Lucas-PoST: A Secure, Efficient, and Robust Proof of Storage-Time Protocol Based on Lucas Sequences

Abstract

Proof of Storage-Time (PoST) is the core verification mechanism for blockchain data storage, ensuring the integrity and continuous availability of data throughout the storage period. Although the current mainstream Compact Proofs of Storage-Time (cPoST) and Practical and Client-Friendly Proof of Storage-Time (ePoST) solutions have seen significant progress in engineering implementation, their security fundamentally relies on the algebraic structure assumptions underlying their verifiable delay function (VDF) components. In addition, if there are small-order elements that can be efficiently calculated in the underlying group structure, it will directly lead to the failure of the soundness properties of the VDF; thus, the entire PoST system will face systemic security risks. To address the above issues, we propose an innovative PoST protocol based on the modular Lucas sequence. By constructing a delay function through the modular Lucas sequence, the security condition is transferred from the strong security assumption to the weak security assumption, which enhances the security of the protocol: when the protocol encounters an algorithmic breakthrough that causes the modular square security assumption to fail, the soundness of the protocol can still be guaranteed. Secondly, we map all elements to the target $\lambda$-strong groups through homomorphic mapping technology, a domain input restriction mechanism, and a non-unique representation strategy of elements, effectively avoiding the security risks caused by small-order elements in the group structure. Compared with traditional protocols, our protocol achieves significant improvements in security and reliability, providing a more robust framework for decentralized storage and data verification.

1. Introduction

With the rapid development of blockchain technology [1,2], decentralized storage [3], as an important application branch, is gradually reshaping the data storage and management landscape.

For many industries that are highly dependent on data storage, such as medical care, finance, and scientific research [4], the integrity and continuous availability of data during the storage cycle are crucial in maintaining the normal operation of the business. However, under the traditional centralized storage model, there is a serious trust asymmetry problem between users and storage service providers: users find it difficult to effectively verify whether the service provider has truly fulfilled its storage commitment. When users outsource their data to the storage party, they generally have deep concerns about the availability and integrity of the data.

This is because the data may face risks such as loss, damage, or leakage due to system failures, operational errors, security vulnerabilities, or even malicious tampering by the storage provider. These potential risks not only cause great concern among users but also seriously hinder the widespread application and in-depth development of cloud storage services [5,6].

In order to effectively address this challenge and improve the security and reliability of cloud storage systems, academia and industry have been constantly exploring, and various innovative technologies and solutions have emerged [7]. The introduction of Proof of Data Possession (PDP) [8] and Proof of Retrievability (PoR) [9] has opened up new research directions in the field of data storage security [10]. These two theoretical methods provide data owners with complementary mechanisms to ensure data integrity and availability. PDP allows clients to efficiently verify data possession without full download. Building on this foundation, PoRs incorporate erasure-coding techniques such as Reed–Solomon codes to enable robust recovery from partial data damage—allowing full reconstruction from surviving fragments and thus directly addressing physical corruption risks. Importantly, as demonstrated in distributed storage systems [11], the value of erasure coding extends beyond mere damage recovery to fundamentally enhance the overall storage reliability. By strategically dispersing data fragments across geographic locations, it mitigates correlated failures while allowing tunable redundancy levels that balance robustness against the storage overhead. Furthermore, these techniques provide probabilistic guarantees against data loss even in adversarial environments with Byzantine node behaviors. Critically, though, both mechanisms remain constrained by the interactive verification model: data owners can only audit availability during active challenges, and they lack insights into storage continuity between interactions. This fundamental limitation means that providers could temporarily discard data after verification and restore them before the next audit, undermining true continuous availability guarantees. Consequently, even with robust damage recovery mechanisms, the storage model’s inherent trust asymmetry persists: during interactions, owners can verify integrity, yet, during inter-audit intervals, they cannot determine if providers continuously maintain data availability.

The limitations of this interaction model mean that data owners always face uncertainty regarding data security risks when outsourcing data; thus, it is difficult to establish full trust in the storage party. To solve this problem, Ateniese et al. [12] introduced PoST. This cryptographic protocol enables verifiers to confirm that a storage server has continuously reserved designated space for client data throughout an agreed duration, guaranteeing persistent data accessibility.

In the actual application of PoST, cPoST, and ePoST [13] are two storage proof mechanisms that have attracted much attention. cPoST uses a trap-gate VDF [14] and carefully designs the challenge response process to ensure the continuous availability of data to a certain extent, and ePoST further optimizes the design based on cPoST, realizes the characteristics of client-friendly, publicly verifiable, and stateless operation, and makes the storage proof protocol more practical. These mechanisms play a key role in decentralized storage networks. For example, in platforms such as Filecoin [15], they are used to verify whether storage nodes actually fulfill their data storage obligations. Although existing PoST protocols, such as cPoST and ePoST, have seen progress in theoretical research and practical applications, their security is highly dependent on the soundness of the VDF component.

As a unique cryptographic primitive, the VDF has the characteristics of providing efficient verification capabilities while ensuring a computational delay. Specifically, it takes a certain amount of time (i.e., delay) to calculate the output of the VDF, while verifying the correctness of the computational result can be completed efficiently. This feature means that it is widely used in the PoST protocol, which prevents storage providers from quickly generating proofs through parallel computing [16] and ensures that the proof generation process is carried out in sequence. However, the soundness of the VDF [17] depends on the security of its underlying mathematical structure. If there are vulnerabilities in the implementation of the VDF or its mathematical assumptions are violated, the security of the entire PoST protocol will be seriously affected. In particular, when the VDF used has easily found small-order elements in the relevant group [18], its soundness may be easily destroyed, thus affecting the security of the entire PoST. The latest research shows that Filecoin has achieved privacy enhancement and scalability optimization in IPFS decentralized storage by integrating zk-SNARKs and smart contracts [19]. However, its underlying architecture still relies on the iterated modular squaring assumption, which exposes the system to systemic risks when facing potential algorithmic breakthroughs. These risks stem from three fundamental vulnerabilities inherent to algebraic assumption-dependent designs: structural fragility emerges when algorithmic breakthroughs compromise modular squaring assumptions, catastrophically collapsing VDF soundness, as shown in quantum computing studies; simultaneously, the presence of efficiently computable small-order elements in group structures enables forgery attacks by reducing discrete logarithm complexity, while ePoST’s trusted third-party initialization introduces centralization risks that may bypass verification. Collectively, these vulnerabilities expose decentralized storage networks to systemic failures, including forged proof injections and data integrity bypass.

Overview of Our Construction

Existing cPoST/ePoST protocols face systemic security risks due to their reliance on modular squaring assumptions and vulnerability to small-order elements. To address these limitations, we propose Lucas-PoST: a novel four-layer protocol that replaces iterative modular squaring with Lucas sequences for delay functions, constructs $\lambda$-strong groups (Definition 1) using specially generated $(\lambda ,a)$-strong primes (Definition 2) to eliminate small-order threats, and maintains efficiency through batched zk-SNARK proofs. This approach fundamentally redefines the security foundation of PoST protocols.

Research Objectives. Building on this framework, we establish three measurable objectives:

(1)

Security Foundation Shift: To formally prove that Lucas sequence irreducibility provides soundness even when modular squaring assumptions fail.

(2)

Small-Order Threat Elimination: To demonstrate how $\lambda$-strong groups prevent attacks from efficiently computable small-order elements.

(3)

Practical Deployment Guarantee: To achieve sub-30ms verification latency with sublinear overhead growth under data scaling.

