Non Interactive PoRep

Non Interactive PoRep

Creator
Luca
Created
Aug 28, 2023 7:44 AM
Project
Storage on-boarding
Stage
Draft
A new proof type which removes on-chain interaction simplifying the whole sealing pipeline and allowing for a real separation between storage and proving, without compromising security.

Quick Links

📊 Motivation

PoRep is currently interactive and it is composed by two steps: PreCommit and ProveCommit. At PreCommit SP put down a collateral and wait 150 epochs in order to receive a challenge seed from the chain which enables the ProveCommit step. This means that

  • Mining pipeline is not flexible. In order to add a sector to the network, that sector needs to be first precommited and ProveCommit needs to happen within a time window lasting MaxSectorDuration epochs.
  • Given PreCommit needs a collateral, there is no real possible trustless separation between the entity which stores the sector and the entity which actually proves it. This means that if anyone wants to outsource the task of proving a sector, then the entity which proves and the entity which outsource the task need to agree on who puts down the collateral (trusting the other part).

A first step to mitigate PoRep bottlenecks was the introduction of Synthetic PoRep. Nevertheless, if we really want to remove the aforementioned limitations, NI-PoRep is the way to go: indeed,

non interactive PoRep would remove the PreCommit step, without compromising security, allowing for a simplified pipeline which can reduce costs and enable a full separation between storage and proving. Note that this is particularly relevant now that we have SaaS and SN sealing software (see below).

🗺️ How to get there

There are two ways we can get NI-PoRep

♻️ Re-using existing circuits

🟢 Pros:

  • No new trusted setup needed ⇒ Fastest way to ship NI-PoRep

⚠️ Cons:

  • We have a linear blowup in public inputs which could result in 8x on-chain footprint
    • A way to de-risk input blowup effects is needed
✴️ Building new ad-hoc circuits

🟢 Pros:

  • We can try to use recursion to prevent input blowup effects

⚠️ Cons:

  • New trusted setup needed
  • More engineering work to build and audit the new circuits

as a result, this approach would require much more time to ship

In this doc, we assume to re-use existing circuits.

🚀 Impact on Filecoin

Why NI-PoRep in Filecoin?

Improvements of NI-PoRep vs status quo

⭐️ Cost Reduction: removing complexity reduces costs and enables the full potential of SN improvements
  • Removing interaction translates into a simplified pipeline
    • No PreCommit method and message, only ProveCommit will stay (only one method and one message needed to add sectors to the network);
    • No PCD (PreCommit Deposit)
      • In general, no ad-hoc deposit will be required for the PoRep step (InitialPledge will remain);
    • No waiting time between PreCommit and ProveCommit
  • Removing interaction translates into much more flexible pipeline
    • Sectors can se sealed and proved in a flexible way
      • SP can prove how many sector they want, whenever they are ready to do so
        • No fixed schedule to add sectors to the network
        • SP can follow their own sealing schedule according to their setup and prove sectors on-chain when ready

SN Improvements at full potential

  • Simplification of the pipeline and more flexible ProveCommit Step (i.e. “prove when you are ready”) would allow for maximizing sealing throughput
⭐️ Trustless SaaS Enabled
  • Removal of PCD allows for Proving and Storing to be now decoupled
    • SaaS would be possible in a trustless manner (low risk-low trust: sealer does not need to put down collateral that will need to be re-paid by buyers or buyer does not need to pre-pay this amount)
    • SaaS providers can delegate proving tasks. In particular, proving can be split into specialized subtasks which get outsourced to specialized entities (labeling the graph, Snarks, …)
    • Enabling HDD wholesale: it would be possible to receive brand new drives with Sector-Keys pre-generated in your name
⭐️ PoRep now secured Cryptographically and not Rationally
  • Chain cryptographic security gets increased: NI-PoRep would make misbehaving cryptographically infeasible rather than irrational
    • We can get more flexible/longer sector extensions. Nevertheless, we need to determine a good trade off.
      • It is true that as long as cryptographic assumption holds, PoRep is cryptographically secure, so in principle we could extend sectors lifetime for very long time window
      • On the other hand, it would not be a safe move to have sectors with a too long lifetime (like 10y) since technology advancement could make assumption which are currently solid to get weaken in such a long time window

⭐️ PoRep Security now independent from Consensus (i.e. consensus attacks are not a concern for PoRep anymore)
  • Current PoRep is interactive and needs to get randomness form the chain. Moreover, in order to be secure, 150 epochs are needed between PreCommit and ProveCommit. This is due to the fact that some Consensus attacks need to be infeasible (as putting those attacks in place would allow for faking storage). In NI-PoRep, since randomness is derived locally, there is no link anymore between PoRep and consensus attacks. This mean that
    • Consensus attacks are not a concern anymore for PoRep security
    • PoRep can now work “agnostically” with any consensus mechanism
    • L2 Filecoin protocol can use NI-PoRep independently from consensus
      • Can we enable other protocol to check in with Filecoin now?000
⭐️ Backward compatibility
  • NI-PoRep would be a separate proof type with a different on-chain flow as current PoRep
  • No need for a new trusted setup

🔥 Current Risks

(High) Resulting Gas costs should be analyzed and de-risked
  • Per sector resulting gas costs are likely to be higher than today (more inputs, more challenges, more snarks needed).
(Medium) Proving overhead can be a blocking factor for NI-PoRep
  • In order to preserve security NI-PoRep needs 8x challenges and a massive usage of Snarkpack. This translates to a ~8.7x proving overhead compared to today. Verification cost and proof size would be comparable to today.

