Proof Systems for Sustainable Blockchains: How to Prove you Waste - - PowerPoint PPT Presentation
Proof Systems for Sustainable Blockchains: How to Prove you Waste Space and Time Krzysztof Pietrzak 1st International Summer School on Security & Privacy for Blockchains and Distributed Ledger Technologies. September 5th 2019. Proof Systems
Krzysztof Pietrzak
1st International Summer School on Security & Privacy for Blockchains and Distributed Ledger Technologies. September 5th 2019.
Krzysztof Pietrzak
1st International Summer School on Security & Privacy for Blockchains and Distributed Ledger Technologies. September 5th 2019.
Outline
Outline
Outline
Outline
Proof Systems
interacting with honest P.
interacting with any malicious ˜ P.
Proof Systems
interacting with honest P.
interacting with any malicious ˜ P.
binary relation R ∶ X × W → {0,1}. P(x,w) should make V(x) accept iff R(x,w) = 1.
zero-knowledge, succinct,. . .
Proof Systems
interacting with honest P.
interacting with any malicious ˜ P.
Proof Systems
interacting with honest P.
interacting with any malicious ˜ P.
Proofs of Work
Proof system where prover P must waste T units of computation to make verifier V accept.
Proofs of Work
Proof system where prover P must waste T units of computation to make verifier V accept.
random x ν 0.H(ν,x)
?
≤ 1/D
Proofs of Work
Proof system where prover P must waste T units of computation to make verifier V accept.
random x ν 0.H(ν,x)
?
≤ 1/D If H is modelled as a random function, then making an expected D queries is necessary (security) and sufficient (soundness).
Proofs of Work in Bitcoin
Proofs of Work in Bitcoin
hash of last block
Proofs of Work in Bitcoin
0.H(0,...) > 1/D
hash of last block
Proofs of Work in Bitcoin
0.H(0,...) > 1/D 0.H(1,...) > 1/D
hash of last block
Proofs of Work in Bitcoin
0.H(0,...) > 1/D 0.H(1,...) > 1/D
hash of last block
Proofs of Work in Bitcoin
0.H(0,...) > 1/D 0.H(1,...) > 1/D H(ν,...) ≤ 1/D
hash of last block
Proofs of Work in Bitcoin
0.H(0,...) > 1/D 0.H(1,...) > 1/D H(ν,...) ≤ 1/D
majority of hashing power honest ⇒ secure blockchain lucky miner publishes new block gets block-reward hash of last block
Bitcoin Mining
Miners incentivized by “block reward” and “transaciton fees”. Nakamoto’s Vision (arguably): People will use space CPU cycles for mining.
Bitcoin Mining
Mining went from CPUs to GPUs to FPGAs to ASICS, improving on hardware cost
by around an order of magnitude in each step. Miners incentivized by “block reward” and “transaciton fees”. Nakamoto’s Vision (arguably): People will use space CPU cycles for mining.
Bitcoin Sustainability
Bitcoin Sustainability
Bitcoin Sustainability
https://digiconomist.net/bitcoin-energy-consumption
Bitcoin Sustainability
Bitcoin Sustainability
Using Stake instead of Work as Resource?
PoW based blockchain (Bitcoin): Probability a miner can add a block proportional to its hashing power. Proof of Stake: Probability proportional to the fraction of coins the miner owns.
Using Stake instead of Work as Resource?
PoW based blockchain (Bitcoin): Probability a miner can add a block proportional to its hashing power. Proof of Stake: Probability proportional to the fraction of coins the miner owns. Nxt, Algorand, Snow White, Ouroboros,. . .
Using Stake instead of Work as Resource?
PoW based blockchain (Bitcoin): Probability a miner can add a block proportional to its hashing power. Proof of Stake: Probability proportional to the fraction of coins the miner owns. Very difficulty to get (Bitcoin like) blockchain for various
prevented unless we assume checkpoints:
return) everything.
at T. This is possible as you have majority of stake at time T!