Paper Structure. This paper is organized as follows: Section 2 reviews the related work on Proof of Storage (PoS) and PoST, highlighting the security risks in existing cPoST/ePoST protocols; Section 3 proposes the Lucas-PoST protocol, including its architecture, mechanism, and security analysis; and Section 4 presents the implementation details and experimental evaluation. Finally, Section 5 discusses the security advantages and practical challenges of the Lucas-PoST protocol, followed by the conclusions in Section 6.

2. Related Work

2.1. Proof of Storage

The need to verify the integrity of cloud-outsourced data has driven the development of numerous verification mechanisms [20]. These solutions are broadly categorized into two approaches: PDP [21,22], delivering probabilistic assurances of data integrity, and PoR [23,24], which leverages erasure coding to enforce robust data recovery guarantees. For both PDP [8] and PoR [9], clients first generate the necessary security metadata during an initial setup phase. These metadata are then uploaded alongside the actual data to the untrusted cloud server. Following this, clients conduct repeated verification challenges to confirm that the server maintains the complete dataset. Consistent success in these challenges provides strong probabilistic evidence that client data integrity remains intact. Beyond these core methods, researchers have developed alternative protocols [25] incorporating distinct cryptographic approaches [26] or offering enhanced capabilities [27]. Building on the homomorphic identity protocol, Ateniese et al. [28] pioneered a cryptographic technique for the construction of a public key-based homomorphic linear authenticator (HLA) [29], which constitutes a novel publicly verifiable PoS framework. This innovative approach exhibits three interrelated advantages: seamless support for static datasets, a constant communication overhead regardless of the data volume, and the ability to perform unlimited audits without performance degradation.

However, in the existing interaction model, the data owner’s verification of data availability is highly dependent on the real-time interaction process with the storage party. During the interaction, the data owner can check the integrity and availability of the data based on the established verification mechanism, but, in the intervals between interactions, the data owner lacks effective means to monitor the behavior of the storage party and cannot determine whether the storage party continuously and stably maintains the integrity and availability of the data [30]. The limitations of this interactive model mean that data owners always face uncertainty about data security risks when outsourcing data, making it difficult for them to establish full trust in the storage party.

2.2. Proof of Storage-Time

To solve this problem, Ateniese et al. [12] proposed the concept of PoST. PoST is a mechanism for verifying that data are continuously stored within a specific period of time. It aims to ensure that the data storer always maintains the integrity and availability of the data during the storage period, rather than just proving that the data are stored at a certain moment. The earliest PoST protocol was proposed by Ateniese et al., and its core idea is to prove the continuous storage of data through a time delay function (VDF) [31]. The VDF is a unique computational function whose design goal is to ensure that the computation process is difficult to parallelize, so that the generation of the proof must be delayed for a certain period of time. This time delay mechanism can effectively prevent malicious nodes from deceiving the system by quickly generating proofs and ensure that the proof generation process matches the actual storage time of the data.

Current PoST protocols are mainly divided into two categories: cPoST and ePoST. The core goal of the cPoST protocol is to reduce the communication overhead and verification cost by compressing the size of the proof. In traditional PoST protocols, the size of the proof is usually linearly related to the storage time, which leads to a significant increase in the amount of communication and the computing resources required for verification as the storage time increases. cPoST introduces an optimization mechanism to compress the size of the proof to a fixed size, thereby significantly reducing the communication overhead and verification time.

However, the security of cPoST relies on the difficulty assumption of iterated modular squaring. Iterated modular squaring is a classic computational problem whose security assumption is based on the computational complexity of modular squaring operations. Although cPoST has seen significant progress in engineering implementation, its security foundation essentially relies on algebraic structure assumptions and it has potential security risks. If the underlying algebraic structure is destroyed or a new algorithmic breakthrough occurs, the difficulty assumption of iterative modular squaring may fail, causing the entire PoST system to face systemic security risks.

The ePoST solution improves the practicality and user experience of the system by optimizing client friendliness. The design of ePoST focuses on reducing the computational burden and number of interactions of the client, making the verification process more efficient and flexible. ePoST significantly reduces the demand for high-performance hardware by dividing the storage cycle into multiple batches and using zero-knowledge proof [32] technology to generate batch proofs. In addition, ePoST also achieves public verifiability, transparency, and statelessness through verifiable computation (VC) [33], making the verification process more flexible. However, the security of ePoST also relies on the difficulty assumption of iterative modular squaring. Although ePoST has seen significant progress in engineering implementation, its security foundation essentially relies on algebraic structure assumptions, which poses potential security risks. In addition, the VDF configuration of ePoST needs to rely on a trusted third party to ensure the security of its setup, which may introduce additional trust assumptions and security vulnerabilities.

In summary, although cPoST and ePoST have achieved significant progress in engineering implementation, their security relies on the difficulty assumption of iterated modular squares, which causes them to carry systemic security risks in the face of potential algorithmic breakthroughs. Therefore, researchers have been exploring safer and more efficient PoST solutions to cope with possible security challenges in the future.

3. Proposed Lucas-PoST Protocol

3.1. Background and Definitions

3.1.1. Proof of Storage

PoS [34] is a protocol that allows clients to verify whether a storage service provider actually stores their data [35]. PoS usually includes the following four algorithms:

• $PoS.KeyGen\left(\lambda \right)$: Generates a public and private key pair.
• $PoS.Store(pk,sk,F)$: Encodes the file F into a storage format and generate the corresponding metadata.
• $PoS.Prove(pk,M,T,c)$: Generates proof that the storage node does store the file.
• $PoS.Verify\left(\right(pk,sk),c,\pi )$: Verifies the validity of the proof.

PoS should satisfy integrity and knowledge reliability. Integrity requires that legally generated proofs can always be verified, while knowledge reliability requires that any storage node that can generate a valid proof must actually store the file.

3.1.2. Verifiable Delay Function

A VDF [36] is a function that is computationally difficult to parallelize. Its core feature is to ensure that the output of the function can only be generated after a certain time delay and that the output can be quickly verified. The VDF plays a vital role in the PoSt protocol. By introducing computational delays, the VDF can prevent storage providers from quickly generating proofs through parallel computing, thereby ensuring the order of proof generation. VDFs usually consist of three algorithms:

• $\mathrm{Setup}(\lambda ,\mathrm{T})$: Generates the public and private keys of the VDF, where $\lambda$ is the security parameter and T is the time parameter.
• $\mathrm{Eval}(\mathrm{pk},\mathrm{x})$: Generates the output y of the VDF given the public key $pk$ and the input x.
• $\mathrm{Verify}(\mathrm{pk},\mathrm{x},\mathrm{y},\pi )$: Verifies whether the output y is generated by the $Eval$ algorithm, where $\pi$ is the verification proof.

The security of the VDF relies on the difficulty assumption of its underlying mathematical structure, such as the difficulty assumption of iterated modular squaring. However, this assumption may fail in the case of algorithmic breakthroughs or quantum computing.

3.1.3. Verifiable Computation

Verifiable computation (VC) [37] enables clients to delegate computational workloads to untrusted executors while obtaining cryptographic assurance of result correctness. A VC protocol comprises three polynomial-time algorithms:

• $VC.Setup(\lambda ,R)$: Outputs a prover key $ek$ and verifier key $vk$.
• $VC.Prove(ek,u,w)$: Produces a proof $\pi$ attesting to correct execution.
• $VC.Verify(vk,u,\pi )$: Validates the proof against input u.

VC must satisfy two fundamental properties:

(1)

Completeness: Valid proofs generated by $VC.Prove$ always pass verification.

(2)

Soundness: No adversary can forge accepting proofs for incorrect outputs.

