Distributed Secure Storage Scheme Based on Sharding Blockchain

Jin Wang,Chenchen Han,Xiaofeng Yu,Yongjun Ren and R.Simon Sherratt

1School of Computer Science and Mathematics,Fujian University of Technology,Fuzhou,350118,China

2School of Computer&Communication Engineering,Changsha University of Science&Technology,Changsha,410004,China

3School of Business,Nanjing University,Nanjing,210093,China

4School of Computer,School of Software,School of Cyberspace Security,Engineering Research Center of Digital Forensics,Ministry of Education,Nanjing University of Information Science&Technology,Nanjing,210044,China

5Department of Biomedical Engineering,University of Reading,RG6 6AY,UK

Abstract: Distributed storage can store data in multiple devices or servers to improve data security.However, in today’s explosive growth of network data, traditional distributed storage scheme is faced with some severe challenges such as insufficient performance, data tampering, and data lose.A distributed storage scheme based on blockchain has been proposed to improve security and efficiency of traditional distributed storage.Under this scheme,the following improvements have been made in this paper.This paper first analyzes the problems faced by distributed storage.Then proposed to build a new distributed storage blockchain scheme with sharding blockchain.The proposed scheme realizes the partitioning of the network and nodes by means of blockchain sharding technology,which can improve the efficiency of data verification between nodes.In addition,this paper uses polynomial commitment to construct a new verifiable secret share scheme called PolyVSS.This new scheme is one of the foundations for building our improved distributed storage blockchain scheme.Compared with the previous scheme, our new scheme does not require a trusted third party and has some new features such as homomorphic and batch opening.The security of VSS can be further improved.Experimental comparisons show that the proposed scheme significantly reduces storage and communication costs.

Keywords: Blockchain; distributed storage; verifiable secret share polynomial commitment

1 Introduction

Traditional centralized storage systems use centralized storage servers to store all data, which places high requirements on server performance, including reliability and security.At the same time, with the explosive growth of network data, centralized storage systems cannot satisfy the needs of large-scale applications.As a peer-to-peer storage method, distributed storage is gradually replacing traditional storage methods [1,2].Distributed storage is to distribute data to multiple data storage servers to share the load to improve data security and storage efficiency.Nowadays,distributed storage has been widely used and favored by many companies.Common distributed storage systems, such as an efficient and scalable distributed file storage system called GFS proposed by Google.

However, distributed storage still has some problems in data security and system performance:

1)Data security.Data security is always a hot topic.When network failure or equipment abnormality occurs, data may be lost.The user may lose part or all of the data.In addition, some malicious attackers will also steal or tamper with the stored data.

2)Data management.Usually, the data is stored in different devices or servers.Different servers may have different data types, which is inconvenient for data management.In addition, because the update is not timely, the software version number may be different.

3)Performance issues.The performance of distributed storage mechanisms is equally important.Such as capacity expansion and network optimization.

The combination of blockchain and distributed storage technology in the database provides a way to solve the above problem.The distributed storage system based on the blockchain can be used to securely store all kinds of data, and can be applied to fields such as smart grid, smart home, and Internet of Vehicles.As the underlying technology of Bitcoin, blockchain has received widespread attention due to its strong security characteristics [3].Blockchain was originally used to construct cryptocurrency.Because the blockchain has the characteristics of anti-tampering,openness and transparency, it was subsequently regarded as one of the methods to construct a secure data storage scheme [4-6].The blockchain itself is a distributed setting, but because of the Merkle tree structure used in data storage, it needs to pay more storage costs when dealing with large-scale applications.

Secret share combined with blockchain has some applications such as electronic voting,consensus algorithms, and P2P storage scheme [7-10].Such a scheme usually requires the participation of a Dealer, and we cannot guarantee that the Dealer is credible.This paper proposes an improved verifiable secret share scheme based on polynomial commitment without Dealer to replace the secret share scheme in distributed storage blockchain.

The specific contributions of this paper are as follows:

(1) This paper proposes a verifiable secret share scheme based on polynomial commitment(PolyVSS, for short).Compared with the previous scheme, our new scheme does not require a trusted third party and has homomorphic characteristics.

(2) Use PolyVSS to construct a distributed storage scheme based on blockchain.This scheme uses sharding technology to realize the partitioning of nodes and transactions.Experimental comparisons show that the proposed scheme can reduce storage and communication costs.

