| |
|
开发:
C++知识库
Java知识库
JavaScript
Python
PHP知识库
人工智能
区块链
大数据
移动开发
嵌入式
开发工具
数据结构与算法
开发测试
游戏开发
网络协议
系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程 数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁 |
-> 区块链 -> Aleo的PoSW共识 -> 正文阅读 |
|
[区块链]Aleo的PoSW共识 |
1. 引言Aleo系列,前序博客有:
Aleo采用Proof of Succinct Work共识。 Proof of Succinct Work为SNARK-based Proof of Work算法,旨在激励对SNARKs的硬件加速。 具体为: puzzle的difficulty rate会动态调整,以反映Aleo上的miners在每秒贡献的proof数量。
解决该puzzle的miner address将的激励为:base block reward + 该区块所包含的交易的手续费。 2. Aleo中所用的曲线Aleo中使用pairing-friendly 曲线来生成和验证proof:
相关参数为:
3. Proof of Succinct Work (PoSW)PoSW为比特币SHA-based difficulty adjusting算法的变种,最关键的不同之处在于:
使得PoSW:
PoSW采用异步模式,假设大多数miners(Provers)是诚实的。 PoSW中对于relation R \mathcal{R} R 的SNARK ( G , P , V ) (G,P,V) (G,P,V) 流程为:
4. PoSW共识securityPoSW设计为满足传统PoW guarantees,要求其具有a time-lock puzzle安全属性。 为了实现time-lock,要求PoSW满足:
4.1 Amortization Resistance(PoSW的不可batch性)任何PoW系统的最重要特性是non-batchability,是指:
Aleo采用的是Generic Group Model (GGM),其中miners have access to an oracle O O O performing a given hard computation in the random encoding of some group G G G。计算难度取决于miner访问oracle O O O的次数。 在setup时,定义了
?
\epsilon
?-amortization resistance 作为 the ratio of oracle queries performed by the optimal algorithm
A
O
(
P
,
n
)
A^O(P,n)
AO(P,n) computing
n
=
p
o
l
y
(
n
)
n=poly(n)
n=poly(n) proofs simultaneously versus the algorithm
A
O
(
P
,
1
)
A^O(P,1)
AO(P,1) computing each
n
n
n proof individually。其中
n
n
n为proof size,
Q
u
e
r
i
e
s
(
A
O
)
Queries(A^O)
Queries(AO)为the number of queries
A
O
A^O
AO makes to
O
O
O,
x
i
x_i
xi?为the (randomly sampled)
i
i
i-th problem instance: ? \epsilon ?为the advantage that a large miner receives due to the amortizability of the underlying puzzle。若 ? = 0 \epsilon=0 ?=0,则没有算法可attain speedup from batching and the puzzle is perfectly amortizable。 4.2 Quantization Error & Forking Probability与其它PoW scheme不同,PoSW底层计算可能solution (a single proof)所需时间要长于其它puzzles。因为NIZK生成proof是计算密集型的,若其与产块时间相当,会影响底层链的安全性。 4.2.1 Quantization Error设置proof生成时间 为 a significant fraction of 产块时间,slow miner可在其finish current attempt之前 hear of a new solution,然后放弃当前其所计算的部分proof,直接开始mine新的区块。这种放弃的部分算力浪费对应为quantization error
?
Q
\epsilon_Q
?Q?: 注意 τ ← 0 \tau\leftarrow 0 τ←0意味着 ? Q ← 0 \epsilon_Q\leftarrow 0 ?Q?←0。即意味着miner放弃的work趋近为0。生成proof的时间 τ p \tau_p τp?与产块时间 τ b \tau_b τb?之间的ratio r = τ p / τ b r=\tau_p/\tau_b r=τp?/τb?应最小化。 4.2.2 Forking Probability以上quantum effects将增加the number of observed collisions。若miner未同步,当收到一个区块时,会选择继续完成其当前effort。若所有miner都这么做,将影响整个网络同步。 一个mining round所期待的solution数量为一个随机变量 X ~ P o ( τ ) X\sim Po(\tau) X~Po(τ)。 将分叉的概率上线表示为
?