Using (disk)Space instead of Work as Resource?
https://chia.net/
Blockchain by Proofs of Space and VDFs (Chia Network)
Blockchain by Proofs of Space and VDFs (Chia Network)
Blockchain by Proofs of Space and VDFs (Chia Network)
hash of last block
Blockchain by Proofs of Space and VDFs (Chia Network)
each miner gets proof of random quality (indicated by length of arrow) hash of last block
Blockchain by Proofs of Space and VDFs (Chia Network)
each miner gets proof of random quality (indicated by length of arrow) to complete block run VDF for time=quality hash of last block
Blockchain by Proofs of Space and VDFs (Chia Network)
each miner gets proof of random quality (indicated by length of arrow) to complete block run VDF for time=quality hash of last block
Blockchain by Proofs of Space and VDFs (Chia Network)
each miner gets proof of random quality (indicated by length of arrow) to complete block run VDF for time=quality hash of last block Why enforce delay?
Proofs of Space
Proof system where prover P must waste N units of disk-space to make verifier V accept.
Proofs of Space
Proof system where prover P must waste N units of disk-space to make verifier V accept.
positions. F F[i] = PRFk(i) for i = 1...N F
Proofs of Space
Proof system where prover P must waste N units of disk-space to make verifier V accept.
positions. F F[i] = PRFk(i) for i = 1...N random i y F[i] ? = PRFk(i) F
Proofs of Space
Proof system where prover P must waste N units of disk-space to make verifier V accept.
positions. F F[i] = PRFk(i) for i = 1...N random i y F[i] ? = PRFk(i) F V has huge (communication)complexity ∣F∣ = N. For blockchain applications V must be efficient.
Proofs of Space
Proofs of Space
initialization F initialization phase Efficient for V P runs in time ˜ O(N) and at the end stores file ∣F∣ = N
Proofs of Space
F proof execution (or audit) Efficient for V and P challenge response accept/reject
Proofs of Space
F proof execution (or audit) Efficient for V and P challenge response accept/reject security Malicious ˜ P who stores ˜ F of size ∣˜ F∣ ≪ ∣F∣ = N must run in time Ω(N) to pass audit.
Constructions from “Hard to Pebble Graphs”a
aStefan Dziembowski, Sebastian Faust, Vladimir Kolmogorov, Krzysztof Pietrzak: Proofs of
Constructions from “Hard to Pebble Graphs”a
aStefan Dziembowski, Sebastian Faust, Vladimir Kolmogorov, Krzysztof Pietrzak: Proofs of
Inverting Random Functionsa
S = T = N k/(1+k) (proof size exponential in k)
Memory Trade-Offs with Applications to Proofs of Space. ASIACRYPT 2017
Constructions from “Hard to Pebble Graphs”a
aStefan Dziembowski, Sebastian Faust, Vladimir Kolmogorov, Krzysztof Pietrzak: Proofs of
Inverting Random Functionsa
S = T = N k/(1+k) (proof size exponential in k)
Memory Trade-Offs with Applications to Proofs of Space. ASIACRYPT 2017
Two Basic Concepts
DAG G = (V,E) is (e,d) depth-robust if after removing any e nodes a path of length d exists.
1 2 3 4 5 6 Depth-Robust Graphs
Two Basic Concepts
DAG G = (V,E) is (e,d) depth-robust if after removing any e nodes a path of length d exists.
1 2 3 4 5 6 Depth-Robust Graphs
is (2,3) depth-robust
Two Basic Concepts
DAG G = (V,E) is (e,d) depth-robust if after removing any e nodes a path of length d exists.
1 2 3 4 5 6 Depth-Robust Graphs
is (2,3) depth-robust
∃ (Θ(N),Θ(N)) depth-robust graphs on N nodes with O(log(N)) max-indegree [EGS75].