3.1.4. Modular Lucas Sequences

Modular Lucas sequences [38] are sequences based on linear recursion and have sequence hardness properties similar to iterated modular squares. The security of modular Lucas sequences relies on the irreducibility of their linear recursive structure. Even when the modular square hardness assumption fails due to algorithmic breakthroughs, the sequence hardness of modular Lucas sequences can still be maintained. The definition of modular Lucas sequences is as follows. Given two initial values P and Q, modular Lucas sequences $u_n$ and $v_n$ satisfy the following recursion relation:

$$u_n=P·u_{n-1}-Q·u_{n-2}modN$$

(1)

$$v_n=P·v_{n-1}-Q·v_{n-2}modN$$

(2)

where N is a large integer, usually the product of two large prime numbers. The irreducibility of the modular Lucas sequence enables it to maintain high security in the face of algorithm breakthroughs, so we introduce it into the PoSt protocol and construct a new delay function.

3.2. Algebraic Foundation and Security Definitions

3.2.1. Definition of Algebraic Structures

The following definitions of $\lambda$-strong groups, $(\lambda ,a)$-strong primes, and related algebraic constructs (Definitions 3 and 4) are directly adopted from Hoffmann et al. [39], who first formalized these concepts for Lucas sequence-based cryptography. We utilize these established structures as the foundation for our security proofs.

Definition 1.

A non-trivial group $\mathbb{G}$ is termed λ-strong (for $\lambda \in \mathbb{N}$) if every non-trivial subgroup has order exceeding $2^{\lambda }$.

Definition 2.

For $p\in \mathbb{P}$ and $\lambda ,a\in \mathbb{N}$ with $\lambda >a$, p is $(\lambda ,a)$-strong if $\exists b\in \mathbb{N}\mathit{with}b>1$ satisfying $p^2-1=ab\wedge (\forall q\mid b,q>2^{\lambda })$.

Definition 3.

Consider an Abelian group $\mathbb{G}$ and integer $a\ge 1$. The multiplicative subgroup of a-th powers is defined as $G\left(a\right):=\{x^a\mid x\in \mathbb{G}\}$, while the additive subgroup of a-multiples is given by $a\mathbb{G}:=\{ax\mid x\in \mathbb{G}\}$.

Definition 4.

For any $m\in \mathbb{N}$ and polynomial $f\left(x\right)\in {\mathbb{Z}}_m\left[x\right]$, denote by $(m,f(x\left)\right)$ the ideal generated by the element m and the polynomial $f\left(x\right)$ in the ring $\mathbb{Z}\left[x\right]$. Then, the quotient ring $\mathbb{Z}\left[x\right]/(m,f(x\left)\right)$ is denoted as ${\mathbb{Z}}_{m,f}$.

3.2.2. Cryptographic Strength Validation

$\lambda$-Strong groups and $(\lambda ,a)$-strong primes satisfy the following security properties:

(1)

The definition of $\lambda$-strong groups ensures that all non-trivial subgroups have an order exceeding $2^{\lambda }$. This implies that solving the discrete logarithm problem requires $\Omega \left(2^{\lambda /2}\right)$ operations against generic algorithms such as Pollard’s rho.

(2)

The structure of $(\lambda ,a)$-strong primes guarantees that all prime factors of b (where $p^2-1=ab$) exceed $2^{\lambda }$, ensuring that factorization attacks require $\Omega \left(2^{\lambda }\right)$ operations.

All references to “cryptographically strong” in this work strictly mean the following:

• For groups, $\lambda$-strong with $\Omega \left(2^{\lambda /2}\right)$ attack complexity (Cor.1);
• For primes, $(\lambda ,a)$-strong with $\Omega \left(2^{\lambda }\right)$ factorization resistance.

3.2.3. Security Assumptions

We formalize the cryptographic assumptions on which the soundness of Lucas-PoST rests.

Assumption 1

(Lucas-Sequence Irreducibility, LSI). For security parameter λ, let $N=pq$ be an n-bit modulus generated from two $(\lambda ,·)$-strong primes, and let $P,Q\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$. There exists no PPT adversary $\mathcal{A}$ such that

$$Pr\left[\mathcal{A}(N,P,Q,T)=u_{T}modN\right]\ge \mathsf{negl}\left(\lambda \right),$$

where $u_n$ is the Lucas sequence defined by $u_0=2$, $u_1=P$, and $u_k=P·u_{k-1}-Q·u_{k-2}modN$ for $k\ge 2$.

Assumption 2

($\lambda$-Strong Subgroup Decision, $\lambda$-SG). Let $\mathbb{G}$ be a λ-strong group (Definition 1). For any PPT distinguisher $\mathcal{D}$,

$$\left|Pr\left[\mathcal{D}(g,g^a)=1\right]-Pr\left[\mathcal{D}(g,h)=1\right]\right|\le \mathsf{negl}\left(\lambda \right),$$

where $g,h\stackrel{\$}{\leftarrow }\mathbb{G}$ and $a\stackrel{\$}{\leftarrow }{\mathbb{Z}}_{\left|\mathbb{G}\right|}$.

3.3. Construction of Our Proposed Lucas-PoST Protocol

This section presents our Lucas-PoST protocol, which employs a novel four-layer architecture to fundamentally enhance cryptographic strength. By replacing iterative modular squaring with Lucas sequences in the cyclic function layer, compressing proofs via Merkle trees, enabling efficient verification through zk-SNARKs, and ensuring constant-size proofs via aggregation, it systematically addresses the security limitations of existing cPoST/ePoST protocols. The following subsections detail this protocol.

3.3.1. Overview of the Protocol

Lucas-PoST as a whole consists of four layers, as shown in Figure 1, namely the cyclic function layer, the Merkle tree layer, the verifiable calculation layer, and the aggregation layer.

The loop function layer consists of Lucas-VDF and PoS, and its core mechanism is to generate storage proofs through chain dependencies. Specifically, each PoS proof depends on the result of the previous Lucas-VDF, thus forming a strict chain dependency. In each cycle, the input challenge $c_i$ passes through a Lucas-VDF and a PoS and then generates an output challenge $c_{i+1}$. Several cycles will form a batch. The loop function layer will continuously generate Lucas-VDF and PoS proofs $(u,v)$, as well as challenges c. Subsequently, the challenge set $\left\{c\right\}$ is sent to the Merkle tree layer, and the Lucas-VDF and PoS proofs $(u,v)$ are sent to the verifiable computing layer.

The Merkle tree layer is responsible for compressing the challenge set $\left\{c\right\}$ of the loop function layer. The Merkle tree is constructed through the challenge set $\left\{c\right\}$. The root of the tree is output to the aggregation layer, and the Merkle tree is output to the verifiable computing layer.

The verifiable computation layer accepts the proof $(u,v)$ from Lucas-VDF and PoS in the loop function layer and the Merkle tree transmitted from the Merkle tree layer. In batches, the proof $(u,v)$ and the Merkle tree are verifiably computed to generate a verifiable computation proof ${\pi }_{VC}$.

The aggregation layer is the last layer of the system and aggregates multiple batches of tree root sets $\left\{root\right\}$ and verifiable computational proof sets $\left\{{\pi }_{VC}\right\}$ into aggregated proofs of a fixed size, achieving a transition in verification efficiency from single-batch verification to batch proofs.

3.3.2. Challenges and Solutions

We have carefully designed solutions to address the following challenges.

(1)

Improve system security: In the ePoST protocol, the delay function in the simple VDF used is constructed by iterative modular squaring. Iterative modular squaring is a common construction method in many current VDF implementations. It repeatedly performs square operations under a large prime modulus to ensure the time delay of the calculation and generate a verifiable output after a given time. However, the security of this iterative modular squaring method is based on its computational difficulty. Moreover, accelerating iterative modular squaring through non-universal algorithms will weaken the security of these VDFs, thereby affecting the reliability and trust of the entire system. Our Lucas-PoST protocol uses the Lucas sequence to ensure that, even if non-universal algorithms can break iterative modular squaring, the security of the system can be guaranteed.

