
leave the systems in a dead-locked state whereas failure in a
single operation can cancel a transaction and might require
re-execution of the whole set; or alternatively they might not
be supported cross-shard [19].
In VKD, we side-step such issues by (1) executing a publish
operation by a single writer and (2) preserving the previous
value of a node. (1) is needed to ensure that concurrent publish
operations not overwrite nodes’ updated states and (2) allows
us to allow concurrent reads (e.g., lookup proof generation)
and writes (i.e., publish operation). In result of these two
properties, we only require that the update order is preserved
only between the node updates and the latest epoch, i.e., we
allow the nodes to be updated in any order.
The downside of this approach is that the storage cost
is effectively doubled. Yet, we believe this is an acceptable
trade-off due to drastic storage reduction compared to existing
key transparency solutions such as SEEMless [16] and the
flexibility to use any storage as the underlying key directory.
VIII. C ONCLUSION
While much recent effort has focused on various aspects
of key transparency, large-scale applications on the order of
billions of users have not previously been considered. We
expose the gaps in purely academic scale implementations and
bridge these gaps is our design of Parakeet, a key transparency
system with large-scale deployment in mind. Our production-
grade implementation of Parakeet shows the feasibility of our
approach, which we further demonstrate through experiments.
ACKNOWLEDGMENTS
This work is supported by the Novi team at Meta. Harjasleen
Malvai was funded in part by IC3 industry partners and NSF
14
grant 1943499.
R EFERENCES
[1] “How whatsapp enables multi-device capability,” https://engineering.fb.
com/2021/07/14/security/whatsapp-multi-device/, [Online; accessed 5-
July-2022].
[2] “Most popular global mobile messenger apps as of January 2022,
based on number of monthly active users,” https://www.statista.
com/statistics/258749/most-popular-global-mobile-messenger-apps/,
[Online; accessed 5-July-2022].
[3] “Whatsapp revenue and usage statistics (2022),” https:
//www.businessofapps.com/data/whatsapp-statistics/, [Online; accessed
5-July-2022].
[4] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:
32016R0679&from=EN#d1e2606-1-1, 2015.
[5] https://github.com/facebook/akd, 2022.
[6] https://github.com/Microsoft/oZKS, 2022.
[7] https://github.com/tokio-rs/tokio, 2022.
[8] https://github.com/dalek-cryptography/ed25519-dalek, 2022.
[9] https://rocksdb.org/, 2022.
[10] https://github.com/asonnino/key-transparency/tree/main/scripts, 2022.
[11] S. Bano, A. Sonnino, M. Al-Bassam, S. Azouvi, P. McCorry, S. Meik-
lejohn, and G. Danezis, “Sok: Consensus in the age of blockchains,”
in Proceedings of the 1st ACM Conference on Advances in Financial
Technologies, 2019, pp. 183–198.
[12] S. Bano, A. Sonnino, A. Chursin, D. Perelman, Z. Li, A. Ching, and
D. Malkhi, “Twins: Bft systems made robust,” in 25th International Con-
ference on Principles of Distributed Systems (OPODIS 2021). Schloss
Dagstuhl-Leibniz-Zentrum für Informatik, 2022.
[13] J. Bonneau, “Ethiks: Using ethereum to audit a coniks key transparency
log,” in International Conference on Financial Cryptography and Data
Security. Springer, 2016, pp. 95–105.
[14] C. Cachin, R. Guerraoui, and L. Rodrigues, Introduction to reliable and
secure distributed programming. Springer Science & Business Media,
2011.
[15] D. Catalano, D. Fiore, and M. Messina, “Zero-knowledge sets with
short proofs,” in Annual International Conference on the Theory and
Applications of Cryptographic Techniques. Springer, 2008, pp. 433–
450.
[16] M. Chase, A. Deshpande, E. Ghosh, and H. Malvai, “Seemless: Secure
end-to-end encrypted messaging with less trust,” in Proceedings of
the 2019 ACM SIGSAC conference on computer and communications
security, 2019, pp. 1639–1656.
[17] M. Chase, A. Healy, A. Lysyanskaya, T. Malkin, and L. Reyzin,
“Mercurial commitments with applications to zero-knowledge sets,” in
Annual International Conference on the Theory and Applications of
Cryptographic Techniques. Springer, 2005, pp. 422–439.
[18] B. Chen, Y. Dodis, E. Ghosh, E. Goldin, B. Kesavan, A. Marcedone, and
M. E. Mou, “Rotatable zero knowledge sets: Post compromise secure
auditable dictionaries with application to key transparency,” Cryptology
ePrint Archive, Paper 2022/1264, 2022, https://eprint.iacr.org/2022/1264.
[Online]. Available: https://eprint.iacr.org/2022/1264
[19] A. Cheng, X. Shi, L. Pan, A. Simpson, N. Wheaton, S. Lawande,
N. Bronson, P. Bailis, N. Crooks, and I. Stoica, “Ramp-tao: layering
atomic transactions on facebook’s online tao data store,” Proceedings of
the VLDB Endowment, vol. 14, no. 12, pp. 3014–3027, 2021.
[20] J. C. Corbett, J. Dean, M. Epstein, A. Fikes, C. Frost, J. J. Furman,
S. Ghemawat, A. Gubarev, C. Heiser, P. Hochschild et al., “Spanner:
Google’s globally distributed database,” ACM Transactions on Computer
Systems (TOCS), vol. 31, no. 3, pp. 1–22, 2013.
[21] C. Dwork, N. Lynch, and L. Stockmeyer, “Consensus in the presence
of partial synchrony,” Journal of the ACM (JACM), vol. 35, no. 2, pp.
288–323, 1988.
[22] M. J. Fischer, N. A. Lynch, and M. S. Paterson, “Impossibility of
distributed consensus with one faulty process,” Journal of the ACM
(JACM), vol. 32, no. 2, pp. 374–382, 1985.
[23] N. Group, https://keybase.io/docs-assets/blog/NCC Group Keybase
KB2018 Public Report 2019-02-27 v1.3.pdf, 2019.
[24] E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, “Eclipse
attacks on bitcoin’s peer-to-peer network,” in USENIX 2015,
J. Jung and T. Holz, Eds. USENIX Association, 2015,
pp. 129–144. [Online]. Available: https://www.usenix.org/conference/
usenixsecurity15/technical-sessions/presentation/heilman
15
[25] Y. Hu, K. Hooshmand, H. Kalidhindi, S. J. Yang, and R. A. Popa,
“Merkle2 : A low-latency transparency log system,” in 2021 IEEE
Symposium on Security and Privacy (SP). IEEE, 2021, pp. 285–303.
[26] Keybase, https://keybase.io/ /api/1.0/merkle/root.json?seqno=1, 2014.
[27] B. W. Lampson, “Atomic transactions,” in Distributed
Systems—Architecture and Implementation. Springer, 1981, pp.
246–265.
[28] H. Lee, J. Seibert, E. Hoque, C. Killian, and C. Nita-Rotaru, “Turret:
A platform for automated attack finding in unmodified distributed
system implementations,” in 2014 IEEE 34th International Conference
on Distributed Computing Systems. IEEE, 2014, pp. 660–669.
[29] D. Leung, Y. Gilad, S. Gorbunov, L. Reyzin, and N. Zeldovich,
“Aardvark: A concurrent authenticated dictionary with short proofs,”
Cryptology ePrint Archive, Report 2020/975, 2020, https://eprint.iacr.
org/2020/975.
[30] D. Malkhi and M. Reiter, “Byzantine quorum systems,” Distributed
computing, vol. 11, no. 4, pp. 203–213, 1998.
[31] M. Marlinspike, “Advanced cryptographic ratcheting,” https://signal.org/
blog/advanced-ratcheting/, 2013.
[32] ——, “Whatsapp’s signal protocol integration is now complete,” https:
//signal.org/blog/whatsapp-complete/, 2016.
[33] S. Meiklejohn, P. Kalinnikov, C. S. Lin, M. Hutchinson, G. Belvin,
M. Raykova, and A. Cutter, “Think global, act local: Gossip and client
audits in verifiable data structures,” arXiv preprint arXiv:2011.04551,
2020.
[34] M. S. Melara, A. Blankstein, J. Bonneau, E. W. Felten, and M. J.
Freedman, “CONIKS: Bringing key transparency to end users,” in 24th
USENIX Security Symposium (USENIX Security 15), 2015, pp. 383–398.
[35] S. Micali, M. Rabin, and J. Kilian, “Zero-knowledge sets,” in 44th
Annual IEEE Symposium on Foundations of Computer Science, 2003.
Proceedings. IEEE, 2003, pp. 80–91.
[36] K. Nikitin, E. Kokoris-Kogias, P. Jovanovic, N. Gailly, L. Gasser,
I. Khoffi, J. Cappos, and B. Ford, “{CHAINIAC}: Proactive software-
update transparency via collectively signed skipchains and verified
builds,” in 26th {USENIX} Security Symposium ({USENIX} Security
17), 2017, pp. 1271–1287.
[37] D. Peng and F. Dabek, “Large-scale incremental processing using
distributed transactions and notifications,” in 9th USENIX Symposium
on Operating Systems Design and Implementation (OSDI 10), 2010.
[38] K. Pothong, L. Pschetz, R. Catlow, and S. Meiklejohn, “Problematising
transparency through LARP and deliberation,” in DIS ’21: Designing
Interactive Systems Conference 2021, Virtual Event, USA, 28 June, July
2, 2021, W. Ju, L. Oehlberg, S. Follmer, S. E. Fox, and S. Kuznetsov,
Eds. ACM, 2021, pp. 1682–1694.
