Proving data belongs to a set

EP4754669A1Pending Publication Date: 2026-06-10NCHAIN LICENSING AG

Patent Information

Authority / Receiving Office
EP · EP
Patent Type
Applications
Current Assignee / Owner
NCHAIN LICENSING AG
Filing Date
2024-07-15
Publication Date
2026-06-10

Smart Images

  • Figure EP2024070049_06022025_PF_FP_ABST
    Figure EP2024070049_06022025_PF_FP_ABST
Patent Text Reader

Abstract

A computer-implemented of providing proof that a data item is included in a set of data items, wherein the method is performed by a proving party and comprises: for each data item, generating a respective first private key based on the respective data item; generating a public key; for one or more of the data items: generating a respective proof of inclusion based on the respective data item, and the second private key; and making the data item and / or a commitment thereof, the public key, and the respective proof of inclusion available to a verifying party for verifying that the data item belongs to the set of data items.
Need to check novelty before this filing date? Find Prior Art

Description

[0001]PROVING DATA BELONGS TO A SET TECHNICAL FIELD The present disclosure relates to methods of proving that a data item (e.g. a blockchain transaction) belongs to a set of data items (e.g. a block of blockchain transactions). BACKGROUND The Elliptic Curve Digital Signature Algorithm (ECDSA) is a digital signature scheme whose public parameters are: • An elliptic curve ^^ over ^^^(a field of characteristic ^^). • A generator ^^ for a subgroup of ^^ of prime order. A private key for the ECDSA algorithm is an integer ^^, the associated public key is an elliptic curve point ^^ = ^^ ^^. The signature of a message ^^ using the private key ^^ is computed as follows. 1. Calculate the hash of the message ℎ. 2. Generate a random ephemeral key ^^. 3. Calculate ^^ = ^^ ^^ =(^^ா, ^^ா), and let ^^ ≡ ^^ா^^ ^^ ^^ ^^. If ^^ = 0 return to point 2. 4. Calculate ^^ = ^^ି^(ℎ + ^^ ^^)^^ ^^ ^^ ^^. If ^^ = 0 return to point 2, if not, the signature is ( ^^, ^^). The signature is verified as follows. 1. Calculate the hash of the message ℎ.2. Calculate(^^’, ^^’)= ^^ି^(ℎ ^^ + ^^ ^^), where the inverse of ^^ is computed modulo ^^.3. Check ^^ ≡ ^^′ ^^ ^^ ^^ ^^. Threshold signatures are digital signatures where signers can establish groups such that only certain subsets of the group can produce signatures on behalf of the group. Different schemes require different types of interactions between signers. Threshold signatures may require multiple rounds of interactions between signers. We call non-interactive scheme a threshold signature scheme where the generation of the signature require a single round. This single round may require pre-processing (FROST) or not (BLS). BLS is a deterministic, non-malleable, and efficient digital signature scheme with aggregation properties that relies on elliptic curve bilinear pairing. Aggregation can also be done on secret keys and public keys. Its simplicity and cryptographic properties allow it to be useful in a variety of use-cases, specifically when minimal storage space or bandwidth are required. FROST is a threshold signature scheme based on EdDSA (a variant of Schnorr signature scheme). FROST can be used as either a two-round protocol, where signers send and receive two messages in total, or optimized to a single-round signing protocol with a pre-processing stage. SUMMARY According to one aspect disclosed herein, there is provided a computer-implemented method of providing proof that a data item is included in a set of data items, wherein the method is performed by a proving party and comprises: for each data item, generating a respective first private key based on the respective data item; generating a public key based on each of the first private keys; for one or more of the data items: generating a respective proof of inclusion based on the respective data item, and the respective first private key; and making the data item and / or a commitment thereof, the public key, and the respective proof of inclusion available to a verifying party for verifying that the data item belongs to the set of data items. According to another aspect disclosed herein, there is provided a computer-implemented method of verifying that a data item is included in a set of data items, wherein the method is performed by a verifying party and comprises: obtaining a data item and / or a commitment thereof, a public key, and a proof of inclusion for the data item, wherein the public key is based on a plurality of respective first private keys, each respective first private key based on a respective data item of the set, wherein the proof of inclusion is based on the data item and the respective first private key; and using the public key and proof of inclusion to verify that the data item is included in the set. According to another aspect disclosed herein, there is provided a computer-implemented method of providing proof that a data item is included in a set of data items, wherein the method is performed by a proving party and comprises: for each data item, generating a respective first private key based on the respective data item; aggregating the respective first private keys to generate a second private key; generating a public key corresponding to the second private key; for one or more of the data items: generating a respective fourth private key, and wherein together the respective first private key and respective fourth private key are useable to generate a threshold signature for the second private key; generating a respective first signature using the respective first private key, wherein the respective signature signs a hash of the respective data item; and making the following available to a verifying party for verifying that the respective data item belongs to the dataset: the respective first signature and the public key. Embodiments of the present disclosure enable a proving party to generate (and provide to a verifying party) a proof of inclusion for a given data structure that utilises private keys obtained by aggregating fingerprints (e.g. hashes) of the data contained in the data structure. The proof of inclusion is especially suitable for overlay networks and blockchains that are maintained by trusted servers or nodes, but can be applied more generally in all situations where data is aggregated, and each piece of data requires a unique, independent, and unforgeable proof of inclusion in the data structure. BRIEF DESCRIPTION OF THE DRAWINGS To assist understanding of embodiments of the present disclosure and to show how such embodiments may be put into effect, reference is made, by way of example only, to the accompanying drawings in which: Figure 1 is a schematic block diagram of a system for implementing a blockchain, Figure 2 schematically illustrates some examples of transactions which may be recorded in a blockchain, Figure 3 schematically illustrates the generation of an aggregated key, Figure 4 schematically illustrates an elliptic curve tree with three leaves, Figure 5 schematically illustrates a tulip tree aggregating four data blocks, and Figure 6 schematically illustrates an alternative implementation of a tulip tree. DETAILED DESCRIPTION OF EMBODIMENTS 1. PROOF OF INCLUSION Embodiments of the present disclosure provide for the generation of inclusion proofs – proofs that prove that a data item belongs (i.e. forms part of) a set of data items (or a dataset). Whilst some examples may be described in terms of the data items being transactions belonging to a block 151 of a blockchain 150, this is merely for illustrative purposes. Even more so, the described embodiments may be implemented completely independently from the blockchain 150. For instance, the data items may be emails of an inbox, records / entries in a database, entries in an account (such as a bank account), etc. Similarly, whilst the proving party may be referred to as Alice 103a and the verifying party as Bob 103b, this is merely for convenience and the proving and verifying parties need not be configured to perform the actions described below as being performed by Alice 103a and Bob 103b, though that is an option. More generally, each of the proving and verifying parties may be an individual user, a group of users, a company, an organisation, a government, a blockchain node, etc. In some examples, the proving and verifying parties may be the same party. Whilst described as being performed by Alice 103a and Bob 103b, it will be appreciated that the actions they perform are implemented by a computing device (e.g. user terminal, server, etc.) operated by Alice 103a and Bob 103b respectively. Alice 103a obtains the set of data items. One or more of the data items may have been generated by Alice 103a. One or more of the data items may have been sent to Alice 103a. E.g. Alice 103a may be a blockchain node 104 who receives transactions from users 103 and other nodes 104. One or more of the data items may be extracted from a database (or other type of record), such as a block 151. In some examples, one of the data items may be a secret value (or other type of data item) known only to Alice 103a. Alice 103a generates a first value for each data item by applying a function to that data item. That is, a first value is generated per data item. The function may be a one-way function. The first value may be generated by hashing the data item and, optionally, a salt, e.g. a combination (such as a concatenation) of the data item and the salt. The hash function may be a SHA-based hash function, such as SHA256. Functions other than hash functions may be used. The salt may be the same or different for each data item. Each first value may be considered to be a private key. Alice 103a aggregates (i.e. combines) each of the first values to generate a second value. The first values may be combined by summing the first values in order to generate the second value. Other types of aggregation (e.g. a combination of concatenating and hashing the first values) may be used. The second value may be considered to be a private key. Alice 103a generates a third value based on the second value by applying a function to the second value. The function may be a one-way function. The third value may be a public key corresponding to the second value. For instance, the function applied to the second value may be point multiplication with an elliptic curve generator point. In some examples, a salt value is also input to the function to generate the third value. The third value is published or otherwise made available to (e.g. sent directly to) Bob 103b for verification purposes. The third value is used to generate a fourth value for each data item (or at least the data items which Alice 103a wants to prove as belonging to the set). For a given data item, the fourth value is generated based on (i.e. is a function of) the third value and the data item. The function may be a one-way function, such as a hash function. The fourth value may be considered to be a private key. A proof of inclusion (or fifth value) is then generated for each data item (or at least the data items which Alice 103a wants to prove as belonging to the set). For a given data item, the proof of inclusion is generated based on (i.e. is a function of) the fourth value generate for that data item. The function may be a one-way function. In some examples, the function is a signature generating function. The signature may be an ECDSA signature. The proof of inclusion is published or otherwise made available to (e.g. sent directly to) Bob 103b for verification purposes. Alice 103a may also send the data item or a commitment (e.g. a hash) of the data item to Bob 103b. In