simple proofs of sequential work · 2018. 5. 15. · other valid proofs can be generated (not a...
TRANSCRIPT
Simple Proofs of Sequential WorkBram Cohen Krzysztof Pietrzak
Eurocrypt 2018, Tel Aviv, May 1st 2018
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
Outline• What• How• Why
Proofs of Sequential Work
Sustainable Blockchains
Sketch of Construction & Proof
σi τi
βi
σi+1 τi+1
βi+1
αi αi+1
Proofs of Sequential Work
puzzle: (N = p · q, x, T ) , solution: x2T
mod Nsolution computed with two exponentiation given p, q:
e← 2T mod φ(N) , x2T
= xe mod N
conjectured to require T sequential squarings given only N
x→ x2 → x22 → . . . x2
T
mod N
puzzle: (N = p · q, x, T ) , solution: x2T
mod N
sequential computation ∼computation time ⇒
“send message to the future”
solution computed with two exponentiation given p, q:
e← 2T mod φ(N) , x2T
= xe mod N
conjectured to require T sequential squarings given only N
x→ x2 → x22 → . . . x2
T
mod N
PoSW vs. Time-Lock Puzzles
• Prove that time has passed⇒ Non-interactive time-stamps
• Send message to the futureFunctionality
PoSW vs. Time-Lock Puzzles
• Prove that time has passed⇒ Non-interactive time-stamps
• Send message to the future
• Random oracle model or“sequential” hash-function
• Non-standard algebraicassumption
Functionality
Assumption
PoSW vs. Time-Lock Puzzles
• Prove that time has passed⇒ Non-interactive time-stamps
• Send message to the future
• Random oracle model or“sequential” hash-function
• Non-standard algebraicassumption
Functionality
Assumption
Public vs. Private• Public-coin ⇒
Publicly verfiable• Private-coin ⇒
Designated verifier
Proofs of Sequential Workaka. Verifiable Delay Algorithm
Prover Pχ←
Verifier Vstatement χ
Time T ∈ N
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Prover Pχ←
Verifier Vstatement χ
Time T ∈ N
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Completeness and Soundness in the random oracle model:
HProver Pχ←
Verifier Vstatement χ
Time T ∈ N
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Completeness and Soundness in the random oracle model:
HProver Pχ←
Verifier Vstatement χ
Time T ∈ N
Completeness: τ(c, T ) can be computed making T queries to H
Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to H
Proofs of Sequential Workaka. Verifiable Delay Algorithm
τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject
Completeness and Soundness in the random oracle model:
HProver Pχ←
Verifier Vstatement χ
Time T ∈ N
Completeness: τ(c, T ) can be computed making T queries to H
Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to Hmassive parallelism useless to generate valid proof faster ⇒prover must make almost T sequential queries ∼ T time
Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)
space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated
combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many
other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).
Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)
space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated
combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many
other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).
1) Prover needs only O(log(T )) (not O(T )) space, e.g. forT = 242 (≈ a day) that’s ≈ 10KB vs. ≈ 1PB.
2) Simple construction and proof with good concreteparameters.
3) Awesome open problem!
New Construction
Construction and Proof Sketch
Three Basic Concepts
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
Three Basic Concepts
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
is (2, 3) depth-robust
Three Basic Concepts
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
label `i = H(`parents(i)), e.g. `4 = H(`3, `4)
Graph Labelling
Three Basic Concepts
x y
H H
x′y′
queries y = H(x), y′ = H(x′) wherey ⊆ x′ ⇒ query x′ was made after x
Random Oracles are Sequential
DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.