Two Basic Concepts
DAG G = (V,E) is (e,d) depth-robust if after removing any e nodes a path of length d exists.
1 2 3 4 5 6 Depth-Robust Graphs label ℓi = H(ℓparents(i)), e.g. ℓ4 = H(ℓ3,ℓ4) Graph Labelling
Pebbling Based Proofs of Space [FDPK’15]
Pebbling Based Proofs of Space [FDPK’15]
1 2 3 4 5 6 depth-robust DAG (on Θ(N) nodes)
Pebbling Based Proofs of Space [FDPK’15]
φ H ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6 initialization P computes labelling of DR graph. Stores labels Sends Merkle-tree commitment to labels to V. φ F φ initialization P computes labelling of DR graph. Stores labels Sends Merkle-tree commitment to labels to V.
Pebbling Based Proofs of Space [FDPK’15]
ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6 φ F φ
Pebbling Based Proofs of Space [FDPK’15]
ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6 φ F φ proof execution V hallenges P to open a few random labels. i
verify opening
Pebbling Based Proofs of Space [FDPK’15]
ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6 φ F φ proof execution V hallenges P to open a few random labels. i
verify opening e.g.i = 4
Pebbling Based Proofs of Space [FDPK’15]
ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6 φ F φ security [FDPK’15] ˜ P only stores N(1 − ǫ) labels ⇒ ˜ P needs to make Ω(N) H queries to make V accept intuition: ∃ long path on lables that are not stored
Pebbling Based Proofs of Space [FDPK’15]
ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6 φ F φ security [FDPK’15] ˜ P only stores N(1 − ǫ) labels ⇒ ˜ P needs to make Ω(N) H queries to make V accept intuition: ∃ long path on lables that are not stored security [Pie’19] security against general adversaries: ˜ P stores any file of size ≤ N(1 − ǫ) ⇒
Proofs of “useful” Space
In a proof of space the dedicated space must be “wasted”. In Proofs of catalytic space and Proofs of replication it can be used to store useful data.
Proofs of “useful” Space
In a proof of space the dedicated space must be “wasted”. In Proofs of catalytic space and Proofs of replication it can be used to store useful data.
Time-Capsules
Time-Capsules
RSW96 Time-Lock Puzzle π = (N = p ⋅ q,x ∈ Z∗
N,T ∈ Z)
Definition Instantiation
RSW96 Time-Lock Puzzle π = (N = p ⋅ q,x ∈ Z∗
N,T ∈ Z)
solution σ = x2T mod N can be computed with two exponentiation given p,q: e ← 2T mod φ(N) , x2T = xe mod N
and the solution σ. Definition Instantiation
RSW96 Time-Lock Puzzle π = (N = p ⋅ q,x ∈ Z∗
N,T ∈ Z)
solution σ = x2T mod N can be computed with two exponentiation given p,q: e ← 2T mod φ(N) , x2T = xe mod N
and the solution σ. requires T sequential squarings given only N x → x2 → x22 → ...x2T mod N (completeness) given π the solution σ can be computed in T sequential computational “steps” (security) but not less, even given parallelism. Definition Instantiation
Sending Messages to the Future
Sending Messages to the Future
Compute puzzle/solution (π,σ) and ciphertext c = Enc(σ,m) Enc m c TLP.sample(T) → (π,σ)
Sending Messages to the Future
Compute puzzle/solution (π,σ) and ciphertext c = Enc(σ,m) Enc m c Publish π,c
TLP.sample(T) → (π,σ)
Sending Messages to the Future
Compute puzzle/solution (π,σ) and ciphertext c = Enc(σ,m) Enc m c Publish π,c
Anyone can decrypt after solving the puzzle TLP.sample(T) → (π,σ) σ Dec c m T sequential steps TLP.solve(π)
Sending Messages to the Future
Compute puzzle/solution (π,σ) and ciphertext c = Enc(σ,m) Enc m c Publish π,c
Anyone can decrypt after solving the puzzle TLP.sample(T) → (π,σ) σ Dec c m T sequential steps TLP.solve(π)
Proofs of Sequential Work / Verifiable Delay Function
Proofs of Sequential Work / Verifiable Delay Function
Proof of Sequential Work Proof system where prover P convinces verifier V it performed a sequential computation of T steps.
