A privacy-preserving decentralized storage with payments based on a blockchain

Abstract

Recently, the paradigm of cloud storage has seen wide acceptance in industry and for personal use. One of its core principles is to outsource storage, such that users can be billed flexibly by their actual demand. However, outsourcing storage such as private data or business secrets leads to privacy problems, as control over the data is lost to the storage provider. This is intensified by the fact that often privacy is considered only as an afterthought in these systems and not integrated into the design from the beginning. Privacy-preserving alternatives to these centralized cloud storage providers are peer-to-peer systems like Freenet or GNUnet. In these systems, participants can donate storage to other users of the system. Privacy plays a vital role in these systems, as, e.g., participants are unable to access data of other users if they are not authorized to do so, even if the data of the other users resides on their own hard disk. However, these decentralized systems suffer from limited contribution due to a lack of incentives to participate. Naively enhancing these systems with the possibility of payments such that storage providers can earn money, infringes privacy, since tracing of payment flows provides links between users and their storage providers. Consequently, a form of anonymous payment needs to be considered when enhancing such storage systems with remuneration. A very similar problem of providing incentives for protocol adoption is solved by the digital currency Bitcoin which rewards participants by uncloneable currency units which are themselves called bitcoins. Although Bitcoin is not privacy-preserving, the scenario of such blockchain architectures is very similar to a peer-to-peer storage platform and thus provides a good starting point. We provide two designs of a decentralized storage system with incentives for the participants to contribute. Our first design exchanges the proof of work mining process of a blockchain by publicly verifiable proofs of storage. These are cryptographic proofs that allow a storage provider to convince a verifier that it has stored some data of another participant. While this approach leads to a working system, it is not able to provide the envisioned privacy and security guarantees. Although the link between storage provider and user is severed, the link between a storage provider and its stored file is still observable. Further, the sender and receiver are revealed for transfers of digital cash which are unrelated to a file, as in Bitcoin. Improving on our first design, we provide a second design of a privacy-preserving storage. Here, the senders and receivers of transactions are anonymous due to our use of linkable ring signatures and one-time payment addresses. The storage is managed via smart storage contracts which are special transactions that grant the storage provider a financial reward if the storage provider is able to provide proofs of storage at predetermined times. Since storage contracts constitute a special form of transactions, linkable ring signatures and one-time payment addresses are applicable to storage smart contracts as well, where they provide anonymity of the user and storage provider. After introducing our two designs of a privacy-preserving storage system, we focus on selected building blocks of our architecture. We provide a thorough comparison between different publicly verifiable proof of storage schemes. Further, we design a new publicly verifiable proof of storage scheme from a modification of the Guillou-Quisquater identification protocol whose security is based on the RSA-assumption. We implemented all discussed proof of storage schemes and provide benchmarks regarding their real-world performance. Since our second storage system design relies on the wasteful proof of work mining process of Bitcoin, we propose a novel mining algorithm based on proofs of human work. These are solutions to problems that only humans are able to solve efficiently and thus prove cryptographically that an amount of human work has been performed. In contrast to a CAPTCHA, these proofs of human work are publicly verifiable. Our construction of a proof of human work relies on secure multiparty computation, which is a well-known cryptographic primitive with multiple known feasible instantiations. The only other instantiation of a proof of human-work known to date relies on indistinguishability obfuscation---a cryptographic primitive that is only speculated to exist and where no secure instantiation is currently known. As a third building block, we turn our attention to routing in payment channels. Payment channels are widely regarded as a solution to the low transaction throughput of blockchains. As an example, Bitcoin allows for around 7 transactions per second globally. Payment channels are bilateral channels, which include a balance that can be updated. Only the opening and the closing of the channel is written to the blockchain. Inside the channel, there can be multiple updates to the payment which are not written to the blockchain. The design of payment channels guarantees that no participant can cheat by persisting older transaction states to the blockchain. A network of payment channels operates as an overlay network to the blockchain and allows for routing of transactions over multiple hops. Up to now, routing algorithms in this setting have only been discussed from a purely technological perspective without taking into account the economical impact, like capacity constraints, routing fees, cost of locked capital, and the focus on the cheapest route (as opposed to the shortest route). Our treatment provides the first economic-technical analysis of routing in payment channels. We provide measurements of the cheapest route and the number of failed transactions due to capacity constraints using our custom simulator. In summary, our results show that it is possible to design a decentralized privacy-preserving storage system with remuneration for it participants. With the addition of anonymous payments we hope to increase participation beyond that of traditional decentralized storage systems.