Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas - - PowerPoint PPT Presentation

Indistinguishable Proofs of Work or Knowledge

Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

ASIACRYPT 2016 8th December, Hanoi, Vietnam

Motivation

(ZK) Proofs of Knowledge - PoK

Prover Verifier Statement: 𝑦 ∈ 𝑀

⋮

Accept/Reject Witness: 𝒙 1) Completeness: the verifier always accepts a valid proof 2) PoK: for any convincing verifier, we can extract 𝒙 3) Prover privacy is preserved via some ZK variant Accept/Reject

Schnorr Identification – PoK of DLog

Prover Verifier Parameters: 𝑕, 𝑟 Check if 𝑕𝑠 = 𝑏 ∙ (𝑞𝑙)𝑑 pick 𝑢 ∈ 𝑎𝑟 𝑏 = 𝑕𝑢 𝑏 pick 𝑑 ∈ 𝑎𝑟 𝑑 𝑠 = 𝑢 + 𝑑 ∙ 𝑡𝑙 𝑠 Statement: ∃𝑡𝑙: 𝑞𝑙 = 𝑕𝑡𝑙 Witness: 𝑡𝑙

Schnorr Identification – PoK of DLog

Prover Verifier Parameters: 𝑕, 𝑟

Schnorr identification is a Sigma protocol that achieves special soundness and honest-verifier ZK

Statement: ∃𝑡𝑙: 𝑞𝑙 = 𝑕𝑡𝑙 Witness: 𝑡𝑙

Some motivating thoughts…

• PoK of DLog convinces us that the prover

actually has the witness.

Some motivating thoughts…

• PoK of DLog convinces us that the prover

actually has the witness.

• But how did the prover manage to

convince us?

• Did it run efficiently because it had

knowledge of the witness OR

• Did it work for a (superpolynomial)

amount of a time to solve the given DLog problem?

Reducing Spam

“If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92]

Reducing Spam

“If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92]

Alice

Verifier

I am an approved contact

email Server

Approved contacts:

• Alice
• ...

Bob

Alice

Verifier

I am an approved contact

email Server

Bob Approved contacts:

• Alice
• ...

Eve Not approved!

Reducing Spam

“If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92]

Verifier

email Server

Bob Approved contacts:

• Alice
• ...

Eve Not approved!

Mail server distinguishes between approved and non-approved contacts!!

Reducing Spam

“If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92]

Alice I am an approved contact

Verifier

email Server

Bob Approved contacts:

• Alice
• ...

Eve Not approved!

Reducing Spam

Where Email approval is done in a privacy-preserving manner!

Alice I am an approved contact

Reducing spam in a privacy-preserving way

• 1. For senders to have access, they must

prove that either

○ know some secret that implies their relation with the receiver OR ○ has spent a certain amount of work in terms

• f computational resources.

• 1. For senders to have access, they must

prove that either

○ know some secret that implies their relation with the receiver OR ○ has spent a certain amount of work in terms

• f computational resources.
• 2. The prover’s mode that provided access to

the sender, remains unknown to the mail server.

Reducing spam in a privacy-preserving way

Proofs of Work - PoW

Task/Puzzle solution Verifier Prover Accept/Reject

Proofs of Work - PoW

Task/Puzzle solution Verifier Prover Accept

The verifier ascertains that the prover performed some certain amount of work, given the difficulty of the puzzle parameters

Proofs of Work or Knowledge (PoWorKs)

PoK: PoW:

Prover either knows a witness to the statement

• r performed work to

solve a puzzle

Prover Verifier Prover Statement: 𝑦 ∈ 𝑀

PoK: PoW:

Prover either knows a witness to the statement

• r performed work to

solve a puzzle

Prover Verifier Prover

Indistinguishable

Proofs of Work or Knowledge (PoWorKs)

Statement: 𝑦 ∈ 𝑀

Our contributions

Our contributions

 We define cryptographic puzzle systems.

Our contributions

 We define cryptographic puzzle systems.  We define PoWorKs w.r.t. some language in NP and a fixed puzzle system.

Our contributions

 We define cryptographic puzzle systems.  We define PoWorKs w.r.t. some language in NP and a fixed puzzle system.  We provide an efficient 3-move PoWorK construction.

