Constructions from "Hard to Pebble Graphs"
• Optimal bounds: either $\Theta(N)$ space or $\Theta(N)$ time
• Non-interactive initialization phase, complicated
Stefan Dziembowski, Sebastian Faust, Vladimir Kolmogorov, Krzysztof Pietrzak: Proofs of Space. CRYPTO 2015
Inverting Random Functions
• Bounds (only) asymptotically optimal: $T \cdot S^k \ge N^k$ for "small" $k$, e.g. $S = T = N^{k/(1+k)}$ (proof size exponential in $k$)
• Non-interactive initialization phase, simple!
H. Abusalah, J. Alwen, B. Cohen, D. Khilko, K. Pietrzak, L. Reyzin: Beyond Hellman's Time-Memory Trade-Offs with Applications to Proofs of Space. ASIACRYPT 2017
Two Basic Concepts
Depth-Robust Graphs
A DAG $G = (V, E)$ is $(e, d)$ depth-robust if after removing any $e$ nodes a path of length $d$ exists.
The 6-node example graph on the slide (nodes 1 to 6) is $(2, 3)$ depth-robust.
There exist $(\Theta(N), \Theta(N))$ depth-robust graphs on $N$ nodes with $O(\log N)$ max-indegree [EGS75].
Graph Labelling
Label $\ell_i = H(\ell_{\mathrm{parents}(i)})$, e.g. $\ell_4 = H(\ell_3, \ell_4)$ (as printed on the slide).
Pebbling Based Proofs of Space [FDPK'15]
Setting: prover P, verifier V, and a depth-robust DAG on $\Theta(N)$ nodes (the slide uses a 6-node example, nodes 1 to 6).
Initialization
• P computes the labelling $\ell_1, \ldots, \ell_N$ of the DR graph (the file $F$).
• P stores the labels.
• P sends a Merkle-tree commitment $\phi$ to the labels to V.
Proof execution
• V challenges P to open a few random labels, e.g. $i = 4$.
• P opens $\ell_i$; V verifies the opening against $\phi$.
Security [FDPK'15]
• If $\tilde P$ only stores $N(1 - \epsilon)$ labels, then $\tilde P$ needs to make $\Omega(N)$ queries to H to make V accept.
Security [Pie'19]
• Security against general adversaries: if $\tilde P$ stores any file of size $\le N(1 - \epsilon)$, then $\tilde P$ needs to make $\Omega(N)$ queries to H to make V accept.
• Intuition: there exists a long path of labels that are not stored.
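The initialization and execution phases above, as an added example (not the slides' or the paper's code): P labels a DAG by hashing each node's parent labels, commits to the labels with a Merkle tree, and opens a challenged label together with its parents so V can check both the commitment and $\ell_i = H(\ldots)$. SHA-256 stands in for the random oracle H, and the 6-node parent list is constructed and not depth-robust, so it only illustrates the commit/open mechanics.

```python
import hashlib

def H(*parts):  # random-oracle stand-in: SHA-256 over the concatenated parts
    return hashlib.sha256(b"".join(parts)).digest()

def label_graph(parents):  # l_i = H(i, l_j for j in parents(i)); nodes in topological order
    labels = []
    for i, par in enumerate(parents):
        labels.append(H(i.to_bytes(4, "big"), *(labels[j] for j in par)))
    return labels

def merkle_tree(leaves):  # all levels bottom-up; a level of odd length repeats its last node
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lv = levels[-1]
        lv += lv[-1:] * (len(lv) % 2)
        levels.append([H(lv[k], lv[k + 1]) for k in range(0, len(lv), 2)])
    return levels

def merkle_open(levels, i):  # sibling hashes from leaf i up to the root
    return [lv[(i >> d) ^ 1] for d, lv in enumerate(levels[:-1])]

def merkle_verify(root, i, leaf, path):
    for d, sib in enumerate(path):
        leaf = H(leaf, sib) if (i >> d) % 2 == 0 else H(sib, leaf)
    return leaf == root

# Initialization: P labels the DAG, stores the labels, sends only the root to V.
def prover_init(parents):
    labels = label_graph(parents)
    tree = merkle_tree(labels)
    return (labels, tree), tree[-1][0]

# Execution: V picks a random i; P opens l_i and its parents' labels with their paths.
def prover_open(state, parents, i):
    labels, tree = state
    return {j: (labels[j], merkle_open(tree, j)) for j in [i, *parents[i]]}

# V checks every opening against the commitment and recomputes l_i from the parents.
def verifier_check(root, parents, i, opening):
    if set(opening) != {i, *parents[i]}:
        return False
    if not all(merkle_verify(root, j, lab, path) for j, (lab, path) in opening.items()):
        return False
    return opening[i][0] == H(i.to_bytes(4, "big"), *(opening[j][0] for j in parents[i]))

PARENTS = [[], [0], [0, 1], [2], [1, 3], [3, 4]]  # constructed 6-node DAG, not the slide's
```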
Proofs of "Useful" Space
In a proof of space the dedicated space must be "wasted". In proofs of catalytic space and proofs of replication it can be used to store useful data.
Verifiable Delay Functions
Time-Capsules
• inherently sequential computation ∼ computation time
RSW96 Time-Lock Puzzle
Definition: on input a time parameter $T$, sample a puzzle $\pi$ and the solution $\sigma$.
• (completeness) given $\pi$ the solution $\sigma$ can be computed in $T$ sequential computational "steps"
• (security) but not in fewer, even given parallelism.
Instantiation: $\pi = (N = p \cdot q,\; x \in \mathbb{Z}_N^*,\; T \in \mathbb{Z})$, solution $\sigma = x^{2^T} \bmod N$.
• Can be computed with two exponentiations given $p, q$: $e \leftarrow 2^T \bmod \phi(N)$, then $x^{2^T} = x^e \bmod N$.
• Requires $T$ sequential squarings given only $N$: $x \to x^2 \to x^{2^2} \to \ldots \to x^{2^T} \bmod N$.
Sending Messages to the Future
• Compute puzzle/solution $(\pi, \sigma) \leftarrow$ TLP.sample($T$) and ciphertext $c = \mathrm{Enc}(\sigma, m)$.
• Publish $(\pi, c)$.
• Anyone can decrypt after solving the puzzle: $\sigma \leftarrow$ TLP.solve($\pi$) takes $T$ sequential steps, then $m = \mathrm{Dec}(\sigma, c)$.
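The RSW96 puzzle and the time-capsule use of it, as an added example (not the slides' code): the creator uses the trapdoor $p, q$ to get $\sigma$ with two exponentiations, while everyone else must do $T$ sequential squarings. The primes are constructed toy values, and Enc is instantiated as an XOR with a SHAKE-256 keystream derived from $\sigma$, which is an assumption since the slides leave Enc unspecified.

```python
import hashlib
from math import gcd

def tlp_sample(T, p, q, x):
    """Puzzle pi = (N, x, T) and solution sigma = x^(2^T) mod N, computed with the
    trapdoor p, q: e = 2^T mod phi(N), then sigma = x^e (two exponentiations)."""
    N = p * q
    assert gcd(x, N) == 1, "x must lie in Z_N^*"
    e = pow(2, T, (p - 1) * (q - 1))
    return (N, x, T), pow(x, e, N)

def tlp_solve(puzzle):
    """Without p, q: T sequential squarings x -> x^2 -> x^(2^2) -> ... -> x^(2^T)."""
    N, x, T = puzzle
    for _ in range(T):
        x = x * x % N
    return x

def enc(sigma, m):
    """Toy Enc(sigma, m): XOR with a SHAKE-256 keystream derived from sigma
    (assumption: the slides leave Enc unspecified). Decryption is the same XOR."""
    key = sigma.to_bytes((sigma.bit_length() + 7) // 8 or 1, "big")
    stream = hashlib.shake_256(key).digest(len(m))
    return bytes(a ^ b for a, b in zip(m, stream))

dec = enc

def send_to_future(m, T, p, q, x):
    """Sender: sample (pi, sigma), encrypt m under sigma, publish (pi, c)."""
    puzzle, sigma = tlp_sample(T, p, q, x)
    return puzzle, enc(sigma, m)

def open_capsule(puzzle, c):
    """Anyone: T sequential steps to recover sigma, then decrypt c."""
    return dec(tlp_solve(puzzle), c)

if __name__ == "__main__":
    # Constructed toy parameters; a real deployment uses large secret primes.
    p, q, x, T = 1019, 1187, 5, 2000
    puzzle, c = send_to_future(b"hello future", T, p, q, x)
    print(open_capsule(puzzle, c))
```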
Proofs of Sequential Work / Verifiable Delay Function
Proof of Sequential Work: a proof system where the prover P convinces the verifier V that it performed a sequential computation of $T$ steps.
PoSW from a time-lock puzzle
• V samples $(\pi, \sigma) \leftarrow$ TLP.sample($T$) and sends $\pi$ to P.
• P computes $\sigma' \leftarrow$ TLP.solve($\pi$) and sends $\sigma'$ ($= \sigma$) to V.
• V checks $\sigma' \overset{?}{=} \sigma$.
Instantiated with the RSW96 puzzle
• V samples random $p, q$, sets $N := p \cdot q$ and a random $x \in \mathbb{Z}_N^*$, and sends $(N, x)$ to P.
• P computes $\sigma = x^{2^T} \bmod N$ in $T$ sequential steps and sends $\sigma$.
• V checks $\sigma \overset{?}{=} x^{2^T} \bmod N$ (cheaply, using $p, q$).
SECRET COIN: $p, q$ are required for verification, but must be secret, otherwise the puzzle does not need $T$ sequential work.
This Work: a publicly verifiable version (i.e., a "verifiable delay function") of the RSW96 time-lock puzzle.
• NOBODY knows the factorization of $N$ (i.e., the group order of $\mathbb{Z}_N^*$).
• P computes $\sigma = x^{2^T} \bmod N$ in $T$ sequential steps and a proof $\phi$ certifying $\sigma = x^{2^T}$, and sends $(\sigma, \phi)$.
• V runs verify$(x, \sigma, \phi) \in \{0, 1\}$.
• Computing $\phi$ must be cheap compared to computing $\sigma$.
History of Time Release Crypto
[Crypto'11]
• No time-lock puzzles from random oracles.
[ITCS'13]
• Introduces proofs of sequential work and constructs them from random oracles.
• Not practical, as the prover needs not only $T$ sequential steps but also $T$ space.
• Not unique (finding many proofs costs the same as finding one). Uniqueness is required for some applications (blockchains, randomness beacons), but not for "non-interactive time-stamps".
[Eurocrypt'17]
• Simple construction where the prover just needs $\log(T)$ space.
• Still not unique...
[Crypto'18]
• VDF (morally a unique proof of sequential work): on input $(x, T)$ compute $(y, \pi)$ where $y = f(x)$ needs $T$ sequential steps and $\pi$ is a proof for $y = f(x)$.
• Uses incrementally verifiable computation (Valiant'08).
[ITCS'19]
• Simple/efficient VDFs based on the RSW time-lock puzzle.
Proving $\sigma = x^{2^T}$ in Groups of Unknown Order
Common input $(x, y, T, N)$; claim $y = x^{2^T} \bmod N$.
The prover's sequential computation: $x \to x^2 \to x^{2^2} \to x^{2^3} \to \ldots \to x^{2^{T-1}} \to x^{2^T}$.
• P sends the midpoint $\mu$ ($= x^{2^{T/2}}$) to V.
• The claim $y = x^{2^T}$ becomes the two claims $\mu = x^{2^{T/2}} \;\wedge\; y = \mu^{2^{T/2}}$: 2 claims for $T/2$ in place of 1 claim for $T$.
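The halving step above, carried through to a full interactive proof, as an added example (not the slides' or the paper's code): it goes beyond the slide by including the merge step of Pietrzak's ITCS'19 protocol, in which V's random $r$ folds the two half-length claims into one, $(x^r \mu)^{2^{T/2}} = \mu^r y$, until a single squaring remains. Assumptions: $T$ is a power of two, the modulus is a constructed toy value, and the paper's restriction to a subgroup without low-order elements (quadratic residues) is omitted.

```python
import secrets
from math import gcd

def seq_square(x, t, N):
    """t sequential squarings: x -> x^2 -> x^(2^2) -> ... -> x^(2^t) mod N."""
    for _ in range(t):
        x = x * x % N
    return x

def halve(xi, yi, mu, r, N):
    """Fold the two claims mu = xi^(2^(t/2)) and yi = mu^(2^(t/2)) into one claim
    of half the length, (xi^r * mu)^(2^(t/2)) = mu^r * yi, using V's random r
    (the merge step of Pietrzak's ITCS'19 protocol, not shown on the slide)."""
    return pow(xi, r, N) * mu % N, pow(mu, r, N) * yi % N

def sample_challenges(T, lam=128):
    """V's random coins, one per halving round; this toy assumes T = 2^k."""
    assert T > 0 and T & (T - 1) == 0, "T must be a power of two"
    return [secrets.randbits(lam) for _ in range(T.bit_length() - 1)]

def prove(x, T, N, rs):
    """P: y = x^(2^T) in T sequential steps, then one midpoint mu per round.
    The proof costs about T further squarings in total (T/2 + T/4 + ...)."""
    y = seq_square(x, T, N)
    xi, yi, t, proof = x, y, T, []
    for r in rs:
        mu = seq_square(xi, t // 2, N)       # midpoint of the current claim
        proof.append(mu)
        xi, yi = halve(xi, yi, mu, r, N)
        t //= 2
    return y, proof

def verify(x, y, T, N, proof, rs):
    """V: log2(T) small exponentiations, then a single squaring at t = 1;
    cheap compared to the T sequential squarings P needed for y."""
    if T <= 0 or T & (T - 1) or len(proof) != T.bit_length() - 1 or len(rs) != len(proof):
        return False
    xi, yi, t = x, y, T
    for mu, r in zip(proof, rs):
        if not 0 < mu < N or gcd(mu, N) != 1:  # reject values outside Z_N^*
            return False
        xi, yi = halve(xi, yi, mu, r, N)
        t //= 2
    return t == 1 and yi == xi * xi % N

if __name__ == "__main__":
    N = 1019 * 1187          # constructed toy modulus; in practice nobody knows p, q
    x, T = 5, 8
    rs = sample_challenges(T)
    y, proof = prove(x, T, N, rs)
    print(y, verify(x, y, T, N, proof, rs))
```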