Verifiable Delay Functions. Dan Boneh, Joe Bonneau, Benedikt Bünz, Ben Fisch. Crypto 2018. (Slide text of the PowerPoint presentation.)


SLIDE 1

Verifiable Delay Functions

Dan Boneh, Joe Bonneau, Benedikt Bünz, Ben Fisch
Crypto 2018

SLIDE 2

What is a VDF?

(Diagram; only the label “Verifier” survives extraction.)

SLIDE 3

What is a VDF?

  • Setup(λ, T) ⟶ public parameters pp
      • pp specify domain X and range Y
  • Eval(pp, x) ⟶ output y, proof π
      • PRAM runtime T with polylog(T) processors
  • Verify(pp, x, y, π) ⟶ { yes, no }
      • Time complexity at most polylog(T)

SLIDE 4

Security Properties (Informal)

  • Setup(λ, T) ⟶ public parameters pp
  • Eval(pp, x) ⟶ output y, proof π (requires T steps)
  • Verify(pp, x, y, π) ⟶ { yes, no }

SLIDE 5

Related Crypto Primitives

  • Time-lock puzzles [RSW’96, BN’00, BGJPVW’16]
      • Trapdoor (secret key) setup per puzzle
      • Not “publicly verifiable”
  • Proof-of-sequential-work [MMV’13, CP’18]
      • Publicly verifiable
      • Not a function (output isn’t unique)

SLIDE 6

VDF minus any property is “easy”

SLIDE 7

Modular square roots [DN’92, LW’15]

SLIDE 8

Modular square roots [DN’92, LW’15]

(Diagram labels.) Eval: log(p) squarings. Verify: 1 squaring. Proof size = log(p).

SLIDE 9

Modular square roots

  • A “proto-VDF”
  • Eval time: log(p) · M(p)
  • Verify time: M(p)
  • Problem: Verify time not polylogarithmic in Eval time

M(p) = time complexity of multiplication mod p
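As an added worked example (not code from the slides or from the authors), the proto-VDF of slides 7 to 9 in Python: with a prime p ≡ 3 (mod 4), chosen here as the Mersenne prime 2^127 - 1 (a constructed parameter), Eval computes a square root of a quadratic residue by one exponentiation of about log2(p) modular squarings, and Verify checks it with a single squaring. The square-and-multiply loop counts its squarings so the log(p)·M(p) versus M(p) gap of slide 9 is visible. Restricting the domain to quadratic residues and returning the even root of the pair (y, p - y) is what makes the output unique; that convention is an assumption of this toy, not something stated on the slides.

```python
# Added example (not from the slides or the authors): a toy version of the
# modular-square-root "proto-VDF" of slides 7-9. Assumes a prime p with
# p % 4 == 3 and restricts the domain to quadratic residues mod p.
# Eval does about log2(p) modular squarings; Verify does one.

P = 2**127 - 1  # Mersenne prime M127; P % 4 == 3 (constructed parameter for the demo)


def pow_counting_squarings(base: int, exp: int, p: int) -> tuple[int, int]:
    """Left-to-right square-and-multiply; returns (base^exp mod p, number of squarings)."""
    result, squarings = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % p
        squarings += 1
        if bit == "1":
            result = result * base % p
    return result, squarings


def is_quadratic_residue(x: int, p: int) -> bool:
    """Euler's criterion: x is a nonzero square mod p iff x^((p-1)/2) == 1 (mod p)."""
    return x % p != 0 and pow(x, (p - 1) // 2, p) == 1


def sqrt_vdf_eval(x: int, p: int) -> tuple[int, int]:
    """Eval: the canonical (even) square root of x. Returns (y, squarings performed).

    For p % 4 == 3, x^((p+1)/4) is a square root of any residue x, and exactly one
    of the two roots y and p-y is even; picking the even one makes Eval a function.
    """
    if p % 4 != 3:
        raise ValueError("this construction needs p % 4 == 3")
    if not is_quadratic_residue(x, p):
        raise ValueError("input must be a quadratic residue mod p")
    y, squarings = pow_counting_squarings(x, (p + 1) // 4, p)
    if y % 2 == 1:
        y = p - y  # switch to the other root, which is even because p is odd
    return y, squarings


def sqrt_vdf_verify(x: int, y: int, p: int) -> bool:
    """Verify: one modular squaring plus range and parity checks (time M(p))."""
    return 0 < y < p and y % 2 == 0 and y * y % p == x % p


def demo() -> dict:
    """Runs Eval and Verify on a constructed input and reports the work asymmetry."""
    x = 4
    y, squarings = sqrt_vdf_eval(x, P)
    return {
        "y": y,
        "eval_squarings": squarings,   # about log2(p)
        "verify_squarings": 1,
        "valid": sqrt_vdf_verify(x, y, P),
        "other_root_rejected": not sqrt_vdf_verify(x, P - y, P),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never recomputes the exponentiation, which is why its cost is M(p) rather than log(p)·M(p); the problem slide 9 points out is that log(p) is still only a constant factor away from the Eval cost, not exponentially smaller.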

SLIDE 10

Security Properties (Informal)

  • Setup(λ, T) ⟶ public parameters pp
  • Eval(pp, x) ⟶ output y, proof π (requires T steps)
  • Verify(pp, x, y, π) ⟶ { yes, no }

SLIDE 11

VDF security more formally…

Sequentiality Game

SLIDE 12

Part I: Applications of VDFs

Permissionless consensus

SLIDE 13

Randomness beacon

  • Rabin ’83

An ideal service that regularly publishes a random value which no party can predict or manipulate

SLIDE 14

Many uses for random beacons

SLIDE 15

Randomness beacon

“Public displays” are easily corrupted

SLIDE 16

Public entropy source

Assumption: (1) unpredictable, (2) adversary cannot fix stock prices

SLIDE 17

Stock price manipulation

SLIDE 18

Stock price randomness beacon

(Diagram.) Closing prices of 100 stocks ⟶ Hash(prices) (extractor) ⟶ 128 bits (seed) ⟶ pseudorandom generator ⟶ lots of bits. A further label reads “20 bits”.

The problem:

  • Once prices settle a minute before closing, attacker executes 20 last-minute trades to influence seed.
  • Attacker can predict outcome of trades and choose favorable trades to bias result

SLIDE 19

Solution: slow things down with a VDF

A solution: one hour VDF

  • Attacker cannot tell what trades to execute before market closes

Uniqueness: ensures no ambiguity about output

(Diagram.) Hash(prices) (extractor) ⟶ 128 bits ⟶ VDF ⟶ 128 bits (seed), π. A further label reads “20 bits”.

SLIDE 20

Simple Bulletin Board

Alice, Bob, Claire, …, Zoe post r_a, r_b, r_c, …, r_z to a Public Bulletin Board

  • Output seed = Hash(r_a || r_b || ⋯ || r_z) ∈ {0,1}^256

Problem: Zoe controls the final seed !!

Mildly synchronous

SLIDE 21

Solution: slow things down with a VDF [LW’15]

Alice, Bob, Claire, …, Zoe post r_a, r_b, r_c, …, r_z to a Public Bulletin Board (blockchain); Hash(r_a || r_b || ⋯ || r_z) ∈ {0,1}^256 ⟶ VDF ⟶ seed, π (diagram label: H)

SLIDE 22

Part II: Constructions

(Diagram with labels x, y.)
  I. (reverse permutation): this work
  II. Followup: Pietrzak ’18, Wesolowski ’18

SLIDE 23

Hash Chain w/ Verifiable Computation

  • SNARK = “succinct non-interactive argument of knowledge” [G’10, GGPR’13, BCIOP’13, BCCT’13]
  • STARK = “succinct transparent non-interactive argument of knowledge” [M’00, BBHR’18]

SLIDE 24

Hash Chain w/ Verifiable Computation

Problem

  • Proof generation slower than hash chain, without massive parallelism

SLIDE 25

Incrementally Verifiable Computation

SLIDE 26

IVC SNARK Optimizations

SLIDE 27

IVC SNARK Optimizations

(Diagram: x ⟷ y, one direction labelled Slow, the other Fast.)

SLIDE 28

IVC SNARK Optimizations

(Diagram: x ⟷ y, one direction labelled Slow, the other Fast.)

SLIDE 29

Square-roots vs SHA256

(Circuit diagram; labels s, c; “Coordinate swap”.)
  • SHA256: 27,904 gates
  • Square-roots: 4 gates

SLIDE 30

Better asymmetric permutations?

(Diagram labelled Slow / Fast.)

SLIDE 31

Permutation polynomials

Eval requires d parallelism; d^2.85 parallelism is infeasible for the adversary.

SLIDE 32

Permutation Polynomials Holy Grail

  • Eval: O(d) PRAM steps
  • Verify: O(log(d))

Exponential gap!

Exponentially large

SLIDE 33

Permutation polynomials

Guralnick, Müller ’97

SLIDE 34

Permutation polynomials

Guralnick, Müller ’97

SLIDE 35

Construction Summary

  • Verification: O(log(T)) SNARKs
  • Proof size: O(log(T))
  • Assumption: SNARK/STARK + sqr. rts. or ideal perm. polynomial
  • Trusted setup: None w/ STARKs; or using “slower” verification, sequentiality not broken
  • Quantum resistant: Possibly with STARKs
  • Simple: No

SLIDE 36

Newer VDFs [P’18, W’18]

  • Let G be a finite cyclic group with generator g ∈ G: G = {1, g, g^2, g^3, …}
  • Assumption: the group G has unknown size
  • pp = (G, H: X ⟶ G)
  • Eval(pp, x): output
      • T squarings
      • proof π = (proof of correct exponentiation) [P’18, W’18]
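An added example, not code from the slides or from [P’18, W’18]: a toy of the repeated-squaring VDF above (Eval computes y = H(x)^(2^T) with T sequential squarings, which is the construction both follow-up papers use) with a Wesolowski-style proof of correct exponentiation, and on top of it the bulletin-board beacon of slides 20 and 21 (seed = Hash(r_a || ⋯ || r_z), then VDF(seed)). Assumptions specific to this example: the group is Z_N^* for a modulus N constructed from two Mersenne primes (so its order is in fact known and the demo is not secure; a real deployment needs an RSA modulus from a trusted setup or a class group of unknown order), the hash-to-group map is SHA-256 reduced mod N, and the challenge prime is 64 bits rather than the roughly 128 bits used in practice.

```python
# Added example (not from the slides or from [P'18, W'18]): a toy of the
# repeated-squaring VDF of slide 36 with a Wesolowski-style proof of correct
# exponentiation, plus the bulletin-board beacon of slides 20-21 on top of it.
# Eval computes y = H(x)^(2^T) by T sequential squarings in Z_N^*; Verify does
# O(log T) work. The modulus N is constructed from two known Mersenne primes, so
# this group does NOT have unknown order; a real deployment needs an RSA modulus
# from a trusted setup or a class group.
import hashlib

N = (2**61 - 1) * (2**89 - 1)   # constructed demo modulus (M61 * M89), order is known
CHALLENGE_BITS = 64              # toy challenge-prime size; production uses ~128 bits


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 2^64 (covers our challenges)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = v * v % n
            if v == n - 1:
                break
        else:
            return False
    return True


def hash_to_group(x: bytes) -> int:
    """H: X -> G. Toy hash-to-group: SHA-256 reduced mod N, avoiding 0 and 1."""
    h = int.from_bytes(hashlib.sha256(x).digest(), "big") % N
    return h if h > 1 else 2


def hash_to_prime(g: int, y: int, t: int) -> int:
    """Fiat-Shamir challenge: derive a prime l from (g, y, T) by hashing with a counter."""
    counter = 0
    while True:
        data = f"{g}|{y}|{t}|{counter}".encode()
        digest = hashlib.sha256(data).digest()[: CHALLENGE_BITS // 8]
        cand = int.from_bytes(digest, "big") | 1   # force odd
        if is_probable_prime(cand):
            return cand
        counter += 1


def vdf_eval(x: bytes, t: int) -> tuple[int, int]:
    """Eval(pp, x): y = H(x)^(2^T) by T sequential squarings; proof pi = g^(2^T div l)."""
    g = hash_to_group(x)
    y = g
    for _ in range(t):          # the inherently sequential part: T squarings
        y = y * y % N
    l = hash_to_prime(g, y, t)
    q = (2**t) // l             # 2^T = q*l + r; the prover publishes g^q
    return y, pow(g, q, N)


def vdf_verify(x: bytes, t: int, y: int, pi: int) -> bool:
    """Verify(pp, x, y, pi): pi^l * g^(2^T mod l) == y, using only O(log T) group operations."""
    if not (0 < y < N and 0 < pi < N):
        return False
    g = hash_to_group(x)
    l = hash_to_prime(g, y, t)
    r = pow(2, t, l)            # r = 2^T mod l, computed without ever forming 2^T
    return pow(pi, l, N) * pow(g, r, N) % N == y


def beacon(contributions: list[bytes], t: int) -> tuple[bytes, int, int]:
    """Slides 20-21: seed = Hash(r_a || ... || r_z), then run the VDF on the seed so the
    last contributor cannot learn the beacon output before the submission window closes."""
    seed = hashlib.sha256(b"".join(contributions)).digest()
    y, pi = vdf_eval(seed, t)
    return seed, y, pi


if __name__ == "__main__":
    x = b"constructed input"
    y, pi = vdf_eval(x, 1000)
    print("verify:", vdf_verify(x, 1000, y, pi))
```

Verify's cost is two exponentiations, pow(pi, l, N) and pow(g, r, N), whose exponents have at most CHALLENGE_BITS bits regardless of T; that is the polylog(T) verification the definition on slide 3 asks for, while Eval cannot avoid the T sequential squarings. The beacon helper shows why the delay matters for slides 20 and 21: Zoe can still choose r_z last, but she cannot evaluate the VDF on each candidate seed inside the submission window, so she cannot pick the r_z that biases the final output.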

SLIDE 37

THE END

  • https://eprint.iacr.org/2018/601
  • Survey of VDFs: https://eprint.iacr.org/2018/712.pdf