
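The Hash-Power-Mined Storage Coin: Sia Whitepaper (Chinese-English Bilingual Edition)

Decentralized Storage: Sia Whitepaper (Chinese-English Bilingual Edition)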

David Vorick and Luke Champine
Nebulous Inc.
david@nebulouslab.com
luke@nebulouslab.com
(Dated: November 29, 2014)

Abstract: The authors introduce Sia, a platform for decentralized storage. Sia enables the formation of storage contracts between peers. Contracts are agreements between a storage provider and their client, defining what data will be stored and at what price. They require the storage provider to prove, at regular intervals, that they are still storing their client’s data. Contracts are stored in a blockchain, making them publicly auditable. In this respect, Sia can be viewed as a Bitcoin derivative that includes support for such contracts. Sia will initially be implemented as an altcoin, and later financially connected to Bitcoin via a two-way peg.


1. Introduction

Sia is a decentralized cloud storage platform that intends to compete with existing storage solutions, at both the P2P and enterprise level. Instead of renting storage from a centralized provider, peers on Sia rent storage from each other. Sia itself stores only the storage contracts formed between parties, defining the terms of their arrangement. A blockchain, similar to Bitcoin [1, 12], is used for this purpose.

By forming a contract, a storage provider (also known as a host) agrees to store a client’s data, and to periodically submit proof of their continued storage until the contract expires. The host is compensated for every proof they submit, and penalized for missing a proof. Since these proofs are publicly verifiable (and are publicly available in the blockchain), network consensus can be used to automatically enforce storage contracts. Importantly, this means that clients do not need to personally verify storage proofs; they can simply upload their file and let the network do the rest.

We acknowledge that storing data on a single untrusted host guarantees little in the way of availability, bandwidth, or general quality of service. Instead, we recommend storing data redundantly across multiple hosts. In particular, the use of erasure codes can enable high availability without excessive redundancy.

Sia will initially be implemented as a blockchain-based altcoin. Future support for a two-way peg with Bitcoin is planned, as discussed in “Enabling Blockchain Innovations with Pegged Sidechains” [5]. The Sia protocol largely resembles Bitcoin except for the changes noted below.


2. General Structure

Sia’s primary departure from Bitcoin lies in its transactions. Bitcoin uses a scripting system to enable a range of transaction types, such as pay-to-public-key-hash and pay-to-script-hash. Sia opts instead to use an M-of-N multi-signature scheme for all transactions, eschewing the scripting system entirely. This reduces complexity and attack surface.

Sia also extends transactions to enable the creation and enforcement of storage contracts. Three extensions are used to accomplish this: contracts, proofs, and contract updates. Contracts declare the intention of a host to store a file with a certain size and hash. They define the regularity with which a host must submit storage proofs. Once established, contracts can be modified later via contract updates. The specifics of these transaction types are defined in sections 4 and 5.


3. Transactions

A transaction contains the following fields:

3.1 Inputs and Outputs

An output comprises a volume of coins. Each output has an associated identifier, which is derived from the transaction that the output appeared in. The ID of output i in transaction t is defined as:

H(t || “output” || i)

where H is a cryptographic hashing function, and “output” is a string literal. The block reward and miner fees have special output IDs, given by:

H(H(Block Header) || “blockreward”)

Every input must come from a prior output, so an input is simply an output ID.

Inputs and outputs are also paired with a set of spend conditions. Inputs contain the spend conditions themselves, while outputs contain their Merkle root hash [2].


3.2 Spend Conditions

Spend conditions are properties that must be met before coins are “unlocked” and can be spent. The spend conditions include a time lock and a set of public keys, and the number of signatures required. An output cannot be spent until the time lock has expired and enough of the specified keys have added their signature.

The spend conditions are hashed into a Merkle tree, using the time lock, the number of signatures required, and the public keys as leaves. The root hash of this tree is used as the address to which the coins are sent. In order to spend the coins, the spend conditions corresponding to the address hash must be provided. The use of a Merkle tree allows parties to selectively reveal information in the spend conditions. For example, the time lock can be revealed without revealing the number of public keys or the number of signatures required.

It should be noted that the time lock and number of signatures have low entropy, making their hashes vulnerable to brute-forcing. This could be resolved by adding a random nonce to these fields, increasing their entropy at the cost of space efficiency.
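The low-entropy concern and the nonce fix described above, as an added example (not code from the Sia paper or project). SHA-256, the 8-byte integer encoding, the 16-byte nonce and the sample values are assumptions; the paper fixes none of them.

```python
import hashlib
import os


def leaf_hash(value, nonce=b""):
    """Merkle leaf for an integer spend-condition field (time lock or signature count).

    Assumed encoding: optional nonce followed by the value as 8 big-endian bytes.
    """
    return hashlib.sha256(nonce + value.to_bytes(8, "big")).digest()


def recover_field(published_hash, candidates):
    """Check whether a published leaf hash hides a guessable value.

    Hashes every plausible value without a nonce and compares. Returns the
    hidden value, or None if no candidate matches.
    """
    for value in candidates:
        if leaf_hash(value) == published_hash:
            return value
    return None


def demo():
    # Constructed spend conditions: unlock at block height 350000, 2 signatures.
    timelock, sigs_required = 350_000, 2

    # Revealing one leaf together with its Merkle path publishes the hashes
    # of the sibling leaves, so these two hashes become public.
    unsalted_sigs = leaf_hash(sigs_required)
    unsalted_lock = leaf_hash(timelock)

    # Mitigation from the text: mix a random nonce into each low-entropy leaf.
    salted_sigs = leaf_hash(sigs_required, os.urandom(16))

    return {
        "sigs_from_unsalted": recover_field(unsalted_sigs, range(256)),
        "lock_from_unsalted": recover_field(unsalted_lock, range(1_000_000)),
        "sigs_from_salted": recover_field(salted_sigs, range(256)),
    }


if __name__ == "__main__":
    print(demo())
```

The owner has to keep each nonce and publish it together with the field when that leaf is finally revealed, which is the space cost the paragraph mentions.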


3.3 Signatures

Each input in a transaction must be signed. The cryptographic signature itself is paired with an input ID, a time lock, and a set of flags indicating which parts of the transaction have been signed. The input ID indicates which input the signature is being applied to. The time lock specifies when the signature becomes valid. Any subset of fields in the transaction can be signed, with the exception of the signature itself (as this would be impossible). There is also a flag to indicate that the whole transaction should be signed, except for the signatures. This allows for more nuanced transaction schemes.

The actual data being signed, then, is a concatenation of the time lock, input ID, flags, and every flagged field. Every such signature in the transaction must be valid for the transaction to be accepted.


4. File Contracts

A file contract is an agreement between a storage provider and their client. At the core of a file contract is the file’s Merkle root hash. To construct this hash, the file is split into segments of constant size and hashed into a Merkle tree. The root hash, along with the total size of the file, can be used to verify storage proofs.

File contracts also specify a duration, challenge frequency, and payout parameters, including the reward for a valid proof, the reward for an invalid or missing proof, and the maximum number of proofs that can be missed. The challenge frequency specifies how often a storage proof must be submitted, and creates discrete challenge windows during which a host must submit storage proofs (one proof per window). Submitting a valid proof during the challenge window triggers an automatic payment to the “valid proof” address (presumably the host). If, at the end of the challenge window, no valid proof has been submitted, coins are instead sent to the “missed proof” address (likely an unspendable address in order to disincentivize DoS attacks; see section 7.1). Contracts define a maximum number of proofs that can be missed; if this number is exceeded, the contract becomes invalid.

If the contract is still valid at the end of the contract duration, it successfully terminates and any remaining coins are sent to the valid proof address. Conversely, if the contract funds are exhausted before the duration elapses, or if the maximum number of missed proofs is exceeded, the contract unsuccessfully terminates and any remaining coins are sent to the missed proof address.

Completing or missing a proof results in a new transaction output belonging to the recipient specified in the contract. The output ID of a proof depends on the contract ID, defined as:

H(transaction || “contract” || i)

where i is the index of the contract within the transaction. The output ID of the proof can then be determined from:

H(contract ID || outcome || W_i)

where W_i is the window index, i.e. the number of windows that have elapsed since the contract was formed. The outcome is a string literal: either “validproof” or “missedproof”, corresponding to the validity of the proof.

The output ID of a contract termination is defined as:

H(contract ID || outcome)

where outcome has the potential values “successfultermination” and “unsucessfultermination”, corresponding to the termination status of the contract.

File contracts are also created with a list of “edit conditions,” analogous to the spend conditions of a transaction. If the edit conditions are fulfilled, the contract may be modified. Any of the values can be modified, including the contract funds, file hash, and output addresses. As these modifications can affect the validity of subsequent storage proofs, contract edits must specify a future challenge window at which they will become effective.

Theoretically, peers could create “micro-edit channels” to facilitate frequent edits; see discussion of micropayment channels, section 7.3.
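The payout and termination rules of this section, replayed window by window as an added example (not code from the Sia paper or project). SHA-256, the 8-byte integer encoding, the address labels, the sample terms and the reading that funds reaching zero in the final window still count as a successful termination are assumptions; the outcome literals are spelled as the paper spells them.

```python
import hashlib


def H(*parts):
    """The paper's H over concatenated parts; SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()


def u64(n):
    return n.to_bytes(8, "big")  # assumed integer encoding


def contract_id(transaction, i):
    return H(transaction, b"contract", u64(i))


def proof_output_id(cid, outcome, window_index):
    return H(cid, outcome.encode(), u64(window_index))


def termination_output_id(cid, outcome):
    return H(cid, outcome.encode())


def settle(cid, fund, windows, valid_payout, missed_payout, max_missed,
           valid_addr, missed_addr, proof_results):
    """Replay a contract; proof_results[w] is True if a valid proof landed in window w.

    Returns (output_id_hex, address, coins, outcome) tuples in creation order.
    """
    outputs, missed = [], 0

    def emit(output_id, addr, coins, outcome):
        outputs.append((output_id.hex(), addr, coins, outcome))

    for w in range(windows):
        ok = w < len(proof_results) and proof_results[w]
        outcome = "validproof" if ok else "missedproof"
        coins = min(fund, valid_payout if ok else missed_payout)
        fund -= coins
        emit(proof_output_id(cid, outcome, w),
             valid_addr if ok else missed_addr, coins, outcome)
        if not ok:
            missed += 1
        exhausted_early = fund == 0 and w < windows - 1
        if missed > max_missed or exhausted_early:
            outcome = "unsucessfultermination"  # spelled as in the paper
            emit(termination_output_id(cid, outcome), missed_addr, fund, outcome)
            return outputs

    outcome = "successfultermination"
    emit(termination_output_id(cid, outcome), valid_addr, fund, outcome)
    return outputs


def paid_to(outputs, addr):
    return sum(coins for _, a, coins, _ in outputs if a == addr)


# Constructed contract terms for the demonstration.
CID = contract_id(b"constructed-transaction-bytes", 0)
TERMS = dict(cid=CID, fund=100, windows=4, valid_payout=20, missed_payout=10,
             max_missed=1, valid_addr="host", missed_addr="burn")


def demo():
    reliable = settle(proof_results=[True, False, True, True], **TERMS)
    flaky = settle(proof_results=[False, False, True, True], **TERMS)
    return reliable, flaky


if __name__ == "__main__":
    for run in demo():
        for output_id, addr, coins, outcome in run:
            print(output_id[:16], addr, coins, outcome)
        print()
```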


5. Proof of Storage

Storage proof transactions are periodically submitted in order to fulfill file contracts. Each storage proof targets a specific file contract. A storage proof does not need to have any inputs or outputs; only a contract ID and the proof data are required.


5.1 Algorithm

Hosts prove their storage by providing a segment of the original file and a list of hashes from the file’s Merkle tree. This information is sufficient to prove that the segment came from the original file. Because proofs are submitted to the blockchain, anyone can verify their validity or invalidity. Each storage proof uses a randomly selected segment. The random seed for challenge window W_i is given by:

H(contract ID || H(B_{i−1}))

where B_{i−1} is the block immediately prior to the beginning of W_i.

If the host is consistently able to demonstrate possession of a random segment, then they are very likely storing the whole file. A host storing only 50% of the file will be unable to complete approximately 50% of the proofs.
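The storage proof described above, with both the host and the verifier side, as an added example (not code from the Sia paper or project). SHA-256, the 64-byte segment size, the leaf/node prefixes, promoting an unpaired node, reducing the seed modulo the segment count, and all sample data are assumptions.

```python
import hashlib

SEGMENT_SIZE = 64  # assumed; the paper only says segments have constant size


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(segment):
    return H(b"\x00", segment)  # prefix keeps leaves and inner nodes distinct


def node(left, right):
    return H(b"\x01", left, right)


def split(data):
    return [data[i:i + SEGMENT_SIZE] for i in range(0, len(data), SEGMENT_SIZE)]


def segment_count(file_size):
    return -(-file_size // SEGMENT_SIZE)  # ceiling division


def build_levels(data):
    """All tree levels, leaves first. An unpaired last node is promoted unchanged."""
    levels = [[leaf(s) for s in split(data)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def merkle_root(data):
    return build_levels(data)[-1][0]


def challenge_index(contract_id, prev_block_header, file_size):
    """Seed H(contract ID || H(B_{i-1})) reduced to a segment index."""
    seed = H(contract_id, H(prev_block_header))
    return int.from_bytes(seed, "big") % segment_count(file_size)


def make_proof(data, index):
    """Host side: the challenged segment plus the sibling hashes up to the root."""
    path, pos = [], index
    for level in build_levels(data)[:-1]:
        if (pos ^ 1) < len(level):
            path.append(level[pos ^ 1])
        pos //= 2
    return split(data)[index], path


def verify_proof(root, file_size, index, segment, path):
    """Verifier side: needs only the contract's root hash and file size."""
    n = segment_count(file_size)
    if not 0 <= index < n or len(segment) > SEGMENT_SIZE:
        return False
    h, remaining = leaf(segment), list(path)
    while n > 1:
        if (index ^ 1) < n:  # this level has a sibling for our node
            if not remaining:
                return False
            sibling = remaining.pop(0)
            h = node(h, sibling) if index % 2 == 0 else node(sibling, h)
        index, n = index // 2, -(-n // 2)
    return not remaining and h == root


def partial_host_success_rate(file_size, kept_segments, contract_id, windows):
    """Fraction of challenge windows a host can answer if it kept only some segments."""
    hits = 0
    for w in range(windows):
        header = b"constructed-block-header-%d" % w
        if challenge_index(contract_id, header, file_size) in kept_segments:
            hits += 1
    return hits / windows


# Constructed sample: a 1028-byte file (17 segments, the last one 4 bytes long).
SAMPLE_FILE = b"".join(H(bytes([i])) for i in range(33))[:1028]
SAMPLE_CONTRACT_ID = H(b"constructed-contract")

if __name__ == "__main__":
    root, size = merkle_root(SAMPLE_FILE), len(SAMPLE_FILE)
    idx = challenge_index(SAMPLE_CONTRACT_ID, b"constructed-block-header-0", size)
    segment, path = make_proof(SAMPLE_FILE, idx)
    print("challenged segment", idx, "valid:", verify_proof(root, size, idx, segment, path))
    print("success rate with 8 of 17 segments kept:",
          partial_host_success_rate(size, set(range(8)), SAMPLE_CONTRACT_ID, 1000))
```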


5.2 Block Withholding Attacks

The random number generator is subject to manipulation via block withholding attacks, in which the attacker withholds blocks until they find one that will produce a favorable random number. However, the attacker has only one chance to manipulate the random number for a particular challenge. Furthermore, withholding a block to manipulate the random number will cost the attacker the block reward.

If an attacker is able to mine 50% of the blocks, then 50% of the challenges can be manipulated. Nevertheless, the remaining 50% are still random, so the attacker will still fail some storage proofs. Specifically, they will fail half as many as they would without the withholding attack.

To protect against such attacks, clients can specify a high challenge frequency and large penalties for missing proofs. These precautions should be sufficient to deter any financially-motivated attacker that controls less than 50% of the network’s hashing power. Regardless, clients are advised to plan around potential Byzantine attacks, which may not be financially motivated.


5.3 Closed Window Attacks

Hosts can only complete a storage proof if their proof transaction makes it into the blockchain. Miners could maliciously exclude storage proofs from blocks, depriving themselves of transaction fees but forcing a penalty on hosts. Alternatively, miners could extort hosts by requiring large fees to include storage proofs, knowing that they are more important than the average transaction. This is termed a closed window attack, because the malicious miner has artificially “closed the window.”

The defense for this is to use a large window size. Hosts can reasonably assume that some percentage of miners will include their proofs in return for a transaction fee. Because hosts consent to all file contracts, they are free to reject any contract that they feel leaves them vulnerable to closed window attacks.


6. Arbitrary Transaction Data

Each transaction has an arbitrary data field which can be used for any type of information. Nodes will be required to store the arbitrary data if it is signed by any signature in the transaction. Nodes will initially accept up to 64 KB of arbitrary data per block.

This arbitrary data provides hosts and clients with a decentralized way to organize themselves. It can be used to advertise available space or files seeking a host, or to create a decentralized file tracker.

Arbitrary data could also be used to implement other types of soft forks. This would be done by creating an “anyone-can-spend” output but with restrictions specified in the arbitrary data. Miners that understand the restrictions can block any transaction that spends the output without satisfying the necessary stipulations. Naive nodes will stay synchronized without needing to be able to parse the arbitrary data.


7. Storage Ecosystem

Sia relies on an ecosystem that facilitates decentralized storage. Storage providers can use the arbitrary data field to announce themselves to the network. This can be done using a standardized template that clients will be able to read. Clients can use these announcements to create a database of potential hosts, and form contracts with only those they trust.


7.1 Host Protections

A contract requires consent from both the storage provider and their client, allowing the provider to reject unfavorable terms or unwanted (e.g. illegal) files. The provider may also refuse to sign a contract until the entire file has been uploaded to them.

Contract terms give storage providers some flexibility. They can advertise themselves as minimally reliable, offering a low price and agreeing to minimal penalties for losing files; or they can advertise themselves as highly reliable, offering a higher price and agreeing to harsher penalties for losing files. An efficient market will optimize storage strategies.

Hosts are vulnerable to denial of service attacks, which could prevent them from submitting storage proofs or transferring files. It is the responsibility of the host to protect themselves from such attacks.


7.2 Client Protections

Clients can use erasure codes, such as regenerating codes [4], to safeguard against hosts going offline. These codes typically operate by splitting a file into n pieces, such that the file can be recovered from any subset of m unique pieces. (The values of n and m vary based on the specific erasure code and redundancy factor.) Each piece is then encrypted and stored across many hosts. This allows a client to attain high file availability even if the average network reliability is low. As an extreme example, if only 10 out of 100 pieces are needed to recover the file, then the client is actually relying on the 10 most reliable hosts, rather than the average reliability. Availability can be further improved by rehosting file pieces whose hosts have gone offline. Other metrics benefit from this strategy as well; the client can reduce latency by downloading from the closest 10 hosts, or increase download speed by downloading from the 10 fastest hosts. These downloads can be run in parallel to maximize available bandwidth.


7.3 Uptime Incentives

The storage proofs contain no mechanism to enforce constant uptime. There are also no provisions that require hosts to transfer files to clients upon request. One might expect, then, to see hosts holding their clients’ files hostage and demanding exorbitant fees to download them. However, this attack is mitigated through the use of erasure codes, as described in section 7.2. The strategy gives clients the freedom to ignore uncooperative hosts and work only with those that are cooperative. As a result, power shifts from the host to the client, and the “download fee” becomes an “upload incentive.”

In this scenario, clients offer a reward for being sent a file, and hosts must compete to provide the best quality of service. Clients may request a file at any time, which incentivizes hosts to maximize uptime in order to collect as many rewards as possible. Clients can also incentivize greater throughput and lower latency via proportionally larger rewards. Clients could even perform random “checkups” that reward hosts simply for being online, even if they do not wish to download anything. However, we reiterate that uptime incentives are not part of the Sia protocol; they are entirely dependent on client behavior.

Payment for downloads is expected to be offered through preexisting micropayment channels [11]. Micropayment channels allow clients to make many consecutive small payments with minimal latency and blockchain bloat. Hosts could transfer a small segment of the file and wait to receive a micropayment before proceeding. The use of many consecutive payments allows each party to minimize the risk of being cheated. Micropayments are small enough and fast enough that payments could be made every few seconds without having any major effect on throughput.


7.4 Basic Reputation System

Clients need a reliable method for picking quality hosts. Analyzing their history is insufficient, because the history could be spoofed. A host could repeatedly form contracts with itself, agreeing to store large “fake” files, such as a file containing only zeros. It would be trivial to perform storage proofs on such data without actually storing anything.

To mitigate this Sybil attack, clients can require that hosts that announce themselves in the arbitrary data section also include a large volume of time locked coins. If 10 coins are time locked 14 days into the future, then the host can be said to have created a lock valued at 140 coin-days. By favoring hosts that have created high-value locks, clients can mitigate the risk of Sybil attacks, as valuable locks are not trivial to create.

Each client can choose their own equation for picking hosts, and can use a large number of factors, including price, lock value, volume of storage being offered, and the penalties hosts are willing to pay for losing files. More complex systems, such as those that use human review or other metrics, could be implemented out-of-band in a more centralized setting.


8. Siafunds

Sia is a product of Nebulous Incorporated. Nebulous is a for-profit company, and Sia is intended to become a primary source of income for the company. Currency premining is not a stable source of income, as it requires creating a new currency and tethering the company’s revenue to the currency’s increasing value. When the company needs to spend money, it must trade away portions of its source of income. Additionally, premining means that one entity has control over a large volume of the currency, and therefore potentially large and disruptive control over the market.

Instead, Nebulous intends to generate revenue from Sia in a manner proportional to the value added by Sia, as determined by the value of the contracts set up between clients and hosts. This is accomplished by imposing a fee on all contracts. When a contract is created, 3.9% of the contract fund is removed and distributed to the holders of siafunds. Nebulous Inc. will initially hold approx. 88% of the siafunds, and the early crowd-fund backers of Sia will hold the rest.

Siafunds can be sent to other addresses, in the same way that siacoins can be sent to other addresses. They cannot, however, be used to fund contracts or miner fees. When siafunds are transferred to a new address, an additional unspent output is created, containing all of the siacoins that have been earned by the siafunds since their previous transfer. These siacoins are sent to the same address as the siafunds.


9. Economics of Sia

The primary currency of Sia is the siacoin. The supply of siacoins will increase permanently, and all fresh supply will be given to miners as a block subsidy. The first block will have 300,000 coins minted. This number will decrease by 1 coin per block, until a minimum of 30,000 coins per block is reached. Following a target of 10 minutes between blocks, the annual growth in supply is:


There are inefficiencies within the Sia incentive scheme. The primary goal of Sia is to provide a blockchain that enforces storage contracts. The mining reward, however, is only indirectly linked to the total value of contracts being created.

The siacoin, especially initially, is likely to have high volatility. Hosts can be adversely affected if the value of the currency shifts mid-contract. As a result, we expect to see hosts increasing the price of long-term contracts as a hedge against volatility. Additionally, hosts can advertise their prices in a more stable currency (like USD) and convert to siacoin immediately before finalizing a contract. Eventually, the use of two-way pegs with other crypto-assets will give hosts additional means to insulate themselves from volatility.


10. Conclusion

Sia is a variant on the Bitcoin protocol that enables decentralized file storage via cryptographic contracts. These contracts can be used to enforce storage agreements between clients and hosts. After agreeing to store a file, a host must regularly submit storage proofs to the network. The host will automatically be compensated for storing the file regardless of the behavior of the client.

Importantly, contracts do not require hosts to transfer files back to their client when requested. Instead, an out-of-band ecosystem must be created to reward hosts for uploading. Clients and hosts must also find a way to coordinate; one mechanism would be the arbitrary data field in the blockchain. Various precautions have been enumerated which mitigate Sybil attacks and the unreliability of hosts.

Siafunds are used as a mechanism of generating revenue for Nebulous Inc., the company responsible for the release and maintenance of Sia. By using Siafunds instead of premining, Nebulous more directly correlates revenue to actual use of the network, and is largely unaffected by market games that malicious entities may play with the network currency. Miners may also derive a part of their block subsidy from siafunds, with similar benefits. Long term, we hope to add support for two-way-pegs with various currencies, which would enable consumers to insulate themselves from the instability of a single currency.

We believe Sia will provide a fertile platform for decentralized cloud storage in trustless environments.



References

[1] Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System.

[2] R.C. Merkle, Protocols for public key cryptosystems, In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.

[3] Hovav Shacham, Brent Waters, Compact Proofs of Retrievability, Proc. of Asiacrypt 2008, vol. 5350, Dec 2008, pp. 90-107.

[4] K. V. Rashmi, Nihar B. Shah, and P. Vijay Kumar, Optimal Exact-Regenerating Codes for Distributed Storage at the MSR and MBR Points via a Product-Matrix Construction.

[5] Adam Back, Matt Corallo, Luke Dashjr, Mark Friedenbach, Gregory Maxwell, Andrew Miller, Andrew Poelstra, Jorge Timon, Pieter Wuille, Enabling Blockchain Innovations with Pegged Sidechains.

[6] Andrew Poelstra, A Treatise on Altcoins.

[7] Gavin Andresen, O(1) Block Propagation, https://gist.github.com/gavinandresen/e20c3b5a1d4b97f79ac2

[8] Gregory Maxwell, Deterministic Wallets, https://bitcointalk.org/index.php?topic=19137.0

[9] etotheipi, Ultimate blockchain compression w/ trust-free lite nodes, https://bitcointalk.org/index.php?topic=88208.0

[10] Gregory Maxwell, Proof of Storage to make distributed resource consumption costly, https://bitcointalk.org/index.php?topic=310323.0

[11] Mike Hearn, Rapidly-adjusted (micro)payments to a pre-determined party, https://en.bitcoin.it/wiki/Contracts#Example_7:_Rapidly-adjusted_.28micro.29payments_to_a_pre-determined_party

[12] Bitcoin Developer Guide, https://bitcoin.org/en/developer-guide

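Afterword

It is worth noting that both Burst and Sia, as storage projects, chose hash-power mining as the way to issue their coins. If Burst's hard-drive mining under the POC mechanism can still be regarded as a new mining mechanism created in order to gather disk space, Sia's use of hash power to package blocks seems somewhat baffling. Taking into account BHD, which is steadily gaining popularity among all Filecoin miners, let us look at a set of data:

The two charts, above and below, show the network-wide capacity and the HPool pool capacity for Burst and BHD respectively. The total network-wide disk space of the two POC projects is currently estimated to exceed 300 PB (with some overlap).

Sia's total network storage capacity has currently reached 4.5 PB, yet only 206 TB is actually in use. For Sia, which claims it will become a competitor to Amazon's cloud storage, the current capacity still lags far behind that of the POC-mechanism projects.

It is fair to say that these storage projects each have technical strengths in their implementations, but the self-contained closed economic loop that blockchain brings has not been designed perfectly:

Storj is not market-driven enough, and its pricing is still centralized; Sia gives most of the rewards to hash-power miners, which is unfair to storage miners;

Burst states on its official website that the upcoming POC3 will introduce a data storage function, but a large share of the coins has already been distributed, which is clearly unfair to storage miners, because storage revenue is not related only to the amount of storage space; and introducing a new mechanism when the coins are almost fully mined will inevitably involve a major move such as a fork...

Distributed storage projects were already springing up like mushrooms before blockchain existed, and IPFS itself appeared as early as 2014, but the lack of an effective incentive mechanism made it hard for them to develop. The token-based economic incentives brought by blockchain have given these storage projects new vitality. But we have to admit that, compared with mature Internet and cloud technology, today's blockchain-based distributed storage, although novel enough as a concept, still needs a great deal of work before it can compete with cloud services or even replace them.

This work lies not only in improving the code but also in building hardware facilities. The data centers that cloud providers rent or build themselves are usually highly professional and can provide stable service over long periods; once these physical entities become the computers of ordinary households, the sources of instability increase greatly, which is one of the main reasons many large enterprises still choose cloud services today.

Of course, we have high expectations for Storj's upcoming V3, for Sia formally becoming a competitor to Amazon in 2020, and for Burst's POC3. 2018 is gradually drawing to a close; in this year of vigorous development for both public chains and DApps, people have discovered the value of distributed storage as an underlying foundation, and hope that the current storage projects will deliver more impressive results.

Original article by Tang. If you repost it, please credit the source: https://ipfsdrop.com/tech/suanliwakuangdecunchubi-siabaipishuzhongyingduizhaoban/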


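Comments (3)

  • tonyhzj, October 9, 2018, 08:56

    What is the difference between this sia and hbd?

  • tonyhzj, October 9, 2018, 08:57

    What is the difference between this sia and bhd? Also, is sia open source?

    • Eric, in reply to tonyhzj, October 15, 2018, 13:20

      BHD is a coin mined with the POC mechanism. POC mining is in essence also hash-power mining, except that the mechanism is set up to use hard drives, and its energy consumption is far, far lower than that of hash-power mining such as Bitcoin's. So although BHD is mined with hard drives, it is not used to store data.
      Sia is a storage coin, but its coins are produced by GPU mining. Sia does store meaningful data, though at the moment I do not yet understand exactly how it operates. If I figure it out, I can come back and answer you.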
