Commit 926a2639 authored by kklein's avatar kklein

begin proof of PoS

parent 83042f16
......@@ -34,6 +34,8 @@
......@@ -82,6 +84,7 @@
\section{Security Proof}
To proof that our construction indeed is a proof of space, we argue via pebbling. More precisely, we show that the DAG corresponding to the skiplist can only be pebbled using either large space in the initial configuration or a large amount of time. In other words, any prover who didn't store (a large fraction of) the whole output file needs a very long time to answer challenges correctly.
Let $\Gsk$ denote the DAG corresponding to the skiplist of length $k\cdot S$ on data of size $S=2^s$, see Figure \ref{fig:DAG}.
node distance=2.5em,
\node[vertex] (v00) {};
\foreach \i/\j in {0/1,1/2,2/3,3/4,4/5,5/6,6/7,7/8,8/9,9/10,10/11,11/12,12/13,13/14,14/15,15/16,16/17}{
\node[vertex,right of=v0\i] (v0\j) {};
\draw[sedge] (v0\i) -> (v0\j);
\foreach \i/\j/\k in {1/3/2,3/5/4,5/7/6,7/9/8,9/11/10,11/13/12,13/15/14,15/17/16}{
\node[vertex,above of=v0\i,yshift=0.3em] (v1\i) {};
\node[vertex,above of=v0\j,yshift=0.3em] (v1\j) {};
\draw[sedge] (v1\i) -> (v1\j);
\draw[sedge] (v1\i) -> (v0\j);
\draw[sedge] (v0\k) -> (v1\j);
\foreach \i/\j in {1/5,5/9,9/13,13/17}{
\node[vertex,above of=v1\i,yshift=0.3em] (v2\i) {};
\node[vertex,above of=v1\j,yshift=0.3em] (v2\j) {};
\draw[sedge] (v2\i) -> (v2\j);
\node[vertex,above of=v2\i,yshift=0.3em] (v3\i) {};
\node[vertex,above of=v2\j,yshift=0.3em] (v3\j) {};
\draw[sedge] (v3\i) -> (v3\j);
\foreach \k/\l in {3/4,4/5,5/6,6/7}{
\foreach \i/\j in {1/9,9/17}{
\node[vertex,above of=v\k\i,yshift=0.3em] (v\l\i) {};
\node[vertex,above of=v\k\j,yshift=0.3em] (v\l\j) {};
\draw[sedge] (v\l\i) -> (v\l\j);
\foreach \i in {1,2,3,4,5,6,7}{
\node[vertex,left of=v\i1] (v\i0) {};
\draw[sedge] (v\i0) -> (v\i1);
\foreach \i/\j in {0/4,1/3,2/1,3/1}{
\foreach \k in {0,...,3}{
\draw[sedge] (v\i\j) -> (v\k5);
\foreach \i/\j in {0/12,1/11,2/9,3/9}{
\foreach \k in {0,...,3}{
\draw[sedge] (v\i\j) -> (v\k13);
\foreach \i/\j in {0/8,1/7,2/5,3/5,4/1,5/1,6/1,7/1}{
\foreach \k in {0,...,7}{
\draw[sedge] (v\i\j) -> (v\k9);
\foreach \i/\j in {0/16,1/15,2/13,3/13,4/9,5/9,6/9,7/9}{
\foreach \k in {0,...,7}{
\draw[sedge] (v\i\j) -> (v\k17);
\caption{The DAG $\Gsk$ corresponding to our construction for data of size $S=8$ $w$-blocks and length $k\cdot S$ with $k=2$.}
For any $k\in\mathbb{N}$, $k>1$, any $\epsilon\in [0,1)$, the graph $\Gsk$ has the following property: Whenever one removes $\epsilon\cdot S$ nodes from $\Gsk$, for any remaining output node there exists a path of length $>k\cdot S-2\epsilon\cdot S$ which starts at some input node. In particular, $\Gsk$ is $(\epsilon\cdot S, k\cdot S-2\epsilon\cdot S)$-depth robust. For $k=1$, the claim holds for $\epsilon\in [0,\frac{1}{2})$.
For $S=1$, the claim is trivially true; thus we only consider the case $S=2^s\geq 2$. First we show that it is enough to prove the claim for $k=2$.\\
For the case $k=1$, note that the graph $\G_{S,1}$ contains $\G_{S/2,2}$ as a subgraph such that the input (output) nodes of $\G_{S/2,2}$ are also input (output) nodes of $\G_{S,1}$. Let $\epsilon\in[0,\frac{1}{2})$. By assumption, there are $\epsilon S=(2\epsilon)\cdot S/2$ pebbles on $\G_{S/2,2}\subset\G_{S,1}$. Thus, if the claim holds for $k=2$, there exists a path from some input node of $\G_{S/2,2}$ to any unpebbled output node of length $>2\cdot S/2-2(2\epsilon)\cdot S/2=S-2\epsilon\cdot S$.\\
For arbitrary integers $k=2\ell+m$ with $\ell\in\mathbb{N}$, $m\in\bin$, the graph $\Gsk$ can be considered as a chain of graphs $\{\G_{S,2}^{(i)}\}_{i=1}^\ell$ and $\G_{S,m}$ where the output and input nodes of two subsequent subgraphs are glued together, respectively.
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment