Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
WITNESS BLOCKS IN BLOCKCHAIN APPLICATIONS
Document Type and Number:
WIPO Patent Application WO/2019/083658
Kind Code:
A1
Abstract:
Techniques are disclosed for managing data of an application. One embodiment presented herein includes a computer-implemented method, which includes scanning a distributed system to identify one or more blocks comprising data associated with the application. The method further includes generating a witness block based on the one or more blocks. The witness block may comprise a state of the data from the one or more blocks. The method further includes adding the witness block to the distributed system.

Inventors:
SCOTT, Glenn (2700 Coast Avenue, Mountain View, California, 94043, US)
GABRIEL, Michael R. (2700 Coast Avenue, Mountain View, California, 94043, US)
Application Number:
US2018/052344
Publication Date:
May 02, 2019
Filing Date:
September 24, 2018
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
INTUIT INC. (2700 Coast Avenue, Mountain View, California, 94043, US)
International Classes:
H04L29/08; H04L9/06
Domestic Patent References:
WO2000025235A12000-05-04
Foreign References:
US9774578B12017-09-26
US20170264428A12017-09-14
US20090228454A12009-09-10
US20080229037A12008-09-18
Attorney, Agent or Firm:
PATTERSON, B. Todd (PATTERSON + SHERIDAN, LLP24 Greenway Plaza, Suite 160, Houston Texas, 77046, US)
Download PDF:
Claims:
WHAT IS CLAIMED IS:

1. A computer-implemented method for managing data of an application, comprising:

scanning a distributed system to identify one or more blocks comprising data associated with the application;

generating a witness block based on the one or more blocks, wherein the witness block comprises a state of the data from the one or more blocks;

adding the witness block to the distributed system.

2. The computer-implemented method of claim 1 , further comprising: deleting the one or more blocks.

3. The computer-implemented method of claim 1 , further comprising: archiving the one or more blocks in a remote data store.

4. The computer-implemented method of claim 3, further comprising:

requesting the state of the data from the distributed system; and

receiving the state of the data and a proof from the distributed system.

5. The computer-implemented method of claim 4, wherein the proof comprises a root hash from the witness block.

8. The computer-implemented method of claim 5, further comprising:

confirming that the proof was received from the witness block;

computing a hash tree based on information associated with the state of the data; and

determining whether a root hash of the hash tree matches the proof.

7. The computer-implemented method of claim 1 , further comprising: replacing the one or more blocks with one or more null blocks, wherein the one or more null blocks comprise cryptographic link information from the one or more blocks, and wherein the one or more null blocks do not comprise the data from the one or more blocks.

8. The computer-implemented method of claim 7, further comprising:

identifying a plurality of null blocks; and

collapsing the plurality of null blocks into a single null block, wherein the single null block contains at least a portion of the cryptographic link information from the plurality of null blocks.

9. A computing device for managing data of an application, the computing device comprising:

a memory comprising computer-executable instructions; and

a processor configured to execute the computer-executable instructions and to cause the computing device to:

scan a distributed system to identify one or more blocks comprising data associated with the application;

generate a witness block based on the one or more blocks, wherein the witness block comprises a state of the data from the one or more blocks; and add the witness block to the distributed system.

10. The computing device of claim 9, wherein the processor is further configured to cause the computing device to: delete the one or more blocks.

1 1. The computing device of claim 9, wherein the processor is further configured to cause the computing device to: archive the one or more blocks in a remote data store.

The computing device of claim 1 1 , wherein the processor is further configured to the computing device to: request the state of the data from the distributed system; and

receive the state of the data and a proof from the distributed system.

13. The computing device of claim 12, wherein the proof comprises a root hash from the witness block.

14. The computing device of claim 13, wherein the processor is further configured to cause the computing device to:

confirm that the proof was received from the witness block;

compute a hash tree based on information associated with the state of the data; and

determine whether a root hash of the hash tree matches the proof.

15. The computing device of claim 9, wherein the processor is further configured to cause the computing device to: replace the one or more blocks with one or more null blocks, wherein the one or more null blocks comprise cryptographic link information from the one or more blocks, and wherein the one or more null blocks do not comprise the data from the one or more blocks.