some examples it is not necessary to send the data item or commitment if Bob 103b already has access to the data item. Bob 103b obtains the data item or the commitment (e.g. hashed data item), the third value (e.g. a public key corresponding to aggregated private keys) and a proof of inclusion for the data item. Bob 103b uses the third value and proof of inclusion to verify that the data set contains the data item. The third value and proof of inclusion may be obtained directly from Alice 103a. The data item (or commitment) may be obtained from Alice 103a or Bob 103b may already have access to it. In these examples, each fourth value for each data item may be generated by subtracting the respective third first value (e.g. the hash of the data item) from the second value (i.e. the aggregation of the respective first values). The proof of inclusion may then be generated by converting the fourth value (which can be considered to be a private key) to a public key. Bob 103b may generate a public key corresponding to a hash of the data item (i.e. a private key) and verify that a combination of the public key and the proof of inclusion (i.e. a public key corresponding to a fourth value) corresponds to the third value (i.e. a public key corresponding to the aggregated private keys). Alice 103a may generate a signature (e.g. an ECDSA signature) using the respective fourth value for the respective data item. The signature may sign the first value, e.g. a hash of the data item. Alice 103a publishes the signature and / or sends the signature to Bob 103b. The signature may be included as part of the proof of inclusion. Bob 103b may verify that the signature is valid for the proof of inclusion (i.e. a public key corresponding to the fourth value). In some examples, an RSA scheme (or at least some properties thereof) may be used to generate the proof of inclusions. Alice 103a determines a value n which is the product of two prime numbers p and q. Alice 103a also determines two integers e and d, such that ^^ ^^ ≡ 1 ^^ ^^ ^^ ^^( ^^). In these examples, the first value may be generated by hashing the data item and then taking a modulus over n (i.e. return the remainder after dividing the hashed data item by n). In some examples, the first value may be generated by taking a modulus of the data item itself. The third value is generated by aggregating (e.g. summing) the second values and then taking a modulus over n. Alice 103a may publish the values e and n, e.g. as part of the third value. For each data item, the fourth value is generated by subtracting the respective first value from the second value and then taking the modulus over n. Finally, the proof of inclusion is generated by raising the fourth value to the power of d, and taking the modulus over n. Bob 103b may combine (e.g. sum) a hash of the data item and the proof of inclusion raised to the power of e. Bob 103b may take a modulus of the second value over n, and verify that the result is equal to the previously mentioned combination. Alternatively, the first value may be generated by hashing the data item twice (i.e. applying the same hash function twice) and taking a modulus over n. The third value is generated by aggregating (e.g. summing) the second values and a salt value, and then taking a modulus over n. Alice 103a may publish the values e and n, e.g. as part of the third value. For each data item, the fourth value is generated by aggregating (e.g. summing) the respective hashes of the other data items and subtracting the hash of the data item, and then taking a modulus over n. Bob 103b may combine (e.g. sum) a double-hash of the data item (i.e. hashing the data item twice) and a hash of the proof of inclusion raised to the power of e. Bob 103b may take a modulus of the second value over n, and verify that the result is equal to the previously mentioned combination. An alternative mechanism for proving that a data item belongs to the dataset is now described. Similar to the embodiments described above, a first value is generated for each data item, e.g. by hashing the data item. The first value is a private key. The first values are aggregated to form a second value (also a private key), e.g. by summing the first values. A third value (a public key) is generated based on the second value. A fourth value is generated for each data item that Alice 103a wants to prove belongs to the set. The fourth value is a private key such that a combination of the first value and fourth value corresponds to the second value. Put another way, the first and fourth values can be used to generate a threshold signature valid for the second value. Alice 103a generates a first signature using the fourth value that signs a message comprising the data item and / or a hash of the data item. The signature is provided to Bob 103b. Alice 103a may also generate and provide a second signature using the first value that signs a message comprising the data item and / or a hash of the data item. Alice 130a may send to Bob 103b one or more of the following public keys: the third value (i.e. the public key corresponding to the aggregated private keys), the public key corresponding to the first value, and the public key corresponding to the fourth value. Bob 103b uses the first signature and the second signature to verify that they generate a valid signature for the third value. Bob 103b may generate the second signature himself if he has access to the required data. Bob 103b may also verify that the first signature is valid for the public key corresponding to the fourth value. Similarly, Bob 103b may verify that the second signature is valid for the public key corresponding to the first value. 1.1 Proof of inclusion for aggregated keys This section describes how the embodiments described above may be used to aggregate chunks of data ^^^in a single block of data ^^ and then provide, for each ^^^, a proof of inclusion in ^^. Each party knowing ^^^and the proof produced by the aggregator can verify that ^^^has been included in ^^ using some publicly available information on ^^ provided by the aggregator. It will be appreciated that this is a specific implementation of the described embodiments and not all of the examples described in this section are essential for implementing the described embodiments. The described process assumes at least one fingerprint of data contained in ^^ is unknown to any other party besides the aggregator (e.g., private blockchains, and overlay network on public blockchains). If that is not the case (e.g., a public blockchain) the aggregator generates some secret value ^^^that is added to ^^ to prevent users from falsifying proofs of inclusions. In this latter scenario, since the aggregator is using a secret ^^^to salt the data, it would be possible for him to sign using ^^^(or some secure value generated from it). As a motivating example, the chunk of data ^^^can be transactions, the block of data ^^ a block in a blockchain or an overlay network that is run and maintained by trusted servers. This is – for instance – the case for blockchain or overlay network run by private companies or governmental entities. Each chunk of data is linked to some information that is used to label leaves of a tree. The root is labelled by an aggregation of these leaves; while Merkle tree enforces an order of all leaves, our solutions offer the flexibility of having order or not. The root, or some derived information is publicly available, and parties wishing to verify the proof of inclusion can check the consistency of all these data. 1.1.1 General key aggregation For the purposes of this section, key aggregation denotes the creation of a single value that depends on multiple data points. This section provides a high-level discussion of key aggregation. This discussion is agnostic on the specific choices of cryptographic schemes. 1. Each ^^^is associated to a value ^^^; i.e., ^^^= ^^^( ^^^) for some ^^^. 2. The values ^^^are aggregated in the private block value ^^^. 3. The aggregator publishes the value ^^^= ^^ଶ( ^^^) for some ^^ଶ. From ^^^, it is not possible to recover ^^^. The value ^^^may be salted to enhance security. The relationship between ^^^, ^^^, ^^^and ^^^is shown in Figure 3. 4. For each chunk of data ^^^, the aggregator computes the value ^^^= ^^ଷ( ^^^, ^^^), for some ^^ ଷ. 5. The aggregator computes the proof of inclusion ^^^= ^^ସ( ^^^), for some ^^ସ. The aggregator sends ^^ to the relevant parties. From ^ ^ ^^it is not ^^^. 6. Any party knowing ^^^, ^^^and ^^^(or some fingerprint of ^^^), can prove that ^^^was included in the block of data ^^. The protocol can be specialized to a wide variety of cases, and some are explored in the following sections. Some additional comments on the proposed protocol are below. • The function ^^^in Step 1 is going to be a hash function in all the examples discussed in this section, this is not a requirement. • In all the examples, the aggregation in Step 2 is going to be the sum. While the sum is a convenient aggregation function (easy to invert and to compute), there is no limitation to using it over any other aggregation. • Commutative and associative aggregation functions have some advantages, mostly they are agnostic of any order of the data ^^^. • Depending on the choice of the function ^^ଶ, the published value ^^^may need to be salted or masked before publication. • The proof of inclusion specifics and the method to verify the proof of inclusion depends on the specific choices made when implementing the protocol. • If additional data can be added to the initial ones, it is possible to modify the algorithm to keep track data history when computing the private block value. As an example, assume the data are blockchain transaction ^^ ^^^,^, included in the block ^^^. When computing ^^^ೕ, it is possible to have it depends also on all the transactions already included in the blockchain. 1.1.2 ECDSA aggregation This section describes the key aggregator protocol in the case of ECDSA signature. The concept of an elliptic curve tree is used in this approach and is used to compute the various private and public values described in the protocol. Elliptic curve trees are labelled trees whose leaves are labelled by points of an elliptic curve and whose internal nodes are labelled by the sum of the labels of their children. Since elliptic curve point addition is commutative and associative, the label of the root does not depend on the structure of the tree nor on the order of the leaves. The label of the root of an elliptic curve tree is the sum of the labels of all the leaves. An example elliptic curve tree is shown in Figure 4. Let ^^ be an elliptic curve and ^^ the generator of a subgroup. Let ^^ be a hash function. The protocol become: 1. Each ^^^is associated to the value ^^^= ^^( ^^^), the label of the corresponding leaf is ^^^^^. 2. The private block value is ^^^= ∑^^^ ^ ^^ is some secret value known only by the aggregator. 3. The label of the root is the publicly known value ^^^= ^^^^^. 4. For each ^^^, the value ^^^= ^^^− ^^^, is computed by the aggregator. 5. The aggregator generates ^^^= ( ^^^^^, ^^ ^^ ^^௧^( ^^( ^^^))) and distributes these values. Any party knowing ^^^and ^^^can verify that ^^^is included in ^^ as follows: first they check that ^^( ^^^) ^^ + ^^^^^ = ^^^, then verifies that the signature ^^ ^^ ^^௧^( ^^( ^^^)) is a valid signature. The must be included in the proof of inclusion to prevent malicious actors from falsifying it. As the private root value ^^^is not publicly known and not discoverable, the signature ^^ ^^ ^^௧^( ^^( ^^^)) is unforgeable. If the data are blockchain transactions from an overlay network, ECDSA aggregation can easily support the proof of inclusion mechanism not only for transactions but also for blocks with a single setup. Each transaction ^^ ^^^,^in block ^^^is represented by a point ^^^,^, the point ^^^is the sum of all the points in the block ^^^. The point ^^௧is the sum of all the ^^^up to a certain point in time ^^ and resents the entire blockchain at the time ^^. • The proof of inclusion of a transaction ^^ ^^^,^is a signature with respect to the public key ^^௧− ^^^,^. • A proof of inclusion of a block ^^^is a signature with respect to the public key ^^௧− ^^^. 