| fip | title | author | discussions-to | status | type | category | created | spec-sections | |
|---|---|---|---|---|---|---|---|---|---|
0061 |
WindowPoSt Grindability Fix |
@cryptonemo @Kubuxu @DrPeterVanNostrand @Nicola @porcuquine @vmx @arajasek |
Final |
Technical (Core) |
Core |
2023-03-09 |
|
This proposal makes the generation of WindowPoSt challenges independent of the order of the provided sectors, improving network security.
It's been recognised that WindowPoSt challenge generation depends on the order of the provided sectors. This is inherent to the specified challenge generation algorithm, which had been audited but can be viewed as a bug in the protocol. If exploited by a Storage Provider, it would reduce the security guarantees of WindowPoSt.
This proposal eliminates this concern by making the generation of WindowPoSt challenges independent of the order of the provided sectors.
In short, challenge generation is the process by which node (i.e. sector data) challenges are selected for each sector. Ideally, the challenges are random and equally distributed (both across sector data and across all sealed sectors), so that each sector is challenged uniquely to ensure that all sector data has integrity over time.
Given that there is a relationship between challenge generation and the sector order provided in WindowPoSt, it is feasible for malicious Storage Providers to gain influence over the challenges during WindowPoSt by re-ordering the provided sectors in a way that provides benefits beyond what is allowed in the protocol.
This proposal aims to change WindowPoSt challenge generation so that the derivation of each sector's set of challenges is independent of the other sectors challenged during WindowPoSt.
This prevents all avenues of grinding WindowPoSt challenges as long as the sector stays within one deadline.
We propose adding the following types to the defined Registered Proofs types:
StackedDrgWindow2KiBV1_1
StackedDrgWindow8MiBV1_1
StackedDrgWindow512MiBV1_1
StackedDrgWindow32GiBV1_1
StackedDrgWindow64GiBV1_1
These new types will signal to Proofs via the API to use the updated WindowPoSt behaviour.
Differences between the currently deployed WindowPoSt challenge generation and the proposed updated challenge generation are as follows:
Current algorithm for generating a sector's WindowPoSt challenges:
- Note that
sector_indexandchallenge_indexare across all partitions and sectors of a WindowPoSt.
let sector_index = partition_index * num_sectors_per_partition + sector_index_in_partition;
let first_challenge_index = sector_index * challenge_count_per_sector + challenge_index_in_sector;
let sector_challenge_indexes = first_challenge_index..first_challenge_index + challenge_count_per_sector;
for challenge_index in sector_challenge_indexes {
let rand_int = u64::from_le_bytes(sha256(chain_randomness || sector_id || challenge_index)[..8]);
let challenge = rand_int % sector_nodes;
}Updated algorithm:
- Note that
challenge_indexis now relative to a sector (as opposed across all WindowPoSt partitions and sectors).
let sector_challenge_indexes = 0..challenge_count_per_sector;
for challenge_index in sector_challenge_indexes {
let rand_int = u64::from_le_bytes(sha256(chain_randomness || sector_id || challenge_index)[..8]);
let challenge = rand_int % sector_nodes;
}The version of actors that introduces this FIP will support 2 network versions, N and N+1.
The actors Runtime Policy will consider both StackedDrgWindow<Size>V1 and StackedDrgWindow<Size>V1_1 as valid proof types for this actors version.
The next actors version will not consider V1 as valid in its Runtime Policy.
At the N upgrade, all MinerInfos are updated to their V1_1 PoSt Proof Type.
All claims in the Power Actor are updated to be based on V1_1 Proof Types.
For network version N:
- Miner construction: New miners with
V1Proof types can NOT be created, onlyV1_1types are allowed. - PoSt submission: A submitted PoSt must match the
MinerInfo'sV1_1Proof Type, OR the correspondingV1Proof Type.
For network version N+1:
- Miner construction: New miners with
V1Proof types can NOT be created, onlyV1_1types are allowed. - PoSt submission: A submitted PoSt must match the
MinerInfo'sV1_1Proof Type.
The ability to prove and verify WindowPoSt with the new challenge generation algorithm will be exposed. Since this is a breaking change, a new ApiVersion flag is introduced to specify which challenge generation algorithm is used. A new WindowPost proof type will be defined at the proofs API layer, which will use the new challenge generation.
This is a subtractive change, removing information about where the sector is placed within the proof from challenge generation, and thus removing a degree of freedom. This additional degree of freedom is what allows for possible grinding on challenges for a given sector.
As it is a subtractive change, it is necessary to explore why challenge_index was originally taken to be across all WindowPoSt sectors. The initial design goal of challenge generation was to guarantee uniqueness of challenges; this design also left open the possibility of enforcing WindowPoSt sector ordering at the protocol-level. In addition to challenge_index, challenge generation depends on chain randomness and the challenged sector's SectorID. As SectorID is guaranteed to be unique within the scope of a Storage Provider (and consequently within the scope of a WindowPoSt), this FIP's proposed change preserves uniqueness of challenges via the maintained inclusion of SectorID in the challenge generation algorithm.
The new proof type itself is not backwards compatible with the old one. However, this change is introduced to the network in a two-phase network upgrade, with a rollover period in which both proof types are accepted.
Test cases of proofs are included in the Proofs code. Test cases for Actors are TBD.
While we believe this issue cannot be successfully exploited for gain due to limitations imposed by other parts of the Filecoin system, the security of individual system components (e.g. WindowPoSt) is important for maintaining a secure network.
This proposal does not affect the current incentive system of the Filecoin network.
This proposal has no product implications.
Proofs: TODO Actors: TODO
Clients are recommended to start generating V1_1 Proof types as soon as the network
upgrades to the first phase of the two-stage network upgrade proposed here.
Copyright and related rights waived via CC0.