16. The computing device of claim 15, wherein the processor is further configured to cause the computing device to:

identify a plurality of null blocks; and

collapse the plurality of null blocks into a single null block, wherein the single null block contains at least a portion of the cryptographic link information from the plurality of null blocks,

17. A non-transitory computer-readable medium comprising instructions that when executed by a computing device cause the computing device to perform a method for managing data of an application, comprising: scanning a distributed system to identify one or more blocks comprising data associated with the application;

generating a witness block based on the one or more blocks, wherein the witness block comprises a state of the data from the one or more blocks;

adding the witness block to the distributed system.

18. The non-transitory computer-readable medium of claim 17, wherein the method further comprises: deleting the one or more blocks.

19. The non-transitory computer-readable medium of claim 7, wherein the method further comprises: archiving the one or more blocks in a remote data store.

20. The non-transitory computer-readable medium of claim 19, wherein the method further comprises:

requesting the state of the data from the distributed system; and

receiving the state of the data and a proof from the distributed system.

21. The non-transitory computer-readable medium of claim 20, wherein the proof comprises a root hash from the witness block.

22. The non-transitory computer-readable medium of claim 21 , wherein the method further comprises:

confirming that the proof was received from the witness block;

computing a hash tree based on information associated with the state of the data; and

determining whether a root hash of the hash tree matches the proof.

23. The non-transitory computer-readable medium of claim 17, wherein the method further comprises: replacing the one or more blocks with one or more null blocks, wherein the one or more null blocks comprise cryptographic link information from the one or more blocks, and wherein the one or more null blocks do not comprise the data from the one or more blocks.

24. The non-transitory computer-readable medium of claim 23, wherein the method further comprises:

identifying a plurality of null blocks; and

collapsing the plurality of null blocks into a single null block, wherein the single null block contains at least a portion of the cryptographic link information from the plurality of null blocks.

Description:
WITNESS BLOCKS IN BLOCKCHAIN APPLICATIONS

Field

[0001] The present disclosure relates generally to techniques for improving the efficiency of storing and accessing application data in distributed systems, and more particularly to using witness blocks to represent the state of ail data related to an application that precedes the witness block in a distributed system.

Background

[00023 Distributed systems may comprise hash chains (e.g., blockchains), which are data structures that record data in a fashion analogous to a chain. Each update to the chain creates a new block containing the data and each block is linked to the previous block by a cryptographic function. Blocks are generally appended to the end of the chain and, once in the chain, resist modification so that the cryptographic links in the chain are preserved. Entities (e.g., applications) that receive data from blocks of the chain may check the cryptographic links to test the validity of the chain. Any modification of a block is detected and subject to remedial or other action. Hash chains are generally managed by peer-to-peer networks, which collectively adhere to an established protocol for validating each new block and are designed to be inherently resistant to modification of data. Once recorded, the data in any given block cannot be modified without the alteration of subsequent blocks and the involvement of the network.

[0003] A chain generally has no upper limit in its storage requirements. This means that, as blocks are appended, the chain grows without bound. As a result, a chain consumes an increasing amount of storage resources as it is updated. Furthermore, while chains may exist forever, applications and application execution do not, and, as a consequence, applications that store data on the chain may be required to scan the entire chain at least once (e.g., when they start) to establish with certainty the complete content or context of data relevant to the application. As chains increase in length, this process requires a corresponding increase in resources, including time and processing power.

SUMMARY

[0004] One embodiment presented herein includes a computer implemented method for managing data of an application. The method generally includes scanning a distributed system to identify one or more blocks comprising data associated with the application. The method further includes generating a witness block based on the one or more blocks, wherein the witness block comprises a state of the data from the one or more blocks. The method further includes adding the witness block to the distributed system.

[ooos] Additional embodiments include a computing device having a processor and a memory storing one or more application programs configured to perform the methods disclosed herein and a non-transitory computer-readable storage medium storing instructions, which when executed on a processor perform the methods disclosed herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[ooos] Figure 1 illustrates an example of a computing environment used for managing application data with witness blocks, according to one embodiment.

[0007] Figure 2 illustrates components of a data manager, according to one embodiment.

[ooos] Figure 3 illustrates example operations for managing application data with witness blocks, according to one embodiment.

[0009] Figure 4 illustrates additional example operations for managing application data with witness blocks, according to one embodiment. [0010] Figure 5 illustrates example operations for retrieving application data attested to by witness blocks, according to one embodiment.

[0011] Figure 6 illustrates an example computing system used for managing application data with witness blocks, according to one embodiment.

