Simple Proofs of Sequential Work Bram Cohen Krzysztof Pietrzak - - PowerPoint PPT Presentation

Simple Proofs of Sequential Work

Bram Cohen Krzysztof Pietrzak

Eurocrypt 2018, Tel Aviv, May 1st 2018

Outline

• What
• How
• Why

Proofs of Sequential Work Sustainable Blockchains Sketch of Construction & Proof

Outline

• What
• How
• Why

Proofs of Sequential Work Sustainable Blockchains Sketch of Construction & Proof

Outline

• What
• How
• Why

Proofs of Sequential Work Sustainable Blockchains Sketch of Construction & Proof

Outline

• What
• How
• Why

Proofs of Sequential Work Sustainable Blockchains Sketch of Construction & Proof

σi τi βi σi+1 τi+1 βi+1 αi αi+1

Proofs of Sequential Work

puzzle: (N = p · q, x, T) , solution: x2T mod N solution computed with two exponentiation given p, q: e ← 2T mod φ(N) , x2T = xe mod N conjectured to require T sequential squarings given only N x → x2 → x22 → . . . x2T mod N

puzzle: (N = p · q, x, T) , solution: x2T mod N sequential computation ∼ computation time ⇒ “send message to the future” solution computed with two exponentiation given p, q: e ← 2T mod φ(N) , x2T = xe mod N conjectured to require T sequential squarings given only N x → x2 → x22 → . . . x2T mod N

PoSW vs. Time-Lock Puzzles

• Prove that time has passed

⇒ Non-interactive time-stamps

• Send message to the future

Functionality

PoSW vs. Time-Lock Puzzles

• Prove that time has passed

⇒ Non-interactive time-stamps

• Send message to the future
• Random oracle model or

“sequential” hash-function

• Non-standard algebraic

assumption Functionality Assumption

PoSW vs. Time-Lock Puzzles

• Prove that time has passed

⇒ Non-interactive time-stamps

• Send message to the future
• Random oracle model or

“sequential” hash-function

• Non-standard algebraic

assumption Functionality Assumption Public vs. Private

• Public-coin ⇒

Publicly verfiable

• Private-coin ⇒

Designated verifier

Proofs of Sequential Work

• aka. Verifiable Delay Algorithm

Prover P χ ← Verifier V statement χ Time T ∈ N

Proofs of Sequential Work

• aka. Verifiable Delay Algorithm

τ = τ(χ, T) verify(χ, T, τ) ∈ accept/reject Prover P χ ← Verifier V statement χ Time T ∈ N

Proofs of Sequential Work

• aka. Verifiable Delay Algorithm

τ = τ(χ, T) verify(χ, T, τ) ∈ accept/reject Completeness and Soundness in the random oracle model:

H

Prover P χ ← Verifier V statement χ Time T ∈ N

Proofs of Sequential Work

• aka. Verifiable Delay Algorithm

τ = τ(χ, T) verify(χ, T, τ) ∈ accept/reject Completeness and Soundness in the random oracle model:

H

Prover P χ ← Verifier V statement χ Time T ∈ N Completeness: τ(c, T) can be computed making T queries to H Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept for random χ requires almost T sequential queries to H

Proofs of Sequential Work

• aka. Verifiable Delay Algorithm

τ = τ(χ, T) verify(χ, T, τ) ∈ accept/reject Completeness and Soundness in the random oracle model:

H

Prover P χ ← Verifier V statement χ Time T ∈ N Completeness: τ(c, T) can be computed making T queries to H Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept for random χ requires almost T sequential queries to H massive parallelism useless to generate valid proof faster ⇒ prover must make almost T sequential queries ∼ T time

Three Problems of the [MMV’13] PoSW

1) Space Complexity : Prover needs massive (linear in T) space to compute proof. 2) Poor/Unclear Parameters due to usage of sophisticated combinatorial objects. 3) Uniqueness : Once an accepting proof is computed, many

• ther valid proofs can be generated (not a problem for

time-stamping, but for blockchains).

Three Problems of the [MMV’13] PoSW

1) Space Complexity : Prover needs massive (linear in T) space to compute proof. 2) Poor/Unclear Parameters due to usage of sophisticated combinatorial objects. 3) Uniqueness : Once an accepting proof is computed, many

• ther valid proofs can be generated (not a problem for

time-stamping, but for blockchains). 1) Prover needs only O(log(T)) (not O(T)) space, e.g. for T = 242 (≈ a day) that’s ≈ 10KB vs. ≈ 1PB. 2) Simple construction and proof with good concrete parameters. 3) Awesome open problem!

