On the Security of Proofs of Sequential Work in a Post-Quantum World

2007 IEEE International Test Conference Pub Date : 2020-06-19 DOI:10.4230/LIPIcs.ITC.2021.22

Jeremiah Blocki, Seunghoon Lee, Samson Zhou

{"title":"On the Security of Proofs of Sequential Work in a Post-Quantum World","authors":"Jeremiah Blocki, Seunghoon Lee, Samson Zhou","doi":"10.4230/LIPIcs.ITC.2021.22","DOIUrl":null,"url":null,"abstract":"A proof of sequential work allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. Proofs of sequential work have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of proofs of sequential work in the random oracle model though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave a more efficient construction that does not require depth-robust graphs. In each of these constructions, the prover commits to a labeling of a directed acyclic graph $G$ with $N$ nodes and the verifier audits the prover by checking that a small subset of labels are locally consistent, e.g., $L_v = H(L_{v_1},\\ldots,L_{v_\\delta})$, where $v_1,\\ldots,v_\\delta$ denote the parents of node $v$. Provided that the graph $G$ has certain structural properties (e.g., depth-robustness), the prover must produce a long $\\mathcal{H}$-sequence to pass the audit with non-negligible probability. An $\\mathcal{H}$-sequence $x_0,x_1\\ldots x_T$ has the property that $H(x_i)$ is a substring of $x_{i+1}$ for each $i$, i.e., we can find strings $a_i,b_i$ such that $x_{i+1} = a_i \\cdot H(x_i) \\cdot b_i$. In the parallel random oracle model, it is straightforward to argue that any attacker running in sequential time $T-1$ will fail to produce an $\\mathcal{H}$-sequence of length $T$ except with negligible probability -- even if the attacker submits large batches of random oracle queries in each round. (See the paper for the full abstract.)","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":"1 1","pages":"22:1-22:27"},"PeriodicalIF":0.0000,"publicationDate":"2020-06-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE International Test Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4230/LIPIcs.ITC.2021.22","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 16

Abstract

A proof of sequential work allows a prover to convince a resource-bounded verifier that the prover invested a substantial amount of sequential time to perform some underlying computation. Proofs of sequential work have many applications including time-stamping, blockchain design, and universally verifiable CPU benchmarks. Mahmoody, Moran, and Vadhan (ITCS 2013) gave the first construction of proofs of sequential work in the random oracle model though the construction relied on expensive depth-robust graphs. In a recent breakthrough, Cohen and Pietrzak (EUROCRYPT 2018) gave a more efficient construction that does not require depth-robust graphs. In each of these constructions, the prover commits to a labeling of a directed acyclic graph $G$ with $N$ nodes and the verifier audits the prover by checking that a small subset of labels are locally consistent, e.g., $L_v = H(L_{v_1},\ldots,L_{v_\delta})$, where $v_1,\ldots,v_\delta$ denote the parents of node $v$. Provided that the graph $G$ has certain structural properties (e.g., depth-robustness), the prover must produce a long $\mathcal{H}$-sequence to pass the audit with non-negligible probability. An $\mathcal{H}$-sequence $x_0,x_1\ldots x_T$ has the property that $H(x_i)$ is a substring of $x_{i+1}$ for each $i$, i.e., we can find strings $a_i,b_i$ such that $x_{i+1} = a_i \cdot H(x_i) \cdot b_i$. In the parallel random oracle model, it is straightforward to argue that any attacker running in sequential time $T-1$ will fail to produce an $\mathcal{H}$-sequence of length $T$ except with negligible probability -- even if the attacker submits large batches of random oracle queries in each round. (See the paper for the full abstract.)

查看原文本刊更多论文

后量子世界中顺序工作证明的安全性研究

顺序工作的证明允许证明者说服资源有限的验证者，证明者投入了大量的顺序时间来执行一些底层计算。顺序工作的证明有许多应用，包括时间戳、区块链设计和普遍可验证的CPU基准测试。Mahmoody, Moran和Vadhan (ITCS 2013)给出了随机oracle模型中顺序工作证明的第一个构造，尽管该构造依赖于昂贵的深度鲁棒图。在最近的一项突破中，Cohen和Pietrzak (EUROCRYPT 2018)给出了一种更有效的构造，不需要深度鲁棒图。在每一个结构中，证明者提交一个有向无环图$G$的标记，有$N$个节点，验证者通过检查标签的一个小子集是否在局部一致来审计证明者，例如，$L_v = H(L_{v_1}，\ldots,L_{v_\delta})$，其中$v_1，\ldots,v_\delta$表示节点$v$的父节点。假设图$G$具有一定的结构性质(例如，深度鲁棒性)，证明者必须产生一个长$\mathcal{H}$-序列才能以不可忽略的概率通过审计。$\mathcal{H}$-sequence $x_0,x_1\ldots x_T$具有$H(x_i)$是$x_{i+1}$对于每个$i$的子字符串的性质，即，我们可以找到$a_i,b_i$这样的字符串$x_{i+1} = a_i \cdot H(x_i) \cdot b_i$。在并行随机oracle模型中，可以直接认为，任何在顺序时间$T-1$运行的攻击者都无法产生长度$T$的$\mathcal{H}$-序列，除非概率可以忽略不计——即使攻击者在每轮中提交大量随机oracle查询。(查看全文摘要)

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2007 IEEE International Test Conference

自引率

0.00%

发文量