Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam
Motivation
(ZK) Proofs of Knowledge - PoK Statement: ๐ฆ โ ๐ โฎ Prover Verifier Witness: ๐ Accept/Reject Accept/Reject 1) Completeness: the verifier always accepts a valid proof 2) PoK: for any convincing verifier, we can extract ๐ 3) Prover privacy is preserved via some ZK variant
Schnorr Identification โ PoK of DLog Parameters: ๐, ๐ Statement: โ๐ก๐: ๐๐ = ๐ ๐ก๐ Prover Verifier Witness: ๐ก๐ ๐ pick ๐ข โ ๐ ๐ pick ๐ โ ๐๐ ๐ ๐ = ๐๐ข ๐ ๐ = ๐ข + ๐ โ ๐ก๐ Check if ๐ ๐ = ๐ โ (๐๐) ๐
Schnorr identification is a Sigma protocol that achieves special soundness and honest-verifier ZK
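The three properties named on this slide can be checked directly in code. The following is an added example, not taken from the talk or the paper; the variable names (sk, pk, t, a, c, r) and the toy group parameters are assumptions chosen for illustration.

```python
import secrets

# Toy Schnorr group (constructed for this example, far too small for real use):
# P = 2*Q + 1 with P, Q prime; G generates the subgroup of order Q in Z_P^*.
P, Q, G = 2039, 1019, 4

def keygen():
    """Witness sk and statement pk = G^sk mod P."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def commit():
    """Prover's first move: random t and commitment a = G^t."""
    t = secrets.randbelow(Q)
    return t, pow(G, t, P)

def respond(sk, t, c):
    """Prover's third move for verifier challenge c: r = t + c*sk mod Q."""
    return (t + c * sk) % Q

def verify(pk, a, c, r):
    """Verifier's check: G^r == a * pk^c (mod P)."""
    return pow(G, r, P) == (a * pow(pk, c, P)) % P

def extract(c1, r1, c2, r2):
    """Special soundness: two accepting transcripts that share the same
    commitment but have distinct challenges reveal the witness."""
    return ((r1 - r2) * pow((c1 - c2) % Q, -1, Q)) % Q

def simulate(pk, c):
    """Honest-verifier ZK: for a challenge known in advance, choose r first
    and solve for a, giving an accepting transcript without sk."""
    r = secrets.randbelow(Q)
    a = (pow(G, r, P) * pow(pk, -c, P)) % P
    return a, c, r

if __name__ == "__main__":
    sk, pk = keygen()
    t, a = commit()
    r1, r2 = respond(sk, t, 5), respond(sk, t, 9)
    print("honest proofs accept:", verify(pk, a, 5, r1), verify(pk, a, 9, r2))
    print("extracted witness matches:", extract(5, r1, 9, r2) == sk)
    print("simulated transcript accepts:", verify(pk, *simulate(pk, 7)))
```

The simulator is the reason an accepting transcript alone does not show which route the prover took, which is the question the following slides raise.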
Some motivating thoughts …
• PoK of DLog convinces us that the prover actually has the witness.
• But how did the prover manage to convince us?
  ▪ Did it run efficiently because it had knowledge of the witness, OR
  ▪ Did it work for a (superpolynomial) amount of time to solve the given DLog problem?
Reducing Spam "If I don't know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message" [DN92]
[Diagram labels: email server; Verifier; Alice: "I am an approved contact"; Eve: "Not approved!"; Bob; Approved contacts: Alice, ...]
Mail server distinguishes between approved and non-approved contacts!!
Reducing Spam Where Email approval is done in a privacy-preserving manner! [Diagram labels: email server; Verifier; Alice: "I am an approved contact"; Eve: "Not approved!"; Bob; Approved contacts: Alice, ...]
Reducing spam in a privacy-preserving way
1. For senders to have access, they must prove that they either
   – know some secret that implies their relation with the receiver, OR
   – have spent a certain amount of work in terms of computational resources.
2. The prover's mode that provided access to the sender remains unknown to the mail server.
Proofs of Work - PoW [Diagram labels: Prover, Verifier, Task/Puzzle, solution, Accept/Reject]
The verifier ascertains that the prover performed a certain amount of work, given the difficulty of the puzzle parameters.
Proofs of Work or Knowledge (PoWorKs) Statement: ๐ฆ โ ๐ Prover either knows a witness to the statement (PoK) or performed work to solve a puzzle (PoW). [Diagram labels: Prover (PoK), Prover (PoW), Verifier]
Indistinguishable Proofs of Work or Knowledge (PoWorKs) Statement: ๐ฆ โ ๐ Prover either knows a witness to the statement (PoK) or performed work to solve a puzzle (PoW). [Diagram labels: Prover (PoK), Prover (PoW), Verifier]
Our contributions
Our contributions
• We define cryptographic puzzle systems.
• We define PoWorKs w.r.t. some language in NP and a fixed puzzle system.
• We provide an efficient 3-move PoWorK construction.
• We provide two puzzle system instantiations (one in the RO model and one under complexity assumptions).
• We present applications of PoWorKs in
  1. Privacy-preserving spam reduction.
  2. Robustness in cryptocurrencies.
  3. 3-round concurrently simulatable arguments of knowledge.
Cryptographic puzzles
Cryptographic Puzzles Basic properties:
1) Easy to generate and efficiently sampleable
2) Hard to solve
3) Easy to verify
4) Amortization resistant
5) Dense (can be sampled by just generating random strings)
Cryptographic Puzzles We do not restrict parallelizability of our puzzles!
Dense Cryptographic Puzzles Puzzle Space ๐ธ๐ป , Solution Space ๐ป๐ป , Hardness space ๐ฐ๐ป PuzSys = {Sample, Solve , SampleSol, Verify} hardness parameter โ Sample (๐) โ> ๐๐๐ โ ๐ธ๐ป โ Solve (๐, ๐๐๐) โ> ๐๐๐๐ โ ๐ป๐ธ โ SampleSol (๐) โ> (๐๐๐, ๐๐๐๐) โ Verify (๐, ๐๐๐, ๐๐๐๐) โ> ๐ข๐ ๐ฃ๐/๐๐๐๐ก๐
Cryptographic Puzzles Security PuzSys = {Sample, Solve, SampleSol, Verify} 1) Completeness/Correctness and Efficient Sampleability of Sample and SampleSol
Cryptographic Puzzles Security PuzSys = {Sample, Solve , SampleSol, Verify} 1) Completeness and Efficient Sampleability of Sample and SampleSol 2) ๐ -Hardness: PuzSys is ๐ -hard , if for every adversary: ๐, ๐๐๐ ๐๐๐ < โ Sample (๐) ๐๐๐๐ Verify (๐, ๐๐๐, ๐๐๐๐) โ> ๐ข๐ ๐ฃ๐ ๐ผ๐๐๐ ๐ฉ๐๐๐๐๐๐๐๐ (๐, ๐๐๐) < ๐ (๐ผ๐๐๐ ๐๐ฉ๐ฆ๐ฐ๐ (๐, ๐๐๐)) With negligible probability
Cryptographic Puzzles Security PuzSys = {Sample, Solve , SampleSol, Verify} 1) Completeness and Efficient sampleability of Sample and SampleSol 2) ๐ -Hardness 3) Statistical indistinguishability of Sample and SampleSol 4) (๐, ๐) โ amortization resistance ๐, ๐๐๐ ๐ , โฆ , ๐๐๐๐ ๐๐๐ ๐ , โฆ , ๐๐๐๐ < โ Sample (๐) ๐๐๐๐ ๐ , โฆ , ๐๐๐๐๐ for all 1 < ๐ < ๐ Verify (๐, ๐๐๐๐, ๐๐๐๐๐) โ> ๐ข๐ ๐ฃ๐ ๐ ๐ผ๐๐๐ ๐ฉ๐๐๐๐๐๐๐๐ (๐, ๐๐๐) < ๐(เท ๐ (๐ผ๐๐๐๐ป๐ ๐๐๐ (๐, ๐๐๐๐)) ๐=๐ With negligible probability
PoWorKs
PoWorK Definition (๐, ๐) is an f -sound PoWorK for ๐ โ ๐ถ๐ธ w.r.t. witness relation ๐ ๐ and PuzSys , if it achieves the following properties: โ , ๐ โ ๐ผ๐ 1) Completeness: for all ๐ โ ๐, ๐ โ ๐๐ ๐ฆ , ๐ โ 0,1 Pr[< ๐(๐) โ ๐ > (๐, ๐, ๐); ๐ โ โ accept โ] = 1 โ negl(๐) & Pr[< ๐ Solve ( h ) โ ๐ > ๐, ๐, ๐ ; ๐ โ โ accept โ] = 1 โ negl(๐)