Simple Proofs of Sequential Work Bram Cohen Krzysztof Pietrzak - PowerPoint PPT Presentation

Simple Proofs of Sequential Work Bram Cohen Krzysztof Pietrzak Eurocrypt 2018, Tel Aviv, May 1st 2018

Outline • What Proofs of Sequential Work • How Sketch of Construction & Proof • Why Sustainable Blockchains

Outline • What Proofs of Sequential Work • How Sketch of Construction & Proof • Why Sustainable Blockchains

Outline • What Proofs of Sequential Work • How Sketch of Construction & Proof • Why Sustainable Blockchains

Outline • What Proofs of Sequential Work • How Sketch of Construction & Proof • Why Sustainable Blockchains α i +1 α i β i β i +1 σ i +1 τ i +1 σ i τ i

Proofs of Sequential Work

puzzle: ( N = p · q, x, T ) , solution: x 2 T mod N solution computed with two exponentiation given p, q : x 2 T = x e mod N e ← 2 T mod φ ( N ) , conjectured to require T sequential squarings given only N x → x 2 → x 2 2 → . . . x 2 T mod N

puzzle: ( N = p · q, x, T ) , solution: x 2 T mod N solution computed with two exponentiation given p, q : x 2 T = x e mod N e ← 2 T mod φ ( N ) , conjectured to require T sequential squarings given only N x → x 2 → x 2 2 → . . . x 2 T mod N sequential computation ∼ computation time ⇒ “send message to the future”

PoSW vs. Time-Lock Puzzles Functionality • Prove that time has passed • Send message to the future ⇒ Non-interactive time-stamps

PoSW vs. Time-Lock Puzzles Functionality • Prove that time has passed • Send message to the future ⇒ Non-interactive time-stamps Assumption • Random oracle model or • Non-standard algebraic “sequential” hash-function assumption

PoSW vs. Time-Lock Puzzles Functionality • Prove that time has passed • Send message to the future ⇒ Non-interactive time-stamps Assumption • Random oracle model or • Non-standard algebraic “sequential” hash-function assumption Public vs. Private • Public-coin ⇒ • Private-coin ⇒ Publicly verfiable Designated verifier

Proofs of Sequential Work aka. Verifiable Delay Algorithm Prover P Verifier V χ ← statement χ Time T ∈ N

Proofs of Sequential Work aka. Verifiable Delay Algorithm Prover P Verifier V χ ← statement χ Time T ∈ N τ = τ ( χ, T ) verify ( χ, T, τ ) ∈ accept / reject

Proofs of Sequential Work aka. Verifiable Delay Algorithm H Prover P Verifier V χ ← statement χ Time T ∈ N τ = τ ( χ, T ) verify ( χ, T, τ ) ∈ accept / reject Completeness and Soundness in the random oracle model:

Proofs of Sequential Work aka. Verifiable Delay Algorithm H Prover P Verifier V χ ← statement χ Time T ∈ N τ = τ ( χ, T ) verify ( χ, T, τ ) ∈ accept / reject Completeness and Soundness in the random oracle model: Completeness: τ ( c, T ) can be computed making T queries to H Soundness: Computing any τ ′ s.t. verify ( χ, T, τ ′ ) = accept for random χ requires almost T sequential queries to H

Proofs of Sequential Work aka. Verifiable Delay Algorithm H Prover P Verifier V χ ← statement χ Time T ∈ N τ = τ ( χ, T ) verify ( χ, T, τ ) ∈ accept / reject Completeness and Soundness in the random oracle model: Completeness: τ ( c, T ) can be computed making T queries to H Soundness: Computing any τ ′ s.t. verify ( χ, T, τ ′ ) = accept for random χ requires almost T sequential queries to H massive parallelism useless to generate valid proof faster ⇒ prover must make almost T sequential queries ∼ T time

Three Problems of the [MMV’13] PoSW 1) Space Complexity : Prover needs massive (linear in T) space to compute proof. 2) Poor/Unclear Parameters due to usage of sophisticated combinatorial objects. 3) Uniqueness : Once an accepting proof is computed, many other valid proofs can be generated (not a problem for time-stamping, but for blockchains).

Three Problems of the [MMV’13] PoSW 1) Space Complexity : Prover needs massive (linear in T) space to compute proof. 2) Poor/Unclear Parameters due to usage of sophisticated combinatorial objects. 3) Uniqueness : Once an accepting proof is computed, many other valid proofs can be generated (not a problem for time-stamping, but for blockchains). New Construction 1) Prover needs only O ( log ( T )) (not O ( T ) ) space, e.g. for T = 2 42 ( ≈ a day) that’s ≈ 10 KB vs. ≈ 1 PB . 2) Simple construction and proof with good concrete parameters. 3) Awesome open problem!

Construction and Proof Sketch

Three Basic Concepts

Three Basic Concepts Depth-Robust Graphs (only [MMV’13]) DAG G = ( V, E ) is ( e, d ) 1 2 3 4 5 6 depth-robust if after removing any e nodes a path of length d exists.