[39] Y. Sovran, R. Power, M. K. Aguilera, and J. Li, “Transactional storage
for geo-replicated systems,” in Proceedings of the Twenty-Third ACM
Symposium on Operating Systems Principles, 2011, pp. 385–400.
[40] A. Tomescu, V. Bhupatiraju, D. Papadopoulos, C. Papamanthou,
N. Triandopoulos, and S. Devadas, “Transparency logs via append-only
authenticated dictionaries,” in Proceedings of the 2019 ACM SIGSAC
Conference on Computer and Communications Security, 2019, pp.
1299–1316.
[41] A. Tomescu and S. Devadas, “Catena: Efficient non-equivocation via
bitcoin,” in 2017 IEEE Symposium on Security and Privacy (SP). IEEE,
2017, pp. 393–409.
[42] A. Tomescu, Y. Xia, and Z. Newman, “Authenticated dictionaries with
cross-incremental proof (dis)aggregation,” Cryptology ePrint Archive,
Report 2020/1239, 2020, https://eprint.iacr.org/2020/1239.
[43] N. Tyagi, B. Fisch, J. Bonneau, and S. Tessaro, “Client-auditable
verifiable registries,” Cryptology ePrint Archive, 2021.
[44] I. Tzialla, A. Kothapalli, B. Parno, and S. Setty, “Transparency
dictionaries with succinct proofs of correct operation,” IACR Cryptol.
ePrint Arch., p. 1263, 2021. [Online]. Available: https://eprint.iacr.org/
2021/1263
[45] T. K. Yadav, D. Gosain, A. Herzberg, D. Zappala, and K. Seamons,
“Automatic detection of fake key attacks in secure messaging,” in
Proceedings of the 2022 ACM SIGSAC Conference on Computer and
Communications Security, 2022, pp. 3019–3032.
 A PPENDIX
A. VKD with Compaction Glossary
In order to discuss details about our approach to the
compaction of server-side storage, we will need some notation.
We gather notation for our construction here:
• T OMBSTONE : A special string to replace the value of an
oZKS entry which is valid to delete.
• TombstoneEpochs: The set of epochs when tombstone
marking is permitted. No insertions should be allowed in
this epoch, only tombstoning.
• CompactionEpochs or DeletionEpochs: The set of epochs
when entries with value T OMBSTONE are permitted to be
deleted from the oZKS.
• StaleParam: A system parameter for calculating the upper
bound for the epochs in which a node must have been
inserted in order to be valid for tombstoning.
• DeletionParam: A system parameter defining the number
of epochs between a tombstone epoch and the subsequent
compaction epoch. Assuming
CompactionEpochs and TombstoneEpochs are sorted in in-
creasing order, CompactionEpochs = {ti + DeletionParam
| ti is the ith element of TombstoneEpochs}i .
Also note that we use the terms identity provider and server
interchangeably.
B. Formal Definitions
Definition 1. Given a datastore, DS, i.e. a set of tuples (labeli ,
vali ), DS.Labels, denotes the set {label | ∃(label, ·) ∈ DS}.
Definition 2. An ordered append-only zero-knowledge set
(with compaction) (oZKS) is a data-structure with a set of
public parameters p, where p includes a set TombstoneEpochs
of epochs, and parameters StaleParam, DeletionParam. An
oZKS supports the following algorithms (oZKS.CommitDS,
oZKS.QueryMem, oZKS.QueryNonMem, oZKS.VerifyMem,
oZKS.VerifyNonMem, oZKS.InsertionToDS,
oZKS.VerifyInsertions, oZKS.TombstoneElts,
oZKS.VerifyTombstone, oZKS.DeleteElts, oZKS.VerifyDel)
described below:
• (com, stcom , DS1 ) ← oZKS.CommitDS(1λ , DS): This algo-
rithm takes in a datastore DS consisting of label-value pairs
(labeli , vali ) with unique keys, and a security parameter λ
and outputs: stcom , an internal state; com, a commitment to
DS; DS1 = {(labeli , vali , 1) | (labeli , vali ) ∈ DS}, here 1 is
the oZKS epoch, at which each tuple from DS was inserted
and aux is any extra information needed for for this tuple.
• (com0 , stcom0 , DSt+1 , πS , t + 1)
oZKS.InsertionToDS(stcom , DSt , S, t): This algorithm
takes in the current datastore DSt , the internal server
state stcom , the current server epoch t and a set S
of label-value pairs {(labeli , vali )} for an update,
such that (labeli , ·, ·) ∈ / DSi . The algorithm computes
S 0 = {(label, val, t + 1) | (label, val) ∈ S}. It returns
DSt+1 = DSt ∪ S 0 , com0 , the commitment to DSt+1 ,
stcom0 the updated internal state of the server and a
proof πS that com0 is a commitment to DSt+1 such that
DSt ⊆ DSt+1 and each entry of DSt+1 \ DSt = {(label,
val, t + 1) for some label and val}.
• 0/1 ← oZKS.VerifyInsertions(com, com0 , πS , t): Verifies
the proof πS that com, com0 commit to some datastores
DS, DS0 respectively, such that DS ⊆ DS0 and that DS0 \
DS = {(label, val, t) for some label, val}.
• (π, val, t)/⊥ ← oZKS.QueryMem(st, DS, label): This al-
gorithm takes a datastore DS and a corresponding inter-
nal state st, and a label label. If there exists an entry
(label, val, t) ∈ DS, then the algorithm returns (π, val, t)
where t is the oZKS epoch when the tuple with the label
label was inserted. If (label, ·, ·) ∈ / DS, return ⊥.
• 0/1 ← oZKS.VerifyMem(com, label, val, t, π): This algo-
rithm takes in a triple label, val, t, the membership proof
π for (label, val, t) with respect to com. It outputs 1 if the
proof verifies and 0 otherwise.
• π/⊥ ← oZKS.QueryNonMem(st, DS, label): This algo-
rithm takes a datastore DS and a corresponding internal
state st, and a label label. It returns π, a proof of non-
membership of label in DS.
• 0/1 ← oZKS.VerifyNonMem(com, label, π): This algo-
rithm takes in a label, com and a non-membership proof
π. It outputs 1 if the proof verifies and 0, if not.
• (com0 , stcom0 , DSt+1 , πS , t + 1) ←
oZKS.TombstoneElts(stcom , DSt , S, t, tstale ): This
algorithm should only be called if t ∈ TombstoneEpochs
and tstale = t − StaleParam. It algorithm takes in the
current datastore DSt , the internal server state stcom , the
current server epoch t, a stale epoch parameter tstale and a
set S of triples {(labeli , vali , ti )} for an update, such that
(labeli , vali , ti ) ∈ DSt . The algorithm checks that for each
(labeli , vali , tj ) ∈ S, tj ≤ tstale . It initializes DSt+1 = DSt
and for each (labeli , vali , tj ) ∈ S, it replaces the entry
(labeli , vali , tj ) of DSt+1 with (labeli , T OMBSTONE , tj ).
It returns this updated DSt+1 , com0 , the commitment to
DSt+1 , stcom0 the updated internal state of the server and
a proof πS that com0 is a commitment to the data store
DSt+1 such that (1) if (labeli , T OMBSTONE , tj ) ∈ DSt+1 ,
then (labelj , valj , tj ) ∈ DSt , for some valj , with
tj ≤ tstale ; (2) if (labelk , valk , tk ) ∈ DSt with
tk > tstale , then (labelk , valk , tk ) ∈ DSt+1 and, (3)
DSt+1 .Labels = DSt .Labels.
• 0/1 ← oZKS.VerifyTombstone(com, com0 , πS , t, tstale ):
Verifies the proof πS that com, com0 commit to some
datastores DS, DS0 respectively, such that DS0 .Labels =
DS.Labels, and that for any label ∈ DS0 .Labels such
← that (label, val, tj ) ∈ DS and (label, val0 , tj ) ∈ DS0 , with
val 6= val0 , then tj ≤ tstale . If all these checks pass, and com
is the commitment to the epoch t and tstale = t−StaleParam,
then this algorithm outputs 1, otherwise it outputs 0.