1.1.3 RSA aggregation This section describes a variant of the key aggregation that uses ideas in line with the RSA scheme. Let ^^ = ^^ ^^ be a product of two prime numbers and ^^, ^^ ∈ ℤ^be a couple of integers such that ^^ ^^ ≡ 1 ^^ ^^ ^^ ^^( ^^). Let ^^ be a hash function, in is a homomorphism, the scheme can be strengthened. In case ^^ is a standard hash function, the protocol become the following. 1. Each ^^^is associated to the value ^^^≡ ^^( ^^^) ^^ ^^ ^^ ^^. 2. The block value is ^^ ≡ ∑ ^^ ^^ ^^ ^ ^^ ^^ ^^. 3. The aggregator publishes ^^^= ( ^^^, ^^, ^^). 4. The aggregator computes ^^^≡ ^^^− ^^^^^ ^^ ^^ ^^. 5. The aggregator distributes the values ^^^≡ ^^ௗ^ ^^ ^^ ^^ ^^. Any party knowing ^^^and ^^^can verify ^^( ^^^) + ^^^^≡ ^^^^^ ^^ ^^ ^^. Inverting ^^ is a hard problem, so the value ^^^cannot be falsified.If the function ^^ is a cryptographic homomorphic hash function (i.e., ^^(^^ + ^^)= ^^(^^)+^^(^^)) the proposed scheme can be modified as following.1. Each ^^^is associated to the value ^^^≡ ^^ଶ( ^^^) ^^ ^^ ^^ ^^. 2. The block value is ^^^≡∑^^^^+ ^^ ^^ ^^ ^^ ^^, where ^^ is some secret value known only by the aggregator. 3. The aggregator publishes ^^^ =(^^^, ^^, ^^).4. The aggregator computes ^^^ ≡∑^ ^^൫ ^^^൯ − ^^(^^^)^^ ^^ ^^ ^^.5. The aggregator distributes ^^^≡ ^^^ௗ^^ ^^ ^^ ^^.Any party knowing ^^^ and ^^^ can verify ^^ଶ(^^^)+ ^^(^^^^)≡ ^^^ ^^ ^^ ^^ ^^. The advantage of thisversion over the previous one is that it since falsifying ^^^requires also inverting ^^. 1.1.42-2 threshold signature aggregation The two cases discussed above both require disclosure of the original data, which is something that may not be desirable in all use cases. Using a 2-2 non-interactive threshold signature schemes such as BLS or FROST it is possible to generate proofs of inclusion that do not required disclosing the original data. The specifics of the aggregation and verification protocol depend on the choice of the threshold scheme used. This section provide a high-level description of the general case. The value ^^^in Step 3 is a public key associated to a private key ^^^, known only by the aggregator. The values ^^^and ^^^are two private keys that can be used to produce a 2-2 threshold signature for the key ^^^. The information ^^^depends on the specific 2-2 threshold signature scheme. This requires a signature of a message (e.g., ^^ଶ( ^^^)) using the private key ^^ and possibly some addit ^ ional information. The owner of ^^^signature, generate a signature for the same message using the value ^^^and checks that the two signatures generate a valid signature for ^^^. If the aggregator is honest, some interactive threshold signature schemes may be simplified and adapted to this protocol. The described scheme is not limited to cryptographic schemes relying on elliptic curves cryptography, for instance, it may be used for variants of Schnorr signature different from EdDSA. In case the aggregator is willing to communicate with verifying parties (directly or via a trusted verification service), a wider spectrum of cryptographic schemes can be adapted. Allowing verifying parties to freely communicate with the aggregator can be a liability, since it exposes to denial-of-service attacks. Having the verification being a payment service can mitigate this exposure. 1.2 Chained data The proof of inclusion discussed in section 1.1 is suitable for an overlay network or blockchain run and maintained by trusted nodes. The reason nodes need to be trusted is that the aggregator – if dishonest – can manipulate freely the information circulating in the network. While required trusted nodes can be a restriction for standard public blockchains, private blockchains and overlay network run by corporations or public entities may find this assumption suitable to their interest. Blockchain have data divided in blocks that are linked together, and the aggregation protocol can be adapted to track these links. In the case of overlay networks, the blocks of data can be isolated from each other, in this case, the aggregation protocol just consider each block of data separately and proceed as described in section 1.1. The rest of the section focuses on how the protocol is be modified to link the block of data to the previous ones. By ^^ we mean either a blockchain or an overlay network, but in principle can be any structure where data are added and aggregated in batches. 1.2.1 Tulip Tree Tulip tree is a name given to a data structure introduced herein to link blocks of data. Each of these blocks is associated a labelled tree ^^^whose root label is obtained by aggregating the leaf’s labels (this can be a Merkle tree, an elliptic curve tree, …). These trees ^^^are recursively combined in the tulip trees ^^^that contains information not only on the block ^^^, but also on all the previous data blocks. More precisely, ^^^= ^^^, and ^^^is the tree whose root has as left subtree (the subtree generating from the left child) the tree ^^^ି^and as right subtree ^^ . The label of the root i ^ s obtained aggregating the label of the two subtrees. An example tree is shown in Figure 5. When an aggregator adds a new block of data ^^ to ^^, it proceeds as follows. 1. It retrieves the root of the tulip tree. 2. It computes the tree associated to ^^. 3. It updates the root of the tulip tree. 4. It signs the root (more details discussed below). 5. It publishes the root of the tree associated to ^^ and the new root of the tulip tree (for verification purposes). The tulip tree data structure main advantage come from validation efficiency. The signature generated from the aggregator allows fast validation of the entire chained structure ^^. Indeed, instead of needing validation of each single block of data, it is enough to validate the last block. This validates the previous blocks as well. An alternative possible implementation of a tulip tree consists of having the root of the previous block as a leaf (e.g., the first leaf) in the new block. This implementation can generate the same (e.g., for elliptic curve trees) or different (e.g., for Merkle trees) root value. The figure below shows an example of a tulip tree created in this way: a new block which contains two chunks of data ^^^and ^^ଶis added to ^^. The values of ^^^and ^^ଶare labels of internal nodes that are of to our current work. An example tree is shown in Figure 6. 1.2.2 Comparison with PoW blockchain In a blockchain, the Merkle tree contains only information on the current block, and a block is linked to the previous one via the hash of previous block header. The root of a tulip tree links blocks together without relying on other structures, as it combines information on both the current block and on the past blocks. If the aggregation function has some additional properties (e.g., commutativity and associativity), verifying the proof of inclusion of older data can become easier for the verifier, as they do not need to have stored all the history of the data. This can be done on existing blockchains (e.g., Bitcoin SV) without changing their protocol. Overlay networks can create blocks that mirrors the blockchain blocks but are limited to the transactions relevant to the overlay network. Instead of relying on Merkle proofs for their inclusion, they can use the embodiments described herein to prove the inclusion of specific transactions to the overlay network. 1.2.3 Aggregated signature for linked block This subsection focus on the generation of the signature of that is used to validate the new block of data ^^ added to ^^. The private value associated to ^^ is ^^^, and the block ^^ contains chunks of data ^^^, associated to ^^^. If ^^ is maintained by a single aggregator. Since the aggregator has access to all the information on the data in ^^, it can compute the private value ^^^+∑^^^^+ ^^ (the secret value can be omitted), and it uses this private value to sign the root of the tulip tree. This protects users from being deceived in trusting fake blocks. Indeed, a malicious party that wants to falsify a block ^^, would need to recover information on ^^^. If there is more than one aggregator, blocks are not always published by the same one. It is possible to distinguish 2 cases. • If there is no secret value added or the aggregators communicate to each other the value ^^^, they can compute the value ^^^+ ∑^^^^and this value can be used to sign the root of the tulip tree. • Otherwise, the aggregator proceed as follows. A certain fixed message is signed using the key ^^^using a signature scheme that supports signature and key aggregation (e.g., a 2-2 non-interactive threshold signature). The aggregator computes∑^^^^, and uses it to compute a signature for chosen message using that is compatible with ^^^+∑^^^^. 1.2.4 Proof of inclusion As new blocks are added to ^^, instead of asking whether ^^^is in ^^, it may be required to prove that ^^^is included in ^^ instead. In general, this requires more work than to prove that ^^^is in ^^, as up-to-date information have to be computed whenever a new block is added. Nevertheless, this can be done. Alice has the data ^^^and the proof of inclusion ^^^, and wants to prove to Bob that ^^^is in ^^ (or before a certain block ^^^^௫). Some examples of ways Alice can achieve this are: • Alice shares ^^^, ^^^and the point ^^, the sum of the public block values from ^^ to the end of ^^ (to the block ^^^^௫). • Alice uses ^^^, ^^^and the signature used in the blocks from ^^ to the end (to the block ^^^^௫) to generate a valid signature. 