verifiable delay functions
play

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, - PowerPoint PPT Presentation

Sep 06, 2023 •259 likes •638 views

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1 What is a VDF? Verifier 2 What is a VDF? Setup( , T ) public parameters pp pp specify domain X and range Y Eval( pp , x )

  1. Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bünz, Ben Fisch Crypto 2018 1

  2. What is a VDF? Verifier 2

  3. What is a VDF? • Setup( λ , T ) ⟶ public parameters pp  pp specify domain X and range Y • Eval( pp , x ) ⟶ output y , proof π  PRAM runtime T with polylog(T) processors • Verify( pp , x , y , π ) ⟶ { yes, no }  Time complexity at most polylog(T) 3

  4. Security Properties (Informal) • Setup( λ , T ) ⟶ public parameters pp • Eval( pp , x ) ⟶ output y , proof π (requires T steps) • Verify( pp , x , y , π ) ⟶ { yes, no } 4

  5. Related Crypto Primitives • Time-lock puzzles [RSW’96, BN’00, BGJPVW’16] o Trapdoor (secret key) setup per puzzle o Not ``publicly verifiable” • Proof-of-sequential-work [MMV’13, CP’18] o Publicly verifiable o Not a function (output isn’t unique) 5

  6. VDF minus any property is “easy” 6

  7. Modular square roots [ DN’92, LW’15 ] 8

  8. Modular square roots [ DN’92, LW’15 ] log(p) squarings 1 squaring proof size = log(p) 9

  9. Modular square roots • A “proto - VDF” M(p) = time complexity of  Eval time: log(p) * M(p) multiplication mod p  Verify time: M(p)  Problem: Verify time not polylogarithmic in Eval time 10

  10. Security Properties (Informal) • Setup( λ , T ) ⟶ public parameters pp • Eval( pp , x ) ⟶ output y , proof π (requires T steps) • Verify( pp , x , y , π ) ⟶ { yes, no } 11

  11. VDF security more formally… Sequentiality Game 12

  12. Part I: Applications of VDFs Permissionless consensus 14

  13. Randomness beacon • Rabin ‘83 An ideal service that regularly publishes random value which no party can predict or manipulate 15

  14. Many uses for random beacons 16

  15. Randomness beacon ``Public displays” are easily corrupted 17

  16. Public entropy source Assumption : (1) unpredictable, (2) adversary cannot fix stock prices 18

  17. Stock price manipulation 19

  18. Stock price randomness beacon Closing prices of 100 stocks: Hash(prices) 20 bits The problem : extractor • Once prices settle a minute before closing, attacker executes 20 last- 128 bits (seed) minute trades to influence seed. pseudorandom generator • Attacker can predict outcome of Lots of bits trades and choose favorable trades to bias result

  19. Solution: slow things down with a VDF Hash(prices) 20 bits A solution: one hour VDF extractor • Attacker cannot tell what trades to execute before 128 bits market closes VDF Uniqueness: ensures no ambiguity about output , π 128 bits (seed)

  20. Simple Bulletin Board Alice Bob Claire Zoe Mildly r a r b r c r z synchronous Public Bulletin Board output seed = Hash(r a || r b || ⋯ || r z ) ∈ {0,1} 256 Problem: Zoe controls the final seed !! 24

  21. Solution: slow things down with a VDF [LW’15] Alice Bob Claire Zoe r a r b r c r z Public Bulletin Board (blockchain) Hash(r a || r b || ⋯ || r z ) ∈ {0,1} 256 seed, π H VDF 25

  22. Part II: Constructions I. x y (reverse permutation) This work II. Followup: Pietrzak’18, Wesolowski’18 27

  23. Hash Chain w/ Verifiable Computation • SNARK = “succinct non - interactive argument of knowledge” [G’10,GGPR’13, BCIOP’13, BCCT’13] • STARK = “succinct transparent non -interactive argument of knowledge” [M’00, BBHR’18] 28

  24. Hash Chain w/ Verifiable Computation Problem • Proof generation slower than hash chain, without massive parallelism 29

