Creator

Nicola

Created

Oct 25, 2023 11:33 PM

WIP

In this document we present a new security model for PoSt, the Hybrid PoSt model. The Hybrid model depends on both the cost and the latency model to be secure (differently from the status quo, which depends on either or the cost or the latency model to be secure).

Although at first, it could seem less secure, we show that it will lead to a much simpler protocol (no winningpost and no need to query every sector at windowpost) and to tunable security (without re-sealing).

Note: this is just an informational document, there is no plan to implement this.

Goals of Hybrid PoSt:

Separate the consensus step from the PoSt process for better modularity
Remove expensive WinningPoSt process
Avoid reading every sector at WindowPoSt

Doubly-Secure PoSt model

We call the current PoSt security model Doubly-Secure PoSt: PoSt is secure under either of the two: in other words, as long as either the cost assumptions or the latency assumptions are secure, then PoSt is secure.

SDR-PoRep secures the network in two different ways:

SDR in the Cost Model: The cost of regenerating an SDR sector is several orders of magnitude more expensive than storing, so it is rational to store the sector rather than regenerate in order to reply to the challenges at WindowPoSt.
SDR in the Latency Model: The time to regenerate an SDR sector is longer than the time to generate a block, so it is rational to store the sector rather than not in order to reply to challenges at WinningPoSt.

Hybrid PoSt model

We now present a stronger model (more assumptions!), the Hybrid PoSt: PoSt is secure only if both the cost assumption and the latency assumptions are correct.

The benefit of Hybrid PoSt model are that: (1) we can avoid running WinningPoSt and (2) we can avoid spinning disks for every sector at WindowPoSt.

Assumptions

Cost assumption: Assume that the regeneration attack for a sector is $R_{cost}$ , which is equivalent to the time to store a file for time $T$ (times a security parameter)
Latency assumption: Assume that regeneration attack takes at least $R_{lat}$

Hybrid WindowPoSt

Protocol

Enforce a minimum storage provider (SP) size of at least $S$ sectors
Once every $T$ a storage provider is queried on a constant number of sectors $C$ and must reply in time less than $R_{lat}$

Security

An adversary that deletes $D$ sectors:

The adversary will now succeed $(1-\frac{D}{S})^C$
(latency security) If challenged on those missing sectors, they will not be able to reply the challenges on time (since regeneration will take longer than the reply time).
(cost security) they could regenerate their sectors before seeing the challenges, but since they do not know which sector will be challenged, they must regenerate all of them - or most of them $D*R_{cost}$ .

Other considerations

This way of querying the sectors loses per-sector security (in other words, it not possible to know how many and which sectors are missing), and in order to get around this, we can still introduce an “all sectors proof”, similar to today’s windowpost, but with a different cadence (e.g. longer than once a day).
Since we are not spinning every sector, we can increase the challenge window to more often than once a day
$R_{lat}$ must be larger than it is today if we plan to use block-inclusion

Related work