(2)

Solving small-order elements: If there are small-order elements in the group that are easy to find, the reliability of the cryptographic system based on the group may be threatened. This is because the existence of small-order elements may make certain computational problems easier to solve, thereby reducing the security of the system. Our protocol maps all elements to the target $\lambda$-strong groups through homomorphic mapping. However, since the mapping is not injective, restrictions need to be placed on the input of the domain. In addition, the only way to verify whether a certain x belongs to a high-order domain is to find the a-th root of x and raise it to the a-th power. Therefore, we introduce a non-unique representation of domain elements.

3.3.3. Protocol Description

Below is the construction of the Lucas-PoST protocol, which is composed of five algorithms: $(KeyGen,Store,V_{\mathit{challenge}},\mathcal{P},\mathit{V})$.

• PoST.KeyGen($1^{\lambda }$, $1^n$, T): First, execute PoS.KeyGen($\lambda$) to generate the proof-of-storage key pair $(p{k}_{PoS},s{k}_{PoS})$. Then, compute the VDF public key $p{k}_{vdf}$ via VDF.Setup($1^{\lambda }$, $1^n$, T), which involves generating two n-bit strong primes, a $(\lambda ,a_p)$-strong prime p and $(\lambda ,a_q)$-strong prime q, using a certified prime generator with inputs ($1^{\lambda }$, $1^n$). Construct the modulus $N=p·q$ and select a cryptographic hash function $H_{hash}:\mathbb{Z}\times {\mathbb{Z}}_N^3\to {\mathbb{Z}}_2^{\lambda }$. The VDF public key is then formed as $p{k}_{vdf}:=(N,a:=\mathrm{lcm}(a_p,a_q),H_{hash})$. Finally, define the Lucas-PoST public key as the pair $(p{k}_{PoS},p{k}_{vdf})$ and retain $s{k}_{PoS}$ as the protocol’s private key.
• PoST.Store(pk, sk, F): Invoke PoS.Store($p{k}_{PoS}$, $s{k}_{PoS}$, F) to generate a file $\mathcal{M}=\left\{m_i\right\}$ composed of data blocks and its corresponding tags $\mathcal{J}=\left\{ta{g}_i\right\}$. Output the encoded file $\mathcal{M}$ and its corresponding tags $\mathcal{J}$.
• $PoST.V_{challenge}(pk,\mathcal{J},N,T)$: Uniformly sample $P\leftarrow {\mathbb{Z}}_N$, $Q\leftarrow {\mathbb{Z}}_N$ and construct $D:=P^2-4Q$, $z^2=D$, $x:={\displaystyle \frac{P+z}{2}}$ to build the initial challenge $c_0=x$.
• PoST.$\mathcal{P}$($pk$, $\mathcal{M}$, $\mathcal{J}$, c): The proof algorithm PoST.$\mathcal{P}$ is composed of the Eval, VC, and Agg subalgorithms. In the Eval subalgorithm, according to Algorithm 1, execute the CyclelFn loop algorithm, continuously perform VDF and PoS challenges on the challenged data blocks, and continuously generate VDF proofs and PoS proofs. When invoking LucasVDF.Eval, an additional hash function is required to construct the challenge, controlling the output as the format of the challenge in $PoST.V_{challenge}$. In the VC subalgorithm, compress the challenge and proof into a VC proof. The Agg subalgorithm aggregates all VC proofs to generate the final combined proof.

  (1)

  $PoST.{\mathcal{P}}_{Eval}(pk,\mathcal{M},\mathcal{T},c)\to \left\{(c_i,({\pi }_{VDF}^i,{\pi }_{PoS}^i))\right\}$: In the Eval algorithm, run the CycleFn algorithm. In each round, given the challenge $c_i$, generate the corresponding VDF proof ${\pi }_{VDF}^i$ and PoS proves ${\pi }_{PoS}^i$. Output these challenges and their proofs.

  (2)

  $PoST.VC(pk,\mathcal{M},\mathcal{J},\{c_i,({\pi }_{VDF}^i,{\pi }_{PoS}^i)\},\mathcal{B})\to \left\{(r_j,\left\{{\pi }_{VC}\right\})\right\}$: In the VC algorithm, all proofs and challenges in Eval are divided into batches according to the $\mathcal{B}$-rounds CycleFn cycle, all challenges $(c_j,...,c_{j+\mathcal{B}})$ in the jth batch are Merkle-ized, and the root $r_j$ of the Merkle tree is output. Secondly, $VC.Prove(ek,{\mathrm{u}}_i,{\mathrm{w}}_i)$ is called to perform verifiable calculations on the challenges and proofs in the batch, where ${\mathrm{u}}_i=(imod\mathcal{B}),imod\mathcal{B}+1, r_j, {\mathrm{w}}_i=(c_i,({\pi }_{VDF}^i,{\pi }_{PoS}^i),c_{i+1},{\mathit{tree}}_j),i\in [j,j+\mathcal{B}]$, and finally outputs the VC proof π_VC of this batch.

  (3)

  $PoST.Agg(pk,\left\{{\pi }_{VC}\right\})$$\to {\pi }_{agg}$: By calling $Agg.Prove(e{k}_{agg},\overline{\mathrm{u}},\overline{\pi }),\overline{\mathrm{u}}=\{\mathrm{u}\},\overline{\pi }=\{{\pi }_{VC}\}$, all VC proofs π_VC are compressed to obtain the final aggregate proof π_agg.

• $PoST.V({\pi }_{agg},\left\{r_j\right\})$$\to \{0,1\}$: Here, the Agg.Verify algorithm is called to verify the correctness of the final ${\pi }_{agg}$. If the verification is successful, 1 is output; otherwise, 0 is output.

Algorithm 1: CycleFn: Iterative proof chaining and verification.

The proposed Lucas-PoST protocol achieves three critical cryptographic enhancements: it weakens security assumptions from modular squaring to Lucas sequence irreducibility, it eliminates small-order element risks through homomorphic mapping to $\lambda$-strong groups, and it maintains practical efficiency via optimized batch verification. Collectively, these innovations provide a robust foundation for decentralized storage verification, as formally analyzed next.

3.4. Security Analysis of the Proposed Protocol

Building on the protocol design from the previous section, this section formally validates its security properties with a focus on three core aspects: resistance to algorithm breakthrough attacks via Lucas sequence irreducibility, $\delta$-continuous knowledge soundness under a random oracle model, and comparative robustness against cPoST/ePoST vulnerabilities. The proofs establish quantifiable security guarantees for each architectural layer.

Theorem 1.

Let p be a $(\lambda ,a)$-strong prime according to Definition 2. For any quadratic polynomial $f\left(x\right)\in {\mathbb{Z}}_p\left[x\right]$, the subgroup ${\left({\mathbb{Z}}_{p,f}^{*}\right)}^{\left(a\right)}$ is $(\lambda ,a)$-strong.

Proof. 

By the $(\lambda ,a)$-strong prime definition, there exists $b\in \mathbb{N}$ with all prime divisors exceeding $2^{\lambda }$, satisfying $p^2-1=ab$. Let $b^{-}:=gcd(p-1,b)$, a proper divisor of b.