DETAILED DESCRIPTION

[0012] Embodiments presented herein provide techniques for managing application data in distributed systems. More specifically, embodiments presented herein involve the use of witness blocks in distributed systems to manage appiication data,

[0013] Application data may be maintained in a distributed system, such as a hash chain, which comprises a plurality of blocks. In some embodiments, the distributed system may maintain data associated with a single application, while in other embodiments the distributed system may maintain data associated with a plurality of applications. Every time an application writes a data update to the chain, it is appended as a new block. Each block may be resistant to modification and may contain cryptographic information that links to the preceding block and/or the subsequent block. Over time, it may become inefficient for an application to manage and access its data on the chain, as this may require frequently scanning through a very long chain to identify relevant data. As such, embodiments of the present disclosure involve the use of witness blocks that represent the state of some or all previous data on the chain relating to a particular application. References herein to the "state" of the data may be understood to refer to the current value(s) of the data associated with an application (e.g., the most current value of a user's home address stored on the chain, and the like).

[0014] According to one embodiment, an appiication may identify all blocks on a distributed system (e.g., a hash chain or blockchain) containing data related to the application. Based on these identified blocks, the application may then create a "witness block" that represents the state of all previous data related to the application on the chain. For example, the witness block may comprise all of the data from the identified blocks or, alternatively, may contain references to the identified blocks that contain the data. The application may then append the witness block to the end of the chain. The application may then be able to more efficiently access its data on the distributed system by retrieving the data from the witness block, and it will not have to search the entire chain to determine the state of relevant data.

[0015] In some embodiments, the previous blocks from which a witness block was created may be deleted, archived (e.g., in a storage location separate from the distributed system), or replaced (e.g., with null blocks, as described below) in order to improve storage efficiency. When multiple applications store data on the chain, for example, it may not be possible to delete blocks once a witness block has been created, as the blocks may be needed to verify the validity of other blocks in the chain (e.g., using the cryptographic link information that is stored in every block). As such, the blocks may instead be replaced with null blocks that do not contain the data from the original blocks, but only contain the cryptographic link information (e.g., a cryptographic function, such as a hash, in each block linking to the previous block in the chain) from the original blocks. In some embodiments, when a series of continuous blocks on the chain are attested to by witness blocks and/or have been replaced with null blocks, the blocks may be removed, archived, or collapsed (e.g., into a single null block containing cryptographic link information).

[0016] Creating a witness block may involve the creation of a hash tree (e.g., erkie tree) based on the blocks from which the witness block is generated. For example, each block may be hashed to form the bottom leaves of a tree structure. Each leaf pair may then be then combined and hashed to form the next tree layer. This may be repeated until a single root hash is created at the top. The root hash may then be stored in the witness block for the chain. To prove that a block was in the chain, the distributed system may send the block along with the adjacent leaves that lead up to the root hash. This may involve sending just two leaves (hashes) per level in the tree. The recipient (e.g., an application) can then confirm the block is correct by computing the block hash and re-computing the hash tree for the provided leaves. It the root hash matches the final hash, the block is proven to be correct, and a member of the witnessed chain. Other techniques for security and verification may be employed as well without departing from the scope of the present disclosure.

[0017] One of ordinary skill in the art will recognize that the techniques described herein may be adapted for use by a broad variety of software applications, online or web services, software features, or support services where data may be stored in a distributed system. Additionally, it should be noted that although, in certain examples described herein, particular computing devices or components are described as performing certain tasks (e.g., storing and identifying data, generating witness blocks, retrieving and validating data, etc.), such tasks may be performed by one or more additional local or remote computing devices or components (e.g., connected via a wired or wireless network).

[0018] Figure 1 illustrates an example of a computing environment 100 used to manage application data with witness blocks, according to embodiments of the present disclosure. As shown, the computing environment 100 includes device 120, distributed system 130, and data store 140, connected via network 10. The network 1 10, in general, may be a wide area network (WAN), local area network (LAN), wireless LAN (WLAN), personal area network (PAN), a cellular network, etc. in a particular embodiment, the network 1 10 is the Internet.

[0019] Device 120 is representative of a computing system, such as a desktop or laptop computer, tablet, mobile phone, Internet of Things (loT) device, other smart device, or the like, which executes one or more applications that maintain data on distributed system 130 (which may, for example, comprise a hash chain or biockchain). For example, device 120 includes an application 122. The application 122 may be representative of a component of a client server application (or other distributed application), which can communicate with distributed system 130 over network 1 10. Application 122 may be a conventional software application (e.g., a tax preparation application) installed on device 120, and may communicate with distributed system 130 over network 1 10 in order to store, manage, and retrieve application data 134 stored in blocks 132a-n.

