Matt Whitlock [ARCHIVE] on Nostr: 📅 Original date posted:2015-03-26 📝 Original message:Maybe I'm overlooking ...
📅 Original date posted:2015-03-26
📝 Original message:Maybe I'm overlooking something, but I've been watching this thread with increasing skepticism at the complexity of the offered solution. I don't understand why it needs to be so complex. I'd like to offer an alternative for your consideration...
Challenge:
"Send me: SHA256(SHA256(concatenation of N pseudo-randomly selected bytes from the block chain))."
Choose N such that it would be infeasible for the responding node to fetch all of the needed blocks in a short amount of time. In other words, assume that a node can seek to a given byte in a block stored on local disk much faster than it can download the entire block from a remote peer. This is almost certainly a safe assumption.
For example, choose N = 1024. Then the proving node needs to perform 1024 random reads from local disk. On spinning media, this is likely to take somewhere on the order of 15 seconds. Assuming blocks are averaging 500 KiB each, then 1024 blocks would comprise 500 MiB of data. Can 500 MiB be downloaded in 15 seconds? This data transfer rate is 280 Mbps. Almost certainly not possible. And if it is, just increase N. The challenge also becomes more difficult as average block size increases.
This challenge-response protocol relies on the lack of a "partial getdata" command in the Bitcoin protocol: a node cannot ask for only part of a block; it must ask for an entire block. Furthermore, nodes could ban other nodes for making too many random requests for blocks.
On Thursday, 26 March 2015, at 7:09 pm, Sergio Lerner wrote:
>
> > If I understand correctly, transforming raw blocks to keyed blocks
> > takes 512x longer than transforming keyed blocks back to raw. The key
> > is public, like the IP, or some other value which perhaps changes less
> > frequently.
> >
> Yes. I was thinking that the IP could be part of a first layer of
> encryption done to the blockchain data prior to the asymetric operation.
> That way the asymmetric operation can be the same for all users (no
> different primers for different IPs, and then the verifiers does not
> have to verify that a particular p is actually a pseudo-prime suitable
> for P.H. ) and the public exponent can be just 3.
>
> >
> >> Two protocols can be performed to prove local possession:
> >> 1. (prover and verifier pay a small cost) The verifier sends a seed to
> >> derive some n random indexes, and the prover must respond with the hash
> >> of the decrypted blocks within a certain time bound. Suppose that
> >> decryption of n blocks take 100 msec (+-100 msec of network jitter).
> >> Then an attacker must have a computer 50 faster to be able to
> >> consistently cheat. The last 50 blocks should not be part of the list to
> >> allow nodes to catch-up and encrypt the blocks in background.
> >>
> >
> > Can you clarify, the prover is hashing random blocks of *decrypted*,
> > as-in raw, blockchain data? What does this prove other than, perhaps,
> > fast random IO of the blockchain? (which is useful in its own right,
> > e.g. as a way to ensure only full-node IO-bound mining if baked into
> > the PoW)
> >
> > How is the verifier validating the response without possession of the
> > full blockchain?
>
> You're right, It is incorrect. Not the decrypted blocks must be sent,
> but the encrypted blocks. There correct protocol is this:
>
> 1. (prover and verifier pay a small cost) The verifier sends a seed to
> derive some n random indexes, and the prover must respond with the the
> encrypted blocks within a certain time bound. The verifier decrypts
> those blocks to check if they are part of the block-chain.
>
> But then there is this improvement which allows the verifier do detect
> non full-nodes with much less computation:
>
> 3. (prover pays a small cost, verifier smaller cost) The verifier asks
> the prover to send a Merkle tree root of hashes of encrypted blocks with
> N indexes selected by a psudo-random function seeded by a challenge
> value, where each encrypted-block is previously prefixed with the seed
> before being hashed (e.g. N=100). The verifier receives the Markle Root
> and performs a statistical test on the received information. From the N
> hashes blocks, it chooses M < N (e.g. M = 20), and asks the proved for
> the blocks at these indexes. The prover sends the blocks, the verifier
> validates the blocks by decrypting them and also verifies that the
> Merkle tree was well constructed for those block nodes. This proves with
> high probability that the Merkle tree was built on-the-fly and
> specifically for this challenge-response protocol.