1.3 Example use cases 1.3.1 GOvNet The key aggregation protocol using ECDSA may be used by an overlay network run by a government or a company. The overlay network uses the blockchain to generate and store fingerprints (e.g. hashes) of the data packets circulating in the overlay network and relies on ECDSA aggregation protocol to provide users with proof of inclusion in the overlay network. Fingerprints of the data packets are extracted from blockchain blocks, the corresponding data packets are aggregated in blocks of overlay data. Each data packet is linked to an elliptic curve point and the aggregated point is published by the authority maintaining the overlay network. These blocks of data in the overlay network may rely on the proof of inclusion protocol described in section 1.2 to provide users a proof of inclusion. A government overlay network provides a natural framework to implement CBDC. CBDC transactions are just a type of data packet, and CBDC transactions can be implemented ensuring that they share the same properties as cash transactions. GOvNet is agnostic to the design choices regarding the CBDC system. CBDC-type data packets have a lifecycle similar to the lifecycle of document-type data packets, with the main difference being the check for correctness. Indeed, the correctness of a CBDC data packet also includes a check that the spending party owns enough asset to support the transaction. Spending the fingerprint transaction associated to a CBDC-type data packet can be used as a means for the paid party to acknowledge they received the payment. Embodiments of the present disclosure may be used to prove the storage or knowledge of tax-related data. For instance, companies and / or individuals may use GOvNet to file tax returns, submit invoices, provide evidence of tax payments, etc. For individuals, GOvNet may perform checks to ensure that the tax-related data satisfies certain criteria. For example, a user submitting a tax return may be required to provide entries for different types of taxable income: salary, bonuses, dividends, investment returns, rent, etc. Similarly, GOvNet may be used for recording licenses. For instance, a node of the network may specialise in recording television licences, or business licenses (e.g. licenses to trade certain goods). A business may use a storage proof of their license to prove to regulators and the like that they have indeed been granted a license. Other types of licenses may be stored on the network, such as intellectual property licenses. The overlay servers may verify that a license for the same piece of IP has not already been granted (in the case of exclusive licenses, at least). GOvNet may be used to store data related to ownership of land and / or vehicles and any change in said ownership. For instance, each data packet may contain a separate land or vehicle registration, or a transfer of ownership of a piece of land or vehicle. GOvNet may perform validation steps, e.g. to ensure that a piece of land is not being (inadvertently or fraudulently) sold twice. To do so GOvNet may verify that the same land is not already on the overlay network indicated as being owned by someone else. A user may use the proof of inclusion (storage proof) to verify that a seller of land or vehicle is the rightful owner of that land / vehicle. GOvNet may also be used to prove something about a document (e.g. that a document exists, or that a document contains certain data or fulfils certain requirements) without revealing the document itself. In the example of age check to a venue (such a pub, night club, etc.), one might what to prove they are over 18 without revealing their actual age or any other information which happens to be included on their ID document. In this context, one could give an overlay proof at the entrance to the venue, the security may use the proof to check with GOvNet that GOvNet has accepted the document and GOvNet may confirm that the user is over 18, without revealing any details. Since the security staff trust GOvNet, there is no need for any additional checks. Other similar uses cases include visas that permit the owner to enter a country. 1.3.2 Training set The use case described in this section is related to training of AI. It is a way to document and certify modification in the training set. Using the notation of section 1.1 each training instance is a ^^^and the training set is ^^. Alice is training an AI and sends the training set to Bob, a trusted certifying entity. Bob aggregates the data using any aggregation scheme and publish the public block value on a blockchain. Bob sends to Alice the proof of inclusion of the single training data ^^^. Alice can now use proof of inclusion to show that a certain ^^^was included in ^^. This use case requires that the moment Alice train her AI, a fingerprint of the training set is made public (e.g., published on the blockchain). If Alice need to add training data, she can repeat the process, asking Bob to add the new set of data to the previous ones. The new data can be linked to the old data or being independent from them. Similarly (in case the aggregation function is commutative and associative) Alice can also have proof of exclusion from the training set. Proof of exclusion of ^^^would be a proof of inclusion of ^^^using as ^^^the opposite value. 2. EXAMPLE SYSTEM OVERVIEW A blockchain refers to a form of distributed data structure, wherein a duplicate copy of the blockchain is maintained at each of a plurality of nodes in a distributed peer-to-peer (P2P) network (referred to below as a “blockchain network”) and widely publicised. The blockchain comprises a chain of blocks of data, wherein each block comprises one or more transactions. Each transaction, other than so-called “coinbase transactions”, points back to a preceding transaction in a sequence which may span one or more blocks going back to one or more coinbase transactions. Coinbase transactions are discussed further below. Transactions that are submitted to the blockchain network are included in new blocks. New blocks are created by a process often referred to as “mining”, which involves each of a plurality of the nodes competing to perform “proof-of-work”, i.e. solving a cryptographic puzzle based on a representation of a defined set of ordered and validated pending transactions waiting to be included in a new block of the blockchain. It should be noted that the blockchain may be pruned at some nodes, and the publication of blocks can be achieved through the publication of mere block headers. The transactions in the blockchain may be used for one or more of the following purposes: to convey a digital asset (i.e. a number of digital tokens), to order a set of entries in a virtualised ledger or registry, to receive and process timestamp entries, and / or to time- order index pointers. A blockchain can also be exploited in order to layer additional functionality on top of the blockchain. For example, blockchain protocols may allow for storage of additional user data or indexes to data in a transaction. There is no pre-specified limit to the maximum data capacity that can be stored within a single transaction, and therefore increasingly more complex data can be incorporated. For instance this may be used to store an electronic document in the blockchain, or audio or video data. In an “output-based” model (sometimes referred to as a UTXO-based model), the data structure of a given transaction comprises one or more inputs and one or more outputs. Any spendable output comprises an element specifying an amount of the digital asset that is derivable from the proceeding sequence of transactions. The spendable output is sometimes referred to as a UTXO (“unspent transaction output”). The output may further comprise a locking script specifying a condition for the future redemption of the output. A locking script is a predicate defining the conditions necessary to validate and transfer digital tokens or assets. Each input of a transaction (other than a coinbase transaction) comprises a pointer (i.e. a reference) to such an output in a preceding transaction, and may further comprise an unlocking script for unlocking the locking script of the pointed-to output. So consider a pair of transactions, call them a first and a second transaction (or “target” transaction). The first transaction comprises at least one output specifying an amount of the digital asset, and comprising a locking script defining one or more conditions of unlocking the output. The second, target transaction comprises at least one input, comprising a pointer to the output of the first transaction, and an unlocking script for unlocking the output of the first transaction. In such a model, when the second, target transaction is sent to the blockchain network to be propagated and recorded in the blockchain, one of the criteria for validity applied at each node will be that the unlocking script meets all of the one or more conditions defined in the locking script of the first transaction. Another will be that the output of the first transaction has not already been redeemed by another, earlier valid transaction. Any node that finds the target transaction invalid according to any of these conditions will not propagate it (as a valid transaction, but possibly to register an invalid transaction) nor include it in a new block to be recorded in the blockchain. An alternative type of transaction model is an account-based model. In this case each transaction does not define the amount to be transferred by referring back to the UTXO of a preceding transaction in a sequence of past transactions, but rather by reference to an absolute account balance. The current state of all accounts is stored by the nodes separate to the blockchain and is updated constantly. Figure 1 shows an example system 100 for implementing a blockchain 150. The system 100 may comprise a packet-switched network 101, typically a wide-area internetwork such as the Internet. The packet-switched network 101 comprises a plurality of blockchain nodes 104 (often referred to as “miners”) that may be arranged to form a peer-to-peer (P2P) network 106 within the packet-switched network 101. Whilst not illustrated, the blockchain nodes 104 may be arranged as a near-complete graph. Each blockchain node 104 is therefore highly connected to other blockchain nodes 104. Each blockchain node 104 comprises computer equipment of a peer, with different ones of the nodes 104 belonging to different peers. Each blockchain node 104 comprises processing apparatus comprising one or more processors, e.g. one or more central processing units (CPUs), accelerator processors, application specific processors and / or field programmable gate arrays (FPGAs), and other equipment such as application specific integrated circuits (ASICs). Each node also comprises memory, i.e. computer-readable storage in the form of a non-transitory computer-readable medium or media. The memory may comprise one or more memory units employing one or more memory media, e.g. a magnetic medium such as a hard disk; an electronic medium such as a solid-state drive (SSD), flash memory or EEPROM; and / or an optical medium such as an optical disk drive. The blockchain 150 comprises a chain of blocks of data 151, wherein a respective copy of the blockchain 150 is maintained at each of a plurality of blockchain nodes 104 in the distributed or blockchain network 106. As mentioned above, maintaining a copy of the blockchain 150 does not necessarily mean storing the blockchain 150 in full. Instead, the blockchain 150 may be pruned of data so long as each blockchain node 150 stores the block header (discussed below) of each block 151. Each block 151 in the chain comprises one or more transactions 152, wherein a transaction in this context refers to a kind of data structure. The nature of the data structure will depend on the type of transaction protocol used as part of a transaction model or scheme. A given blockchain will use one particular transaction protocol throughout. A blockchain node 104 may be configured to forward transactions 152 to other blockchain nodes 104, and thereby cause transactions 152 to be propagated throughout the network 106. A blockchain node 104 may be configured to create blocks 151 and to store a respective copy of the same blockchain 150 in their respective memory. A blockchain node 104 may also maintain an ordered set (or “pool”) 154 of transactions 152 waiting to be incorporated into blocks 151. The ordered pool 154 is often referred to as a “mempool”. This term herein is not intended to limit to any particular blockchain, protocol or model. It refers to the ordered set of transactions which a node 104 has accepted as valid and for which the node 104 is obliged not to accept any other transactions attempting to spend the same output. In a given present transaction 152j, the (or each) input comprises a pointer referencing the output of a preceding transaction 152i in the sequence of transactions, specifying that this output is to be redeemed or “spent” in the present transaction 152j. Spending or redeeming does not necessarily imply transfer of a financial asset, though that is certainly one common application. More generally spending could be described as consuming the output, or assigning it to one or more outputs in another, onward transaction. In general, the preceding transaction could be any transaction in the ordered set 154 or any