Proofs of Sequential Work / Verifiable Delay Function
Proof of Sequential Work Proof system where prover P convinces verifier V it performed a sequential computation of T steps. PoSW from a time-lock puzzle π
(π,σ) ← TLP.sample(T)
Proofs of Sequential Work / Verifiable Delay Function
Proof of Sequential Work Proof system where prover P convinces verifier V it performed a sequential computation of T steps. PoSW from a time-lock puzzle π σ ← TLP.solve(π) σ′ (= σ)
(π,σ) ← TLP.sample(T) σ′ ? = σ
Proofs of Sequential Work / Verifiable Delay Function
N,x Sample random p,q N ∶= p ⋅ q random x ∈ Z∗
N
instantiated with the RSW96 puzzle
Proofs of Sequential Work / Verifiable Delay Function
N,x Sample random p,q N ∶= p ⋅ q random x ∈ Z∗
N
σ ? = x2T mod N instantiated with the RSW96 puzzle σ computes σ = x2T mod N in T sequential steps
Proofs of Sequential Work / Verifiable Delay Function
N,x Sample random p,q N ∶= p ⋅ q random x ∈ Z∗
N
σ ? = x2T mod N instantiated with the RSW96 puzzle SECRET COIN : p,q required for verification, but must be secret otherwise puzzle does not need T sequential work. σ computes σ = x2T mod N in T sequential steps
Proofs of Sequential Work / Verifiable Delay Function
N,x Sample random p,q N ∶= p ⋅ q random x ∈ Z∗
N
σ ? = x2T mod N instantiated with the RSW96 puzzle SECRET COIN : p,q required for verification, but must be secret otherwise puzzle does not need T sequential work. This Work : A publicly verifiable version (i.e., a “verifiable delay function”) of the RSW96 time lock puzzle. N φ verify(x,σ,φ) ∈ {0,1} σ computes σ = x2T mod N in T sequential steps and proof φ certifying σ = x2T
Proofs of Sequential Work / Verifiable Delay Function
N,x Sample random p,q N ∶= p ⋅ q random x ∈ Z∗
N
σ ? = x2T mod N instantiated with the RSW96 puzzle SECRET COIN : p,q required for verification, but must be secret otherwise puzzle does not need T sequential work. This Work : A publicly verifiable version (i.e., a “verifiable delay function”) of the RSW96 time lock puzzle. N φ verify(x,σ,φ) ∈ {0,1} σ computes σ = x2T mod N in T sequential steps and proof φ certifying σ = x2T NOBODY knows factorization
N)
Proofs of Sequential Work / Verifiable Delay Function
N,x Sample random p,q N ∶= p ⋅ q random x ∈ Z∗
N
σ ? = x2T mod N instantiated with the RSW96 puzzle SECRET COIN : p,q required for verification, but must be secret otherwise puzzle does not need T sequential work. This Work : A publicly verifiable version (i.e., a “verifiable delay function”) of the RSW96 time lock puzzle. N φ verify(x,σ,φ) ∈ {0,1} σ computes σ = x2T mod N in T sequential steps and proof φ certifying σ = x2T NOBODY knows factorization
N)
computing φ must be cheap compared to computing σ
History of Time Release Crypto
History of Time Release Crypto
[Crypto’11]
History of Time Release Crypto
from Random Oracles.
but also T space.
randomness beacons), but not for “non-interactive time-stamps”. [Crypto’11]
[ITCS’13]
History of Time Release Crypto
[Eurocrypt’17]
[Crypto’11]
History of Time Release Crypto
(x,T) compute (y,π) where y = f(x) needs T sequential steps and π proof for y = f(x).