Possible mitigations

  • SN improvements on C2 seem to get a 10x cost savings wrt today.If this is the case, we’d have NI-PoRep to have a similar cost cost as current PoRep (it would actually be a bit cheaper)
  • We know there is a market of Ethereum miners providing snark computation at competitive price (some entities in the community are already profiting by this fact).
(Medium) BatchBalancer need not to be applied to batching operations within the same sector
  • If BatchBalancer applies to the proof aggregation within the same sector (as we’d to with NI-PoRep), then NI-PoRep gas cost per sector would be 10x the current one
    • We need to be sure batch balancer only depends on the total number of different sectors and not on the number of aggregated proofs
(Low) Some proof parameters and the way they are employed need to be checked and eventually adjusted to NI-PoRep
  • Current PoRep comes with a set of parameters which with NI-Porep would become
    • Unnecessary, like MaxSectorDuration
    • Difficult to validate, like SectorRandomness, which anchors the sector with consensus

      • Given those parameters are used and checked in the protocol, we need to be sure that

    • We can guarantee the same functionalities we have today
    • We make the adjustment which are needed in order for NI-PoRep to work properly

🥜 NI PoRep Protocol in a nutshell

NI-PoRep protocol can be summarized as follows:

Graph Labelling and commitments (similar to the current PC1 and PC2 computation)

  1. Using ReplicaID (which contains CommD), SP computes the labels for all layers and the replica R;
  2. SP compute the column commitments CommC , CommRLast and finally computes CommR=Poseidon_2(CommC, CommRLast);

Storage Provider locally generates NI_ChallengesNumber challenges and vanilla proofs;

  1. Each challenge is of the form ch_i = H(prefix, commR, tag, i);
  2. SP computes responses for all the NI_ChallengesNumber challenges, which result in  NI_ChallengesNumber vanilla proofs;

Storage Provider publishes the new NI_ProveCommitSector proof

  1. SP takes the NI_ChallengesNumber vanilla proofs and computes the corresponding SNARK proofs for these challenges.
  2. SP publishes the snark and commitment CommR (either in individual or aggregated form).
    1. Note in this step the SP will, by default, use the SnarkPack aggregation technique to prove even only one sector (see “product considerations” section for the motivation).

Chain verifies proof

  1. Using CommR as a seed, the chain generates NI_ChallengesNumber challenges and this are fed into proof verification

🛑 NI-PoRep Security Considerations

NI-PoRep is based on the well-known Fiat-Shamir Heuristic, which allows for having a non interactive protocol starting from any 3-message interactive protocol. However, the heuristic requires the interactive protocol to have at least 80 bits of security (instead of the current 10). This means that for NI-PoRep we need 8x challenges compared to the current interactive PoRep protocol to ensure no loss in security with respect to the status quo. Therefore NI_ChallengesNumber = 1408.

🔀 Which Proof System for NI-PoRep? Groth16 Vs Nova

Dealing with NI-PoRep Challenges using Groth16

Using Groth16 to prove NI-PoRep’s 1408 challenges requires generating 79 Groth16 PoRep proofs; each proof having 18 public inputs dedicated to challenges (resulting in a 1422 total challenge public inputs per NI-PoRep). Using SnarkPack, these 79 proofs can be aggregated into a single proof (see a more detailed analysis in

).

Dealing with NI-PoRep Challenges using Nova

Using Nova to prove NI-PoRep would produce a single Nova proof per NI-PoRep (this proof may or may not be smaller than 79 Groth16 proofs, but not smaller than a single SnarkPack proof) and would require the generation of slightly fewer challenge public inputs (1408, versus Groth16’s 1422) by the verifier. Because Nova does not require a trusted setup, the PoRep circuit can be augmented to include in-circuit challenge generation, thus reducing the out-of-circuit challenge generation work performed by the verifier.

If challenges are computed in-circuit using  a circuit-friendly hash function (e.g. Poseidon), the increase in Nova’s proving/verifying time would be marginal (according to FilCrypto Intuition) and would remove almost all challenge public inputs (the tag and challenge_index used in NI-PoRep challenge generation may each require a public input, thus reducing the number of challenge public inputs from 1408 to 2).

Nova Pros and Cons

Nova proving is faster than the current (i.e. non-SupraSeal) Groth16, whereas its verification time is slower than both Groth16 and SnarkPack (however verifying a single Nova proof may be on-par with, or faster than, verifying 79 Groth16 proofs). Nova’s proving time versus SupraSeal has yet to be benchmarked.

A drawback to Nova is that it uses different curve groups and fields than Groth16, thus any sector sealed using Nova NI-PoRep would require also using Nova for PoSt.

🎯 Workplan (TBD)

📈 Progress so far

👥 People

  • Research:
    • Luca
    • TBD
  • Engineering:
    • FilCrypto
  • PM
    • Jennifer (?)

Technical Analysis

🛢️
Interactive/Non Interactive-PoRep Gas Cost Comparison

Meeting Notes

Meeting Notes Sept 12 Kuba, Luca
Meeting notes Sept 19th

CryptoNet is a Protocol Labs initiative.