đ
Original date posted:2015-03-24
đ Original message:On Mon, 16 Mar 2015 09:29:03 -0700, Sergio Lerner
<sergiolerner at certimix.com> wrote:
> I proposed a (what I think) is better protocol for Proof of Storage that
> I call "Proof of Local storage" here
> https://bitslog.wordpress.com/2014/11/03/proof-of-local-blockchain-storage/
Thanks so much for publishing this. It could be useful in any application
to try to prove a keyed copy of some data.
If I understand correctly, transforming raw blocks to keyed blocks takes
512x longer than transforming keyed blocks back to raw. The key is public,
like the IP, or some other value which perhaps changes less frequently.
The verifier keeps blocks in the keyed format, and can decrypt quickly to
provide raw data, or use the keyed data for hashing to try to demonstrate
they have a pre-keyed copy.
>
> Two protocols can be performed to prove local possession:
> 1. (prover and verifier pay a small cost) The verifier sends a seed to
> derive some n random indexes, and the prover must respond with the hash
> of the decrypted blocks within a certain time bound. Suppose that
> decryption of n blocks take 100 msec (+-100 msec of network jitter).
> Then an attacker must have a computer 50 faster to be able to
> consistently cheat. The last 50 blocks should not be part of the list to
> allow nodes to catch-up and encrypt the blocks in background.
>
Can you clarify, the prover is hashing random blocks of *decrypted*, as-in
raw, blockchain data? What does this prove other than, perhaps, fast
random IO of the blockchain? (which is useful in its own right, e.g. as a
way to ensure only full-node IO-bound mining if baked into the PoW)
How is the verifier validating the response without possession of the full
blockchain?
> 2. (prover pay a high cost, verified pays negligible cost). The verifier
> chooses a seed n, and then pre-computes the encrypted blocks derived
> from the seed using the prover's IP. Then the verifier sends the seed,
> and the prover must respond with the hash of the encrypted blocks within
> a certain time bound. The proved does not require to do any PH
> decryption, just take the encrypted blocks for indexes derived from the
> seed, hash them and send the hash back to the verifier. The verifier
> validates the time bound and the hash.
The challenger requests a hash-sum of a random sequence of indices of the
keyed data, based on a challenge seed. So in a few bytes round-trip we can
see how fast the computation is completed. If the data is already keyed,
the hash of 1,000 random 1024-bit blocks should come back much faster than
if the data needs to be keyed on-the-fly.
To verify the response, the challenger would have to use the peer's
identity key and perform the slower transforms on those same 1,000 blocks
and see that the result matches, so cost to challenger is higher than
prover, assuming they actually do the computation.
Which brings up a good tweak, a full-node challenger could have to do the
computation first, then also include something like HMAC(identityKey,
expectedResult). The prover could then know if the challenger was honest
before returning a result, and blacklist them if not.
>
> Both protocols can me made available by the client, under different
> states. For instance, new nodes are only allowed to request protocol 2
> (and so they get an initial assurance their are connecting to
> full-nodes). After a first-time mutual authentication, they are allowed
> to periodically perform protocol 1. Also new nodes may be allowed to
> perform protocol 1 with a small index set, and increase the index set
> over time, to get higher confidence.
I guess a new-node could see if different servers all returned the same
challenge response, but they would have no way to know if the challenge
response was technically correct, or sybil.
I also wonder about the effect of spinning disk versus SSD. Seek time for
1,000 random reads is either nearly zero or dominating depending on the
two modes. I wonder if a sequential read from a random index is a possible
trade-off,; it doesn't prove possession of the whole chain nearly as well,
but at least iowait converges significantly. Then again, that presupposes
a specific ordering on disk which might not exist. In X years it will all
be solid-state, so eventually it's moot.
