
Verifiable Delay Functions - Joe Netti



  1. Verifiable Delay Functions Joe Netti

  2. Overview of VDFs (Boneh, Bonneau, et al. 2019)
     Goal: Prove the passage of time
     VDF Properties:
     1. Slow to calculate (delay), fast to verify (polynomial time).
     2. Parallelization does not speed up calculation (sequential)
     3. Unique mapping (function)
     4. Compact verification proof
     5. Proof is non-interactive

  3. Use Case: Randomness beacon
     [Figure: timeline labeled past, present, future; axis: time]

  4. Precursor: Time lock puzzle (Rivest, Shamir, Wagner 1996)
     Goal: “Send a message to the future”
     Primitives:
     1. Blum-Blum-Shub pseudorandom generator: $x_{i+1} = x_i^2 \pmod{n}$
     2. RSA factoring: $n = pq$
     3. Difficulty of calculating $\phi(n)$ with $p, q$ unknown.
     4. Euler’s theorem: $a^{\phi(n)} = 1 \pmod{n}$

  5. Time lock puzzle
     Variables:
     - T: wait period in seconds
     - S: expected squares-per-sec of solver
     - $t = TS$: difficulty of puzzle (# of squares)
     - $\phi(n) = (p-1)(q-1)$
     - K: random private key
     - $n = pq$; $p, q$ are prime
     - $a$: $1 < a < n$
     - M: message to encrypt to the future
     Protocol:
     Alice: private: (K, p, q, M)
     - $C_M = \mathrm{Encrypt}(K, M)$
     - $C_K = K + a^{2^t} \pmod{n}$  # “encryption” of K
     - $e = 2^t \pmod{\phi(n)}$  # e squares for Alice
     Bob (solver): public: ($C_M$, $C_K$, n, a, t)
     1. $K = C_K - a^{2^t} \pmod{n}$  # t squares for Bob
     2. $M = \mathrm{Decrypt}(K, C_M)$

  6. More prior work:
     1. Non-Interactive Zero-Knowledge and Its Applications (Micali et al. 1988)
     2. Pricing via processing or combatting junk mail (Dwork, Naor 1992)
     3. A partial hash collision based postage scheme (hashcash) (Back 1997)
     4. Bitcoin: a peer-to-peer electronic cash system (Nakamoto 2008)
     5. Proofs of sequential work (POSW) (Mahmoody et al. 2013)
     And many others

  7. This slide again
     Goal: Prove the passage of time
     VDF Properties:
     1. Slow to calculate (delay), fast to verify (polynomial time).
     2. Parallelization does not speed up calculation (sequential)
     3. Unique mapping (function)
     4. Compact verification proof
     5. Proof is non-interactive

  8. Simple VDF (Pietrzak 2019)
     1. Extends original time lock puzzle
     2. Creates interactive protocol
     3. Protocol is made non-interactive using Fiat-Shamir transform

  9. Interactive protocol
     - Repeat until T = 1
     - This combines previous rounds to make a compact proof
     - r is given by the verifier at each round

  10. x “grows” relative to y

  11. The proof $\pi = \{\mu_1, \dots, \mu_s\}$
      Calculating $\mu_3$

  12. Non-interactive using Fiat-Shamir
      - Fiat-Shamir: replace every “choice” with a random oracle.
      - Random oracle often from hash functions
      - Beware of “grinding” attacks where input to hash can be chosen
      Choosing random r

  13. References
      [1] Boneh, D., Bonneau, J., Bünz, B., & Fisch, B. (2018, August). Verifiable delay functions. In Annual International Cryptology Conference (pp. 757-788). Springer, Cham. https://eprint.iacr.org/2018/601.pdf
      [2] Bonneau. (2019, November). Exploring VDFs with Joseph Bonneau. Zero Knowledge Podcast. https://www.zeroknowledge.fm/103
      [3] Mahmoody, M., Moran, T., & Vadhan, S. (2013, January). Publicly verifiable proofs of sequential work. In Proceedings of the 4th Conference on Innovations in Theoretical Computer Science (pp. 373-388). https://eprint.iacr.org/2011/553.pdf
      [4] Pietrzak, K. (2018). Simple verifiable delay functions. In 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. https://eprint.iacr.org/2018/627.pdf
      [5] Rivest, R. L., Shamir, A., & Wagner, D. A. (1996). Time-lock puzzles and timed-release crypto. https://people.csail.mit.edu/rivest/pubs/RSW96.pdf
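
The time-lock puzzle from slide 5, as an added Python example (not code from the presentation): Alice uses the trapdoor ϕ(n) to build the puzzle with two modular exponentiations, while Bob must perform t sequential squarings. The function names, the SHA-256 keystream standing in for Encrypt/Decrypt, and the small demo primes are assumptions.

```python
import hashlib
import secrets

# Constructed demo primes (Mersenne primes 2^89-1 and 2^107-1). Far too small
# for real use, where n must be an RSA modulus of 2048 bits or more.
P = 2**89 - 1
Q = 2**107 - 1


def _keystream_xor(key: int, data: bytes) -> bytes:
    """Assumed stand-in for Encrypt/Decrypt(K, M): XOR with a SHA-256 keystream."""
    kb = key.to_bytes(32, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(kb + i.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[i:i + 32], block))
    return bytes(out)


def alice_create(message: bytes, t: int, p: int = P, q: int = Q):
    """Build the puzzle quickly using the trapdoor phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    k = secrets.randbelow(n)              # K: random private key
    a = 2 + secrets.randbelow(n - 3)      # a: 1 < a < n (coprime to n w.h.p.)
    c_m = _keystream_xor(k, message)      # C_M = Encrypt(K, M)
    e = pow(2, t, phi)                    # e = 2^t mod phi(n)
    c_k = (k + pow(a, e, n)) % n          # C_K = K + a^(2^t) mod n, via Euler
    return c_m, c_k, n, a, t              # public puzzle; K, p, q stay private


def bob_solve(c_m: bytes, c_k: int, n: int, a: int, t: int) -> bytes:
    """Recover M with t sequential squarings; each needs the previous result."""
    b = a % n
    for _ in range(t):
        b = b * b % n                     # a^(2^i) -> a^(2^(i+1)) mod n
    k = (c_k - b) % n                     # K = C_K - a^(2^t) mod n
    return _keystream_xor(k, c_m)         # M = Decrypt(K, C_M)
```

Alice's cost is independent of t apart from computing 2^t mod ϕ(n), whereas Bob's loop grows linearly with t and cannot be split across cores because each squaring depends on the one before it.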
