POPS-VRF

[lrettig]

Motivation:

• in order to make it costly for an adversary to grind on smesher IDs (to prevent attacks against the beacon and concentration attacks more generally), we want to make it costly to generate a new smesher ID
• we need a way to bind genesis ID to a smesher ID so that the same smesher ID cannot be used on multiple chains that do not share a common genesis

Proposed solution:

Add a step to the "smesher initialization" process by which a smesher begins smeshing:

1. generate a new keypair (arbitrary, smesher is free to choose this)
2. use this to generate the initial PoST data (which commits to genesis ID) and initial PoET challenge
3. submit PoET challenge and wait for result
4. new step: run a short PoW to find a nonce on this PoET output
5. include this nonce in all future VRF messages f(x) = vrf(nonce, x)

See this thread for more.

Note: because finding the nonce involves PoW, it's theoretically possible that, if the adversary performs enough work, they could find a single nonce that validates multiple genesis IDs. Due to the extra work involved, we don't think this is a problem.

Note: this thread and #146 refer to additional, related work to make this ID generation/nonce scheme robust against a certain class of DoS attack, but that's less important for genesis and is scheduled for a later upgrade.

[dshulyak]

run a short PoW to find a nonce on this PoET output

i guess this will be using post library. maybe @moshababo recalls what we should use

[moshababo]

As a result of this thread, the following feature was implemented: https://github.com/spacemeshos/SMIPS/issues/45. It was already fully integrated, yet remained turned off (see here).

Later, Tal mentioned it's unusable for this specific attack.

[moshababo]

Closing in favor of https://github.com/spacemeshos/pm/issues/172.