• When $\left({\displaystyle \frac{D}{p}}\right)=-1$, $f\left(x\right)$ becomes irreducible over ${\mathbb{Z}}_p$, endowing ${\mathbb{Z}}_{p,f}$ with a field structure of cardinality $p^2$. Being a finite field, ${\mathbb{Z}}_{p,f}^{*}$ constitutes a cyclic group of order $p^2-1$.
• When $\left({\displaystyle \frac{D}{p}}\right)=0$, the vanishing discriminant $D=0$ implies that f has a double root $\alpha \in {\mathbb{Z}}_p$, thus factoring as $\beta {(x-\alpha )}^2$ for some $\beta \in {\mathbb{Z}}_p^{*}$. This factorization induces a ring isomorphism ${\mathbb{Z}}_{p,\beta {(x-\alpha )}^2}\simeq {\mathbb{Z}}_{p,x^2}$, allowing structural reduction to ${\mathbb{Z}}_{p,x^2}$.
  To establish this isomorphism, we define the mapping $\psi$ as

  $$\psi :{\mathbb{Z}}_p^{*}(·)\times {\mathbb{Z}}_p(+)\to {\mathbb{Z}}_{p,x^2}^{*}(·)$$

  (3)

  $$\psi :(a,e)\mapsto a·{(1+x)}^e$$

  (4)
  First, observe that any element $a+cx\in {\mathbb{Z}}_{p,x^2}$ is invertible precisely when $a\ne 0$, with explicit inverse $a^{-1}-a^{-2}cx$. Selecting $e=a^{-1}c$ yields the following congruence:

  $$\psi (a,e)=a{(1+x)}^e\equiv a(1+ex)\equiv a(1+a^{-1}cx)\equiv a+cxmod(p,x^2).$$

  (5)
  This establishes $\psi$ as a surjective map. Moreover, the cardinality equality

  $$|{\mathbb{Z}}_{p,x^2}^{*}(·)|=p^2-p=(p-1)·p=|{\mathbb{Z}}_p^{*}(·)\times {\mathbb{Z}}_p(+)|.$$

  (6)

  implies that $\psi$ is bijective. Finally, the homomorphic property follows directly from

  $$\psi (a_1,e_1)·\psi (a_2,e_2)=a_1{a}_2{(1+x)}^{e_1+e_2}=\psi (a_1{a}_2,e_1+e_2).$$

  (7)

  confirming that $\psi$ is a homomorphic mapping.
• For the case $\left({\displaystyle \frac{D}{p}}\right)=1$, $f\left(x\right)$ possesses two distinct roots ${\beta }_1,{\beta }_2\in {\mathbb{Z}}_p$. This gives rise to the ring isomorphism

  $$\psi :{\mathbb{Z}}_p\left[x\right]/\left(f\left(x\right)\right)\to {\mathbb{Z}}_p\times {\mathbb{Z}}_p$$

  (8)

  $$\psi :g\left(x\right)+\left(f\left(x\right)\right)\mapsto (g\left({\beta }_1\right),g\left({\beta }_2\right))$$

  (9)

  and

  $${({\mathbb{Z}}_p\times {\mathbb{Z}}_p)}^{*}\simeq {\mathbb{Z}}_p^{*}\simeq {\mathbb{Z}}_{p-1}(+)\times {\mathbb{Z}}_{p-1}(+)$$

  (10)
  Considering the factorization $(p-1)(p+1)=ab$ from Definition 2, all divisors of $p-1$ must divide the product $ab$. By the $gcd(a,b)=1$ condition in Definition 2, each divisor of $p-1$ divides exclusively either a or b. Eliminating all common factors shared by $p-1$ and a yields the residual value $gcd(b,p-1)=b^{-}$, confirming that $(p-1)/gcd(a,p-1)=b^{-}$. This results in the group isomorphism $a{\mathbb{Z}}_{p-1}(+)\simeq {\mathbb{Z}}_b$.

  $${\left({\mathbb{Z}}_{p,f}^{*}\right)}^{\left(a\right)}\simeq \left\{\begin{array}{cc}a{\mathbb{Z}}_{p^2-1}(+)\simeq a{\mathbb{Z}}_{ab}(+)\simeq {\mathbb{Z}}_b(+)\hfill & \left({\displaystyle \frac{D}{p}}\right)=-1\hfill \\ a{\mathbb{Z}}_p(+)\times a{\mathbb{Z}}_{p-1}(+)\simeq {\mathbb{Z}}_p(+)\times {\mathbb{Z}}_{b^{-}}(+)\hfill & \left({\displaystyle \frac{D}{p}}\right)=0\hfill \\ a{\mathbb{Z}}_{p-1}(+)\times a{\mathbb{Z}}_{p-1}(+)\simeq {\mathbb{Z}}_{b^{-}}(+)\times {\mathbb{Z}}_{b^{-}}(+)\hfill & \left({\displaystyle \frac{D}{p}}\right)=1.\hfill \end{array}\right.$$

  (11)

□

Corollary 1

(Attack Complexity). For λ-strong groups, discrete logarithm attacks require $\Omega \left(2^{\lambda /2}\right)$ operations.

Theorem 2.

The completeness of the PoS, Lucas-VDF, VC, and Agg protocols implies the completeness of the Lucas-PoST construction.

Proof. 

All honestly generated proofs via the VC circuit (constructed from PoS and VDF components) are verifiable by $Post.V_{\mathrm{valid}}$ after aggregation. We first establish the completeness of CycleFn. Given the completeness of PoS.Verify, $H_{\mathrm{PoS}}$, $H_{\mathrm{VDF}}$, and VDF.Verify, coupled with the deterministic nature of hash functions, formally, for every honestly generated transcript $((l,l^{\prime },r),w)$, the relation R defined in the preceding paragraph contains $((l,l^{\prime },r),w)$, so CycleFn exhibits completeness.

Consider a relation R defined by pairs $(u,w)$ where

• $u=(l,l^{\prime },r)$;
• $w=(c,({\pi }_{\mathrm{VDF}},{\pi }_{\mathrm{Pos}}),c^{\prime },\mathrm{tree})$

subject to the following:

• $\mathrm{CycleFnVerify}(pk,c,({\pi }_{\mathrm{VDF}},{\pi }_{\mathrm{Pos}}))=1$;
• The hash of challenge c resides at leaf l;
• The hash of challenge $c^{\prime }$ occupies leaf $l^{\prime }$.

By the completeness of $\mathit{CycleFn}$ and the determinism of hash functions, any valid proof $\pi$ generated through $\mathit{CycleFn}$ with correctly constructed Merkle trees implies $(u_i,w_i)\in R$. Here, $u_i=(i\mathrm{mod}\mathcal{B},\left(i\mathrm{mod}\mathcal{B}\right)+1,r_j)$ and $w_i=(c_i,({\pi }_{VDF}^i,{\pi }_{Pos}^i),c_{i+1},{tree}_j)$. VC completeness ensures that proofs $\pi$ generated by $\mathit{VC}.\mathit{Prove}(ek,u_i,w_i)$ satisfy $\mathit{VC}.\mathit{Verify}(u,\pi )=1$. Define the aggregation relation $R_{\mathit{agg}}=(\overline{u},\overline{\pi })$ with $\overline{u}=\left\{u_i\right\}$, $\overline{\pi }=\left\{{\pi }_i\right\}$, where $\mathit{VC}.\mathit{Verify}(u_i,{\pi }_i)=1$. Consequently, $\left\{u_i\right\},\left\{w_i\right\}\in R_{\mathit{agg}}$. Aggregation completeness guarantees that honestly generated aggregation proofs are accepted by $\mathit{Agg}.\mathit{Verify}$. Therefore, Lucas-PoST proofs produced honestly will be validated by $\mathit{PoSt}.\mathit{Verify}$, establishing the completeness of Lucas-PoST. □

Theorem 3.