  25. Incrementally Verifiable Computation 30

  26. IVC SNARK Optimizations 31

  27. IVC SNARK Optimizations Slow x y x y Fast 33

  28. IVC SNARK Optimizations Slow x y x y Fast 34

  29. Square-roots vs SHA256 SHA256: c s 27,904 gates Square-roots: 4 gates Coordinate swap c s c s 35

  30. Better asymmetric permutations? Slow Fast 37

  31. Permutation polynomials Eval requires d parallelism d 2.85 parallel. infeasible for Adv. 38

  32. Permutation Polynomials Holy Grail Exponentially large Eval: O(d) PRAM steps Exponential gap! Verify: O(log(d)) 39

  33. Permutation polynomials Guralnick, Müler ’97 40

  34. Permutation polynomials Guralnick, Müler ’97 41

  35. Construction Summary Verification O(log(T)) SNARKs Proof size O(log(T)) Assumption SNARK/STARK + Sqr. rts. or ideal perm. polynomial Trusted setup None w/ STARKs or using “slower” verification, sequentiality not broken Quantum resistant Possibly with STARKs Simple No 42

  36. Newer VDFs [P’18, W’18] • Let G be a finite cyclic group with generator g ∈ G G = {1, g, g 2 , g 3 , … } • Assumption : the group G has unknown size T squarings pp = (G, H: X ⟶ G) • Eval(pp, x): output proof π = (proof of correct exponentiation) [P’18, W’18] 43

  37. THE END https://eprint.iacr.org/2018/601 Survey of VDFs https://eprint.iacr.org/2018/712.pdf 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

NutMiC19, June, 2019 Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University What is a VDF? (verifiable delay function) Intuition: a function X Y that (1) takes time T to evaluate, even with

694 views • 30 slides
Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

928 views • 72 slides
Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S.

Verifiable Delay Functions from Isogenies and Pairings Luca De Feo joint work with J. Burdges, S. Masson, C. Petit, A. Sanso Universit Paris Saclay UVSQ, France July 13, 2019, SIAM AG, Bern Slides online at https://defeo.lu/docet Tired of

350 views • 23 slides
Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove the passage of time VDF Properties: 1. slow to calculate (delay), fast to verify (polynomial time). 2. Parallelization does not speed up

185 views • 15 slides
Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions

Unique Aggregate Signatures with Applications to Distributed Verifiable Random Functions Veronika Kuchta and Mark Manulis CANS 2013, Paraty, Brazil November 21, 2013 Overview Unique Signature Schemes Verifiable Random Functions Unique

420 views • 13 slides
Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vNFO joint with Seyed Fayazbakhsh,

434 views • 28 slides
Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay (

Advanced Digital IC-Design Propagation Delay Lumped C p Distributed model C model Interconnect Gate delay Wire delay The delay in VLSI circuits have two components Gate delay ( t pHL / t pLH ) Wire (interconnect) delay ( t w ) The Wire

492 views • 20 slides
Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable

Leonard Lensink, Sjaak Smetsers and Marko van Eekelen Generating Verifiable Java Code from Verified PVS Specifications NFM2012 Generating Verifiable Java Code from Verified PVS Specifications Overview Motivation Code generation

544 views • 26 slides
RC delay 4: The Elmore delay - 3 Application of the Elmore delay formula to a (RC) wire. Let R

RC delay 4: The Elmore delay - 3 Application of the Elmore delay formula to a (RC) wire. Let R

RC delay 4: The Elmore delay - 3 Application of the Elmore delay formula to a (RC) wire. Let R , C , and l be the total line resistance, capacitance, and length. = = = / ; / ; / r R l c C l L l N N ( ) ( ) ( ) 2

653 views • 16 slides
P Packet Scheduling: k S h d li E d t End-to-End Delay Bounds E d D l B d Delay bounds

P Packet Scheduling: k S h d li E d t End-to-End Delay Bounds E d D l B d Delay bounds

P Packet Scheduling: k S h d li E d t End-to-End Delay Bounds E d D l B d Delay bounds (Simon S. Lam) 1 2/7/2017 1 References References Delay Guarantee of Virtual Clock server Geoffrey G. Xie and Simon S. Lam, Delay

696 views • 43 slides
11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

Introduction Introduction Four sources of packet delay Delay in packet-switched networks 3. Transmission delay: 4. Propagation delay: 1. nodal processing: 2. queueing R=link bandwidth (bps) d = length of physical link check

185 views • 3 slides
Outline Introduction Delay Test Issues Our Solutions Improved Launch Delay