>
> > I also wonder about the effect of spinning disk versus SSD. Seek time
> > for 1,000 random reads is either nearly zero or dominating depending
> > on the two modes. I wonder if a sequential read from a random index is
> > a possible trade-off,; it doesn't prove possession of the whole chain
> > nearly as well, but at least iowait converges significantly. Then
> > again, that presupposes a specific ordering on disk which might not
> > exist. In X years it will all be solid-state, so eventually it's moot.
> >
> Good idea.
>
> Also we don't need that every node implements the protocol, but only
> nodes that want to prove full-node-ness, such as the ones which want to
> receive bitnodes subsidy.
Published at
2023-06-07 15:32:02Event JSON
{
"id": "9717063b7de4e5a15d598d0c0496654f56e48d2e63815a58cf6fb6b3109f5ed2",
"pubkey": "f00d0858b09287e941ccbc491567cc70bdbc62d714628b167c1b76e7fef04d91",
"created_at": 1686151922,
"kind": 1,
"tags": [
[
"e",
"aec2e2b18209ddcfa5d1a18863a1af4d14b80da9d7f8b7d06dfabe62f3ba4546",
"",
"root"
],
[
"e",
"f7ce4608b4ebac0b3a4fc8c982ffcf6e34a2b66550000e2bbcf1492bf2342754",
"",
"reply"
],
[
"p",
"60f7a1f85420f38fa26db24af48330bd1800ed3bef3168454263dcfcef62a8ce"
]
],
"content": "📅 Original date posted:2015-03-26\n📝 Original message:Maybe I'm overlooking something, but I've been watching this thread with increasing skepticism at the complexity of the offered solution. I don't understand why it needs to be so complex. I'd like to offer an alternative for your consideration...\n\nChallenge:\n\"Send me: SHA256(SHA256(concatenation of N pseudo-randomly selected bytes from the block chain)).\"\n\nChoose N such that it would be infeasible for the responding node to fetch all of the needed blocks in a short amount of time. In other words, assume that a node can seek to a given byte in a block stored on local disk much faster than it can download the entire block from a remote peer. This is almost certainly a safe assumption.\n\nFor example, choose N = 1024. Then the proving node needs to perform 1024 random reads from local disk. On spinning media, this is likely to take somewhere on the order of 15 seconds. Assuming blocks are averaging 500 KiB each, then 1024 blocks would comprise 500 MiB of data. Can 500 MiB be downloaded in 15 seconds? This data transfer rate is 280 Mbps. Almost certainly not possible. And if it is, just increase N. The challenge also becomes more difficult as average block size increases.\n\nThis challenge-response protocol relies on the lack of a \"partial getdata\" command in the Bitcoin protocol: a node cannot ask for only part of a block; it must ask for an entire block. Furthermore, nodes could ban other nodes for making too many random requests for blocks.\n\n\nOn Thursday, 26 March 2015, at 7:09 pm, Sergio Lerner wrote:\n\u003e \n\u003e \u003e If I understand correctly, transforming raw blocks to keyed blocks\n\u003e \u003e takes 512x longer than transforming keyed blocks back to raw. The key\n\u003e \u003e is public, like the IP, or some other value which perhaps changes less\n\u003e \u003e frequently.\n\u003e \u003e\n\u003e Yes. I was thinking that the IP could be part of a first layer of\n\u003e encryption done to the blockchain data prior to the asymetric operation.\n\u003e That way the asymmetric operation can be the same for all users (no\n\u003e different primers for different IPs, and then the verifiers does not\n\u003e have to verify that a particular p is actually a pseudo-prime suitable\n\u003e for P.H. ) and the public exponent can be just 3.