stoRNA: Stateless Transparent Proofs of Storage-time

Abstract

Proof of Storage-time (PoSt) is a cryptographic primitive that enables a server to demonstrate non-interactive continuous availability of outsourced data in a publicly verifiable way. This notion was first introduced by Filecoin to secure their Blockchain-based decentralized storage marketplace, using expensive SNARKs to compact proofs. Recent work [2] employs the notion of trapdoor delay function to address the problem of compact PoSt without SNARKs. This approach however entails statefulness and non-transparency, while it requires an expensive pre-processing phase by the client. All of the above renders their solution impractical for decentralized storage marketplaces, leaving the stateless trapdoor-free PoSt with reduced setup costs as an open problem. In this work, we present stateless and transparent PoSt constructions using probabilistic sampling and a new Merkle variant commitment. In the process of enabling adjustable prover difficulty, we then propose a multi-prover construction to diminish the CPU work each prover is required to do. Both schemes feature a fast setup phase and logarithmic verification time and bandwidth with the end-to-end setup, prove, and verification costs lower than the existing solutions.

Appendices

A Theorem 1 Proof

(i: Completeness): Directly follows from the completeness of the \(\textsf{PoR}\) and \(\textsf{PoEt}\) schemes.

(ii: Soundness): Let an adversary \(\mathcal {A}\) be against the soundness of the \(\textsf{stoRNA}\) scheme. Let the extractor \(\textsf{PoSt}.\textsf{Ext}= (\textsf{Ext}_{\textsf{PoSt}, 1}, \textsf{Ext}_{\textsf{PoSt}, 2})\) recover the data F from the prover. Where \(\textsf{Ext}_{\textsf{PoSt}, 1}\) on input the description of the prover, outputs the configurations, the epoch (a randomly chosen time slot) and the transition function, and \(\textsf{Ext}_{\textsf{PoSt}, 2}\) is a PoR extractor that recovers the data from the configurations, the epoch and the transition function. Intuitively, we first show that the prover executes “one PoR” in a randomly chosen epoch and then by invoking the \(\textsf{PoR}\) extractor, we recover the data from the configurations the epoch and the transition function (extraction phase).

We first argue about the sequenciality in Algorithm 1. A potentially malicious prover \(\textsf{PoSt}\).\(\textsf{P}'\), making the verifier accept (in relation to \(G_n^{{\textsf{Com}}}\) in Algorithm 2) with high probability must have queried \(\textsf{H}\) “almost” N times sequentially. The proof of sequentiality follows Cohen and Pietrzak [7]. We use the outputs of \(\textsf{PoR}\).\(\textsf{Prove}\) as the input nodes of the specified tree construction of [7]. Thus, the sequentiality proof of Algorithm 1 follows the sequentiality proof of [7]. Formally we have that,

Lemma 1

[Theorem 1 of [7]]. Consider the scheme in Algorithm 1, with parameters c, w, N and a “soundness gap” \(\alpha > 0\). If \(\textsf{PoSt}\).\(\textsf{P}'\) makes at most \((1 - \alpha )N\) sequential queries to \(\textsf{H}\), and at most q queries in total, then \(\textsf{PoSt}\).\(\textsf{V}\) will output reject with probability \( 1 - (1 - \alpha )^c - (2 \cdot n \cdot w \cdot q^2)/ 2^w \).

Where N is assumed to be number of sequential steps of the form \(N = 2^{n+1} - 1\) for an integer \(n \in \textsf{N}\), and c is a statistical security parameter (the size of the subset \(I^*\) in which the larger the c the better the soundness), and w is the output range of \(\textsf{H}\), which we need to be collision-resistant and sequential. \(w = 256\) is a typical value. The proof follows the proof of Theorem 1 in [7].

In general, the verification algorithm of the \(\textsf{stoRNA}\) requires the prover to compute all \(\textsf{PoR}\) challenges and responses and evaluate the \(\textsf{PoEt}\)s. Thus the PoR responses are valid and the \(\textsf{PoEt}\) are evaluated as expected with probability \((1 - \alpha )^c - (2 \cdot n \cdot w \cdot q^2)/ 2^w\) based on Lemma 1. Because of the unpredictability of \(\textsf{PoR}\) and the sequentiality of \(\textsf{PoEt}\), the \(\textsf{PoR}\) proofs must be generated sequentially.