Outline Introduction Delay Test Issues Our Solutions Improved Launch Delay

DESIGN FOR AT-SPEED DELAY TEST Youhua Shi Information Technology Research Organization Waseda University Outline Introduction Delay Test Issues Our Solutions Improved Launch Delay Testing Power-aware Test Technique

450 views • 10 slides
Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT Verifiable Computation Verifiable Computation Verifiable Computation M(x)=? M(x) = y Verifiable Computation M(x)=? , challenge , proof

1.73k views • 119 slides
A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York

A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York

A Survey of Verifiable Delegation of Computations Rosario Gennaro The City College of New York rosario@cs.ccny.cuny.edu CANS 2013, Paraty, Brasil November 22, 2013 Outline Motivation Verifiable Computation Memory Delegation Conclusion

937 views • 80 slides
Chasing Minimal Inductive Validity Cores in Hardware Model Checking Ryan Berryhill Andreas

Chasing Minimal Inductive Validity Cores in Hardware Model Checking Ryan Berryhill Andreas

Chasing Minimal Inductive Validity Cores in Hardware Model Checking Ryan Berryhill Andreas Veneris University of Toronto Outline Motivation Background The UMIVC Algorithm Experiments Conclusion Outline Motivation

490 views • 47 slides
Presented by Dr Nishat Siddiqi on behalf of: Ischaemia-reperfusion-injury Can account for up

Presented by Dr Nishat Siddiqi on behalf of: Ischaemia-reperfusion-injury Can account for up

The effects of intravenous sodium nitrite in acute ST elevation myocardial infarction: a randomised controlled trial Presented by Dr Nishat Siddiqi on behalf of: Ischaemia-reperfusion-injury Can account for up to 50% of final infarct size

692 views • 15 slides
The Other Half of the Fracture Equation: Fall Prevention and Management Anna Chodos, MD, MPH

The Other Half of the Fracture Equation: Fall Prevention and Management Anna Chodos, MD, MPH

7/5/2017 OSTEOPOROSIS NEW INSIGHTS IN RESEARCH, DIAGNOSIS,AND CLINICAL CARE School of Medicine Division of Geriatrics The Other Half of the Fracture Equation: Fall Prevention and Management Anna Chodos, MD, MPH Geriatrics, Zuckerberg San

597 views • 33 slides
Gradients of pronominal and verbal deficiency Hakyung Jung (Seoul National University,

Gradients of pronominal and verbal deficiency Hakyung Jung (Seoul National University,

Slavic Linguistics Society 15 Indiana University September 46, 2020 Gradients of pronominal and verbal deficiency Hakyung Jung (Seoul National University, hakyungj@snu.ac.kr) Krzysztof Migdalski (University of Wroc aw,

222 views • 10 slides
In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca

In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca

In-Guest Mechanisms to Strengthen Guest Separation XenSummit 2013 Philip Tricca <philip.tricca@citrix.com> Background Xen does security well Value is added when VMs communicate / cooperate Strong isolation using hardware

451 views • 14 slides
PhD Seminar - Autumn Semester 2020 Vinicius Azevedo CGL ETH Zurich (CNB G 102.2)

PhD Seminar - Autumn Semester 2020 Vinicius Azevedo CGL ETH Zurich (CNB G 102.2)

PhD Seminar - Autumn Semester 2020 Vinicius Azevedo CGL ETH Zurich (CNB G 102.2) vinicius.azevedo@inf.ethz.ch Objectives & Requirements Objectives Requirements Present and discuss current PhD students must present their research

178 views • 5 slides
1 Anthony Heath and Yizhang Zhao Centre for Social Investigation Nuffield College, Oxford

1 Anthony Heath and Yizhang Zhao Centre for Social Investigation Nuffield College, Oxford

1 Anthony Heath and Yizhang Zhao Centre for Social Investigation Nuffield College, Oxford Background: why occupation Measuring occupation -> class schemas Application in developing countries China India Chile and Brazil

475 views • 26 slides
WELCOME! The link for the polo shirt is live on our webpage. snow.edu/ce 1 Resources Available

WELCOME! The link for the polo shirt is live on our webpage. snow.edu/ce 1 Resources Available

WELCOME! The link for the polo shirt is live on our webpage. snow.edu/ce 1 Resources Available Snow.edu/ce CE Academic Advisors Weekly automated reports Show example-redacted Rolls201940 Parental Permission

483 views • 21 slides

More recommend