Salt `StorageMap` keys

[PhilippGackstatter]

What should be done?

Useres can currently use StorageMaps in accounts to authenticate many key-value pairs in a single storage slot. The keys of the Smt underlying the StorageMap are taken directly from user input. This means users or an attacker could insert many key-value pairs that end up in the same subtree. However, a uniform distribution of keys across an Smt is important for storage optimizations, so it would be desirable for us to ensure keys are uniformly distributed and not entirely user-controlled.

How should it be done?

To that end, we can add a salt to the user keys, like the account ID. So in essence, the actual key in an Smt should be the hash of the tuple (KEY || [account_id_prefix, account_id_suffix, 0, 0]) or something similar.

When is this task done?

When user input can no longer affect the distribution of keys in a StorageMap.

Additional context

No response

[bobbinth]

One additional consideration: by looking at the salted keys it would not be possible to reconstruct the original key values. This may be fine in some cases, but may be problematic in others. For example, if we have some kind of a "storage explorer" which lets people visualize the contents of the storage, then such storage explorer would not be able to show the original keys and this may be confusing to users.

[PhilippGackstatter]

I wonder if a way to get both uniform distributions across storage as well as support explorers is by salting the keys just before insertion into storage. For example in the node we have this table:

CREATE TABLE account_storage_map_updates (
    account_id  BLOB NOT NULL,
    block_num   INTEGER NOT NULL,
    slot        INTEGER NOT NULL,
    key         BLOB    NOT NULL,
    value       BLOB    NOT NULL,

    PRIMARY KEY (account_id, block_num, slot, key),
    FOREIGN KEY (account_id, block_num) REFERENCES account_deltas (account_id, block_num)
) STRICT, WITHOUT ROWID;

(I don't think salting is really necessary here, since this reflects just an update of a map, but I'm taking this as an example to make a larger point.)

We could set key = hash(storage_map_key, account_id) and set value = (storage_map_key, storage_map_value).
When retrieving from the DB, we rebuild the original key-value pair from the value.

That way, what gets into the DB is salted and uniformly distributed but any layer above the DB works with the original keys, which should be fine. If we're concerned about in-memory uniformity, we can use a HashMap which applies its own hash function to each key, conceptually in the same way as the DB approach I described.

The downside is the extra work needed before and after every DB operation, but if we do salting in general, then we'll have to do that work somewhere. And this way, the salting is closer to where we actually need it, i.e. when storing maps on disk.

[bobbinth]

I think this makes sense, but one concrete question: how would we define the StorageMap struct now? I think the simplest approach could be:

pub struct StorageMap {
    map: Smt,
    salt: AccountId,
    entries: BTreeMap<RpoDigest, Word>, // key-value map using the original keys
}

But having entries there seems a bit "redundant" and also not sure if having the account ID be a part of it is a good idea (mostly because of extra serialization overhead).

[PhilippGackstatter]

how would we define the StorageMap struct now?

What I meant was that the struct would stay exactly the same, because at that level we wouldn't salt the keys. The keys would only be salted when inserted into the DB, and upon retrievel, the original key-value pairs are restored from the value, and so the original StorageMap can be reconstructed as well.
I imagine we always store a StorageMap next to the account ID it belongs to, so the salt can just be the account ID that is stored in the same table, without having to duplicate it.

[bobbinth]

What I meant was that the struct would stay exactly the same, because at that level we wouldn't salt the keys. The keys would only be salted when inserted into the DB, and upon retrievel, the original key-value pairs are restored from the value, and so the original StorageMap can be reconstructed as well.
I imagine we always store a StorageMap next to the account ID it belongs to, so the salt can just be the account ID that is stored in the same table, without having to duplicate it.

Ah, I see - but then the value needs to be 2 words, right? (vs. the single word that we currently assume for it). And this would affect the StorageMap.