Three Basic Concepts Depth-Robust Graphs (only [MMV’13]) DAG G = ( V, E ) is ( e, d ) 1 2 3 4 5 6 depth-robust if after removing any e nodes a path of length d exists. is (2 , 3) depth-robust

Three Basic Concepts Depth-Robust Graphs (only [MMV’13]) DAG G = ( V, E ) is ( e, d ) 1 2 3 4 5 6 depth-robust if after removing any e nodes a path of length d exists. Graph Labelling label ℓ i = H ( ℓ parents ( i ) ) , e.g. ℓ 4 = H ( ℓ 3 , ℓ 4 )

Three Basic Concepts Depth-Robust Graphs (only [MMV’13]) DAG G = ( V, E ) is ( e, d ) 1 2 3 4 5 6 depth-robust if after removing any e nodes a path of length d exists. Graph Labelling label ℓ i = H ( ℓ parents ( i ) ) , e.g. ℓ 4 = H ( ℓ 3 , ℓ 4 ) Random Oracles are Sequential queries y = H ( x ) , y ′ = H ( x ′ ) where H H y ⊆ x ′ ⇒ query x ′ was made after x y ′ x y x ′

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6 • Protocol specifies depth-robust DAG G on T nodes 1 2 3 4 5 6 • Define “fresh” random oracle H χ ( · ) ≡ H ( χ �· )

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6 • Protocol specifies depth-robust DAG G on T nodes ℓ 1 ℓ 2 ℓ 3 ℓ 4 ℓ 5 ℓ 6 • Define “fresh” random oracle H χ ( · ) ≡ H ( χ �· ) • Compute labels of G using H χ

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6 φ • Protocol specifies depth-robust DAG G on T nodes ℓ 1 ℓ 2 ℓ 3 ℓ 4 ℓ 5 ℓ 6 • Define “fresh” random oracle H χ ( · ) ≡ H ( χ �· ) • Compute labels of G using H χ φ • Send commitment φ to labels to V

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6 φ check openings and if labels consistent c ⊂ V open { ℓ i } i ∈ c ∪ i ∈ parents ( i ) with parent labels • Protocol specifies depth-robust DAG G on T nodes ℓ 1 ℓ 2 ℓ 3 ℓ 4 ℓ 5 ℓ 6 • Define “fresh” random oracle H χ ( · ) ≡ H ( χ �· ) • Compute labels of G using H χ φ • Send commitment φ to labels to V • V challenged to open random subset of nodes and parents (interaction can be removed using Fiat-Shamir)

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6 φ Proof Sketch • G is ( e, d ) depth-robust ℓ ′ ℓ ′ ℓ ′ ℓ ′ ℓ ′ ℓ ′ 1 2 3 4 5 6 • φ commits ˜ P to labels { ℓ ′ i } i ∈ V • i is bad if ℓ ′ i � = H ( ℓ ′ parents ( i ) ) φ

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6 φ Proof Sketch • G is ( e, d ) depth-robust ℓ ′ ℓ ′ ℓ ′ ℓ ′ ℓ ′ ℓ ′ 1 2 3 4 5 6 • φ commits ˜ P to labels { ℓ ′ i } i ∈ V • i is bad if ℓ ′ i � = H ( ℓ ′ parents ( i ) ) φ • Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.

The MMV’13 Construction H Prover P Verifier V χ ← statement χ Time T = 6 φ Proof Sketch • G is ( e, d ) depth-robust ℓ ′ ℓ ′ ℓ ′ ℓ ′ ℓ ′ ℓ ′ 1 2 3 4 5 6 • φ commits ˜ P to labels { ℓ ′ i } i ∈ V • i is bad if ℓ ′ i � = H ( ℓ ′ parents ( i ) ) φ • Case 1: ≥ e bad nodes ⇒ will fail opening phase whp. • Case 2: Less than e bad labels ⇒ ∃ path of good nodes (by ( e, d ) depth-robustness) ⇒ ˜ P made d sequential queries (by sequantality of RO)

The New Construction T = 15

The New Construction T = 15 For every leaf i add all edges ( j, i ) where j is left sibling of node on path i → root

The New Construction right sibling T = 15 left sibling For every leaf i add all edges ( j, i ) where j is left sibling of node on path i → root

The New Construction T = 15 For every leaf i add all edges ( j, i ) where j is left sibling of node on path i → root

The New Construction T = 15 ℓ 15 ℓ 14 ℓ 3 ℓ 1 ℓ 2 For every leaf i add all edges ( j, i ) where j is left sibling of node on path i → root • P computes labelling ℓ i = H ( ℓ parents ( i ) ) and sends root label φ = ℓ T to V . Can be done storing only log( T ) labels. • V challenges P to open a subset of leaves and checks consistency (blue and green edges!)

The New Construction T = 15 ℓ 15 ℓ 14 ℓ 3 ℓ 1 ℓ 2 For every leaf i add all edges ( j, i ) where j is left sibling of node on path i → root • P computes labelling ℓ i = H ( ℓ parents ( i ) ) and sends root label φ = ℓ T to V . Can be done storing only log( T ) labels. • V challenges P to open a subset of leaves and checks consistency (blue and green edges!) PKC’00

The New Construction φ T = 15 Proof Sketch