Verifiable Random Functions and Verifiable Delay Functions Caleb - - PowerPoint PPT Presentation



SLIDE 1

Verifiable Random Functions and Verifiable Delay Functions

Caleb Smith University of Virginia

SLIDE 2

Why do these matter?

Alternative consensus protocols
Applications to public randomness generation

SLIDE 3

Leader election

Bitcoin Proof of Work style
Everyone generates a random number, and the largest is the leader?

SLIDE 4

Generate random numbers

Assume we have a hash function, $h$, and we have a public challenge, $x$

Each participant (six on the slide) computes: $key \leftarrow \{0,1\}^n$, $y = h(key \,\|\, x)$

SLIDE 5

Generate random numbers

Assume we have a hash function, $h$, and we have a public challenge, $x$

Each participant (six on the slide) computes: $key \leftarrow \{0,1\}^n$, $y = h(key \,\|\, x)$

?

SLIDE 6

Verifiable Random Function

Introduced by Micali, Rabin, and Vadhan in 1999

$KeyGen(1^\lambda) \rightarrow (sk, pk)$
$Prove(sk, x) \rightarrow (y, \pi)$, where $y$ is the pseudorandom output and $\pi$ is the proof
$Verify(pk, x, y, \pi) \rightarrow \{0,1\}$

Security Property: For all $x$, an adversary cannot find $y_0 \neq y_1$ such that $Verify(pk, x, y_0, \pi_0) = 1 = Verify(pk, x, y_1, \pi_1)$

SLIDE 7

Generate random numbers

Assume we have a hash function, $h$, and we have a public challenge, $x$

Each participant (six on the slide) computes: $sk, pk \leftarrow KeyGen$, $y, \pi = Prove(sk, x)$

?

SLIDE 8

Verifiable Random Function Assumptions

RSA + Random Oracle [Micali, Rabin, and Vadhan 1999]
Decisional Bilinear Diffie Hellman Inversion [Dodis and Yampolskiy 2004]
Decisional Diffie Hellman + Random Oracle [Papadopoulos et al. 2017]
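
The leader election from slide 3, run with a VRF instead of bare hashes, as an added example that is not from the original slides: a simplified RSA full-domain-hash VRF in the spirit of the RSA + random oracle line above (RFC 9381 standardises a hardened form as RSA-FDH-VRF). The toy Mersenne-prime keys, the `fdh` and `output_of` helpers, the participant names and the challenge string are assumptions made for the demo.

```python
import hashlib

E = 65537  # public exponent

def keygen(p, q):
    """KeyGen -> (sk, pk) from two primes; sk = (N, d), pk = (N, E)."""
    n = p * q
    return (n, pow(E, -1, (p - 1) * (q - 1))), (n, E)

def fdh(x, n):
    """Hash x onto Z_N; SHA-256 in counter mode stands in for the random oracle."""
    stream = b"".join(hashlib.sha256(bytes([i]) + x).digest()
                      for i in range(n.bit_length() // 256 + 2))
    return int.from_bytes(stream, "big") % n

def output_of(pi, n):
    """y is a hash of the proof, so one valid pi means one valid y."""
    return hashlib.sha256(pi.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def prove(sk, x):
    """Prove(sk, x) -> (y, pi), with pi = H(x)^d mod N."""
    n, d = sk
    pi = pow(fdh(x, n), d, n)
    return output_of(pi, n), pi

def verify(pk, x, y, pi):
    """Verify(pk, x, y, pi) -> bool: pi must be the RSA root of H(x), y its hash."""
    n, e = pk
    return 0 <= pi < n and pow(pi, e, n) == fdh(x, n) and y == output_of(pi, n)

def elect_leader(pks, claims, x):
    """Discard claims that fail Verify; the largest remaining y wins."""
    valid = {who: y for who, (y, pi) in claims.items() if verify(pks[who], x, y, pi)}
    return max(valid, key=valid.get) if valid else None

def demo():
    # Constructed toy keys from small Mersenne primes: far too small for real use.
    primes = {"alice": (2**61 - 1, 2**89 - 1), "bob": (2**107 - 1, 2**127 - 1),
              "carol": (2**61 - 1, 2**127 - 1)}
    keys = {who: keygen(p, q) for who, (p, q) in primes.items()}
    pks = {who: pk for who, (sk, pk) in keys.items()}
    x = b"round-42 public challenge"
    claims = {who: prove(sk, x) for who, (sk, pk) in keys.items()}
    honest = elect_leader(pks, claims, x)
    # Carol claims the maximum y but has no proof that verifies for it.
    forged = dict(claims, carol=(b"\xff" * 32, claims["carol"][1]))
    return pks, x, claims, honest, elect_leader(pks, forged, x)
```

Uniqueness here relies on each `pk` being a well-formed RSA key with `E` coprime to φ(N); keys generated by an untrusted party need an extra validity check.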

SLIDE 9

Verifiable Delay Functions

Introduced by Boneh, Bonneau, Bünz, and Fisch in 2018
Delay – Takes a minimum amount of parallel time to compute
Function – Unique outputs
Verifiable – Third parties can verify that it was evaluated correctly

SLIDE 10

Verifiable Delay Function

Alice wants to require Bob to spend $T$ parallel time solving a challenge

Takes parallel time $T$

Unique solution

SLIDE 11

Verifiable Delay Function Syntax

A function that takes a long time to compute, has unique outputs, and can be verified quickly

$Setup(\lambda, T) \rightarrow PP = (ek, vk)$, specifies input and output space
$Eval(ek, x) \rightarrow (y, \pi)$, runs in at least parallel time $T$; $\pi$ is a proof from the Evaluator to help the Verifier
$Verify(vk, x, y, \pi) \rightarrow \{Accept, Reject\}$, runs in time $t \ll T$

SLIDE 12

Verifiable Delay Function Properties

Sequentiality – $Eval(x)$ cannot be solved in less than parallel time $T$, with $poly(T)$ number of processors
Uniqueness – If the adversary runs in time $O(poly(T, \lambda))$, then they are unable to find a $y \neq Eval(x)$ that passes verification

SLIDE 13

Application - Randomness Beacon

Generate a stream of public random values

r1 r2 r3 r4 r5 r6 … rn

Can submit values from 1:00pm to 1:10pm

$f(r_1, r_2, \ldots, r_n) = r_1 \oplus r_2 \oplus \ldots \oplus r_n$

SLIDE 14

Application - Randomness Beacon

Generate a stream of public random values

r1 r2 r3 r4 r5 r6 … rn

Can submit values from 1:00pm to 1:10pm

$h(r_1, r_2, \ldots, r_n) = x$

$VDF.Eval(x) \rightarrow (y, \pi)$

$Extract(y) \rightarrow v$

SLIDE 15

Application – Proof of Space and Time

Cohen and Pietrzak from Chia
Change the assumption from majority of computing power is honest to 2/3 of committed disk space is honest
Proofs of Space will populate some disk space with some function $f$ and given a challenge, will find their “best” solution almost instantly

SLIDE 16

Why not just chain Proofs of Space?

The next Proof of Space challenge is the hash of the previous Proof of Space solution and proof
There are attacks where an adversary can “tweak” elements in their control to bias the next challenge
This does not occur in Bitcoin because of the cost to split resources

SLIDE 17

Adding Verifiable Delay Functions

Take the solution and proof of the Proof of Space, $(y, \pi_{PoS})$, and compute $x = h(y \mid \pi_{PoS})$, $VDF.Eval(x) \rightarrow (y, \pi_{VDF})$
Then $f(y)$ determines the next Proof of Space challenge
We can now argue that an adversary cannot determine how to “tweak” anything to bias the next challenge

SLIDE 18

Verifiable Delay Function Assumptions

Repeated squaring in a group of unknown order is inherently sequential
Let $N$ be an RSA modulus where nobody knows the factorization

$x^{2^T} \bmod N$

Conjectured to take $T$ sequential squarings

SLIDE 19

Questions?