New Construction

Construction and Proof Sketch

Three Basic Concepts

DAG G = (V, E) is (e, d) depth-robust if after removing any e nodes a path of length d exists.

1 2 3 4 5 6 Depth-Robust Graphs (only [MMV’13])

Three Basic Concepts

DAG G = (V, E) is (e, d) depth-robust if after removing any e nodes a path of length d exists.

1 2 3 4 5 6 Depth-Robust Graphs (only [MMV’13])

is (2, 3) depth-robust

Three Basic Concepts

DAG G = (V, E) is (e, d) depth-robust if after removing any e nodes a path of length d exists.

1 2 3 4 5 6 Depth-Robust Graphs (only [MMV’13]) label ℓi = H(ℓparents(i)), e.g. ℓ4 = H(ℓ3, ℓ4) Graph Labelling

Three Basic Concepts

x y H H x′ y′ queries y = H(x), y′ = H(x′) where y ⊆ x′ ⇒ query x′ was made after x Random Oracles are Sequential

DAG G = (V, E) is (e, d) depth-robust if after removing any e nodes a path of length d exists.

1 2 3 4 5 6 Depth-Robust Graphs (only [MMV’13]) label ℓi = H(ℓparents(i)), e.g. ℓ4 = H(ℓ3, ℓ4) Graph Labelling

Three Basic Concepts

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6 1 2 3 4 5 6

• Protocol specifies depth-robust

DAG G on T nodes

• Define “fresh” random oracle

Hχ(·) ≡ H(χ·)

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6

• Protocol specifies depth-robust

DAG G on T nodes

• Define “fresh” random oracle

Hχ(·) ≡ H(χ·)

• Compute labels of G using Hχ

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6

• Protocol specifies depth-robust

DAG G on T nodes

• Define “fresh” random oracle

Hχ(·) ≡ H(χ·)

• Compute labels of G using Hχ

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6

• Send commitment φ to labels to V

φ

φ

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6

• Protocol specifies depth-robust

DAG G on T nodes

• Define “fresh” random oracle

Hχ(·) ≡ H(χ·)

• Compute labels of G using Hχ

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 ℓ6

• Send commitment φ to labels to V

φ

φ

• V challenged to open random subset of nodes and parents

(interaction can be removed using Fiat-Shamir)

c ⊂ V

• pen {ℓi}i∈c∪i∈parents(i)

check openings and if labels consistent with parent labels

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6

φ ℓ′

1

ℓ′

2

ℓ′

3

ℓ′

4

ℓ′

5

ℓ′

6

• G is (e, d) depth-robust
• φ commits ˜

P to labels {ℓ′

i}i∈V

• i is bad if ℓ′

i = H(ℓ′ parents(i))

Proof Sketch

φ

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6

φ ℓ′

1

ℓ′

2

ℓ′

3

ℓ′

4

ℓ′

5

ℓ′

6

• G is (e, d) depth-robust
• φ commits ˜

P to labels {ℓ′

i}i∈V

• i is bad if ℓ′

i = H(ℓ′ parents(i))

Proof Sketch

φ

• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.

The MMV’13 Construction

H

Prover P χ ← Verifier V statement χ Time T = 6

φ ℓ′

1

ℓ′

2

ℓ′

3

ℓ′

4

ℓ′

5

ℓ′

6

• G is (e, d) depth-robust
• φ commits ˜

P to labels {ℓ′

i}i∈V

• i is bad if ℓ′

i = H(ℓ′ parents(i))

Proof Sketch

φ

• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.
• Case 2: Less than e bad labels ⇒ ∃ path of good nodes

(by (e, d) depth-robustness) ⇒ ˜ P made d sequential queries (by sequantality of RO)

The New Construction

T = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling of node on path i → root

T = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling of node on path i → root

right sibling T = 15 left sibling

The New Construction

For every leaf i add all edges (j, i) where j is left sibling of node on path i → root

T = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling of node on path i → root

ℓ1 ℓ2 ℓ3 ℓ14 ℓ15

• P computes labelling ℓi = H(ℓparents(i)) and sends root

label φ = ℓT to V. Can be done storing only log(T) labels.