• (com0 , stcom0 , DSt+1 , πS , t + 1) ← oZKS.DeleteElts(stcom ,
DSt , t): This algorithm is only run if t − DeletionParam ∈
TombstoneElts. If so, takes in the current datas-
tore DSt , the internal server state stcom , the cur-
rent server epoch t and computes the set S =
16
 {(label, ·, ·)|(label, T OMBSTONE , ·) ∈ DSt }. It returns
DSt+1 = DSt \ S 0 , com0 , the commitment to DSt+1 ,
stcom0 the updated internal state of the server and a Pr[(label, {ti , comi , ΠUpd
i , auxi }n−1
i=1 , comn , tstale ,
proof πS that com0 is a commitment to DSt+1 such that ΠVer Ver λ
1 , (val1 , Epoch1 ), Π2 , (val2 , Epoch2 )) ← A(1 , p) :
DSt+1 ⊆ DSt and each entry of DSt \ DSt+1 = {(label,
T OMBSTONE , ·)|label ∈ DSt .Labels}. {oZKS.VerifyUpd(comi , comi+1 , ΠUpd i , ti + 1, auxi )}n−1
i=1
^
{ti+1 = ti + 1}n−1i=1
^
∀i ∈ [1, n], ti ∈/ TombstoneEpochs
^
∀i ∈ [1, n], ti − DeletionParam ∈ / TombstoneEpochs
^
1 ≤ l ≤ k ≤ n)
• 0/1 ← oZKS.VerifyDel(com, com0 , πS , t): If ^
t − DeletionParam ∈
/ TombstoneElts, then this oZKS.VerifyMem(coml , label, val1 , Epoch1 , ΠVer 1 )
algorithm outputs 0. Otherwise, it verifies the proof ^
(
πS that com, com0 commit to some datastores
DS, DS0 respectively, such that DS0 ⊆ DS and that (
DS \ DS0 = {(label, T OMBSTONE , ·)|label ∈ DSt .Labels}. (([l, k] ∩ TombstoneEpochs = [l, k] ∩ DeletionEpochs = ∅)∧
((val1 , Epoch1 ) 6= (val2 , Epoch2 ) ∧ oZKS.VerifyMem(comk ,
label, val2 , Epoch2 , ΠVer
2 ))
_
(oZKS.VerifyNonMem(comk , label, ΠVer
2 ))

))
• 0/1 ← oZKS.VerifyUpd(t1 , tn , {comi , πSi , auxi }n−1
i=1 , comn , πS ):
_
(
First, this algorithm checks that tn − t1 is the number
of commitments it received. It denotes ti+1 = ti + 1, [l, k] ∩ TombstoneElts = {j} ∧ [l, k] ∩ DeleteElts = ∅∧
for i ∈ [1, n − 1]. Then it outputs 1, if all of tstale = tj − StaleParam∧
the following checks pass. For i ∈ [1, n − 1]: if
(((val1 , Epoch1 ) 6= (val2 , Epoch2 ) ∧ Epoch1 > tstale
ti ∈ TombstoneEpochs, it parses auxi = tstale and runs the
check oZKS.VerifyTombstone(comi , comi+1 , πSi , ti , tstale ). ∧oZKS.VerifyMem(comk , label, val2 , Epoch2 , ΠVer
2 ))
ti −
_
Else, it ignores auxi and if ((val1 , Epoch1 ) 6= (val2 , Epoch2 )
DeletionParam ∈ TombstoneEpochs, it runs
oZKS.VerifyDel(comi , comi+1 , πSi , ti ), else, it runs ∧oZKS.VerifyMem(comk , label, val2 , Epoch2 , ΠVer
2 )
the check oZKS.VerifyInsertions(comi , comi+1 , πSi , ti ). ∧Epoch1 ≤ tstale ∧ val2 6= T OMBSTONE )
_
(oZKS.VerifyNonMem(comk , label, ΠVer
2 ))

))
_
(
[l, k] ∩ DeleteElts = {j}
∧(oZKS.VerifyNonMem(comk , label, ΠVer
2 )
∧val1 6= T OMBSTONE )
))].

Definition of a VKD. [16] defined a VKD as a collection of

the following algorithms (included here for completeness):
Soundness for oZKS with Compaction.
• (Dirt , stt , ΠUpd )/⊥ ← VKD.Publish(Dirt−1 , stt−1 , St ):
This algorithm takes as input a directory Dirt−1 , an
internal server sstate stt−1 and a set of updates St
consisting of (label, val) pairs. It updates Dirt−1 and stt−1
to reflect the updates in St . If this update is successful, the
algorithm updates the commitment using the WitnessAPI
Definition 3. An oZKS with compaction, defined in sec- and returns the next state stt , the updated directory Dirt
tion III-C is said to be sound if, for any PPT adversary A, and a proof that this update was correct. Otherwise it
each of the following is less than or equal to negl(λ): outputs ⊥.

17
 • (π, val, α) ← VKD.Query(stt , Dirt , label): This algo-
rithm takes as input a server internal state stt , a directory
Dirt and a label label and if label is in Dirt , it returns
the value val, the version number α and the proof π that
the provided information is correct with respect to the
commitment for the epoch t.
• 0/1 ← VKD.VerifyQuery(t, label, val, π, α): This algo-
rithm takes as input an epoch t, a label label, a purported
version number (α) and value val, corresponding to label
and a proof π that val and α are correct. It retrieves the
commitment comt for the epoch t using the WitnessAPI
and verifies π with respect to this commitment. It returns
1 if the proof verifies and 0 in any other case.
• ((vali , ti )ni=1 , ΠVer ) ←
VKD.KeyHistory(stt , Dirt , t, label): This algorithm
takes as input the internal state (stt ) and directory (Dirt )
at epoch t and a label label. It outputs an ordered set
of tuples (vali , ti )ni=1 , where vali is the purported value
corresponding to thatcameintoef f ectatepochti . It also
returns the proof ΠVer to attest to these state changes for
the label label.
• 0/1 ← VKD.VerifyHistory(t, label, (vali , ti )ni=1 , ΠVer ):
This algorithm takes as input the ordered set of tuples
(vali , ti )ni=1 and proof ΠVer , retrieves the commitment for
the epoch t and the label label, and verifies ΠVer with
respect to the commitment.
• 0/1 ← VKD.VerifyUpd(t, com, com0 , ΠUpd ): This algo-
rithm verifies the output of a single publish operation
with respect to an initial and  final commitment.
tn−1
• 0/1 ← VKD.Audit(t1 , tn , ΠUpd t ): This algorithm
t=t1
takes as input a starting epoch t1 and an ending epoch tn ,
retrieves the required commitments to verify the proofs
ΠUpd
t attesting to the correct evolution of the server’s
state.
Definition of a VKD with compaction. Our modified primi-
tive, which we call a VKD with compaction, denoted as cVKD,
is defined below. Note the additional set of public parameters:
(TombstoneEpochs, CompactionEpochs, StaleParam). These
determine when tombstoning (ordered set TombstoneEpochs)
or compaction (ordered set CompactionEpochs) are permitted,
and how old a piece of data needs to be, in order to be eligible
for tombstoning (StaleParam).
A VKD with compaction (cVKD) is a VKD with
public parameters (TombstoneEpochs, CompactionEpochs,
StaleParam) and following additional algorithms:
Upd
• (comt , Dirt , stt , Π , t) ← cVKD.TombstoneElts(Dirt−1 ,
stt−1 , t−1, S, tstale ): This algorithm takes as input an epoch
t − 1, the server’s directory Dirt−1 at this epoch, its internal
state stt−1 , a set S of items it wants to tombstone and a
parameter tstale to determine the cutoff for tombstoning. It
updates the data in the state and directory by tombstoning
the appropriate elements of S and returns the updated
Dirt , stt and corresponding commitment comt .
Upd
• 0/1 ← cVKD.VerifyTombstone(comt , comt+1 , Π , tstale ):
This algorithm takes as input two commitments from
18
consecutive epochs and a parameter tstale which tells it
which values are old enough for tombstoning, and verifies
the proof ΠUpd of correct tombstoning.
• (comt+1 , Dirt+1 , stt+1 , ΠUpd , t + 1) ← cVKD.Compact(
Dirt , stt , t): This algorithm takes in a directory Dirt , an
internal state stt , the epoch t and outputs the updated
directory, state, commitment and epoch, with tombstoned
values deleted. It also includes a proof for this update.
• 0/1 ← cVKD.VerifyCompact(comt , comt+1 , ΠUpd ): This
algorithm takes as input a server’s commitment before and
after a compaction and checks the proof ΠUpd that the only
change made by the server was removing data associated
with tombstoned values.
The constraints on TombstoneEpochs, CompactionEpochs
and StaleParam for a cVKD are as follows:
• If ti and ti+1 are two epochs in the ordered set
TombstoneEpochs, then, there exists a deletion epoch tdel ∈
DeleteElts, between them. That is, ti < tdel < ti+1 .
• A piece of data can only be marked as tombstoned in
a particular epoch ti ∈ TombstoneEpochs if it was in-
serted prior to the last tombstone epoch ti−1 . That is,
StaleParam > min{|t − t0 | : t, t0 ∈ TombstoneEpochs}.
Since we have introduced two new kinds of updates to the
server, we modify the key history and audit algorithms for a
cVKD as follows:
• 0/1 ← cVKD.VerifyHistory(t, label, mint , maxt ,
(vali , ti )maxt
i=mint , Π Ver
): This algorithm takes as input
an epoch t, with respect to which history is being verified
and a label label whose values are being checked, mint ,
which represents a minimum version number which is not
deleted or tombstoned at epoch t and maxt , the maximum
version number for label. It also includes the values and
epochs at which each version in [mint , maxt ] was inserted.
It obtains the server commitment at epoch t and verifies
the proof ΠVer that all versions below mint were correctly
tombstoned or deleted and that that the history presented
for versions from mint onwards is correct.
tn −1
• 0/1 ← cVKD.Audit(t1 , tn , {ΠUpd t }t=t1 ): For each epoch
t ∈ [t1 , tn − 1], if t ∈ TombstoneEpochs, this algorithm
gets the corresponding commitments and proof, passes it
to cVKD.VerifyTombstone, if t ∈ CompactionEpochs,
it passes the corresponding commitments and proof to
cVKD.VerifyCompact, else, it passes the appropriate inputs
to cVKD.VerifyUpd.
Definition 4. A VKD with compaction is said to be sound if,
for any PPT adversary A,
Pr[(label, {t, {(valtk , Epochtk )}max Ver
k=mint , Πt }t∈{t1 ,...,tn } ,
t
{(comk , ΠUpd tcurrent ∗ λ
k )}k=t1 , t , j, (π, val, β)) ← A(1 ) :
∧{comk ← WitnessAPI.GetCom(k)}tk=t
current
1
tcurrent −1
∧VKD.Audit(t1 , tcurrent , {(ΠUpd
k )}k=t1 ) DS, another commitment com0 to an update to DS, the
∧∀t ∈ [t1 , ..., tn ], VKD.VerifyHistory(t, label,
{(valti , Epochti )}max Ver
i=mint , Πt )
t
∧∀t ∈ TombstoneEpochs, s.t.