The structure of this paper is as follows.In Section 2, we introduce the related work of this paper.In Section 3, we first give the structure of a distributed storage blockchain based on PolyVSS.Section 4 introduces the proposed PolyVSS and analyzes its security.In Section 5, we analyzed the performance of the distributed storage blockchain and summarized in Section 6.

2 Related Work

2.1 Verifiable Secret Share

Secret share is one of the important research directions of modern cryptography.The earliest secret share scheme was proposed by Shamir.In their scheme, there is a dealer who is responsible for dividing a secret intonparts and distributing them tonmembers.After knowing anytor more shares (t≤n), these members can reconstruct the secret.

Due to the excessive trust given to the dealer, we cannot guarantee that the dealer will not have malicious behavior.To prevent the dealer from malicious behavior, verifiable secret share(VSS) is proposed [11].Verifiable secret share is based on secret share, adding a step of share verification.To put it simply, members verify the legitimacy of the secret distributed by the dealer.An important feature of VSS is unconditional privacy.This feature prevents the shared information from being obtained by a collection of members without permission.In addition to VSS, some practical variants of VSS schemes have been proposed, such as verifiable multi-secret share [12], non-interactive verifiable secret share, and public verifiable secret share.

Harin et al.[13,14] gave the formal definition of (n, t, n) secret share.In this scheme,nshare-holders participate in sharing a master secret together, and everyone can randomly select a sub-secret and use an algorithm to generate sub-shares.Then using the homomorphic feature,each shareholder can combine all the sub-shares into the master share.Finally, the master share can be restored to the master secret through the reconstruction algorithm.

2.2 Polynomial Commitment

The concept of commitment is at the core of almost all modern cryptographic protocol constructions.In this case, making a commitment simply means that a participant in the protocol can choose a value from a certain (limited) set and commit to his choice so that he can no longer change his mind.However, he does not have to reveal his choice (although he may choose to reveal it at some point in the future).Cryptography commitment has been applied to the blockchain.Zerocoin [15] uses Pedersen commitment to bind a series of numberssto Zerocoinz.The commitment C is as follows:

wherepis unknown.Given the generatorsgandh, the user randomly selects the random numberssandz, and the commitment C can be calculated.It is difficult to calculate the random numberssandzwhen only knowing the commitment C, even if one of them is revealed.In addition to this, Kate et al.[16] proposed the first efficient polynomial commitment, which was subsequently used to construct a blockchain-based zero-knowledge proof protocol.Their scheme has the characteristics of a static accumulator.Next, we will introduce the construction of polynomial commitment:

The polynomial commitment scheme is constructed based on bilinear pairing.First, we useG=〈e,G,GT〉to represent the generation of bilinear groups (see Definition 6).The algorithm of polynomial commitment can be divided into four phases:

1) Initialization phase:

This step mainly generates a public-private key pair 〈pk,sk〉, where the public key is expressed aspk=〈G,g,gϑ,gϑ2...,gϑn〉.The private keysk=ϑcannot be used in the next steps.

2) Commit phase:

Calculate the corresponding commitmentC=gF(ϑ)∈G.Since the polynomial can be expressed asx=the commitment can also be written as:

3) Open phase:

This step opens the committed polynomialC.

4) Verify phase:

At this phase, the verifier first needs to verify the legitimacy of the commitment:

If the equation holds, the verification passes.Otherwise, it fails.Then output a triple〈α,F(α),ωα〉, whereωα=gfα(ϑ)is the witness in the indexα.gfi(ϑ)satisfies:

Finally, verify the evaluation in the indexα:

If the equation holds, the verification passes.Otherwise, it fails.

Suppose there is an adversaryΘ.The polynomial commitment satisfies the three characteristics of polynomial binding, evaluation binding, and computational hiding:

Polynomial Binding.We say that the polynomial commitment is polynomial binding if it is satisfied:

Evaluation Binding.We say that the polynomial commitment is evaluation binding, if it is satisfied:

Computational Hiding.Assuming there is an adversaryΘ, given 〈pk,C〉 and 〈iυ,F(iυ),ωFαυ〉.Where 1 ≤υ≤deg(F), and for eachυ, the verify phase can be verified successfully.No adversaryΘcan determineF(ˆυ)with non-negligible probability for any un-queried index ˆυ.

In addition, the polynomial commitment also satisfies strong correctness, the proof of which has been given in the paper [16].