F
\epsilon_F
?F?: 对于固定的block time,任何对proving time的改进(如硬件加速,或circuit size调整),都将降低分叉概率。 5. PoSW PredicatePoSW circuit中的predicate用于验证the inclusion of transactions in a given block。 5.1 System StateAleo中的system state定义为:
其中 G G G为SHA-256, k = 512 k=512 k=512。 Aleo中的system state也可称为“state tree”,其每个leaf为the unique ID of a transaction to be processed,变量 PoSW circuit取 state tree中的 q < = d q<=d q<=d subtree,然后计算a Merkle tree of depth q q q。 The leaves of the tree are the depth q q q elements of the state tree Tree H ( h ) \text{Tree}_H(h) TreeH?(h), instantiated over k k k-bit leaves with a different CRT function H : { 0 , 1 } k → { 0 , 1 } ( k / 2 ) H: \{0, 1\}^k \rightarrow \{0, 1\}^{(k/2)} H:{0,1}k→{0,1}(k/2) as a new PoSW tree Tree H ( q ) \text{Tree}_H(q) TreeH?(q). This layout is illustrated in the diagram on the left. For example, for KaTeX parse error: Expected '}', got '_' at position 16: G = \text{BLS12_?377} we set H H H as the 512-bit Pedersen CRH with output truncated to 256 bits. 对 H H H的circuit implementation将mask the witness variables based on a pseudorandom seed,这将作为predicate statement的一部分。这需要满足non-amortization要求。Aleo中设置 q = 3 q=3 q=3。 5.2 Pedersen Primitives
k
k
k-bit Pedersen hash function over
G
G
G CRT hash函数定义为: 其中 G i G_i Gi?为 G G G中的randomly sampled generator, x i x_i xi?为input x x x的第 i i i个bit。 该函数的CRT security可reduce为 the hardness of the DLP over group G G G。 5.2.1 Symmetric Pedersen Gadget
k
k
k-bit symmetric Pedersen hash定义为: 定义 ( F p 2 ) k (F_{p^2})^k (Fp2?)k内的group variable Q = ( Q x , Q y ) , h i = ( h x i , h y i ) Q=(Q_x,Q_y), h_i=(h^i_x,h^i_y) Q=(Qx?,Qy?),hi?=(hxi?,hyi?),check如下evaluations:
这需要 k k k Edwards multiplications (6 constraints each),且需要a bit lookup for each of the h i h_i hi? in addition to k k k booleanity checks。 具体见 5.2.2 Masked Pedersen Gadget
k
k
k-length masked Pedersen hash function over
G
G
G 为 CRT hash function
H
mask
:
{
0
,
1
}
k
×
{
0
,
1
}
k
×
G
→
G
H_\text{mask}:\{0,1\}^k\times\{0,1\}^k\times G\rightarrow G
Hmask?:{0,1}k×{0,1}k×G→G: 其中 x i x_i xi?和 ρ i \rho_i ρi?分别为 x x x和 ρ \rho ρ的第 i i i个bit,而 G i G_i Gi?为randomly sampled generators of G G G, ( + ) (+) (+)为bitwise XOR operation。附加 P P P变量来实现demasking操作。 定义 ( F p 2 ) k (F_{p^2})^k (Fp2?)k内的group variable Q = ( Q x , Q y ) , g i = ( g x i , g y i ) Q=(Q_x,Q_y), g_i=(g^i_x,g^i_y) Q=(Qx?,Qy?),gi?=(gxi?,gyi?) 以及 F p k F_{p}^k Fpk?内布尔变量 z z z,执行如下evaluations:
这需要 k k k Edwards multiplications (6 constraints each),且需要a 2 2 2-bit lookup for each of the g i g_i gi? (2 constraints each) in addition to k k k booleanity checks。 具体见 5.2.3 Pedersen Hash GadgetAleo instantiate a circuit verifying
M
M
M evaluations of
H
G
H^G
HG using circuit for
H
mask
G
,
H
H_{\text{mask}}^{G,H}
HmaskG,H? and
H
sym
H
H_{\text{sym}^H}
HsymH? over
G
G
G。注意,这些变量在
F
p
F_p
Fp?内,而
(
z
x
,
z
y
)
