On the Viability of Distributed Consensus by Proof of Space
Total Page:16
File Type:pdf, Size:1020Kb
On the Viability of Distributed Consensus by Proof of Space Vivek Bhupatiraju John Kuszmaul Vinjai Vale March 3, 2017 Abstract In this paper, we present our implementation of Proof of Space (PoS) and our study of its viabil- ity in distributed consensus. PoS is a new alternative to the commonly used Proof of Work, which is a protocol at the heart of distributed consensus systems such as Bitcoin. PoS resolves the two major drawbacks of Proof of Work: high energy cost and bias towards individuals with special- ized hardware. In PoS, users must store large “hard-to-pebble” PTC graphs, which are recursively generated using subgraphs called superconcentrators. We implemented two types of superconcen- trators to examine their differences in performance. Linear superconcentrators are about 1:8 times slower than butterfly superconcentrators, but provide a better lower bound on space consumption. Finally, we discuss our simulation of using PoS to reach consensus in a peer-to-peer network. We conclude that Proof of Space is indeed viable for distributed consensus. To the best of our knowledge, we are the first to implement linear superconcentrators and to simulate the use of PoS to reach consensus on a decentralized network. 1 Introduction and Motivation Proof of Space [2] is a new and promising cryptographic primitive. One of its most important potential applications lies in distributed consensus on a decentralized network, which is essential for cryptocurrencies such as Bitcoin. This paper demonstrates experimentally that Proof of Space is effective in this context, and provides the first performance analysis for its use to reach consensus. Proof of Space was created to improve on its predecessor Proof of Work [4], which originated more than twenty years ago as a technique to increase the difficulty of Distributed Denial of Service (DDoS) attacks on websites and spamming of emails. The purpose of Proof of Work is to allow a prover P to demonstrate to a verifier V that P has spent a significant amount of computational resources on solving some problem. Proofs of Work can be required to increase the difficulty of performing certain tasks to dissuade attackers. For example, if ten seconds of computational time were required to send an email, then spammers could not send millions of emails in a day. Proof of Work is traditionally implemented using cryptographic hashes. A cryptographic hash is a function that accepts a string as input and returns as output a long, seemingly random string of fixed length. For example, SHA-512(“1234”) returns the 512 bit (64 byte) string: d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db285 12f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db Using a cryptographic hash function H(), a Proof of Work can be designed as follows. The verifier V sends to P a string r along with a non-negative integer n, which dictates the computational complexity of the Proof of Work. The prover P is tasked with finding a string e such that H(rjje) (where || represents concatenation) begins with n zeroes. Since cryptographic hash functions are non-invertible, P must perform an expected 2n hashes to solve this Proof of Work. After P sends his solution e to V, V can verify the solution by checking that H(rjje) begins with at least n zeroes, which requires only a single cryptographic hash computation. Ease of verification is critical to the practicality of Proof of Work. For example, if Google implemented the Proof of Work requirement 1 to send emails to Gmail users, then Google would have to verify tens of billions of Proofs of Work every day [11], which is only practical if each verification is very fast. In recent years, one of the most important applications of Proof of Work has become distributed consensus protocol for blockchains on cryptocurrencies such as Bitcoin. The blockchain acts as a public ledger detailing transfers of Bitcoins between users. Bitcoin users use Proof of Work to reach consensus on the blockchain. In particular, Proof of Work is used to allow community members to make contributions to the blockchain without any single community member having the ability to dominate. Because a large amount of work has been used to create the blockchain, users can be fairly certain that it is accurate. The probability of a block’s accuracy also increases with its age. Distributed consensus along with other applications of Proof of Work have brought to light a number of major weaknesses of traditional Proof of Work implementations. Against modern attackers, traditional implementations of Proof of Work are vulnerable to the usage of highly spe- cialized hardware, which may be able to compute cryptographic hashes a hundred times faster, and ten thousand times more energy-efficiently than standard machines [12]. What the verifier may believe to be a ten-second Proof of Work may actually take an attacker only a tenth of a second. Moreover, current