3 The Proposed Distributed Storage Scheme Based on Sharding Blockchain

3.1 System Model of Distributed Storage Scheme Based on Blockchain

Before introducing the system model of DSB, we first introduce a few related notions.LetBtdenote the t-th block,Htdenote the hash value stored with the(i+1)th transaction, andhi=h(ψi).ψt=(hi-1,h′(Bi)),hi-1is the hash of the previous block.handh′are two hash functions respectively.The specific structure is shown in Fig.1.Thei-th block is hashed and stored together with the hash of the previous block.

Figure 1: Hash chain in distributed storage scheme based on blockchain

As we can see from the Fig.1, the DSB scheme is to hash the entire block.Below we give the definition of DSB.

Definition 1Distributed Storage Based on Blockchain (DSB).DSB consists of three phases.

First give a node partition:

wherenrepresents the total number of nodes.indicates that the nodes are divided intoRsubsets of sizer+1.The specific stages are as follows.

1) Initial phase

2) Encryption phase

There is an encryption algorithm denoted asφ, and the block can be encrypted with a key:

3) Storage phase

Distribute and storeamongr+ 1 nodes in partitionχ, and then use secret share algorithm to storeandψt.

3.2 The Structure of Distributed Storage Scheme Based on Blockchain

We constructed our storage scheme based on the blockchain, and introduce some of the corresponding concepts are related to the blockchain in this section [17-19].First, we will introduce the components of the framework of our scheme:

1)Data management center (DMC): The data management center is responsible for sending data verification requests and distributing data to nodes in designated shard.

2)Node: The node is responsible for the maintenance of the ledger and the verification of the data.

3)Shard: With the help of blockchain sharding technology [20,21], the nodes in our scheme are randomly divided into a specified number of shards, and the number of nodes in each shard is the same.

4)Blockchain database: The blockchain database is used to store data that has been verified by the nodes.

5)P2P network: P2P networks have advantages in building distributed applications [22-24].Our scheme uses a distributed P2P network without central node, and a network is randomly established between nodes.

First, the DMC sends a request to the nodes.After receiving the request, each node runs PolyVSS three-phase algorithm to distribute and store data.Fig.2 shows the structure of a sharding-based blockchain storage system (assuming that all nodes are divided into three shards).It should be noted that the structure is the same regardless of the number of shard.Each dashed box in the figure represents a shard, and each shard has the same number of nodes.The nodes in each shard are independent of each other, do not affect each other, and can communicate with each other when necessary.This can prevent malicious nodes in different shards from colluding with each other and prevent double-spending attacks.Of course, in order to prevent all malicious nodes from being divided into the same shard, we refer to the technique of the paper [20], so that the node allocation is completely random.

The number of nodes is not as many as possible.With reference to the practical Byzantine fault-tolerant algorithm, we generally limit the number of nodes in each shard to no more than 100.When the number of nodes exceeds 100, the efficiency of reaching consensus among nodes will become low.Of course we can increase the number of shard.In our scheme, there are a total of three shards and we assume that the number of nodes in each shard is 50.

Let the total number of nodes beNub,Frepresents the number of shards, we havewherer+1 is the size of each shard.The specific scheme is given in the next section.

3.3 The Proposed Scheme Based on Sharding Blockchain

Our scheme is based on sharding blockchain, and can process multiple data in parallel, which theoretically improves the efficiency of data verification.Our scheme is divided into three phases:request phase, secret share phase and storage phase.

Figure 2: Data storage scheme based on sharding blockchain

1) Request phase

When a piece of data needs to be added to the chain, the Data Management Center (DMC)will send a request to all nodes in a shard.

2) Data verification phase

Each nodeNiindependently selects a sub-secretSi, and the master secret can be expressed as

For each sub-secretSi,Nirandomly selects a t-degree polynomialFi(x), and the corresponding sub-secret isFi(0)=Si.

Niuses the Commit algorithm to generate the commitmentCand broadcast it throughout the P2P network.

Forj∈[1,n],Nirespectively calculates a witnesswjand the sub-share:

and then sends 〈j,Fi(xj),wj〉to otherNiin the network through a trusted channel.

After receiving 〈j,Fi(xj),wj〉, eachNistarts to run the evaluation verification algorithm in the polynomial commitment.

After the verification is passed, all nodes accept the corresponding sub-secret, and use the Lagrange interpolation to restore the corresponding sub-secret.

3) Data storage stage

After PolyVSS is executed, the verified data is uploaded to the blockchain.The specific process is shown in Fig.3.