1 2 3 4 5 6
Depth-Robust Graphs (only [MMV’13])
label `i = H(`parents(i)), e.g. `4 = H(`3, `4)
Graph Labelling
Three Basic Concepts
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
1 2 3 4 5 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
• Compute labels of G using Hχ
`1 `2 `3 `4 `5 `6
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
• Compute labels of G using Hχ
`1 `2 `3 `4 `5 `6
• Send commitment φ to labels to Vφ
φ
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
• Protocol specifies depth-robustDAG G on T nodes
• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)
• Compute labels of G using Hχ
`1 `2 `3 `4 `5 `6
• Send commitment φ to labels to Vφ
φ
• V challenged to open random subset of nodes and parents(interaction can be removed using Fiat-Shamir)
c ⊂ Vopen {`i}i∈c∪i∈parents(i)
check openings andif labels consistentwith parent labels
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
φ
`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))
Proof Sketch
φ
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
φ
`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))
Proof Sketch
φ
• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.
The MMV’13 ConstructionHProver P
χ←Verifier V
statement χ
Time T = 6
φ
`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))
Proof Sketch
φ
• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.• Case 2: Less than e bad labels ⇒ ∃ path of good nodes
(by (e, d) depth-robustness) ⇒ P̃ made d sequentialqueries (by sequantality of RO)
The New ConstructionT = 15
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
T = 15
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
right siblingT = 15
left sibling
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
T = 15
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
`1 `2
`3
`14
`15
• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.
T = 15
• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)
The New Construction
For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root
`1 `2
`3
`14
`15
• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.
T = 15
• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)
PKC’00
The New Construction
Proof Sketch
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).
• Claim 1: ∃ path going through V − S.
• Claim 2: P̃ can’t open |S|/T fraction of leafs.
φ T = 15
The New Construction
Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).
• Claim 1: ∃ path going through V − S.
• Claim 2: P̃ can’t open |S|/T fraction of leafs.
Theorem: P̃ made only T (1− ε) sequential queries⇒ will pass opening phase with prob. ≤ (1− ε)#of challenges
φ T = 15
why we care
Sustainable Blockchains
σi τi
βi
σi+1 τi+1
βi+1
αi αi+1
Mining Bitcoin (Proofs of Work)
Mining Bitcoin (Proofs of Work)
Ecological: Massive energy & hardwarewaste.
Economical: Requires high rewards ⇒inflation and/or high transaction fees.
Security: E.g. buy old ASICs for 51%attack.
Ecological: Massive energy & hardwarewaste.
Economical: Requires high rewards ⇒inflation and/or high transaction fees.
Security: E.g. buy old ASICs for 51%attack.
Can we have a more “sustainable”
Blockchain?
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Workcomputation as resource
prob. of solving PoW first ∼ fraction of hashing power
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Work
Chia: Proofs of Space and Time
computation as resourceprob. of solving PoW first ∼ fraction of hashing power
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Work
Chia: Proofs of Space and Timespace as resource
prob. of finding PoSpace of best quality ∼ fraction ofdedicated space
computation as resourceprob. of solving PoW first ∼ fraction of hashing power
dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes
Bitcoin: Proofs of Work
Chia: Proofs of Space and Timespace as resource
prob. of finding PoSpace of best quality ∼ fraction ofdedicated space
dynamicsRun PoSW on top of PoSpace for T ∼ quality of PoSpace to
“finalize” block
computation as resourceprob. of solving PoW first ∼ fraction of hashing power
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
βi βi+1 βi+2 βi+3 βi+4
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
σi τi σi+1 τi+1 σi+2 τi+2
σi : proof of space on challenge hash(τi−1)
τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)
βi βi+1 βi+2 βi+3 βi+4
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
σi τi σi+1 τi+1 σi+2 τi+2
αi αi+1 αi+2
σi : proof of space on challenge hash(τi−1)
τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)
βi βi+1 βi+2 βi+3 βi+4
βi = (. . . , φi, αi)
φi : proof of work on challenge hash(βi−1) transactions
σi τi σi+1 τi+1 σi+2 τi+2
αi αi+1 αi+2
σi : proof of space on challenge hash(τi−1)
τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)
βi βi+1 βi+2 βi+3 βi+4
NOTHING TOGRIND HERE!