\n\u003e \n\u003e \u003e\n\u003e \u003e\u003e Two protocols can be performed to prove local possession:\n\u003e \u003e\u003e 1. (prover and verifier pay a small cost) The verifier sends a seed to\n\u003e \u003e\u003e derive some n random indexes, and the prover must respond with the hash\n\u003e \u003e\u003e of the decrypted blocks within a certain time bound. Suppose that\n\u003e \u003e\u003e decryption of n blocks take 100 msec (+-100 msec of network jitter).\n\u003e \u003e\u003e Then an attacker must have a computer 50 faster to be able to\n\u003e \u003e\u003e consistently cheat. The last 50 blocks should not be part of the list to\n\u003e \u003e\u003e allow nodes to catch-up and encrypt the blocks in background.\n\u003e \u003e\u003e\n\u003e \u003e\n\u003e \u003e Can you clarify, the prover is hashing random blocks of *decrypted*,\n\u003e \u003e as-in raw, blockchain data? What does this prove other than, perhaps,\n\u003e \u003e fast random IO of the blockchain? (which is useful in its own right,\n\u003e \u003e e.g. as a way to ensure only full-node IO-bound mining if baked into\n\u003e \u003e the PoW)\n\u003e \u003e\n\u003e \u003e How is the verifier validating the response without possession of the\n\u003e \u003e full blockchain?\n\u003e \n\u003e You're right, It is incorrect. Not the decrypted blocks must be sent,\n\u003e but the encrypted blocks. There correct protocol is this:\n\u003e \n\u003e 1. (prover and verifier pay a small cost) The verifier sends a seed to\n\u003e derive some n random indexes, and the prover must respond with the the\n\u003e encrypted blocks within a certain time bound. The verifier decrypts\n\u003e those blocks to check if they are part of the block-chain.\n\u003e \n\u003e But then there is this improvement which allows the verifier do detect\n\u003e non full-nodes with much less computation:\n\u003e \n\u003e 3. (prover pays a small cost, verifier smaller cost) The verifier asks\n\u003e the prover to send a Merkle tree root of hashes of encrypted blocks with\n\u003e N indexes selected by a psudo-random function seeded by a challenge\n\u003e value, where each encrypted-block is previously prefixed with the seed\n\u003e before being hashed (e.g. N=100). The verifier receives the Markle Root\n\u003e and performs a statistical test on the received information. From the N\n\u003e hashes blocks, it chooses M \u003c N (e.g. M = 20), and asks the proved for\n\u003e the blocks at these indexes. The prover sends the blocks, the verifier\n\u003e validates the blocks by decrypting them and also verifies that the\n\u003e Merkle tree was well constructed for those block nodes. This proves with\n\u003e high probability that the Merkle tree was built on-the-fly and\n\u003e specifically for this challenge-response protocol.\n\u003e \n\u003e \u003e I also wonder about the effect of spinning disk versus SSD. Seek time\n\u003e \u003e for 1,000 random reads is either nearly zero or dominating depending\n\u003e \u003e on the two modes. I wonder if a sequential read from a random index is\n\u003e \u003e a possible trade-off,; it doesn't prove possession of the whole chain\n\u003e \u003e nearly as well, but at least iowait converges significantly. Then\n\u003e \u003e again, that presupposes a specific ordering on disk which might not\n\u003e \u003e exist. In X years it will all be solid-state, so eventually it's moot.\n\u003e \u003e\n\u003e Good idea.\n\u003e \n\u003e Also we don't need that every node implements the protocol, but only\n\u003e nodes that want to prove full-node-ness, such as the ones which want to\n\u003e receive bitnodes subsidy.",
"sig": "139ca99134988a725f61eda408f8683ef75a9993ed9f7ab7db5e9fbc73fe2e60733ae663a0a1facc3926645969e67d1ea7abfed3f92d702b19beab5bd10ae975"
}