Figure 3: Data creation, distribution, verification and storage process based on PolyVSS protocol

4 The Proposed Verifiable Secret Sharing Scheme Based on Polynomial Commitment

In this section, we will first introduce the formal definition of VSS and some cryptographic assumptions.Then, the specific construction is given.We also conduct security and performance analysis of the scheme.

4.1 Preliminary

First of all, we give the formal definition of VSS scheme and several security features that it needs to satisfy.

Definition 2Verifiable secret share (VSS).A VSS scheme is divided into two phases:

Share phase: At the beginning of the phase, the Shareholder holds an inputs, and the corresponding share can be calculated usings.

Reconstruction phase: With anytshares, users can use Lagrangian interpolation formulas to reconstruct the secret value.

To facilitate the description of the application later, in the following text we will use node instead of Shareholder.Usually, a VSS scheme needs to satisfy two security features: Secrecy and Correctness.Below we give their definitions.

Definition 3Secrecy.The adversary cannot calculate the correct sharingsduring the share phase.

Definition 4Correctness.The reconstructed value should be equal to the shared secretsor every honest node will reach a result and accuse the node of maliciousness by outputting ⊥.

Some VSS schemes have introduced cryptographic commitment, such as Pedersen commitment with homomorphic characteristics.Cryptographic commitment generally consists of two phases:commit and open, which are respectively to commit and open the message.Polynomial commitment is also a kind of homomorphic commitment, which can be constructed based on discrete logarithm and Pedersen commitment.The polynomial commitment algorithm is based on the two traditional commitment algorithms, combined with the characteristics of the accumulator to add a verification algorithm.The existing research points of verifiable secret share scheme based on polynomial commitments are mainly in the scheme construction of asynchronous and synchronous models [25-27].

Here are a few cryptographic assumptions used for the security proof of our scheme.

Definition 5Discrete Logarithm Assumption (DLA).Given a groupG*of generating elementsg,G*=G, and a random numberϑ∈ZP, the probability thatgϑis computed byϑisϵκfor each adversary.

Definition 6Bilinear Pairing.LetG1,G2be the additive cyclic group of orderp,GTis the multiplicative group of the same order, ande:G1,G2→GTis expressed as a bilinear mapping.

AssumingM∈G1,N∈G2,α,β∈the bilinear pairs satisfy three properties:

(1) Bilinear:e(Mα,Nβ)=e(M,N)αβ;

(2) Non-degenerate: There existsMandNsatisfye(M,N)1;

(3) For anyMandN, there exists an efficient algorithm that allows the result ofe(M,N)to be derived in polynomial time (PPT).

4.2 The Proposed Scheme Based on Polynomial Commitment

Our scheme is an improvement on the (n, t, n) verifiable secret sharing scheme [13].In the(n, t, n) scheme, the firstnrepresentsnsub-shares,trepresents the threshold, the knowledge of the threshold cryptography is used here, and the lastnrepresents n participants.One advantage of such a scheme is that it does not require a trusted third party, which is not completely trusted.Scheme without a trusted third party can improve security.

On the basis of the previous scheme, polynomial commitment is introduced.Our scheme is divided into two phases: share phase and reconstruction phase.At the beginning of the scheme,the node runs the initial algorithm in the polynomial commitment, randomly selects a generatorg, a random numberα∈and then generates a public keypk=〈g,g,gα,...,gαt〉.

1) Share phase

Master secret generation algorithm: Each nodePiindependently chooses a sub-secretSi, the master secret can be expressed as=S1+...+Sn.

Verification algorithm: After receiving 〈j,Fi(xj),wj〉, eachPistarts to run the verify algorithm in the polynomial commitment.If the verification of a share holderPi′fails, other nodes will return an accusation message to opposePi′.If more thantnodes accusePi′, obviously,Pi′is wrong and disqualified.On the contrary,Pi′broadcasts the corresponding share and 〈i,Fi(x),wi〉to the accusing party.If the revealed share fails to be verified again, thenPi′is unqualified and the agreement ends, otherwise, eachPiacceptssij.

2) Reconstruction phase:

In the reconstruction phase, whent+1 shared holders pass the verification algorithm, eachPiinterpolation pair 〈i,Fi(x)〉to determineSi=Fi(0), and then calculates the master secretS.

4.3 Analysis of the Proposed PolyVSS Scheme

4.3.1 Security Analysis

First, we give the adversary model.We consider a networkP={P1,P2,...,Pn}composed ofnparticipants.Our adversaryΘis t-bounded and adaptive and can compromise and coordinate the actions of up totofnparties.It can damage any party under any circumstances during the execution of the protocol, as long as the amount of damage is bounded byt.

