simple proofs of sequential work · 2018. 5. 15. · other valid proofs can be generated (not a...

Simple Proofs of Sequential WorkBram Cohen Krzysztof Pietrzak

Eurocrypt 2018, Tel Aviv, May 1st 2018

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

σi τi

βi

σi+1 τi+1

βi+1

αi αi+1

Proofs of Sequential Work

puzzle: (N = p · q, x, T ) , solution: x2T

mod Nsolution computed with two exponentiation given p, q:

e← 2T mod φ(N) , x2T

= xe mod N

conjectured to require T sequential squarings given only N

x→ x2 → x22 → . . . x2

T

mod N

puzzle: (N = p · q, x, T ) , solution: x2T

mod N

sequential computation ∼computation time ⇒

“send message to the future”

solution computed with two exponentiation given p, q:

e← 2T mod φ(N) , x2T

= xe mod N

conjectured to require T sequential squarings given only N

x→ x2 → x22 → . . . x2

T

mod N

PoSW vs. Time-Lock Puzzles

• Prove that time has passed⇒ Non-interactive time-stamps

• Send message to the futureFunctionality

PoSW vs. Time-Lock Puzzles

• Prove that time has passed⇒ Non-interactive time-stamps

• Send message to the future

• Random oracle model or“sequential” hash-function

• Non-standard algebraicassumption

Functionality

Assumption

PoSW vs. Time-Lock Puzzles

• Prove that time has passed⇒ Non-interactive time-stamps

• Send message to the future

• Random oracle model or“sequential” hash-function

• Non-standard algebraicassumption

Functionality

Assumption

Public vs. Private• Public-coin ⇒

Publicly verfiable• Private-coin ⇒

Designated verifier

Proofs of Sequential Workaka. Verifiable Delay Algorithm

Prover Pχ←

Verifier Vstatement χ

Time T ∈ N

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Prover Pχ←

Verifier Vstatement χ

Time T ∈ N

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Completeness and Soundness in the random oracle model:

HProver Pχ←

Verifier Vstatement χ

Time T ∈ N

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Completeness and Soundness in the random oracle model:

HProver Pχ←

Verifier Vstatement χ

Time T ∈ N

Completeness: τ(c, T ) can be computed making T queries to H

Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to H

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Completeness and Soundness in the random oracle model:

HProver Pχ←

Verifier Vstatement χ

Time T ∈ N

Completeness: τ(c, T ) can be computed making T queries to H

Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to Hmassive parallelism useless to generate valid proof faster ⇒prover must make almost T sequential queries ∼ T time

Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)

space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated

combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many

other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).

Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)

space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated

combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many

other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).

1) Prover needs only O(log(T )) (not O(T )) space, e.g. forT = 242 (≈ a day) that’s ≈ 10KB vs. ≈ 1PB.

2) Simple construction and proof with good concreteparameters.

3) Awesome open problem!

New Construction

Construction and Proof Sketch

Three Basic Concepts

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

Three Basic Concepts

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

is (2, 3) depth-robust

Three Basic Concepts

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

label `i = H(`parents(i)), e.g. `4 = H(`3, `4)

Graph Labelling

Three Basic Concepts

x y

H H

x′y′

queries y = H(x), y′ = H(x′) wherey ⊆ x′ ⇒ query x′ was made after x

Random Oracles are Sequential

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

label `i = H(`parents(i)), e.g. `4 = H(`3, `4)

Graph Labelling

Three Basic Concepts

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

1 2 3 4 5 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

• Compute labels of G using Hχ

`1 `2 `3 `4 `5 `6

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

• Compute labels of G using Hχ

`1 `2 `3 `4 `5 `6

• Send commitment φ to labels to Vφ

φ

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

• Compute labels of G using Hχ

`1 `2 `3 `4 `5 `6

• Send commitment φ to labels to Vφ

φ

• V challenged to open random subset of nodes and parents(interaction can be removed using Fiat-Shamir)

c ⊂ Vopen {`i}i∈c∪i∈parents(i)

check openings andif labels consistentwith parent labels

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

φ

`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))

Proof Sketch

φ

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

φ

`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))

Proof Sketch

φ

• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

φ

`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))

Proof Sketch

φ

• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.• Case 2: Less than e bad labels ⇒ ∃ path of good nodes

(by (e, d) depth-robustness) ⇒ P̃ made d sequentialqueries (by sequantality of RO)

The New ConstructionT = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

T = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

right siblingT = 15

left sibling

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

T = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

`1 `2

`3

`14

`15

• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.

T = 15

• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

`1 `2

`3

`14

`15

• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.

T = 15

• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)

PKC’00

The New Construction

Proof Sketch

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).

• Claim 1: ∃ path going through V − S.

• Claim 2: P̃ can’t open |S|/T fraction of leafs.

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).

• Claim 1: ∃ path going through V − S.

• Claim 2: P̃ can’t open |S|/T fraction of leafs.

Theorem: P̃ made only T (1− ε) sequential queries⇒ will pass opening phase with prob. ≤ (1− ε)#of challenges

φ T = 15

why we care

Sustainable Blockchains

σi τi

βi

σi+1 τi+1

βi+1

αi αi+1

Mining Bitcoin (Proofs of Work)

Mining Bitcoin (Proofs of Work)

Ecological: Massive energy & hardwarewaste.

Economical: Requires high rewards ⇒inflation and/or high transaction fees.

Security: E.g. buy old ASICs for 51%attack.

Ecological: Massive energy & hardwarewaste.

Economical: Requires high rewards ⇒inflation and/or high transaction fees.

Security: E.g. buy old ASICs for 51%attack.

Can we have a more “sustainable”

Blockchain?

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Workcomputation as resource

prob. of solving PoW first ∼ fraction of hashing power

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work

Chia: Proofs of Space and Time

computation as resourceprob. of solving PoW first ∼ fraction of hashing power

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work

Chia: Proofs of Space and Timespace as resource

prob. of finding PoSpace of best quality ∼ fraction ofdedicated space

computation as resourceprob. of solving PoW first ∼ fraction of hashing power

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work

Chia: Proofs of Space and Timespace as resource

prob. of finding PoSpace of best quality ∼ fraction ofdedicated space

dynamicsRun PoSW on top of PoSpace for T ∼ quality of PoSpace to

“finalize” block

computation as resourceprob. of solving PoW first ∼ fraction of hashing power

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2

σi : proof of space on challenge hash(τi−1)

τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2

αi αi+1 αi+2

σi : proof of space on challenge hash(τi−1)

τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2

αi αi+1 αi+2

σi : proof of space on challenge hash(τi−1)

τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

NOTHING TOGRIND HERE!