Our contributions

 We define cryptographic puzzle systems.  We define PoWorKs w.r.t. some language in NP and a fixed puzzle system.  We provide an efficient 3-move PoWorK construction.  We provide two puzzle system instantiations

(one in the RO model and one under complexity assumptions).

Our contributions

 We define cryptographic puzzle systems.  We define PoWorKs w.r.t. some language in NP and a fixed puzzle system.  We provide an efficient 3-move PoWorK construction.  We provide two puzzle system instantiations

(one in the RO model and one under complexity assumptions).

 We present applications of PoWorKs in

• 1. Privacy-preserving reduce spam.
• 2. Robustness in cryptocurrencies.
• 3. 3-round concurrently simulatable arguments of

knowledge.

Cryptographic puzzles

Cryptographic Puzzles

Basic properties: 1) Easy to generate and efficiently sampleable 2) Hard to solve 3) Easy to verify 4) Amortization resistant

Cryptographic Puzzles

Basic properties: 1) Easy to generate and efficiently sampleable 2) Hard to solve 3) Easy to verify 4) Amortization resistant 5) Dense (can be sampled by just generating random strings )

Cryptographic Puzzles

We do not restrict parallelizability of our puzzles!

Dense Cryptographic Puzzles

• Sample (𝒊) −> 𝒒𝒗𝒜 ∈ 𝑸𝑻
• Solve (𝒊, 𝒒𝒗𝒜) −> 𝒕𝒑𝒎𝒐 ∈ 𝑻𝑸
• SampleSol(𝒊) −> (𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐)
• Verify(𝒊, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐) −> 𝑢𝑠𝑣𝑓/𝑔𝑏𝑚𝑡𝑓

PuzSys = {Sample, Solve , SampleSol, Verify}

hardness parameter

Puzzle Space 𝑸𝑻, Solution Space 𝑻𝑻, Hardness space 𝑰𝑻

Dense Cryptographic Puzzles

• Sample (𝒊) −> 𝒒𝒗𝒜 ∈ 𝑸𝑻
• Solve (𝒊, 𝒒𝒗𝒜) −> 𝒕𝒑𝒎𝒐 ∈ 𝑻𝑸
• SampleSol(𝒊) −> (𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐)
• Verify(𝒊, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐) −> 𝑢𝑠𝑣𝑓/𝑔𝑏𝑚𝑡𝑓

PuzSys = {Sample, Solve , SampleSol, Verify}

hardness parameter

Puzzle Space 𝑸𝑻, Solution Space 𝑻𝑻, Hardness space 𝑰𝑻

Cryptographic Puzzles Security

1) Completeness/Correctness and Efficient Sampleability of Sample and SampleSol PuzSys = {Sample, Solve, SampleSol, Verify}

Cryptographic Puzzles Security

1) Completeness and Efficient sampleability of Sample and SampleSol

2) 𝒉-Hardness: PuzSys = {Sample, Solve , SampleSol, Verify}

Cryptographic Puzzles Security

1) Completeness and Efficient Sampleability of Sample and SampleSol

2) 𝒉-Hardness: PuzSys is 𝒉-hard, if for every adversary:

𝒒𝒗𝒜 < − Sample (𝒊)

𝒊, 𝒒𝒗𝒜 𝒕𝒑𝒎𝒐

Verify (𝒊, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐) −> 𝑢𝑠𝑣𝑓

𝑼𝒋𝒏𝒇𝑩𝒆𝒘𝒇𝒔𝒕𝒃𝒔𝒛(𝒊, 𝒒𝒗𝒜) < 𝒉 (𝑼𝒋𝒏𝒇𝐓𝐩𝐦𝐰𝐟(𝒊, 𝒒𝒗𝒜))

With negligible probability

PuzSys = {Sample, Solve , SampleSol, Verify}

Cryptographic Puzzles Security

1) Completeness and Efficient sampleability of Sample and SampleSol 2) 𝒉-Hardness

3) Statistical indistinguishability of Sample and SampleSol PuzSys = {Sample, Solve , SampleSol, Verify}

Cryptographic Puzzles Security

1) Completeness and Efficient sampleability of Sample and SampleSol 2) 𝒉-Hardness 3) Statistical indistinguishability of Sample and SampleSol

