Abstract

We construct a publicly verifiable protocol for proving computational work based on collision-resistant hash functions and a new plausible complexity assumption regarding the existence of inherently sequential hash functions. Our protocol is based on a novel construction of puzzles. Given a sampled puzzle $P \gets_R D_n$, where $n$ is the security parameter and $D_n$ is the distribution of the puzzles, a corresponding solution can be generated using $N$ evaluations of the sequential hash function, where $N > n$ is another parameter, while any feasible adversarial strategy for generating valid solutions must take at least as much time as $\Omega(N)$ serial evaluations of the hash function after receiving $P$. Thus, valid solutions constitute a proof that $\Omega(N)$ parallel time elapsed since $P$ was received. Solutions can be publicly and efficiently verified in time $\mathrm{poly}(n) \cdot \mathrm{polylog}(N)$. Applications of these time-lock puzzles include noninteractive timestamping of documents (where the distribution over the possible documents corresponds to the puzzle distribution $D_n$) and universally verifiable CPU benchmarks. Our construction is secure in the standard model under complexity assumptions (collision-resistant hash functions and inherently sequential hash functions), and makes black-box use of the underlying primitives. Consequently, the corresponding construction in the random oracle model is secure unconditionally. Moreover, as it is a public-coin protocol, it can be made non-interactive in the random oracle model using the Fiat-Shamir heuristic. Our construction makes a novel use of depth-robust directed acyclic graphs---ones whose depth remains large even after removing a constant fraction of vertices---which were previously studied for the purpose of complexity lower bounds.
The construction bypasses a recent lower bound of Mahmoody, Moran, and Vadhan (CRYPTO '11) for puzzles in the random oracle model, which showed that it is impossible to have puzzles like ours in the random oracle model if the puzzle generator also computes a solution together with the puzzle.

Highlights

  • A timestamping scheme is a mechanism for proving that a document was created before a certain time in the past

  • In this paper, following Mahmoody et al. [MMV11], we study proofs of work and noninteractive timestamping

  • Since we have $k = \omega(\log n)$, Theorem 3.7 follows as a corollary from Lemmas 3.10, 3.11, and 3.12, because (1) it holds that $d = O(\log^3 N)$ and (2) for $k = \omega(\log n)$ and $\alpha = 1 - \Omega(1)$ it holds that $\alpha^k = \mathrm{negl}(n)$


Summary

INTRODUCTION

A timestamping scheme is a mechanism for proving that a document was created before a certain time in the past. We would like to have proofs of work that are inherently sequential, i.e., even a massively parallel effort to evaluate $g(D)$ would still take time close to $N$.

A verifier who already knows the secret factorization of $N$ can check the computation efficiently using the “shortcut” $2^{2^D} \equiv 2^{(2^D \bmod \varphi(N))} \pmod N$; if $|N| \approx |D|$, this shortcut gives an exponential speed-up. The security of this scheme is based on the conjecture that modular exponentiation is an inherently sequential task without knowing the factorization of $N$.

Efficient argument systems can be constructed based on collision-resistant hash functions [Kil, Mic00, BG08] and can be made noninteractive in the ROM. This approach appears conceptually simple, but hides complexity in the construction of the argument system: existing schemes all make use of complex Probabilistically Checkable Proofs (PCPs), and this appears to be an inherent property of efficient argument systems [RV10].

As well as being of theoretical interest, a black-box construction has practical advantages: the implementation can be made in a modular way, the underlying sequential function can be changed, and it may even be replaced with a hardware module (or a corresponding physical assumption).
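The trapdoor shortcut described above, as an added example that is not code from the paper: a solver must perform $D$ sequential modular squarings, whereas a verifier holding the factorization $N = pq$ reduces the exponent modulo $\varphi(N)$ first. The function names, the toy primes and the depth are my own constructed values; $N$ here is the RSA modulus, not the number of hash evaluations used elsewhere on the page.

```python
# Added example (not code from the paper): the RSW time-lock "shortcut".
# The solver does D sequential modular squarings; a verifier holding the
# factorization N = p*q reduces the exponent modulo phi(N) first.
# All parameter values below are constructed toy values.

def modpow_counting(base: int, exponent: int, modulus: int) -> tuple[int, int]:
    """Square-and-multiply that also returns how many modular
    multiplications it performed (about 2 * log2(exponent))."""
    result, acc, mults = 1, base % modulus, 0
    while exponent:
        if exponent & 1:
            result = (result * acc) % modulus
            mults += 1
        acc = (acc * acc) % modulus
        mults += 1
        exponent >>= 1
    return result, mults

def solve_sequentially(base: int, depth: int, modulus: int) -> tuple[int, int]:
    """Honest solver without the trapdoor: base^(2^depth) mod modulus by
    `depth` squarings, each depending on the previous one (no parallelism).
    Returns (result, number_of_squarings)."""
    x = base % modulus
    for _ in range(depth):
        x = (x * x) % modulus
    return x, depth

def verify_with_trapdoor(base: int, depth: int, p: int, q: int) -> tuple[int, int]:
    """Verifier who knows p and q: by Euler's theorem (gcd(base, N) = 1,
    which holds for base 2 and odd primes), base^(2^depth) is congruent to
    base^(2^depth mod phi(N)) modulo N, so 2^depth is first reduced modulo
    phi(N) = (p-1)(q-1) and the result is raised once.
    Returns (result, total modular multiplications used)."""
    n, phi = p * q, (p - 1) * (q - 1)
    reduced, m1 = modpow_counting(2, depth, phi)   # 2^depth mod phi(N)
    result, m2 = modpow_counting(base, reduced, n)
    return result, m1 + m2

def compare(depth: int = 20000, p: int = 1000003, q: int = 1000033) -> dict:
    """Run both paths on toy primes and report the work each one needed."""
    slow, slow_ops = solve_sequentially(2, depth, p * q)
    fast, fast_ops = verify_with_trapdoor(2, depth, p, q)
    return {"agree": slow == fast, "sequential_ops": slow_ops,
            "trapdoor_ops": fast_ops}

if __name__ == "__main__":
    print(compare())
```

With the toy primes the trapdoor path needs on the order of a hundred multiplications regardless of `depth`, while the sequential path grows linearly with it.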

Our Results
Related Work
Outline and High-Level Ideas
Formal Definitions
The Main Theorem
OPEN QUESTIONS
Noninteractive Verification Using the Fiat-Shamir Transformation
EXPLICIT CONSTRUCTIONS OF DEPTH
COMMITMENTS BY MERKLE TREES