[t, t + DeletionParam] ∩ [t1 , ..., tcurrent ] 6= ∅
=⇒ {t1 , ..., tn } ∩ [t, t + DeletionParam] 6= ∅
∧t1 ≤ t2 ≤ ... ≤ tn ≤ tcurrent
∧StaleParam >
0 0
min{|t − t | | t, t ∈ TombstoneEpochs}
∧(
0 0
(∃t, t ∈ {t1 , ..., tn }, γ, (valtγ , Epochtγ ) 6= (valtγ , Epochtγ ))
∗
(tj−1 ≤ t < tj
∧(Epochtαj ≤ t∗ < Epochα+1
j t
∨ α = maxtj )
∧valtαj 6= val ∧ t∗ < t0j
∧VKD.VerifyQuery(t∗ , label, val, π))
)] ≤ negl(λ).
C. Constructing an oZKS
1) Strong Accumulators
• (com1 , DS1 , st1 ) ← SA.CommitDS(1λ , DS): This algo-
rithm takes in a data store DS, a security parameter 1λ
and outputs a commitment com1 to DS, a copy DS1 of
the data store and st1 , the internal state corresponding to
DS1 and com1 .
• (v, π) ← SA.Query(DSt , stt , comt , l): This algorithm
takes in a data store DSt , the corresponding internal state
and commitment to it stt , comt , and a queried label l. If
there exists a pair (l, v) ∈ DSt , the algorithm outputs v
and the proof π that (l, v) ∈ DSt . Otherwise it returns
v = ⊥ and π is a non-membership proof for l in DSt .
• 0/1 ← SA.Verify(com, l, v, π): Given a commitment com
to a datastore, a label l and corresponding string v, if
v = ⊥, the algorithm parses π as a non-membership proof
for l, with respect to the commitment com, otherwise, it
parses it as a membership proof for (l, v). The algorithm
outputs 1 if π verifies and 0 otherwise.
• (comt+1 , DSt1 , stt+1 , ΠUpd ) ← oZKS.TombstoneElts(stcom , DSt , S, t, tstale ):
SA.UpdateDS(DSt , stt , S): This algorithm takes in
a datastore DSt , corresponding stt , comt , as well as a
set S of updates. It initializes DSt+1 = DSt . For all
(l, v) ∈ S, if (l, v 0 ) ∈ DSt , for some v 0 , it replaces
this string in DSt+1 with (l, v), else, it adds (l, v)
to DSt+1 . It computes the corresponding updated
internal state stt+1 and commitment comt+1 and returns
comt+1 , DSt+1 , stt+1 as well as a proof ΠUpd , that
comt+1 is indeed the commitment to an update to the
data store comt commited to, with update set S.
• 0/1 ← SA.VerifyUpd(com, com0 , S, ΠUpd ): This algo-
rithm takes as input a commitment com to a data store
set of updates S and the proof that com0 was indeed the
result of updating DS with S. It outpus 1 if ΠUpd verifies,
otherwise, it outputs 0.
• (comt+1 , DSt1 , stt+1 , ΠUpd ) ←
SA.DeleteElts(DSt , stt , S): This algorithm takes in
a datastore DSt , corresponding stt , comt , as well as a
set S of deletions. It initializes DSt+1 = DSt . For all
(l, v) ∈ S, if (l, v) ∈ DSt , for some v, it removes (l, v)
from DSt+1 . It computes the corresponding updated
internal state stt+1 and commitment comt+1 and returns
comt+1 , DSt+1 , stt+1 as well as a proof ΠUpd , that
0 comt+1 is indeed the commitment to an update to the
data store comt commited to, with deletion set S.
∨ • 0/1 ← SA.VerifyDel(com, com0 , S, ΠUpd ): This algo-
rithm takes as input a commitment com to a data store
DS, another commitment com0 to an update to DS, the
set of deletions S and the proof that com0 was indeed the
result of deleting the entries of S from DS. It outputs 1
if ΠUpd verifies, otherwise, it outputs 0.
2) oZKS from a (SA, sVRF, sCS) triple.
Our oZKS construction, first implemented by [6] is very
similar to the aZKS construction of [16], based on a strong
accumulator (SA), a simulatable commitment scheme (sCS)
and a strong VRF (sVRF).
The main distinction between the oZKS construction and the
aZKS construction of [16] becomes clear when we consider
a call of the form oZKS.UpdateDS(stcom , DSt , S, t). The al-
gorithm computing oZKS.UpdateDS computes S 0 = {(label,
val, t + 1) | (label, val) ∈ S}, then it computes S 00 = {(l, v) |
l = sVRF.Compute(SK, label), v = (sCS(val; r), t + 1), for
(label, val) ∈ S 0 }, DSt+1 = DSt ∪ S 0 , DSSA SA
t+1 = DSt ∪ S .
00
SA 00
Finally, it calls SA.UpdateDS(DSt , S ). [16]’s aZKS simply
omits including the epoch t + 1 in the value committed in the
SA.
The proof of correct update includes the newly inserted pairs
S 00 = {(l, v)} and the auditor of the update must additionally
parse each v to ensure that it contains the correct epoch (t+1).
The main novelty of our oZKS construction is in the
tombstone and deletion paradigm. The additional functions to
support compaction are as follows.
0
• (com , stcom0 , DSt+1 , πS , t + 1) ←
This
algorithm should only be called if t ∈ TombstoneEpochs
and tstale = t − StaleParam. It algorithm takes in the
current datastore DSt , the internal server state stcom ,
the current server epoch t, a stale epoch parameter
tstale and a set S of triples {(labeli , vali , ti )} for
an update, such that (labeli , vali , ti ) ∈ DSt . The
19
 algorithm checks that for each (labeli , vali , tj ) ∈ S,
tj ≤ tstale . Then, this algorithm computes S 0 =
{(sVRF(SK, labeli ), T OMBSTONE , tj )|(labeli , vali , tj ) ∈
S, r ←$ {0, 1}λ }. It calls SA.UpdateDS(DSSA
t , stt , S )
SA SA
to obtain DSt+1 , stt+1 , comt+1 , π. It instantiates
DSt+1 = DSt and for each (labeli , vali , tj ) ∈ S,
it replaces the entry (labeli , vali , tj ) of DSt+1 with
(labeli , T OMBSTONE , tj ). It returns this updated
DSt+1 , com0 , the commitment to DSt+1 , stcom0 the
updated internal state of the server and a proof πS
that com0 is a commitment to the data store DSt+1
such that (1) if (labeli , T OMBSTONE , tj ) ∈ DSt+1 ,
then (labelj , valj , tj ) ∈ DSt , for some valj , with
tj ≤ tstale ; (2) if (labelk , valk , tk ) ∈ DSt with
tk > tstale , then (labelk , valk , tk ) ∈ DSt+1 and, (3)
DSt+1 .Labels = DSt .Labels.
• 0/1 ← oZKS.VerifyTombstone(com, com0 , πS , t, tstale ):
This algorithm parses πS to get the set S of en-
tries {(labeli , T OMBSTONE , tj )} and a proof π of
strong accumulator update. It verifies the proof π that
com, com0 include committments comSA , com0SA , such
that SA.VerifyUpd(comSA , com0SA , S, π) outputs 1. It
also checks that com, com0 commit to datastores DS,
DS0 such that DS0 .Labels = DS.Labels, and that for any
label ∈ DS0 .Labels such that (label, val, tj ) ∈ DS and
(label, val0 , tj ) ∈ DS0 , with val 6= val0 , then tj ≤ tstale
and label ∈ S. If all these checks pass, and com is the
commitment to the epoch t and tstale = t − StaleParam,
then this algorithm outputs 1, otherwise it outputs 0.
• (com0 , stcom0 , DSt+1 , πS , t + 1)
oZKS.DeleteElts(stcom , DSt , t): This algorithm is
only run if t − DeletionParam ∈ TombstoneElts. If so, it
takes in the current datastore DSt , the internal server state
stcom , the current server epoch t and computes the set
S = {(sVRF(SK, label), ·, ·)|(label, T OMBSTONE , ·) ∈
DSt }. It returns DSt+1 = DSt \ S, it gets
com0 and stcom0 by computing the subroutine
SA.DeleteElts(DSSA SA
t , stt , S), correspondingly updates
its state to get DSt+1 , stcom0 the updated internal
state of the server and a proof πS that com0 is
a commitment to DSt+1 such that DSt+1 ⊆ DSt
and each entry of DSt \ DSt+1 = {(label,
T OMBSTONE , ·)|label ∈ DSt .Labels}.
• 0/1 ← oZKS.VerifyDel(com, com0 , πS , t): If t −
DeletionParam ∈ / TombstoneElts, then this algorithm
outputs 0. Otherwise, it verifies the proof πS that
com, com0 commit to some datastores DS, DS0 respec-
tively, such that DS0 ⊆ DS and that DS \ DS0 =
{(label, T OMBSTONE , ·)|label ∈ DSt .Labels} by veri-
fying SA.VerifyDel.
3) Efficiency improvements due to oZKS
The major advantage of constructing an oZKS and including
the epoch a leaf was inserted in the tree is that if audits are
honestly verified, a SA membership proof includes when the
leaf was inserted. This means that only the latest commitment
of the SA needs to be verified, even in the case of historical
queries about some label. This alleviates the need to store all
states of an evolving oZKS for the VKD construction, making
0
space complexity of the VKD’s state st linear in the number
of leaves, rather than in the number of epochs, unlike the
construction using the aZKS of [16]. Additionally, this means
that the RAM complexity of multiple, simultaneous history
queries can be amortized over the number of queries and the
number of proofs πij being proven over all the history queries.