4) (𝒖, 𝒍) −amortization resistance

𝒒𝒗𝒜𝟐, … , 𝒒𝒗𝒜𝒍 < − Sample(𝒊) 𝒊, 𝒒𝒗𝒜𝟐, … , 𝒒𝒗𝒜𝒍 𝒕𝒑𝒎𝒐𝟐, … , 𝒕𝒑𝒎𝒐𝒍 for all 1 < 𝑗 < 𝑙 Verify(𝒊, 𝒒𝒗𝒜𝒋, 𝒕𝒑𝒎𝒐𝒋) −> 𝑢𝑠𝑣𝑓

PuzSys = {Sample, Solve , SampleSol, Verify}

𝑼𝒋𝒏𝒇𝑩𝒆𝒘𝒇𝒔𝒕𝒃𝒔𝒛(𝒊, 𝒒𝒗𝒜) < 𝒖(෍

𝒋=𝟐 𝒍

𝒉 (𝑼𝒋𝒏𝒇𝑻𝒑𝒎𝒘𝒇(𝒊, 𝒒𝒗𝒜𝒋)) With negligible probability

PoWorKs

PoWorK Definition

(𝑄, 𝑊) is an f-sound PoWorK for 𝑀 ∈ 𝑶𝑸 w.r.t. witness relation 𝑆𝑀 and PuzSys, if it achieves the following properties:

PoWorK Definition

(𝑄, 𝑊) is an f-sound PoWorK for 𝑀 ∈ 𝑶𝑸 w.r.t. witness relation 𝑆𝑀 and PuzSys, if it achieves the following properties: 1) Completeness: for all 𝒚 ∈ 𝑀, 𝒙 ∈ 𝑆𝑀 𝑦 , 𝒜 ∈ 0,1

∗ , 𝒊 ∈ 𝐼𝑇

Pr[< 𝑄(𝒙) ↔ 𝑊 > (𝒚, 𝒜, 𝒊); 𝑊 → “accept”] = 1 − negl(𝜇) & Pr[< 𝑄Solve(h) ↔ 𝑊 > 𝒚, 𝒜, 𝒊 ; 𝑊 → “accept”] = 1 − negl(𝜇)

PoWorK Definition

(𝑄, 𝑊) is an 𝒈-sound PoWorK for 𝑀 ∈ 𝑶𝑸 w.r.t. witness relation 𝑆𝑀 and PuzSys, if it achieves the following properties: 1) Completeness 2) 𝒈-Soundness: for all 𝒚 ∈ 𝑀, 𝒛, 𝒜 ∈ 0,1

∗ , 𝒊 ∈ 𝐼𝑇 and

prover 𝑸′:

• 𝒒𝒗𝒜 ←Sample(𝒊)
• < 𝑸′(𝒛) ↔ 𝑊 > (𝒚, 𝒜, 𝒊)

If 𝑊 accepts while 𝑈𝑗𝑛𝑓𝑸′ ≤ 𝒈 (𝑈𝑗𝑛𝑓Solve(𝒊, 𝒒𝒗𝒜)) then ∃ PPT extractor 𝑳 s.t 𝑳𝑸′(𝒚, 𝒛, 𝒜, 𝒊) ∈ 𝑆𝑀(𝒚)

PoWorK Definition

(𝑄, 𝑊) is an 𝒈-sound PoWorK for 𝑀 ∈ 𝑶𝑸 w.r.t. witness relation 𝑆𝑀 and PuzSys, if it achieves the following properties: 1) Completeness 2) 𝒈-Soundness 3) Stat./Comp. Indistinguishability: for all 𝒚 ∈ 𝑀, 𝒙 ∈ 𝑆𝑀 𝑦 , 𝒜

∈ 0,1

∗ , 𝒊 ∈ 𝐼𝑇 and verifier 𝑾′:

