Verifiable Delay Functions
Joe Netti
Overview of VDFs (Boneh, Bonneau, et al. 2019)
Goal: Prove the passage of time
VDF Properties:
1. Slow to calculate (delay), fast to verify (polynomial time).
2. Parallelization does not speed up calculation (sequential)
3. Unique mapping (function)
4. Compact verification proof
5. Proof is non-interactive
Use Case: Randomness beacon
[Figure: timeline labelled past, present and future along a time axis]
Precursor: Time lock puzzle (Rivest, Shamir, Wagner 1996)
Goal: “Send a message to the future”
Primitives:
1. Blum-Blum-Shub pseudorandom generator: $x_{i+1} = x_i^2 \pmod n$
2. RSA factoring: $n = pq$
3. Difficulty of calculating $\phi(n)$ with p, q unknown.
4. Euler’s theorem: $a^{\phi(n)} = 1 \pmod n$
Time lock puzzle
Variables
T: wait period in seconds
S: expected squares-per-sec of solver
t = TS: difficulty of puzzle (# of squares)
K: random private key
n = pq; p, q are prime
a: 1 < a < n
M: message to encrypt to the future
Protocol
Alice: private: (K, p, q, M)
1. $C_M = \mathrm{Encrypt}(K, M)$
2. $\phi(n) = (p-1)(q-1)$
3. $C_K = K + a^{2^t} \pmod n$ # “encryption” of K
4. $e = 2^t \pmod{\phi(n)}$ # e squares for Alice
Bob (solver): public: ($C_M$, $C_K$, n, a, t)
1. $K = C_K - a^{2^t} \pmod n$ # t squares for Bob
2. $M = \mathrm{Decrypt}(K, C_M)$
More prior work:
1. Non-Interactive Zero-Knowledge and Its Applications (Micali et al. 1988)
2. Pricing via processing or combatting junk mail (Dwork, Naor 1992)
3. A partial hash collision based postage scheme (hashcash) (Back 1997)
4. Bitcoin: a peer-to-peer electronic cash system (Nakamoto 2008)
5. Proofs of sequential work (POSW) (Mahmoody et al. 2013)
And many others
This slide again
Goal: Prove the passage of time
VDF Properties:
1. Slow to calculate (delay), fast to verify (polynomial time).
2. Parallelization does not speed up calculation (sequential)
3. Unique mapping (function)
4. Compact verification proof
5. Proof is non-interactive
Simple VDF (Pietrzak 2019)
1. Extends original time lock puzzle
2. Creates interactive protocol
3. Protocol is made non-interactive using Fiat-Shamir transform
Interactive protocol
Repeat until T = 1
This combines previous rounds to make compact proof
r is given by verifier at each round
x “grows” relative to y
The proof $\pi = \{\mu_1, \ldots, \mu_s\}$
Calculating $\mu_3$
Non-interactive using Fiat-Shamir
- Fiat-Shamir: replace every “choice” with a random oracle.
- Random oracle often from hash functions
- Beware of “grinding” attacks where input to hash can be chosen
Choosing random r
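Added example, not from the slides or from any reference implementation: the halving protocol made non-interactive with Fiat-Shamir, in Python. The round update ($\mu = x^{2^{T/2}}$, $x' = x^r\mu$, $y' = \mu^r y$) follows Pietrzak's paper [4]; the toy modulus, the SHA-256 challenge derivation and all function names are assumptions, and T must be a power of two. Hashing the whole round state (N, x, y, T, μ) leaves the prover no free hash input to grind on.

```python
import hashlib

# Toy modulus from two known Mersenne primes (constructed for this example).
# A real VDF needs a modulus whose factorization nobody knows.
N = (2**31 - 1) * (2**61 - 1)

def H(*vals):
    """Fiat-Shamir challenge r: hash of the full round state."""
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def evaluate(x, T):
    """Slow part: y = x^(2^T) mod N by T sequential squarings."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y

def prove(x, y, T):
    """Build pi = [mu_1, ..., mu_s], s = log2(T), for T a power of two."""
    x, y = x % N, y % N
    proof = []
    while T > 1:
        mu = evaluate(x, T // 2)       # midpoint; recomputed here for clarity
        r = H(N, x, y, T, mu)          # replaces the verifier's random r
        x = pow(x, r, N) * mu % N      # x' = x^r * mu
        y = pow(mu, r, N) * y % N      # y' = mu^r * y
        T //= 2
        proof.append(mu)
    return proof

def verify(x, y, T, proof):
    """Fast part: one hash and two small exponentiations per round."""
    if T < 1 or T & (T - 1):           # only powers of two are supported
        return False
    x, y = x % N, y % N
    for mu in proof:
        if T <= 1 or not 0 < mu < N:
            return False
        r = H(N, x, y, T, mu)
        x = pow(x, r, N) * mu % N
        y = pow(mu, r, N) * y % N
        T //= 2
    return T == 1 and y == x * x % N   # final claim: y = x^(2^1)
```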
References
[1] Boneh, D., Bonneau, J., Bünz, B., & Fisch, B. (2018, August). Verifiable delay functions. In Annual international cryptology conference (pp. 757-788). Springer, Cham. https://eprint.iacr.org/2018/601.pdf
[2] Bonneau. (2019, November). Exploring VDFs with Joseph Bonneau. Zero Knowledge Podcast. https://www.zeroknowledge.fm/103
[3] Mahmoody, M., Moran, T., & Vadhan, S. (2013, January). Publicly verifiable proofs of sequential work. In Proceedings of the 4th conference on Innovations in Theoretical Computer Science (pp. 373-388). https://eprint.iacr.org/2011/553.pdf
[4] Pietrzak, K. (2018). Simple verifiable delay functions. In 10th innovations in theoretical computer science conference (ITCS 2019). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. https://eprint.iacr.org/2018/627.pdf
[5] Rivest, R. L., Shamir, A., & Wagner, D. A. (1996). Time-lock puzzles and timed-release crypto. https://people.csail.mit.edu/rivest/pubs/RSW96.pdf