Theorem 1:The proposed VSS scheme based on polynomial commitment satisfies correctness and secrecy.

Proof: We will prove that our scheme satisfies the correctness and secrecy features.

Correctness.Compared with other VSS schemes, our scheme does not have dealers.That is to say, in our scheme, we do not need to consider whether the dealer is honest.Suppose that the node uses the polynomialF(x)to share a secretsand remains honest throughout the execution of the sharing phase.LetCbe the commitment sent to each node.Considering the strong correctness of the polynomial commitment, all honest nodes will get the correct share of the secretsconsistent withC.Suppose a malicious node is allowed to broadcast its triplet 〈i′,Fi′(x),wi′〉, but the final verified value is not equal.Since polynomial commitment is computational binding, only honest nodes can reconstruct the secret.

Secrecy.The secrecy of our scheme comes from the hiding feature of polynomial commitment.Regardless of whether the node is malicious or honest, it is difficult for an adversary to obtain secret-related information.Suppose there is a t-bounded adversaryΘ, which can obtaintmessages〈i,Fi(x),wi〉.Since polynomial commitment is constructed based on discrete logarithms, it has hiding features.Below we first prove hiding.

Suppose there is an algorithmEconstructed by adversary that can break the DLA.Let 〈g,gϑ〉as an instance of the discrete logarithm problem that algorithmEneeds to solve.AlgorithmErandomly chooses a numberϑ∈o generate a public keypk=〈G,g,gϑ,gϑ2,...,gϑn〉 to the adversaryΘ.AlgorithmEsets 〈τ,φ(τ)〉as the index of polynomialφ(x)at indexτ.Then supposeφ(0)=u, which is the answer to the DL instance, and usen+1 exponential evaluation to calculategφ(x), 〈0,gϑ〉and other selected pairs 〈τ,gφ(τ)〉.Finally,Ecalculates the testimony 〈τ,F(τ)〉:

And sendpkand witness tuple 〈τ,φ(τ),ωτ〉to the adversaryΘ.Once the adversaryΘreturns the polynomialφ(x),Ereturns the constant termφ(0)as the solution of the DLA instance.

It is easy to see that the success probability of solving the DLA instance is the same as the success probability ofΘ, and the time required is larger than the time required byΘby a small constant.That is, it is impossible to reconstruct the polynomialF(x)and the corresponding secret by only revealing suchtmessages.

4.3.2 PolyVSS Performance Analysis

This section compares the computational costs and functions of the six schemes in the four stages of parameter setting, reconstruction, verification, and recovery.

The polynomial commitment scheme given in Section 2.2 can only open and verify the evaluation of one index and is not suitable when multiple guidelines need to be opened.A batch polynomial commitment was proposed to open and verify the evaluation of multiple indexes.The batch polynomial commitment mainly modifies the verify phase.Let all the indexesτto be opened form a setW⊂Zp, that isτ∈W.Wsatisfies |W|＜t.Algorithm output triples〈W,r(x),ωW〉, whereωW=gfw(α)is the witness of all indexes.h(x)is expressed as the remainder of.fw(x)is expressed as:

Finally, the verifier verifies the correctness of the following equation:

With the aid of batch polynomial commitment, whennindexes need to be opened, the burden of witness calculation is reduced fromnto 1.

We compared the computational cost and functions of several VSS schemes [28-32].The specific comparison is shown in Tab.1, wherenrepresents how many operations are done, andtcan be represented as the number of nodes.The function comparison is shown in Tab.2.

5 Performance Analysis of Our Proposed Distributed Storage Scheme

5.1 Security Analysis

Denial of service (DoS) attack is a method used to disrupt legitimate users’access to the target network or website resources [33-35].Usually this is achieved by overloading a target with a large amount of traffic (usually a web server), or by sending malicious requests that cause the target resource to malfunction or completely collapse [36-41].

Table 1: Computational costs

Table 2: Function comparison

Blockchain will also suffer from DoS attacks.In the traditional blockchain, when a node is attacked, it needs to visit other nodes (because each node stores the entire ledger) to recover local data.In our scheme, when a node in the network is attacked, the node can use the reconstruction algorithm of the PolyVSS scheme to recover the corresponding data by accessing otherr+1 nodes.Therefore, our scheme can effectively deal with single point of failure.

Theorem 2:The proposed distributed storage scheme can reconstruct secret by accessing anyr+1 nodes.

