Papers
Topics
Authors
Recent
Search
2000 character limit reached

Split Tallies: A Discrete Certificate Calculus for Auditing Dynamic Ordered Sets in Constant Memory

Published 11 Jun 2026 in cs.DS and cs.CR | (2606.13272v1)

Abstract: We study retrospective auditing for dynamic ordered sets maintained by an untrusted party. A passive auditor watches insert, delete, membership, predecessor, successor, min, and max operations, stores five machine words and a flag, and receives a constant-size public tally record per operation. At audit time the maintainer discloses the claimed live vacant intervals. The method represents order semantics by maximal gaps: gaps are born, cited, consumed, and timestamped, while two hidden field accumulators test equality of the birth and consumption ledgers. Honest executions are accepted with probability one. If any answer in a T-operation session is wrong, acceptance occurs with probability at most (4T+1)/p over one secret field element, against computationally unbounded maintainers. We prove that deterministic and visible-coin auditors require linear state, and that removing the timestamp rule permits an exact replay forgery. A leaf-oriented (2,4)-tree implements the maintainer in O(log n) worst-case time per operation with one extra word per element, and its rebalancing events admit an auditable O(m) envelope over m updates. Checkpoint audits compose with additive error.

Authors (2)

Summary

  • The paper presents an information-theoretic, constant-memory audit protocol using a gap calculus to certify dynamic ordered sets.
  • It employs combinatorial path normal form and deterministic code assignments to efficiently verify insertions, deletions, and queries with minimal verifier state.
  • The work establishes optimal lower bounds, emphasizing hidden randomness and temporal constraints to prevent undetectable forgeries in untrusted environments.

Split Tallies: Discrete Certificate Calculus for Auditing Dynamic Ordered Sets

Problem Setting and Motivation

The paper introduces a certificate calculus for post-hoc auditing of dynamic ordered sets, providing rigorous, information-theoretic guarantees against adversarial maintainers. In settings where dynamic dictionaries and ordered sets are accessed remotely or in untrusted execution environments, correctness of answers (to insertions, deletions, membership, predecessor/successor, and extremal queries) is critical. Conventional certification mechanisms (e.g., program testing, cryptographic digests) either do not bind proofs to particular executions or require substantial verifier state and computational assumptions. The contribution here is a constant-memory, information-theoretic audit protocol—Split Tallies—that operates on transcripts of operations and answers, requiring only minimal append-only records (tallies) from the maintainer and a small, secret-valued certificate (the “stock”) on the auditor side.

Methodology: The Gap Calculus and Certificate Construction

Central to the protocol is the combinatorial “gap calculus,” which regards the ordered set as a partition of the universe into maximal vacant intervals (gaps). All ordered-set operations correspond to local rewrites on these gaps: insertions split a gap, deletions merge adjacent gaps, and queries map canonically to gaps, forced by uniqueness properties. The main technical insight is the path normal form: the set of gaps at any state form a unique unit path in an acyclic interval graph. Insert and delete are, respectively, the only one-vertex path refinements and coarsenings, enforcing a constrained operation semantics that precludes ambiguity in justifying receiver-claimed answers.

Certificates are constructed as follows:

  • Code Assignment: Every newly-born gap receives a deterministic code issued by incrementing a public counter, making its assignment a function of the public transcript.
  • Notches: For each operation, the maintainer emits a notch, a short record encoding consumed and born gaps and their codes, subject to rigid constraints (including a critical temporal rule disallowing citations of not-yet-issued codes).
  • Audit Stock: The auditor keeps two accumulators (AA and RR) over a secret random field element, incrementally updated via hash products over all created and consumed gaps (with codes), and a small number of auxiliary words.
  • Disclosure: At audit time, the maintainer produces the current family of live gaps with codes, which must “mesh” (form an interlocking chain) and match the auditor's calculated state.

Acceptance is contingent on the final accumulator values coinciding, with the protocol achieving perfect completeness for honest maintainers and soundness error upper-bounded by (4T+1)/p(4T+1)/p (where TT is session length and pp the prime field size), independent of any computational assumptions on the maintainer.