block 151. The preceding transaction 152i need not necessarily exist at the time the present transaction 152j is created or even sent to the network 106, though the preceding transaction 152i will need to exist and be validated in order for the present transaction to be valid. Hence “preceding” herein refers to a predecessor in a logical sequence linked by pointers, not necessarily the time of creation or sending in a temporal sequence, and hence it does not necessarily exclude that the transactions 152i, 152j be created or sent out-of-order (see discussion below on orphan transactions). The preceding transaction 152i could equally be called the antecedent or predecessor transaction. Due to the resources involved in transaction validation and publication, typically at least each of the blockchain nodes 104 takes the form of a server comprising one or more physical server units, or even whole a data centre. However in principle any given blockchain node 104 could take the form of a user terminal or a group of user terminals networked together. The memory of each blockchain node 104 stores software configured to run on the processing apparatus of the blockchain node 104 in order to perform its respective role or roles and handle transactions 152 in accordance with the blockchain node protocol. It will be understood that any action attributed herein to a blockchain node 104 may be performed by the software run on the processing apparatus of the respective computer equipment. The node software may be implemented in one or more applications at the application layer, or a lower layer such as the operating system layer or a protocol layer, or any combination of these. Any given blockchain node may be configured to perform one or more of the following operations: validating transactions, storing transactions, propagating transactions to other peers, performing consensus (e.g. proof-of-work) / mining operations. In some examples, each type of operation is performed by a different node 104. That is, nodes may specialise in particular operation. For example, a nodes 104 may focus on transaction validation and propagation, or on block mining. In some examples, a blockchain node 104 may perform more than one of these operations in parallel. Any reference to a blockchain node 104 may refer to an entity that is configured to perform at least one of these operations. Also connected to the network 101 is the computer equipment 102 of each of a plurality of parties 103 in the role of consuming users. These users may interact with the blockchain network 106 but do not participate in validating transactions or constructing blocks. Some of these users or agents 103 may act as senders and recipients in transactions. Other users may interact with the blockchain 150 without necessarily acting as senders or recipients. For instance, some parties may act as storage entities that store a copy of the blockchain 150 (e.g. having obtained a copy of the blockchain from a blockchain node 104). Some or all of the parties 103 may be connected as part of a different network, e.g. a network overlaid on top of the blockchain network 106. Users of the blockchain network (often referred to as “clients”) may be said to be part of a system that includes the blockchain network 106; however, these users are not blockchain nodes 104 as they do not perform the roles required of the blockchain nodes. Instead, each party 103 may interact with the blockchain network 106 and thereby utilize the blockchain 150 by connecting to (i.e. communicating with) a blockchain node 106. Two parties 103 and their respective equipment 102 are shown for illustrative purposes: a first party 103a and his / her respective computer equipment 102a, and a second party 103b and his / her respective computer equipment 102b. It will be understood that many more such parties 103 and their respective computer equipment 102 may be present and participating in the system 100, but for convenience they are not illustrated. Each party 103 may be an individual or an organization. Purely by way of illustration the first party 103a is referred to herein as Alice and the second party 103b is referred to as Bob, but it will be appreciated that this is not limiting and any reference herein to Alice or Bob may be replaced with “first party” and “second “party” respectively. The computer equipment 102 of each party 103 comprises respective processing apparatus comprising one or more processors, e.g. one or more CPUs, GPUs, other accelerator processors, application specific processors, and / or FPGAs. The computer equipment 102 of each party 103 further comprises memory, i.e. computer-readable storage in the form of a non-transitory computer-readable medium or media. This memory may comprise one or more memory units employing one or more memory media, e.g. a magnetic medium such as hard disk; an electronic medium such as an SSD, flash memory or EEPROM; and / or an optical medium such as an optical disc drive. The memory on the computer equipment 102 of each party 103 stores software comprising a respective instance of at least one client application 105 arranged to run on the processing apparatus. It will be understood that any action attributed herein to a given party 103 may be performed using the software run on the processing apparatus of the respective computer equipment 102. The computer equipment 102 of each party 103 comprises at least one user terminal, e.g. a desktop or laptop computer, a tablet, a smartphone, or a wearable device such as a smartwatch. The computer equipment 102 of a given party 103 may also comprise one or more other networked resources, such as cloud computing resources accessed via the user terminal. The client application 105 may be initially provided to the computer equipment 102 of any given party 103 on suitable computer-readable storage medium or media, e.g. downloaded from a server, or provided on a removable storage device such as a removable SSD, flash memory key, removable EEPROM, removable magnetic disk drive, magnetic floppy disk or tape, optical disk such as a CD or DVD ROM, or a removable optical drive, etc. The client application 105 comprises at least a “wallet” function. This has two main functionalities. One of these is to enable the respective party 103 to create, authorise (for example sign) and send transactions 152 to one or more bitcoin nodes 104 to then be propagated throughout the network of blockchain nodes 104 and thereby included in the blockchain 150. The other is to report back to the respective party the amount of the digital asset that he or she currently owns. In an output-based system, this second functionality comprises collating the amounts defined in the outputs of the various 152 transactions scattered throughout the blockchain 150 that belong to the party in question. Note: whilst the various client functionality may be described as being integrated into a given client application 105, this is not necessarily limiting and instead any client functionality described herein may instead be implemented in a suite of two or more distinct applications, e.g. interfacing via an API, or one being a plug-in to the other. More generally the client functionality could be implemented at the application layer or a lower layer such as the operating system, or any combination of these. The following will be described in terms of a client application 105 but it will be appreciated that this is not limiting. The instance of the client application or software 105 on each computer equipment 102 is operatively coupled to at least one of the blockchain nodes 104 of the network 106. This enables the wallet function of the client 105 to send transactions 152 to the network 106. The client 105 is also able to contact blockchain nodes 104 in order to query the blockchain 150 for any transactions of which the respective party 103 is the recipient (or indeed inspect other parties’ transactions in the blockchain 150, since in embodiments the blockchain 150 is a public facility which provides trust in transactions in part through its public visibility). The wallet function on each computer equipment 102 is configured to formulate and send transactions 152 according to a transaction protocol. As set out above, each blockchain node 104 runs software configured to validate transactions 152 according to the blockchain node protocol, and to forward transactions 152 in order to propagate them throughout the blockchain network 106. The transaction protocol and the node protocol correspond to one another, and a given transaction protocol goes with a given node protocol, together implementing a given transaction model. The same transaction protocol is used for all transactions 152 in the blockchain 150. The same node protocol is used by all the nodes 104 in the network 106. An alternative type of transaction protocol operated by some blockchain networks may be referred to as an “account-based” protocol, as part of an account-based transaction model. In the account-based case, each transaction does not define the amount to be transferred by referring back to the UTXO of a preceding transaction in a sequence of past transactions, but rather by reference to an absolute account balance. The current state of all accounts is stored, by the nodes of that network, separate to the blockchain and is updated constantly. In such a system, transactions are ordered using a running transaction tally of the account (also called the “position” or “nonce”). This value is signed by the sender as part of their cryptographic signature and is hashed as part of the transaction reference calculation. In addition, an optional data field may also be signed the transaction. This data field may point back to a previous transaction, for example if the previous transaction ID is included in the data field. Some account-based transaction models share several similarities with the output-based transaction model described herein. For example, as mentioned above, the data field of an account-based transaction may point back to a previous transaction, which is equivalent to the input of an output-based transaction which references an outpoint a previous transaction. Thus both models enable linking between transactions. As another example, an account-based transaction contains a “recipient” field (in which a receiving address of an account is specified) and a “value” field (in which an amount of digital asset may be specified). Together the recipient and value fields are equivalent to the output of an output- based transaction which may be used to assign an amount of digital asset to a blockchain address. Similarly, an account-based transaction has a “signature” field which includes a signature for the transaction. The signature is generated using the sender's private key and confirms the sender has authorized this transaction. This is equivalent to an input / unlocking script of an output-based transaction which, typically, includes a signature for the transaction. When both types of transaction are submitted to their respective blockchain networks, the signatures are checked to determine whether the transaction is valid and can be recorded on the blockchain. On an account-based blockchain, a “smart contact” refers to a transaction that contains a script configured to perform one or more actions (e.g. send or “release” a digital asset to a recipient address) in response to one or more inputs (provided by a transaction) meeting one or more conditions defined by the smart contact’s script. The smart contract exists as a transaction on the blockchain, and can be called (or triggered) by subsequent transactions. Thus, in some examples, a smart contract may be considered equivalent to a locking script of an output-based transaction, which can be triggered by a subsequent transaction, and checks whether one or more conditions defined by the locking script are met by the input of the subsequent transaction. 