D. Witness API
The witness API is a set of algorithms (GetCom, VerifyCert,
ProposeNewEp) and a variable Epoch, initialized to 0.
• (comt , certt )/⊥ ← WitnessAPI.GetCom(t): This algo-
rithm, callable by any party, takes as input an epoch t and
if it has a commitment for this epoch, it returns the epoch
comt and the corresponding certificate certt . Else, it returns
⊥.
• 0/1 ← WitnessAPI.VerifyCert(comt , certt , p): This algo-
rithm verifies the certificate certt to comt , with respect to
public parameters p.
• certt /⊥ ← WitnessAPI.ProposeNewEp(t, comt , π): This
algorithm, called by a server, takes as input a proposed
commitment comt , an epoch t, as well as a proof π. It
verifies π using the Audit algorithm of the VKD solu-
tion implemented by the server, and if this verifies, if
WitnessAPI.Epoch = t − 1, WitnessAPI this algorithm sets
Epoch = t and outputs certt . Else, it outputs ⊥ and leaves
Epoch = t − 1.
← Note that we assume an implicit setup (which includes deter-
mining the various cryptographic operations, the identity of
the IdP, etc. We also assume that the identity of the parties
jointly supplying the WitnessAPI is public and they each have
known public keys.
E. oZKS-based VKD Construction
Below, we discuss the details of each of the API calls of
our VKD construction, using an oZKS. We assume that the
server’s identity (public key) is public and signs its responses
to user/auditor queries, so they cannot be impersonated.
Upd
• (Dirt , stt , Π )/⊥ ← VKD.Publish(Dirt−1 , stt−1 , St ): The
server receives as input a set St containing (label, val)
pairs. The algorithm instantiates a set St0 = ∅. If label
does not exist in VKD, it sets α = 1, else, label must
have a version number α − 1. In either case, the algo-
rithm adds (label|α, val) to St0 . If α > 1, it also adds
(label|α − 1|0 stale0 , 0) to St0 . It retrieves (stoZKS t−1 , DSt−1 )
from stt−1 , and gets the output (comt , stoZKS t , DSt , π, t)
0
of oZKS.InsertionToDS(stoZKS t−1 , DS t−1 , St , t − 1), updates
oZKS Upd
stt−1 with stt , DSt to get stt , sets Πt ← π.
Dirt starts off as equal to Dirt−1 . For each label ∈
St , if α (set above) is 1, the algorithm initializes an
empty list Llabel , else, it retrieves (label, Llabel ); it appends
(α, val, t + 1) to the front of Llabel and includes this
updated (label, Llabel ) in Dirt . Then, the algorithm calls
WitnessAPI.ProposeNewEp(t, comt , ΠUpd ). If WitnessAPI.
20

ProposeNewEp outputs ⊥, the algorithm reverts all its
internal changes to stt−1 , Dirt−1 , and outputs ⊥. Finally,
the algorithm returns (Dirt , stt , ΠUpd ).
• (π, val, α) ← VKD.Query(stt , Dirt , label): If label ∈ / Dirt ,
this algorithm outputs ⊥. Else, it recovers α, the latest
version number for label, i.e. the first entry of Llabel . It
sets β = 2blog(α)c , and parses out (stoZKS t , DSt ) out of stt
it computes (1) (πmem , val, i) ← oZKS.QueryMem(stoZKS t ,
DSt , label|α), (2) πfresh ← oZKS.QueryNonMem(stoZKS t ,
DSt , label|α|0 stale0 ) and (3) (πhist , valhist , ihist ) ← oZKS.
QueryMem(stoZKS t , DSt , label|β). The algorithm sets π =
(πmem , πfresh , πhist , i, valhist , ihist , ) and returns (π, val, α).
• 0/1 ← VKD.VerifyQuery(t, label, val, π, α): The client
running this algorithm calls WitnessAPI.GetCom(t) to
obtain (comt , certt ). If WitnessAPI.VerifyCert(comt , certt ,
p) outputs 0, then this algorithm outputs 0. Else, it
parses π as (πmem , πfresh , πhist , i, valhist , ihist ), sets β =
2blog(α)c and returns 1 if all of the following re-
turn 1: (1) oZKS.VerifyMem(comt , label|α, val, i, πmem ), (2)
oZKS.VerifyNonMem(comt , label|α|0 stale0 , πfresh ) and (3)
oZKS.VerifyMem(comt , label|β, valhist , ihist , πhist ).
• ((vali )ni=1 , ΠVer ) ← VKD.KeyHistory(stt , Dirt , t, label): If
label is not in Dirt , then the algorithm returns ⊥. Else, it
computes stoZKS t , DSt from stt and retrieves (label, Llabel )
from Dirt . Let Llabel = {(i, vali , ti )}ni=1 . Then, for each
i = 2, ..., n, the algorithm computes
– (π1i , vali , ti ) ← oZKS.QueryMem(st, DS, label|i),
– (π2i , 0, ti ) ← oZKS.QueryMem(st, DS, label|i−1|0 stale0 ),
It also computes (π11 , val1 , t1 ) ← oZKS.QueryMem(st, DS,
label|1). With a = blog(n)c+1, b = blog(t)c, and α = 2a −
1, the algorithm computes π3j ← oZKS.QueryNonMem(st,
DS, label|j) for j = n + 1, ..., α. It also gets π4k ← oZKS.
QueryNonMem(st, DS, label|2k ) for k ∈ a, ..., b. Finally,
it sets ΠVer = ((π1i )ni=1 , (π2i )ni=2 , (π3j )α k b
j=n+1 , (π4 )k=a ) and
n Ver
outputs ((vali , ti )i=1 , Π ).
• 0/1 ← VKD.VerifyHistory(t, label, (vali , ti )ni=1 , ΠVer ):
This algorithm calls WitnessAPI.GetCom(t) to obtain
(comt , certt ). If WitnessAPI.VerifyCert(comt , certt , p) out-
puts 0, then this algorithm outputs 0. Else, this algorithm
parses ΠVer as ((π1i )ni=1 , (π2i )ni=2 , (π3j )α k b
j=n+1 , (π4 )k=a )
where a = blog(n)c + 1, b = blog(t)c and α = 2a − 1.
It outputs 1 if t1 < t2 < ... < tn , and all of the following
output 1:
– oZKS.VerifyMem(comt , label|i, vali , ti , π1i ) for i ∈ [1, n].
– oZKS.VerifyMem(comt , label|i − 1|0 stale0 , 0, ti , π2i ) for
i = [2, n].
– oZKS.VerifyNonMem(comt , label|j, π3j ) for j ∈ [n +
1, α].
– oZKS.VerifyNonMem(comt , label|2k , π4k ) for k ∈ [a, b].
tn−1
• 0/1 ← VKD.VerifyUpd(t1 , tn , (comt , ΠUpd t )t=t1 , comtn ):
This algorithm outputs 1 if
oZKS.VerifyInsertions(comti , comti +1 , πti , ti + 1) outputs
1 for each i ∈ [1, n − 1].
tn−1
• 0/1 ← VKD.Audit(t1 , tn , (ΠUpd t )t=t1 ): This algorithm
takes as input a starting time t1 and an end time tn .
21
tn −1
It checks that t1 < tn and that the tuple (ΠUpd t )t=t1 )
Upd
parses to exactly tn − t1 proofs Πt . If this check
fails, it outputs 0, and if it passes, the algorithm obtains
(comt , certt ) ← WitnessAPI.GetCom(t) for t ∈ [t1 , tn ].
It verifies WitnessAPI.VerifyCert(comt , certt , p), for t ∈
[t1 , tn ], and if it outputs 0, the algorithm outputs 0.
Else, the algorithm outputs 1 if VKD.VerifyUpd(ti , ti +
1, (comti , ΠUpd
ti ), comti +1 ) outputs 1 for each i ∈ [1, n − 1].
F. cVKD: VKD with Secure Compaction
1) Secure Compaction: Attempt 1
As a first attempt, let us extend the oZKS data structure
of [6] to support two additional algorithms:
• (com0 , stcom0 , DSt+1 , πS , t + 1) ← oZKS.DeleteElts1 (stcom ,
DSt , S, t, tstale ): This algorithm takes in the current datastore
DSt , the internal server state stcom , the current server epoch
t, a stale epoch parameter tstale and a set S of triples
{(labeli , vali , ti )} for an update, such that (labeli , vali , ti ) ∈
DSt . The algorithm checks that for each (·, ·, tj ) ∈ S, tj ≤
tstale . It returns DSt+1 = DSt \ S 0 , com0 , the commitment
to DSt+1 , stcom0 the updated internal state of the server and
a proof πS that com0 is a commitment to DSt+1 such that
DSt+1 ⊆ DSt and each entry of DSt \ DSt+1 = {(labelj ,
valj , tj ) for some tj ≤ t}.
• 0/1 ← oZKS.VerifyDel1 (com, com0 , πS , tstale ): Verifies the
proof πS that com, com0 commit to some datastores DS, DS0
respectively, such that DS0 ⊆ DS and that DS \ DS0 =
{(label, val, t) for some t ≤ tstale }.
