Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify...

37
Dan Boneh, Joe Bonneau, Benedikt Bünz, Ben Fisch Crypto 2018 Verifiable Delay Functions 1

Transcript of Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify...

Page 1: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Dan Boneh, Joe Bonneau,

Benedikt Bünz, Ben Fisch

Crypto 2018

Verifiable Delay Functions

1

Page 2: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

What is a VDF?

2

Verifier

Page 3: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

What is a VDF?

3

• Setup(λ, T) ⟶ public parameters pp

pp specify domain X and range Y

• Eval(pp, x) ⟶ output y, proof π

PRAM runtime T with polylog(T) processors

• Verify(pp, x, y, π) ⟶ { yes, no }

Time complexity at most polylog(T)

Page 4: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Security Properties (Informal)

• Setup(λ, T) ⟶ public parameters pp

• Eval(pp, x) ⟶ output y, proof π (requires T steps)

• Verify(pp, x, y, π) ⟶ { yes, no }

4

Page 5: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Related Crypto Primitives

• Time-lock puzzles [RSW’96, BN’00, BGJPVW’16]

o Trapdoor (secret key) setup per puzzle

o Not ``publicly verifiable”

• Proof-of-sequential-work [MMV’13, CP’18]

o Publicly verifiable

o Not a function (output isn’t unique)

5

Page 6: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

VDF minus any property is “easy”

6

Page 7: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Modular square roots [DN’92, LW’15]

8

Page 8: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Modular square roots [DN’92, LW’15]

log(p) squarings

1 squaring

9

proof size = log(p)

Page 9: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Modular square roots

• A “proto-VDF”

Eval time: log(p) * M(p)

Verify time: M(p)

Problem: Verify time not polylogarithmic in Eval time

10

M(p) = time complexity of multiplication mod p

Page 10: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Security Properties (Informal)

• Setup(λ, T) ⟶ public parameters pp

• Eval(pp, x) ⟶ output y, proof π (requires T steps)

• Verify(pp, x, y, π) ⟶ { yes, no }

11

Page 11: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

VDF security more formally…

12

Sequentiality Game

Page 12: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Part I: Applications of VDFs

14

Permissionless consensus

Page 13: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Randomness beacon

• Rabin ‘83

15

An ideal service that regularly publishes random value which no party can predict or manipulate

Page 14: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Many uses for random beacons

16

Page 15: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Randomness beacon

``Public displays” are easily corrupted

17

Page 16: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Public entropy source

18

Assumption: (1) unpredictable, (2) adversary cannot fix stock prices

Page 17: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Stock price manipulation

19

Page 18: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Stock price randomness beacon

Closing prices of 100 stocks: Hash(prices)

extractor

128 bits

pseudorandom generator

Lots of bits

20 bits

The problem: • Once prices settle a minute before

closing, attacker executes 20 last-minute trades to influence seed.

• Attacker can predict outcome of

trades and choose favorable trades to bias result

(seed)

Page 19: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Solution: slow things down with a VDF

A solution: one hour VDF

• Attacker cannot tell what trades to execute before market closes

Uniqueness: ensures no ambiguity about output

Hash(prices)

extractor

128 bits

VDF

128 bits , π

20 bits

(seed)

Page 20: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Simple Bulletin Board

Alice Bob Claire Zoe

Public Bulletin Board

ra rb rc rz

output seed = Hash(ra || rb || ⋯ || rz ) ∈ {0,1}256

Problem: Zoe controls the final seed !! 24

Mildly

synchronous

Page 21: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Solution: slow things down with a VDF [LW’15]

Alice Bob Claire Zoe

Public Bulletin Board (blockchain)

ra rb rc rz

Hash(ra || rb || ⋯ || rz ) ∈ {0,1}256

VDF seed, π H 25

Page 22: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Part II: Constructions

y x I.

(reverse permutation)

II.

This work

Followup: Pietrzak’18,

Wesolowski’18

27

Page 23: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Hash Chain w/ Verifiable Computation

28

• SNARK = “succinct non-interactive argument of knowledge” [G’10,GGPR’13, BCIOP’13, BCCT’13]

• STARK = “succinct transparent non-interactive argument of

knowledge” [M’00, BBHR’18]

Page 24: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Hash Chain w/ Verifiable Computation

29

Problem

• Proof generation slower than hash chain, without massive parallelism

Page 25: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Incrementally Verifiable Computation

30

Page 26: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

IVC SNARK Optimizations

31

Page 27: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

IVC SNARK Optimizations

y x

y x

Slow

Fast

33

Page 28: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

IVC SNARK Optimizations

34

y x

y x

Slow

Fast

Page 29: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Square-roots vs SHA256

s c

s c

35

s c

27,904 gates

4 gates Coordinate swap

SHA256:

Square-roots:

Page 30: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Better asymmetric permutations?

37

Slow Fast

Page 31: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Permutation polynomials

38

Eval requires d parallelism

d2.85 parallel. infeasible for

Adv.

Page 32: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Permutation Polynomials Holy Grail

Eval: O(d) PRAM steps Verify: O(log(d))

Exponential

gap!

39

Exponentially large

Page 33: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Permutation polynomials

40

Guralnick, Müler ’97

Page 34: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Permutation polynomials

Guralnick, Müler ’97

41

Page 35: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Construction Summary

42

Verification O(log(T)) SNARKs

Proof size O(log(T))

Assumption SNARK/STARK + Sqr. rts. or ideal perm. polynomial

Trusted setup None w/ STARKs or using “slower” verification, sequentiality not broken

Quantum resistant Possibly with STARKs

Simple No

Page 36: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

Newer VDFs [P’18, W’18]

• Let G be a finite cyclic group with generator g ∈ G

G = {1, g, g2, g3, … }

• Assumption: the group G has unknown size

pp = (G, H: X ⟶ G)

• Eval(pp, x): output

proof π = (proof of correct exponentiation)

T squarings

[P’18, W’18] 43

Page 37: Verifiable Delay Functions · What is a VDF? 3 • Setup(λ, T) public parameters pp pp specify domain X and range Y • Eval(pp, x) output y, proof π PRAM runtime T with polylog(T)

THE END

https://eprint.iacr.org/2018/601

Survey of VDFs

https://eprint.iacr.org/2018/712.pdf 44