3. UTXO-BASED MODEL Figure 2 illustrates an example transaction protocol. This is an example of a UTXO-based protocol. A transaction 152 (abbreviated “Tx”) is the fundamental data structure of the blockchain 150 (each block 151 comprising one or more transactions 152). The following will be described by reference to an output-based or “UTXO” based protocol. However, this is not limiting to all possible embodiments. Note that while the example UTXO-based protocol is described with reference to bitcoin, it may equally be implemented on other example blockchain networks. In a UTXO-based model, each transaction (“Tx”) 152 comprises a data structure comprising one or more inputs 202, and one or more outputs 203. Each output 203 may comprise an unspent transaction output (UTXO), which can be used as the source for the input 202 of another new transaction (if the UTXO has not already been redeemed). The UTXO includes a value specifying an amount of a digital asset. This represents a set number of tokens on the distributed ledger. The UTXO may also contain the transaction ID of the transaction from which it came, amongst other information. The transaction data structure may also comprise a header 201, which may comprise an indicator of the size of the input field(s) 202 and output field(s) 203. The header 201 may also include an ID of the transaction. In embodiments the transaction ID is the hash of the transaction data (excluding the transaction ID itself) and stored in the header 201 of the raw transaction 152 submitted to the nodes 104. Say Alice 103a wishes to create a transaction 152j transferring an amount of the digital asset in question to Bob 103b. In Figure 2 Alice’s new transaction 152j is labelled “Tx1”. It takes an amount of the digital asset that is locked to Alice in the output 203 of a preceding transaction 152i in the sequence, and transfers at least some of this to Bob. The preceding transaction 152i is labelled “Tx0” in Figure 2. Tx0and Tx1are just arbitrary labels. They do not necessarily mean that Tx0is the first transaction in the blockchain 151, nor that Tx1is the immediate next transaction in the pool 154. Tx1could point back to any preceding (i.e. antecedent) transaction that still has an unspent output 203 locked to Alice. The terms “preceding” and “subsequent” as used herein in the context of the sequence of transactions refer to the order of the transactions in the sequence as defined by the transaction pointers specified in the transactions (which transaction points back to which other transaction, and so forth). They could equally be replaced with “predecessor” and “successor”, or “antecedent” and “descendant”, “parent” and “child”, or such like. It does not necessarily imply an order in which they are created, sent to the network 106, or arrive at any given blockchain node 104. Nevertheless, a subsequent transaction (the descendent transaction or “child”) which points to a preceding transaction (the antecedent transaction or “parent”) will not be validated until and unless the parent transaction is validated. A child that arrives at a blockchain node 104 before its parent is considered an orphan. It may be discarded or buffered for a certain time to wait for the parent, depending on the node protocol and / or node behaviour. One of the one or more outputs 203 of the preceding transaction Tx0 comprises a particular UTXO, labelled here UTXO0. Each UTXO comprises a value specifying an amount of the digital asset represented by the UTXO, and a locking script which defines a condition which must be met by an unlocking script in the input 202 of a subsequent transaction in order for the subsequent transaction to be validated, and therefore for the UTXO to be successfully redeemed. The locking script (aka scriptPubKey) is a piece of code written in the domain specific language recognized by the node protocol. A particular example of such a language is called “Script” (capital S) which is used by the blockchain network. The locking script specifies what information is required to spend a transaction output 203, for example the requirement of Alice’s signature. Locking scripts appear in the outputs of transactions. The unlocking script (aka scriptSig) is a piece of code written the domain specific language that provides the information required to satisfy the locking script criteria. For example, it may contain Bob’s signature. Unlocking scripts appear in the input 202 of transactions. So in the example illustrated, UTXO0in the output 203 of Tx0comprises a locking script [Checksig PA] which requires a signature Sig PAof Alice in order for UTXO0to be redeemed (strictly, in order for a subsequent transaction attempting to redeem UTXO0to be valid). [Checksig PA] contains a representation (i.e. a hash) of the public key PAfrom a public- private key pair of Alice. The input 202 of Tx1comprises a pointer pointing back to Tx1(e.g. by means of its transaction ID, TxID0, which in embodiments is the hash of the whole transaction Tx0). The input 202 of Tx1comprises an index identifying UTXO0within Tx0, to identify it amongst any other possible outputs of Tx0. The input 202 of Tx1further comprises an unlocking script <Sig PA> which comprises a cryptographic signature of Alice, created by Alice applying her private key from the key pair to a predefined portion of data (sometimes called the “message” in cryptography). The data (or “message”) that needs to be signed by Alice to provide a valid signature may be defined by the locking script, or by the node protocol, or by a combination of these. When the new transaction Tx1 arrives at a blockchain node 104, the node applies the node protocol. This comprises running the locking script and unlocking script together to check whether the unlocking script meets the condition defined in the locking script (where this condition may comprise one or more criteria). Note that the script code is often represented schematically (i.e. not using the exact language). For example, one may use operation codes (opcodes) to represent a particular function. “OP_...” refers to a particular opcode of the Script language. As an example, OP_RETURN is an opcode of the Script language that when preceded by OP_FALSE at the beginning of a locking script creates an unspendable output of a transaction that can store data within the transaction, and thereby record the data immutably in the blockchain 150. E.g. the data could comprise a document which it is desired to store in the blockchain. Typically an input of a transaction contains a digital signature corresponding to a public key PA. In embodiments this is based on the ECDSA using the elliptic curve secp256k1. A digital signature signs a particular piece of data. In some embodiments, for a given transaction the signature will sign part of the transaction input, and some or all of the transaction outputs. The particular parts of the outputs it signs depends on the SIGHASH flag. The SIGHASH flag is usually a 4-byte code included at the end of a signature to select which outputs are signed (and thus fixed at the time of signing). The locking script is sometimes called “scriptPubKey” referring to the fact that it typically comprises the public key of the party to whom the respective transaction is locked. The unlocking script is sometimes called “scriptSig” referring to the fact that it typically supplies the corresponding signature. However, more generally it is not essential in all applications of a blockchain 150 that the condition for a UTXO to be redeemed comprises authenticating a signature. More generally the scripting language could be used to define any one or more conditions. Hence the more general terms “locking script” and “unlocking script” may be preferred. 4. FURTHER REMARKS Other variants or use cases of the disclosed techniques may become apparent to the person skilled in the art once given the disclosure herein. The scope of the disclosure is not limited by the described embodiments but only by the accompanying claims. For instance, some embodiments above have been described in terms of a bitcoin network 106, bitcoin blockchain 150 and bitcoin nodes 104. However it will be appreciated that the bitcoin blockchain is one particular example of a blockchain 150 and the above description may apply generally to any blockchain. That is, the present invention is in by no way limited to the bitcoin blockchain. More generally, any reference above to bitcoin network 106, bitcoin blockchain 150 and bitcoin nodes 104 may be replaced with reference to a blockchain network 106, blockchain 150 and blockchain node 104 respectively. The blockchain, blockchain network and / or blockchain nodes may share some or all of the described properties of the bitcoin blockchain 150, bitcoin network 106 and bitcoin nodes 104 as described above. In preferred embodiments of the invention, the blockchain network 106 is the bitcoin network and bitcoin nodes 104 perform at least all of the described functions of creating, publishing, propagating and storing blocks 151 of the blockchain 150. It is not excluded that there may be other network entities (or network elements) that only perform one or some but not all of these functions. That is, a network entity may perform the function of propagating and / or storing blocks without creating and publishing blocks (recall that these entities are not considered nodes of the preferred bitcoin network 106). In other embodiments of the invention, the blockchain network 106 may not be the bitcoin network. In these embodiments, it is not excluded that a node may perform at least one or some but not all of the functions of creating, publishing, propagating and storing blocks 151 of the blockchain 150. For instance, on those other blockchain networks a “node” may be used to refer to a network entity that is configured to create and publish blocks 151 but not store and / or propagate those blocks 151 to other nodes. Even more generally, any reference to the term “bitcoin node” 104 above may be replaced with the term “network entity” or “network element”, wherein such an entity / element is configured to perform some or all of the roles of creating, publishing, propagating and storing blocks. The functions of such a network entity / element may be implemented in hardware in the same way described above with reference to a blockchain node 104. Some embodiments have been described in terms of the blockchain network implementing a proof-of-work consensus mechanism to secure the underlying blockchain. However proof- of-work is just one type of consensus mechanism and in general embodiments may use any type of suitable consensus mechanism such as, for example, proof-of-stake, delegated proof-of-stake, proof-of-capacity, or proof-of-elapsed time. As a particular example, proof- of-stake uses a randomized process to determine which blockchain node 104 is given the opportunity to produce the next block 151. The chosen node is often referred to as a validator. Blockchain nodes can lock up their tokens for a certain time in order to have the chance of becoming a validator. Generally, the node who locks the biggest stake for the longest period of time has the best chance of becoming the next validator. It will be appreciated that the above embodiments have been described by way of example only. More generally there may be provided a method, apparatus or program in accordance with any one or more of the following Statements. Statement 1. A computer-implemented