Based on these two algorithms, we could construct com-
paction as follows:
• (Dirt , stt , ΠUpd )/⊥ ← VKD.Compact1 (Dirt−1 , stt−1 , t − 1,
tstale ): The algorithm initializes St = ∅. For (label, Llabel ) ∈
Dirt−1 , for (α, val, tα ) ∈ Llabel , if tα ≤ tstale , it adds
(label|α) to St . If α > 1, it also adds (label|α − 1|0 stale0 )
to St . Then, it obtains (comoZKS , stoZKS , DSoZKS , πSt , t) ←
t t t
oZKS.DeleteElts1 (stcom , DSt−1 , St , tstale ), updates the cor-
responding state stt = (DSoZKS , stoZKS ), deletes the
t t
corresponding (α, val, tα ) tuples from Llabel for each
label to get Dirt , comt = comoZKS . Then, it calls
t
WitnessAPI.ProposeNewEp(t, comt , ΠUpd ). If WitnessAPI.
ProposeNewEp outputs ⊥, the algorithm reverts all its
internal changes to stt−1 , Dirt−1 , and outputs ⊥. Otherwise
it returns (Dirt , stt , ΠUpd ).
The auditing algorithm VKD.VerifyCompact1 , which ver-
ifies the proof output by VKD.Compact1 would work in
the obvious way, calling oZKS.VerifyDel1 as a subroutine.
Correspondingly, VKD.Audit must be modified, so at epochs
which include deletions, it calls VKD.VerifyCompact1 , instead
of VKD.VerifyUpd.
This construction, however, creates a problem if a user is
not always online. Consider the following attack: suppose the
server is at epoch 1000, the label Alice is at version 10, with
value val10 . Also suppose that the entry val10 for Alice was
inserted in epoch 100. Now, if tstale = 101 the server could
compact the oZKS label Alice|10 and roll back her key to its
previous version.
2) Secure Compaction: Attempt 2
Recall that when a client performs a lookup for label
label, the IdP internally calls VKD.Query to obtain param-
eters including a value val, a version α and proofs π =
(πmem , πfresh , πhist ). Here πfresh is a non-membership proof for
the label label|α|0 stale0 in the underlying oZKS. If compaction
simply designed as VKD.Compact1 above, a malicious server
may only add label|α|0 stale0 label to St for some time-step
t and never the label|α label, which makes it possible for
a lookup proof to pass with a stale (or compromised key)
returned upon a lookup.
We attempt to mitigate this issue by introducing a special
public parameter DeletionEpochs, such that calls to oZKS
deletion will only verify if they are made at an epoch in the
set DeletionEpochs. We propose an updated deletion for the
oZKS.
0 t ∈ CompactionEpochs. If not, there is at least one epoch
• (com , stcom0 , DSt+1 , πS , t + 1) ← oZKS.DeleteElts2 (stcom ,
DSt , S, t, tstale ): This algorithm runs if and only if t ∈
DeletionEpochs. All other operations are the same as
oZKS.DeleteElts1 .
0 should be able to check their entire key-history when coming
• 0/1 ← oZKS.VerifyDel2 (com, com , πS , tstale , t): In addi-
tion to the checks in oZKS.VerifyDel1 , this algorithm also
ensures that the version number of DS is t and t ∈
DeletionEpochs.
Since deletions in the updated oZKS API are only pos-
sible at epochs in the set, DeletionEpochs, we can up-
date our VKD to include a corresponding public parameter
CompactionEpochs, and introduce the following assumption:
All users come online at deletion epochs to ensure their
stale keys are deleted appropriately.
As in the previous construction VKD.Compact2
and VKD.VerifyCompact2 call oZKS.DeleteElts and
oZKS.VerifyDel as subroutines. VKD.Compact2 only runs
at epochs in CompactionEpochs and VKD.VerifyCompact2
only verifies if the epoch presented is in CompactionEpochs.
Finally, we augment VKD.Audit as follows:
Upd tn −1
• VKD.Audit(t1 , tn , (Πt , auxt )t=t ): Now,
1 As stated before, even if compaction were supported with
t = t1 , ..., tn − 1, if t ∈ CompactionEpochs,
this algorithm parses aux = tstale and calls
VKD.VerifyCompact2 (comt , comt+1 , ΠUpd , tstale ). Else, it
calls VKD.VerifyUpd(t, t + 1, (comt , ΠUpd t ), comt+1 ). It
outputs 1, if all subroutines output 1, otherwise it outputs
0.
The algorithm VKD.KeyHistory gets modified to the fol-
lowing:
n Ver
• 0/1 ← VKD.VerifyHistory1 (t, label, (vali , ti )i=j , Π
This algorithm calls WitnessAPI.GetCom(t) to obtain
(comt , certt ). If WitnessAPI.VerifyCert(comt , certt , p)
outputs 0, then this algorithm outputs 0. The algorithm
parses ΠVer as (π deleted , π undeleted ).
It parses π deleted as ((π1i )ji=1 , (π2i )ji=2 ). Then, it verifies
– oZKS.VerifyNonMem(comt , label|i, π1i ) for 1 ≤ i < j.
– oZKS.VerifyNonMem(comt , label|i|stale, π2i ) for 1 ≤
i < j.
This algorithm parses π undeleted as
i n i n j α k b
((π1 )i=1j , (π2 )i=2 , (π3 )j=n+1 , (π4 )k=a ) where
a = blog(n)c + 1, b = blog(t)c and α = 2a − 1.
It outputs 1 if t1 < t2 < ... < tn , and all of the
following output 1:
– oZKS.VerifyMem(comt , label|i, vali , ti , π1i ) for i ∈
[j, n].
– oZKS.VerifyMem(comt , label|i−1|0 stale0 , 0, ti , π2i ) for
i = [j + 1, n].
– oZKS.VerifyNonMem(comt , label|j, π3j ) for j ∈ [n +
1, α].
– oZKS.VerifyNonMem(comt , label|2k , π4k ) for k ∈
[a, b].
While the above patch mitigates the previous attack of
arbitrary mutations, this patch would only work to satisfy
soundness if the user audits her own key history at every epoch
where the server could cheat by deleting her latest version,
rolling back to a previous one, then reinserting the correct
version. Recall that our original assumption was that a user
online at any epoch, after any amount of time offline.
Besides, even if each user came online at each epoch in
CompactionEpochs, the server losing part of its history in
compaction epochs means that if the server deletes a user’s
latest key (if it was old enough), the audit would pass and
the user would have no way to show that its latest key was
deleted.
In the following design, we (1) slacken the requirement for
when a user needs to come online to check that it’s key is
going to be correctly deleted, and (2) give the user a way to
contest the changes to its own existing keys.
3) Two-phase Compaction
In this section, we present our final construction, which we
call a two-phase compaction, which allows a VKD to support
the algorithm Compact, without additional privacy leakage.
for
fixed epochs which are demarcated for compaction, since after
compaction, there is no record of the changes made, unless a
user is online at the compaction epoch, she cannot ensure that
any oZKS entries associated with her label were not modified.
We weaken this requirement by allowing a grace period for a
user to check her key history, before a compaction, by marking
oZKS entries slated for deletion as tombstoned for a while,
before they are actually deleted.
): Now, we use the algorithms (oZKS.TombstoneElts,
oZKS.VerifyTombstone, oZKS.DeleteElts, oZKS.VerifyDel),
defined in section III-C to construct a VKD with compaction.
Recall that when a client performs a lookup for label
label, the IdP internally calls VKD.Query to obtain param-
eters including a value val, a version α and proofs π =
(πmem , πfresh , πhist ). Here πfresh is a non-membership proof for
22
the label label|α|0 stale0 in the underlying oZKS. If compaction
simply designed as VKD.Compact1 above, a malicious server
may only add label|α|0 stale0 label to St for some time-step
t and never the label|α label, which makes it possible for
a lookup proof to pass with a stale (or compromised key)
returned upon a lookup.
Finally, we can define compaction as follows:
Upd
• (comt , Dirt , stt , Π , t)
VKD.TombstoneElts(Dirt−1 , stt−1 , t − 1, tstale ):
As in VKD.Compact1 and VKD.Compact2 , the
algorithm initializes StoZKS = ∅, StAVD = ∅. For
(label, Llabel ) ∈ Dirt−1 , for (α, val, tα ) ∈ Llabel :
– If tα ≤ tstale , it adds (label|α) to St .
– If α > 1, it also adds (label|α − 1|0 stale0 ) to St .
Then, it obtains the required stoZKS t and DSt and calls
oZKS.TombstoneElts( stcom , DSt , St , tstale ). It updates the
corresponding state, deletes the corresponding (α, val, tα )
tuples from Llabel for each label. Then, the algorithm calls
WitnessAPI.ProposeNewEp(t, comt , ΠUpd ). If WitnessAPI.
ProposeNewEp outputs ⊥, the algorithm reverts all its
internal changes to stt−1 , Dirt−1 , and outputs ⊥. Finally,
this algorithm returns the updated commitments and proof
output by oZKS.TombstoneElts.
Upd
• 0/1 ← VKD.VerifyTombstone(comt , comt+1 , Π
This algorithm calls WitnessAPI.GetCom(t) to ob-
tain (comt , certt ) and WitnessAPI.GetCom(t + 1) to
get (comt+1 , certt+1 ). Finally, it parses ΠUpd to get
ΠUpd
oZKS . If either WitnessAPI.VerifyCert(comt , certt , p) or
WitnessAPI.VerifyCert(comt+1 , certt+1 , p) outputs 0, the
algorithm outputs 0. Otherwise, it returns the output of
oZKS.VerifyDel(comoZKS , com0oZKS , ΠUpd oZKS , tstale ).
Upd
• (comt+1 , Dirt+1 , stt+1 , Π , t+1) ← VKD.Compact(Dirt ,
stt , t, tstale ): This algorithm parses out DSoZKS t , stoZKS
t from
oZKS oZKS
stt and calls oZKS.DeleteElts(stt , DSt , t, tstale ), to
oZKS
obtain (comoZKS oZKS
t+1 , stt+1 , DSt+1 , πS , t+1), which it uses to
update comt , stt , Dirt to get comt+1 , stt+1 , Dirt+1 and sets
ΠUpd = πS and returns (comt+1 , Dirt+1 , stt+1 , ΠUpd , t+1).