Proof: Sincedeg(F)≤t, the polynomialF(x)can be interpolated by accessing anyr+1 nodes.

Below we analyze the cost of restoring communication.For convenience, we use DSB and LSS-DSB respectively to replace the name of the scheme in the paper [42-45].The data of the corresponding schemes are given in Tab.3.We use symbolsStorto represent recovery communication cost, and symbolsComto represent storage cost.

Table 3: Comparison of storage scheme

The core of our scheme is the secret sharing scheme, which is also an important tool to achieve recovery.The Shamir secret share used in DSB is one of the most classic schemes.Local secret share is based on Shamir secret share, introducing two new concepts: global secret and local secret.Among them, information as global secret is more important than a local secret.Global secrets are maintained by all users, while local secrets are maintained by individuals.Unlike their two schemes, our scheme does not have a central party, such as the dealer in the Shamir’s scheme.In addition, participants in our scheme will mutually verify the legality of share, thereby improving security.

Blockchain.Due to the characteristics of traditional blockchains, each node needs to store the entire ledger.When a single point of failure occurs, it is necessary to access all other nodes to restore all transaction data.AssumingBt∈Fτ,ψt∈Fp, whereFτ,Fpare two prime number domains, so the recovery communication cost is:

The symbol ∝means proportional.Once the size of the prime number field is determined,the storage cost of the blockchain is fixed.

DSB.Nodes need to visitr+1 other subsets of nodes to recover all data in DSB.Assumingso the recovery communication cost is:

γrepresents the additional cost of accessing other subsets and its value is fixed.Obviously, the recovery communication cost is related tor, and asrincreases, the communication recovery cost also increases.

LSS-DSB.The node can recover the entire data by accessing r subsets locally.Compared with DSB, no additional recovery communication cost is required.The recovery communication cost is:

Our scheme.In our scheme, the node also needs to accessr+1 other nodes to recover data.The recovery communication cost is:

Assumingp=2400,τ=240, the recovery communication cost is shown in Fig.4.Our scheme is superior to DSB in terms of communication cost, similar to LSS-DSB.

5.2 Storage Analysis

In this section, we will compare the storage cost of several schemes when storing a transaction.The data of the corresponding schemes are given in Tab.3, here is a brief analysis of several schemes.

Blockchain.In traditional blockchains based on Bitcoin, nodes usually store the entire transaction ledger.The storage overhead for each node of the blockchain to store a transaction is:

Figure 4: Comparison of recovery communication cost

DSB.Different from traditional blockchain, DSB uses coding technology to reduce storage overhead, but the node needs to store a private key.The storage overhead for each node of DSB to store a transaction is:

LSS-DSB.Local secret share (LSS) divides secrets into one global secret and many local secrets.The most important information will be treated as global secrets.The LSS-based DSB scheme can efficiently store private keys and hash values, which can further reduce storage overhead.The storage overhead for each node of LSS-DSB to store a transaction is:

Our scheme.In our scheme, the node does not need to store additional private keys.The storage overhead of each node storing a transaction is:

Assumingp=2400,τ=240andγ=200, the comparison of storage overhead is shown in Fig.5.From the figure, we can see that as the size of shard increases, the storage cost of the blockchain is constant, and our scheme becomes smaller and tends to be constant as the size of the shard increases.Compared with several other schemes, our scheme is the best.

Figure 5: Comparison of storage cost

6 Conclusion

Distributed storage is one of the important directions of future storage system development and blockchain provides solutions to the security and performance problems of distributed storage.This paper first uses polynomial commitment to improve verifiable secret share and constructs a new VSS scheme.Then use the new VSS scheme to construct a distributed storage mechanism based on blockchain.Compared with the previous scheme, the scheme proposed in this paper also achieves low storage cost, and is also superior to the DSB scheme in terms of recovery communication cost.Future research directions mainly include the following points: (1) Replace transaction and network with state sharding to further optimize storage cost; (2) Realize efficient communication across partitions.

Funding Statement:This work was supported by the National Natural Science Foundation of China under Grant 62072249, 61772280, 61772454, 62072056.J.Wang and Y.Ren received the grants, and the URL of the sponsors’website is http://www.nsfc.gov.cn/.This work was also supported by the Project of Transformation and Upgrading of Industries and Information Technologies of Jiangsu Province (No.JITC-1900AX2038/01).X.Yu received the grant, and the URL of the sponsors’website is http://gxt.jiangsu.gov.cn/.

Conflicts of Interest:The authors declare that they have no conflicts of interest to report regarding the present study.