I just came across a blockchain concept called "Proof of Space-Time" in which participants compete to verify blocks by generating and storing essentially random data to answer essentially random cryptographic challenges. The more data they can afford to store, the higher their probability of winning a challenge.

The difference between "Proof of Space" and "Proof of Space-Time" is that the latter incorporates some way of determining when an answer was generated, and the result is that participants must continuously overwrite their storage with current random data (... which is, as a practical matter, less efficient than only generating and storing random answers one time for a given storage block).

I gather that there is some attack that makes "Proof of Space" alone insufficient, but what is it?

I.e., how can participants game the system to make it seem like they have dedicated more storage to the challenge than they actually have?

My first guess is that all computer storage – even that dedicated to other productive uses – can be sliced up to look random enough for the purposes of a proof-of-space challenge. But my first response is that that could be mitigated by requiring that the answers be salted with specific data that would prevent completely arbitrary storage blocks from serving as valid answers.


The second page of the linked paper alludes to an adversarial strategy in which work (i.e., computing capacity) can be substituted for space (i.e., storage capacity). Space-Time answers can reduce the capacity for substitution, but I don't understand how that really applies.

Here's how I have tried to understand this:

  1. Network participants generate random "proofs," which are data blocks that satisfy some network parameters that make them useless for other purposes.
  2. The network issues a challenge in the form of a random number x.
  3. Each participant answers with the hash of its proof that is closest to x. The winning participant is the one with the hash closest to x, and is verified by publishing its full proof.

The security of the network depends on honest participants controlling a majority of the network's storage resources.

Substituting computing capacity for storage capacity would be an attack on this security mechanism. As I understand it: A computing attack would wait to see the challenge and would then generate proofs and then store only the best proof for the particular challenge. But how meaningful is this attack? No matter how much greater the computing capacity than the storage capacity of the network, the time to answer can be reduced so that the probability of a computing attack overwhelming stored answers is negligible.

What am I missing?

feetwet
  • They explain their reasoning in the introduction of the paper, and highlight examples of what could go wrong with PoS -- whether you want to consider that an attack or not is up to you.... – D.W. Jul 31 '21 at 05:40
  • @D.W. I don't understand those explanations. I just elaborated the question accordingly. – feetwet Jul 31 '21 at 20:56

1 Answer

Here is a practical way to "attack" (i.e., substitute computation for storage) a static proof-of-space network: Use a deterministic random-number-generator (RNG).

Here's an example based on an RNG that produces deterministic results based on a "seed."

  1. Generate proofs using random seeds. Store each proof's hash (i.e., "answer") value. So instead of storing long proofs, only store the seed-hash pair.
  2. If a full proof is requested then regenerate it based on the seed.
feetwet
  • isn't this the normal way to run Proof-of-Space? – user253751 Apr 08 '22 at 15:18
  • @user253751 if the full proof doesn't have to be stored (i.e., using the Space) then it is not a Proof-of-Space. – feetwet Apr 08 '22 at 17:15
  • The way proof-of-space works is that you calculate some extremely difficult thing and then access it quickly. You are saying that instead of storing <K,V> you can cheat by storing only . Which... is simply how it's supposed to work. The proof of space is the fact that you were able to store the V. You can't generate V on demand because going from K to V is extremely slow. – user253751 Apr 08 '22 at 17:17
  • Your job as a miner is to find the K that matches the "best" V, and the proof-of-space is the fact you were able to find a good V without spending weeks on end. (what constitutes a "good" V has to change with each puzzle, else miners can multiply their effective space by only storing the good ones) – user253751 Apr 08 '22 at 17:19
  • @user253751 I think you're confusing Space with Work. Proof-of-Space requires a mechanism to ensure that Space is being spent (meaning tied up, not used as a scratch pad for calculation) by the miner. If the mechanism depends on significant computational power being spent then it's a Proof-of-Work mechanism. A pure Proof-of-Space blockchain doesn't try to burn computing power, it tries to burn storage. (Of course it's possible to construct a blockchain that requires both, but we would properly characterize that as something else, perhaps "Proof-of-Work-and-Space.") – feetwet Apr 08 '22 at 17:29
  • Proof-of-Space requires a bunch of work to be done once (arbitrarily slowly), as many results stored as possible, and the results sifted through repeatedly. That's how it works. If that's not what you're thinking of, then you're arguing about a straw man. – user253751 Apr 08 '22 at 17:39
  • note that the difficulty of the upfront work is set ludicrously high, to prevent the system from degrading into a proof-of-work system, thus initializing new drives may take weeks or months. This may be the motivation for proof-of-spacetime – user253751 Apr 08 '22 at 17:43
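
The following is an added example, not code from the answer, the commenters, or any proof-of-space project. It models the seed-for-proof substitution from the answer next to the slow-generation defence from the comments, showing that a verifier checking only the hash cannot tell the two provers apart, while a response window rejects the one that regenerates on demand. All names (`make_proof`, `rounds`, `network_accepts`, the window) and the use of SHAKE-256 as the seeded RNG are assumptions made for illustration.

```python
import hashlib

PROOF_BYTES = 1 << 14  # constructed size of one full proof (16 KiB)

def make_proof(seed: int, rounds: int = 1) -> bytes:
    """Expand a seed into a proof; `rounds` models how slow generation is."""
    state = seed.to_bytes(8, "big")
    for _ in range(rounds):              # sequential: each round needs the previous one
        state = hashlib.sha256(state).digest()
    return hashlib.shake_256(state).digest(PROOF_BYTES)

def answer_of(proof: bytes) -> int:
    """The short 'answer' value: a 64-bit hash of the full proof."""
    return int.from_bytes(hashlib.sha256(proof).digest()[:8], "big")

class HonestProver:
    """Keeps every full proof in storage (modelled here as a dict)."""
    def __init__(self, seeds, rounds=1):
        proofs = [make_proof(s, rounds) for s in seeds]
        self.table = {answer_of(p): p for p in proofs}
    def stored_bytes(self):
        return sum(8 + len(p) for p in self.table.values())
    def respond(self, x):
        best = min(self.table, key=lambda a: abs(a - x))
        return best, self.table[best], 0          # no generation work at answer time

class SeedOnlyProver:
    """Keeps only (answer, seed) pairs and regenerates the proof when asked."""
    def __init__(self, seeds, rounds=1):
        self.rounds = rounds
        self.table = {answer_of(make_proof(s, rounds)): s for s in seeds}
    def stored_bytes(self):
        return 16 * len(self.table)               # 8-byte answer + 8-byte seed
    def respond(self, x):
        best = min(self.table, key=lambda a: abs(a - x))
        return best, make_proof(self.table[best], self.rounds), self.rounds

def network_accepts(response, max_rounds_in_window):
    """Proof must hash to the answer; rounds_spent stands in for measured elapsed time."""
    answer, proof, rounds_spent = response
    return answer_of(proof) == answer and rounds_spent <= max_rounds_in_window

def compare(rounds, window, x=1 << 63, n=32):
    """Return (same answer+proof, storage ratio, honest accepted, seed-only accepted)."""
    honest, lean = HonestProver(range(n), rounds), SeedOnlyProver(range(n), rounds)
    same = honest.respond(x)[:2] == lean.respond(x)[:2]
    return (same, honest.stored_bytes() // lean.stored_bytes(),
            network_accepts(honest.respond(x), window),
            network_accepts(lean.respond(x), window))
```

With fast generation (`compare(1, 1)`) both provers are accepted although one stores about 1/1024 of the data; with slow generation and a short window (`compare(2000, 100)`) only the prover that actually kept the proofs is accepted.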