method of providing proof that a data item is included in a set of data items, wherein the method is performed by a proving party and comprises: for each data item, generating a respective first private key based on the respective data item; generating a public key based on each of the respective first private keys; for one or more of the data items: generating a respective proof of inclusion based on the respective data item, and the respective first private key; and making the data item and / or a commitment thereof, the public key, and the respective proof of inclusion available to a verifying party for verifying that the data item belongs to the set of data items. In some embodiments, the respective first private keys are aggregated and the public keys are generated based on the aggregated private key. In other embodiments, a public key is generated for each respective first private key and those public keys are aggregated to form the public key. Statement 2. The method of statement 1, wherein the set of data items comprises a data item known only to the proving party. Statement 3. The method of any preceding statement, wherein the public key is generated based on a salt value. Statement 4. The method of any preceding statement, wherein the public key is generated based on a second private key, the second private key being based on each of the respective first private keys. Statement 5. The method of statement 4, wherein the second private key is generated by aggregating each of the respective first private keys. Statement 6. The method of any of statements 1 to 3, wherein the public key is generated by: generating respective first public keys based on the respective first private keys; and generating the public key based on the respective first public keys. Statement 7. The method of any preceding statement, wherein the public key is a root of a tree structure, wherein the respective first private keys or corresponding respective first private keys are leaf nodes of the tree structure. Statement 8. The method of any preceding statement, wherein the respective proof of inclusion is based on the respective data item. Statement 9. The method of statement 4 or any statement dependent thereon, comprising: generating a respective fourth value based on the respective data item and the second private key, wherein the respective proof of inclusion is based on the respective fourth value. Statement 10. The method of any preceding statement, wherein at least one: the respective first private key is generated by applying a one-way function to the respective data item, and the public key is generated by applying a one-way function to the second private key. Statement 11. The method of statement 9 or any statement dependent thereon, wherein the respective proof of inclusion is generated by applying a one-way function to the fourth value. Statement 12. The method of statement 10 or statement 11, wherein at least one of: the one-way function used to generate the respective first private key comprises a hash function, the one-way function used to generate the public key comprises a hash function. Statement 13. The method of statement 10 or any statement dependent thereon, wherein the respective fourth value is generated based on a subtraction of the respective first private key from the second private key, and wherein the one-way function used to generate the respective proof of inclusion is a multiplication of the respective fourth value with an elliptic curve generator. Statement 14. The method of statement 13, comprising making a respective signature available to the verifying party, wherein the respective signature signs a respective message comprising the respective first private key and is generated using the respective fourth value. Statement 15. The method of any of statements 1 to 12 when dependent on statement 9, wherein the one-way function used to generate the respective first private key comprises a hash function modulo n, wherein n is a product of two prime numbers, wherein the second value is generated by aggregating the respective first private keys over modulo n, wherein the public value comprises the second value, n and e, wherein e is an integer, wherein the respective fourth value is generated by subtracting the respective first private key from the private key value over modulo n, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer. Statement 16. The method of any of statements 1 to 12 when dependent on statement 9, wherein the one-way function used to generate the respective first private key comprises a double hash function modulo n, wherein n is a product of two prime numbers, wherein the second private key is generated by aggregating the respective first private keys and a secret value over modulo n, wherein the public value comprises the second value, n and e, wherein e is an integer, wherein the respective fourth value is generated by aggregating respective hashes of the respective data items over modulo n, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer. Statement 17. The method of any preceding statement, wherein one or more of the data items are blockchain transactions belonging to a block of the blockchain. Statement 18. The method of statement 17, wherein each blockchain transaction comprises respective data associated with an overlay network and / or an application. Statement 19. The method of any of statements 1 to 17, wherein one or more of the data items are entries in a database. Statement 20. The method of any of statements 1 to 17, wherein one or more of the data items are elements of a data set for training a neural network. Statement 21. A computer-implemented method of verifying that a data item is included in a set of data items, wherein the method is performed by a verifying party and comprises: obtaining a data item and / or a commitment thereof, a public key, and a proof of inclusion for the data item, wherein the public key is based on a plurality of respective first private keys, each respective first private key based on a respective data item of the set, wherein the proof of inclusion is based on the data item and the respective first private key; and using the public key and proof of inclusion to verify that the data item is included in the set. Statement 22. The method of statement 21, wherein the respective first private key is generated by applying a hash function to the respective data item, wherein a respective fourth value is generated based on a subtraction of the respective first private key from a second private key generated based on each respective first private key, the respective proof of inclusion being based on the respective fourth value, and wherein a one-way function used to generate the respective proof of inclusion is a multiplication of the respective fourth value with an elliptic curve generator, and wherein said using comprises: generating a first public key based on a hash of the data item and the elliptic curve generator; and verifying that a combination of the first public key and the proof of inclusion corresponds to the public value. Statement 23. The method of statement 21, comprising: obtaining a signature that signs a respective message comprising the respective first private key; and verifying that the signature is a valid signature for the proof of inclusion. Statement 24. The method of statement 21, wherein the respective first private key is generated by applying a one-way function to the respective data item, wherein the one-way function used to generate the respective first private key comprises a hash function modulo n, wherein n is a product of two prime numbers, wherein a second private key is generated by aggregating the respective first private keys over modulo n, wherein the public key comprises the second value, n and e, wherein e is an integer, wherein a respective fourth value is generated by subtracting the respective first value from the second private key over modulo n, the respective proof of inclusion being based on the respective fourth value, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer, and wherein the method comprises: verifying that a combination of i) a hash of the data item and ii) the proof of inclusion raised to the power of e, corresponds to the second private key modulo n. Statement 25. The method of statement 21, wherein the respective first private key is generated by applying a one-way function to the respective data item, wherein the one-way function used to generate the respective first private key comprises a double hash function modulo n, wherein n is a product of two prime numbers, wherein a second private key is generated by aggregating the respective first private keys and a secret value over modulo n, wherein the public key comprises the second private key, n and e, wherein e is an integer, wherein a respective fourth value is generated by aggregating respective hashes of the respective data items over modulo n, wherein a respective fourth value is generated by subtracting the respective first private key from the second value over modulo n, the respective proof of inclusion being based on the respective fourth value, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer, and wherein the method comprises: verifying that a combination of i) a double-hash of the data item and ii) a hash of the proof of inclusion raised to the power of e, corresponds to the second private key modulo n. Statement 26. A computer-implemented method of providing proof that a data item is included in a set of data items, wherein the method is performed by a proving party and comprises: for each data item, generating a respective first private key based on the respective data item; aggregating the respective first private keys to generate a second private key; generating a public key corresponding to the second private key; for one or more of the data items: generating a respective fourth private key, and wherein together the respective first private key and respective fourth private key are useable to generate a threshold signature for the second private key; generating a respective first signature using the respective first private key, wherein the respective signature signs a hash of the respective data item; and making the following available to a verifying party for verifying that the respective data item belongs to the set of data items: the respective first signature and the public key. Statement 27. The method of statement 26, comprising: generating a respective first signature using the respective first private key, wherein the respective signature signs a hash of the respective data item. Statement 28. The method of statement 26 or statement 27, comprising make the following available to the verifying party: a public key corresponding to the respective first private key and / or a public key corresponding to the respective fourth private key. Statement 29. Computer equipment comprising: memory comprising one or more memory units; and processing apparatus comprising one or more processing units, wherein the memory stores code arranged to run on the processing apparatus, the code being configured so as when on the processing apparatus to perform the method of any of statements 1 to 28. Statement 30. A computer program embodied on computer-readable storage and configured so as, when run on one or more processors, to perform the method of any of statements 1 to 28. According to another aspect disclosed herein, there may be provided a method comprising the actions of the proving party and the verifying party. According to another aspect disclosed herein, there may be provided a system comprising the computer equipment of the proving party and the verifying party.