Let \(D_0\) and \(D_k\) be the start and end time points for running \(\mathcal {A}\). For i from 1 to \(k - 1\), we set each time point \(D_{i + 1}\) to be the first time when \(\mathcal {A}\) queries the random oracle \(\textsf{H}\) on \((\textsf{st} \mathbin \Vert l_{\epsilon })\) (Alg.1 step 17). Similarly, we set each time point \(\hat{D}_i\) as the start when \(\mathcal {A}\) queries the \(\textsf{H}\) on \(\textsf{st}\) (Alg.1 step 13). Then we prove that the random time epoch with length \(T > T' + 2\delta D\) chosen by \(\textsf{Ext}_{\textsf{PoSt}, 1}\) must contain at least one interval \([D_i, \hat{D}_i)\) for some i. To this aim, we prove the following lemmas 2, 3, 4, and 5:

Lemma 2

The time point \(D_i\) must precede \(D_{i+1}\).

Proof

we show that each \(\textsf{PoEt}\)’s output \(\textsf{st}_{i-1}\) must be firstly queried to the random oracle \(\textsf{H}\) before \(\textsf{st}_i\). To prove it we use the contradiction in a way that, if not, then \(\mathcal {A}\) must be able to either generate the \(\textsf{PoEt}\) output \(\textsf{st}_i\) before \(\textsf{st}_{i-1}\), which violates the sequentiality of \(\textsf{PoEt}\); or generate the \(\textsf{PoEt}\) input \(\textsf{st}_{i-1}\) before the output of \(\textsf{H}\) (step 17, Algorithm 1), which violates the unpredictability of the random oracle \(\textsf{H}\); or generate the \(\textsf{PoR}\) challenge \(c_i\) before \(\textsf{st}_{i-1}\), which violates the unpredictability of the random oracle \(\textsf{H}\) (step 13, Algorithm 1); or generate the \(\textsf{PoR}\) response \(\pi _i\) before \(c_i\), which violates the unpredictability of \(\textsf{PoR}\);

Lemma 3

\(T'\) is shorter than the length of each time slot \([D_i, D_{i+1})\).

Proof

By the unpredictability of the random oracle, the output of the \(\textsf{PoEt}\), \(\textsf{st}_i\) must be generated before the time point \(D_{i+1}\). On the other hand, the \(\textsf{PoR}\) response \(\pi _i\) must be generated via the \(\textsf{PoR}\) on the challenge \(\textsf{st}_i\) after the time point \(D_i\). Thus, a \(\textsf{PoEt}\) function must be evaluated within the time slot \([D_i, D_{i+1})\). By the sequentiality of \(\textsf{PoEt}\), the length of \([D_i, D_{i+1})\) must be longer than \(T'\).

Lemma 4

\(T' + \delta D\) is bigger than the length of each time slot \([D_i, D_{i+1})\).

Proof

Let \(D'\) be the execution time of \(\textsf{PoSt}\).\(\textsf{P}'\). By the correctness of the verification algorithm, \(D' < (1 + \delta )D\). Based on the result of Lemma 3 , we have that the length of each time slot \([D_i, D_{i+1})\) is longer than \(T'\), thus, the longest slot should be shorter than \((1 + \delta )D - (k - 1)T' = \delta D + T'\).

Lemma 5

Each \(\hat{D}_i \in [D_i, D_{i+1})\) and the time slot \([D_i, \hat{D}_i)\) is shorter than \(\delta D\).

Proof

Finally, we show the \(\textsf{PoEt}\) response \(\textsf{st}_i\) must be queried to the random oracle \(\textsf{H}\) (Algorithm1 step 13) within this time slot \([D_i,D_{i+1})\) and that the time slot \([D_i,\hat{D}_i)\) is shorter than \(\delta T\). The output of the \(\textsf{PoR}\) \(\pi _i\) is queried at the time point \(D_{i + 1}\), hence the input of the \(\textsf{PoR}\), \(c_i\) must be generated by \(\textsf{PoSt}\).\(\textsf{P}'\) before the time \(D_{i+1}\) according to the sequentiality of \(\textsf{PoR}\). Due to the unpredictability of the random oracle, \(\textsf{H}\) must be queried on input \(\textsf{st}_i\) before the time \(D_{i+1}\). On the other hand, according to the unpredictability of \(\textsf{PoEt}\), \(\textsf{PoSt}\).\(\textsf{P}'\) can not figure out the \(\textsf{PoEt}\) proof \(\textsf{st}_i\) before the time point \(D_i\), when the \(\textsf{PoEt}\) input is generated. Given this, \(\textsf{st}_i\) must be queried to the random oracle \(\textsf{H}\) in time slot \([D_i, D_{i+1})\). Furthermore, since the maximum length of \([D_i, D_{i+1})\) and the evaluation time of \(\textsf{PoEt}\) is longer than \(T'\), the slot \([D_i, \hat{D}_i) < \delta D\).