(z_x,z_y)
(zx?,zy?)变量在
F
p
2
F_{p^2}
Fp2?域,可解析为elliptic curve point in
G
G
G。
5.2.4 实例化Aleo中的Pedersen Primitives采用BLS12-377作为底层group,相应的output length(point压缩格式)为
256
+
1
=
257
256+1=257
256+1=257,Aleo 将其truncate为
256
256
256 bits。基于的安全假设为ECDLP,相应的security level 为
λ
~
=
128
\lambda\sim=128
λ~=128 bits。 5.3 PoSW CircuitPoSW tree
Tree
H
(
q
)
\text{Tree}_H(q)
TreeH?(q)的叶子为:subroots of the state tree’s
q
q
q-depth nodes。 5.3.1 Seed Generation在每个Predicate 生成seed的流程为: 这些都是在circuit之外完成的。且需要input format for every valid instance。 5.3.2 Circuit Size5.3.2.1 Statement-Witness Definitiona valid statement
?
=
<
state
i
,
n
>
∈
{
0
,
1
}
512
\phi=<\text{state}_i,n>\in\{0,1\}^{512}
?=<statei?,n>∈{0,1}512 为 a subset of
F
p
512
F_p^{512}
Fp512?,其中: 以上statement的witness w w w包含:
5.3.2.2 Evaluations对于root state i \text{state}_i statei?和 Tree H ( q ) \text{Tree}_H(q) TreeH?(q)的所有内部nodes,运行a computation of the H H H gadget with the node value as output and its children as inputs。 PoSW circuit会验证 Tree H ( q ) \text{Tree}_H(q) TreeH?(q) 正确生成的。需要的计算量为 2 q ? 1 + 1 2^{q-1}+1 2q?1+1 instances of H H H。 6. Aleo的mining流程PoSW共识中的mining算法为:modular exponentiation over some group
G
G
G。 6.1 Modular MultiexponentiationPoSW将PoW process reduce为 the hardness of exponentiation,需要计算
q
q
q instances of exponentiating
k
k
k random indices
x
i
,
j
x_{i,j}
xi,j? in
Z
p
Z_p
Zp?,
(
i
,
j
)
∈
[
q
]
×
[
k
]
(i,j)\in[q]\times [k]
(i,j)∈[q]×[k] for prime
p
p
p of size
n
=
l
o
g
(
p
)
n=log(p)
n=log(p) by some random bases
G
i
G_i
Gi? in
G
G
G: 算法 A = ( A 1 , A 2 ) A=(A_1,A_2) A=(A1?,A2?)分为2个阶段:
对于每个bases
G
i
G_i
Gi?,计算
S
/
k
S/k
S/k exponents,并将其存入precomputation string中。这些exponents为the radix decomposition bases for
Z
p
Z_p
Zp? at the maximal permissible depth
c
c
c。 6.2 Security & Miner Size对于具有 S = k ? ( n / c ) ? ( 2 c ? 1 ) S=k*(n/c)*(2^c-1) S=k?(n/c)?(2c?1)个group elements的precomputation table,每个exponentiation平均计算量为 n / c n/c n/c次multiplication。但是,某些point a maximal c ? c^* c? is obtained that balances the communication cost of sending more precomputed elements with the cost of performing additional multiplications。因此,可假设miners work at around the level, and look at the security it implies。 Aleo评估了不同values of c ∈ N + c\in {N_+} c∈N+?的proof生成时间。在constant block frequency场景下,可用于project what the minimal table size S S S is for a predicate involving k k k exponentiations to achieve sufficiently low quantization error and collision probability。 We fix S S S and k k k and investigate proof generation times for fixed table size. Proving times in the GM17 and Marlin provers alongside the corresponding quantization error and collision probabilities are provided below for a single-threaded desktop machine. Security is with respect to 1 minute blocks and a circuit with k ≈ 2 13 k\approx 2^{13} k≈213 exponentiations per proof.