implementations of Proof of Work consume large amounts of energy on stan- dard machines, posing a problem for the large scale usage of cryptocurrencies such as Bitcoin [9]. Another major vulnerability of Proof of Work lies in the context of Botnets, which are groups of infected computers that can be utilized by hackers for email spamming or DDoS attacks. One recently proposed solution to these issues is Proof of Space. Whereas Proof of Work requires computational effort, Proof of Space requires space consumption. Proof of Space allows a prover P to demonstrate to a verifier V that P has devoted a certain amount of space (in memory or in persistent storage) to completing a task. Again, V should be able to verify this Proof of Space easily (devoting few computational resources and little space). Proof of Space addresses all of the major vulnerabilities of Proof of Work. Proof of Space puts users with different hardware on a more level playing field. Although customized hardware 2 exists to optimize for cryptographic hashes, memory and persistent storage cannot easily be further optimized for Proof of Space. As was recently demonstrated in SpaceMint [9], Proof of Space can use several orders of magnitude less energy than Proof of Work. Unlike Proof of Work, hackers cannot covertly complete Proofs of Space on botnet machines without ever using a significant amount of resources at once, making it easier for infected users to detect that their device has been compromised. Proof of Space can also replace Proof of Work in preventing DDoS attacks and email spamming. This paper studies the performance characteristics of Proof of Space in the context of distributed consensus. We discuss our implementation of a full working prover and verifier interface for Proof of Space, as well as our simulated consensus protocol by Proof of Space on a peer-to-peer network. Because verification for Proof of Space may be slower than for Proof of Work, one concern is that Proof of Space would be slow to reach consensus. Our first main contribution is the simulation of consensus protocol with PoS. We find that after 41 seconds, 90% of 150 users in a network reached consensus. This suggests that Proof of Space is an effective tool for distributed consensus, as our simulation for Proof of Space is only around two times slower than the equivalent simulation for Proof of Work, and both take time well under the ten minutes Bitcoin takes to reach consensus [8]. Proof of Space involves the prover storing large PTC graphs [10], which are recursively defined with superconcentrators. The second main contribution of this paper is to provide experimental data on the differences between using butterfly and linear superconcentrators. Running Proofs of Space on a solid state drive, we find that, in practice, the use of linear superconcentrators is only around 1.8 times slower than the use of butterfly superconcentrators in terms of pebbling time. Interestingly, this suggests that linear superconcentrators are more practical than butterfly super- concentrators for Proof of Space. In particular, the theoretical lower bounds for space consumption ( ) with linear superconcentrators is Ω n , while the lower bound for space consumption with but- ( log) n terfly superconcentrators is Ω n [12]. Therefore, the multiplicative difference between the log2 n 3 lower bound for space consumption and the actual performance is significantly better for linear superconcentrators for essentially all sizes of Proof of Space. Prior to our work, relatively little has been done in the direction of experimental evaluation of Proof of Space. Most notably, the recent paper SpaceMint [9] created a complete prover and verifier environment for Proof of Space, using PTC graphs recursively defined with butterfly superconcen- trators. One key difference between our work and their work is that we investigate both butterfly superconcentrators [5] and linear superconcentrators [13]. We also implemented a simulation of distributed consensus on a network and experimentally analyzed the time to consensus by Proof of Space. To the best of our knowledge, we are the first to implement linear superconcentrators, and the first to simulate consensus on a peer-to-peer network for Proof of Space. The rest of this paper proceeds as follows. In Section 2, we describe the protocols used in Proof of Space, distributed consensus, and the graphs used for implementations of Proof of Space. In Section 3, we discuss our implementations, focusing on the difference between linear and butterfly superconcentrators and our simulation of consensus on networks. In Section 4, we present experi- mental data for pebbling time, Merkle tree generation time, and time to reach consensus. Finally, in Section 5, we provide conclusions and discuss future work. 2 Background and Technical Discussion In this section, we begin by discussing distributed consensus and blockchain, which are used in cryptocurrencies such as Bitcoin. We then consider the details of a complete PoS implementation.