πŸ˜Άβ€πŸŒ«οΈ

Proposal: Hybrid WindowPoSt - Remove WinningPoSt and avoid challenging all sectors at WindowPoSt

Creator
Nicola
Created
Oct 25, 2023 11:33 PM

WIP

In this document we present a new security model for PoSt, the Hybrid PoSt model. The Hybrid model depends on both the cost and the latency model to be secure (differently from the status quo, which depends on either or the cost or the latency model to be secure).

Although at first, it could seem less secure, we show that it will lead to a much simpler protocol (no winningpost and no need to query every sector at windowpost) and to tunable security (without re-sealing).

Note: this is just an informational document, there is no plan to implement this.

Goals of Hybrid PoSt:

  • Separate the consensus step from the PoSt process for better modularity
  • Remove expensive WinningPoSt process
  • Avoid reading every sector at WindowPoSt

Doubly-Secure PoSt model

We call the current PoSt security model Doubly-Secure PoSt: PoSt is secure under either of the two: in other words, as long as either the cost assumptions or the latency assumptions are secure, then PoSt is secure.

SDR-PoRep secures the network in two different ways:

  • SDR in the Cost Model: The cost of regenerating an SDR sector is several orders of magnitude more expensive than storing, so it is rational to store the sector rather than regenerate in order to reply to the challenges at WindowPoSt.
  • SDR in the Latency Model: The time to regenerate an SDR sector is longer than the time to generate a block, so it is rational to store the sector rather than not in order to reply to challenges at WinningPoSt.

Hybrid PoSt model

We now present a stronger model (more assumptions!), the Hybrid PoSt: PoSt is secure only if both the cost assumption and the latency assumptions are correct.

The benefit of Hybrid PoSt model are that: (1) we can avoid running WinningPoSt and (2) we can avoid spinning disks for every sector at WindowPoSt.

Assumptions

  • Cost assumption: Assume that the regeneration attack for a sector is RcostR_{cost}, which is equivalent to the time to store a file for time TT (times a security parameter)
  • Latency assumption: Assume that regeneration attack takes at least RlatR_{lat}

Hybrid WindowPoSt

Protocol

  • Enforce a minimum storage provider (SP) size of at least SS sectors
  • Once every TT a storage provider is queried on a constant number of sectors CC and must reply in time less than RlatR_{lat}

Security

  • An adversary that deletes DD sectors:
    • The adversary will now succeed (1βˆ’DS)C(1-\frac{D}{S})^C
    • (latency security) If challenged on those missing sectors, they will not be able to reply the challenges on time (since regeneration will take longer than the reply time).
    • (cost security) they could regenerate their sectors before seeing the challenges, but since they do not know which sector will be challenged, they must regenerate all of them - or most of them Dβˆ—RcostD*R_{cost}.

Other considerations

  • This way of querying the sectors loses per-sector security (in other words, it not possible to know how many and which sectors are missing), and in order to get around this, we can still introduce an β€œall sectors proof”, similar to today’s windowpost, but with a different cadence (e.g. longer than once a day).
  • Since we are not spinning every sector, we can increase the challenge window to more often than once a day
  • RlatR_{lat} must be larger than it is today if we plan to use block-inclusion

Related work

  • This document presents a WindowPoSt only proof with a constant number of challenges, if instead we are ok with WinningPoSt only, the Filecoin Theory paper has a write up for that construction, which is also in the Hybrid PoSt model (although I believe not defined there)

CryptoNet is a Protocol Labs initiative.