When will a rational player choose to unseal the PoS instead of simply storing an extra copy of the data in the clear?

Question: When is it cheaper to unseal in order to access the data instead of simply storing a second copy of the data?

To answer this question, we can use the inequalities between the cost of storage and the cost of computation that must hold in order to guarantee the security of WindowPoST. Recall that $A_{\max{}}$ is the ratio between the cost of computation for our providers and the cost of computation for a hypothetical adversary.

  1. If we follow the result by Fisch: to be secure in the cost model, we must have $67 \cdot A_{\max{}} \cdot \mathit{Cost}_T < \mathit{Cost}_{\mathit{unseal}}$. Therefore, storing a copy of the data in the clear for time $67 \cdot A_{\max{}} \cdot T$ is definitely cheaper than unsealing. So unsealing rather than simply storing a copy of the data in the clear is not worth it, unless the sector is accessed less frequently than once in $67 \cdot A_{\max{}}\cdot T$. With $T$ equal to 24 hours and $A_{\max{}}=3$ (which is our current security margin), it’s definitely cheaper to store a second copy unless the data is accessed less frequently than once every six months.
  2. If we follow the result submitted to Eurocrypt: same reasoning as the previous bullet, but replace $67$ by $6$. So it’s definitely cheaper to store a second copy unless the data is accessed less frequently than once every 18 days.
  3. If we follow the more recent result described here: again the same reasoning, but replace $6$ by $1.1$. So it’s definitely cheaper to store a second copy unless the data is accessed less frequently than once every 3.3 days.

Recall that $A_{\max{}}=3$ is just an assumption about the gap between our costs and the costs of the adversary. There is no reason to believe that the adversary can hash 3 times more cheaply. A smaller $A_{\max{}}$ will allow us to lower the cost of computation and thus will allow these time intervals to drop.

However, the entire discussion above is informed only by assumptions we must make on costs, rather than actual costs. There are real costs to computation and storage, and we cannot change them by changing the analysis, unless we change the design. According to the analysis by Luca and Irene (section 5.1.3), we have $265\cdot \mathit{Cost}_T \approx \mathit{Cost}_{\mathit{unseal}}$. If that is indeed the ratio between the costs, then it is cheaper to keep a second copy in the clear if the data is accessed more frequently than once every 9 months.
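
The break-even reasoning used throughout, written out as an added derivation (not part of the original analysis). It assumes that the cost of keeping a clear copy grows linearly in time, with $\mathit{Cost}_T$ the cost of storing it for one period $T$, and it writes $\Delta$ for the time between two accesses and $c$ for the constant in the security bound; both symbols are introduced here.

Over one access cycle of length $\Delta$, the two strategies cost

$$\text{keep a clear copy: } \frac{\Delta}{T}\cdot \mathit{Cost}_T, \qquad \text{unseal on demand: } \mathit{Cost}_{\mathit{unseal}}.$$

Unsealing is the cheaper choice exactly when

$$\mathit{Cost}_{\mathit{unseal}} < \frac{\Delta}{T}\cdot \mathit{Cost}_T \iff \Delta > \Delta^{*} := T\cdot\frac{\mathit{Cost}_{\mathit{unseal}}}{\mathit{Cost}_T}.$$

A security requirement of the form $c \cdot A_{\max{}} \cdot \mathit{Cost}_T < \mathit{Cost}_{\mathit{unseal}}$ therefore gives only a lower bound on the break-even interval:

$$\Delta^{*} > c \cdot A_{\max{}} \cdot T.$$

With $T = 1$ day and $A_{\max{}} = 3$:

$$c = 67:\ \Delta^{*} > 201 \text{ days}, \qquad c = 6:\ \Delta^{*} > 18 \text{ days}, \qquad c = 1.1:\ \Delta^{*} > 3.3 \text{ days}.$$

The measured ratio $\mathit{Cost}_{\mathit{unseal}} \approx 265\cdot \mathit{Cost}_T$ is not a bound but an estimate of $\Delta^{*}$ itself:

$$\Delta^{*} \approx 265 \cdot T = 265 \text{ days} \approx 9 \text{ months}.$$

Since $265 > 67 \cdot 3 = 201$, this estimate is consistent with even the most demanding of the three bounds at $A_{\max{}} = 3$.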