Jeremy Spilman [ARCHIVE] /
npub10eâŚjc727
2023-06-07 15:32:01
in reply to nevent1qâŚdczs
Author Public Key
npub10etkvm8l0jr0jsgdx02dxnhnu5g989dnca90guj5rklwkaplnh3sgjc727Published at
2023-06-07 15:32:01Event JSON
{
"id": "3b6086a66a2c59f2731354b64f29ae48e786347d21dbb1d5d0c2a85ff521abac",
"pubkey": "7e57666cff7c86f9410d33d4d34ef3e5105395b3c74af472541dbeeb743f9de3",
"created_at": 1686151921,
"kind": 1,
"tags": [
[
"e",
"aec2e2b18209ddcfa5d1a18863a1af4d14b80da9d7f8b7d06dfabe62f3ba4546",
"",
"root"
],
[
"e",
"802220a3ae71e1a7df1c8416cd9d73a9e44144dd883d827eecab9f434882d1fc",
"",
"reply"
],
[
"p",
"60f7a1f85420f38fa26db24af48330bd1800ed3bef3168454263dcfcef62a8ce"
]
],
"content": "đ
Original date posted:2015-03-24\nđ Original message:On Mon, 16 Mar 2015 09:29:03 -0700, Sergio Lerner \n\u003csergiolerner at certimix.com\u003e wrote:\n\u003e I proposed a (what I think) is better protocol for Proof of Storage that\n\u003e I call \"Proof of Local storage\" here\n\u003e https://bitslog.wordpress.com/2014/11/03/proof-of-local-blockchain-storage/\n\nThanks so much for publishing this. It could be useful in any application \nto try to prove a keyed copy of some data.\n\nIf I understand correctly, transforming raw blocks to keyed blocks takes \n512x longer than transforming keyed blocks back to raw. The key is public, \nlike the IP, or some other value which perhaps changes less frequently.\n\nThe verifier keeps blocks in the keyed format, and can decrypt quickly to \nprovide raw data, or use the keyed data for hashing to try to demonstrate \nthey have a pre-keyed copy.\n\n\u003e\n\u003e Two protocols can be performed to prove local possession:\n\u003e 1. (prover and verifier pay a small cost) The verifier sends a seed to\n\u003e derive some n random indexes, and the prover must respond with the hash\n\u003e of the decrypted blocks within a certain time bound. Suppose that\n\u003e decryption of n blocks take 100 msec (+-100 msec of network jitter).\n\u003e Then an attacker must have a computer 50 faster to be able to\n\u003e consistently cheat. The last 50 blocks should not be part of the list to\n\u003e allow nodes to catch-up and encrypt the blocks in background.\n\u003e\n\nCan you clarify, the prover is hashing random blocks of *decrypted*, as-in \nraw, blockchain data? What does this prove other than, perhaps, fast \nrandom IO of the blockchain? (which is useful in its own right, e.g. as a \nway to ensure only full-node IO-bound mining if baked into the PoW)\n\nHow is the verifier validating the response without possession of the full \nblockchain?\n\n\u003e 2. (prover pay a high cost, verified pays negligible cost). The verifier\n\u003e chooses a seed n, and then pre-computes the encrypted blocks derived\n\u003e from the seed using the prover's IP. Then the verifier sends the seed,\n\u003e and the prover must respond with the hash of the encrypted blocks within\n\u003e a certain time bound. The proved does not require to do any PH\n\u003e decryption, just take the encrypted blocks for indexes derived from the\n\u003e seed, hash them and send the hash back to the verifier. The verifier\n\u003e validates the time bound and the hash.\n\nThe challenger requests a hash-sum of a random sequence of indices of the \nkeyed data, based on a challenge seed. So in a few bytes round-trip we can \nsee how fast the computation is completed. If the data is already keyed, \nthe hash of 1,000 random 1024-bit blocks should come back much faster than \nif the data needs to be keyed on-the-fly.\n\nTo verify the response, the challenger would have to use the peer's \nidentity key and perform the slower transforms on those same 1,000 blocks \nand see that the result matches, so cost to challenger is higher than \nprover, assuming they actually do the computation.\n\nWhich brings up a good tweak, a full-node challenger could have to do the \ncomputation first, then also include something like HMAC(identityKey, \nexpectedResult). The prover could then know if the challenger was honest \nbefore returning a result, and blacklist them if not.\n\n\u003e\n\u003e Both protocols can me made available by the client, under different\n\u003e states. For instance, new nodes are only allowed to request protocol 2\n\u003e (and so they get an initial assurance their are connecting to\n\u003e full-nodes). After a first-time mutual authentication, they are allowed\n\u003e to periodically perform protocol 1. Also new nodes may be allowed to\n\u003e perform protocol 1 with a small index set, and increase the index set\n\u003e over time, to get higher confidence.\n\nI guess a new-node could see if different servers all returned the same \nchallenge response, but they would have no way to know if the challenge \nresponse was technically correct, or sybil.\n\nI also wonder about the effect of spinning disk versus SSD. Seek time for \n1,000 random reads is either nearly zero or dominating depending on the \ntwo modes. I wonder if a sequential read from a random index is a possible \ntrade-off,; it doesn't prove possession of the whole chain nearly as well, \nbut at least iowait converges significantly. Then again, that presupposes \na specific ordering on disk which might not exist. In X years it will all \nbe solid-state, so eventually it's moot.",
"sig": "b59d978da0f243ea7eb0fe41ac44421c7a473928199c37e332519f693f51071ac4c1559f3b848c9aad05f1e4c16331ede2d76dce7b94717c3f4f30fb3c863f67"
}