Due to limited computing and storage resources, light clients and full nodes coexist in a typical blockchain system. Any query from light clients must be forwarded to full nodes for execution, and light clients verify the integrity of query results returned. Since existing verifiable queries based on an authenticated data structure (ADS) suffer from significant network, storage and computing overheads by virtue of verification objects (VOs), an alternative way turns to the trusted execution environment (TEE), with which light clients do not need to receive or verify any VO. However, state-of-the-art TEEs cannot deal with large-scale applications conveniently due to the limited secure memory space (e.g., the size of the enclave in Intel SGX (software guard extensions), a typical TEE product, is only 128 MB). Hence, we organize data hierarchically in trusted (enclave) and untrusted memory, along with hot data buffered in the enclave to reduce page swapping overhead between two kinds of memory. The cost analysis and empirical study validate the effectiveness of our proposed scheme. The VO size of our scheme is reduced by one to two orders of magnitude compared with that of the traditional scheme.

由于计算和存储资源有限，典型的区块链系统中轻客户端和全节点共存。来自轻客户端的任何查询都必须转发到全节点执行，轻客户端会验证返回的查询结果的完整性。由于现有的基于经过身份验证的数据结构（ADS）的可验证查询由于验证对象（VO）而遭受巨大的网络、存储和计算开销，因此另一种方法转向可信执行环境（TEE），而轻客户端则不需要使用可信执行环境（TEE）。需要接收或验证任何 VO。然而，由于安全内存空间有限，最先进的TEE无法方便地处理大规模应用（例如，典型的TEE产品Intel SGX（软件防护扩展）中的Enclave大小仅为128） MB）。因此，我们在可信（飞地）和不可信内存中分层组织数据，并在飞地中缓冲热数据，以减少两种内存之间的页面交换开销。成本分析和实证研究验证了我们提出的方案的有效性。与传统方案相比，我们方案的 VO 大小减少了一到两个数量级。