Simple Proofs of Sequential WorkBram Cohen Krzysztof Pietrzak

Eurocrypt 2018, Tel Aviv, May 1st 2018

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

Outline• What• How• Why

Proofs of Sequential Work

Sustainable Blockchains

Sketch of Construction & Proof

σi τi

βi

σi+1 τi+1

βi+1

αi αi+1

Proofs of Sequential Work

puzzle: (N = p · q, x, T ) , solution: x2T

mod Nsolution computed with two exponentiation given p, q:

e← 2T mod φ(N) , x2T

= xe mod N

conjectured to require T sequential squarings given only N

x→ x2 → x22 → . . . x2

T

mod N

puzzle: (N = p · q, x, T ) , solution: x2T

mod N

sequential computation ∼computation time ⇒

“send message to the future”

solution computed with two exponentiation given p, q:

e← 2T mod φ(N) , x2T

= xe mod N

conjectured to require T sequential squarings given only N

x→ x2 → x22 → . . . x2

T

mod N

PoSW vs. Time-Lock Puzzles

• Prove that time has passed⇒ Non-interactive time-stamps

• Send message to the futureFunctionality

PoSW vs. Time-Lock Puzzles

• Prove that time has passed⇒ Non-interactive time-stamps

• Send message to the future

• Random oracle model or“sequential” hash-function

• Non-standard algebraicassumption

Functionality

Assumption

PoSW vs. Time-Lock Puzzles

• Prove that time has passed⇒ Non-interactive time-stamps

• Send message to the future

• Random oracle model or“sequential” hash-function

• Non-standard algebraicassumption

Functionality

Assumption

Public vs. Private• Public-coin ⇒

Publicly verfiable• Private-coin ⇒

Designated verifier

Proofs of Sequential Workaka. Verifiable Delay Algorithm

Prover Pχ←

Verifier Vstatement χ

Time T ∈ N

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Prover Pχ←

Verifier Vstatement χ

Time T ∈ N

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Completeness and Soundness in the random oracle model:

HProver Pχ←

Verifier Vstatement χ

Time T ∈ N

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Completeness and Soundness in the random oracle model:

HProver Pχ←

Verifier Vstatement χ

Time T ∈ N

Completeness: τ(c, T ) can be computed making T queries to H

Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to H

Proofs of Sequential Workaka. Verifiable Delay Algorithm

τ = τ(χ, T ) verify(χ, T, τ) ∈accept/reject

Completeness and Soundness in the random oracle model:

HProver Pχ←

Verifier Vstatement χ

Time T ∈ N

Completeness: τ(c, T ) can be computed making T queries to H

Soundness: Computing any τ ′ s.t. verify(χ, T, τ ′) =accept forrandom χ requires almost T sequential queries to Hmassive parallelism useless to generate valid proof faster ⇒prover must make almost T sequential queries ∼ T time

Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)

space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated

combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many

other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).

Three Problems of the [MMV’13] PoSW1) Space Complexity : Prover needs massive (linear in T)

space to compute proof.2) Poor/Unclear Parameters due to usage of sophisticated

combinatorial objects.3) Uniqueness : Once an accepting proof is computed, many

other valid proofs can be generated (not a problem fortime-stamping, but for blockchains).

1) Prover needs only O(log(T )) (not O(T )) space, e.g. forT = 242 (≈ a day) that’s ≈ 10KB vs. ≈ 1PB.

2) Simple construction and proof with good concreteparameters.

3) Awesome open problem!

New Construction

Construction and Proof Sketch

Three Basic Concepts

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

Three Basic Concepts

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

is (2, 3) depth-robust

Three Basic Concepts

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

label `i = H(`parents(i)), e.g. `4 = H(`3, `4)

Graph Labelling

Three Basic Concepts

x y

H H

x′y′

queries y = H(x), y′ = H(x′) wherey ⊆ x′ ⇒ query x′ was made after x

Random Oracles are Sequential

DAG G = (V,E) is (e, d)depth-robust if after removing anye nodes a path of length d exists.