[0020] In one embodiment, application 122 communicates with distributed system 130 at run-time (e.g., over network 1 10 using a protocol such as TCP/IP). For example, application 122 may store its associated application data 134 in blocks 132a-n. Application data 134 may, for example, comprise data associated with the execution of application 122, such as user data. For example, block 132a may comprise a user's name, block 132b may comprise the user ' s address, block 132c may comprise the user's date of birth, block 132d may comprise an update to the user's address, and so on. Application 122 may then access application data 134 (e.g., the user ' s name, address, date of birth, etc.) as needed during execution (e.g., when application 122 is first launched, it may retrieve the state of all of its application data 134 from distributed system 130).

[0021] Application 122 comprises a data manager 124, which performs operations related to managing application data 134 using witness blocks, according to embodiments of the present disclosure. For example, data manager 124 may scan through blocks 132a-n in order to identify which blocks contain application data 134 (e.g., data relevant to application 122 rather than data associated with other applications). Data manager 124 may then create a witness block based on the identified blocks. For example, the witness block may comprise the state of all the application data 134 that was stored on the identified blocks of blocks 132a-n, which contain application data 134. In some embodiments, the application data 134 from the identified blocks is included in the witness block, while in other embodiments the witness block only contains references to the identified blocks containing application data 134.

[0022] In some embodiments, after creating a witness block based on one or more blocks, data manager 124 may move the one or more blocks to a separate remote storage (e.g., archiving the one or more blocks in data store 140) and use a hash tree to confirm the authenticity of the one or more blocks stored separately from distributed system 130. For example, data manager 124 may compute a hash free at the time of storage based on the one or more blocks, and store the root hash in the witness block. Later, when application data 134 is requested (e.g., by application 122), distributed system 130 may provide (e.g., through a service which retrieves data from separate storage such as data store 140) the data from the one or more blocks on data store 140 along with the root hash from the witness block as a "proof, so that data manager 124 may compute the hash tree from the one or more blocks and verify that it matches the root hash from the witness block. This allows for data stored separately from distributed system 130 to be verified using data known to be located on distributed system 130 (which is therefore trustworthy). In certain embodiments, if only a single block of the one or more blocks is returned to data manager 124 in response to a request for data (e.g., distributed system 130 only retrieves and returns a single block from data store 140 containing the requested data), distributed system 130 may retrieve and return the adjacent "leaves" leading up to the root hash in the hash tree (e.g., the two blocks adjacent to the single block, each of which includes a hash). Data manager 124 may then compute the root hash using the adjacent leaves and verify that it matches the root hash received from the witness block. This allows for improved efficiency, as distributed system 130 does not have to retrieve ail of the blocks, but only the block containing the requested data and the blocks comprising the two adjacent "leaves " from the hash tree.

[0023] In certain embodiments, data manager 124 may perform actions to clean up the chain after creating a witness block and appending it to the chain. For example, if the chain only stores data associated with one application (e.g., application 122), then data manager 124 may delete or archive (e.g., to data store 140 as described above) the identified blocks (which may comprise all previous blocks in the chain), as they would all be attested to by the witness block. In other embodiments, such as when the chain stores data associated with multiple applications, data manager 12 may leave the identified blocks in place or, alternatively, replace them with null blocks including only the cryptographic link information from the identified blocks for security and verification purposes. In some embodiments, when a segment of the oldest part of the chain is attested to by witness blocks, that portion of the chain is superfluous and eligible for removal or archival. Furthermore, in certain embodiments, a continuous series of null blocks and/or other blocks, which are attested to by witness blocks (without any interstitial blocks that are not attested to by witness blocks, such as blocks comprising data related to other applications which have not been used to create witness blocks), may be collapsed into a single null block that contains cryptographic link information from all of the collapsed blocks, or at least cryptographic link information from the first and last block of the continuous series for security and verification purposes.