Our Lucas-PoSt protocol has δ-continuous knowledge reliability when the audit interval is $\delta \in [T,(1+ϵ\left)T\right]$, if the following conditions are met:

• Hash functions modeled as random oracles;
• Reliability of VC and Agg;
• Knowledge reliability of PoS;
• VDF has ϵ-evaluation time, continuity, and reliability;
• Compared to $VDF.Eval$, the time of $Pos.Prove$ and the execution time of the hash function are negligible.

Proof. 

As preliminary work, establishing the soundness of Lucas-VDF is essential. This follows directly from Theorem 1, combined with the Lucas-VDF parameterization in $Post.KeyGen$. Specifically, consider an n-bit prime p that is $(\lambda ,a_p)$-strong and an n-bit prime q that is $(\lambda ,a_q)$-strong. The modulus is constructed as $N=p·q$, while the parameter a is defined as the least common multiple $\mathrm{lcm}(a_p,a_q)$. Selecting coefficients $P,Q\in {\mathbb{Z}}_N$ defines the quadratic polynomial $f\left(x\right)=x^2-Px+Q$. Consequently, the group ${\left({\mathbb{Z}}_{N,f}^{*}\right)}^{\left(a\right)}$ constitutes a strong group.

Now, let $T\in \mathbb{N}$ and $x,\mu ,y\in {\left({\mathbb{Z}}_{N,f}^{*}\right)}^{\left(a\right)},r\in {\mathbb{Z}}_2^{\lambda }$ satisfy

$${\mu }^{r}y={\left(x^r\mu \right)}^{2^{{\displaystyle \frac{T}{2}}}}.$$

(12)

Since ${\left({\mathbb{Z}}_{N,f}^{*}\right)}^{\left(a\right)}$ constitutes a strong group, there exist primes $p_1,\dots ,p_m\in \mathbb{P}$ with $p_i>2^{\lambda }$ and exponents $k_1,\dots ,k_m\in \mathbb{N}$.

$${\left({\mathbb{Z}}_{N,f}^{*}\right)}^{\left(a\right)}\simeq {\mathbb{Z}}_{p_1}^{k_1}(+)\times \dots \times {\mathbb{Z}}_{p_m}^{k_m}(+)$$

(13)

At this point, we can decompose the formula ${\mu }^{r}y={\left(x^r\mu \right)}^{2^{{\displaystyle \frac{T}{2}}}}$ into

$$r{\mu }_j+y_j\equiv 2^{{\displaystyle \frac{T}{2}}}(r{x}_j+{\mu }_j)mod{p}_j^{k_j},j\in [1,m]$$

(14)

That is,

$$r({\mu }_j-2^{{\displaystyle \frac{T}{2}}}{x}_j)+y_j-2^{{\displaystyle \frac{T}{2}}}{\mu }_j\equiv 0mod{p}_j^{k_j},j\in [1,m]$$

(15)

If, for all j, there is $r({\mu }_j-2^{{\displaystyle \frac{T}{2}}}{x}_j)\equiv 0mod{p}_j^{k_j}$, $y_j-2^{{\displaystyle \frac{T}{2}}}{\mu }_j\equiv 0mod{p}_j^{k_j}$, then ${\mu }_j=2^{{\displaystyle \frac{T}{2}}}{x}_j$, $y_j=2^{{\displaystyle \frac{T}{2}}}{\mu }_j$, and we can deduce $y=x^{2^T}$. This conflicts with the previous assumption $y\ne x^{2^T}$. Therefore, there exists j such that $r({\mu }_j-2^{{\displaystyle \frac{T}{2}}}{x}_j)\not\equiv 0mod{p}_j^{k_j}$.

There exists $k<k_j$ such that $p_j^{k_j}$ divides $(2^{T/2}{x}_j-{\mu }_j)$ and

$$(2^{T/2}{x}_j-{\mu }_j)/p_j^k\not\equiv 0mod{p}_j$$

(16)

In addition, since $p_j^{k_j}$ can divide $(2^{T/2}{\mu }_j-y_j)$, we get

$$r\equiv -{\displaystyle \frac{(2^{T/2}{\mu }_j-y_j)}{p_j^{k_j}}}/{\displaystyle \frac{(2^{T/2}{x}_j-{\mu }_j)}{p_j^{k_j}}}mod{p}_j.$$

(17)

Using $2^{\lambda }<p_j$, we can deduce that $r\in {\mathbb{Z}}_{\lambda }$, so r is uniquely determined. From this, we can conclude that, when r is randomly selected from a uniform distribution, the probability that ${\mu }^{r}y={\left(x^r\mu \right)}^{2^{T/2}}$ satisfies is less than $1/2^{\lambda }$. Therefore, we can finally deduce that

$$Pr\left[y^{\prime }={\left(x^{\prime }\right)}^{2^{{\displaystyle \frac{T}{2}}}}\mid r\leftarrow {\mathbb{Z}}_{\lambda },x^{\prime }:=x^r\mu ,y^{\prime }:={\mu }^{r}y\right]\le {\displaystyle \frac{1}{2^{\lambda }}}.$$

(18)

During each protocol round, T undergoes reduction to $\lfloor T/2\rfloor$. This decremental process implies that the bipartite protocol requires at most $logT$ rounds to attain $T=1$.

When the verifier accepts the final-round tuple $((N,a),\left[x^{\prime \prime }\right],1,\left[y^{\prime \prime }\right])$, the equality $\left[y^{\prime \prime }\right]=\left[{\left[x^{\prime \prime }\right]}^2\right]$ necessarily holds. This final equality forces the initial inequality to collapse to equality in at least one intermediate bisection round. Given that the probability of such equality collapse in any single round is at most $1/2^{\lambda }$, the union bound over all $logT$ rounds establishes $(logT)/2^{\lambda }$ as the aggregate probability upper bound. Consequently, the probability that a PPT adversary breaks $\delta$-continuous knowledge soundness is bounded by $(logT)/2^{\lambda }=\mathsf{negl}\left(\lambda \right)$, satisfying the formal definition of $\delta$-continuous knowledge soundness. Notably, the transformation $x\mapsto x^2$ represents not mere iterative modular squaring but rather a simplification of the Lucas sequence recurrence $g(a,b)=(a^2+b^{2}D,2ab)$. Additionally, we constrain the Lucas-VDF verification domain from ${\mathbb{Z}}_{N,f}$ to the strong subgroup ${\left({\mathbb{Z}}_{N,f}\right)}^{\left(a\right)}$. Element x’s membership in this subgroup is verifiable solely by computing its a-th root and confirming $x={\left(x^{1/a}\right)}^a$. Since distinct elements $x_1,x_2\in {\mathbb{Z}}_{N,f}$ may satisfy $x_1^a=x_2^a$, we employ a non-unique representation protocol where $\left[x\right]$ denotes the equivalence class of $x^a$ (thus $\left[x_1\right]=\left[x_2\right]$ when $x_1^a=x_2^a$). Finally, order preservation must be established: Lucas-VDF inherits order security if the underlying RSW delay function satisfies it.

Assuming that there is an adversary $({\mathcal{A}}_0,{\mathcal{A}}_1)$ that can destroy the order of the Lucas sequence, we construct an adversary $(B_0,B_1)$ that attacks the order of RSW as follows.

• $B_0$ directly inherits the pre-computation capability of ${\mathcal{A}}_0$, i.e., $B_0:={\mathcal{A}}_0$.
• After receiving the input $(N,\mathrm{state},(x,T\left)\right)$, $B_1$ executes the following:

  (1)

  Randomly select $P\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, set $Q=x$ and calculate the discriminant $D=P^2-4Q$;

  (2)

  Call ${\mathcal{A}}_1(N,\mathrm{state},(P,D,T))$ to obtain the Lucas sequence output $(l{u}_T,l{v}_T)$;

  (3)

  Calculate $y=x^{2^T}modN$ as the RSW output.