1 2 3 4 5 6

Depth-Robust Graphs (only [MMV’13])

label `i = H(`parents(i)), e.g. `4 = H(`3, `4)

Graph Labelling

Three Basic Concepts

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

1 2 3 4 5 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

• Compute labels of G using Hχ

`1 `2 `3 `4 `5 `6

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

• Compute labels of G using Hχ

`1 `2 `3 `4 `5 `6

• Send commitment φ to labels to Vφ

φ

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

• Protocol specifies depth-robustDAG G on T nodes

• Define “fresh” random oracleHχ(·) ≡ H(χ‖·)

• Compute labels of G using Hχ

`1 `2 `3 `4 `5 `6

• Send commitment φ to labels to Vφ

φ

• V challenged to open random subset of nodes and parents(interaction can be removed using Fiat-Shamir)

c ⊂ Vopen {`i}i∈c∪i∈parents(i)

check openings andif labels consistentwith parent labels

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

φ

`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))

Proof Sketch

φ

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

φ

`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))

Proof Sketch

φ

• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.

The MMV’13 ConstructionHProver P

χ←Verifier V

statement χ

Time T = 6

φ

`′1 `′2 `′3 `′4 `′5 `′6• G is (e, d) depth-robust• φ commits P̃ to labels {`′i}i∈V• i is bad if `′i 6= H(`′parents(i))

Proof Sketch

φ

• Case 1: ≥ e bad nodes ⇒ will fail opening phase whp.• Case 2: Less than e bad labels ⇒ ∃ path of good nodes

(by (e, d) depth-robustness) ⇒ P̃ made d sequentialqueries (by sequantality of RO)

The New ConstructionT = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

T = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

right siblingT = 15

left sibling

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

T = 15

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

`1 `2

`3

`14

`15

• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.

T = 15

• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)

The New Construction

For every leaf i add all edges (j, i) where j is left sibling ofnode on path i→ root

`1 `2

`3

`14

`15

• P computes labelling `i = H(`parents(i)) and sends rootlabel φ = `T to V. Can be done storing only log(T ) labels.

T = 15

• V challenges P to open a subset of leaves and checksconsistency (blue and green edges!)

PKC’00

The New Construction

Proof Sketch

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).

• Claim 1: ∃ path going through V − S.

• Claim 2: P̃ can’t open |S|/T fraction of leafs.

φ T = 15

The New Construction

Proof Sketch• P̃ committed to labels `′i after sending φ = `15.• i is bad if `′i 6= H(`′parents(i)).• Let S ⊂ V denote the bad nodes and all nodes below.• Claim 1: ∃ path going through V − S (of length T − |S|).

• Claim 1: ∃ path going through V − S.

• Claim 2: P̃ can’t open |S|/T fraction of leafs.

Theorem: P̃ made only T (1− ε) sequential queries⇒ will pass opening phase with prob. ≤ (1− ε)#of challenges

φ T = 15

why we care

Sustainable Blockchains

σi τi

βi

σi+1 τi+1

βi+1

αi αi+1

Mining Bitcoin (Proofs of Work)

Mining Bitcoin (Proofs of Work)

Ecological: Massive energy & hardwarewaste.

Economical: Requires high rewards ⇒inflation and/or high transaction fees.

Security: E.g. buy old ASICs for 51%attack.

Ecological: Massive energy & hardwarewaste.

Economical: Requires high rewards ⇒inflation and/or high transaction fees.

Security: E.g. buy old ASICs for 51%attack.

Can we have a more “sustainable”

Blockchain?

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Workcomputation as resource

prob. of solving PoW first ∼ fraction of hashing power

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work

Chia: Proofs of Space and Time

computation as resourceprob. of solving PoW first ∼ fraction of hashing power

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work

Chia: Proofs of Space and Timespace as resource

prob. of finding PoSpace of best quality ∼ fraction ofdedicated space

computation as resourceprob. of solving PoW first ∼ fraction of hashing power

dynamicsproof of work hardness set so blocks appear ≈ every 10 minutes

Bitcoin: Proofs of Work

Chia: Proofs of Space and Timespace as resource

prob. of finding PoSpace of best quality ∼ fraction ofdedicated space

dynamicsRun PoSW on top of PoSpace for T ∼ quality of PoSpace to

“finalize” block

computation as resourceprob. of solving PoW first ∼ fraction of hashing power

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2

σi : proof of space on challenge hash(τi−1)

τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2

αi αi+1 αi+2

σi : proof of space on challenge hash(τi−1)

τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

βi = (. . . , φi, αi)

φi : proof of work on challenge hash(βi−1) transactions

σi τi σi+1 τi+1 σi+2 τi+2

αi αi+1 αi+2

σi : proof of space on challenge hash(τi−1)

τi : proof of sequential work on challenge hash(σi−1)and time parameter quality(σi−1)

βi βi+1 βi+2 βi+3 βi+4

NOTHING TOGRIND HERE!