Upd
• 0/1 ← VKD.VerifyCompact(comt , comt+1 , Π
oZKS
This algorithm simply parses out comt , comoZKS
t+1 from
comt , comt+1 , respectively, and outputs the output of
oZKS.VerifyDel(comoZKS t , comoZKS
t+1 , Π
Upd
, tstale ).
The VerifyHistory algorithm has the following extra checks:
n Ver
• 0/1 ← VKD.VerifyHistory(t, label, (vali , ti )i=α , Π
min
This algorithm is the same as VKD.VerifyHistory1 , except
it also ensures that if vali = T OMBSTONE , then both the
labels label|i and label|i|stale have the value T OMBSTONE .
It also ensures that if label|i does not correspond to the
value T OMBSTONE , then neither does label|i|stale. Finally,
it ensures that valn 6= T OMBSTONE , i.e. the most recent
value of this user is not tombstoned. If all checks pass, this
algorithm outputs 1, otherwise it outputs 0.
The updated algorithms mean that VKD.Audit is defined as
follows:
Upd tn −1
• VKD.Audit(t1 , tn , (Πt )t=t 1
): If for any of the
epochs, t ∈ [t1 , tn − 1], t is in TombstoneEpochs,
the auditor calls VKD.VerifyTombstone(comt , comt+1 ,
ΠUpd
t , t − StaleParam), else, if t − DeletionParam ∈
TombstoneEpochs, i.e. t ∈ CompactionEpochs,
call VKD.VerifyCompact(comt , comt+1 , ΠUpdt ,
t − DeletionParam − StaleParam). For all other
t ∈ [t1 , tn − 1], this algorithm calls VKD.VerifyUpd(t, t + 1,
(comt , ΠUpd
t ), comt+1 ). It outputs 1, if all subroutines
output 1, otherwise it outputs 0.
←
Soundness for VKD with Compaction.
Theorem 1. The construction for a VKD with compaction
in appendix F3 satisfies Definition 4.
Proof. First, note that for any epoch t, the value comt received
by all pairs of parties must be equal. If not, the adversary of the
WitnessAPI can use a VKD adversary to output inconsistent
values, breaking the security of the WitnessAPI.
Suppose for every t ∈ TombstoneElts such that [t, t +
DeletionParam] ∩ [t1 , tcurrent ] is non-empty, the user receives
a verifying key history proof at some epoch t0 ∈ [t, t +
DeletionParam]. Also, assume that the system parameter
StaleParam is large enough that no data relating to changes
in the label-value set of the VKD made between between two
consecutive tombstone epochs is tombstoned.
, tstale ): Now, if the user receives two
(t, {(valtk , Epochtk )}max , Π Ver
t ),
t
proofs k=mint
(u, {(valuk , Epochuk )}max u
, Π Ver
) in response to
k=minu u
VKD.KeyHistory, with t1 ≤ t < u ≤ tcurrent . For any
version number β ∈ [mint , maxt ] ∩ [minu , maxu ], we claim
that (valtβ , Epochtβ ) = (valuβ , Epochuβ ). Suppose not: to
generate such a pair of proofs, the adversary would have to
include membership proofs for diverging views of the same
label ‘label|β’ in the oZKS at times t and u. Recall that
we assume that if any deletion epochs occurred between t
and u, the user checked correct tombstoning of any deleted
values. This means that if the label label|β is included in
both proofs, the minimum version number minu ≤ β and the
value committed with the label label|β must have remained
, tstale ):
unchanged in the epochs between t and u. Thus, for valuβ and
valtβ to diverge, the adversary must have produced proofs of
diverging views in the oZKS.
Fact. For two history proofs from epochs t and
u, for any version β, included in both proofs,
): (valtβ , Epochtβ ) = (valuβ , Epochuβ ).
We have established that if a user is checking once be-
tween any pair of tombstone epochs in [t1 , tcurrent ], any two
VKD.KeyHistory proofs which pass must contain the same
(val, Epoch) for a given version number β.
Now, suppose a call to VKD.Query returns proof π,
which verifies at some epoch t∗ ∈ [t1 , tn ], with version
α and the associated value-epoch pair (val, Epoch). Also,
suppose that for some t ∈ [t1 , ..., tn ], the proof ΠVer t ,
with associated values (valk , Epochk )}maxt
k=mint passes, such
that t∗ ∈ [Epochβ , Epochβ+1 ] for some version number
β ∈ [mint , maxt ].
23
 We only consider the case where val 6= T OMBSTONE ,
since users should not accept T OMBSTONE as a value, in
response to VKD.Query.
At a high level, our soundness definition requires that with
high probability, val = valβ .
Case I t∗ , t ∈ [TombEpk , TombEpk+1 ), for some k. An
adversary could cause a disparity between val and valβ in one
of the following ways:
0
• α = β, val 6= val : In this case, the adversary must
produce a membership proof for label|α in the oZKS,
with values val, valβ which are unequal. Recall that
except for tombstone and deletion epochs, the oZKS must
remain append-only. Further, any oZKS values which
are deleted in a deletion epoch must be tombstoned. If
val 6= T OMBSTONE at the epoch T OMBSTONE k , this
breaks the security of the oZKS, since an oZKS adversary
can use this VKD adversary as a subroutine to produce
proofs for disparate values within epochs which are not
tombstone epochs.
• α < β: For VKD.VerifyHistory to output 1 with
Epochβ ≤ t∗ , for all α < β, it should either (1)
receive a non-membership proof of label|α in the oZKS
or (2) a membership proof of label|α|stale that should
have been added at epoch Epochα ≤ Epochβ. On
the other hand, for VKD.VerifyQuery to pass, it should
have verified a membership proof of label|α as well as
a non-membership proof of label|α|stale at epoch t∗ .
Hence, if a VKD.VerifyQuery returned 1, and either (1)
or (2) is true, the adversary violated the requirement
that the auditors ensure that the epoch when a node is
inserted is committed with its value in the oZKS and that
both membership and non-membership checks of non-
tombstoned values passed,
blog(β)c+1
• 2 > α > β: In order for ΠVer to verify with
the history at epoch t, with the version number β for
epochs [Epochβ , Epochβ+1 ), it needs to present one of
the following: (1) a proof of oZKS membership for the
label label|α with value (val, t∗ ), with t∗ > t, or, (2) a
non-membership proof in the oZKS of the label label|α at
the epoch t. If either of these oZKS proofs was generated,
in order for π to also verify, the adversary would have
to also generate either (1) both a membership and non-
membership proof for the same label, or (2) generate two
membership proofs mapping to distinct value-epoch pairs.
This would allow constructing an oZKS adversary.
bβc+1
• α ≥ 2 + 1: In this case, for the proof π to verify,
at epoch t∗ , the adversary must have generated a proof
of oZKS membership for the label label|2bαc mapping to
a tuple of the form (·, t00 ) such that t00 < t. As in the
previous case, the adversary must have also generated
either (1) a proof of oZKS membership for the label
label|2bαc but mapping to a tuple (·, t000 ) with t000 > t∗ , or
(b) an oZKS non-membership proof for the same label.
All of these violate oZKS soundness.
Case II t∗ ∈ [TombEpk , TombEpk+1 ), and t ∈
[TombEpk+1 , TombEpk+2 ), for some k. Again, we consider
24
the following cases:
• α = β, val 6= valβ : Recall that (valβ , Epochβ ) are
only included in the output of KeyHistory if valβ 6=
T OMBSTONE . Also recall that the oZKS auditors check
that any value which is not marked tombstoned is not
mutated. Hence, this reduces to the problem of the
adversary showing diverging views for the label label|α
in the oZKS – the probability of the adversary succeeding
is negligible due to the security of the oZKS.
• α < β: This reduces to two cases: (1) mint ≤ α <
β ≤ maxt and (2) α < mint . In case (1), if the proof
ΠVer verifies, we know that for i < j, Epochi < Epochj
and the label label|i|stale must include a proof of being
inserted at the epoch Epochi+1 . Hence, at epoch t∗ , the
adversary must have shown a non-membership proof for
label|α|stale as part of π, but a membership proof for
label|α|stale with epoch Epochα+1 ≤ t∗ ≤ Epochβ as
part of ΠVer . This violates the oZKS security. For case
(2), this means that α was never included with the proof
ΠVer and hence we do not need to consider it.
• β < α ≤ maxt : By the same argument as in the
previous case, for VerifyQuery to verify with version
number α at epoch t∗ , Epoch ≤ t∗ . However, for
VerifyHistory to pass, it must include a membership
proof of the label label|β|stale, inserted at an epoch
Epochβ < e ≤ Epoch ≤ t∗ . Thus the adversary either
included membership proofs for label|α with epochs
Epochα 6= Epoch in ΠVer , π, or got an Audit to pass
with the wrong epoch committed at a leaf.
blog βc+1
• maxt < α ≤ 2 − 1 or α ≥ 2blog βc+1 : The cases
are identical to the corresponding cases in Case I above.
Hence, with all but negligible probability, α = β and val =
val0 in both cases. Note that we require that for every pair of
tombstone epochs which intersect with the interval [t1 , tcurrent ],
we require some element of {t1 , ..., tn } to be in that interval.
We also showed that the values for the same version number
during two key history checks should match, hence covering
these two cases is exhaustive.
G. Summary of the aZKS Construction from [16]
Append-only Zero Knowledge Set (aZKS) was introduced
in [16] (Section 3). We summarize the construction below.