Although Q in $B_1$ is taken from the multiplicative group ${\mathbb{Z}}_N^{*}$, and the standard VDF generator is sampled from ${\mathbb{Z}}_N$, the deviation of the parameter generation process can be ignored because the statistical distance between the distribution of D from the adversary’s perspective and the real environment satisfies $\Delta \le \mathrm{negl}\left(\lambda \right)$. Therefore, the probability that the adversary $(B_0,B_1)$ successfully destroys the RSW order is the same as the probability that $({\mathcal{A}}_0,{\mathcal{A}}_1)$ successfully destroys the Lucas order. This will directly violate the security constraints of the RSW assumption and cause a contradiction.

Secondly, we divide the $\delta$-continuous knowledge soundness proof of Lucas-Post into two parts. First, we prove that, in each $\delta$ time interval, the prover executes the $\mathit{CycleFn}$ function exactly once. Second, we prove that the $\mathit{CycleFn}$ function satisfies knowledge soundness and further deduce that Lucas-Post’s $\delta$-continuous knowledge soundness is constructed based on these two parts.

On the one hand, if $\mathit{CycleFnVerify}$ outputs 1, then the internal call $\mathit{VDF}.\mathit{Verify}$ must pass verification. According to the reliability of the VDF, it can be proven that the output u is generated by $\mathit{VDF}.\mathit{Eval}\left(H_{\mathit{PoS}}\left(v\right)\right)$ honest calculation.

The temporal characteristics and sequential nature of the VDF guarantee that the evaluation duration ${\delta }_{\mathit{VDF}}$ of $\mathit{VDF}.\mathit{Eval}$ adheres to $T\le {\delta }_{\mathrm{VDF}}\le (1+ϵ)T$. Given standard cryptographic assumptions, operations including $\mathit{PoS}.\mathit{Prove}$, $H_{\mathit{PoS}}$, and $H_{\mathit{VDF}}$ incur a negligible computational overhead. Consequently, the execution time of $\mathit{CycleFnEval}$ remains bounded within $[T,(1+ϵ\left)T\right]$. Moreover, modeling $H_{\mathrm{VDF}}$ as a random oracle implies that any probabilistic polynomial-time adversary $\mathcal{A}$ cannot precompute $c_{i+1}$ without querying $H_{\mathit{VDF}}$. Crucially, the dependency where u (output of $\mathit{VDF}.\mathit{Eval}$) serves as input for the $(i+1)$-th $\mathit{CycleFnEval}$ necessitates sequential execution after completing the i-th cycle. This chained dependency enforces the strict sequentiality of the loop function, with each iteration consuming between T and $(1+ϵ)T$ time units.

On the other hand, according to the knowledge soundness of $\mathit{PoS}$, if the adversary ${\mathcal{A}}_{\mathit{PoS}}$ can generate a valid proof $\pi$, then the knowledge extractor ${\epsilon }_{{\mathcal{A}}_{\mathit{PoS}}}$ can extract the response file through reversible non-black-box access. The knowledge extractor ${\epsilon }_{{\mathcal{A}}_{\mathit{CycleFn}}}$ for the cycle function $\mathit{CycleFn}$ is designed as follows. The extractor internally maintains two random oracles $H_{\mathit{PoS}}$ and $H_{\mathit{VDF}}$. Knowledge extraction is achieved by controlling the interaction process of the adversary ${\mathcal{A}}_{\mathit{CycleFn}}$. When ${\mathcal{A}}_{\mathit{CycleFn}}$ calls $H_{\mathit{VDF}}$, the output value c is captured directly. When ${\mathcal{A}}_{\mathit{CycleFn}}$ calls $H_{\mathit{PoS}}$, the extractor pauses its execution and backtracks to the state after the most recent $H_{\mathit{VDF}}$ query, and it then grants ${\epsilon }_{{\mathcal{A}}_{\mathit{PoS}}}$ full access: it can access all subprocesses between $H_{\mathit{VDF}}$ and $H_{\mathit{PoS}}$. ${\epsilon }_{{\mathcal{A}}_{\mathit{CycleFn}}}$ only needs to obtain the output of ${\mathcal{A}}_{\mathit{PoS}}$ to ensure the knowledge soundness of $\mathit{CycleFn}$. Building on the soundness guarantees of both VC and Agg, we conclude that, for any probabilistic polynomial-time adversary $\mathcal{A}$, the proof forgery probability remains negligible:

$$Pr\left[\begin{array}{c}Vc.Verify\left(\right)=1\wedge \\ (u,w)\notin R\end{array}|\begin{array}{c}(ek,vk)\leftarrow VC.Setup\left(\right),\hfill \\ (u,w,\pi )\leftarrow \mathcal{A}(ek,vk)\hfill \end{array}\right]=negl\left(\lambda \right)$$

(19)

Similarly, for the verification process of the aggregation protocol $\mathit{Agg}$, we also have $Pr[\mathit{Agg}.\mathit{Verify}\left(\right)=1\wedge (\overline{u},\overline{\pi })\notin R_{\mathit{agg}}]=\mathit{negl}\left(\lambda \right)$.

Based on the relationship $\mathit{R}$ and $R_{\mathit{agg}}$ defined in Theorem 2, if the proof ${\pi }_{\mathrm{agg}}$ generated by the adversary $\mathcal{A}$ is accepted by $\mathit{Agg}.\mathit{Verify}$, then $(\overline{u},\overline{\pi })\in R_{\mathit{agg}}$. Similarly, when $\mathit{VC}.\mathit{Verify}$ accepts ${\pi }_{\mathit{vc}}$, then $(u,w)\in R$ must be true. When both types of verification pass, the execution process of $\mathit{CycleFn}$ must strictly follow the protocol rules to ensure computational integrity.

Although the adversary $\mathcal{A}$ may try to construct a pseudo-node of the Merkle path, it cannot generate a complete valid path because the probability of valid guesses of the sibling nodes in the path is $\mathit{negl}\left(\lambda \right)$. Therefore, when ${\pi }_{\mathit{agg}}$ passes verification, the extractor ${\epsilon }_{{\mathcal{A}}_{\mathit{CycleFn}}}$ can successfully restore the original file in each $\mathit{CycleFn}$ iteration.   □

4. Implementation and Evaluation

4.1. Instantiations

Our implementation employs Groth’s zk-SNARK framework [40] to ensure data confidentiality and enable third-party verification. By integrating its aggregation capabilities, we extend the protocol’s proof compression functionality. Additionally, we adopt an RSA-based publicly verifiable partial data possession protocol, configuring a single data block per challenge round. This streamlined approach guarantees a linearly increasing misbehavior detection probability with the storage duration, achieving 99% malicious data alteration detection within approximately 480 rounds. To optimize the zero-knowledge proof efficiency, we incorporate the Poseidon hash function [41], which reduces R1CS constraints by 10–100 times compared to SHA-256. For 128-bit security, our parameterization specifies a 2048-bit RSA modulus, 128-bit outputs for both pseudo-random and hash functions, 1917-bit data blocks, and a batch size of 1024 operations.