[0024] Distributed system 130 may comprise one or a plurality of devices (e.g., separate computing systems such as servers) sharing resources and capabilities in order to provide users with a single and integrated coherent network comprising blocks 132a-n. In some embodiments, distributed system 130 comprises a hash chain, such as a blockchain. Blocks 132a-n may, for example, comprise blocks in a blockchain. Application data 134 may, for example, comprise data associated with application 122, and is stored on one or more of blocks 132a-n. Distributed system 130 may manage the addition and removal of blocks 132a-n from the chain using any number of techniques known in the art, such as a consensus protocol or trusted authority, in certain embodiments, for example "miners" may be employed, as is known in the art, to ensure the integrity of modifications to the chain. Distributed system 130 may return application data 134 in response to requests (e.g., from application 122), and may also include cryptographic link information from one or more blocks 132 that were the source of requested data in the response for security and verification purposes. Distributed system 130 may also include root hashes, hash trees, and other relevant information in a response.

[0025] Data store 140 may comprise a physical or virtual storage entity, and may comprise one or more local or remote components. In certain embodiments, for example, data manager 124 may store one or more of blocks 132a-n in data store 140 (e.g., for the purpose of archiving the blocks so that they may be removed or replaced on distributed system 130) after creating a witness block based on the one or more of blocks 132a-n. As described herein, data manager 124 may compute a hash tree based on the one or more of blocks 132a-n and thereafter store the roof hash in the witness block. When, for example, application 122 retrieves the archived blocks from data store 140 (e.g., through a service of distributed system 130), distributed system 130 will also return the root hash from the witness block so that the application may compute the hash tree from the archived blocks and determine whether the root hash of the computed hash tree matches the root hash received from the witness block. As such, application 122 (or another requesting entity) is able to determine the authenticity of archived blocks which are stored separately from distributed system 130 using information stored on distributed system 130.

[0026] Embodiments of the present disclosure improve the functioning of computing devices, such as Device 120, and applications running on those devices by reducing the processing power and time required to locate and retrieve relevant application data as needed during execution of applications, which may beneficially increase the battery life and other performance characteristics of such devices. In fact, such devices may be able to use lower-power and less expensive processing hardware or may run faster using standard hardware. Furthermore, the ability to optimize a distributed system (e.g., a hash chain) by, for example, removing, archiving, collapsing, or replacing blocks in the distributed system with null blocks, may improve storage efficiency and thereby lower storage requirements for the device. Additionally, reducing the amount of distributed system data (e.g., the number of blocks) that may need to be accessed via Network 1 10 may improve the utilization of network resources (e.g., data used by the device). Advantageously, by "cleaning up" a distributed system (e.g., a hash chain), embodiments of the present disclosure may result in fewer cryptographic calculation operations, thereby improving both processing and power efficiency of computing devices involved. Techniques described herein may therefore allow for distributed systems to more effectively maintain data associated with one or more applications. [0027] Figure 2 illustrates components of data manager 124 described relative to Figure 1 , according to one embodiment. As shown, the data manager 124 comprises a block searcher 210, a witness generator 220, a block manager 230, and a block validator 240. Each of these components may perform functions of data manager 124 associated with techniques described above. In other embodiments, the functions of data manager 124 may alternatively by performed by any number of local or remote components.

[0028] For example, block searcher 210 may search through blocks 132a-n of distributed system 130 in order to identify blocks containing application data 134 relating to application 122. This may be done, for example, when application 122 is first launched or at some other time during execution of application 122. In certain embodiments, block searcher 210 may identify one or more existing witness blocks containing application data 134, and may include these existing witness blocks as identified blocks for the creation of the new witness block. Once block searcher 210 has identified blocks containing application data 134, block searcher 210 may then provide the identified blocks to witness generator 220, which may generate one or more witness blocks that represent the state of the application data 134 from the identified blocks. For example, witness generator 220 may include ail of the application data 134 from the identified blocks in one or more witness blocks. Alternatively, witness generator 220 may include references to the identified blocks in a witness block, in alternative embodiments, witness generator 220 may generate more than one witness block based on the identified blocks (e.g., the identified blocks may be broken up into groups, and each group may be attested to by a witness block). In some embodiments, witness generator 220 may also generate a hash tree based on the identified blocks, storing the root hash in the witness block so that the identified blocks can be moved to separate storage (e.g., data store 140) and still be authenticated. Once the witness block has been generated, witness generator 220 may provide the witness block to distributed system 130 to be appended to the chain. [0029] Block manager 230 may manage identified blocks after they have been used to generate a witness block that has been appended to the chain of distributed system 130. For example, block manager 230 may remove, archive, collapse, or replace the identified blocks with null blocks (e.g., containing only cryptographic link information) as appropriate under the circumstances (e.g., based on whether distributed system 130 maintains data associated with other applications and/or whether there is a series of continuous blocks that are represented by witness blocks or replaced by null blocks).

