PoSt Committee: Proposal for PoSTs - New challenge methods & removing VDFs #61
Comments
Brian, thanks for writing this up.
I think we should think about this assumption. As Jeromy pointed out in this issue https://github.com/filecoin-project/research-private/issues/113
I can be wrong, but it seems to me that as it is the seed assumption (taking the seed from block round r-1) could lead to the first problem mentioned by @whyrusleeping . on the other hand, even going some time back in the chain could be a not that smart alternative, as stated in https://github.com/filecoin-project/research-private/issues/113
The miner
I say that because one of the reason why we were using VDF (concatenating them) was that we wanted to prevent a malicious miner to be able to wait until the last time-slot and generate all the challenges in one shot. |
Hey @bvohaska quick note here:
I really like the intuition behind this. Look forward to discuss this more! |
Extension to the above solutionThe previous solution only works for PoSTs where the total proving period is less than the expected SEAL time. An extended construction is presented here. Additions to the security modelSuppose a miner enters a contract where they must prove the existence of
ClarificationsThis protocol uses the term In step (1),
Between steps (2) and (3) there should be three additional steps, (2b) (2c) (2d) Updated Protocol
Additional assumptions:
For a given block round
For each
Once
If all PoST messages are to be sent together,
ConclusionFor a sufficiently small proving period (see notes above), a miner Since each PoST relies on a pseudo-random sampling of the Filecoin network, This construction is fairly general and should be modifiable to include other requirements and constraints as needed. ##Additional Protocol Notes:
|
|
Hi Brian,
You are 100% right when saying that it's impractical for an attacker to guess This attack would not be viable if any subset of 10 strings out of 15 gives the same result (and so the challenge generation is kind of deterministic, once you have 10 strings [basically no matter which 10 strings you have, you'll get the same Moreover, it seems to me that either we have a PoST/we go on chain every As an additional note, we could also make Seal-Stamp to go on-chain every I'm wondering if this can be overcome somehow, but it seems kind of inherent (if we don't use VDFs) Minor details:
I guess in 5. we are using |
Idea on the updated protocol@bvohaska and I discussed the updated protocol (find it below)
two considerations:
we would add also a verification of a proof made at the former step (sent along with strings used to get the challenges and their signatures). In this. If the proof does not verify/is missing or The intuition we had is that, if In this way (we have to double check), it seems that the only proof that need to be verified is the one at the very end. |
Progress on Committee sampling during research week in Madrid. We came up with a new method for sampling a seed in a committee. Writing up the new construction in the overleaf doc, next step is proving security |
Issues with this construction so far: Nodes must be paid or rewarded somehow (this can happen either through a payment or through power), this means that the list of elected committee must be reported on chain and for each there must be some form of status update. Considering ~20 users per committee every 10 mins, it would result in (20624 = 2,880) 2800 state updates per miner per day.. Next steps
|
@nicola: good point. One if the things we've been exploring is letting a committee vote on more than one challenge and reduce the number of updates. A small technical point, all updates happen at the end of the protocol and only once. So while there are quite a few state updates they happen only at the end of the protocol. This immediately spawns the question: "Then how do I get rewarded with Power if this reward is tied to a specific deal?". The best answer swe have so far are (1) a Power reward from participating in this committee should have a finite and constant TTL OR (2) perhaps the reward is a psudeo-FIL that allows the recipient to use the reward to reduce ping @zixuanzh and @whyrusleeping for a sanity check. |
For updates, @lucaniz, I, at al. were recently inspired to explore new threshold schemes that (1) don't need to particularly scalable beyond 30 participants. We're pretty excited about this. |
I don't have clear how your solution (1 and 2) and threshold schemes that can scale beyond 30 participants can solve the problem of having to pay/update power table for thousand of users |
@nicola: In short, we are trying to reduce the number of participants needed to make such a committee protocol work. In (1), we are making assumptions about the implementation for practicality. In (2), we are making assumptions about security for practicality. (1) Shrink the number of times an update is needed (but not the total amount of updates). This assumes that it is easier and faster to batch update any table. Given the assumed speed of updates to actors, a single batched update to 2k users should not be particularly expensive. (@frrist, @dignifiedquire: is this true in implementation?). The underlying assumption is that individual updates will be taxing on caching. (2) Shrink the total number of updates. Thresholding allows us to assume a 1-honest member security model. This changes the total number of participants needed to make the protocol robust against malicious activity. In this case, our new Chernoff bound would represent P(X > 1 honest) > 0.95. |
@nicola hoping to have something published internally by Friday. Publish externally a week or two later to allow for comments. |
Goals
Provide PoST with a reliable and verifiably-random challenge. This challenge must be verifiably random and uninfluenceable by some threshold of participants given by the security parameter
s
. i.e. a challenge can not be simulated or chosen by the miner generating the PoST or some threshold of miners who might collude with the PoST miner.Provide PoST a mechanism with which to provide time-boxing without the need for a VDF.
