Benjamin_Loison/Variable_MLS
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update on Overleaf.

Browse Source
This commit is contained in:
loic.miller
2023-06-19 14:45:06 +00:00
committed by node
parent 3f54358e58
commit fbce7cbcf9
1 changed files with 99 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
ccs-body.tex
View File

@@ -159,6 +159,105 @@ However, the adversary remains computationally bounded. Hence, it cannot, in a p
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Non-Interactive~Proofs-of-Proof-of-Works}
\label{sec:kiayias}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\subsection{Intuition}
The proof-of-work system requires each party to generate a ``proof" of investment of a limited resource such as hash power, which takes time to generate but can be quickly verified by other parties.
Every party that wants to append a block to the blockchain is required to provide a \emph{nonce} along with the contents of the block, that hashes to a value below a given target. The hash function $\mathcal{H}$ is modelled as a random oracle~\cite{random-oracle}, i.e., behaves likes an ideal random function, and produces constant length output. Since the distribution of hash values is stochastic, some blocks end up with hash values significantly below the target.
\begin{definition}[$\ell$-superblock (\cite{10.1145/3460120.3484784})]
A block that hashes to a value less than $T/(2^{\ell})$ is said to be a $\ell$-superblock, where $T$ is the current target value and $\ell \geq 1$.
\end{definition}
Note that every $\ell$-superblock is also a $\ell'$-superblock for any $\ell' \leq \ell$ and the genesis block is considered to have a hash value of $\texttt{0x00}\ldots\texttt{0}$ and hence, is a superblock of the highest level.
{Non-Interactive Proofs-of-Proof-of-Works} ({NIPoPoWs}) compress a PoW-based blockchain by subsampling its blocks~\cite{10.1007/978-3-662-53357-4_5}. The working principle behind this compression lies in the assumption that a sub-sample of the blocks, i.e., the $\ell$-superblocks, can be sufficient to estimate the size of the original distribution of block headers~\cite{karantias2020compact,10.1145/3460120.3484784,10.1007/978-3-030-51280-4_27}.
The key idea is to sub-sample the blocks in the blockchain such that the sub-sampled chain represents the original chain; any difference in the original blockchain results in different sub-sampled blockchains. In more details, in a long enough execution of a PoW blockchain, on average, $1/2^{\ell}$ of the blocks are $\ell$-superblocks. A NIPoPoW samples the $\ell$-superblocks to prove that the original blockchain contained $2^\ell$ blocks. In order to convince honest parties, the NIPoPoW contains a constant number $m$ of superblocks at each level (see Figure~\ref{fig:kiayias_diagram}).
%
The scheme requires every block header to store pointers to the last superblock at every level in order to ensure that the subsampled blocks also form a valid chain. A chain of $n$ blocks will contain superblocks at $O(\log(n))$ levels. Hence, the space and communication complexity of NIPoPoW is $O(\polylog(n))$.
The proposal by Kiayias et al.~\cite{10.1145/3460120.3484784} offers the best-known compression of PoW blockchains so far. It achieves $O(\polylog(n)c + kd + a)$ storage and communication costs while allowing parties to mine new blocks based on this compressed blockchain, where $k$ is the common prefix parameter, $d$ is the size of application data per block, and $a$ is the size of application data. % in the blockchain.
%However, their solution reduces the security of the protocol by guaranteeing resilience to only a third Byzantine adversary. Improving these security guarantees in NIPoPoW is the primary focus of the work.
\subsection{Algorithmic ingredients of the NIPoPoW}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Any scheme for operating and compressing blockchains requires to design (i) a \emph{chain compression} algorithm and (ii) a \emph{compressed chain comparison} algorithm to determine which compressed chain to be retained in the case of forks.