Lower Bounds and Necessity Results

The paper not only proves the protocol's guarantees but establishes their optimality:

  • Deterministic Auditor Impossibility: Any deterministic auditor with soundness and completeness for ordered sets of size nn must maintain at least log2(2nn)\log_2\binom{2n}{n} bits of private state, which is exponential in nn. Thus, randomness and state-hiding are indispensable for efficient certificates.
  • Necessity of Hidden Randomness: If the auditor’s randomness is publicly visible to the maintainer, soundness collapses—the maintainer can forge answers undetectably.
  • Temporal Rule Is Critical: Dropping the constraint that notches may only cite codes already issued enables explicit forgeries that the audit cannot detect, demonstrating the necessity of integrating a temporal discipline alongside balance constraints.

Practical Implementation and Maintainer Efficiency

The protocol is decoupled from any particular ordered-set implementation. However, the authors exhibit a concrete realization using a leaf-oriented (2,4)(2,4)-tree (i.e., a B-tree with well-controlled node degrees and doubly-linked leaves), augmented only by storing one code per gap. This implementation:

  • Supports all operations in O(logn)O(\log n) time,
  • Emits and updates notches, codes, and tallies with RR0 overhead per operation,
  • Enables audit disclosures in RR1 time,
  • Is accompanied by an audited attestation scheme for rebalancing costs: structural events (splits, fusions, etc.) are attested at most RR2 times for RR3 updates, and the auditor can validate this comprehensive amortization claim through one-word attestations.

Audit Protocol Features: Composability, Checkpoints, and Tally Boundedness

Audits can be performed at arbitrary checkpoints (epochs) throughout the execution, and rejected epochs halt the protocol. Accepted epochs reset accumulators, re-binding live codes to fresh values, and the error bound composes additively with epoch lengths. This design enables explicit control over the exposure latency and audit overhead via adjustable audit frequency. The per-operation, per-query, and per-disclosure tally size remains constant, tightly parametric in set and universe size and execution length.

Numerical Demonstration

A six-operation session over a small universe with concrete parameters is executed, illustrating all protocol mechanisms: code assignments, notch semantics, accumulator values, and disclosure meshings. A forged twin trace, differing in only a single false answer, is also shown, where the protocol deterministically exposes the forged ledger on audit while maintaining full efficiency in all honest runs.

Implications, Limitations, and Future Directions

The theoretical implications are significant. The Split Tallies calculus transforms the problem of dynamic ordered-set auditing from an implementation- or cryptography-heavy burden into a path rewriting and multiset equivalence task, efficiently checkable with constant verifier state and rigorous soundness. The protocol is agnostic to the complexity of the maintainer, requires no cryptographic assumptions (thus no dependence on intractability or computational limits), and delivers post-hoc, epochal auditability with explicit controls on auditing granularity and error.

Retrospective auditing, rather than instantaneous detection, is information-theoretically necessary—real-time detection for small-memory auditors would require cryptographic assumptions at least as strong as one-way functions, and the work situates these boundaries in the context of classical lower bounds for memory checking. The scope is precisely the class of operations whose correctness is a function of local arrangement (membership, predecessor/successor, extrema)—aggregate or global queries (e.g., rank) lie outside the calculus as their correctness cannot be locally forced by two-word citations.

Extensions to support more complex queries or probabilistic online detection would necessarily involve either higher verifier state or move the protocol into the cryptographic setting. The methods introduced—particularly the path/interval graph normal form, accumulator architecture, and explicit amortization attestation—may inform further research on information-theoretic certification for other classes of dynamic data structures, transcript-based proof systems, or certification in distributed, asynchronous, or multi-party computation settings.

Conclusion

The paper delivers a mathematically explicit, information-theoretic protocol for auditing ordered sets, with provably minimal auditor resources, tight lower and upper bounds, and a combinatorial calculus connecting structure rewriting, hash-based fingerprinting, and ledger balancing. The construction, analysis, and impossibility results collectively delineate the landscape of feasible transcript certifiers for dynamic ordered sets, providing both a practical protocol for high-assurance certification in untrusted environments and a foundation for extending certificate calculus to other dynamic data abstractions.


Reference: "Split Tallies: A Discrete Certificate Calculus for Auditing Dynamic Ordered Sets in Constant Memory" (2606.13272)

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.