
Indistinguishable Proofs of Work or Knowledge

Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang. ASIACRYPT 2016, 8th December, Hanoi, Vietnam.


  1. Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam

  2. Motivation

  3. (ZK) Proofs of Knowledge - PoK. Statement: $x \in L$. Diagram: Prover (witness: $w$) ⋮ Verifier, output Accept/Reject. 1) Completeness: the verifier always accepts a valid proof 2) PoK: for any convincing verifier, we can extract $w$ 3) Prover privacy is preserved via some ZK variant

  4. Schnorr Identification – PoK of DLog. Parameters: $g, q$. Statement: $\exists\, sk : pk = g^{sk}$. Prover's witness: $sk$. The prover picks $t \in \mathbb{Z}_q$ and sends $a = g^{t}$; the verifier picks $c \in \mathbb{Z}_q$ and sends $c$; the prover sends $r = t + c \cdot sk$; the verifier checks if $g^{r} = a \cdot (pk)^{c}$.

  5. Schnorr Identification – PoK of DLog. Parameters: $g, q$. Statement: $\exists\, sk : pk = g^{sk}$. Prover's witness: $sk$. Schnorr identification is a Sigma protocol that achieves special soundness and honest-verifier ZK

  6. Some motivating thoughts … • PoK of DLog convinces us that the prover actually has the witness.

  7. Some motivating thoughts … • PoK of DLog convinces us that the prover actually has the witness. • But how did the prover manage to convince us? - Did it run efficiently because it had knowledge of the witness OR - Did it work for a (superpolynomial) amount of time to solve the given DLog problem?

  8. Reducing Spam: “If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92]

  9. Reducing Spam: “If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92] Diagram: Alice (“I am an approved contact”), email server (verifier), Bob (approved contacts: Alice, ...).

  10. Reducing Spam: “If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92] Diagram: Alice (“I am an approved contact”), Eve (“Not approved!”), email server (verifier), Bob (approved contacts: Alice, ...).

  11. Reducing Spam: “If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92] Mail server distinguishes between approved and non-approved contacts!! Diagram: Alice (“I am an approved contact”), Eve (“Not approved!”), email server (verifier), Bob (approved contacts: Alice, ...).

  12. Reducing Spam, where email approval is done in a privacy-preserving manner! Diagram: Alice (“I am an approved contact”), Eve (“Not approved!”), email server (verifier), Bob (approved contacts: Alice, ...).

  13. Reducing spam in a privacy-preserving way 1. For senders to have access, they must prove that they either ○ know some secret that implies their relation with the receiver OR ○ have spent a certain amount of work in terms of computational resources.

  14. Reducing spam in a privacy-preserving way 1. For senders to have access, they must prove that they either ○ know some secret that implies their relation with the receiver OR ○ have spent a certain amount of work in terms of computational resources. 2. The prover’s mode that provided access to the sender remains unknown to the mail server.

  15. Proofs of Work - PoW. Diagram: Prover and Verifier; messages: task/puzzle, solution; output: Accept/Reject.

  16. Proofs of Work - PoW. Diagram: Prover and Verifier; messages: task/puzzle, solution; output: Accept. The verifier ascertains that the prover performed a certain amount of work, given the difficulty of the puzzle parameters

  17. Proofs of Work or Knowledge (PoWorKs). Statement: $x \in L$. Diagram: Prover and Verifier. PoK: the prover either knows a witness to the statement, PoW: or performed work to solve a puzzle.

  18. Indistinguishable Proofs of Work or Knowledge (PoWorKs). Statement: $x \in L$. Diagram: Prover and Verifier. PoK: the prover either knows a witness to the statement, PoW: or performed work to solve a puzzle.

  19. Our contributions

  20. Our contributions • We define cryptographic puzzle systems.

  21. Our contributions • We define cryptographic puzzle systems. • We define PoWorKs w.r.t. some language in NP and a fixed puzzle system.

  22. Our contributions • We define cryptographic puzzle systems. • We define PoWorKs w.r.t. some language in NP and a fixed puzzle system. • We provide an efficient 3-move PoWorK construction.

  23. Our contributions • We define cryptographic puzzle systems. • We define PoWorKs w.r.t. some language in NP and a fixed puzzle system. • We provide an efficient 3-move PoWorK construction. • We provide two puzzle system instantiations (one in the RO model and one under complexity assumptions).

  24. Our contributions • We define cryptographic puzzle systems. • We define PoWorKs w.r.t. some language in NP and a fixed puzzle system. • We provide an efficient 3-move PoWorK construction. • We provide two puzzle system instantiations (one in the RO model and one under complexity assumptions). • We present applications of PoWorKs in 1. Privacy-preserving spam reduction. 2. Robustness in cryptocurrencies. 3. 3-round concurrently simulatable arguments of knowledge.

  25. Cryptographic puzzles

  26. Cryptographic Puzzles Basic properties: 1) Easy to generate and efficiently sampleable 2) Hard to solve 3) Easy to verify 4) Amortization resistant

  27. Cryptographic Puzzles Basic properties: 1) Easy to generate and efficiently sampleable 2) Hard to solve 3) Easy to verify 4) Amortization resistant 5) Dense (can be sampled by just generating random strings)

  28. Cryptographic Puzzles We do not restrict parallelizability of our puzzles!

  29. Dense Cryptographic Puzzles. Puzzle space $PS$, solution space $SS$, hardness space $HS$. PuzSys = {Sample, Solve, SampleSol, Verify}, with hardness parameter $h$: ● Sample($h$) $\to puz \in PS$ ● Solve($h, puz$) $\to soln \in SS$ ● SampleSol($h$) $\to (puz, soln)$ ● Verify($h, puz, soln$) $\to true/false$

  31. Cryptographic Puzzles Security PuzSys = {Sample, Solve, SampleSol, Verify} 1) Completeness/Correctness and Efficient Sampleability of Sample and SampleSol

  32. Cryptographic Puzzles Security. PuzSys = {Sample, Solve, SampleSol, Verify} 1) Completeness and Efficient Sampleability of Sample and SampleSol 2) $g$-Hardness:

  33. Cryptographic Puzzles Security. PuzSys = {Sample, Solve, SampleSol, Verify} 1) Completeness and Efficient Sampleability of Sample and SampleSol 2) $g$-Hardness: PuzSys is $g$-hard if, for every adversary in the game [$puz \leftarrow$ Sample($h$); the adversary gets $h, puz$ and returns $soln$]: Verify($h, puz, soln$) $\to true$ and $\mathrm{Time}_{\mathrm{Adversary}}(h, puz) < g(\mathrm{Time}_{\mathrm{Solve}}(h, puz))$ with negligible probability

  34. Cryptographic Puzzles Security. PuzSys = {Sample, Solve, SampleSol, Verify} 1) Completeness and Efficient Sampleability of Sample and SampleSol 2) $g$-Hardness 3) Statistical indistinguishability of Sample and SampleSol

  35. Cryptographic Puzzles Security. PuzSys = {Sample, Solve, SampleSol, Verify} 1) Completeness and Efficient Sampleability of Sample and SampleSol 2) $g$-Hardness 3) Statistical indistinguishability of Sample and SampleSol 4) $(t, k)$-amortization resistance: for every adversary in the game [$puz_1, \ldots, puz_k \leftarrow$ Sample($h$); the adversary gets $h, puz_1, \ldots, puz_k$ and returns $soln_1, \ldots, soln_k$]: for all $1 < i < k$, Verify($h, puz_i, soln_i$) $\to true$ and $\mathrm{Time}_{\mathrm{Adversary}}(h, puz) < t\left(\sum_{i=1}^{k} g(\mathrm{Time}_{\mathrm{Solve}}(h, puz_i))\right)$ with negligible probability

  36. PoWorKs

  37. PoWorK Definition. $(P, V)$ is an $f$-sound PoWorK for $L \in NP$ w.r.t. witness relation $R_L$ and PuzSys, if it achieves the following properties:

  38. PoWorK Definition. $(P, V)$ is an $f$-sound PoWorK for $L \in NP$ w.r.t. witness relation $R_L$ and PuzSys, if it achieves the following properties: 1) Completeness: for all $x \in L$, $w \in R_L(x)$, $z \in \{0,1\}^{*}$, $h \in HS$: $\Pr[\langle P(w) \leftrightarrow V \rangle (x, z, h);\ V \to \text{“accept”}] = 1 - \mathrm{negl}(\lambda)$ & $\Pr[\langle P^{\mathrm{Solve}(h)} \leftrightarrow V \rangle (x, z, h);\ V \to \text{“accept”}] = 1 - \mathrm{negl}(\lambda)$
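
The Schnorr identification of slides 4 and 5, together with the question raised on slide 7, as an added example that is not part of the original slides. The group parameters are constructed toy values, and the helper names (`extract`, `simulate`, `brute_force_dlog`) are illustrative assumptions.

```python
import secrets

# Constructed toy parameters, far too small for real use:
# p = 2q + 1 with p, q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)                  # pk = g^sk

def commit():
    t = secrets.randbelow(Q)
    return t, pow(G, t, P)                    # a = g^t

def respond(sk, t, c):
    return (t + c * sk) % Q                   # r = t + c*sk mod q

def verify(pk, a, c, r):
    return pow(G, r, P) == (a * pow(pk, c, P)) % P   # g^r == a * pk^c

def extract(c1, r1, c2, r2):
    """Special soundness: two accepting transcripts with the same a give sk."""
    return ((r1 - r2) * pow((c1 - c2) % Q, -1, Q)) % Q

def simulate(pk, c):
    """Honest-verifier ZK: an accepting transcript for challenge c, no witness."""
    r = secrets.randbelow(Q)
    a = (pow(G, r, P) * pow(pk, -c, P)) % P   # a = g^r * pk^(-c)
    return a, c, r

def brute_force_dlog(pk):
    """Slide 7's other prover: no witness, so it works to solve the DLog."""
    return next(x for x in range(Q) if pow(G, x, P) == pk)
```

A verifier sees the same accepting transcript whether the prover held `sk` or recovered it with `brute_force_dlog`; only the prover's running time differs.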
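
The four-algorithm interface PuzSys = {Sample, Solve, SampleSol, Verify} of slides 29 to 35, as an added example that is not part of the original slides and is not one of the two instantiations the talk mentions. It is a constructed toy built on small discrete logarithms; it makes no claim of density or amortization resistance, and the modulus and base are assumptions chosen for illustration.

```python
import secrets

# Constructed toy puzzle system, not an instantiation from the talk.
# Arithmetic is modulo the Mersenne prime p = 2^127 - 1 with fixed base g = 3.
P = 2**127 - 1
G = 3

def sample_sol(h):
    """SampleSol(h) -> (puz, soln): choose the solution first, one exponentiation."""
    soln = secrets.randbelow(2**h)
    return pow(G, soln, P), soln

def sample(h):
    """Sample(h) -> puz: same puzzle distribution as SampleSol, solution discarded."""
    return sample_sol(h)[0]

def solve(h, puz):
    """Solve(h, puz) -> soln by exhaustive search, up to 2^h multiplications."""
    acc = 1                                   # acc == g^s at the top of each pass
    for s in range(2**h):
        if acc == puz:
            return s
        acc = (acc * G) % P
    return None                               # not a valid puzzle at hardness h

def verify(h, puz, soln):
    """Verify(h, puz, soln) -> true/false: range check plus one exponentiation."""
    return isinstance(soln, int) and 0 <= soln < 2**h and pow(G, soln, P) == puz

def demo(h=12):
    """One puzzle solved by work, one whose solution was known from sampling."""
    puz = sample(h)
    worked = solve(h, puz)
    puz2, known = sample_sol(h)
    return verify(h, puz, worked), verify(h, puz2, known)
```

Because `sample` simply drops the solution from `sample_sol`, the puzzles from both algorithms are identically distributed here, which is the property in item 3 of slide 34.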