Part of the text is copied verbatim from [16].
aZKS is a primitive that lets a (malicious) prover commit
to an append-only dictionary of (label,value) pairs (where the
labels form a set) such that: 1) the commitment is succinct and
does not leak any information about the committed dictionary
2) the prover can prove statements about membership and non-
membership of (label,value) pairs with respect to the succinct
commitment 3) the prover can prove that for two dictionaries,
D1 , D2 , D1 ⊆ D2 with respect to their respective succinct
commitments and 4) the proofs are efficient and do not leak
any information about the rest of the committed dictionary.
aZKS has two security properties: Soundness and Zero-
Knowledge Privacy (with leakage). Soundness ensures that a
malicious prover 1) will not be able to produce two verifying
proofs for two different values for the same label with respect
to a commitment or 2) should not be able to modify an existing
label. Zero-Knowledge privacy property captures that the
query proofs and append-proofs leak no information beyond
the query answer (which is a value or ⊥ for membership
queries and a bit indicating validity of an an append operation)
and a well-defined leakage function.
H. Summary of SEEMless construction [16]
In this section, we summarize the construction from [16],
Section 4. Part of the text is copied verbatim from [16].
SEEMless assumes that server’s identity and public key is
known to each user and auditor and all the messages from
the server are signed under the server’s key, so that the server
cannot be impersonated.
SEEMless uses two aZKS: one “all” aZKS to store all
versions of all (label, val) pairs, and a second “old” aZKS
that stores all of the out of date label versions. SEEMless also
uses a hash chain. Hash Chain is a classical authentication data
structure that chains multiple data elements by successively
applying cryptographic hashes, e.g. a hash chain that hashes
elements a, b, c is H(c, H(b, H(a)).
• VKD.Publish(Dirt−1 , stt−1 , St ): At every epoch, the server
gets a set St of (label, value) pairs that have to be added
to the VKD. The server first checks if the label already
exists for some version α − 1, else sets α = 1. It adds a
new entry (label | α, val) to the “all” aZKS and also adds
(label | α − 1, null) to the “old” aZKS if α > 1. If the
new version α = 2i for some i, then the server adds a
marker entry (label | mark |i,“marker”) to the “all” aZKS.
The server computes commitments to both the aZKS, and
adds them to the hash chain to obtain a new head comt .
It also produces a proof ΠUpd consisting of the previous
and new pair of aZKS commitments comall,t−1 , comall,t
and comold,t−1 , comold,t and the corresponding aZKS update
proofs.
• VKD.Query(stt , Dirt , label): When a client Bob queries for
Alice’s label, he should get the val corresponding to the
latest version α for Alice’s label and a proof of correctness.
Bob gets three proofs in total: First is the membership
proof of (label | α, val) in the “all” aZKS. Second is
the membership proof of the most recent marker entry
(label |mark |a) for α ≥ 2a . And third is non membership
proof of label | α in the “old” aZKS. Proof 2 ensures that
Bob is not getting a value higher than Alice’s current version
and proof 3 ensures that Bob is not getting an old version
for Alice’s label.
• VKD.VerifyQuery(t, label, val, π, α): The client checks each
membership or non-membership proof, and the hash chain.
Also check that version α as part of proof is less than current
epoch t.
• VKD.KeyHistory(stt , Dirt , t, label): The server first
retrieves all the update epochs t1 , . . . , tα for
label versions 1, . . . , α from T , the corresponding
comall,t1 −1 , comall,t1 , . . . , comall,tα −1 , comall,tα
25
SEEMless
Unspecificed
Verifiable
Commitment
Random
Serving
Function
Commitment Mechanism
aZKS
Scheme
Fig. 10: Schematic of the building blocks for SEEMless.
and comold,t1 , . . . , comold,tα and the hashes
necessary to verify the hash chain:
H(comall,0 , comold,0 ), . . . , H(comall,t , comold,t ). For
versions i = 1 to n, the server retrieves the vali for ti and
version i of label from Dirti . Let 2a ≤ α < 2a+1 for some
a where α is the current version of the label. The server
generates the following proofs (together called as Π):
1) Correctness of comti and comti −1 : For each
i, output comti comti −1 . Also output the
values necessary to verify the hash chain:
H(comall,0 , comold,0 ), . . . , H(comall,t , comold,t ).
2) Correct version i is set at epoch ti : For each i:
Membership proof for (label| i) with value vali in the
“all” aZKS with respect to comti .
3) Server couldn’t have shown version i − 1 at or after
ti : For each i: Membership proof in “old” aZKS with
respect to comti for (label| i − 1).
4) Server couldn’t have shown version i before epoch
ti : For each i: Non membership proof for (label| i) in
“all” aZKS with respect to comti −1 .
5) Server can’t show any version from α + 1 to 2a+1 at
epoch t or any earlier epoch: Non membership proofs
in the “all” aZKS with respect to comt for (label| i +
1), (label| i + 2), . . . , (label| 2a+1 − 1).
6) Server can’t show any version higher than 2a+1 at
epoch t or any earlier epoch: Non membership proofs
in “all” aZKS with respect to comt for marker nodes
(label| mark| a + 1) up to (label| mark| log t).
• VKD.VerifyHistory(t, label, (vali , ti )ni=1 , ΠVer ): Verify each
of the above proofs.
 tn−1

• VKD.Audit(t1 , tn , ΠUpd
t ): Auditors will audit the
t=t1
commitments and proofs to make sure that no entries ever
get deleted in either aZKS. They do so by verifying the
update proofs ΠUpd output by the server. They also check
that at each epoch both aZKS commitments are added to
the hash chain. Note that, while the Audit interface gives
a monolithic audit algorithm, our audit is just checking the
updates between each adjacent pair of aZKS commitments,
so it can be performed by many auditors in parallel.
I. Storage
In the next two subsections we go over specific storage
requirements of SEEMless and our solution Parakeet, respec-
tively. We first provide high-level statistics about a world-
scale key transparency solution based on compressed Merkle
 Parakeet 21.36
Reliable

Storage (TB)
Verifiable Broadcast
Random & SEEMless Parakeet
Function Witness
Commitment Quorum
oZKS
Scheme 0.87
Fig. 11: Schematic of the building blocks for Parakeet. Note that the shaded 1 10 24 144
components are different from the corresponding components of SEEMless, Number of epochs per day
which are shaded in Figure 10.
Fig. 12: Comparison of storage costs of Parakeet and SEEMless in the first
year with varying number of epochs per day ranging from daily to every 10
minutes.
trees and use WhatsApp (the most popular E2EE messaging
app) discussed in section I, as an example. We assume that 110.9 SEEMless Parakeet
WhatsApp has about two billion existing keys (KI ), and
88.1

roughly ten million daily key updates (KD ). To simplify our
current calculations, we assume that after initially setting up
the key transparency solution, the server only receives requests
to update keys for existing users. Note that updates to keys for
existing users require more values to be inserted into the tree
(to mark old version numbers as stale), so our assumptions
are closer to a worst case scenario. This means that:
• The total number of keys added to the system in the first
year is KT = 2 × 109 + 365 × 107 = 5.65 billion keys.
• In both SEEMless [16] and Parakeet which are based on
a (compressed) Patricia Merkle Trie, the number of nodes
needed for key transparency is roughly NT = 2 × KI + 4 ×
KD = 18.6 billion by the following reasoning
– Adding a leaf node results in additional one node (i.e.,
two nodes in total) for the longest common prefix parent.
– When initially setting up, all keys are treated as a users
initial version and hence require only one leaf of the form
uname|1, for each user name.
– For all subsequent updates, two leaves must be added for
each key: one of the form uname|i + 1, to add the new
key and, the other of the form uname|i|stale, to mark the
old key as stale.
• Number of nodes initially is NI = 2 × KI = 4 billion.
• Number of nodes created daily is ND = 4 × KD = 40
million.
• Number of nodes that need to be updated for a new leaf node
is upper-bounded by the depth of the tree. The amortized
depth of any inserted node is log(n) where n is the number
of leaves in the tree before this insertion.
1) SEEMless Storage
SEEMless relies on saving the state of a node every time the
node is updated. This makes the storage cost highly dependent
on the number of epochs and the number of nodes in the tree.
Let us use the number of leaves in the tree initially as a
lower bound on how many node states need to be updated;
and we assume there is one epoch per-day. Total number of
nodes that SEEMless needs to store states for in this case is
NI nodes initially and ND ∗ log NI daily. In total 2 × 109 +
365 × 4 × 108 × log2 (4 × 109 ) is approximately 470 billion in
the first year.
Storage (TB)
65.5
43.2
21.4
3.4
1 2 3 4 5
Years
Fig. 13: Comparison of storage costs of Parakeet and SEEMless in the first
five years.
With 64-byte node states, for hash function output (32-byte)
along with other node info (32-byte) such as the parent and
children, the total storage requirement is around 27TBs.
2) Parakeet Storage
Parakeet’s main advantage is that only the latest state of a
node needs to be stored. Essentially the final cost depends on
the number of total nodes in the tree at the end of the year.
The total cost considering 64-byte node states – same as
SEEMless, NT ∗ 64B = 1.1TBs. Since to allow concurrent
proof generation and Parakeet stores a previous node state,
the final cost is 2.2TBs – an order of magnitude more efficient
than the previous best solution. Furthermore, our compaction
mechanism (See Section III) can further reduce the storage
requirements for Parakeet.
In comparison, the storage cost of actual keys and their
owners’ information (e.g., phone number) is around 360GB
(considering 64B record sizes). An efficient key transparency
solution with Parakeet is highly feasible.

26