𝐰𝐣𝐟𝐱 𝑾′ ←< 𝑄 𝒙 ↔ 𝑾′ > 𝒚, 𝒜, 𝒊 𝐰𝐣𝐟𝐱 𝑾′ ←< PSolve(h) ↔ 𝑾′ > 𝒚, 𝒜, 𝒊

PoWorK construction

Trivial 4-round PoWorK construction

Verifier Prover pick puzzle 𝒒𝒗𝒜 𝒒𝒗𝒜

compute commitment 𝒅𝒑𝒏 s.t. 𝒅𝒑𝒏 = Commit (𝒚) + ZK: know 𝒙 that 𝒚 ∈ 𝑴

OR

𝒅𝒑𝒏 = Commit (𝒕𝒑𝒎)+ ZK : solved 𝒒𝒗𝒜 to sol

𝒅𝒑𝒏+ZK proof

42

Parameters: 𝑴, 𝒚, 𝝁,𝒊

3- round PoWorK Compiler

43

3-round special-sound HVZK

PuzSys

PoWorK

PoWorK Compiler

44

PoWorK

PuzSys= {Sample, Solve, Verify, SampleSol}

3-move special-sound HVZK

3-move special-sound HVZK

Π = (P1,P2,Ver)

45

Verifier 𝑀, 𝑆𝑀, 𝒚 Prover (w) Goal: prove that (𝒚, 𝒙) ∈ 𝑆𝑀 (𝒃, 𝒗) ←P1(𝒙, 𝒚) 𝒔 ← P2(𝒅, 𝒗) 𝒃 𝒅 ← ChallengeSpace 0/1 ←Ver(𝒚, 𝒃, 𝒅, 𝒔) 𝒅 𝒔

3-move special-sound HVZK

Π = (P1,P2,Ver)

46

Verifier 𝑀, 𝑆𝑀, 𝒚 Prover (w) Goal: prove that (𝒚, 𝒙) ∈ 𝑆𝑀 (𝒃′, 𝒗′) ←P1(𝒙, 𝒚) 𝒔′ ← P2(𝒅′, 𝒗′) 𝒃′ 𝒅′ ← ChallengeSpace 0/1 ←Ver(𝒚, 𝒃′, 𝒅′, 𝒔′) 𝒅′ 𝒔′

• Completeness
• Special Soundness: poly-time extractor K that on input (x,a,c,r) & (x,a,c’,r’) outputs

w s.t. (x,w) ∈ RL

• HVZK: poly-time simulator Sim that on input (x) outputs an accepting (x,a,c,r) with

same distribution as P on input (x,w) and honest V

PoWorK Compiler - PoK mode

Verifier Prover (𝒙) 𝑀, 𝑆𝑀, 𝒚, 𝒊

PoWorK Compiler - PoK mode

Verifier Prover (𝒙)

(𝒃′, 𝒗) ←P1(𝒙, 𝒚)

𝒃′ 𝑀, 𝑆𝑀, 𝒚, 𝒊

PoWorK Compiler - PoK mode

Verifier Prover (𝒙)

(𝒃′, 𝒗) ←P1(𝒙, 𝒚)

𝒃′

𝒅 ← ChallengeSpace

𝒅 𝑀, 𝑆𝑀, 𝒚, 𝒊

PoWorK Compiler - PoK mode

Verifier Prover (𝒙)

(𝒃′, 𝒗) ←P1(𝒙, 𝒚)

𝒃′

𝒅 ← ChallengeSpace

𝒅 𝒅′, 𝒔′, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐

(𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐)←SampleSol(𝒊) Set 𝒅′ = 𝒅 ⊕ 𝒒𝒗𝒜 𝒔′ ← P2(𝒅′, 𝒗)

𝑀, 𝑆𝑀, 𝒚, 𝒊

PoWorK Compiler - PoK mode

51

Verifier Prover (𝒙)

(𝒃′, 𝒗) ←P1(𝒙, 𝒚)

𝒃′

𝒅 ← ChallengeSpace

𝒅 𝒅′, 𝒔′, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐

Verification

• 𝒅 = 𝒅′ ⊕ 𝒒𝒗𝒜
• Ver(𝒚, 𝒃′, 𝒅′, 𝒔′)
• Verify(𝒊, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐)

(𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐)←SampleSol(𝒊) Set 𝒅′ = 𝒅 ⊕ 𝒒𝒗𝒜 𝒔′ ← P2(𝒅′, 𝒗)