[Crypto’18]
History of Time Release Crypto
(x,T) compute (y,π) where y = f(x) needs T sequential steps and π proof for y = f(x).
based on the RSW time-lock puzzle [Crypto’18]
[ITCS’19]
History of Time Release Crypto
(x,T) compute (y,π) where y = f(x) needs T sequential steps and π proof for y = f(x).
based on the RSW time-lock puzzle [Crypto’18]
[ITCS’19]
Proving σ = x2T in Groups of Unknown Order
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T claim y = x2T mod N
Proving σ = x2T in Groups of Unknown Order
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T µ (= x2T /2) µ (= x2T /2) claim y = x2T mod N
Proving σ = x2T in Groups of Unknown Order
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T µ (= x2T /2) µ (= x2T /2) µ = x2T /2 y = µ2T /2 ∧ y = x2T 2 claims for T/2 for 1 claim for T claim y = x2T mod N
Proving σ = x2T in Groups of Unknown Order
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T µ (= x2T /2) µ (= x2T /2) µ = x2T /2 y = µ2T /2 ∧ y = x2T 2 claims for T/2 for 1 claim for T claim y = x2T mod N µr ⋅ y = (xr ⋅ µ)2T /2
Proving σ = x2T in Groups of Unknown Order
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T µ (= x2T /2) µ (= x2T /2) µ = x2T /2 y = µ2T /2 ∧ y = x2T µr ⋅ y ≠ (xr ⋅ µ)2T /2 for almost all r claim y = x2T mod N µr ⋅ y = (xr ⋅ µ)2T /2 µ ≠ x2T /2 y ≠ µ2T /2 ∨
Proving σ = x2T in Groups of Unknown Order
new claim y′ = x′2T /2 mod N where x′ ∶= µr ⋅ y y′ ∶= (xr ⋅ µ)2T /2
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T µ (= x2T /2) µ (= x2T /2) random r claim y = x2T mod N
Proving σ = x2T in Groups of Unknown Order
new claim y′ = x′2T /2 mod N where x′ ∶= µr ⋅ y y′ ∶= (xr ⋅ µ)2T /2
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T µ (= x2T /2) µ (= x2T /2) random r claim y = x2T mod N
√ T time and space to compute proof.
Proving σ = x2T in Groups of Unknown Order
new claim y′ = x′2T /2 mod N where x′ ∶= µr ⋅ y y′ ∶= (xr ⋅ µ)2T /2
(x,y,T,N) x x2 x22 x23 ... ... x2T −1 x2T µ (= x2T /2) µ (= x2T /2) random r claim y = x2T mod N Concurrent work by Wesolowskia has proof of size 1 element (not log T), but requires computational assumption: for any α ≠ 1, given random B it’s hard to compute Bth root α1/B.
ahttps://eprint.iacr.org/2018/623.pdf
https://chia.net/
Bitcoin mining: Init: sample signature key-pair (pk,sk)
transactions τi.
βi βi+1 βi+2 βi+3 βi+4 β′
i+3
β′
i+2
Bticoin block βi = (˜ βi,φ), ˜ βi = (i,H(βi−1),pk,τi) contains
βi) ≤ treshhold
Unique Digital Signatures ∀m ∶ Pr[Sig.verify(pk,m,φ) = accept] = 1 where (pk,sk) ← Sig.keygen ; φ ← Sig.sign(sk,m) Unique : (Sig.verify(pk,m,φ) = Sig.verify(pk,m,φ′) = accept) ⇒ (φ = φ′) ∀pk,N ∶ PoSpace.verify(c,PoSpace.prove(S,pk,c)) = accept S ← PoSpace.init(pk,N) Proofs of Space Weakly Unique : Ec [{σ ∶ PoSpace.verify(pk,c,σ) = accept}] = 1 Signed : σ = (σ′,Sig.sign(sk,σ′))
Verifiable Delay Functions ∀t,c ∶ VDF.verify(c,t,VDF.prove(c,t)) = accept VDF.prove(c,t) should take almost sequential time t to compute
A Blockchain from Proofs of Space and VDFs
Initialization:(pk,sk) ← Sig.KeyGen,Σ ← PoSpace.Init(pk,N) Mining: When new longest chain with head βi observed: compute φ ← PoSpace(Σ,c) for challenge c ∶= H(i,βi,τi,pk) gossip φ and define “quality” of φ as q(φ) ∶= H(φ).