Extraction Phase. In this phase, we show that given the bunch of configurations for \(\textsf{PoSt}\).\(\textsf{P}'\) for time slot \([D_i, \hat{D}_i)\) (or \([D_{i-1}, \hat{D}_{i-1}))\) and the code of the transition function, \(c_i\) and \(\textsf{st}_i\) can be accessed by the \(\textsf{PoSt}\).\(\textsf{Ext}\). Indeed, since both random oracles \(\textsf{H}\) are maintained by the extractor, a cheating prover of \(\textsf{PoR}\).\(\textsf{P}'\) can be constructed by manipulating the output of the random oracle \(\textsf{H}\) (step 13, Algorithm 1) as the \(\textsf{PoR}\) challenge, rewinding the part of the \(\textsf{PoSt}\).\(\textsf{P}'\) corresponding to time segment \([D_i, \hat{D}_i)\) and collecting the queries of the random oracle \(\textsf{H}\) (step 17, Algorithm 1) as the \(\textsf{PoR}\) response. Since there is a \(\textsf{PoR}\) extractor to recover the storage data from \(\textsf{PoR}\).\(\textsf{P}'\), the soundness proof of \(\textsf{PoSt}\) is complete.

B Stateless Multi-prover PoSt Construction

In this section we show improvement options to the concrete efficiency of prover algorithm by proposing an extended multi-prover PoSt construction \( \textsf{mstoRNA}=(\textsf{Store}, \textsf{Prove},\textsf{Verify})\) (see Algorithm 3 for details). More precisely, we assume any arbitrary number of “Time Nodes” and “Storage Nodes” can freely join the DSN by respectively providing “CPU work” and “storage-time” resources to the network. \(\mathsf {mstoRNA.Store}\) algorithm is executed to output file \( F_j\) and tag \( \textsf{tg}_j \) which are outsourced to Storage Node j. In \(\mathsf {stoRNA.Prove}\) algorithm, (i) Time Node, every T time units, shares the \( \textsf{PoEt} \) state and waits for a time gap determined by network latency. (ii) Storage Node j hosting file \( F_j\), generates a challenge based on the freshly advertised \( \textsf{PoEt} \) state, serving as the \( \textsf{PoR} \) challenge, and submits \( \pi _{ij}\leftarrow \mathsf {PoR.Prove} \). (iii) Time Node collects all \( \textsf{PoR} \) proofs from all Storage Nodes and creates a Merkle tree \(\mathsf {MT_i}\) with root \({r_i} \). (iv) Time Node inputs \({r_i} \) together with \( \textsf{PoEt} \) proof to update the commitment graph \( G_n^{\textsf{Com}} \), and (v) Time Node timestamps the updated \( G_n^{\textsf{Com}} \) root, \( l_{\epsilon } \), into the shared \( \textsf{PoEt} \) state for the next \( \textsf{PoEt} \) execution. At the end of the deposit period D, the Time Node returns \( l_{\epsilon } \) together with the final \( \textsf{PoEt} \) state as a commitment to all proofs sequentially generated during D. Upon receiving the commitment, in \(\mathsf {mstoRNA.Verify}\) algorithm, (i) the verifier challenges a randomly sampled subset of time slots (ii) for every challenged time slot, the Time Node provides openings for both \(G_n^{\textsf{Com}}\) and Merkle tree \(\mathsf {MT_i}\) together with all the \( \mathsf {(PoEt,PoR)} \) proofs on the path from this challenged node to the root, (iii) the verifier, verifies commitment openings of both \(\mathsf {MT_i}\) and \(G_n^{\textsf{Com}}\), and (iv) runs \(\mathsf {PoEt.Verify},\mathsf {PoR.Verify}\) algorithms to respectively verify the returned \( \textsf{PoEt,PoR} \) proofs. As the number of Storage Nodes connected to a Time Node increases, the overall computational complexity of the prover algorithm diminishes. This enables even personal resource-constrained devices to partake in DSNs by dedicating some amount of disk-space, resulting in more decentralization. Besides, a PoSt sequence in \( \textsf{mstoRNA} \) can migrate to any other Time Node, who can continue where the previous prover left off. This is particularly important considering real nodes susceptible to Failure.

Theorem 2

Let \(\textsf{PoR}\) be a stateless PoR scheme with \(\epsilon \)-soundness and unpredictability. Let \(\textsf{PoEt}\) be a PoEt scheme with \(\delta \)-evaluation time. The time cost of \(\textsf{PoR}\) and hash function evaluation are negligible w.r.t. T. The time cost of \(s_0\) sequential steps on the server processor is \(T'\). If \(T' + 2\delta D < T\), the proposed \(\textsf{mstoRNA}\) scheme in Algorithm 3 is stateless, complete, and \(\epsilon \)-sound.