Claims

CLAIMS 1. A computer-implemented method of providing proof that a data item is included in a set of data items, wherein the method is performed by a proving party and comprises: for each data item, generating a respective first private key based on the respective data item; generating a public key based on each of the respective first private keys; for one or more of the data items: generating a respective proof of inclusion based on the respective data item, and the respective first private key; and making the data item and / or a commitment thereof, the public key, and the respective proof of inclusion available to a verifying party for verifying that the data item belongs to the set of data items.

2. The method of claim 1, wherein the set of data items comprises a data item known only to the proving party.

3. The method of any preceding claim, wherein the public key is generated based on a salt value.

4. The method of any preceding claim, wherein the public key is generated based on a second private key, the second private key being based on each of the respective first private keys.

5. The method of claim 4, wherein the second private key is generated by aggregating each of the respective first private keys.

6. The method of any of claims 1 to 3, wherein the public key is generated by: generating respective first public keys based on the respective first private keys; and generating the public key based on the respective first public keys.

7. The method of any preceding claim, wherein the public key is a root of a tree structure, wherein the respective first private keys or corresponding respective first private keys are leaf nodes of the tree structure.

8. The method of claim 4 or any claim dependent thereon, comprising: generating a respective fourth value based on the respective data item and the second private key, wherein the respective proof of inclusion is based on the respective fourth value.

9. The method of any preceding claim, wherein at least one: the respective first private key is generated by applying a one-way function to the respective data item, and the public key is generated by applying a one-way function to the second private key.

10. The method of claim 8 or any claim dependent thereon, wherein the respective proof of inclusion is generated by applying a one-way function to the fourth value.

11. The method of claim 9 or claim 10, wherein at least one of: the one-way function used to generate the respective first private key comprises a hash function, the one-way function used to generate the public key comprises a hash function.

12. The method of claim 9 or any claim dependent thereon, wherein the respective fourth value is generated based on a subtraction of the respective first private key from the second private key, and wherein the one-way function used to generate the respective proof of inclusion is a multiplication of the respective fourth value with an elliptic curve generator.

13. The method of claim 12, comprising making a respective signature available to the verifying party, wherein the respective signature signs a respective message comprising the respective first private key and is generated using the respective fourth value.

14. The method of any of claims 1 to 11 when dependent on claim 8, wherein the one- way function used to generate the respective first private key comprises a hash function modulo n, wherein n is a product of two prime numbers, wherein the second value is generated by aggregating the respective first private keys over modulo n, wherein the public value comprises the second value, n and e, wherein e is an integer, wherein the respective fourth value is generated by subtracting the respective first private key from the private key value over modulo n, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer.

15. The method of any of claims 1 to 11 when dependent on claim 8, wherein the one- way function used to generate the respective first private key comprises a double hash function modulo n, wherein n is a product of two prime numbers, wherein the second private key is generated by aggregating the respective first private keys and a secret value over modulo n, wherein the public value comprises the second value, n and e, wherein e is an integer, wherein the respective fourth value is generated by aggregating respective hashes of the respective data items over modulo n, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer.

16. The method of any preceding claim, wherein one or more of the data items are blockchain transactions belonging to a block of the blockchain.

17. The method of claim 16, wherein each blockchain transaction comprises respective data associated with an overlay network and / or an application.

18. The method of any of claims 1 to 16, wherein one or more of the data items are entries in a database.

19. The method of any of claims 1 to 16, wherein one or more of the data items are elements of a data set for training a neural network.

20. A computer-implemented method of verifying that a data item is included in a set of data items, wherein the method is performed by a verifying party and comprises: obtaining a data item and / or a commitment thereof, a public key, and a proof of inclusion for the data item, wherein the public key is based on a plurality of respective first private keys, each respective first private key based on a respective data item of the set, wherein the proof of inclusion is based on the data item and the respective first private key; and using the public key and proof of inclusion to verify that the data item is included in the set.

21. The method of claim 20, wherein the respective first private key is generated by applying a hash function to the respective data item, wherein a respective fourth value is generated based on a subtraction of the respective first private key from a second private key generated based on each respective first private key, the respective proof of inclusion being based on the respective fourth value, and wherein a one-way function used to generate the respective proof of inclusion is a multiplication of the respective fourth value with an elliptic curve generator, and wherein said using comprises: generating a first public key based on a hash of the data item and the elliptic curve generator; and verifying that a combination of the first public key and the proof of inclusion corresponds to the public value.

22. The method of claim 20, comprising: obtaining a signature that signs a respective message comprising the respective first private key; and verifying that the signature is a valid signature for the proof of inclusion.

23. The method of claim 20, wherein the respective first private key is generated by applying a one-way function to the respective data item, wherein the one-way functionused to generate the respective first private key comprises a hash function modulo n, wherein n is a product of two prime numbers, wherein a second private key is generated by aggregating the respective first private keys over modulo n, wherein the public key comprises the second value, n and e, wherein e is an integer, wherein a respective fourth value is generated by subtracting the respective first value from the second private key over modulo n, the respective proof of inclusion being based on the respective fourth value, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer, and wherein the method comprises: verifying that a combination of i) a hash of the data item and ii) the proof of inclusion raised to the power of e, corresponds to the second private key modulo n.

24. The method of claim 20, wherein the respective first private key is generated by applying a one-way function to the respective data item, wherein the one-way function used to generate the respective first private key comprises a double hash function modulo n, wherein n is a product of two prime numbers, wherein a second private key is generated by aggregating the respective first private keys and a secret value over modulo n, wherein the public key comprises the second private key, n and e, wherein e is an integer, wherein a respective fourth value is generated by aggregating respective hashes of the respective data items over modulo n, wherein a respective fourth value is generated by subtracting the respective first private key from the second value over modulo n, the respective proof of inclusion being based on the respective fourth value, and wherein the respective proof of inclusion is generated based on the respective fourth value raised to the power d over modulo n, where d is an integer, and wherein the method comprises: verifying that a combination of i) a double-hash of the data item and ii) a hash of the proof of inclusion raised to the power of e, corresponds to the second private key modulo n.

25. A computer-implemented method of providing proof that a data item is included in a set of data items, wherein the method is performed by a proving party and comprises: for each data item, generating a respective first private key based on the respective data item; aggregating the respective first private keys to generate a second private key;generating a public key corresponding to the second private key; for one or more of the data items: generating a respective fourth private key, and wherein together the respective first private key and respective fourth private key are useable to generate a threshold signature for the second private key; generating a respective first signature using the respective first private key, wherein the respective signature signs a hash of the respective data item; and making the following available to a verifying party for verifying that the respective data item belongs to the set of data items: the respective first signature and the public key.

26. The method of claim 25, comprising: generating a respective first signature using the respective first private key, wherein the respective signature signs a hash of the respective data item.

27. The method of claim 25 or claim 26, comprising make the following available to the verifying party: a public key corresponding to the respective first private key and / or a public key corresponding to the respective fourth private key.

28. Computer equipment comprising: memory comprising one or more memory units; and processing apparatus comprising one or more processing units, wherein the memory stores code arranged to run on the processing apparatus, the code being configured so as when on the processing apparatus to perform the method of any of claims 1 to 27.

29. A computer program embodied on computer-readable storage and configured so as, when run on one or more processors, to perform the method of any of claims 1 to 27.