Space Farmers
A Blockchain from Proofs of Space and VDFs
Initialization:(pk,sk) ← Sig.KeyGen,Σ ← PoSpace.Init(pk,N) Mining: When new longest chain with head βi observed: compute φ ← PoSpace(Σ,c) for challenge c ∶= H(i,βi,τi,pk) gossip φ and define “quality” of φ as q(φ) ∶= H(φ).
Space Farmers Time Lords
If PoSpace φ received, start computing τ ← VDF(challenge = φ,time = q(φ) ⋅ hardness parameter) ONLY IF (given local view) this will be the first VDF to finalize a block at this level. Gossip τ once finished.
Farming: When new longest chain with head βi observed: compute φ ← PoSpace(Σ,c) for challenge c ∶= H(i,βi,τi,pk)
Farming: When new longest chain with head βi observed: compute φ ← PoSpace(Σ,c) for challenge c ∶= H(i,βi,τi,pk) Extending Multiple Chains: As (unlike PoW) computing a PoSpace is cheap, the miner can try to extend all blocks it learns about.
Farming: When new longest chain with head βi observed: compute φ ← PoSpace(Σ,c) for challenge c ∶= H(i,βi,τi,pk) Extending Multiple Chains: As (unlike PoW) computing a PoSpace is cheap, the miner can try to extend all blocks it learns about. provably not such a big problem (wait two slides)
Farming: When new longest chain with head βi observed: compute φ ← PoSpace(Σ,c) for challenge c ∶= H(i,βi,τi,pk) Extending Multiple Chains: As (unlike PoW) computing a PoSpace is cheap, the miner can try to extend all blocks it learns about. Grinding: try out many τi’s to get different c’s until one found which gives me a super high quality PoSpace for next round ⇒ can hijack chain forever! provably not such a big problem (wait two slides)
Farming: When new longest chain with head βi observed: compute φ ← PoSpace(Σ,c) for challenge c ∶= H(i,βi,τi,pk) Extending Multiple Chains: As (unlike PoW) computing a PoSpace is cheap, the miner can try to extend all blocks it learns about. Grinding: try out many τi’s to get different c’s until one found which gives me a super high quality PoSpace for next round ⇒ can hijack chain forever! separate proofs from everything “graindable”, Chia block format (next slide) kills the problem! provably not such a big problem (wait two slides)
The Chia Block Format & (Non-)Grinding
σi τi βi σi+1 τi+1 βi+1 σi+2 τi+2 βi+2 αi αi+1 αi+2 σ′
i+1
τ ′
i+1
β′
i+1
α′
i+1
σ′
i+2
A full block γi = (βi,αi) contains βi = (i,(pki,σi),τi) and αi = (φi,datai)
The Chia Block Format & (Non-)Grinding
σi τi βi σi+1 τi+1 βi+1 σi+2 τi+2 βi+2 αi αi+1 αi+2 σ′
i+1
τ ′
i+1
β′
i+1
α′
i+1
σ′
i+2
A full block γi = (βi,αi) contains βi = (i,(pki,σi),τi) and αi = (φi,datai)
All proofs in the trunk, nothing to grind here! Transactions and other grindable stuff in the foliage
in [0,1].
in [0,1].
