Proofs of Space 徐昊 2017/5/31
1 Introduction
Proofs of Work(PoW)
Proofs of Space(PoS) The general principle of PoW is showing that one invested a non-trivial amount of effort. In PoS, the resource is disk space. Users often have some free disk space available, and in this case using a PoS is essentially for free. A PoS is protocol between a prover P and a verifier V Two phases: initialization phase and execution phase
Example The verifier V is an organization that offers a free email service. To prevent spamming, V requires users to dedicate 100GB disk space for every address registered. V will run a PoS to verify that the user really dediacates this space.
The Simplest Solution V sends a pseudorandom file F of size 100GB to P during the initialization phase. V asks P to send back some bits of F at random positions, making sure P stores(at least a large fraction of)F. Unfortunately, let V send 100GB file to P is impractical, cause the communication complexity is too large
Proofs of Space
Defining Proofs of Space 𝒐𝒖𝒕 𝑽 , 𝒐𝒖𝒕 𝑷 ← 𝑽 𝒊𝒏 𝑽 ,𝑷 𝒊𝒏 𝑷 (𝒊𝒏) Denote the execution of an interactive protocol between P and V. 𝑖𝑛:shared inputs 𝑖𝑛 𝑉 , 𝑖𝑛 𝑃 :local inputs 𝑜𝑢𝑡 𝑉 , 𝑜𝑢𝑡 𝑃 :local outputs
Defining Proofs of Space Initialization is an interactive protocol with shared input parameters. prm=(id,N,…) 𝜱,𝑺 ← 𝑽,𝑷 (𝒑𝒓𝒎) 𝛷 is short. S is of size N. V can output 𝛷=Ʇ ,means that it aborts.(cheating prover) Execution is an interactive protocol during which P and V have access to the values stored during the initialization phase. {𝒂𝒄𝒄𝒆𝒑𝒕, 𝒓𝒆𝒋𝒆𝒄𝒕},∅ ← 𝑽(𝜱),𝑷(𝑺) (𝒑𝒓𝒎)
PoS from Graphs Consider a directed acyclic graph 𝐺=(𝑉,𝐸) The graph has 𝑉 =𝑁 vertices labelled with number from the set [N]={1,…,N}. Every vertex 𝑣∈𝑉 is associated with a value 𝑤(𝑣)∈ 0,1 𝐿 For V ′ =( 𝑣 1 ,…, 𝑣 𝑛 ), define 𝑤 V ′ =(𝑤( 𝑣 1 ),…,𝑤( 𝑣 𝑛 )) Let 𝜋 𝑣 ={ 𝑣 ′ :( 𝑣 ′ ,𝑣)∈𝐸} denote 𝑣 ′ 𝑠 predecessors. 𝑤 𝑣 =ℋ(𝑣,𝑤(𝜋 𝑣 )) If 𝑣 is a source(𝜋 𝑣 =∅), then 𝑤 𝑣 is simply ℋ(𝑣)
A Simple Basic PoS The PoS doesn’t satisfy the efficiency requirement because in Step 3 of execution, the verifier needs to compute 𝑤 𝐶 locally.
Using Hash Trees for Committing
Using Hash Trees for Committing Add a step during initialization phase where P commits to 𝑥 1 =𝑤 𝑣 1 ,…, 𝑥 𝑁 =𝑤 𝑣 𝑁 by computing hash tree and send its root φ to V. In the execution phase, the prover must answer a challenge c not only with 𝑥 𝑐 =𝑤 𝑐 , but also open c by sending (𝑥 𝑐 ,𝑜𝑝𝑒𝑛(𝒯,𝑐)).
Our Main Construction prm=(id,2N,ϒ,G,Λ)
Our Main Construction prm=(id,2N,ϒ,G,Λ)
Our Main Construction prm=(id,2N,ϒ,G,Λ)
Thank you for listening !