In the zk-SNARK protocol, the Common Reference String (CRS) is a core public parameter that needs to be generated through a trusted setup to ensure its security. The generation process involves large-scale elliptic curve operations and polynomial commitments, which takes about 40 minutes in our solution, but, as a one-time offline operation, its overhead does not affect the real-time performance of subsequent proofs and verifications. It is worth noting that, when using the Groth protocol, the Common Reference String can be distributedly generated through multi-party computing, weakening the trust assumption to “there is at least one honest participant”, thereby significantly reducing the reliance on a single authority, which meets the anti-censorship requirements of decentralized systems. In addition, data owners can independently generate exclusive CRSs for specific file sets, completely eliminating the risk of third-party intervention.

zk-SNARK Framework Details. Our implementation employs the Groth16 zk-SNARK scheme instantiated on the BLS12-381 curve through a three-phase aggregation protocol. (1) Proof batching structures VC proofs $\left\{{\pi }_{VC}\right\}$ into a Merkle tree; (2) circuit processing computes the root via the Poseidon hash (three R1CS constraints per node) and signs it with BLS12-381 pairing (six constraints); (3) SNARK verification validates the root with a single 192-byte Groth16 proof. The verification circuit $C_{\mathrm{VC}}(u,w)$ integrates $\mathsf{MerkleVerify}$, $\mathsf{LucasVDF}.\mathsf{Verify}$, and $\mathsf{PoS}.\mathsf{Verify}$ through these R1CS constraints, reducing the per-block overhead to 2–5% of the SHA-256 requirements while maintaining a fixed proof size. The benchmarks conducted in Section 4.2 confirm the protocol’s logarithmic scaling and significant efficiency gain: aggregating 256 batches reduces the verification latency from a linear overhead to a near-constant 29 ms, achieving an order-of-magnitude reduction in verification time. The CRS is generated via a t-party MPC ceremony ($t\ge 6$), ensuring decentralized trust initialization.

Trusted Setup Analysis. Building on the MPC-based CRS generation described above, we formally evaluate the trusted setup from three perspectives.

(1)

Security: MPC-based CRS generation reduces trust to at least one honest participant among t parties. The compromise probability satisfies $Pr\left[\mathrm{CRS}\mathrm{compromised}\right]\le {\prod }_{i=1}^t{p}_i$, where $p_i=Pr\left[{\mathrm{party}}_i\mathrm{malicious}\right]$. This meets the decentralized requirements.

(2)

Overhead: The 40 min generation is a one-time cost amortized over subsequent verifications. The per-file overhead is $O(1/k)$ for k files sharing a CRS.

(3)

Practicality: The file-specific CRS eliminates third-party risks, while a public CRS (e.g., Filecoin’s) supports lightweight clients.

4.2. Performance and Evaluation

We implement the Lucas-PoST protocol in Rust based on the BLS12-381 curve [42], where mathematical operations are implemented using the rust-openssl library and zk-SNARK circuits are built using the Bellperson framework. For fairness verification, we reimplement the comparison protocols cPoST [12] and ePoST [13] using the same technology stack. All experiments are benchmarked on an 8-core 2.8 GHz Google Cloud N2 instance with a uniform computing resource configuration.

Figure 2 shows the time overhead of our storage algorithm compared with cPoST and ePoST. Since cPoST relies on trapdoors, data owners need to consume a lot of expensive computing resources, and the computing time overhead is linearly related to the storage period. As the storage period increases, the time required for a single verification interaction will also increase. The times of our protocol and ePoST only depend on the file size and do not change with the extension of the storage period, which makes our protocol more feasible for practical deployment.

The proof time overhead experiment comparing our protocol with ePoST under the same hardware environment and the same number of cycles is shown in Figure 3. The results show that, under different delay parameters, our protocol improves security while maintaining almost the same computational delay as in ePoST. This result shows that our protocol does not introduce an additional time overhead in strengthening security.

The verification time overhead experiment comparing the protocol with cPoST and ePoST is shown in Figure 4. The verification time of our protocol is stable at the order of 28 ms. Although there is an order-of-magnitude difference from the 3 ms benchmark of cPoST, it is still practical. Crucially, the verification latency remains stable regardless of the amount of data, with no significant correlation between the verification time and the number of blocks. The experimental results confirm that the verification time remains stable as the amount of stored data scales from thousands to tens of thousands of blocks. This shows that the verification process of our protocol performs well in terms of scalability and can effectively handle large-scale data without significantly increasing the verification overhead.

To isolate the performance benefit of our zk-SNARK aggregation layer, we measured the total verification latency with and without aggregation. Without aggregation, each individual proof must be verified sequentially, resulting in latency that scales linearly with the batch size. As

Table 1. Verification latency comparison with and without zk-SNARK aggregation.

Batch Size	Without Aggregation (ms)	With Aggregation (ms)	Reduction
16	47.2	28.5	39.6%
64	188.1	28.9	84.6%
256	752.4	29.1	96.1%

shows, enabling aggregation reduces this latency to a near-constant 29 ms, confirming the logarithmic scaling claimed in Section 4.1. This represents a 96.1% overhead reduction at 256 batches.

Examining the composition of the proof generation timelines across our experiments reveals a critical operational characteristic: Lucas-VDF computations consistently dominate the processing cycle, consuming 99.98% of the total time at T = 10 s with 10,000 data blocks. This overwhelming proportion leaves minimal overhead for auxiliary operations—PoS.Prove and hashing contribute less than 0.02% (approximately 1.9 ms per cycle), while Merkle tree updates account for similarly negligible residual latency (about 1.7 ms per batch). Such operational asymmetry directly validates the chained dependency structure’s efficacy in enforcing sequential execution bounded by VDF delays, thereby upholding the time-bound soundness condition established in Theorem 3. Consequently, this design inherently prevents effective parallelization attacks by adversaries, as any such attempt would be detected by the protocol’s sequential verification mechanism.

5. Discussion

The irreducibility of modular Lucas sequences fundamentally redefines the security foundation of PoST protocols. Unlike cPoST/ePoST, whose security collapses catastrophically if the modular squaring assumption is broken (e.g., by algorithmic breakthroughs), Lucas-PoST maintains robustness through the inherent complexity of linear recurrence relations—experimentally verified to impose no additional latency compared to conventional approaches. This breakthrough positions our protocol as the first backward-compatible security upgrade for decentralized storage networks.

The design of the protocol also addresses critical practical security concerns. The sequential chaining in CycleFn (Algorithm 1) establishes computation blocks with a deterministic duration, which eliminates data-dependent timing variations—a known side-channel vulnerability in modular squaring implementations. Concurrently, the Merkle tree commitment layer enables tamper detection through cryptographic bindings; any runtime manipulation would induce detectable root mismatches during batch verification. Furthermore, by constraining operations to $\lambda$-strong groups (Definition 1), the protocol resists small-order element exploitation, a common vector for fault injection attacks. Together, these layered protections extend the protocol’s resilience from theoretical foundations to practical deployment scenarios where implementation-level vulnerabilities could be exploited.

From an implementation perspective, the generation of certified $(\lambda ,a)$-strong primes requires specialized computational resources, contributing to an approximate 40-minute initialization phase due to the complexity of large-scale elliptic curve operations. While this one-time offline cost does not impact real-time protocol operation, optimizing this process could enhance the deployment flexibility. Future work will explore accelerated prime generation techniques to streamline this initialization while preserving the rigorous security guarantees established.

6. Conclusions

This work demonstrates that Lucas-PoST represents a transformative advancement in decentralized storage verification. Our contribution is threefold. Firstly, we pioneer the integration of modular Lucas sequences as delay functions, yielding the first PoST protocol that maintains cryptographic soundness even when modular squaring assumptions fail. Secondly, we introduce a novel triple-protection strategy—combining homomorphic mapping to $\lambda$-strong groups, domain input constraints, and non-unique representation—to provide mathematically proven resistance against small-order element attacks. Thirdly, we develop a four-layer architecture that achieves unprecedented practicality, with experimental validation confirming its stable verification latency under data scaling and computational efficiency on par with that of state-of-the-art solutions. By bridging theoretical security with real-world deployability, Lucas-PoST establishes a new pathway for trustworthy decentralized storage ecosystems.