Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time

Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof Pietrzak 1st International Summer School on Security & Privacy for Blockchains and Distributed Ledger Technologies. September 5th 2019. Proof Systems


  1. Constructions from “Hard to Pebble Graphs” [a]
     • Optimal bounds: either $\Theta(N)$ space or $\Theta(N)$ time
     • Non-Interactive Initialization Phase, Complicated
     [a] Stefan Dziembowski, Sebastian Faust, Vladimir Kolmogorov, Krzysztof Pietrzak: Proofs of Space. CRYPTO 2015
     Inverting Random Functions [b]
     • Bounds (only) asymptotically optimal: $T \cdot S^k \ge N^k$ for “small” $k$, e.g. $S = T = N^{k/(1+k)}$ (proof size exponential in $k$)
     • Non-Interactive Initialization Phase, Simple!
     [b] H. Abusalah, J. Alwen, B. Cohen, D. Khilko, K. Pietrzak, L. Reyzin: Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space. ASIACRYPT 2017

  2. Two Basic Concepts. Depth-Robust Graphs: a DAG $G = (V,E)$ is $(e,d)$ depth-robust if after removing any $e$ nodes a path of length $d$ exists. [Figure: example DAG on nodes 1, ..., 6]

  3. Two Basic Concepts. Depth-Robust Graphs: a DAG $G = (V,E)$ is $(e,d)$ depth-robust if after removing any $e$ nodes a path of length $d$ exists. [Figure: example DAG on nodes 1, ..., 6] The example graph is $(2,3)$ depth-robust.

  4. Two Basic Concepts. Depth-Robust Graphs: a DAG $G = (V,E)$ is $(e,d)$ depth-robust if after removing any $e$ nodes a path of length $d$ exists. [Figure: example DAG on nodes 1, ..., 6] The example graph is $(2,3)$ depth-robust. $\exists$ $(\Theta(N), \Theta(N))$ depth-robust graphs on $N$ nodes with $O(\log(N))$ max-indegree [EGS75].

  5. Two Basic Concepts. Depth-Robust Graphs: a DAG $G = (V,E)$ is $(e,d)$ depth-robust if after removing any $e$ nodes a path of length $d$ exists. [Figure: example DAG on nodes 1, ..., 6] Graph Labelling: label $\ell_i = H(\ell_{\mathrm{parents}(i)})$, e.g. $\ell_4 = H(\ell_3, \ell_4)$

  6. Pebbling Based Proofs of Space [FDPK’15]. [Figure: prover P and verifier V]

  7. Pebbling Based Proofs of Space [FDPK’15]. [Figure: prover P and verifier V; depth-robust DAG (on $\Theta(N)$ nodes), drawn with nodes 1, ..., 6]

  8. Pebbling Based Proofs of Space [FDPK’15]. Initialization: P computes labelling of DR graph. Stores labels. Sends Merkle-tree commitment to labels to V. [Figure: P and V; symbols $H$, $F$, $\phi$; labels $\ell_1, \dots, \ell_6$]

  9. Pebbling Based Proofs of Space [FDPK’15]. [Figure: P and V; symbols $F$, $\phi$; labels $\ell_1, \dots, \ell_6$]

  10. Pebbling Based Proofs of Space [FDPK’15]. Proof execution: V challenges P to open a few random labels. [Figure: challenge $i$; open $\ell_i$; verify opening; symbols $F$, $\phi$; labels $\ell_1, \dots, \ell_6$]

  11. Pebbling Based Proofs of Space [FDPK’15]. Proof execution: V challenges P to open a few random labels, e.g. $i = 4$. [Figure: challenge $i$; open $\ell_i$; verify opening; symbols $F$, $\phi$; labels $\ell_1, \dots, \ell_6$]

  12. Pebbling Based Proofs of Space [FDPK’15]. Security [FDPK’15]: $\tilde{P}$ only stores $N(1-\epsilon)$ labels $\Rightarrow$ $\tilde{P}$ needs to make $\Omega(N)$ $H$ queries to make V accept. Intuition: $\exists$ long path on labels that are not stored. [Figure: P and V; symbols $F$, $\phi$; labels $\ell_1, \dots, \ell_6$]

  13. Pebbling Based Proofs of Space [FDPK’15]. Security [FDPK’15]: $\tilde{P}$ only stores $N(1-\epsilon)$ labels $\Rightarrow$; security [Pie’19] (security against general adversaries): $\tilde{P}$ stores any file of size $\le N(1-\epsilon)$ $\Rightarrow$; in both cases $\tilde{P}$ needs to make $\Omega(N)$ $H$ queries to make V accept. Intuition: $\exists$ long path on labels that are not stored. [Figure: P and V; symbols $F$, $\phi$; labels $\ell_1, \dots, \ell_6$]
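The initialization and challenge phases from slides 5 to 13, as an added example that is not code from the talk or from the cited papers. The 8-node graph, the `seed` input to the labels, and the check of an opened label against its opened parents are assumptions made here for illustration.

```python
import hashlib

def H(*parts):
    """Hash with length-prefixed inputs so concatenations cannot collide."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

# Constructed 8-node DAG, parents per node in topological order (not the slide's
# graph, and far too small to be meaningfully depth-robust).
PARENTS = {0: [], 1: [0], 2: [0, 1], 3: [1, 2], 4: [2, 3], 5: [0, 4], 6: [3, 5], 7: [4, 6]}

def node_label(seed, i, parent_labels):
    return H(seed, i.to_bytes(4, "big"), *parent_labels)

def label_graph(parents, seed):
    """Initialization: l_i = H(seed, i, labels of parents(i))."""
    labels = []
    for i in range(len(parents)):
        labels.append(node_label(seed, i, [labels[p] for p in parents[i]]))
    return labels

def merkle_levels(labels):
    """All tree levels, leaves first; len(labels) must be a power of two."""
    levels = [[H(b"leaf", l) for l in labels]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"node", prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels

def open_label(levels, labels, i):
    """Prover: label i plus its sibling path up to the root."""
    path, idx = [], i
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx //= 2
    return labels[i], path

def verify_opening(root, i, label, path):
    node = H(b"leaf", label)
    for sibling in path:
        node = H(b"node", sibling, node) if i & 1 else H(b"node", node, sibling)
        i //= 2
    return node == root

def verify_challenge(root, parents, seed, i, openings):
    """Verifier: openings maps i and each parent of i to (label, path)."""
    if not all(verify_opening(root, j, *openings[j]) for j in [i] + parents[i]):
        return False
    return openings[i][0] == node_label(seed, i, [openings[p][0] for p in parents[i]])
```

The verifier keeps only the 32-byte root `merkle_levels(labels)[-1][0]`, while an honest prover keeps every label so it can answer any challenge without recomputing the graph.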

  14. Proofs of “useful” Space In a proof of space the dedicated space must be “wasted”. In Proofs of catalytic space and Proofs of replication it can be used to store useful data.

  16. Verifiable Delay Functions

  17. Time-Capsules

  19. inherently sequential computation ∼ computation time

  20. RSW96 Time-Lock Puzzle. Definition: on input a time parameter $T$ sample a puzzle $\pi$. Instantiation: $\pi = (N = p \cdot q,\ x \in \mathbb{Z}_N^*,\ T \in \mathbb{Z})$

  21. RSW96 Time-Lock Puzzle. Definition: on input a time parameter $T$ sample a puzzle $\pi$ and the solution $\sigma$. Instantiation: $\pi = (N = p \cdot q,\ x \in \mathbb{Z}_N^*,\ T \in \mathbb{Z})$. The solution $\sigma = x^{2^T} \bmod N$ can be computed with two exponentiations given $p,q$: $e \leftarrow 2^T \bmod \phi(N)$, $x^{2^T} = x^e \bmod N$.

  22. RSW96 Time-Lock Puzzle. Definition: on input a time parameter $T$ sample a puzzle $\pi$ and the solution $\sigma$. (Completeness) given $\pi$ the solution $\sigma$ can be computed in $T$ sequential computational “steps”, (security) but not less, even given parallelism. Instantiation: $\pi = (N = p \cdot q,\ x \in \mathbb{Z}_N^*,\ T \in \mathbb{Z})$. The solution $\sigma = x^{2^T} \bmod N$ can be computed with two exponentiations given $p,q$: $e \leftarrow 2^T \bmod \phi(N)$, $x^{2^T} = x^e \bmod N$. It requires $T$ sequential squarings given only $N$: $x \to x^2 \to x^{2^2} \to \dots \to x^{2^T} \bmod N$

  23. Sending Messages to the Future

  24. Sending Messages to the Future. Compute puzzle/solution $(\pi,\sigma)$ and ciphertext $c = \mathrm{Enc}(\sigma,m)$. [Figure: TLP.sample(T) → $(\pi,\sigma)$; $m$ → Enc → $c$]

  25. Sending Messages to the Future. Compute puzzle/solution $(\pi,\sigma)$ and ciphertext $c = \mathrm{Enc}(\sigma,m)$. Publish $\pi, c$. [Figure: TLP.sample(T) → $(\pi,\sigma)$; $m$ → Enc → $c$; published $\pi, c$]

  26. Sending Messages to the Future. Compute puzzle/solution $(\pi,\sigma)$ and ciphertext $c = \mathrm{Enc}(\sigma,m)$. Publish $\pi, c$. Anyone can decrypt after solving the puzzle. [Figure: TLP.sample(T) → $(\pi,\sigma)$; $m$ → Enc → $c$; published $\pi, c$; $T$ sequential steps: TLP.solve($\pi$) → $\sigma$; $c$ → Dec → $m$]
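The RSW96 puzzle and the time-capsule flow from slides 20 to 26, as an added example that is not code from the talk. The toy modulus built from two Mersenne primes and the SHAKE-256 XOR stream standing in for Enc/Dec are assumptions chosen so the block runs in milliseconds.

```python
import hashlib
import math
import secrets

# Constructed toy primes (both Mersenne primes); a real puzzle uses a ~2048-bit modulus.
P, Q = 2**31 - 1, 2**61 - 1

def tlp_sample(T, p=P, q=Q):
    """Puzzle creator: knows p, q, so sigma costs two exponentiations."""
    N, phi = p * q, (p - 1) * (q - 1)
    while True:
        x = secrets.randbelow(N - 2) + 2          # x in [2, N-1]
        if math.gcd(x, N) == 1:                   # x must lie in Z_N^*
            break
    e = pow(2, T, phi)                            # e <- 2^T mod phi(N)
    sigma = pow(x, e, N)                          # sigma = x^e = x^(2^T) mod N
    return (N, x, T), sigma

def tlp_solve(puzzle):
    """Solver: only N is known, so T squarings, each needing the previous result."""
    N, x, T = puzzle
    sigma = x
    for _ in range(T):
        sigma = sigma * sigma % N
    return sigma

def keystream_xor(sigma, data):
    """Stand-in for Enc/Dec: XOR with a SHAKE-256 stream keyed by sigma (demo only)."""
    stream = hashlib.shake_256(sigma.to_bytes(16, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def send_to_future(message, T):
    """Sender publishes (pi, c) and discards sigma, p and q."""
    puzzle, sigma = tlp_sample(T)
    return puzzle, keystream_xor(sigma, message)

def open_capsule(puzzle, ciphertext):
    """Anyone: T sequential squarings, then decrypt."""
    return keystream_xor(tlp_solve(puzzle), ciphertext)
```

Whoever learns `p` and `q` can rerun the shortcut in `tlp_sample` and skip the delay, which is the "secret coin" problem the later slides address.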

  28. Proofs of Sequential Work / Verifiable Delay Function

  29. Proofs of Sequential Work / Verifiable Delay Function. Proof of Sequential Work: proof system where prover P convinces verifier V it performed a sequential computation of $T$ steps.

  30. Proofs of Sequential Work / Verifiable Delay Function. Proof of Sequential Work: proof system where prover P convinces verifier V it performed a sequential computation of $T$ steps. PoSW from a time-lock puzzle. [Figure: P and V; $(\pi,\sigma) \leftarrow$ TLP.sample(T); message $\pi$]

  31. Proofs of Sequential Work / Verifiable Delay Function. Proof of Sequential Work: proof system where prover P convinces verifier V it performed a sequential computation of $T$ steps. PoSW from a time-lock puzzle. [Figure: P and V; $(\pi,\sigma) \leftarrow$ TLP.sample(T); message $\pi$; $\sigma \leftarrow$ TLP.solve($\pi$); message $\sigma'$ $(= \sigma)$; check $\sigma' \stackrel{?}{=} \sigma$]

  32. Proofs of Sequential Work / Verifiable Delay Function, instantiated with the RSW96 puzzle. [Figure: P and V; sample random $p,q$; $N := p \cdot q$; random $x \in \mathbb{Z}_N^*$; message $N, x$]

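  33. Proofs of Sequential Work / Verifiable Delay Function, instantiated with the RSW96 puzzle. [Figure: P and V; sample random $p,q$; $N := p \cdot q$; random $x \in \mathbb{Z}_N^*$; message $N, x$; P computes $\sigma = x^{2^T} \bmod N$ in $T$ sequential steps; message $\sigma$; check $\sigma \stackrel{?}{=} x^{2^T} \bmod N$]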

  34. Proofs of Sequential Work / Verifiable Delay Function, instantiated with the RSW96 puzzle. SECRET COIN: $p,q$ required for verification, but must be secret, otherwise puzzle does not need $T$ sequential work. [Figure: P and V; sample random $p,q$; $N := p \cdot q$; random $x \in \mathbb{Z}_N^*$; message $N, x$; P computes $\sigma = x^{2^T} \bmod N$ in $T$ sequential steps; message $\sigma$; check $\sigma \stackrel{?}{=} x^{2^T} \bmod N$]

  35. Proofs of Sequential Work / Verifiable Delay Function, instantiated with the RSW96 puzzle. SECRET COIN: $p,q$ required for verification, but must be secret, otherwise puzzle does not need $T$ sequential work. This Work: a publicly verifiable version (i.e., a “verifiable delay function”) of the RSW96 time lock puzzle. [Figure: P and V; sample random $p,q$; $N := p \cdot q$; random $x \in \mathbb{Z}_N^*$; message $N, x$; P computes $\sigma = x^{2^T} \bmod N$ in $T$ sequential steps and proof $\phi$ certifying $\sigma = x^{2^T}$; message $\sigma, \phi$; verify$(x,\sigma,\phi) \in \{0,1\}$]

  36. Proofs of Sequential Work / Verifiable Delay Function, instantiated with the RSW96 puzzle. SECRET COIN: $p,q$ required for verification, but must be secret, otherwise puzzle does not need $T$ sequential work. This Work: a publicly verifiable version (i.e., a “verifiable delay function”) of the RSW96 time lock puzzle. NOBODY knows factorization of $N$ (group order of $\mathbb{Z}_N^*$). [Figure: P and V; sample random $p,q$; $N := p \cdot q$; random $x \in \mathbb{Z}_N^*$; message $N, x$; P computes $\sigma = x^{2^T} \bmod N$ in $T$ sequential steps and proof $\phi$ certifying $\sigma = x^{2^T}$; message $\sigma, \phi$; verify$(x,\sigma,\phi) \in \{0,1\}$]

  37. Proofs of Sequential Work / Verifiable Delay Function, instantiated with the RSW96 puzzle. SECRET COIN: $p,q$ required for verification, but must be secret, otherwise puzzle does not need $T$ sequential work. This Work: a publicly verifiable version (i.e., a “verifiable delay function”) of the RSW96 time lock puzzle. NOBODY knows factorization of $N$ (group order of $\mathbb{Z}_N^*$). Computing $\phi$ must be cheap compared to computing $\sigma$. [Figure: P and V; sample random $p,q$; $N := p \cdot q$; random $x \in \mathbb{Z}_N^*$; message $N, x$; P computes $\sigma = x^{2^T} \bmod N$ in $T$ sequential steps and proof $\phi$ certifying $\sigma = x^{2^T}$; message $\sigma, \phi$; verify$(x,\sigma,\phi) \in \{0,1\}$]

  38. History of Time Release Crypto

  39. History of Time Release Crypto
      [Crypto’11]
      • No Time-Lock Puzzles from Random Oracles

  40. History of Time Release Crypto
      [Crypto’11]
      • No Time-Lock Puzzles from Random Oracles
      [ITCS’13]
      • Introduces Proofs of Sequential Work and constructs them from Random Oracles.
      • Not practical, as the prover needs not only $T$ sequential steps, but also $T$ space.
      • Not unique (finding many proofs at same cost as finding one). Uniqueness required for some applications (blockchains, randomness beacons), but not for “non-interactive time-stamps”.

  41. History of Time Release Crypto
      [Crypto’11]
      • No Time-Lock Puzzles from Random Oracles
      [Eurocrypt’17]
      • Simple construction where prover just needs $\log(T)$ space.
      • Still not unique....

  42. History of Time Release Crypto
      [Crypto’18]
      • VDF (morally a unique proof of sequential work): on input $(x,T)$ compute $(y,\pi)$ where $y = f(x)$ needs $T$ sequential steps and $\pi$ proof for $y = f(x)$.
      • Use incrementally verifiable computation (Valiant’08).

  43. History of Time Release Crypto
      [Crypto’18]
      • VDF (morally a unique proof of sequential work): on input $(x,T)$ compute $(y,\pi)$ where $y = f(x)$ needs $T$ sequential steps and $\pi$ proof for $y = f(x)$.
      • Use incrementally verifiable computation (Valiant’08).
      [ITCS’19]
      • simple/efficient VDFs based on the RSW time-lock puzzle

  45. Proving $\sigma = x^{2^T}$ in Groups of Unknown Order. Statement $(x,y,T,N)$: claim $y = x^{2^T} \bmod N$. [Figure: P and V; chain $x, x^2, x^{2^2}, x^{2^3}, \dots, x^{2^{T-1}}, x^{2^T}$]

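  46. Proving $\sigma = x^{2^T}$ in Groups of Unknown Order. Statement $(x,y,T,N)$: claim $y = x^{2^T} \bmod N$. [Figure: P and V; message $\mu$ $(= x^{2^{T/2}})$; chain $x, x^2, x^{2^2}, x^{2^3}, \dots, x^{2^{T-1}}, x^{2^T}$ with $\mu$ $(= x^{2^{T/2}})$ marked on it]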

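  47. Proving $\sigma = x^{2^T}$ in Groups of Unknown Order. Statement $(x,y,T,N)$: claim $y = x^{2^T} \bmod N$. The claim $y = x^{2^T}$ is replaced by $\mu = x^{2^{T/2}} \wedge y = \mu^{2^{T/2}}$: 2 claims for $T/2$ for 1 claim for $T$. [Figure: P and V; message $\mu$ $(= x^{2^{T/2}})$; chain $x, x^2, x^{2^2}, x^{2^3}, \dots, x^{2^{T-1}}, x^{2^T}$ with $\mu$ $(= x^{2^{T/2}})$ marked on it]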
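The halving step from slides 45 to 47, carried through to a full interactive protocol, as an added example that is not code from the talk. It goes beyond what the slides show: folding the two $T/2$ claims into one with a random verifier challenge $r$ follows the [ITCS’19] construction the slides cite, and the toy modulus, the function names and the interactive (not Fiat-Shamir) form are assumptions made here.

```python
import secrets

# Constructed toy modulus from two Mersenne primes. A real deployment needs a
# ~2048-bit N whose factorization nobody knows and a group without small-order
# elements; this N only makes the arithmetic visible.
N = (2**31 - 1) * (2**61 - 1)

def repeated_square(x, t, n=N):
    """x^(2^t) mod n via t sequential squarings (the only way without p, q)."""
    for _ in range(t):
        x = x * x % n
    return x

def honest_midpoint(x, T, n=N):
    """Prover's message for the claim (x, y, T): mu = x^(2^(T/2))."""
    return repeated_square(x, T // 2, n)

def halve(x, y, T, mu, r, n=N):
    """Fold the claims mu = x^(2^(T/2)) and y = mu^(2^(T/2)) into one T/2 claim.

    New claim: (x^r * mu)^(2^(T/2)) = mu^r * y, which holds when both halves do.
    """
    return pow(x, r, n) * mu % n, pow(mu, r, n) * y % n, T // 2

def run_protocol(x, y, T, n=N, challenge_bits=128):
    """Verifier's view of the whole exchange; returns True iff V accepts.

    The prover here recomputes each midpoint from scratch for brevity; a real
    prover reuses values saved while computing y so the proof stays cheap.
    """
    if T < 1 or T & (T - 1):
        raise ValueError("T must be a power of two")
    while T > 1:
        mu = honest_midpoint(x, T, n)                # P -> V
        r = secrets.randbits(challenge_bits) + 1     # V -> P, fresh randomness
        x, y, T = halve(x, y, T, mu, r, n)
    return y == x * x % n                            # base case T == 1: one squaring
```

The verifier performs about $\log_2 T$ rounds of two exponentiations each plus a single squaring, instead of the $T$ squarings needed to recompute $y$.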