𝑀, 𝑆𝑀, 𝒚, 𝒊

Verifier Prover

PoWorK Compiler - PoW mode

𝑀, 𝑆𝑀, 𝒚, 𝒊

Verifier Prover

(𝒃′, 𝒅′, 𝒔′) ←Sim(𝒚)

𝒃′

PoWorK Compiler - PoW mode

𝑀, 𝑆𝑀, 𝒚, 𝒊

Verifier Prover 𝒃′

𝒅 ← ChallengeSpace

𝒅

PoWorK Compiler - PoW mode

(𝒃′, 𝒅′, 𝒔′) ←Sim(𝒚)

𝑀, 𝑆𝑀, 𝒚, 𝒊

Verifier Prover 𝒃′

𝒅 ← ChallengeSpace

𝒅 𝒅′, 𝒔′, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐

PoWorK Compiler - PoW mode

Set 𝒒𝒗𝒜 = 𝒅 ⊕ 𝒅′ 𝒕𝒑𝒎𝒐←Solve(𝒊, 𝒒𝒗𝒜) (𝒃′, 𝒅′, 𝒔′) ←Sim(𝒚)

𝑀, 𝑆𝑀, 𝒚, 𝒊

Verifier Prover 𝒃′

𝒅 ← ChallengeSpace

𝒅 𝒅′, 𝒔′, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐

PoWorK Compiler - PoW mode

Set 𝒒𝒗𝒜 = 𝒅 ⊕ 𝒅′ 𝒕𝒑𝒎𝒐←Solve(𝒊, 𝒒𝒗𝒜) Verification

• 𝒅 = 𝒅′ ⊕ 𝒒𝒗𝒜
• Ver(𝒚, 𝒃′, 𝒅′, 𝒔′)
• Verify(𝒊, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐)

(𝒃′, 𝒅′, 𝒔′) ←Sim(𝒚)

𝑀, 𝑆𝑀, 𝒚, 𝒊

Security of PoWorK compiler

Assumptions

• Challenge and puzzle sampling distributions are statistically close
• Both distributions are (statistically) invariant to any group operation ⊕
• Solve asymptotically dominates the protocol run

Theorem:

• 𝑀 language in 𝑶𝑸 with a witness relation 𝑆𝑀
• Π =(P1, P2, Ver) special-sound 3-move statistical HVZK for 𝑆𝑀
• PuzSys = (Sample, Solve,SampleSol , Verify)

with 𝒉-hardness (𝑄, 𝑊) is a (Θ(𝒉))-sound PoWorK with statistical indistinguishability.

Dense Puzzle Instantiations

Dense Puzzle Instantiations

PuzSys = (Sample,SampleSol, Solve, Verify) (1) Based on random oracles (2) Based on complexity assumptions

Random Oracle instantiation

Assume a hash function 𝐼: {0,1}𝜇 → {0,1}𝜇

• Sample (𝒊): return 𝒒𝒗𝒜 ∈ 0,1 𝜇
• SampleSol (𝒊): pick 𝒚 ∈ 0,1 𝜇 and set

𝒒𝒗𝒜 = 𝑴𝑻𝑪𝒊(𝐼(𝒚)) and 𝒕𝒑𝒎𝒐 = 𝒚

• Solve (𝒒𝒗𝒜): randomly pick 𝒚′ ∈ 0,1 𝜇 and try whether

𝑴𝑻𝑪𝒊(𝐼 𝒚′ ) = 𝒒𝒗𝒜 If yes, then output 𝒕𝒑𝒎𝒐 = 𝒚′

• Verify (𝒊, 𝒒𝒗𝒜, 𝒕𝒑𝒎𝒐): check whether

𝑴𝑻𝑪𝒊(𝐼 𝒕𝒑𝒎𝒐 ) = 𝒒𝒗𝒜

Random Oracle instantiation

Theorem: For every ℎ ∈ [log2𝜇, 𝜇/4], 𝑑 > 2, 𝑙 = 𝑃(

8 2𝜇), if H

is a RO, then the RO instantiation is a dense puzzle system with

𝑑 (∙)- soundness and (𝑗𝑒, 𝑙)-

amortization resistance.

DLog instantiation

• We construct target collision resistant (TCR)

strong extractors from regular universal oneway hash functions (UOWHFs).