6.2.1 Security Implications of Hardware Acceleartion采用硬件加速的miner的proof生成时间将大幅缩短,因此,更多更快的miner将有助于降低quantization error和collision probabilities。也有助于网络更安全的运行。 7. PoSW 实例化Aleo的PoSW中的proof system采用的Marlin架构。Marlin架构与non-interactive Random Oracle setting下的属性一致。 7.1 Simulation Extractabilitysimulation-extractable (SE) proof system 具有 a unique encoding for every valid instance-witness pair ? ? , w ? \langle \phi, w\rangle ??,w?。即意味着valid proofs cannot be rerandomized without explicit knowledge of a different witness for ? \phi ?。否则an adversarial prover would be able to change the encoding of a proof after computation until it satisfies difficulty, which would violate the non-amortization requirement。 7.2 Reduction to an Average-Case Hard ProblemA non-amortizable prover should reduce in difficulty to a problem known (or postulated) to be non-batchable (or ‘hard’) on average。 由于当前大多数proof system采用的都是Kate commitment。因此Aleo中致力于 reduce proof computation to the problem of multi-exponentiation of a set of given (random) bases
G
i
i
=
1
m
∈
G
m
{G_i}_{i = 1}^m \in \mathbb{G}^m
Gi?i=1m?∈Gm by a set of random indices
x
i
i
=
1
m
∈
Z
p
m
{x_i}_{i =1}^m \in \mathbb{Z}_p^m
xi?i=1m?∈Zpm?。此时,hardness is measured in the number of queries to a multiplication oracle
O
m
\mathcal{O}_m
Om? in the given group’s encoding。 7.3 Predicate Designpredicate的选择对于确保以上security也至关重要。
7.4 Error BoundsWe set the desirable error bounds for quantization and forking error to 3 % 3\% 3% and 1.5 % 1.5\% 1.5% respectively. For a protocol with 1 1 1-minute block times, this implies that average proof generation times need to be upper bounded by τ = 1.8 ≈ 2 \tau = 1.8 \approx 2 τ=1.8≈2 seconds. 8. PoSW并行化PoSW circuit支持并行化 in each of the bases that need to be exponentiated。即意味着使用并行硬件可降低proving time,也意味着更高的chain security。但是带来的问题是需要能支持large parallel computing instances的larger miners。 8.1 RecursionRecursion computation可将PoSW circuit转换为sequential computation。将circuit切分为sequential proofs that ‘pass’ an intermediate set of witnesses through many sub-circuit: 通过recursion,每个proof都是下一proof的输入,让subcircuit足够小,将保证最终生成的proof为几乎sequential。 8.2 Towards a VDF Construction尽管当前的设计倾向于non-parallelizabilit,这将带来high efficiency costs due to the requirement for recursive computation。 但是,需要设计a parallelizable instance,使得可开发相应的硬件,来提供有意义的security guarantee(low collision probability due to lower proof generation times)。 参考资料[1] Aloe Proof of Succinct Work |
|
|
上一篇文章 下一篇文章 查看所有文章 |
|
开发:
C++知识库
Java知识库
JavaScript
Python
PHP知识库
人工智能
区块链
大数据
移动开发
嵌入式
开发工具
数据结构与算法
开发测试
游戏开发
网络协议
系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程 数码: 电脑 笔记本 显卡 显示器 固态硬盘 硬盘 耳机 手机 iphone vivo oppo 小米 华为 单反 装机 图拉丁 |
360图书馆 购物 三丰科技 阅读网 日历 万年历 2024年12日历 | -2024/12/28 19:56:30- |
|
网站联系: qq:121756557 email:121756557@qq.com IT数码 |
数据统计 |