T = 15

• V challenges P to open a subset of leaves and checks

consistency (blue and green edges!)

The New Construction

For every leaf i add all edges (j, i) where j is left sibling of node on path i → root

ℓ1 ℓ2 ℓ3 ℓ14 ℓ15

• P computes labelling ℓi = H(ℓparents(i)) and sends root

label φ = ℓT to V. Can be done storing only log(T) labels.

T = 15

• V challenges P to open a subset of leaves and checks

consistency (blue and green edges!) PKC’00

The New Construction

Proof Sketch

φ

T = 15

The New Construction

Proof Sketch

• ˜

P committed to labels ℓ′

i after sending φ = ℓ15.

• i is bad if ℓ′

i = H(ℓ′ parents(i)).

φ

T = 15

The New Construction

Proof Sketch

• ˜

P committed to labels ℓ′

i after sending φ = ℓ15.

• i is bad if ℓ′

i = H(ℓ′ parents(i)).

• Let S ⊂ V denote the bad nodes and all nodes below.

φ

T = 15

The New Construction

Proof Sketch

• ˜

P committed to labels ℓ′

i after sending φ = ℓ15.

• i is bad if ℓ′

i = H(ℓ′ parents(i)).

• Let S ⊂ V denote the bad nodes and all nodes below.
• Claim 1: ∃ path going through V − S (of length T − |S|).

φ

T = 15

The New Construction

Proof Sketch

• ˜

P committed to labels ℓ′

i after sending φ = ℓ15.

• i is bad if ℓ′

i = H(ℓ′ parents(i)).

• Let S ⊂ V denote the bad nodes and all nodes below.
• Claim 1: ∃ path going through V − S (of length T − |S|).
• Claim 2: ˜

P can’t open |S|/T fraction of leafs.

φ

T = 15

The New Construction

Proof Sketch

• ˜

P committed to labels ℓ′

i after sending φ = ℓ15.

• i is bad if ℓ′

i = H(ℓ′ parents(i)).

• Let S ⊂ V denote the bad nodes and all nodes below.
• Claim 1: ∃ path going through V − S (of length T − |S|).
• Claim 2: ˜

P can’t open |S|/T fraction of leafs. Theorem: ˜ P made only T(1 − ǫ) sequential queries ⇒ will pass opening phase with prob. ≤ (1 − ǫ)#of challenges

φ

T = 15

why we care

Sustainable Blockchains

σi τi βi σi+1 τi+1 βi+1 αi αi+1

Mining Bitcoin (Proofs of Work)

Mining Bitcoin (Proofs of Work) Ecological: Massive energy & hardware waste. Economical: Requires high rewards ⇒ inflation and/or high transaction fees. Security: E.g. buy old ASICs for 51% attack. Ecological: Massive energy & hardware waste. Economical: Requires high rewards ⇒ inflation and/or high transaction fees. Security: E.g. buy old ASICs for 51% attack.

Can we have a more “sustainable” Blockchain?

dynamics proof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work

computation as resource

• prob. of solving PoW first ∼ fraction of hashing power

dynamics proof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work Chia: Proofs of Space and Time

computation as resource

• prob. of solving PoW first ∼ fraction of hashing power

dynamics proof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work Chia: Proofs of Space and Time

space as resource

• prob. of finding PoSpace of best quality ∼ fraction of

dedicated space computation as resource

• prob. of solving PoW first ∼ fraction of hashing power

dynamics proof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work Chia: Proofs of Space and Time

space as resource

• prob. of finding PoSpace of best quality ∼ fraction of

dedicated space dynamics Run PoSW on top of PoSpace for T ∼ quality of PoSpace to “finalize” block computation as resource

• prob. of solving PoW first ∼ fraction of hashing power

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2

σi : proof of space on challenge hash(τi−1) τi : proof of sequential work on challenge hash(σi−1) and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2 αi αi+1 αi+2

σi : proof of space on challenge hash(τi−1) τi : proof of sequential work on challenge hash(σi−1) and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2 αi αi+1 αi+2

σi : proof of space on challenge hash(τi−1) τi : proof of sequential work on challenge hash(σi−1) and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

NOTHING TO GRIND HERE!