%\begin{figure}
%\centering
% \begin{subfigure}{0.4\textwidth}
% \includegraphics[width=\textwidth]{S&P/figures/figure-1.pdf}
% \caption{The probabilistic hierarchical blockchain. Higher levels have achieved a higher difficulty during mining. All blocks are connected to the genesis block $G$.}
% \label{fig:first}
% \end{subfigure}
% \vfill
% \begin{subfigure}{0.45\textwidth}
% \includegraphics[width=\textwidth]{S&P/figures/figure-2.pdf}
% \caption{View of the blockchain after compression at time $t$.}
% \label{fig:second}
% \end{subfigure}
% \vfill
% \begin{subfigure}{0.45\textwidth}
% \includegraphics[width=\textwidth]{S&P/figures/figure-3.pdf}
% \caption{View of the same portion of the blockchain at time $t' > t$, i.e., as time elapses, only $3$-superblocks are kept among the ``old" blocks of the blockchain.}
% \label{fig:third}
% \end{subfigure}
%\caption{Illustration of Kiayias et al.'s~\cite{10.1145/3460120.3484784} compression scheme. }
%\label{fig:kiayias_diagram}
%\end{figure}
\subsection{Chain Compression Algorithm}
Kiayias et al.'s chain compression algorithm (from~\cite{10.1145/3460120.3484784}, Algorithm 1) is parameterized by a security parameter $m$ and the common prefix parameter $k$. System parameter $m$ represents the number of blocks that a party wishes to receive to feel safe. The algorithm compresses the blockchain except for the $k$ most recent blocks, called \emph{unstable} blocks. The compression works as follows: For the highest level $\ell$ that contains more than $2m$ blocks, keep all the blocks but for every level $\mu$ below $\ell$, only keep the last $2m$ blocks and all the blocks after the $m^\text{th}$ block at the $\mu+1$ level. $\Pi$ is used to represent an instance of NIPoPoW proof.
\subsection{Compressed Chain Comparison Algorithm}
Let $\Pi_1, \Pi_2, \ldots, \Pi_n$ be the different compressed blockchains that a new party receives. To compare any two compressed blockchains $\Pi$ and $\Pi'$, the compression algorithm selects the minimum level $\mu$ that contains a block present in both $\Pi$ and $\Pi'$. If no such block is found, it necessarily implies that the greatest level (compression level $\ell$) in the two compressed blockchains is not the same, and thus simply, the algorithm selects the one with the greatest level. If block $b$ is found in both $\Pi$ and $\Pi'$ at the same level $\mu$, then the blockchain with the greatest number of blocks after $b$ wins the comparison.
% \section{Mining in Logarithmic Space}
% Prior to presenting our scheme, we briefly describe Kiayias~\textit{et al.}' solution.
% Kiayias~\textit{et al.}~\cite{kiayias2021mining} present a scheme to compress a blockchain, retaining only a poly-logarithmic number of blocks.
% Such a scheme requires both a compression algorithm and a compressed chain comparison algorithm.
% The former compresses a chain, while the latter allows a verifier bootstrapping to determine which compressed chain it must keep.
% This scheme relies on the notion of superblocks.
% \begin{definition}[$\mu$-superblock]
% Block satisfying the proof of work for a hash value $H(ctr||x||s) \leq \frac{T}{2^\mu}$.
% \end{definition}
% \subsection{Compression algorithm}
% The compression algorithm is parameterized by a security (or inversely, compression) parameter $m$ and the common prefix parameter $k$~\cite{garay2015bitcoin}.
% The chain is first separated into a stable and an unstable part.
% The most recent $k$ blocks of the chain constitute the unstable part we call $\chi$, and set aside for now.
% The stable part is then divided into levels, each level containing the set of superblocks of level $\mu$.
% We keep all blocks from the highest level $\ell$ containing at least $2m$ superblocks.
% For each level $\mu$ below $\ell$, we keep the last $2m$ blocks.
% In addition, we keep all blocks after the $m^{th}$ block of level $\mu + 1$.
% We call those blocks $\pi$.
% The compressed chain $\Pi = \pi\chi$ constitutes an instance of the NIPoPoW proof.
% \subsection{Comparison algorithm}
\subsection{Properties}
%\section{Variable difficulty setting}