[PhilippGackstatter]

The value in the DB is defined as value BLOB NOT NULL so whether we store just the original value of the storage map or the key and the value shouldn't matter that much. And if we look up a key in the DB we can also hash it, and then reconstruct the original key-value pair which then shouldn't affect the storage map, or am I missing something? I thought the main point was to make the key in the DB, which is a primary key, uniformly distributed which the hash achieves.

[bobbinth]

I think that maybe I didn't explain the intent of the original issue clearly: what we really care about is which SmtLeaf they key-value pairs end up in. It would be a bad outcome if keys 0 and 1 end up in the same leaf of the Smt because this would result in a multi-key leaf and these are expensive (this would happen because 0 and 1 share the same 64-bit prefix). So, before inserting a key-value pair into StorageMap we need to compute hash(0) and hash(1) and use these ask keys. This way hash(0) and hash(1), with very high probability, will end up in different leaves of Smt (we could also use salted hashes to make key distribution unique for each account).

Given the above, we need to modify the transaction kernel to first hash the user-provided key, and then to use this hashed key as the key with which to make the request to the SMT.

This works fine if we know user-provided keys (e.g., in the transaction kernel), but it won't work when we don't have these keys. So, somewhere we need to keep track of them, and most likely this somewhere needs to be the StorageMap struct. The reason for this is that when we serialize accounts, we also serialize storage maps. And if the user-specified keys are not serialized together with the account somehow, we won't be able to get them when we de-serialize the struct.

[PhilippGackstatter]

I see, thanks for explaining.

In that case, I agree we have to deal with it in StorageMap itself. If we do want to retain the original keys, there doesn't seem to be a way around duplicating them in the map.

I pretty much went with your approach, except I thought that hashing the keys should be good enough and that salting them is not necessary. Storage maps of different accounts do not affect each other's trees so if multiple storage maps have the same layout then having the same keys shouldn't be a problem for efficiency, afaict.

[Mirko-von-Leipzig]

I see, thanks for explaining.

In that case, I agree we have to deal with it in StorageMap itself. If we do want to retain the original keys, there doesn't seem to be a way around duplicating them in the map.

I pretty much went with your approach, except I thought that hashing the keys should be good enough and that salting them is not necessary. Storage maps of different accounts do not affect each other's trees so if multiple storage maps have the same layout then having the same keys shouldn't be a problem for efficiency, afaict.

I thought maybe the concern was that without salting you can still find a bad ordering/hash set. And salting restricts this "attack" to one per account/salt. But maybe I was reading too much into it.

[bobbinth]

I thought maybe the concern was that without salting you can still find a bad ordering/hash set. And salting restricts this "attack" to one per account/salt. But maybe I was reading too much into it.

Yes, definitely was thinking about this - but more out of abundance of caution then any real reason. One the one hand, I think it is good to use salting "just in case" - but also, if this complicates the code too much, maybe it is not worth it.

[PhilippGackstatter]

Good point, thanks!

I looked into it, but adding the AccountId to StorageMap results in a circular dependency during account creation. We have to instantiate AccountStorage to get its commitment which is used to grind an account ID. But if the account storage should contain a map with the ID as the salt, we can't initialize the map with the account ID yet. So we'd have to do awkward work arounds like making the salt an Option<AccountId> and inserting it after the account has been instantiated, or disallowing storage maps at account creation and requiring them to be inserted in a subsequent account update. Not sure this is worth it.

[Mirko-von-Leipzig]

Good point, thanks!

I looked into it, but adding the AccountId to StorageMap results in a circular dependency during account creation. We have to instantiate AccountStorage to get its commitment which is used to grind an account ID. But if the account storage should contain a map with the ID as the salt, we can't initialize the map with the account ID yet. So we'd have to do awkward work arounds like making the salt an Option<AccountId> and inserting it after the account has been instantiated, or disallowing storage maps at account creation and requiring them to be inserted in a subsequent account update. Not sure this is worth it.

Are there alternatives to account ID for the salt?

• block hash -- though this cannot be the latest hash and would instead be the reference block hash iiuc? So that this is doable locally.
• ... 🤷