κ,h is length of shortest path we find when always
following the κ best edges from root to a leave. .1 .2 .8 .4 .6 .8 .1 .5 .8 .1 .3 .4 C2
1,3 = .5
C2
∞,3 = .3
in [0,1].
κ,h is length of shortest path we find when always
following the κ best edges from root to a leave. .1 .2 .8 .4 .6 .8 .1 .5 .8 .1 .3 .4 C2
1,3 = .5
C2
∞,3 = .3
κ,h is expected time h honest miners
need to grow chain of length ℓ.
∞,m is expected time adversary
controlling m space needs to grow chain of length ℓ.
Algorithm 1 sample Cℓ
κ,h
1: Input: κ,ℓ,h 2: s[1,...,κ] = 0
▷ initially we have κ paths of length 0
3: for i = 1 to ℓ do
▷ sample ℓ steps
4:
for j = 1 to κ do ▷ extend each of the κ states...
5:
for k = 1 to h do ▷ by h values...
6:
p[j,k] = s[j] + rand([0,1]) ▷ chosen uniform from [0,1]
7:
end for
8:
end for
9:
z = sort(p[1,1],...,p[κ,h]) ▷ sort the κ ⋅ h values
10:
s = z[1,...,κ] ▷ new state are the κ shortest paths
11: end for 12: Return min(s)
κ,h
κ = 3 κ = 2 κ = 1 ℓ = 30,h = 29
κ,h
κ,h
κ,h is expected time h honest miners need to grow chain
space and parallelism (but which cannot break the underlying signature scheme) cannot slow down the rate at which this chain grows.
E[Cℓ
1,h] =
ℓ h + 1
E[Cℓ
∞,h] ≥
ℓ h + 1 ⋅ 1 e
κ,h
κ,h is expected time h honest miners need to grow chain
space and parallelism (but which cannot break the underlying signature scheme) cannot slow down the rate at which this chain grows.
E[Cℓ
1,h] =
ℓ h + 1
E[Cℓ
∞,h] ≥
ℓ h + 1 ⋅ 1 e (Weak) Chain Quality Lemma: If m < h/e (m space controlled by adversary, h honest space) then the fraction of honestly mined blocks is > 0.
E[Cℓ
∞,h] ≥
ℓ h + 1 ⋅ 1 e
.1 .2 .8 .4 .6 .8 .1 .5 .8 .1 .3 .4 C2
1,3 = .5
C2
∞,3 = .3
E[Cℓ
∞,h] ≥
ℓ h + 1 ⋅ 1 e
consider hℓ independent paths, prove that this tilts the bound in right direction.
shorter than x is ≪
1 hℓ .
.1 .2 .8 .4 .6 .8 .1 .5 .8 .1 .3 .4 C2
1,3 = .5
C2
∞,3 = .3
h = 2 h = 2 h = 4 h = 9 h = 99,999 Cℓ
κ,h for ℓ = 1000(h + 1)
1000/e ≈ 367.88...
κ
20 30 40 50 60 70 80 90 100
κ ∶ 1 2 3 4 5 6 7 8 9 Cℓ
1,h/Cℓ κ,h ∶
1 1.45 1.69 1.83 1.93 1.99 2.05 2.09 2.12 eκ ≈
e Cℓ
1,h/Cℓ κ,h ∶
2.71 1.86 1.60 1.47 1.40 1.36 1.32 1.29 1.27
Algorithm 2 SpaceMiner.init
1: Global Parameters: N 2: C ← Chain.init
▷ extract view from network
3: (pk,sk) ← Sig.keygen
▷ generate a signature key pair
4:
S ← PoSpace.init(N,pk). ▷ run PoSpace initialisation with space N and identity pk to get a file S of size ∣S∣ = N.
5: Initalize a vector pos count to all 0
▷ see Remark ??