[0030] Block validator 240 may validate data received from distributed system 130 (e.g., in response to a request sent from application 122 for application data 134, such as when application 122 is first launched or at another time during execution of application 122). For example, block validator 240 may compute a hash tree based on information received from distributed system 130 and use it to determine whether a root hash received from distributed system 130 is accurate.

[0031] Figure 3 illustrates example operations 300 for managing application data with witness blocks, according to one embodiment. Operations 300 may be performed, for example, by data manager 124 of device 120.

[0032] At 310 data manager 124 identifies blocks of distributed system 130 containing data associated with application 122. For example, operation 310 may be performed by data manager 124 when application 122 is launched or at some other time during execution of application 122.

[0033] At 320, data manager 124 creates a witness block based on the blocks identified at 310. For example, data manager 124 may generate a witness block containing the application data 124 from the identified blocks or, alternatively, references to the identified blocks, in some embodiments, data manager 124 may further generate a hash tree based on the identified blocks, and store the root hash in the witness block to be used later for security and verification purposes when data from the witness block is requested from distributed system 130. [0034] At 330, data manager 124 provides the witness block to distributed system 130 to be appended to the chain. In some embodiments, for example, the witness block may be signed by an entity entrusted with creating witness blocks in order to confirm its authenticity. In other embodiments, the witness block may be ratified by a consensus protocol that governs content on the chain of distributed system 140. This consensus protocol may, for example, ensure that the witness block represents the state of all application data 134 from ail previous blocks in the chain that relate to the application 122, and that any distributed copies of the chain are updated at the same time (e.g., using techniques known in the art).

[0035] At 340, data manager 124 determines how to handle the identified blocks. For example, data manager 124 may determine whether to remove, archive, collapse, leave the blocks alone, and/or replace the identified blocks with null blocks. Operation 340 will be described in more detail below with respect to Figure 4.

[0036] Figure 4 illustrates additional example operations 400 for managing application data with witness blocks, according to one embodiment. Operations 400 may be performed, for instance, by data manager 124 after operations 300 have been completed (or as part of operation 340).

[0037] At 410, data manager 124 determines whether distributed system 130 contains data from other applications besides application 122. For example, data manager 124 may scan distributed system 130 to identify blocks containing data associated with other applications. If distributed system 130 does not contain data from other applications (e.g., the chain on distributed system 130 only includes application data 134 from application 122), then operations continue at 450. Otherwise, operations continue at 420.

[0038] At 420, data manager 124 determines whether the identified blocks (e.g., the blocks identified at step 310 in Figure 3) and the witness block are continuous (e.g., whether there are any interstitial blocks associated with other applications), if the identified blocks and witness block are continuous, then operations continue at 450. Otherwise, operations continue at 430.

[0039] At 430, data manager 124 replaces the identified blocks with null blocks containing only the cryptographic link information from the identified blocks. This allows for the integrity of the chain to be verified by requesting entities, but frees up some storage space by removing the data previously stored in the identified blocks. Alternatively, the identified blocks may be left alone. In both cases, the integrity of the chain will be attested to by cryptographic link information.

[0040] At 440, data manager 124 collapses any continuous null blocks (e.g., any series of null blocks not interrupted by interstitial blocks) into a single null block. For example, the single null block may contain the cryptographic link information from some or all of the null blocks that are collapsed. This allows for improved storage efficiency (e.g., of distributed system 130) while still maintaining the integrity of the chain's cryptographic link information for security and verification purposes.

[0041] At 450 (following either 410 or 420 above), data manager 124 removes, archives, replaces, and/or collapses the identified blocks. This step is reached only if distributed system 130 only contains data from one application (e.g., "no" at 410) or if the identified blocks and the witness block are continuous (e.g., "yes" at 420). In these cases, the identified blocks do not need to be left on the chain (or replaced with null blocks) to preserve the integrity of the chain, as there are no interstitial blocks that would rely on cryptographic link information from the identified blocks. As such, the identified blocks can be handled in a plurality of different ways as appropriate (e.g., removal, archival, replacement, or collapse). This may improve the storage efficiency of the chain by reducing the number of blocks storing application data 134 and removing redundancy.

