Proofs of Catalytic Space February 17, 2018 Abstract Proofs of space (PoS) [DFKP15] are proof systems where a prover can convince a verifier that he \wastes" disk space. PoS were introduced as a more ecological and economical replacement for proofs of work which are currently used to secure blockchains like Bitcoin. In this work we investigate extensions of PoS which allow the prover to embed useful data into the dedicated space, which later can be recovered. The first contribution of this paper is a security proof for the PoS from [DFKP15] in the random oracle model (the original proof only applied to a restricted class of adversaries which can store a subset of the data an honest prover would store). When this PoS is instantiated with recent constructions of maximally depth robust graphs, our proof implies basically optimal security. As a second contribution we introduce and construct proofs of cat- alytic space (PoCS), which are defined like classical PoS, but most of the space required by the prover can at the same time be used to store useful data. Our first construction has almost no overhead (i.e., the useful data is almost as large as the dedicated space), whereas our second con- struction has a slightly larger overhead, but allows for efficient updates of the data. Our constructions are extensions of the [DFKP15] PoS, and our tight proof for the PoS extends (non-trivially) to the PoCS. As our last contribution we construct a proof of replication (PoR), coming up with such an object has recently been stated as an open prob- lem in the Filecoin paper. Also this construction (and its proof) are extensions of the [DFKP15] PoS. Contents 1 Introduction 2 1.1 Proofs of Space (PoS) . .2 1.2 An Uncoditional Security Proof for the [DFKP15] PoS . .4 1.3 Embedding Useful Data into a PoS . .4 2 Comparison With Previous Work 6 1 3 Basic Notation and Definitions 9 3.1 Notation . .9 3.2 Random Oracles . .9 3.3 Commitments . 10 3.4 Random Strings are Incompressible . 10 4 Overview of Our Modes and Protocols 10 4.1 The Mode EPoS◦ ........................... 11 4.2 The Mode EPoR ............................ 11 4.3 The Mode EPoCSφ ........................... 11 4.4 The Mode EPoCSF ........................... 12 4.5 The Protocols PoS◦; PoCSφ and PoR ................ 13 5 The Main Proof Ideas 15 6 The Graph Pebbling Game Φ and its Hardness 17 6.1 The Pebbling Game Φ(G;VC ).................... 17 6.2 Depth Robust Graphs . 18 6.3 Φ(G;VC ) is Hard if G is Depth Robust . 18 7 PoS Security of PoS◦ 19 7.1 The Labelling Game ΛPoS◦ (G;VC ; w)................ 19 7.2 Φ Hardness Implies ΛPoS◦ Hardness . 20 8 PoS Security of PoCSφ and PoR 24 8.1 The Labelling Games ΛPoCSφ and ΛPoR ............... 24 8.2 Φ Hardness Implies ΛPoR and ΛPoCSφ Hardness . 25 A Discussion and Motivation 29 A.1 The Quest for a Sustainable Blockchain . 29 A.2 Proofs of Space (PoS) . 30 B PoCSF, a PoCS with Efficient Updates 31 B.1 The Protocol PoCSF ......................... 31 B.2 The Labelling Game ΛPoCSF (G;VC ; w; κ).............. 32 B.3 Φ Hardness Implies ΛPoCSF Hardness . 33 1 Introduction 1.1 Proofs of Space (PoS) A proof of space (PoS) [DFKP15, RD16, AAC+17] is an interactive proof system in which a prover P can convince a verifier V that it \wastes" a large amount of disk-space. PoS were suggested as an alternative to proofs of work (PoW), which are currently used for securing blockchains including Bitcoin and Ethereum. PoS-based proposals include Spacemint [PPK+15] and the chia network [chi17]. 2 Some more discussion on sustainable blockchains and PoS which is not crucial for following this work is given in the Appendices xA.1 and xA.2. The core of the pebbling-based PoS [DFKP15, RD16] is a mode of operation EPoS◦ which is specified by a directed acyclic graph (DAG) G = (V; E) with a dedicated set VC ⊆ V of jVC j = N \challenge nodes". The constructions in [DFKP15, RD16] mostly differ in what type of graphs are used. The only input EPoS◦ takes is a short statement χ which is used to sample a hash function Hχ (modelled as random oracle in all our proofs), and it outputs a large file ` = f`igi2VC which P must store. P sends a commitment φ` to ` to V. To check the prover really stores this file, the verifier can occasionally send a random challenge i 2 VC to the prover, who then must open the label `i 2 ` of this file. If such audits happen sufficiently often, the rational thing for P to do is to store `, and not recompute labels as they are