Context:
The goal of a Proof-of-SpaceTime (PoST) is to provide cryptographic assurance that a miner
m_i
has faithfully stored some dataDATA
for a period of timetime
. As part of the current Proof-of-Replication security model, it is assumed that there is no method by whichm_i
could have generated a PoST forDATA
without having continuously stored threshold percentage of that data; ideally this threshold percentagethres_store
would be 100%. In practice,thres_store
is tuned by some security parameters
and is related to the cryptographic internals of PoST. As such PoST, can be represented as a blackbox functionPoST
that takes a representation ofDATA
and a challengeC
,Out_post = PoST(C,DATA)
Either the
PoST
method or the challengeC
should provide a mechanism via which each PoST that minerm_i
generates is time-dependent. This should ensure thatm_i
should not be able to generate a valid PoST forDATA
outside of some time box. This is directly tied to storage contract that minerm_i
and some clientc_j
have agreed to on-chain as well as the amount of reward thatm_i
will receive over time from the aforementioned contract. An example of this might look like:Additionally, we require that
C
be randomly generated. This prevents a miner from exploiting the cryptographic internals of the PoST method.Current Method:
In order to generate a PoST a miner must
Out_vdf
of a VDF seeded with some on-chain value calledseed
Out_post = PoST(Out_vdf, DATA)
This method assumes that the VDF can not be cheated and
seed
was generated fairly.##Potential Issues:
C
. If a miner were able to manipulateC
, they might gain some advantage in generating a PoST. This would lead to that miner having an advantage in receiving rewards for successful PoSTs.##Solution:
Suppose,
m_i
inM
:M
is the set of miners who have been active in the lastw
block roundspk_i
in PK :PK
is the set of all public keys andpk_i
is the public key ofm_i
seed
is a value stored on-chainVRF_ski(pk_i, seed)
is a Verifiable Random Function generated fromseed
andpk_i
and committed tom_i
throughsk_i
map_k(x)
is a function that maps a stringx
to a set of minersM_k
:|M_k|
=k
and there exists some canonical ordering ofm_i
.thresh_k(s)
is a function that returns an integer less thank
given a security parameters
rounds_min(s)
Sign_sk_i(x)
is a signature ofx
using the secret keysk_i
of minerm_i
Assume,
seed
was generated verifiably randomly at block roundr-1
2/3
of miners inM
are honestThen,
For a given block round
r
with associatedseed
and PoST generating minerm_i
compute,(l, pi) = VRF_ski(pk_i, seed) : l is a random string generated by the VRF and pi is the VRF proof
M_k = {m_l0, m_l1, ..., m_lk} = map_k(l)
For each
m_li
inM_k
, request a random string returned as a tuple,(r_li, Sign_sk_li(r_li))
Once
m_i
has received greater thant = thresh_k(s)
responses, m_i computesH_i = H(r_l0 || r_l1 || ... || r_lt)
S_i = Sign_sk_li(H_i)
H_i
is now the random challenge used to generate a PoST of some data for block roundr
. Minerm_i
will now compute the PoST and compute,pi_post = PoST(H_i, DATA)
AggSig
= BLS Aggregation ofwith
Sign_ski(pi_post)`msg_onchain = {(r_li, ...,r_lt), Recvover,AggSig, pi_post}
Where
Recover
is a bit string that mapsm_li
to a bit inRecover
. If a bit inRecover
is set thenm_li
was included inH_i
in that order.Size(Recover) = Ceil(log2(t))
. Note thatr_li
can be small given some security parameters
.M_k
can be determined by verifiers by validating(l, pi)
and calculatingmap_k(l)
.By using a VRF in (1) to generate
M_k
via proxy (2), we can ensure that the minerm_i
can not choose which group of miners will participate in generating a random challengeH_i
. We have stated that at least2/3
of miners are honest by assumption. We must also state thatt
be sufficiently close tok
andk
be sufficiently large to ensure thatm_i
can not chooset
entities that could collude together to givem_i
and advantage. Note that it follows that if at lease of of thet
miners represented in (4) is honest, thenm_i
should not gain a sufficient advantage in choosing a PoST random challenge as the PoST could not be generated before the honestr_li
was received.Note on ensuring solution attacks are unsuccessful. Unlike Algorand, we may not wish to sort this partition (
sortition
in Algorand) via the Filecoin Power Table as high weight miners would receive disproportionately many requests for anr_li
. Instead we insist thatM
be chosen from the set of miners who (1) have nonzero power and (2) have participated in at least one of the lastrounds_min(s)
block rounds.Using the above construction for generating PoST challenges, we can utilize most of the security model from Algorand and apply it to a much smaller consensus-like problem for challenge generation. In this new model, we need to ensure with probability
p_thresh
that least one of the miners used inH_i
is honest. Given that2/3
miners are assumed to be honest andM_k
was sampled uniformly across a pool of miners with at least this level of honesty, we require that ,thresh_k(s) > 2/3*|M_k| + 1
This ensures that for any set of miners
M_thresh_k < M_k
, there will be at least one minerm_li
that is honest with a probabilityp_min
. This probability is to be explored in another document.Conclusion
thresh_k(s)
*len(r_i)
bits on-chain per PoST.r_i
is generated via (1). Each minerm_li
will usel
asr_i
. As a result, the block leader can perform compression of eachr_i
and store eachr_i
as a pointer to any PoSTs that minerm_li
may have generated at block roundr
. Furthermore, we could require thatM_k
be extracted from the list of miners who are expected to provide PoSTs at block roundr
. Though this list could be much smaller than theM_k
described in this document and may present issues in tuning the security parameters
.Related issues:
The text was updated successfully, but these errors were encountered: