Verifiable Delay Functions
Joe Netti
Overview of VDFs (Boneh, Bonneau, et al. 2019)
Goal: Prove the passage of time
VDF Properties:
1. Slow to calculate (delay), fast to verify (polynomial time).
2. Parallelization does not speed up calculation (sequential)
3. Unique mapping (function)
4. Compact verification proof
5. Proof is non-interactive
Use Case: Randomness beacon
[Figure: timeline labelled past, present, future]
Precursor: Time lock puzzle (Rivest, Shamir, Wagner 1996)
Goal: “Send a message to the future”
Primitives:
1. Blum-Blum-Shub pseudorandom generator: x_{i+1} = x_i^2 (mod n)
2. RSA factoring: n = pq
3. Difficulty of calculating ϕ(n) with p, q unknown.
4. Euler’s theorem: a^ϕ(n) = 1 (mod n)
Time lock puzzle
Protocol variables:
T: wait period in seconds
S: expected squares-per-sec of solver
t = TS: difficulty of puzzle (# of squares)
K: random private key
n = pq, where p, q are prime
a: 1 < a < n
M: message to encrypt to the future

Alice: private: (K, p, q, M)
1. C_M = Encrypt(K, M)
2. ϕ(n) = (p-1)(q-1)
3. C_K = K + a^(2^t) (mod n)  # “encryption” of K
4. e = 2^t (mod ϕ(n))  # e squares for Alice

Bob (solver): public: (C_M, C_K, n, a, t)
1. K = C_K - a^(2^t) (mod n)  # t squares for Bob
2. M = Decrypt(K, C_M)
More prior work:
1. Non-Interactive Zero-Knowledge and Its Applications (Micali et al. 1988)
2. Pricing via processing or combatting junk mail (Dwork, Naor 1992)
3. A partial hash collision based postage scheme (hashcash) (Back 1997)
4. Bitcoin: a peer-to-peer electronic cash system (Nakamoto 2008)
5. Proofs of sequential work (POSW) (Mahmoody et al. 2013)
And many others
This slide again
Goal: Prove the passage of time
VDF Properties:
1. Slow to calculate (delay), fast to verify (polynomial time).
2. Parallelization does not speed up calculation (sequential)
3. Unique mapping (function)
4. Compact verification proof
5. Proof is non-interactive
Simple VDF (Pietrzak 2019)
1. Extends original time lock puzzle
2. Creates interactive protocol
3. Protocol is made non-interactive using Fiat-Shamir transform
Interactive protocol
this combines previous rounds to make compact proof
Repeat until T = 1
r is given by verifier at each round
x “grows” relative to y
The proof
π = {μ_1, …, μ_s}
Calculating μ_3
Non-interactive using Fiat-Shamir
- Fiat-Shamir: replace every “choice” with a random oracle.
- The random oracle is often instantiated with a hash function
- Beware of “grinding” attacks where input to hash can be chosen
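A toy sketch of the halving protocol made non-interactive with Fiat-Shamir, added here as an illustration and not taken from the slides or from Pietrzak's code. The update rule x' = x^r·μ, y' = μ^r·y comes from Pietrzak's paper [4]; the modulus, the function names and the SHA-256 challenge encoding are assumptions of this example, and it works in plain Z_n* with a power-of-two T instead of the group and parameters the paper requires.

```python
import hashlib

# Constructed toy modulus built from two small primes (demo only; a real
# deployment needs a large n whose factorisation nobody knows).
N = 1019 * 1187

def challenge(n, x, y, T, mu, bits=128):
    """Fiat-Shamir: r = H(n, x, y, T, mu). The hash binds r to the modulus,
    the current statement and mu, so none of them can be swapped after the
    fact; 128 bits keeps a lucky r unlikely even if inputs are retried."""
    data = b"|".join(str(v).encode() for v in (n, x, y, T, mu))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def evaluate(n, x, T):
    """The delay: T squarings, each needing the previous result."""
    for _ in range(T):
        x = x * x % n
    return x

def prove(n, x, T):
    """Return y = x^(2^T) mod n and the proof [mu_1, ..., mu_s], s = log2(T)."""
    assert T > 0 and T & (T - 1) == 0, "sketch assumes T is a power of two"
    y = evaluate(n, x, T)
    proof, xi, yi = [], x, y
    while T > 1:
        T //= 2
        mu = evaluate(n, xi, T)          # midpoint of the current statement
        r = challenge(n, xi, yi, T, mu)  # replaces the verifier's random r
        xi = pow(xi, r, n) * mu % n      # fold two half-length claims
        yi = pow(mu, r, n) * yi % n      # into one claim of length T
        proof.append(mu)
    return y, proof

def verify(n, x, y, T, proof):
    """Recompute every r from the transcript, fold, then check one squaring."""
    if T <= 0 or T & (T - 1) or len(proof) != T.bit_length() - 1:
        return False
    for mu in proof:
        T //= 2
        r = challenge(n, x, y, T, mu)
        x = pow(x, r, n) * mu % n
        y = pow(mu, r, n) * y % n
    return y == x * x % n                # T = 1: a single squaring
```

The prover performs T sequential squarings plus the midpoint computations, while the verifier does only log2(T) small exponentiations and one squaring.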
Choosing random r
References
[1] Boneh, D., Bonneau, J., Bünz, B., & Fisch, B. (2018, August). Verifiable delay functions. In Annual international cryptology conference (pp. 757-788). Springer, Cham. https://eprint.iacr.org/2018/601.pdf.
[2] Bonneau. (2019, November). Exploring VDFs with Joseph Bonneau. Zero Knowledge Podcast https://www.zeroknowledge.fm/103.
[3] Mahmoody, M., Moran, T., & Vadhan, S. (2013, January). Publicly verifiable proofs of sequential work. In Proceedings of the 4th conference on Innovations in Theoretical Computer Science (pp. 373-388). https://eprint.iacr.org/2011/553.pdf.
[4] Pietrzak, K. (2018). Simple verifiable delay functions. In 10th innovations in theoretical computer science conference (itcs 2019). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik. https://eprint.iacr.org/2018/627.pdf.
[5] Rivest, R. L., Shamir, A., & Wagner, D. A. (1996). Time-lock puzzles and timed-release crypto. https://people.csail.mit.edu/rivest/pubs/RSW96.pdf.