requested. The high level proof structure of this PoS, denoted PoS◦, is illustrated in Figure 1, the underlying mode of operation, denoted EPoS◦ , is illustrated in Figure 2. parameters: block size w, data/waste ratio κ (only in PoCSF), µ controlling soundness of exectution phase. shared inputs: a DAG G = (V; E);VC ⊆ V; jV j = N, of indegree δ. random oracle H : f0; 1g∗ ! f0; 1gw κ·w data d = (d1; : : : ; dN ); di 2 f0; 1g initialization phase Prover P Verifier V statement χ χ f0; 1gw ` := EPoXX(χ) (cf. Figure 2) + commitment φ` (φ`; φ` ) := commit(`) prove that φ`"mostly correct" store cf. Remark 3 store w 0 N·λ w w χ 2 f0; 1g ; ` = f`igi2VC 2 f0; 1g χ 2 f0; 1g ; φ` 2 f0; 1g + (N−1)·w φ` 2 f0; 1g (cf. Remark 4) execution phase challenge c µ c VC + answer o o := open(`; φ` ; c) accept if verify(φ`; c; o) = 1 Figure 1: Illustration of protocol structure of the proof of space PoS◦, our proofs of catalytic space PoCSF; PoCSφ and the proof of replication PoR (replace PoXX in the figure with any of those). In PoCSF κ is a parameter, in PoCSφ; PoR set κ = 1 and for PoS◦ set κ = 0 (i.e., d is empty) in the figure. The label size λ is w(κ + 1) in PoCSF and w in PoS◦; PoR and PoCSφ. 3 1.2 An Uncoditional Security Proof for the [DFKP15] PoS Informally, the security we want from a PoS is as follows: if a malicious prover P~ dedicates slightly less space than the honest prover would after the initializa- tion phase, say (1 − ) · N instead N for some small > 0, then it should be \expensive" for him to pass the audit. Note that P~ can always pass the audit by simply recomputing the entire ` right before the audit, so the best we can hope for is that passing the audit is almost as expensive for P~ as it is to compute the entire `. The first contribution in this paper is a security proof that shows PoS◦ is a secure PoS in the random oracle model (Corollary 11 in x7.2). The existing proof from [DFKP15] only showed security against restricted adversaries who store a subset of the data ` an honest prover would store, but didn't imply anything against more general adversaries who can store an arbitrary function of this data. We discuss this in more detail in x5. When we instantiate EPoS◦ with recent constructions of depth-robust graphs, the security we get is basically optimal. Informally, for any > 0, we can chose parameters such that any cheating prover who dedicates only an 1−α fraction of the required space will fail to efficiently answer an α− fraction of the challenges (which simply ask to open some blocks in the file ` the prover is committed to). Thus, if say α = 2, the prover fails on an fraction, and we can amplify this to be overwhelmingly close to 1 by using O(1/) challenges in parallel. Above, with ”efficiently recover", we mean it needs parallel time N,1 this is basically optimal in terms of time complexity, as running the entire initialization phase takes only (sequential) time 4N. We will discuss how our proof compares with existing results in more detail in x2. The efficiency of our schemes (i.e., proof size, proof generation time, proof verification time) are all in O(log N), where the hidden constant depends on the above mentioned (i.e., the constant grows as goes to 0). 1.3 Embedding Useful Data into a PoS The file ` := EPoS◦ (χ) the prover is supposed to store just wastes disk space, and cannot be used for anything useful. This makes sense, as after all a PoS is supposed to prove the dedicated space is \wasted". In this paper we investigate the setting where the space dedicated towards the PoS can at the same time be used to encode some useful data d. We iden- tify two applications for such objects, \proofs of replication" (PoR), which were (informally) introduced in the Filecoin paper [Lab17] and \proofs of catalytic space" (PoCS), which we introduce and motivate in this work. The naming of the latter is inspired by \catalytic space computations" [BCK+14, BKLS16], which are computations that can be done in small space, but only if one is additionally given \catalytic space". This space is initially filled with arbitrary 1Our proof is in the random oracle model, and parallel time N means N rounds of queries, where in each round one can make many queries in parallel. In sequential time just one query is allowed. 4 E : Our efficiently updatable proof of EPoS◦ : The proof of space from [DFKP15] PoCSF instantiated with (a toy example of) a depth- catalytic space where the catalytic data com- robust graph.