[0042] Figure 5 illustrates additional example operations 500 for retrieving and verifying application data attested to by witness blocks when the application data is stored separately from distributed system 130, according to embodiments of the present disclosure. Operations 500 may be performed, for instance, by data manager 124 when application data 134 is needed by application 122 (e.g., at startup or at some other point during runtime).

[0043] At 510, data manager 124 requests application data 134 from distributed system 130. This may, for example, comprise a request for some or ail of application data 134 as applicable under the circumstances.

[0044] At 520, data manager 124 receives the requested application data 134, retrieved by distributed system 130 from one or more archived blocks on data store 140, as a response from distributed system 130. The response may also include a root hash (e.g., from the witness block) as a "proof of the authenticity of the one or more archived blocks which are stored separately from distributed system 130.

[0045] At 530, data manager 124 confirms that the root hash is from a witness block on distributed system 130. This may be accomplished, for example, using a binary or O(n) search, as is known in the art, or any other method of searching distributed system 130 to confirm that the root hash is present in the witness block.

[0048] At 540, data manager 124 computes a hash tree based on the one or more archived blocks, comparing the root hash of the computed hash free to the root hash (e.g., the proof) received from the witness block to confirm that the one or more archived blocks are valid. For example, data manager 124 may calculate the hash tree using adjacent leaf information of the one or more archived blocks received from distributed system 130 (e.g., the one or more archived blocks may be retrieved by distributed system 130 from data store 140 and provided to data manager 124 by distributed system 130) and determine whether the results of the calculation match the root hash (e.g., the proof) received from the witness block, if data manager 124 determines that the root hashes match, then the received application data 134 can be trusted for use by application 122. Otherwise, the received application data 134 may, for example, be discarded. [0047] Figure 6 illustrates an example development system in which data management using witness blocks may be performed, according to embodiments of the present disclosure. As shown, the system 600 includes, without limitation, a central processing unit (CPU) 602, one or more I/O device interfaces 604, which may allow for the connection of various I/O devices 614 (e.g., keyboards, displays, mouse devices, pen input, touch screens, microphones, cameras, etc.) to the system 600, network interface 606, a memory 608, storage 610, and an interconnect 612 (e.g., a bus).

[0048] CPU 602 may retrieve and execute programming instructions stored in the memory 608. Similarly, the CPU 602 may retrieve and store application data residing in the memory 608. The interconnect 612 transmits programming instructions and application data, among the CPU 602, I/O device interface 604, network interface 606, memory 608, and storage 610. CPU 602 is included to be representative of a single CPU, multiple CPUs, a single CPU having multiple processing cores, and the like. Additionally, the memory 608 is included to be representative of a random access memory. Furthermore, the storage 610 may be a disk drive, solid state drive, or a collection of storage devices distributed across multiple storage systems. Although shown as a single unit, the storage 610 may be a combination of fixed and/or removable storage devices, such as fixed disc drives, removable memory cards or optical storage, network attached storage (NAS), or a storage area-network (SAN).

[0049] As shown, memory 608 includes an application 630, which may comprise a software application (e.g., local or distributed) which manages data remotely maintained on a distributed system, such as a hash chain (e.g., functionality described above with respect to Figures 1 -5). Application 630 may use witness blocks to manage its application data in order to improve efficiency as described herein. The application 630 in memory 608 may communicate with other devices (e.g., one or more devices associated with distributed system 130) over network 1 10 through network interface 606 (e.g., in order to store, manage, retrieve, and validate application data from blocks 132a-n). [0050] In the preceding, reference is made to embodiments presented in this disclosure. However, the scope of the present disclosure is not limited to specific described embodiments, instead, any combination of the following features and elements, whether related to different embodiments or not, is contemplated to implement and practice contemplated embodiments. Furthermore, although embodiments disclosed herein may achieve advantages over other possible solutions or over the prior art, whether or not a particular advantage is achieved by a given embodiment is not limiting of the scope of the present disclosure. Thus, the following aspects, features, embodiments and advantages are merely illustrative and are not considered elements or limitations of the appended claims except where explicitly recited in a claim(s).

[0051] Aspects of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Furthermore, aspects of the present disclosure may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.

[0052] Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples a computer readable storage medium include: an electrical connection having one or more wires, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the current context, a computer readable storage medium may be any tangible medium that can contain, or store a program.

[0053] While the foregoing is directed to embodiments of the present disclosure, other and further embodiments of the disclosure may be devised without departing from the basic scope thereof, and the scope thereof is determined by the claims that follow.