6: Output: 7: (pk,sk),S,pos count
▷ State for SpaceMiner.mine
8: C
▷ State for Chain.update Algorithm 3 SpaceMiner.loop
1: loop 2:
Wait for block(s) Γ to be received from the network
3:
(Γf,Γn) ← Chain.update(Γ)
4:
∀γ ∈ Γf ∶ SpaceMiner.mine(γ) ▷ Algorithm 4
5: end loop
Algorithm 4 SpaceMiner.mine
1: Global Parameters: κ 2: Input: γi = (βi = (i,σi,τi),αi).
▷ finalized, fresh & valid block for slot i
3: State: (pk,sk), S, pos count 4: if pos count(i) = κ then
▷ already generated κ PoS for slot i
5:
return without output
6: end if 7: pos count(i) ← pos count(i) + 1 8: σi+1 ← PoSpace.prove(S,pk,H(τi))
▷ produce PoSpace
9: Generate datai+1
▷ application specific
10: φi+1 ← Sig.sign(sk,(αi,σi+1,datai+1)▷ signature for signature chain 11: Chain.update((i + 1,σi+1),αi+1 = (φi+1,datai+1))
▷ Cf. §??
Algorithm 5 TimeMiner.init
1: C ← Chain.init
▷ extract view from network
2: Initalize a vectors finalized and running to all 0 3: Output: 4: finalized,running
▷ State for TimeMiner.mine/finalized/runPoSW
5: C
▷ State for Chain.update Algorithm 6 TimeMiner.loop
1: loop 2:
Wait for block(s) Γ to be received from the network
3:
(Γf,Γn) ← Chain.update(Γ)
4:
∀((i,σ),α) ∈ Γn ∶ TimeMiner.mine(i,σ) ▷ Algorithm 7
5:
∀((i,σ,τ),α) ∈ Γf ∶ TimeMiner.finalized(i) ▷ Algorithm 9
6: end loop
Algorithm 7 TimeMiner.mine
1: Global Parameters: T, κ 2: Input: βi = (i,σi)
▷ non-finalized, fresh & valid block for slot i received
3: State: finalized, running 4: if finalize[i] = κ then
▷ already finalized κ blocks for this slot
5:
return with no output
6: end if 7: t ∶= 0.H(σi) ⋅ T
▷ time required to finalize this block
8: if finalize[i] + running[i] < κ then
▷ < κ proofs finalized or running
9:
start thread TimeMiner.runPoSW(i,H(σi),t) ▷ to finish at time now + t
10:
running[i] = running[i] + 1
11: end if 12: if finalize[i] + running[i] = κ then
▷ exactly κ proofs finalized or running
13:
if the slowest PoSW for slot i will finish at time > t + now then
14:
abort the thread of this PoSW
15:
start thread TimeMiner.runPoSW(i,H(σi),t)
16:
end if
17: end if
Algorithm 8 TimeMiner.runPoSW
1: State: finalized, running 2: Input: i,(c,t) 3: τi ← PoSW(c,t) ▷ start PoSW, if not aborted will output proof τi in
time t
4: finalized[i] = finalized[i] + 1 5: running[i] = running[i] − 1 6: Chain.update(τi)
Algorithm 9 TimeMiner.finalized
1: State: finalized, running 2: Input: i
▷ fresh, valid & finalized block for slot i was received
3: if running[i] > 0 and running[i]+finalized[i] = κ then 4:
abort the thread TimeMiner.runPoSW for slot i scheduled to finish last
5:
running[i] = running[i] − 1
6: end if 7: finalized[i] = min{finalized[i] + 1,κ}
initialization and (at least asymptotically) optimal bounds?
Can we say something about rational (not just honest) miners?
initialization and (at least asymptotically) optimal bounds?
Can we say something about rational (not just honest) miners?
initialization and (at least asymptotically) optimal bounds?
Can we say something about rational (not just honest) miners?
initialization and (at least asymptotically) optimal bounds?
Can we say something about rational (not just honest) miners?