DLog instantiation

• We construct target collision resistant (TCR) strong

extractors from regular universal oneway hash functions (UOWHFs).

• We prove that given a target TCR strong extractor

𝐅𝐲𝐮, and a one-way function 𝒈 , we get that Ψ(𝒚, 𝑡𝑓𝑓𝑒)=(𝐅𝐲𝐮 𝒈(𝒚), 𝑡𝑓𝑓𝑒 , 𝑡𝑓𝑓𝑒 ) is a dense one-way function (i.e. its output is close to uniform)

DLog instantiation

• We construct target collision resistant (TCR) strong

extractors from regular universal oneway hash functions (UOWHFs).

• We prove that given a target TCR strong extractor 𝐅𝐲𝐮,

and a one-way function 𝒈 , we get that Ψ(𝒚, 𝑡𝑓𝑓𝑒)=(𝐅𝐲𝐮 𝒈(𝑦), 𝑡𝑓𝑓𝑒 , 𝑡𝑓𝑓𝑒) is a dense one-way function

• Given randomness 𝒔 and hardness parameter 𝒊

we set the puzzle 𝒒𝒗𝒜 = 𝐅𝐲𝐮 𝐄𝐌𝐩𝐡

_𝟐 𝒚 + 𝒔 , 𝑡𝑓𝑓𝑒) , 𝑡𝑓𝑓𝑒, 𝒔

with solution 𝒕𝒑𝒎𝒐 = 𝒚 ∈ {0,1}𝒊

DLog instantiation

Theorem: For every ℎ ∈ [2log4𝜇, log5𝜇], 𝑑 > 2, 𝑙 = 𝑃(2log3𝜇), if the TCR property of Ext is 𝑃( 2ℎ) −secure and DLog is 𝑃(

𝑑 2ℎ) − hard, then the DLog instantiation

is a dense puzzle system with

𝑑 (∙)- soundness

and (𝑗𝑒, 𝑙)-amortization resistance.

PoWorK applications

Privacy-Preserving Reducing Spam

Verifier

email Server

PoWorK PoWorK Mail server cannot distinguish between approved contacts or not

email Server

Bob

“If I don’t know you and you want to send me a message, then you must prove that you spent, say, ten seconds of CPU time, just for me and just for this message” [DN92]

Cryptocurrencies with enhanced liveness

Most blockchains are maintained via proofs of work

But...recent suggestions exist that are based in signatures/ proofs of knowledge

Cryptocurrencies with enhanced liveness

Hybrid PoW - PoK Cryptocurrencies

OR

Cryptocurrencies with enhanced liveness

Hybrid PoW - PoK Cryptocurrencies

OR

Cryptocurrencies with enhanced liveness

The ledger remains live even if many miners go

• ffline

Hybrid PoW - PoK Cryptocurrencies

OR

Cryptocurrencies with enhanced liveness

A trusted party could issue blocks in case of such emergency

Hybrid PoW - PoK Cryptocurrencies

OR

Cryptocurrencies with enhanced liveness

the trusted party’s involvement will be unnoticed and hence will have no impact to the economy that the cryptocurrency supports

3-round concurrently simulatable arguments of knowledge

• We show that under reasonable

assumptions our 3-move PoWorK construction is straight-line simulatable in 𝑃(𝜇poly(log𝜇)) time.

• 𝜇poly(log𝜇) is closed under polynomial.
• By the results of Pass, our PoWorK

construction is a 3-round concurrently simulatable argument of knowledge.

Conclusions and Future Work

Conclusions

• We define PoWorKs, a meaningful novel

class of interactive proof systems.

• We define and instantiate cryptographic

puzzle systems.

• We provide an efficient 3-round PoWorK

construction.

• We motivate the applicability of PoWorKs

via real-world and theoretic applications.

Future directions

• Alternative PoWorK constructions.
• Relation of PoWorKs with other

complexity classes.

• Applications of PoWorKs in real-world

scenarios.

• Puzzle system instantiations.

𝑼𝒊𝒃𝒐𝒍 𝒛𝒑𝒗!!!

Indistinguishable Proofs of Work or Knowledge

Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang

ASIACRYPT 2016 8th December, Hanoi, Vietnam